From a709a0f2c62b89f11a1b277bbf13a5a2d85ce96b Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 27 Sep 2022 16:46:11 +0200
Subject: [PATCH] tls13: Declare PSK ephemeral key exchange mode first

In the PSK exchange modes extension declare first PSK ephemeral if we support both PSK ephemeral and PSK. This is aligned with our implementation giving precedence to PSK ephemeral over pure PSK and improve compatibility with GnuTLS.

Signed-off-by: Ronald Cron
---
 library/ssl_tls13_client.c             | 16 ++++++++--------
 tests/opt-testcases/tls13-kex-modes.sh | 13 +++++++------
 tests/ssl-opt.sh                       |  2 +-
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 72f48577a..ac19f6308 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -648,14 +648,6 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
      */
     p += 5;
 
-    if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
-    {
-        *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
-        ke_modes_len++;
-
-        MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
-    }
-
     if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
     {
         *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
@@ -664,6 +656,14 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
     }
 
+    if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
+    {
+        *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
+        ke_modes_len++;
+
+        MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
+    }
+
     /* Now write the extension and ke_modes length */
     MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
     buf[4] = ke_modes_len;
diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh
index f4997402f..4f62ed69b 100755
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
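Review bot: In the second hunk the write order — PSK-ECDHE before pure PSK — is now the only thing that conveys the client's preference, and nothing in the code records that the order is deliberate; as far as this patch shows, swapping the two branches back would only be caught by the GnuTLS interop cases in tls13-kex-modes.sh. I would put a comment above the `psk_ephemeral_enabled` branch: `/* Advertise PSK-ECDHE before pure PSK: it is the mode we prefer (it provides forward secrecy), and some servers (GnuTLS in our tests) take the first listed mode rather than falling back to the next one. */`. The `*p++` writes depend on a length check that is not in the hunk — ssl_tls13_write_psk_key_exchange_modes_ext starts before it — so I am assuming the space for up to two mode bytes is reserved there; worth confirming since the reorder does not change how many bytes are written.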
@@ -3212,7 +3212,7 @@ run_test "TLS 1.3: m->G: psk_all/all, good" \
          -s "Parsing extension 'PSK Key Exchange Modes/45'" \
          -s "Parsing extension 'Pre Shared Key/41'" \
          -c "<= write client hello" \
-         -c "Selected key exchange mode: psk$" \
+         -c "Selected key exchange mode: psk_ephemeral" \
          -c "HTTP/1.0 200 OK"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3222,10 +3222,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3: m->G: psk_all/ephemeral_all, fail - no fallback" \
+run_test "TLS 1.3: m->G: psk_all/ephemeral_all, good" \
          "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
          "$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \
-         1 \
+         0 \
          -c "=> write client hello" \
          -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
          -c "client hello, adding psk_key_exchange_modes extension" \
@@ -3233,7 +3233,8 @@ run_test "TLS 1.3: m->G: psk_all/ephemeral_all, fail - no fallback" \
          -s "Parsing extension 'PSK Key Exchange Modes/45'" \
          -s "Parsing extension 'Pre Shared Key/41'" \
          -c "<= write client hello" \
-         -c "Last error was: -0x7780 - SSL - A fatal alert message was received from our peer"
+         -c "Selected key exchange mode: psk_ephemeral" \
+         -c "HTTP/1.0 200 OK"
 
 #GNUTLS-SERVER psk_ephemeral mode
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3366,7 +3367,7 @@ run_test "TLS 1.3: m->G: all/all, good" \
          -s "Parsing extension 'PSK Key Exchange Modes/45'" \
          -s "Parsing extension 'Pre Shared Key/41'" \
          -c "<= write client hello" \
-         -c "Selected key exchange mode: psk$" \
+         -c "Selected key exchange mode: psk_ephemeral" \
          -c "HTTP/1.0 200 OK"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
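Review bot: The `psk_all/ephemeral_all` hunk now passes because the server that accepts only (EC)DHE-PSK sees PSK-ECDHE listed first, but the mirror case — a GnuTLS server allowing only pure PSK (`-KX-ALL:+PSK`) while the client offers `psk_all` — is the one that would show whether GnuTLS falls back to the second listed mode now that pure PSK is no longer first, and it is not among the hunks here. If a `psk_all/psk_all` case exists elsewhere in the file it covers this; otherwise one should be added next to the renamed test, since every expectation visible in these hunks now reads `Selected key exchange mode: psk_ephemeral` and the pure-PSK selection path against GnuTLS is not exercised by them. The old pattern `psk$` needed its anchor to avoid matching `psk_ephemeral`; the new unanchored `psk_ephemeral` is safe because none of the other mode names shown (`psk`, `ephemeral`) contain it.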
@@ -3388,5 +3389,5 @@ run_test "TLS 1.3: m->G: all/ephemeral_all, good" \
          -s "Parsing extension 'PSK Key Exchange Modes/45'" \
          -s "Parsing extension 'Pre Shared Key/41'" \
          -c "<= write client hello" \
-         -c "Selected key exchange mode: ephemeral" \
+         -c "Selected key exchange mode: psk_ephemeral" \
          -c "HTTP/1.0 200 OK"
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index e2f9206ec..a75b3f593 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -12882,7 +12882,7 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 run_test    "TLS 1.3: NewSessionTicket: Basic check, m->G" \
-            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --disable-client-cert" \
+            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \
             "$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
             0 \
             -c "Protocol is TLSv1.3" \
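Review bot: Dropping `:+CIPHER-ALL:+PSK` from the GnuTLS priority string in the NewSessionTicket test leaves no record of why the default `NORMAL` set is now sufficient, and the assertions that would show which PSK mode the resumed session negotiated lie past the end of the hunk (the `run_test` call continues beyond it). A one-line comment above the call would spare the next person a bisect, e.g. `# GnuTLS NORMAL priorities suffice: with PSK-ECDHE advertised first, resumption is expected to use psk_ephemeral`. I am inferring that intent from the commit message and from the `PSK_EPHEMERAL_ENABLED` requirement on the lines just above; confirm against the expectations below the hunk before adopting the wording.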