@@ -38,6 +38,9 @@ SRC_URI += "\
file://CVE-2025-68119-dependent.patch \
file://CVE-2025-68119.patch \
file://CVE-2025-61732.patch \
+ file://CVE-2025-68121_p1.patch \
+ file://CVE-2025-68121_p2.patch \
+ file://CVE-2025-68121_p3.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
new file mode 100644
@@ -0,0 +1,253 @@
+From 529caf01aff2314585688c0f92f009d0ad0914be Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 26 Jan 2026 10:55:32 -0800
+Subject: [PATCH 1/2] [release-branch.go1.24] crypto/tls: add verifiedChains
+ expiration checking during resumption
+
+When resuming a session, check that the verifiedChains contain at least
+one chain that is still valid at the time of resumption. If not, trigger
+a new handshake.
+
+Updates #77113
+Updates #77355
+Updates CVE-2025-68121
+
+CVE: CVE-2025-68121
+Upstream-Status: Backport [https://github.com/golang/go/commit/5f07b226f9aa]
+
+Change-Id: I14f585c43da17802513cbdd5b10c552d7a38b34e
+Reviewed-on: https://go-review.googlesource.com/c/go/+/739321
+Reviewed-by: Coia Prant <coiaprant@gmail.com>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/740061
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Nicholas Husin <nsh@golang.org>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 5f07b226f9aa185aca4b88a9ae58456d7800fc06)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/crypto/tls/common.go | 13 +++
+ src/crypto/tls/handshake_client.go | 10 +-
+ src/crypto/tls/handshake_server.go | 2 +-
+ src/crypto/tls/handshake_server_test.go | 122 +++++++++++++++++++++++
+ src/crypto/tls/handshake_server_tls13.go | 2 +-
+ 5 files changed, 144 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
+index 849e8b0a20..738c7e100b 100644
+--- a/src/crypto/tls/common.go
++++ b/src/crypto/tls/common.go
+@@ -1555,3 +1555,16 @@ func (e *CertificateVerificationError) Error() string {
+ func (e *CertificateVerificationError) Unwrap() error {
+ return e.Err
+ }
++
++// anyUnexpiredChain reports if at least one of verifiedChains is still
++// unexpired. If verifiedChains is empty, it returns false.
++func anyUnexpiredChain(verifiedChains [][]*x509.Certificate, now time.Time) bool {
++ for _, chain := range verifiedChains {
++ if len(chain) != 0 && !slices.ContainsFunc(chain, func(cert *x509.Certificate) bool {
++ return now.Before(cert.NotBefore) || now.After(cert.NotAfter) // cert is expired
++ }) {
++ return true
++ }
++ }
++ return false
++}
+diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
+index 08a2d47974..c2ff9e1959 100644
+--- a/src/crypto/tls/handshake_client.go
++++ b/src/crypto/tls/handshake_client.go
+@@ -322,9 +322,6 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
+ return nil, nil, nil, nil
+ }
+
+- // Check that the cached server certificate is not expired, and that it's
+- // valid for the ServerName. This should be ensured by the cache key, but
+- // protect the application from a faulty ClientSessionCache implementation.
+ if c.config.time().After(session.peerCertificates[0].NotAfter) {
+ // Expired certificate, delete the entry.
+ c.config.ClientSessionCache.Put(cacheKey, nil)
+@@ -336,6 +333,13 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
+ return nil, nil, nil, nil
+ }
+ if err := session.peerCertificates[0].VerifyHostname(c.config.ServerName); err != nil {
++ // This should be ensured by the cache key, but protect the
++ // application from a faulty ClientSessionCache implementation.
++ return nil, nil, nil, nil
++ }
++ if !anyUnexpiredChain(session.verifiedChains, c.config.time()) {
++ // No valid chains, delete the entry.
