Allow the server to change the ciphersuite on resume
[openssl.git] / ssl / s3_lib.c
index ffbe663..e8bda66 100644 (file)
@@ -3728,11 +3728,24 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
             (DTLS_VERSION_LT(s->version, c->min_dtls) ||
              DTLS_VERSION_GT(s->version, c->max_dtls)))
             continue;
-        /*
-         * Since TLS 1.3 ciphersuites can be used with any auth or
-         * key exchange scheme skip tests.
-         */
-        if (!SSL_IS_TLS13(s)) {
+
+        if (SSL_IS_TLS13(s)) {
+            /*
+             * We must choose a ciphersuite that has a digest compatible with
+             * the session, unless we're going to do an HRR in which case we
+             * will just choose our most preferred ciphersuite regardless of
+             * whether it is compatible with the session or not.
+             */
+            if (s->hit
+                    && !s->hello_retry_request
+                    && ssl_md(c->algorithm2)
+                       != ssl_md(s->session->cipher->algorithm2))
+                continue;
+        } else {
+            /*
+             * These tests do not apply to TLS 1.3 ciphersuites because they can
+             * be used with any auth or key exchange scheme.
+             */
             mask_k = s->s3->tmp.mask_k;
             mask_a = s->s3->tmp.mask_a;
 #ifndef OPENSSL_NO_SRP
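Review bot: The `!s->hello_retry_request` exemption in the new TLS 1.3 branch lets the loop return a ciphersuite whose digest differs from the resumed session's, and nothing in this hunk shows where the session is then dropped. In TLS 1.3 a PSK is bound to its hash, so resuming under a different digest would be invalid. If the caller handles this after the HelloRetryRequest, the comment should say so, e.g. `/* On HRR the caller must abandon resumption if the digests differ. */`. Separately, `s->session->cipher->algorithm2` is dereferenced whenever `s->hit` is set without a NULL check on `s->session->cipher`; that is presumably guaranteed for a resumed session, but a guard such as `&& s->session->cipher != NULL` or a comment stating the invariant would make it explicit. ssl3_choose_cipher starts and ends outside the hunk, so both points need confirming against the rest of the function and its callers.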