Improve TLSv1.3 state machine for HelloRetryRequest handling.

The state machine currently handles the HelloRetryRequest case by using WITH_HRR - in other words, we're explicitly indicating when we transition to the alternate path. The problem here is that we do not know if we're going to receive a ServerHello or a HelloRetryRequest until we process the message. This means that the ServerHello processing code has to handle both types of messages. The state machine and associated processing code becomes cleaner if we flip this around so that we assume we are going to receive a HelloRetryRequest and upon discovering that it is not, trigger WITHOUT_HRR and hand off to the ServerHello processing function. In particular, this makes the logic much more straight forward on the server side, when adding support for HRR. With feedback from tb@ ok tb@
author: jsing <> 2020-04-22 17:05:07 +0000
committer: jsing <> 2020-04-22 17:05:07 +0000
commit: c18a60d45888295bb8cf344e076d84ef817a65a5 (patch)
tree: c7a924ebca094d3b2e25924b18e7bcf1cf4da7b7 /src/lib
parent: c430432c2ef1ea560124b642f581c3e1ddb24f69 (diff)
download: openbsd-c18a60d45888295bb8cf344e076d84ef817a65a5.tar.gz
openbsd-c18a60d45888295bb8cf344e076d84ef817a65a5.tar.bz2
openbsd-c18a60d45888295bb8cf344e076d84ef817a65a5.zip
5 files changed, 104 insertions, 66 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 0da08f62c3..dffabf1753 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.50 2020/04/21 16:55:17 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.51 2020/04/22 17:05:07 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -281,6 +281,24 @@ tls13_server_hello_is_legacy(CBS *cbs)
 }
 static int
+tls13_server_hello_is_retry(CBS *cbs)
+{
+        CBS server_hello, server_random;
+        uint16_t legacy_version;
+        CBS_dup(cbs, &server_hello);
+        if (!CBS_get_u16(&server_hello, &legacy_version))
+                return 0;
+        if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE))
+                return 0;
+        /* See if this is a HelloRetryRequest. */
+        return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
+            sizeof(tls13_hello_retry_request_hash));
+}
+static int
 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 {
        CBS server_random, session_id;
@@ -331,7 +349,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
        /* From here on in we know we are doing TLSv1.3. */
        tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
-        /* See if this is a Hello Retry Request. */
+        /* See if this is a HelloRetryRequest. */
+        /* XXX - see if we can avoid doing this twice. */
        if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
            sizeof(tls13_hello_retry_request_hash))) {
                tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
@@ -515,40 +534,75 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 }
 int
+tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
+{
+        /*
+         * The state machine has no way of knowing if we're going to receive a
+         * HelloRetryRequest or a ServerHello. As such, we have to handle
+         * this case here and hand off to the appropriate function.
+         */
+        if (!tls13_server_hello_is_retry(cbs)) {
+                ctx->handshake_stage.hs_type |= WITHOUT_HRR;
+                return tls13_server_hello_recv(ctx, cbs);
+        }
+        if (!tls13_server_hello_process(ctx, cbs))
+                return 0;
+        /*
+         * This may have been a TLSv1.2 or earlier ServerHello that just happened
+         * to have matching server random...
+         */
+        if (ctx->hs->use_legacy)
+                return tls13_use_legacy_client(ctx);
+        if (!ctx->hs->hrr)
+                return 0;
+        if (!tls13_client_synthetic_handshake_message(ctx))
+                return 0;
+        if (!tls13_handshake_msg_record(ctx))
+                return 0;
+        ctx->hs->hrr = 0;
+        return 1;
+}
+int
 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
        SSL *s = ctx->ssl;
        /*
-         * We may have received a legacy (pre-TLSv1.3) server hello,
+         * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3
-         * a TLSv1.3 server hello or a TLSv1.3 hello retry request.
+         * ServerHello. HelloRetryRequests have already been handled.
