tls13: srv: Stop earlier identity check
If an identity has been determined as a
ticket identity but the ticket is not
usable, do not try to check if the
identity is that of an external
provided PSK.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index ca5e112..873f909 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -282,9 +282,9 @@
ssl->handshake->resume = 0;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if (ssl_tls13_offered_psks_check_identity_match_ticket(
- ssl, identity, identity_len, obfuscated_ticket_age,
- session) == SSL_TLS1_3_PSK_IDENTITY_MATCH) {
+ ret = ssl_tls13_offered_psks_check_identity_match_ticket(
+ ssl, identity, identity_len, obfuscated_ticket_age, session);
+ if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH) {
ssl->handshake->resume = 1;
*psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
ret = mbedtls_ssl_set_hs_psk(ssl,
@@ -301,6 +301,8 @@
MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
(unsigned) obfuscated_ticket_age));
return SSL_TLS1_3_PSK_IDENTITY_MATCH;
+ } else if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE) {
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */