From 8731587e41379e8ea5cd7ddda7e418059947ed7a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 26 Feb 2026 12:06:19 +0100 Subject: [PATCH] tls13: Commit to session resume only when we actually do it Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index b0e22230aa..19aa0e6b32 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1755,6 +1755,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } + if (handshake->key_exchange_mode != + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) { + hrr_required = (no_usable_share_for_key_agreement != 0); + } + #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) if (handshake->key_exchange_mode & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL) { @@ -1765,17 +1770,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, ((unsigned) psk.ciphersuite_info->id), psk.ciphersuite_info->name)); - if (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { + if (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION && (!hrr_required)) { handshake->resume = 1; } } #endif - if (handshake->key_exchange_mode != - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) { - hrr_required = (no_usable_share_for_key_agreement != 0); - } - mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info); return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;