         */
        if (!tls13_server_hello_process(ctx, cbs))
                return 0;
-        tls1_transcript_unfreeze(s);
+        if (ctx->handshake_stage.hs_type & WITHOUT_HRR) {
+                tls1_transcript_unfreeze(s);
-        if (ctx->hs->hrr) {
+                if (!tls13_handshake_msg_record(ctx))
-                if (!tls13_client_synthetic_handshake_message(ctx))
                        return 0;
        }
-        if (!tls13_handshake_msg_record(ctx))
+        if (ctx->hs->use_legacy) {
-                return 0;
+                if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
+                        return 0;
-        if (ctx->hs->use_legacy)
                return tls13_use_legacy_client(ctx);
+        }
-        if (!ctx->hs->hrr) {
+        if (ctx->hs->hrr) {
-                if (!tls13_client_engage_record_protection(ctx))
+                /* The server has sent two HelloRetryRequests. */
-                        return 0;
+                ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+                return 0;
        }
-        ctx->handshake_stage.hs_type |= NEGOTIATED;
+        if (!tls13_client_engage_record_protection(ctx))
-        if (ctx->hs->hrr)
+                return 0;
-                ctx->handshake_stage.hs_type |= WITH_HRR;
-        ctx->hs->hrr = 0;
+        ctx->handshake_stage.hs_type |= NEGOTIATED;
        return 1;
 }
@@ -581,24 +635,6 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 }
 int
-tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
-{
-        if (!tls13_server_hello_process(ctx, cbs))
-                return 0;
-        if (ctx->hs->use_legacy)
-                return 0; /* XXX alert */
-        if (ctx->hs->hrr)
-                return 0; /* XXX alert */
-        if (!tls13_client_engage_record_protection(ctx))
-                return 0;
-        return 1;
-}
-int
 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
        int alert_desc;
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 51585d31ba..86046144de 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.52 2020/03/10 17:15:02 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.53 2020/04/22 17:05:07 jsing Exp $      */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -96,11 +96,11 @@ struct tls13_handshake_action state_machine[] = {
                .sent = tls13_server_hello_sent,
                .recv = tls13_server_hello_recv,
        },
-        [SERVER_HELLO_RETRY] = {
+        [SERVER_HELLO_RETRY_REQUEST] = {
                .handshake_type = TLS13_MT_SERVER_HELLO,
                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_hello_retry_send,
+                .send = tls13_server_hello_retry_request_send,
-                .recv = tls13_server_hello_retry_recv,
+                .recv = tls13_server_hello_retry_request_recv,
        },
        [SERVER_ENCRYPTED_EXTENSIONS] = {
                .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
@@ -145,10 +145,14 @@ struct tls13_handshake_action state_machine[] = {
 enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
        [INITIAL] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
        },
        [NEGOTIATED] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE_REQUEST,
@@ -159,11 +163,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
                CLIENT_FINISHED,
                APPLICATION_DATA,
        },
-        [NEGOTIATED | WITH_HRR] = {
+        [NEGOTIATED | WITHOUT_HRR] = {
                CLIENT_HELLO,
                SERVER_HELLO,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO_RETRY,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE_REQUEST,
                SERVER_CERTIFICATE,
@@ -175,6 +177,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
        },
        [NEGOTIATED | WITHOUT_CR] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE,
@@ -183,11 +187,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
                CLIENT_FINISHED,
                APPLICATION_DATA,
        },
-        [NEGOTIATED | WITH_HRR | WITHOUT_CR] = {
+        [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = {
                CLIENT_HELLO,
                SERVER_HELLO,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO_RETRY,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE,
                SERVER_CERTIFICATE_VERIFY,
@@ -197,17 +199,17 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
        },
        [NEGOTIATED | WITH_PSK] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_FINISHED,
                CLIENT_FINISHED,
                APPLICATION_DATA,
        },
-        [NEGOTIATED | WITH_HRR | WITH_PSK] = {
+        [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = {
                CLIENT_HELLO,
                SERVER_HELLO,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO_RETRY,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_FINISHED,
                CLIENT_FINISHED,
@@ -215,6 +217,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
        },
        [NEGOTIATED | WITH_CCV] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE_REQUEST,
@@ -226,11 +230,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
                CLIENT_FINISHED,
                APPLICATION_DATA,
        },
-        [NEGOTIATED | WITH_HRR | WITH_CCV] = {
+        [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = {
                CLIENT_HELLO,
                SERVER_HELLO,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO_RETRY,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE_REQUEST,
                SERVER_CERTIFICATE,
