Allow the server to change the ciphersuite on resume (a055a881) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/err/openssl.txt

+1 −0

Original line number	Diff line number	Diff line
		@@ -2158,6 +2158,7 @@ SSL_R_CCS_RECEIVED_EARLY:133:ccs received early
		SSL_R_CERTIFICATE_VERIFY_FAILED:134:certificate verify failed
		SSL_R_CERT_CB_ERROR:377:cert cb error
		SSL_R_CERT_LENGTH_MISMATCH:135:cert length mismatch
		SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED:218:ciphersuite digest has changed
		SSL_R_CIPHER_CODE_WRONG_LENGTH:137:cipher code wrong length
		SSL_R_CIPHER_OR_HASH_UNAVAILABLE:138:cipher or hash unavailable
		SSL_R_CLIENTHELLO_TLSEXT:226:clienthello tlsext

+1 −0

Original line number	Diff line number	Diff line
		@@ -403,6 +403,7 @@ int ERR_load_SSL_strings(void);
		# define SSL_R_CERTIFICATE_VERIFY_FAILED 134
		# define SSL_R_CERT_CB_ERROR 377
		# define SSL_R_CERT_LENGTH_MISMATCH 135
		# define SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED 218
		# define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
		# define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
		# define SSL_R_CLIENTHELLO_TLSEXT 226

+18 −5

Original line number	Diff line number	Diff line
		@@ -3728,11 +3728,24 @@ const SSL_CIPHER ssl3_choose_cipher(SSL s, STACK_OF(SSL_CIPHER) *clnt,
		(DTLS_VERSION_LT(s->version, c->min_dtls) \|\|
		DTLS_VERSION_GT(s->version, c->max_dtls)))
		continue;

		if (SSL_IS_TLS13(s)) {
		/*
		* We must choose a ciphersuite that has a digest compatible with
		* the session, unless we're going to do an HRR in which case we
		* will just choose our most preferred ciphersuite regardless of
		* whether it is compatible with the session or not.
		*/
		if (s->hit
		&& !s->hello_retry_request
		&& ssl_md(c->algorithm2)
		!= ssl_md(s->session->cipher->algorithm2))
		continue;
		} else {
		/*
		* Since TLS 1.3 ciphersuites can be used with any auth or
		* key exchange scheme skip tests.
		* These tests do not apply to TLS 1.3 ciphersuites because they can
		* be used with any auth or key exchange scheme.
		*/
		if (!SSL_IS_TLS13(s)) {
		mask_k = s->s3->tmp.mask_k;
		mask_a = s->s3->tmp.mask_a;
		#ifndef OPENSSL_NO_SRP

+2 −0

Original line number	Diff line number	Diff line
		@@ -622,6 +622,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
		{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_CB_ERROR), "cert cb error"},
		{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_LENGTH_MISMATCH),
		"cert length mismatch"},
		{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED),
		"ciphersuite digest has changed"},
		{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH),
		"cipher code wrong length"},
		{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_OR_HASH_UNAVAILABLE),

+20 −3

Original line number	Diff line number	Diff line
		@@ -1268,10 +1268,27 @@ static int set_client_ciphersuite(SSL s, const unsigned char cipherchars)
		if (s->session->cipher != NULL)
		s->session->cipher_id = s->session->cipher->id;
		if (s->hit && (s->session->cipher_id != c->id)) {
		if (SSL_IS_TLS13(s)) {
		/*
		* In TLSv1.3 it is valid for the server to select a different
		* ciphersuite as long as the hash is the same.
		*/
		if (ssl_md(c->algorithm2)
		!= ssl_md(s->session->cipher->algorithm2)) {
		SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE,
		SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
		return 0;
		}
		} else {
		/*
		* Prior to TLSv1.3 resuming a session always meant using the same
		* ciphersuite.
		*/
		SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE,
		SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
		return 0;
		}
		}
		s->s3->tmp.new_cipher = c;

		return 1;