verify ciphersuite in CH2 matches HRR #10034

Draft
sebastian-carpenter wants to merge 1 commit into wolfSSL:master from sebastian-carpenter:GH-10016
@sebastian-carpenter
Contributor

Description

When a client sends a ClientHello which prompts a HelloRetryRequest, the client is able to send a second ClientHello where the ciphersuite does not match what was chosen in the HelloRetryRequest. Our server would accept this and continue with the connection.

Extended what was done in PR #9340. Now the server will also check the ciphersuite and make sure it matches what was established for the HelloRetryRequest.

Fixes #10016

Testing

Used the reproducer described in #10016.

Also made an equivalent test in the tls13 tests so this is tested in the future.

Checklist

  • [X] added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@sebastian-carpenter sebastian-carpenter self-assigned this Mar 20, 2026
Copilot AI review requested due to automatic review settings March 20, 2026 19:36
Contributor

Copilot AI left a comment

Pull request overview

Tightens TLS 1.3 HelloRetryRequest (HRR) handling by ensuring the cipher suite used after HRR cannot change between ClientHello(1) and ClientHello(2), and adds a regression test to cover the scenario from #10016.

Changes:

  • Track/restore the cipher suite selected for HRR and reject CH2 if it differs.
  • Add a TLS 1.3 API test where CH2 offers a different cipher suite than the one selected in HRR.
  • Register the new test in the TLS 1.3 test group list.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| tests/api/test_tls13.h | Registers the new TLS 1.3 regression test. |
| tests/api/test_tls13.c | Adds a memio-based server-side test for CH2 cipher suite mismatch after HRR. |
| src/tls13.c | Stores HRR’s selected cipher suite and enforces CH2 consistency. |
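
The server-side rule discussed in this pull request, as an added example that is not wolfSSL's code and not part of the PR: the suite negotiated from ClientHello(2) must equal the one announced in the HelloRetryRequest (RFC 8446, section 4.1.4). The names `hs_state`, `pick_suite`, `on_client_hello` and the server preference order are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names throughout; this is not wolfSSL's code or API. */
enum { HS_OK = 0, HS_NO_SUITE = -1, HS_SUITE_MISMATCH = -2, HS_BAD_LIST = -3 };
typedef struct {
    int      hrr_sent;   /* set once a HelloRetryRequest has been sent */
    uint16_t hrr_suite;  /* cipher suite announced in that HRR */
} hs_state;
/* Assumed server preference order (TLS 1.3 code points, RFC 8446 B.4). */
static const uint16_t server_prefs[] = { 0x1302, 0x1301, 0x1303 };
/* First server-preferred suite found in the client's cipher_suites
 * vector (2-byte big-endian entries); 0 when there is no overlap. */
static uint16_t pick_suite(const uint8_t *list, size_t len)
{
    size_t p, i;
    for (p = 0; p < sizeof(server_prefs) / sizeof(server_prefs[0]); p++)
        for (i = 0; i + 1 < len; i += 2)
            if ((uint16_t)((list[i] << 8) | list[i + 1]) == server_prefs[p])
                return server_prefs[p];
    return 0;
}

/* Process the cipher_suites of CH1 or CH2. need_hrr: CH1 requires a retry. */
int on_client_hello(hs_state *st, const uint8_t *list, size_t len,
                    int need_hrr, uint16_t *chosen)
{
    uint16_t suite;
    if (list == NULL || len == 0 || (len & 1)) return HS_BAD_LIST;
    if ((suite = pick_suite(list, len)) == 0) return HS_NO_SUITE;
    if (st->hrr_sent && suite != st->hrr_suite)
        return HS_SUITE_MISMATCH;       /* CH2 would change the suite: abort */
    if (!st->hrr_sent && need_hrr) {    /* CH1: remember what the HRR says */
        st->hrr_sent = 1;
        st->hrr_suite = suite;
    }
    *chosen = suite;
    return HS_OK;
}

int main(void)
{
    /* Constructed sample lists, not captured traffic. */
    const uint8_t ch1[] = { 0x13, 0x01, 0x13, 0x02 }, ch2[] = { 0x13, 0x01 };
    hs_state st = { 0, 0 }; uint16_t s = 0;
    printf("CH1 -> %d\n", on_client_hello(&st, ch1, sizeof ch1, 1, &s));
    printf("CH2 -> %d\n", on_client_hello(&st, ch2, sizeof ch2, 0, &s));
    return 0;
}
```

Comparing the negotiated result rather than the raw offered list means a CH2 that still contains the HRR suite passes, while one that drops it is rejected.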


@sebastian-carpenter
Contributor Author

Jenkins retest this please.

Development

Successfully merging this pull request may close these issues.

[Bug]: RFC 8446 violation : WolfSSL accept HelloRetryRequests/ServerHello with changing ciphers