diff --git a/src/lib/libssl/tls13_handshake.h b/src/lib/libssl/tls13_handshake.h
index 956d27c61a..8a08b9fd5b 100644
--- a/src/lib/libssl/tls13_handshake.h
+++ b/src/lib/libssl/tls13_handshake.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_handshake.h,v 1.4 2020/03/10 17:15:02 jsing Exp $ */
+/* $OpenBSD: tls13_handshake.h,v 1.5 2020/04/22 17:05:07 jsing Exp $ */
 /*
 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
 *
@@ -24,7 +24,7 @@ __BEGIN_HIDDEN_DECLS
 #define INITIAL                 0x00
 #define NEGOTIATED              0x01
-#define WITH_HRR                0x02
+#define WITHOUT_HRR             0x02
 #define WITHOUT_CR              0x04
 #define WITH_PSK                0x08
 #define WITH_CCV                0x10
@@ -33,9 +33,9 @@ __BEGIN_HIDDEN_DECLS
 enum tls13_message_type {
        INVALID,
        CLIENT_HELLO,
-        SERVER_HELLO,
+        SERVER_HELLO_RETRY_REQUEST,
        CLIENT_HELLO_RETRY,
-        SERVER_HELLO_RETRY,
+        SERVER_HELLO,
        SERVER_ENCRYPTED_EXTENSIONS,
        SERVER_CERTIFICATE_REQUEST,
        SERVER_CERTIFICATE,
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index c5b893bc16..ee82a44693 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.64 2020/04/21 16:55:17 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.65 2020/04/22 17:05:07 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -309,8 +309,8 @@ int tls13_client_finished_sent(struct tls13_ctx *ctx);
 int tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_hello_sent(struct tls13_ctx *ctx);
-int tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs);
+int tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs);
-int tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb);
+int tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs);
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index f3d21a7477..9bc4cb6170 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.30 2020/04/21 17:06:16 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.31 2020/04/22 17:05:07 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -280,11 +280,11 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
                return 1;
        /*
-         * If no matching key share was provided, we need to send a
+         * If a matching key share was provided, we do not need to
-         * HelloRetryRequest, if matching security parameters exist.
+         * send a HelloRetryRequest.
         */
-        if (ctx->hs->key_share == NULL)
+        if (ctx->hs->key_share != NULL)
-                ctx->handshake_stage.hs_type |= WITH_HRR;
+                ctx->handshake_stage.hs_type |= WITHOUT_HRR;
        /* XXX - check this is the correct point */
        tls13_record_layer_allow_ccs(ctx->rl, 1);
@@ -608,7 +608,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
 }
 int
-tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
+tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
        return 0;
 }
author	jsing <>	2020-04-22 17:05:07 +0000
committer	jsing <>	2020-04-22 17:05:07 +0000
commit	c18a60d45888295bb8cf344e076d84ef817a65a5 (patch)
tree	c7a924ebca094d3b2e25924b18e7bcf1cf4da7b7 /src/lib
parent	c430432c2ef1ea560124b642f581c3e1ddb24f69 (diff)
download	openbsd-c18a60d45888295bb8cf344e076d84ef817a65a5.tar.gz openbsd-c18a60d45888295bb8cf344e076d84ef817a65a5.tar.bz2 openbsd-c18a60d45888295bb8cf344e076d84ef817a65a5.zip

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 0da08f62c3..dffabf1753 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.50 2020/04/21 16:55:17 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.51 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -281,6 +281,24 @@ tls13_server_hello_is_legacy(CBS *cbs)
281	}	281	}
282		282
283	static int	283	static int
		284	tls13_server_hello_is_retry(CBS *cbs)
		285	{
		286	CBS server_hello, server_random;
		287	uint16_t legacy_version;
		288
		289	CBS_dup(cbs, &server_hello);
		290
		291	if (!CBS_get_u16(&server_hello, &legacy_version))
		292	return 0;
		293	if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE))
		294	return 0;
		295
		296	/* See if this is a HelloRetryRequest. */
		297	return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
		298	sizeof(tls13_hello_retry_request_hash));
		299	}
		300
		301	static int
284	tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)	302	tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)
285	{	303	{
286	CBS server_random, session_id;	304	CBS server_random, session_id;
@@ -331,7 +349,8 @@ tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)
331	/* From here on in we know we are doing TLSv1.3. */	349	/* From here on in we know we are doing TLSv1.3. */
332	tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);	350	tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
333		351
334	/* See if this is a Hello Retry Request. */	352	/* See if this is a HelloRetryRequest. */
		353	/* XXX - see if we can avoid doing this twice. */
335	if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,	354	if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
336	sizeof(tls13_hello_retry_request_hash))) {	355	sizeof(tls13_hello_retry_request_hash))) {
337	tlsext_msg_type = SSL_TLSEXT_MSG_HRR;	356	tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
@@ -515,40 +534,75 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
515	}	534	}
516		535
517	int	536	int
		537	tls13_server_hello_retry_request_recv(struct tls13_ctx ctx, CBS cbs)
		538	{
		539	/*
		540	* The state machine has no way of knowing if we're going to receive a
		541	* HelloRetryRequest or a ServerHello. As such, we have to handle
		542	* this case here and hand off to the appropriate function.
