Commit fc7129dc authored by Matt Caswell's avatar Matt Caswell
Browse files

Update state machine to send CCS based on whether we did an HRR 



The CCS may be sent at different times based on whether or not we
sent an HRR earlier. In order to make that decision this commit
also updates things to make sure we remember whether an HRR was
used or not.

Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
parent 6f40214f

ssl/record/ssl3_record.c

+2 −2
Original line number Diff line number Diff line
@@ -276,7 +276,7 @@ int ssl3_get_record(SSL *s) 
                 * that explicitly

                 */

                if (!s->first_packet && !SSL_IS_TLS13(s)

                        && !s->hello_retry_request

                        && s->hello_retry_request != SSL_HRR_PENDING

                        && version != (unsigned int)s->version) {

                    if ((s->version & 0xFF00) == (version & 0xFF00)

                        && !s->enc_write_ctx && !s->write_hash) {
@@ -449,7 +449,7 @@ int ssl3_get_record(SSL *s) 


    if (num_recs == 1

            && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC

            && SSL_IS_TLS13(s)

            && (SSL_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE)

            && SSL_IS_FIRST_HANDSHAKE(s)) {

        /*

         * CCS messages must be exactly 1 byte long, containing the value 0x01

ssl/ssl_locl.h

+2 −1
Original line number Diff line number Diff line
@@ -1117,7 +1117,8 @@ struct ssl_st { 
    size_t cert_verify_hash_len;



    /* Flag to indicate whether we should send a HelloRetryRequest or not */

    int hello_retry_request;

    enum {SSL_HRR_NONE = 0, SSL_HRR_PENDING, SSL_HRR_COMPLETE}

        hello_retry_request;



    /*

     * the session_id_context is used to ensure sessions are only reused in

ssl/statem/extensions.c

+6 −6
Original line number Diff line number Diff line
@@ -1235,7 +1235,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent) 
     */

    if (s->server && s->s3->peer_tmp == NULL) {

        /* No suitable share */

        if (s->hello_retry_request == 0 && sent

        if (s->hello_retry_request == SSL_HRR_NONE && sent

                && (!s->hit

                    || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)

                       != 0)) {
@@ -1260,7 +1260,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent) 
            if (i < num_groups) {

                /* A shared group exists so send a HelloRetryRequest */

                s->s3->group_id = group_id;

                s->hello_retry_request = 1;

                s->hello_retry_request = SSL_HRR_PENDING;

                return 1;

            }

        }
@@ -1275,8 +1275,8 @@ static int final_key_share(SSL *s, unsigned int context, int sent) 
    }



    /* We have a key_share so don't send any more HelloRetryRequest messages */

    if (s->server)

        s->hello_retry_request = 0;

    if (s->server && s->hello_retry_request == SSL_HRR_PENDING)

        s->hello_retry_request = SSL_HRR_COMPLETE;



    /*

     * For a client side resumption with no key_share we need to generate
@@ -1405,7 +1405,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, 
     * following a HelloRetryRequest then this includes the hash of the first

     * ClientHello and the HelloRetryRequest itself.

     */

    if (s->hello_retry_request) {

    if (s->hello_retry_request == SSL_HRR_PENDING) {

        size_t hdatalen;

        void *hdata;
@@ -1516,7 +1516,7 @@ static int final_early_data(SSL *s, unsigned int context, int sent) 
            || s->session->ext.tick_identity != 0

            || s->early_data_state != SSL_EARLY_DATA_ACCEPTING

            || !s->ext.early_data_ok

            || s->hello_retry_request) {

            || s->hello_retry_request != SSL_HRR_NONE) {

        s->ext.early_data = SSL_EARLY_DATA_REJECTED;

    } else {

        s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;

ssl/statem/extensions_clnt.c

+5 −5
Original line number Diff line number Diff line
@@ -599,7 +599,7 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) 
    size_t encodedlen;



    if (s->s3->tmp.pkey != NULL) {

        if (!ossl_assert(s->hello_retry_request)) {

        if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {

            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,

                     ERR_R_INTERNAL_ERROR);

            return 0;
@@ -749,7 +749,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, 
    SSL_SESSION *edsess = NULL;

    const EVP_MD *handmd = NULL;



    if (s->hello_retry_request)

    if (s->hello_retry_request == SSL_HRR_PENDING)

        handmd = ssl_handshake_md(s);



    if (s->psk_use_session_cb != NULL
@@ -961,7 +961,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, 
            || (s->session->ext.ticklen == 0 && s->psksession == NULL))

        return EXT_RETURN_NOT_SENT;



    if (s->hello_retry_request)

    if (s->hello_retry_request == SSL_HRR_PENDING)

        handmd = ssl_handshake_md(s);



    if (s->session->ext.ticklen != 0) {
@@ -980,7 +980,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, 
            goto dopsksess;

        }



        if (s->hello_retry_request && mdres != handmd) {

        if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {

            /*

             * Selected ciphersuite hash does not match the hash for the session

             * so we can't use it.
@@ -1044,7 +1044,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, 
            return EXT_RETURN_FAIL;

        }



        if (s->hello_retry_request && mdpsk != handmd) {

        if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {

            /*

             * Selected ciphersuite hash does not match the hash for the PSK

             * session. This is an application bug.

ssl/statem/extensions_srvr.c

+2 −2
Original line number Diff line number Diff line
@@ -704,7 +704,7 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, 
        return 0;

    }



    if (s->hello_retry_request) {

    if (s->hello_retry_request != SSL_HRR_NONE) {

        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,

                 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);

        return 0;
@@ -1245,7 +1245,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, 


    if (ckey == NULL) {

        /* No key_share received from client */

        if (s->hello_retry_request) {

        if (s->hello_retry_request == SSL_HRR_PENDING) {

            if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)

                    || !WPACKET_start_sub_packet_u16(pkt)

                    || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)