move ciphersuite validation to set_session
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index afacb76..0450b3d 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1911,6 +1911,10 @@
size_t *out_len );
#endif /* MBEDTLS_ECDH_C */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
+ int ciphersuite,
+ psa_algorithm_t *psa_alg );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
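Review bot: The new prototype for `mbedtls_ssl_tls13_ciphersuite_to_alg` has no doc comment, and its contract is not obvious from the signature. The definition added in ssl_tls13_generic.c accepts `psa_alg == NULL` (validation only) and writes `PSA_ALG_NONE` through a non-NULL pointer before failing. A short Doxygen block should state that `psa_alg` may be NULL, that 0 means the ciphersuite passed `mbedtls_ssl_validate_ciphersuite` for TLS 1.3 and maps to a PSA hash, and which error code is returned otherwise.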
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 616df07..892a868 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1373,6 +1373,15 @@
if( ssl->handshake->resume == 1 )
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if( session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ ( ( ret = mbedtls_ssl_tls13_ciphersuite_to_alg(
+ ssl, session->ciphersuite, NULL ) ) != 0 ) )
+ {
+ return( ret );
+ }
+#endif
+
if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
session ) ) != 0 )
return( ret );
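Review bot: The added TLS 1.3 check ahead of `mbedtls_ssl_session_copy` has no comment saying that later code depends on it, yet the client-side change in this commit drops its own ciphersuite check and assumes the session was validated here. Consider a comment above the `#if` such as `/* Reject a TLS 1.3 session whose ciphersuite does not validate for this context; the pre_shared_key writer relies on this. */`. The enclosing function starts and ends outside the hunk, so any other path that fills `ssl->session_negotiate` is not visible here and is worth checking against the same invariant.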
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 67ecdc9..8f932d9 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -668,17 +668,19 @@
static psa_algorithm_t ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
int ciphersuite )
{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
- if( mbedtls_ssl_validate_ciphersuite(
- ssl, ciphersuite_info,
- MBEDTLS_SSL_VERSION_TLS1_3,
- MBEDTLS_SSL_VERSION_TLS1_3 ) == 0 )
+ psa_algorithm_t psa_alg;
+ if( mbedtls_ssl_tls13_ciphersuite_to_alg(
+ ssl, ciphersuite, &psa_alg ) != 0 )
{
- return( mbedtls_psa_translate_md( ciphersuite_info->mac ) );
+ /* ciphersuite is `ssl->session_negotiate->ciphersuite` or
+ * PSA_ALG_SHA256, both are validated before writting pre_shared_key.
+ */
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
+ return( PSA_ALG_NONE );
}
- return( PSA_ALG_NONE );
+
+ return( psa_alg );
}
static int ssl_tls13_has_configured_psk( mbedtls_ssl_context *ssl )
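Review bot: The failure branch of `ssl_tls13_ciphersuite_to_alg` returns `PSA_ALG_NONE` after only a level-2 debug message, so a broken invariant shows up only when debug output is enabled and each caller must check for the sentinel itself. The callers are outside this diff, so whether they do so cannot be confirmed here. Because the ticket check in the next hunk (new line 697) no longer calls this function, correctness now rests entirely on the validation done in `mbedtls_ssl_set_session`. It would be safer for callers to treat `PSA_ALG_NONE` as a hard failure (for example `MBEDTLS_ERR_SSL_INTERNAL_ERROR`) than to continue with it. The comment also needs a touch-up: `writting` should be `writing`, and `PSA_ALG_SHA256` is a hash algorithm rather than a ciphersuite value.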
@@ -695,9 +697,7 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_session *session = ssl->session_negotiate;
return( session != NULL &&
- session->ticket != NULL &&
- ssl_tls13_ciphersuite_to_alg( ssl,
- ssl->session_negotiate->ciphersuite ) != PSA_ALG_NONE );
+ session->ticket != NULL );
#else
((void) ssl);
return( 0 );
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index abb7a14..56841c4 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1485,4 +1485,36 @@
}
#endif /* MBEDTLS_ECDH_C */
+int mbedtls_ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
+ int ciphersuite,
+ psa_algorithm_t *psa_alg )
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
+ psa_algorithm_t alg;
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
+ if( psa_alg )
+ *psa_alg = PSA_ALG_NONE;
+
+ if( mbedtls_ssl_validate_ciphersuite(
+ ssl, ciphersuite_info,
+ MBEDTLS_SSL_VERSION_TLS1_3,
+ MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not valid.", ciphersuite ) );
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );
+ }
+
+ alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
+ if( alg == PSA_ALG_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not valid.", ciphersuite ) );
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );
+ }
+
+ if( psa_alg )
+ *psa_alg = alg;
+ return( 0 );
+}
+
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
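Review bot: Both failure paths in `mbedtls_ssl_tls13_ciphersuite_to_alg` return `MBEDTLS_ERR_SSL_INVALID_MAC`, which normally indicates that a message failed MAC verification. Since `mbedtls_ssl_set_session` now propagates this value, an application loading a session with an unsupported ciphersuite would see what looks like a tampered record. A code that describes bad input, e.g. `return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`, would be less misleading in logs and error handling. The two debug messages are also identical, so wording one as `ciphersuite %d not valid for TLS 1.3` and the other as `no PSA hash for ciphersuite %d` would make failures easier to tell apart. Passing the possibly-NULL result of `mbedtls_ssl_ciphersuite_from_id` on is only safe if `mbedtls_ssl_validate_ciphersuite` rejects a NULL info pointer, which is not visible in this diff.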