		543	*/
		544	if (!tls13_server_hello_is_retry(cbs)) {
		545	ctx->handshake_stage.hs_type \|= WITHOUT_HRR;
		546	return tls13_server_hello_recv(ctx, cbs);
		547	}
		548
		549	if (!tls13_server_hello_process(ctx, cbs))
		550	return 0;
		551
		552	/*
		553	* This may have been a TLSv1.2 or earlier ServerHello that just happened
		554	* to have matching server random...
		555	*/
		556	if (ctx->hs->use_legacy)
		557	return tls13_use_legacy_client(ctx);
		558
		559	if (!ctx->hs->hrr)
		560	return 0;
		561
		562	if (!tls13_client_synthetic_handshake_message(ctx))
		563	return 0;
		564	if (!tls13_handshake_msg_record(ctx))
		565	return 0;
		566
		567	ctx->hs->hrr = 0;
		568
		569	return 1;
		570	}
		571
		572	int
518	tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs)	573	tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs)
519	{	574	{
520	SSL *s = ctx->ssl;	575	SSL *s = ctx->ssl;
521		576
522	/*	577	/*
523	* We may have received a legacy (pre-TLSv1.3) server hello,	578	* We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3
524	* a TLSv1.3 server hello or a TLSv1.3 hello retry request.	579	* ServerHello. HelloRetryRequests have already been handled.
525	*/	580	*/
526	if (!tls13_server_hello_process(ctx, cbs))	581	if (!tls13_server_hello_process(ctx, cbs))
527	return 0;	582	return 0;
528		583
529	tls1_transcript_unfreeze(s);	584	if (ctx->handshake_stage.hs_type & WITHOUT_HRR) {
530		585	tls1_transcript_unfreeze(s);
531	if (ctx->hs->hrr) {	586	if (!tls13_handshake_msg_record(ctx))
532	if (!tls13_client_synthetic_handshake_message(ctx))
533	return 0;	587	return 0;
534	}	588	}
535		589
536	if (!tls13_handshake_msg_record(ctx))	590	if (ctx->hs->use_legacy) {
537	return 0;	591	if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
538		592	return 0;
539	if (ctx->hs->use_legacy)
540	return tls13_use_legacy_client(ctx);	593	return tls13_use_legacy_client(ctx);
		594	}
541		595
542	if (!ctx->hs->hrr) {	596	if (ctx->hs->hrr) {
543	if (!tls13_client_engage_record_protection(ctx))	597	/* The server has sent two HelloRetryRequests. */
544	return 0;	598	ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
		599	return 0;
545	}	600	}
546		601
547	ctx->handshake_stage.hs_type \|= NEGOTIATED;	602	if (!tls13_client_engage_record_protection(ctx))
548	if (ctx->hs->hrr)	603	return 0;
549	ctx->handshake_stage.hs_type \|= WITH_HRR;
550		604
551	ctx->hs->hrr = 0;	605	ctx->handshake_stage.hs_type \|= NEGOTIATED;
552		606
553	return 1;	607	return 1;
554	}	608	}
@@ -581,24 +635,6 @@ tls13_client_hello_retry_send(struct tls13_ctx ctx, CBB cbb)
581	}	635	}
582		636
583	int	637	int
584	tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs)
585	{
586	if (!tls13_server_hello_process(ctx, cbs))
587	return 0;
588
589	if (ctx->hs->use_legacy)
590	return 0; /* XXX alert */
591
592	if (ctx->hs->hrr)
593	return 0; /* XXX alert */
594
595	if (!tls13_client_engage_record_protection(ctx))
596	return 0;
597
598	return 1;
599	}
600
601	int
602	tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs)	638	tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs)
