From 29daf4a36b95ea711c0cd3a53df4a8f9517b26f8 Mon Sep 17 00:00:00 2001
From: Pengyu Lv <pengyu.lv@arm.com>
Date: Mon, 30 Oct 2023 17:13:30 +0800
Subject: [PATCH] tls13: server: fully check ticket_flags with available kex
 mode.

We need to fully check if the provided session ticket could be
used in the handshake, so that we wouldn't cause handshake
failure in some cases. Here we bring f8e50a9 back.

Example scenario:
A client proposes to a server, that supports only the psk_ephemeral
key exchange mode, two tickets, the first one is allowed only for
pure PSK key exchange mode and the second one is psk_ephemeral only.
We need to select the second tickets instead of the first one whose
ticket_flags forbid psk_ephemeral and thus cause a handshake
failure.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
---
 library/ssl_tls13_server.c | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 456621b5d3..08ed55c3e6 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -106,6 +106,10 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
 #define SSL_TLS1_3_OFFERED_PSK_MATCH       0
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl);
 
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_offered_psks_check_identity_match_ticket(
@@ -117,6 +121,8 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *ticket_buffer;
+    unsigned int ticket_flags;
+    unsigned int key_exchanges;
 #if defined(MBEDTLS_HAVE_TIME)
     mbedtls_time_t now;
     uint64_t age_in_s;
@@ -172,13 +178,21 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
      * We regard the ticket with incompatible key exchange modes as not match.
      */
     ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
-    MBEDTLS_SSL_PRINT_TICKET_FLAGS(4,
-                                   session->ticket_flags);
-    if (mbedtls_ssl_tls13_check_kex_modes(
-            ssl,
-            mbedtls_ssl_session_get_ticket_flags(
-                session,
-                MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) {
+    MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
+    ticket_flags = mbedtls_ssl_session_get_ticket_flags(
+        session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
+
+    key_exchanges = 0;
+    if ((ticket_flags & MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION) &&
+        ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
+        key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+    }
+    if ((ticket_flags & MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION) &&
+        ssl_tls13_check_psk_key_exchange(ssl)) {
+        key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+    }
+
+    if (key_exchanges == 0) {
         MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
         goto exit;
     }