Cypherpunks repositories - gostls13.git/commit

author	Roland Shoemaker <roland@golang.org>
	Mon, 26 Jan 2026 18:55:32 +0000 (10:55 -0800)
committer	Gopher Robot <gobot@golang.org>
	Wed, 28 Jan 2026 22:00:44 +0000 (14:00 -0800)
commit	feaa88bbce2637dbbd9c43437a7816fadf1f4ab9
tree	f26aea3612973262d9c8427f76dfa1b570173e24	tree
parent	a1d9a25ddc3f3446a015f74c998635ff134409ca	commit \| diff

[release-branch.go1.26] crypto/tls: add verifiedChains expiration checking during resumption

When resuming a session, check that the verifiedChains contain at least
one chain that is still valid at the time of resumption. If not, trigger
a new handshake.

Updates #77113
Updates #77357
Updates CVE-2025-68121

Change-Id: I14f585c43da17802513cbdd5b10c552d7a38b34e
Reviewed-on: https://go-review.googlesource.com/c/go/+/739321
Reviewed-by: Coia Prant <coiaprant@gmail.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/740003
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>

src/crypto/tls/common.go		diff \| blob \| history
src/crypto/tls/handshake_client.go		diff \| blob \| history
src/crypto/tls/handshake_server.go		diff \| blob \| history
src/crypto/tls/handshake_server_test.go		diff \| blob \| history
src/crypto/tls/handshake_server_tls13.go		diff \| blob \| history