603	{	639	{
604	int alert_desc;	640	int alert_desc;


diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c index 51585d31ba..86046144de 100644 --- a/src/lib/libssl/tls13_handshake.c +++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_handshake.c,v 1.52 2020/03/10 17:15:02 jsing Exp $ */	1	/* $OpenBSD: tls13_handshake.c,v 1.53 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -96,11 +96,11 @@ struct tls13_handshake_action state_machine[] = {
96	.sent = tls13_server_hello_sent,	96	.sent = tls13_server_hello_sent,
97	.recv = tls13_server_hello_recv,	97	.recv = tls13_server_hello_recv,
98	},	98	},
99	[SERVER_HELLO_RETRY] = {	99	[SERVER_HELLO_RETRY_REQUEST] = {
100	.handshake_type = TLS13_MT_SERVER_HELLO,	100	.handshake_type = TLS13_MT_SERVER_HELLO,
101	.sender = TLS13_HS_SERVER,	101	.sender = TLS13_HS_SERVER,
102	.send = tls13_server_hello_retry_send,	102	.send = tls13_server_hello_retry_request_send,
103	.recv = tls13_server_hello_retry_recv,	103	.recv = tls13_server_hello_retry_request_recv,
104	},	104	},
105	[SERVER_ENCRYPTED_EXTENSIONS] = {	105	[SERVER_ENCRYPTED_EXTENSIONS] = {
106	.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,	106	.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
@@ -145,10 +145,14 @@ struct tls13_handshake_action state_machine[] = {
145	enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {	145	enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
146	[INITIAL] = {	146	[INITIAL] = {
147	CLIENT_HELLO,	147	CLIENT_HELLO,
		148	SERVER_HELLO_RETRY_REQUEST,
		149	CLIENT_HELLO_RETRY,
148	SERVER_HELLO,	150	SERVER_HELLO,
149	},	151	},
150	[NEGOTIATED] = {	152	[NEGOTIATED] = {
151	CLIENT_HELLO,	153	CLIENT_HELLO,
		154	SERVER_HELLO_RETRY_REQUEST,
		155	CLIENT_HELLO_RETRY,
152	SERVER_HELLO,	156	SERVER_HELLO,
153	SERVER_ENCRYPTED_EXTENSIONS,	157	SERVER_ENCRYPTED_EXTENSIONS,
154	SERVER_CERTIFICATE_REQUEST,	158	SERVER_CERTIFICATE_REQUEST,
@@ -159,11 +163,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
159	CLIENT_FINISHED,	163	CLIENT_FINISHED,
160	APPLICATION_DATA,	164	APPLICATION_DATA,
161	},	165	},
162	[NEGOTIATED \| WITH_HRR] = {	166	[NEGOTIATED \| WITHOUT_HRR] = {
163	CLIENT_HELLO,	167	CLIENT_HELLO,
164	SERVER_HELLO,	168	SERVER_HELLO,
165	CLIENT_HELLO_RETRY,
166	SERVER_HELLO_RETRY,
167	SERVER_ENCRYPTED_EXTENSIONS,	169	SERVER_ENCRYPTED_EXTENSIONS,
168	SERVER_CERTIFICATE_REQUEST,	170	SERVER_CERTIFICATE_REQUEST,
169	SERVER_CERTIFICATE,	171	SERVER_CERTIFICATE,
@@ -175,6 +177,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
175	},	177	},
176	[NEGOTIATED \| WITHOUT_CR] = {	178	[NEGOTIATED \| WITHOUT_CR] = {
177	CLIENT_HELLO,	179	CLIENT_HELLO,
		180	SERVER_HELLO_RETRY_REQUEST,
		181	CLIENT_HELLO_RETRY,
178	SERVER_HELLO,	182	SERVER_HELLO,
179	SERVER_ENCRYPTED_EXTENSIONS,	183	SERVER_ENCRYPTED_EXTENSIONS,
180	SERVER_CERTIFICATE,	184	SERVER_CERTIFICATE,
@@ -183,11 +187,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
183	CLIENT_FINISHED,	187	CLIENT_FINISHED,
184	APPLICATION_DATA,	188	APPLICATION_DATA,
185	},	189	},