++ c.config.ClientSessionCache.Put(cacheKey, nil)
+ return nil, nil, nil, nil
+ }
+ }
+diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
+index 17b6891783..608b2535f1 100644
+--- a/src/crypto/tls/handshake_server.go
++++ b/src/crypto/tls/handshake_server.go
+@@ -483,7 +483,7 @@ func (hs *serverHandshakeState) checkForResumption() error {
+ return nil
+ }
+ if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
+- len(sessionState.verifiedChains) == 0 {
++ !anyUnexpiredChain(sessionState.verifiedChains, c.config.time()) {
+ return nil
+ }
+
+diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go
+index 0f10a3e7a6..9eff106ecf 100644
+--- a/src/crypto/tls/handshake_server_test.go
++++ b/src/crypto/tls/handshake_server_test.go
+@@ -12,6 +12,7 @@ import (
+ "crypto/elliptic"
+ "crypto/rand"
+ "crypto/x509"
++ "crypto/x509/pkix"
+ "encoding/pem"
+ "errors"
+ "fmt"
+@@ -2049,3 +2050,124 @@ func TestHandshakeContextHierarchy(t *testing.T) {
+ t.Errorf("Unexpected client error: %v", err)
+ }
+ }
++
++func TestHandshakeChainExpiryResumption(t *testing.T) {
++ t.Run("TLS1.2", func(t *testing.T) {
++ testHandshakeChainExpiryResumption(t, VersionTLS12)
++ })
++ t.Run("TLS1.3", func(t *testing.T) {
++ testHandshakeChainExpiryResumption(t, VersionTLS13)
++ })
++}
++
++func testHandshakeChainExpiryResumption(t *testing.T, version uint16) {
++ now := time.Now()
++
++ createChain := func(leafNotAfter, rootNotAfter time.Time) (leafDER, expiredLeafDER []byte, root *x509.Certificate) {
++ tmpl := &x509.Certificate{
++ Subject: pkix.Name{CommonName: "root"},
++ NotBefore: rootNotAfter.Add(-time.Hour * 24),
++ NotAfter: rootNotAfter,
++ IsCA: true,
++ BasicConstraintsValid: true,
++ }
++ rootDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++ root, err = x509.ParseCertificate(rootDER)
++ if err != nil {
++ t.Fatalf("ParseCertificate: %v", err)
++ }
++
++ tmpl = &x509.Certificate{
++ Subject: pkix.Name{},
++ DNSNames: []string{"expired-resume.example.com"},
++ NotBefore: leafNotAfter.Add(-time.Hour * 24),
++ NotAfter: leafNotAfter,
++ KeyUsage: x509.KeyUsageDigitalSignature,
++ }
++ leafCertDER, err := x509.CreateCertificate(rand.Reader, tmpl, root, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++ tmpl.NotBefore, tmpl.NotAfter = leafNotAfter.Add(-time.Hour*24*365), leafNotAfter.Add(-time.Hour*24*364)
++ expiredLeafDERCertDER, err := x509.CreateCertificate(rand.Reader, tmpl, root, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++
++ return leafCertDER, expiredLeafDERCertDER, root
++ }
++ testExpiration := func(name string, leafNotAfter, rootNotAfter time.Time) {
++ t.Run(name, func(t *testing.T) {
++ initialLeafDER, expiredLeafDER, initialRoot := createChain(leafNotAfter, rootNotAfter)
++
++ serverConfig := testConfig.Clone()
++ serverConfig.MaxVersion = version
++ serverConfig.Certificates = []Certificate{{
++ Certificate: [][]byte{initialLeafDER, expiredLeafDER},
++ PrivateKey: testECDSAPrivateKey,
++ }}
++ serverConfig.ClientCAs = x509.NewCertPool()
++ serverConfig.ClientCAs.AddCert(initialRoot)
++ serverConfig.ClientAuth = RequireAndVerifyClientCert
++ serverConfig.Time = func() time.Time {
++ return now
++ }
++ serverConfig.InsecureSkipVerify = false
++ serverConfig.ServerName = "expired-resume.example.com"
++
++ clientConfig := testConfig.Clone()
++ clientConfig.MaxVersion = version
++ clientConfig.Certificates = []Certificate{{
