lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

tls13: srv: Stop earlier identity check

Browse Source 
If an identity has been determined as a
ticket identity but the ticket is not
usable, do not try to check if the
identity is that of an external
provided PSK.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
2024-02-23 14:38:59 +01:00
parent fbae94a52f
commit 7a30cf5954
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
library/ssl_tls13_server.c
View File

@ -282,9 +282,9 @@ static int ssl_tls13_offered_psks_check_identity_match(
ssl->handshake->resume = 0; ssl->handshake->resume = 0;
#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (ssl_tls13_offered_psks_check_identity_match_ticket( ret = ssl_tls13_offered_psks_check_identity_match_ticket(
ssl, identity, identity_len, obfuscated_ticket_age, ssl, identity, identity_len, obfuscated_ticket_age, session);
session) == SSL_TLS1_3_PSK_IDENTITY_MATCH) { if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH) {
ssl->handshake->resume = 1; ssl->handshake->resume = 1;
*psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
ret = mbedtls_ssl_set_hs_psk(ssl, ret = mbedtls_ssl_set_hs_psk(ssl,
@ -301,6 +301,8 @@ static int ssl_tls13_offered_psks_check_identity_match(
MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u", MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
(unsigned) obfuscated_ticket_age)); (unsigned) obfuscated_ticket_age));
return SSL_TLS1_3_PSK_IDENTITY_MATCH; return SSL_TLS1_3_PSK_IDENTITY_MATCH;
} else if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE) {
return SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
} }
#endif /* MBEDTLS_SSL_SESSION_TICKETS */ #endif /* MBEDTLS_SSL_SESSION_TICKETS */