TLS 1.3 server: move crypto_init after protocol negotiation
This reduces the number of workflows in which psa_crypto_init is called
unnecessarily: it will no longer be called when a dual-version server receives
a 1.2-only ClientHello.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 616d2ee..693edc7 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1412,6 +1412,12 @@
ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
ssl->session_negotiate->endpoint = ssl->conf->endpoint;
+ /* Before doing any crypto, make sure we can. */
+ ret = mbedtls_ssl_tls13_crypto_init(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
/*
* We are negotiating the version 1.3 of the protocol. Do what we have
* postponed: copy of the client random bytes, copy of the legacy session
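Review bot: The early return added at the new `if (ret != 0)` fires after `ssl->session_negotiate->tls_version` and `->endpoint` have already been set to the 1.3 values, so a crypto_init failure leaves the negotiated session partially updated; presumably the caller aborts the handshake on a non-zero return, but if anything inspects `session_negotiate` afterwards it will see a half-committed 1.3 state. Moving the three added lines above the two assignments keeps the failure path side-effect free: `ret = mbedtls_ssl_tls13_crypto_init(ssl); if (ret != 0) { return ret; }` before `ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;`. The comment should also record the invariant this relocation now relies on, since the whole point of the commit is that version negotiation runs before the init: `/* Before doing any crypto, make sure we can. Everything above this point (version negotiation) must stay free of PSA/crypto calls. */`. The enclosing function starts and ends outside the hunk, so whether `ret` is already declared there cannot be confirmed from this view.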
@@ -1948,11 +1954,6 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
- ret = mbedtls_ssl_tls13_crypto_init(ssl);
- if (ret != 0) {
- return ret;
- }
-
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
&buf, &buflen));