++ Certificate: [][]byte{initialLeafDER, expiredLeafDER},
++ PrivateKey: testECDSAPrivateKey,
++ }}
++ clientConfig.RootCAs = x509.NewCertPool()
++ clientConfig.RootCAs.AddCert(initialRoot)
++ clientConfig.ServerName = "expired-resume.example.com"
++ clientConfig.ClientSessionCache = NewLRUClientSessionCache(32)
++ clientConfig.InsecureSkipVerify = false
++ clientConfig.ServerName = "expired-resume.example.com"
++ clientConfig.Time = func() time.Time {
++ return now
++ }
++
++ testResume := func(t *testing.T, sc, cc *Config, expectResume bool) {
++ t.Helper()
++ ss, cs, err := testHandshake(t, cc, sc)
++ if err != nil {
++ t.Fatalf("handshake: %v", err)
++ }
++ if cs.DidResume != expectResume {
++ t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
++ }
++ if ss.DidResume != expectResume {
++ t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
++ }
++ }
++
++ testResume(t, serverConfig, clientConfig, false)
++ testResume(t, serverConfig, clientConfig, true)
++
++ expiredNow := time.Unix(0, min(leafNotAfter.UnixNano(), rootNotAfter.UnixNano())).Add(time.Minute)
++
++ freshLeafDER, expiredLeafDER, freshRoot := createChain(expiredNow.Add(time.Hour), expiredNow.Add(time.Hour))
++ clientConfig.Certificates = []Certificate{{
++ Certificate: [][]byte{freshLeafDER, expiredLeafDER},
++ PrivateKey: testECDSAPrivateKey,
++ }}
++ serverConfig.Time = func() time.Time {
++ return expiredNow
++ }
++ serverConfig.ClientCAs = x509.NewCertPool()
++ serverConfig.ClientCAs.AddCert(freshRoot)
++
++ testResume(t, serverConfig, clientConfig, false)
++ })
++ }
++
++ testExpiration("LeafExpiresBeforeRoot", now.Add(2*time.Hour), now.Add(3*time.Hour))
++ testExpiration("LeafExpiresAfterRoot", now.Add(2*time.Hour), now.Add(time.Hour))
++}
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 5aa69e9640..a48a296721 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
++++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -346,7 +346,7 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
+ continue
+ }
+ if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
+- len(sessionState.verifiedChains) == 0 {
++ !anyUnexpiredChain(sessionState.verifiedChains, c.config.time()) {
+ continue
+ }
+
+--
+2.35.6
new file mode 100644
@@ -0,0 +1,385 @@
+From c22ca724688b18d51b4bbf97ec42914a7b2642c5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 26 Jan 2026 11:18:45 -0800
+Subject: [PATCH] [release-branch.go1.24] crypto/tls: check verifiedChains
+ roots when resuming sessions
+
+When resuming TLS sessions, on the server and client verify that the
+chains stored in the session state (verifiedChains) are still acceptable
+with regards to the Config by checking for the inclusion of the root in
+either ClientCAs (server) or RootCAs (client). This prevents resuming
+a session with a certificate chain that would be rejected during a full
+handshake due to an untrusted root.
+
+Updates #77113
+Updates #77355
+Updates CVE-2025-68121
+
+CVE: CVE-2025-68121
+Upstream-Status: Backport [https://github.com/golang/go/commit/cb75daf3b291]
+
+Backport Changes:
+- In src/crypto/tls/common.go, the upstream fix introduces the use of
+ slices.ContainsFunc(). To align with that change, the slices library
+ needs to be imported in our local common.go file as well. Since this
+ package is not available in our current Go version (v1.22), we are
+ adding it manually to resolve the compilation issue.