186	[NEGOTIATED \| WITH_HRR \| WITHOUT_CR] = {	190	[NEGOTIATED \| WITHOUT_HRR \| WITHOUT_CR] = {
187	CLIENT_HELLO,	191	CLIENT_HELLO,
188	SERVER_HELLO,	192	SERVER_HELLO,
189	CLIENT_HELLO_RETRY,
190	SERVER_HELLO_RETRY,
191	SERVER_ENCRYPTED_EXTENSIONS,	193	SERVER_ENCRYPTED_EXTENSIONS,
192	SERVER_CERTIFICATE,	194	SERVER_CERTIFICATE,
193	SERVER_CERTIFICATE_VERIFY,	195	SERVER_CERTIFICATE_VERIFY,
@@ -197,17 +199,17 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
197	},	199	},
198	[NEGOTIATED \| WITH_PSK] = {	200	[NEGOTIATED \| WITH_PSK] = {
199	CLIENT_HELLO,	201	CLIENT_HELLO,
		202	SERVER_HELLO_RETRY_REQUEST,
		203	CLIENT_HELLO_RETRY,
200	SERVER_HELLO,	204	SERVER_HELLO,
201	SERVER_ENCRYPTED_EXTENSIONS,	205	SERVER_ENCRYPTED_EXTENSIONS,
202	SERVER_FINISHED,	206	SERVER_FINISHED,
203	CLIENT_FINISHED,	207	CLIENT_FINISHED,
204	APPLICATION_DATA,	208	APPLICATION_DATA,
205	},	209	},
206	[NEGOTIATED \| WITH_HRR \| WITH_PSK] = {	210	[NEGOTIATED \| WITHOUT_HRR \| WITH_PSK] = {
207	CLIENT_HELLO,	211	CLIENT_HELLO,
208	SERVER_HELLO,	212	SERVER_HELLO,
209	CLIENT_HELLO_RETRY,
210	SERVER_HELLO_RETRY,
211	SERVER_ENCRYPTED_EXTENSIONS,	213	SERVER_ENCRYPTED_EXTENSIONS,
212	SERVER_FINISHED,	214	SERVER_FINISHED,
213	CLIENT_FINISHED,	215	CLIENT_FINISHED,
@@ -215,6 +217,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
215	},	217	},
216	[NEGOTIATED \| WITH_CCV] = {	218	[NEGOTIATED \| WITH_CCV] = {
217	CLIENT_HELLO,	219	CLIENT_HELLO,
		220	SERVER_HELLO_RETRY_REQUEST,
		221	CLIENT_HELLO_RETRY,
218	SERVER_HELLO,	222	SERVER_HELLO,
219	SERVER_ENCRYPTED_EXTENSIONS,	223	SERVER_ENCRYPTED_EXTENSIONS,
220	SERVER_CERTIFICATE_REQUEST,	224	SERVER_CERTIFICATE_REQUEST,
@@ -226,11 +230,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
226	CLIENT_FINISHED,	230	CLIENT_FINISHED,
227	APPLICATION_DATA,	231	APPLICATION_DATA,
228	},	232	},
229	[NEGOTIATED \| WITH_HRR \| WITH_CCV] = {	233	[NEGOTIATED \| WITHOUT_HRR \| WITH_CCV] = {
230	CLIENT_HELLO,	234	CLIENT_HELLO,
231	SERVER_HELLO,	235	SERVER_HELLO,
232	CLIENT_HELLO_RETRY,
233	SERVER_HELLO_RETRY,
234	SERVER_ENCRYPTED_EXTENSIONS,	236	SERVER_ENCRYPTED_EXTENSIONS,
235	SERVER_CERTIFICATE_REQUEST,	237	SERVER_CERTIFICATE_REQUEST,
236	SERVER_CERTIFICATE,	238	SERVER_CERTIFICATE,


diff --git a/src/lib/libssl/tls13_handshake.h b/src/lib/libssl/tls13_handshake.h index 956d27c61a..8a08b9fd5b 100644 --- a/src/lib/libssl/tls13_handshake.h +++ b/src/lib/libssl/tls13_handshake.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_handshake.h,v 1.4 2020/03/10 17:15:02 jsing Exp $ */	1	/* $OpenBSD: tls13_handshake.h,v 1.5 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
4	*	4	*
@@ -24,7 +24,7 @@ __BEGIN_HIDDEN_DECLS
24		24
25	#define INITIAL 0x00	25	#define INITIAL 0x00
26	#define NEGOTIATED 0x01	26	#define NEGOTIATED 0x01
27	#define WITH_HRR 0x02	27	#define WITHOUT_HRR 0x02
28	#define WITHOUT_CR 0x04	28	#define WITHOUT_CR 0x04
29	#define WITH_PSK 0x08	29	#define WITH_PSK 0x08
30	#define WITH_CCV 0x10	30	#define WITH_CCV 0x10
@@ -33,9 +33,9 @@ __BEGIN_HIDDEN_DECLS
33	enum tls13_message_type {	33	enum tls13_message_type {
34	INVALID,	34	INVALID,
