Require a ServerHello following a HelloRetryRequest to use the same cipher.

RFC 8446 section 4.1.4 requires that the client ensure the cipher suite
in the TLSv1.3 HelloRetryRequest and subsequent ServerHello is the same.

Reported via GitHub issue #675.

ok inoguchi@ tb@

1 files changed, 11 insertions, 2 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 4ba0dd92f2..0a237567fd 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.83 2021/06/27 19:23:51 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.84 2021/06/29 18:47:15 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -303,7 +303,16 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                 goto err;
         }
-        /* XXX - move this to hs.tls13? */
+        if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) {
+                /*
+                 * A ServerHello following a HelloRetryRequest MUST use the same
+                 * cipher suite (RFC 8446 section 4.1.4).
+                 */
+                if (ctx->hs->cipher != cipher) {
+                        ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
+                        goto err;
+                }
+        }
         ctx->hs->cipher = cipher;
 
         if (compression_method != 0) {