runner: Check that the server did not resume a session at the wrong version/cipher

The TLS 1.3 side was missing a version check, which is technically a no-op (only one TLS 1.3 version), but maybe there will be a TLS 1.4 someday. The TLS 1.2 side was missing all of these checks.

We already explicitly tested the server behavior, so we weren't missing any test coverage here, but since this is a protocol-wide rule, not specific to those tests, we should assert on this in the handshake logic itself.

Change-Id: I136fa9fc69108c1ed09952f2f0d25c196fa3b041
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/89469
Reviewed-by: Lily Chen <chlily@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go index 96f0298..f2f9c97 100644 --- a/ssl/test/runner/handshake_client.go +++ b/ssl/test/runner/handshake_client.go
@@ -1152,8 +1152,12 @@ c.sendAlert(alertUnknownPSKIdentity) return errors.New("tls: server sent unknown PSK identity") } + if hs.session.wireVersion != c.wireVersion { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server resumed an invalid session for the protocol version") + } if hs.session.cipherSuite.hash() != hs.suite.hash() { - c.sendAlert(alertHandshakeFailure) + c.sendAlert(alertIllegalParameter) return errors.New("tls: server resumed an invalid session for the cipher suite") } pskSecret = hs.session.secret @@ -2195,6 +2199,14 @@ return false, errors.New("tls: server resumed session on renegotiation") } + if hs.session.wireVersion != c.wireVersion { + return false, errors.New("tls: server resumed an invalid session for the protocol version") + } + + if hs.session.cipherSuite.id != hs.suite.id { + return false, errors.New("tls: server resumed an invalid session for the cipher suite") + } + if hs.serverHello.extensions.sctList != nil { return false, errors.New("tls: server sent SCT extension on session resumption") }
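Review bot: in the first hunk (@@ -1152), the cipher-suite mismatch now sends alertIllegalParameter where it used to send alertHandshakeFailure, and the commit message only describes adding missing checks. Please mention the alert change in the message. A one-line comment would also help on why this path compares `hs.session.cipherSuite.hash()` while the check added at @@ -2195 compares `.id`, since both return the same error string and a reader cannot tell from the log which rule failed.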
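Review bot: in the second hunk (@@ -2195), the new version and cipher-suite checks return an error without calling c.sendAlert, while the matching checks in the first hunk send alertIllegalParameter before returning. The SCT check visible just below also returns without an alert, so this may be the convention in this function; if it is not, add `c.sendAlert(alertIllegalParameter)` to both new branches so the two handshake paths fail the same way on the wire.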