35	CLIENT_HELLO,	35	CLIENT_HELLO,
36	SERVER_HELLO,	36	SERVER_HELLO_RETRY_REQUEST,
37	CLIENT_HELLO_RETRY,	37	CLIENT_HELLO_RETRY,
38	SERVER_HELLO_RETRY,	38	SERVER_HELLO,
39	SERVER_ENCRYPTED_EXTENSIONS,	39	SERVER_ENCRYPTED_EXTENSIONS,
40	SERVER_CERTIFICATE_REQUEST,	40	SERVER_CERTIFICATE_REQUEST,
41	SERVER_CERTIFICATE,	41	SERVER_CERTIFICATE,


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index c5b893bc16..ee82a44693 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.64 2020/04/21 16:55:17 jsing Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.65 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -309,8 +309,8 @@ int tls13_client_finished_sent(struct tls13_ctx *ctx);
309	int tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs);	309	int tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs);
310	int tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb);	310	int tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb);
311	int tls13_server_hello_sent(struct tls13_ctx *ctx);	311	int tls13_server_hello_sent(struct tls13_ctx *ctx);
312	int tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs);	312	int tls13_server_hello_retry_request_recv(struct tls13_ctx ctx, CBS cbs);
313	int tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb);	313	int tls13_server_hello_retry_request_send(struct tls13_ctx ctx, CBB cbb);
314	int tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs);	314	int tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs);
315	int tls13_server_encrypted_extensions_send(struct tls13_ctx ctx, CBB cbb);	315	int tls13_server_encrypted_extensions_send(struct tls13_ctx ctx, CBB cbb);
316	int tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs);	316	int tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs);


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index f3d21a7477..9bc4cb6170 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.30 2020/04/21 17:06:16 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.31 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -280,11 +280,11 @@ tls13_client_hello_recv(struct tls13_ctx ctx, CBS cbs)
280	return 1;	280	return 1;
281		281
282	/*	282	/*
283	* If no matching key share was provided, we need to send a	283	* If a matching key share was provided, we do not need to
284	* HelloRetryRequest, if matching security parameters exist.	284	* send a HelloRetryRequest.
285	*/	285	*/
286	if (ctx->hs->key_share == NULL)	286	if (ctx->hs->key_share != NULL)
287	ctx->handshake_stage.hs_type \|= WITH_HRR;	287	ctx->handshake_stage.hs_type \|= WITHOUT_HRR;
288		288
289	/* XXX - check this is the correct point */	289	/* XXX - check this is the correct point */
290	tls13_record_layer_allow_ccs(ctx->rl, 1);	290	tls13_record_layer_allow_ccs(ctx->rl, 1);
@@ -608,7 +608,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
608	}	608	}
609		609
610	int	610	int
611	tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb)	611	tls13_server_hello_retry_request_send(struct tls13_ctx ctx, CBB cbb)
612	{	612	{
613	return 0;	613	return 0;
614	}	614	}