+- The slices library was originally introduced in Go v1.23 as part of
+ the this commit:https://github.com/golang/go/commit/0b57881571a7
+
+Change-Id: I11fe00909ef1961c24ecf80bf5b97f7b1121d359
+Reviewed-on: https://go-review.googlesource.com/c/go/+/737700
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Coia Prant <coiaprant@gmail.com>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/740062
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Nicholas Husin <nsh@golang.org>
+Reviewed-by: Nicholas Husin <husin@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+(cherry picked from commit cb75daf3b29129620fa4a35ee2d3903e908aeb1c)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/crypto/tls/common.go | 26 ++-
+ src/crypto/tls/handshake_client.go | 7 +-
+ src/crypto/tls/handshake_server.go | 7 +-
+ src/crypto/tls/handshake_server_test.go | 214 +++++++++++++++++++++++
+ src/crypto/tls/handshake_server_tls13.go | 8 +-
+ 5 files changed, 254 insertions(+), 8 deletions(-)
+
+diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
+index 738c7e100b..299d6f32cb 100644
+--- a/src/crypto/tls/common.go
++++ b/src/crypto/tls/common.go
+@@ -21,6 +21,7 @@ import (
+ "internal/godebug"
+ "io"
+ "net"
++ "slices"
+ "strings"
+ "sync"
+ "time"
+@@ -1556,13 +1557,28 @@ func (e *CertificateVerificationError) Unwrap() error {
+ return e.Err
+ }
+
+-// anyUnexpiredChain reports if at least one of verifiedChains is still
+-// unexpired. If verifiedChains is empty, it returns false.
+-func anyUnexpiredChain(verifiedChains [][]*x509.Certificate, now time.Time) bool {
++// anyValidVerifiedChain reports if at least one of the chains in verifiedChains
++// is valid, as indicated by none of the certificates being expired and the root
++// being in opts.Roots (or in the system root pool if opts.Roots is nil). If
++// verifiedChains is empty, it returns false.
++func anyValidVerifiedChain(verifiedChains [][]*x509.Certificate, opts x509.VerifyOptions) bool {
+ for _, chain := range verifiedChains {
+- if len(chain) != 0 && !slices.ContainsFunc(chain, func(cert *x509.Certificate) bool {
+- return now.Before(cert.NotBefore) || now.After(cert.NotAfter) // cert is expired
++ if len(chain) == 0 {
++ continue
++ }
++ if slices.ContainsFunc(chain, func(cert *x509.Certificate) bool {
++ return opts.CurrentTime.Before(cert.NotBefore) || opts.CurrentTime.After(cert.NotAfter)
+ }) {
++ continue
++ }
++ // Since we already validated the chain, we only care that it is
++ // rooted in a CA in CAs, or in the system pool. On platforms where
++ // we control chain validation (e.g. not Windows or macOS) this is a
++ // simple lookup in the CertPool internal hash map. On other
++ // platforms, this may be more expensive, depending on how they
++ // implement verification of just root certificates.
++ root := chain[len(chain)-1]
++ if _, err := root.Verify(opts); err == nil {
+ return true
+ }
+ }
+diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
+index c2ff9e1959..c8746b1023 100644
+--- a/src/crypto/tls/handshake_client.go
++++ b/src/crypto/tls/handshake_client.go
+@@ -337,7 +337,12 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
+ // application from a faulty ClientSessionCache implementation.
+ return nil, nil, nil, nil
+ }
+- if !anyUnexpiredChain(session.verifiedChains, c.config.time()) {
++ opts := x509.VerifyOptions{
++ CurrentTime: c.config.time(),
++ Roots: c.config.RootCAs,
++ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
++ }
++ if !anyValidVerifiedChain(session.verifiedChains, opts) {
+ // No valid chains, delete the entry.
