Tolerate cipher changes on TLS 1.3 resumption as a client.
As a client, we must tolerate this to avoid interoperability failures
with allowed server behaviors.
BUG=117
Change-Id: I9c40a2a048282e2e63ab5ee1d40773fc2eda110a
Reviewed-on: https://boringssl-review.googlesource.com/12311
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 8a18e8f..ad71167 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5805,6 +5805,8 @@
expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
})
+ // Session resumption in TLS 1.3 may change the cipher suite if the PRF
+ // matches.
testCases = append(testCases, testCase{
name: "Resume-Client-CipherMismatch-TLS13",
resumeSession: true,
@@ -5814,13 +5816,27 @@
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
+ CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
+ },
+ })
+
+ // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
+ testCases = append(testCases, testCase{
+ name: "Resume-Client-PRFMismatch-TLS13",
+ resumeSession: true,
+ config: Config{
+ MaxVersion: VersionTLS13,
+ CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
+ },
+ resumeConfig: &Config{
+ MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SendCipherSuite: TLS_AES_256_GCM_SHA384,
},
},
shouldFail: true,
- expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
+ expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
})
testCases = append(testCases, testCase{
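Review bot: The new "Resume-Client-PRFMismatch-TLS13" case pins the failure path, but the tolerated path in "Resume-Client-CipherMismatch-TLS13" above it only proves the client does not abort; it would also pass if the server silently declined the PSK and fell back to a full handshake. Unless the runner already fails a `resumeSession: true` case whose second connection did not resume, an explicit check that the resumed connection reports `DidResume` would make the test assert the behaviour the commit message describes. The `config` block of the CipherMismatch case sits above this hunk, so its offered suites are not visible here.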
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index ee82535..4a30ce3 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -241,8 +241,8 @@
return ssl_hs_error;
}
- if (ssl->session->cipher != cipher) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+ if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
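Review bot: The replaced condition now dereferences `ssl->session->cipher` where the old code only compared the pointer, so if a resumed session can reach this point with a NULL cipher (for instance one whose cipher was not recognised when the ticket or cache entry was parsed) this becomes a NULL dereference instead of a clean alert; if that cannot happen on this path, an `assert(ssl->session->cipher != NULL)` next to the check would document the invariant. The enclosing function starts before and ends after this hunk, so whether the session-reused branch guarantees a parsed cipher is not visible here. A one-line comment above the `if` would also help the next reader, e.g. `/* On resumption the server may pick a different cipher suite, but the PSK's hash must match the suite's PRF. */`.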