diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 8970dd4297..3d6f6266bd 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1909,30 +1909,25 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) goto cleanup; } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->handshake->received_extensions & - MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && - ssl->handshake->selected_identity != 0) { + if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && + (handshake->selected_identity != 0 || + handshake->ciphersuite_info->id != + ssl->session_negotiate->ciphersuite)) { /* RFC8446 4.2.11 * If the server supplies an "early_data" extension, the * client MUST verify that the server's selected_identity * is 0. If any other value is returned, the client MUST * abort the handshake with an "illegal_parameter" alert. + * + * Clients MUST verify that the server selected a cipher suite + * indicating a Hash associated with the PSK, If this value are + * not consistent, the client MUST abort the handshake with an + * "illegal_parameter" alert. */ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } - if (ssl->handshake->received_extensions & - MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && - ssl->handshake->ciphersuite_info->id != - ssl->session_negotiate->ciphersuite) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Invalid ciphersuite for session ticket psk.")); - - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); - return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; - } #endif if (!mbedtls_ssl_conf_tls13_check_kex_modes(ssl, handshake->key_exchange_mode)) {