+ c.config.ClientSessionCache.Put(cacheKey, nil)
+ return nil, nil, nil, nil
+diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
+index 608b2535f1..4e3f5e19fb 100644
+--- a/src/crypto/tls/handshake_server.go
++++ b/src/crypto/tls/handshake_server.go
+@@ -482,8 +482,13 @@ func (hs *serverHandshakeState) checkForResumption() error {
+ if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
+ return nil
+ }
++ opts := x509.VerifyOptions{
++ CurrentTime: c.config.time(),
++ Roots: c.config.ClientCAs,
++ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
++ }
+ if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
+- !anyUnexpiredChain(sessionState.verifiedChains, c.config.time()) {
++ !anyValidVerifiedChain(sessionState.verifiedChains, opts) {
+ return nil
+ }
+
+diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go
+index 9eff106ecf..c44ad51804 100644
+--- a/src/crypto/tls/handshake_server_test.go
++++ b/src/crypto/tls/handshake_server_test.go
+@@ -2171,3 +2171,217 @@ func testHandshakeChainExpiryResumption(t *testing.T, version uint16) {
+ testExpiration("LeafExpiresBeforeRoot", now.Add(2*time.Hour), now.Add(3*time.Hour))
+ testExpiration("LeafExpiresAfterRoot", now.Add(2*time.Hour), now.Add(time.Hour))
+ }
++
++func TestHandshakeGetConfigForClientDifferentClientCAs(t *testing.T) {
++ t.Run("TLS1.2", func(t *testing.T) {
++ testHandshakeGetConfigForClientDifferentClientCAs(t, VersionTLS12)
++ })
++ t.Run("TLS1.3", func(t *testing.T) {
++ testHandshakeGetConfigForClientDifferentClientCAs(t, VersionTLS13)
++ })
++}
++
++func testHandshakeGetConfigForClientDifferentClientCAs(t *testing.T, version uint16) {
++ now := time.Now()
++ tmpl := &x509.Certificate{
++ Subject: pkix.Name{CommonName: "root"},
++ NotBefore: now.Add(-time.Hour * 24),
++ NotAfter: now.Add(time.Hour * 24),
++ IsCA: true,
++ BasicConstraintsValid: true,
++ }
++ rootDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++ rootA, err := x509.ParseCertificate(rootDER)
++ if err != nil {
++ t.Fatalf("ParseCertificate: %v", err)
++ }
++ rootDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++ rootB, err := x509.ParseCertificate(rootDER)
++ if err != nil {
++ t.Fatalf("ParseCertificate: %v", err)
++ }
++
++ tmpl = &x509.Certificate{
++ Subject: pkix.Name{},
++ DNSNames: []string{"example.com"},
++ NotBefore: now.Add(-time.Hour * 24),
++ NotAfter: now.Add(time.Hour * 24),
++ KeyUsage: x509.KeyUsageDigitalSignature,
++ }
++ certDER, err := x509.CreateCertificate(rand.Reader, tmpl, rootA, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++
++ serverConfig := testConfig.Clone()
++ serverConfig.MaxVersion = version
++ serverConfig.Certificates = []Certificate{{
++ Certificate: [][]byte{certDER},
++ PrivateKey: testECDSAPrivateKey,
++ }}
++ serverConfig.Time = func() time.Time {
++ return now
++ }
++ serverConfig.ClientCAs = x509.NewCertPool()
++ serverConfig.ClientCAs.AddCert(rootA)
++ serverConfig.ClientAuth = RequireAndVerifyClientCert
++ switchConfig := false
++ serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) {
++ if !switchConfig {
++ return nil, nil
++ }
++ cfg := serverConfig.Clone()
++ cfg.ClientCAs = x509.NewCertPool()
++ cfg.ClientCAs.AddCert(rootB)
++ return cfg, nil
++ }
++ serverConfig.InsecureSkipVerify = false
++ serverConfig.ServerName = "example.com"
++
++ clientConfig := testConfig.Clone()
++ clientConfig.MaxVersion = version
++ clientConfig.Certificates = []Certificate{{
++ Certificate: [][]byte{certDER},
++ PrivateKey: testECDSAPrivateKey,
++ }}
++ clientConfig.ClientSessionCache = NewLRUClientSessionCache(32)
++ clientConfig.RootCAs = x509.NewCertPool()
++ clientConfig.RootCAs.AddCert(rootA)
++ clientConfig.Time = func() time.Time {
++ return now
++ }
++ clientConfig.InsecureSkipVerify = false
++ clientConfig.ServerName = "example.com"
++
++ testResume := func(t *testing.T, sc, cc *Config, expectResume bool) {
++ t.Helper()
++ ss, cs, err := testHandshake(t, cc, sc)
++ if err != nil {
++ t.Fatalf("handshake: %v", err)
++ }
++ if cs.DidResume != expectResume {
++ t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
++ }
++ if ss.DidResume != expectResume {
++ t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
++ }
++ }
++
++ testResume(t, serverConfig, clientConfig, false)
++ testResume(t, serverConfig, clientConfig, true)
++
++ // Cause GetConfigForClient to return a config cloned from the base config,
++ // but with a different ClientCAs pool. This should cause resumption to fail.
