commit f46b016058939d4cb131f40c7ef804ac4c0825f4
author Jerry Yu <jerry.h.yu@arm.com> Tue Jan 11 16:28:00 2022 +0800
committer Jerry Yu <jerry.h.yu@arm.com> Tue Jan 11 16:28:00 2022 +0800
tree 7bf59b1de3bf82bddf0904ce14c3fd98ee40288b
parent 63282b43210291931dc14341c94e198a54079c4d

skip some extensions if ephemeral not enabled

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

library/ssl_tls13_client.c

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 5b6aee1..9541fc3 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -219,9 +219,6 @@
 
     *out_len = 0;
 
-    if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
-        return( 0 );
-
     /* Check if we have space for header and length fields:
      * - extension_type         (2 bytes)
      * - extension_data_length  (2 bytes)
@@ -620,36 +617,40 @@
      *
      * It is REQUIRED for ECDHE cipher_suites.
      */
-    ret = mbedtls_ssl_write_supported_groups_ext( ssl, p, end, &output_len );
-    if( ret != 0 )
-        return( ret );
-    p += output_len;
+    /* Skip the extensions on the client if all allowed key exchanges
+     * are PSK-based. */
+    if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
+    {
+        ret = mbedtls_ssl_write_supported_groups_ext( ssl, p, end, &output_len );
+        if( ret != 0 )
+            return( ret );
+        p += output_len;
 
-    /* Write key_share extension
-     *
-     * We need to send the key shares under three conditions:
-     * 1) A certificate-based ciphersuite is being offered. In this case
-     *    supported_groups and supported_signature extensions have been
-     *    successfully added.
-     * 2) A PSK-based ciphersuite with ECDHE is offered. In this case the
-     *    psk_key_exchange_modes has been added as the last extension.
-     * 3) Or, in case all ciphers are supported ( which includes #1 and #2
-     *    from above )
-     */
-    ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
-    if( ret != 0 )
-        return( ret );
-    p += output_len;
+        /* Write key_share extension
+        *
+        * We need to send the key shares under three conditions:
+        * 1) A certificate-based ciphersuite is being offered. In this case
+        *    supported_groups and supported_signature extensions have been
+        *    successfully added.
+        * 2) A PSK-based ciphersuite with ECDHE is offered. In this case the
+        *    psk_key_exchange_modes has been added as the last extension.
+        * 3) Or, in case all ciphers are supported ( which includes #1 and #2
+        *    from above )
+        */
+        ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
+        if( ret != 0 )
+            return( ret );
+        p += output_len;
 
-    /* Write signature_algorithms extension
-     *
-     * It is REQUIRED for certificate authenticated cipher_suites.
-     */
-    ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len );
-    if( ret != 0 )
-        return( ret );
-    p += output_len;
-
+        /* Write signature_algorithms extension
+        *
+        * It is REQUIRED for certificate authenticated cipher_suites.
+        */
+        ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len );
+        if( ret != 0 )
+            return( ret );
+        p += output_len;
+    }
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)