From: jsing Date: Tue, 29 Jun 2021 18:47:15 +0000 (+0000) Subject: Require a ServerHello following a HelloRetryRequest to use the same cipher. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=ded62235fb94d207c51d59769156ead39f158e06;p=openbsd Require a ServerHello following a HelloRetryRequest to use the same cipher. RFC 8446 section 4.1.4 requires that the client ensure the cipher suite in the TLSv1.3 HelloRetryRequest and subsequent ServerHello is the same. Reported via GitHub issue #675. ok inoguchi@ tb@ --- diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c index 4ba0dd92f2f..0a237567fd7 100644 --- a/lib/libssl/tls13_client.c +++ b/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.83 2021/06/27 19:23:51 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.84 2021/06/29 18:47:15 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -303,7 +303,16 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - /* XXX - move this to hs.tls13? */ + if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) { + /* + * A ServerHello following a HelloRetryRequest MUST use the same + * cipher suite (RFC 8446 section 4.1.4). + */ + if (ctx->hs->cipher != cipher) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + } ctx->hs->cipher = cipher; if (compression_method != 0) {
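Review bot: In the second hunk the guard `!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr` reads as "no HRR" on a first pass, when it actually means "an HRR was already received and this message is the ServerHello that follows it"; the RFC comment below it explains the requirement but not the state combination, so a one-line comment on the condition itself (or folding the two flags into a single "after HRR" predicate) would make the check easier to audit. The hunk also drops the `/* XXX - move this to hs.tls13? */` note without the cipher still being moved out of `ctx->hs->cipher`, so it is worth confirming that the TODO was deliberately retired rather than lost. Finally, since the commit message cites a GitHub issue as the trigger, a regression test that sends an HRR and then a ServerHello with a different cipher suite and expects an illegal_parameter alert would pin this behaviour down; none accompanies the diff.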