[nrf fromtree] Clarify the need for calling mbedtls_ssl_derive_keys after extension parsing

Andrzej Kurek · SebastianBoe · commit 599aff024b33 · 2022-09-26T16:22:21.000+02:00
Use a more straightforward condition to note that session resumption is happening. Co-authored-by: Ronald Cron <ronald.cron@arm.com> Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com> Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no> (cherry picked from commit 21b5080)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
@@ -2368,7 +2368,12 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
         }
     }
 
-    if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+    /*
+     * mbedtls_ssl_derive_keys() has to be called after the parsing of the
+     * extensions. It sets the transform data for the resumed session which in
+     * case of DTLS includes the server CID extracted from the CID extension.
+     */
+    if( ssl->handshake->resume )
     {
         if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
         {

Original file line number	Diff line number	Diff line change
`@@ -2368,7 +2368,12 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )`
`2368`	`2368`	`}`
`2369`	`2369`	`}`
`2370`	`2370`
`2371`		`- if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )`
	`2371`	`+ /*`
	`2372`	`+ * mbedtls_ssl_derive_keys() has to be called after the parsing of the`
	`2373`	`+ * extensions. It sets the transform data for the resumed session which in`
	`2374`	`+ * case of DTLS includes the server CID extracted from the CID extension.`
	`2375`	`+ */`
	`2376`	`+ if( ssl->handshake->resume )`
`2372`	`2377`	`{`
`2373`	`2378`	`if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )`
`2374`	`2379`	`{`