mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 20:40:53 +02:00
F-5811: verify resumed cipher suite matches cached session
On session-ID resumption the client only checked that the server's selected suite was in its offered list, not that it equaled the resumed session's suite, so a server could resume the session ID under a different cipher suite. Per RFC 5246 Section 7.4.1.2 / F.1.4 a resumed session reuses its negotiated suite; abort with a fatal illegal_parameter on mismatch.
This commit is contained in:
@@ -32279,6 +32279,25 @@ static void MakePSKPreMasterSecret(Arrays* arrays, byte use_psk_key)
|
||||
WOLFSSL_ERROR_VERBOSE(EXT_MASTER_SECRET_NEEDED_E);
|
||||
return EXT_MASTER_SECRET_NEEDED_E;
|
||||
}
|
||||
#ifndef NO_RESUME_SUITE_CHECK
|
||||
/* RFC 5246 Section 7.4.1.3: on resumption the ServerHello
|
||||
* reuses the previously negotiated cipher suite. Reject a
|
||||
* server that resumes the session but selects a different
|
||||
* suite. Skipped for ticket resumption (suite is bound in the
|
||||
* ticket), consistent with the EMS check above. */
|
||||
if (
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
ssl->session->ticketLen == 0 &&
|
||||
#endif
|
||||
(ssl->options.cipherSuite0 != ssl->session->cipherSuite0 ||
|
||||
ssl->options.cipherSuite != ssl->session->cipherSuite)) {
|
||||
WOLFSSL_MSG("Resumed session cipher suite does not match "
|
||||
"ServerHello cipher suite");
|
||||
SendAlert(ssl, alert_fatal, illegal_parameter);
|
||||
WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR);
|
||||
return MATCH_SUITE_ERROR;
|
||||
}
|
||||
#endif /* NO_RESUME_SUITE_CHECK */
|
||||
if (SetCipherSpecs(ssl) == 0) {
|
||||
if (!HaveUniqueSessionObj(ssl)) {
|
||||
WOLFSSL_MSG("Unable to have unique session object");
|
||||
|
||||
Reference in New Issue
Block a user