From d4504fe5792b2dcf8ae6ef35634f1494e72d109b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 14 Jul 2017 14:50:48 +0100 Subject: [PATCH] Fix early_data with an HRR early_data is not allowed after an HRR. We failed to handle that correctly. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/3933) --- ssl/statem/extensions_srvr.c | 5 +++++ ssl/statem/statem.c | 9 ++------- ssl/statem/statem_clnt.c | 7 +++++++ ssl/statem/statem_srvr.c | 18 +++++++++--------- 4 files changed, 23 insertions(+), 16 deletions(-) diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 7f30ac7792..9fe58a780a 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -678,6 +678,11 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, return 0; } + if (s->hello_retry_request) { + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + return 1; } diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 9eab8ceca7..e5a50c482d 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -157,13 +157,8 @@ int ossl_statem_skip_early_data(SSL *s) if (s->ext.early_data != SSL_EARLY_DATA_REJECTED) return 0; - if (s->hello_retry_request) { - if (s->statem.hand_state != TLS_ST_SW_HELLO_RETRY_REQUEST) - return 0; - } else { - if (!s->server || s->statem.hand_state != TLS_ST_EARLY_DATA) - return 0; - } + if (!s->server || s->statem.hand_state != TLS_ST_EARLY_DATA) + return 0; return 1; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 55ac4dd03e..ed9bd5c209 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1571,6 +1571,13 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) s->hello_retry_request = 1; + /* + * If we were sending early_data then the enc_write_ctx is now invalid and + * should not be used. + */ + EVP_CIPHER_CTX_free(s->enc_write_ctx); + s->enc_write_ctx = NULL; + /* This will fail if it doesn't choose TLSv1.3+ */ errorcode = ssl_choose_client_version(s, sversion, 0, &al); if (errorcode != 0) { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index f3f54d429b..9d3c387dcd 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -48,15 +48,14 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) default: break; - case TLS_ST_SW_HELLO_RETRY_REQUEST: - if (mt == SSL3_MT_CLIENT_HELLO) { - st->hand_state = TLS_ST_SR_CLNT_HELLO; - return 1; - } - break; - case TLS_ST_EARLY_DATA: - if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { + if (s->hello_retry_request) { + if (mt == SSL3_MT_CLIENT_HELLO) { + st->hand_state = TLS_ST_SR_CLNT_HELLO; + return 1; + } + break; + } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { if (mt == SSL3_MT_END_OF_EARLY_DATA) { st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA; return 1; @@ -397,7 +396,8 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SW_HELLO_RETRY_REQUEST: - return WRITE_TRAN_FINISHED; + st->hand_state = TLS_ST_EARLY_DATA; + return WRITE_TRAN_CONTINUE; case TLS_ST_SW_SRVR_HELLO: st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; -- 2.25.1