Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

Both Perl's HTTP::Tiny and IO::Socket::SSL know about SSL_MODE_AUTO_RETRY
and try to work around the fact that OpenSSL enabled it by default.
However, this can lead to the mode being disabled prior to the TLSv1.3
handshake and then enabled after the handshake has completed.

In order to handle this correctly we have to check the mode and inform the
record layer prior to every read.

Issue reported and test case provided by Nathanael Rensen
<nathanael@polymorpheus.com>.

ok inoguchi@ tb@

1 files changed, 4 insertions, 1 deletions

diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index 23f9c5f664..3feb143183 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.10 2020/07/14 18:55:59 jsing Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.11 2020/07/25 17:44:30 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -208,6 +208,9 @@ tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int pee
                 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
         }
 
+        tls13_record_layer_set_retry_after_phh(ctx->rl,
+            (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
+
         if (type != SSL3_RT_APPLICATION_DATA) {
                 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                 return -1;