From bc817bac761d56b2bb50ba0d7e3197e65d224460 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 21 Jul 2022 09:35:20 +0200 Subject: [PATCH] TLS 1.3: Limit scope of tls13_kex_modes handshake field Signed-off-by: Ronald Cron --- library/ssl_misc.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 2ad5965fd..d16b254fc 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -612,14 +612,18 @@ struct mbedtls_ssl_handshake_params */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) uint8_t key_exchange_mode; /*!< Selected key exchange mode */ - uint8_t tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */ /** Number of HelloRetryRequest messages received/sent from/to the server. */ int hello_retry_request_count; + #if defined(MBEDTLS_SSL_SRV_C) /** selected_group of key_share extension in HelloRetryRequest message. */ uint16_t hrr_selected_group; +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ +#endif #endif /* MBEDTLS_SSL_SRV_C */ + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) @@ -1770,6 +1774,7 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /** * Given a list of key exchange modes, check if at least one of them is * supported. @@ -1816,6 +1821,7 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) return( ! mbedtls_ssl_tls13_check_kex_modes( ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ /* * Helper functions to check the selected key exchange mode.