By design, our state machine is a DAG contrary to the state machine in

the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules.  There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.

This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.

ok jsing

1 files changed, 2 insertions, 1 deletions

diff --git a/src/lib/libssl/tls13_handshake.h b/src/lib/libssl/tls13_handshake.h
index cbbec744d3..9910dab106 100644
--- a/src/lib/libssl/tls13_handshake.h
+++ b/src/lib/libssl/tls13_handshake.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_handshake.h,v 1.2 2019/01/20 22:36:19 tb Exp $ */
+/* $OpenBSD: tls13_handshake.h,v 1.3 2019/04/05 20:23:38 tb Exp $ */
 /*
  * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
  *
@@ -35,6 +35,7 @@ enum tls13_message_type {
         CLIENT_HELLO,
         SERVER_HELLO,
         CLIENT_HELLO_RETRY,
+        SERVER_HELLO_RETRY,
         SERVER_ENCRYPTED_EXTENSIONS,
         SERVER_CERTIFICATE_REQUEST,
         SERVER_CERTIFICATE,