tls13: early_data: cli: assign ciphersuite properly
When the early_data extension is enabled and sent in ClientHello,
the client does not know if the server will accept early data
and select the first proposed pre-shared key with a ciphersuite
that is different from the ciphersuite associated with the selected
pre-shared key. To address the aforementioned case, we do the associated
verification when parsing the early_data ext in EncryptedExtensions.
Therefore we have to assign the ciphersuite in the current handshake
to session_negotiate later than the associated verification.
This won't impact decryption of EncryptedExtensions since we
compute handshake keys by the ciphersuite in handshake, not via
the one in session_negotiate.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 44814b9..d9a4b3e 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1925,7 +1925,6 @@
mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
- ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
ssl->session_in = ssl->session_negotiate;
cleanup:
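Review bot: with the assignment removed here, ssl->session_negotiate->ciphersuite keeps whatever value it held before ServerHello until EncryptedExtensions is parsed, yet the very next line sets ssl->session_in = ssl->session_negotiate; please confirm that nothing on the inbound path between this key switch and the EncryptedExtensions handler (record decryption, alert handling, early-data bookkeeping) reads session_in->ciphersuite instead of handshake->ciphersuite_info, because the commit message only asserts this for handshake key derivation. A one-line comment at this spot noting that the assignment now lives in the EncryptedExtensions handler would spare the next reader from wondering why it is missing.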
@@ -2203,6 +2202,20 @@
}
#endif
+ /*
+ * When early_data extension is enabled and sent in ClientHello, the client
+ * does not know if the server will accept early data and select the first
+ * proposed pre-shared key with a ciphersuite that is different from the
+ * ciphersuite associated to the selected pre-shared key. To address
+ * aforementioned case, we do associated verification when parsing
+ * early_data ext in EncryptedExtensions. Therefore we have to assign
+ * the ciphersuite in current handshake to session_negotiate later than
+ * the associated verification. This won't impact decryption of
+ * EncryptedExtensions since we compute handshake keys by the ciphersuite
+ * in handshake not via the one in session_negotiate.
+ */
+ ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
+
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, buf_len));
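Review bot: the new assignment sits just before mbedtls_ssl_add_hs_msg_to_checksum(), but the hunk does not show the early_data verification it is meant to follow, so the ordering the comment depends on cannot be confirmed from these lines; consider naming that check in the comment (the extension-parsing step that compares the selected pre-shared key's ciphersuite against handshake->ciphersuite_info) and placing the assignment directly after it, rather than repeating the commit message verbatim in a twelve-line block. Also worth checking the failure path: if EncryptedExtensions parsing fails before reaching this line, session_negotiate->ciphersuite is never assigned for this handshake, so any cleanup that inspects it when discarding the session or sending an alert must tolerate the stale value.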