Require a ServerHello following a HelloRetryRequest to use the same cipher.
author jsing <jsing@openbsd.org>
Tue, 29 Jun 2021 18:47:15 +0000 (18:47 +0000)
committer jsing <jsing@openbsd.org>
Tue, 29 Jun 2021 18:47:15 +0000 (18:47 +0000)
RFC 8446 section 4.1.4 requires that the client ensure the cipher suite
in the TLSv1.3 HelloRetryRequest and subsequent ServerHello is the same.

Reported via GitHub issue #675.

ok inoguchi@ tb@
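
The rule the commit message cites, as an added example that is not LibreSSL code: a minimal client-side ServerHello processor in C that remembers whether a HelloRetryRequest was seen and rejects a following ServerHello whose cipher_suite differs with illegal_parameter, plus the neighbouring rule from the same RFC section that a second HelloRetryRequest on one connection is answered with unexpected_message. The HRR is recognised by the fixed Random value from RFC 8446 section 4.1.3. `struct client_hs`, `server_hello_process`, `build_server_hello` and `run_flight` are hypothetical names; the messages are constructed inline and only the fields the check needs are parsed.

```c
/*
 * Added example, not LibreSSL code: client-side handling of the
 * HelloRetryRequest -> ServerHello cipher suite rule (RFC 8446 4.1.4).
 * Names are hypothetical and the messages below are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ALERT_UNEXPECTED_MESSAGE = 10, ALERT_ILLEGAL_PARAMETER = 47, ALERT_DECODE_ERROR = 50 };

/* Fixed Random value that marks a HelloRetryRequest (RFC 8446 4.1.3). */
static const uint8_t hrr_random[32] = {
	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
};

struct client_hs {
	int seen_hrr;		/* a HelloRetryRequest was already processed */
	uint16_t cipher;	/* cipher suite selected by the HRR/ServerHello */
	int alert;		/* alert to send when processing fails */
};

/* Record the alert to send and evaluate to 0 (failure). */
#define FAIL(hs, a) ((hs)->alert = (a), 0)

/*
 * Process a ServerHello body (handshake header already stripped); only the
 * fields the check needs are parsed. Returns 1 if accepted, else 0 with
 * hs->alert set.
 */
static int
server_hello_process(struct client_hs *hs, const uint8_t *msg, size_t len)
{
	size_t off = 2 + 32, sid_len;		/* legacy_version + random */
	uint16_t cipher;
	int is_hrr;

	if (len < off + 1)
		return FAIL(hs, ALERT_DECODE_ERROR);
	is_hrr = memcmp(msg + 2, hrr_random, 32) == 0;
	sid_len = msg[off++];			/* legacy_session_id_echo */
	if (sid_len > 32 || len < off + sid_len + 3)
		return FAIL(hs, ALERT_DECODE_ERROR);
	off += sid_len;
	cipher = (uint16_t)((msg[off] << 8) | msg[off + 1]);
	off += 2;
	if (msg[off] != 0)			/* compression must be null */
		return FAIL(hs, ALERT_ILLEGAL_PARAMETER);

	if (is_hrr) {
		/* A second HRR on one connection is fatal (RFC 8446 4.1.4). */
		if (hs->seen_hrr)
			return FAIL(hs, ALERT_UNEXPECTED_MESSAGE);
		hs->seen_hrr = 1;
	} else if (hs->seen_hrr && hs->cipher != cipher) {
		/* The ServerHello after an HRR must keep the HRR's cipher. */
		return FAIL(hs, ALERT_ILLEGAL_PARAMETER);
	}
	hs->cipher = cipher;
	return 1;
}

/* Build a constructed ServerHello or HRR body into buf; returns its length. */
static size_t
build_server_hello(uint8_t *buf, int hrr, uint16_t cipher)
{
	size_t off = 0;
	buf[off++] = 3; buf[off++] = 3;			/* legacy_version 1.2 */
	memset(buf + off, 0x42, 32);			/* constructed random */
	if (hrr)
		memcpy(buf + off, hrr_random, 32);
	off += 32;
	buf[off++] = 0;					/* empty session id echo */
	buf[off++] = cipher >> 8; buf[off++] = cipher & 0xff;
	buf[off++] = 0;					/* null compression */
	memcpy(buf + off, "\x00\x06\x00\x2b\x00\x02\x03\x04", 8); /* supported_versions: 1.3 */
	return off + 8;
}

/* Feed two server messages to a fresh client: 0 if accepted, else the alert. */
static int
run_flight(int first_hrr, uint16_t c1, int second_hrr, uint16_t c2)
{
	struct client_hs hs = { 0, 0, 0 };
	uint8_t buf[64];
	if (!server_hello_process(&hs, buf, build_server_hello(buf, first_hrr, c1)))
		return hs.alert;
	if (!server_hello_process(&hs, buf, build_server_hello(buf, second_hrr, c2)))
		return hs.alert;
	return 0;
}

int
main(void)
{
	/* 0x1301 = TLS_AES_128_GCM_SHA256, 0x1302 = TLS_AES_256_GCM_SHA384 */
	printf("HRR 1301 then SH 1301: alert %d\n", run_flight(1, 0x1301, 0, 0x1301));
	printf("HRR 1301 then SH 1302: alert %d\n", run_flight(1, 0x1301, 0, 0x1302));
	return 0;
}
```

`run_flight` returns 0 for a matching HRR/ServerHello pair, 47 (illegal_parameter) when the cipher suite changes, and 10 (unexpected_message) when a second HRR arrives; the state kept across the two messages is exactly what the libssl change compares against.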

lib/libssl/tls13_client.c

index 4ba0dd9..0a23756 100644
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.83 2021/06/27 19:23:51 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.84 2021/06/29 18:47:15 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -303,7 +303,16 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                goto err;
        }
-       /* XXX - move this to hs.tls13? */
+       if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) {
+               /*
+                * A ServerHello following a HelloRetryRequest MUST use the same
+                * cipher suite (RFC 8446 section 4.1.4).
+                */
+               if (ctx->hs->cipher != cipher) {
+                       ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
+                       goto err;
+               }
+       }
        ctx->hs->cipher = cipher;
 
        if (compression_method != 0) {
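Review bot: the new condition depends on two pieces of state this hunk does not show being maintained: `ctx->hs->tls13.hrr` has to be clear by the time the ServerHello that follows the HelloRetryRequest reaches this point (otherwise `!ctx->hs->tls13.hrr` skips the comparison for exactly the message it is meant to check), and `ctx->hs->cipher` has to still hold the value stored when the HRR was processed. A short comment on the `if` saying where `hrr` is reset would let a reader verify the check without chasing both flags. Minor: if `cipher` and `ctx->hs->cipher` are pointers, `ctx->hs->cipher != cipher` is a pointer comparison, which is only sound while both always come from the same static cipher table; if that is not guaranteed, compare the cipher id instead. Dropping the `XXX - move this to hs.tls13?` note is fine now that `hs->cipher` is what the comparison reads.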