From 57dbd69945e60ab2b47338d97c89dc8cf2237d01 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Mon, 26 Aug 2024 12:04:39 +0200
Subject: [PATCH] TLS 1.3 server: move crypto_init after protocol negotiation

This reduces the workflows where psa_crypto_init is called when not necessary: it won't be called when a dual-version server receives a 1.2-only ClientHello.

Signed-off-by: Gilles Peskine
---
 library/ssl_tls13_server.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 616d2ee57..693edc7b0 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1412,6 +1412,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
     ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
     ssl->session_negotiate->endpoint = ssl->conf->endpoint;
 
+    /* Before doing any crypto, make sure we can. */
+    ret = mbedtls_ssl_tls13_crypto_init(ssl);
+    if (ret != 0) {
+        return ret;
+    }
+
     /*
      * We are negotiating the version 1.3 of the protocol. Do what we have
      * postponed: copy of the client random bytes, copy of the legacy session
@@ -1948,11 +1954,6 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
 
-    ret = mbedtls_ssl_tls13_crypto_init(ssl);
-    if (ret != 0) {
-        return ret;
-    }
-
     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
                              ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, &buf, &buflen));
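Review bot: The comment `/* Before doing any crypto, make sure we can. */` in the first hunk understates the invariant this move creates: psa_crypto_init is no longer guaranteed at entry to ssl_tls13_parse_client_hello (the second hunk removes the call from ssl_tls13_process_client_hello), so everything in the function above this point, and the TLS 1.2 fallback path it returns into, must stay free of PSA calls. Suggest making that explicit, e.g. `/* We have now committed to TLS 1.3, which requires PSA crypto. Nothing above this point may use PSA: the TLS 1.2 fallback path must work without psa_crypto_init(). */`. I assume the parsing above this point (legacy session id, cipher suites, extension scan) uses no PSA primitives, but that cannot be confirmed from the hunk alone; a note in the function header comment, or a test that sends a 1.2-only ClientHello to a dual-version server on a build where psa_crypto_init is made to fail, would pin the intended behaviour. ssl_tls13_parse_client_hello starts and ends outside the hunk.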