++ switchConfig = true
++
++ testResume(t, serverConfig, clientConfig, false)
++ testResume(t, serverConfig, clientConfig, true)
++}
++
++func TestHandshakeChangeRootCAsResumption(t *testing.T) {
++ t.Run("TLS1.2", func(t *testing.T) {
++ testHandshakeChangeRootCAsResumption(t, VersionTLS12)
++ })
++ t.Run("TLS1.3", func(t *testing.T) {
++ testHandshakeChangeRootCAsResumption(t, VersionTLS13)
++ })
++}
++
++func testHandshakeChangeRootCAsResumption(t *testing.T, version uint16) {
++ now := time.Now()
++ tmpl := &x509.Certificate{
++ Subject: pkix.Name{CommonName: "root"},
++ NotBefore: now.Add(-time.Hour * 24),
++ NotAfter: now.Add(time.Hour * 24),
++ IsCA: true,
++ BasicConstraintsValid: true,
++ }
++ rootDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++ rootA, err := x509.ParseCertificate(rootDER)
++ if err != nil {
++ t.Fatalf("ParseCertificate: %v", err)
++ }
++ rootDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++ rootB, err := x509.ParseCertificate(rootDER)
++ if err != nil {
++ t.Fatalf("ParseCertificate: %v", err)
++ }
++
++ tmpl = &x509.Certificate{
++ Subject: pkix.Name{},
++ DNSNames: []string{"example.com"},
++ NotBefore: now.Add(-time.Hour * 24),
++ NotAfter: now.Add(time.Hour * 24),
++ KeyUsage: x509.KeyUsageDigitalSignature,
++ }
++ certDER, err := x509.CreateCertificate(rand.Reader, tmpl, rootA, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
++ if err != nil {
++ t.Fatalf("CreateCertificate: %v", err)
++ }
++
++ serverConfig := testConfig.Clone()
++ serverConfig.MaxVersion = version
++ serverConfig.Certificates = []Certificate{{
++ Certificate: [][]byte{certDER},
++ PrivateKey: testECDSAPrivateKey,
++ }}
++ serverConfig.Time = func() time.Time {
++ return now
++ }
++ serverConfig.ClientCAs = x509.NewCertPool()
++ serverConfig.ClientCAs.AddCert(rootA)
++ serverConfig.ClientAuth = RequireAndVerifyClientCert
++ serverConfig.InsecureSkipVerify = false
++ serverConfig.ServerName = "example.com"
++
++ clientConfig := testConfig.Clone()
++ clientConfig.MaxVersion = version
++ clientConfig.Certificates = []Certificate{{
++ Certificate: [][]byte{certDER},
++ PrivateKey: testECDSAPrivateKey,
++ }}
++ clientConfig.ClientSessionCache = NewLRUClientSessionCache(32)
++ clientConfig.RootCAs = x509.NewCertPool()
++ clientConfig.RootCAs.AddCert(rootA)
++ clientConfig.Time = func() time.Time {
++ return now
++ }
++ clientConfig.InsecureSkipVerify = false
++ clientConfig.ServerName = "example.com"
++
++ testResume := func(t *testing.T, sc, cc *Config, expectResume bool) {
++ t.Helper()
++ ss, cs, err := testHandshake(t, cc, sc)
++ if err != nil {
++ t.Fatalf("handshake: %v", err)
++ }
++ if cs.DidResume != expectResume {
++ t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
++ }
++ if ss.DidResume != expectResume {
++ t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
++ }
++ }
++
++ testResume(t, serverConfig, clientConfig, false)
++ testResume(t, serverConfig, clientConfig, true)
++
++ clientConfig = clientConfig.Clone()
++ clientConfig.RootCAs = x509.NewCertPool()
++ clientConfig.RootCAs.AddCert(rootB)
++
++ testResume(t, serverConfig, clientConfig, false)
++ testResume(t, serverConfig, clientConfig, true)
++}
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index a48a296721..1ecee3a867 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
++++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -11,6 +11,7 @@ import (
+ "crypto/hmac"
+ "crypto/rsa"
+ "encoding/binary"
++ "crypto/x509"
+ "errors"
+ "hash"
+ "io"
+@@ -345,8 +346,13 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
+ if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
+ continue
+ }
++ opts := x509.VerifyOptions{
++ CurrentTime: c.config.time(),
++ Roots: c.config.ClientCAs,
++ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
++ }
+ if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
+- !anyUnexpiredChain(sessionState.verifiedChains, c.config.time()) {
