authortb <>2020-05-23 08:47:19 +0000
committertb <>2020-05-23 08:47:19 +0000
commit75a517d36cb6927c5e5e2af71f5bed9d6ac6b884 (patch)
treeff8ad2a5ab8226a8d16a168de4c9b55ae8daabcb /src/lib/libssl/tls13_server.c
parentb252d4c293dcc14a07d6eff59aab97e224d207b2 (diff)
Do not assume that server_group != 0 or tlsext_supportedgroups != NULL
implies that we're dealing with a HRR in the extension handling code. Explicitly check that we're in this situation by inspecting the flag in the handshake context. Add missing error checks and send the appropriate alerts. The hrr flag needs to be unset after parsing the client hello retry to avoid breaking the server hello handling. All this is far from ideal, but better than nothing. The correct fix would likely be to make the message type available but that would need to be part of a more extensive rearchitecture of the extension handling. Discussed at length with jsing
Diffstat (limited to 'src/lib/libssl/tls13_server.c')
-rw-r--r--src/lib/libssl/tls13_server.c4
1 files changed, 3 insertions, 1 deletions
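--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.51 2020/05/22 02:37:27 beck Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.52 2020/05/23 08:47:19 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -365,6 +365,8 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
 if (s->method->internal->version < TLS1_3_VERSION)
 return 0;
 
+ctx->hs->hrr = 0;
+
 return 1;
 }
 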
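Review bot: The new `ctx->hs->hrr = 0;` at line 368 of tls13_client_hello_retry_recv() has no comment, even though the commit message is the only place that explains why it is needed: the extension-handling code now inspects this flag to decide whether it is processing a HelloRetryRequest, and leaving it set breaks the subsequent ServerHello handling. I would add `/* The HRR round is over: clear the flag so the extension code treats the coming ServerHello as a plain ServerHello, not as part of an HRR. */` directly above the assignment, so the dependency between this function and the extension code is visible to a reader of this file. The function begins outside the hunk, so I cannot see whether any earlier error-return path leaves hrr set; since those paths abort the handshake that is presumably harmless, but worth confirming. A short `/* TODO: pass the message type into the extension handlers instead of tracking it via this flag. */` would also record the better design the commit message itself describes.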