By design, our state machine is a DAG contrary to the state machine in

the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules.  There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.

This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.

ok jsing

1 files changed, 1 insertions, 4 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 1729401505..a9f1b6bbd5 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.15 2019/04/04 16:53:57 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.16 2019/04/05 20:23:38 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -339,9 +339,6 @@ tls13_server_hello_recv(struct tls13_ctx *ctx)
         if (s->method->internal->version < TLS1_3_VERSION)
                 return 1;
 
-        if (ctx->handshake_stage.hs_type & WITH_HRR)
-                return 1;
-
         /* XXX - handle other key share types. */
         if (ctx->hs->x25519_peer_public == NULL) {
                 /* XXX - alert. */