++ !anyValidVerifiedChain(sessionState.verifiedChains, opts) {
+ continue
+ }
+
+--
+2.35.6
new file mode 100644
@@ -0,0 +1,82 @@
+From f38ac662b21e333b77951848a7e0549e4f69799e Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Thu, 29 Jan 2026 11:32:25 +0100
+Subject: [PATCH] [release-branch.go1.24] crypto/tls: document resumption
+ behavior across Configs
+
+Updates #77113
+Updates #77217
+Updates CVE-2025-68121
+
+CVE: CVE-2025-68121
+Upstream-Status: Backport [https://github.com/golang/go/commit/6a501314718b]
+
+Change-Id: Ia47904a9ed001275aad0243a6a0ce57e6a6a6964
+Reviewed-on: https://go-review.googlesource.com/c/go/+/740240
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Auto-Submit: Filippo Valsorda <filippo@golang.org>
+(cherry picked from commit 1c9abbdc8e9032cd613bd147c78b166ebacc8a2e)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/741180
+Auto-Submit: Michael Pratt <mpratt@google.com>
+(cherry picked from commit 6a501314718b6d69bad1723b3065ca6067b560ea)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/crypto/tls/common.go | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
+index 299d6f32cb..348bdf0866 100644
+--- a/src/crypto/tls/common.go
++++ b/src/crypto/tls/common.go
+@@ -595,10 +595,13 @@ type Config struct {
+ // If GetConfigForClient is nil, the Config passed to Server() will be
+ // used for all connections.
+ //
+- // If SessionTicketKey was explicitly set on the returned Config, or if
+- // SetSessionTicketKeys was called on the returned Config, those keys will
++ // If SessionTicketKey is explicitly set on the returned Config, or if
++ // SetSessionTicketKeys is called on the returned Config, those keys will
+ // be used. Otherwise, the original Config keys will be used (and possibly
+- // rotated if they are automatically managed).
++ // rotated if they are automatically managed). WARNING: this allows session
++ // resumtion of connections originally established with the parent (or a
++ // sibling) Config, which may bypass the [Config.VerifyPeerCertificate]
++ // value of the returned Config.
+ GetConfigForClient func(*ClientHelloInfo) (*Config, error)
+
+ // VerifyPeerCertificate, if not nil, is called after normal
+@@ -616,8 +619,10 @@ type Config struct {
+ // rawCerts may be empty on the server if ClientAuth is RequestClientCert or
+ // VerifyClientCertIfGiven.
+ //
+- // This callback is not invoked on resumed connections, as certificates are
+- // not re-verified on resumption.
++ // This callback is not invoked on resumed connections. WARNING: this
++ // includes connections resumed across Configs returned by [Config.Clone] or
++ // [Config.GetConfigForClient] and their parents. If that is not intended,
++ // use [Config.VerifyConnection] instead, or set [Config.SessionTicketsDisabled].
+ //
+ // verifiedChains and its contents should not be modified.
+ VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
+@@ -825,8 +830,15 @@ func (c *Config) ticketKeyFromBytes(b [32]byte) (key ticketKey) {
+ // ticket, and the lifetime we set for all tickets we send.
+ const maxSessionTicketLifetime = 7 * 24 * time.Hour
+
+-// Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a [Config] that is
+-// being used concurrently by a TLS client or server.
++// Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a
++// [Config] that is being used concurrently by a TLS client or server.
++//
++// The returned Config can share session ticket keys with the original Config,
++// which means connections could be resumed across the two Configs. WARNING:
++// [Config.VerifyPeerCertificate] does not get called on resumed connections,
++// including connections that were originally established on the parent Config.
++// If that is not intended, use [Config.VerifyConnection] instead, or set
++// [Config.SessionTicketsDisabled].
+ func (c *Config) Clone() *Config {
+ if c == nil {
+ return nil
+--
+2.35.6