From d4504fe5792b2dcf8ae6ef35634f1494e72d109b Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 14 Jul 2017 14:50:48 +0100
Subject: Fix early_data with an HRR

early_data is not allowed after an HRR. We failed to handle that
correctly.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3933)
---
 ssl/statem/extensions_srvr.c |  5 +++++
 ssl/statem/statem.c          |  9 ++-------
 ssl/statem/statem_clnt.c     |  7 +++++++
 ssl/statem/statem_srvr.c     | 18 +++++++++---------
 4 files changed, 23 insertions(+), 16 deletions(-)

(limited to 'ssl')

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 7f30ac7792..9fe58a780a 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -678,6 +678,11 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
         return 0;
     }
 
+    if (s->hello_retry_request) {
+        *al = SSL_AD_ILLEGAL_PARAMETER;
+        return 0;
+    }
+
     return 1;
 }
 
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 9eab8ceca7..e5a50c482d 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -157,13 +157,8 @@ int ossl_statem_skip_early_data(SSL *s)
     if (s->ext.early_data != SSL_EARLY_DATA_REJECTED)
         return 0;
 
-    if (s->hello_retry_request) {
-        if (s->statem.hand_state != TLS_ST_SW_HELLO_RETRY_REQUEST)
-            return 0;
-    } else {
-        if (!s->server || s->statem.hand_state != TLS_ST_EARLY_DATA)
-            return 0;
-    }
+    if (!s->server || s->statem.hand_state != TLS_ST_EARLY_DATA)
+        return 0;
 
     return 1;
 }
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 55ac4dd03e..ed9bd5c209 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1571,6 +1571,13 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
 
     s->hello_retry_request = 1;
 
+    /*
+     * If we were sending early_data then the enc_write_ctx is now invalid and
+     * should not be used.
+     */
+    EVP_CIPHER_CTX_free(s->enc_write_ctx);
+    s->enc_write_ctx = NULL;
+
     /* This will fail if it doesn't choose TLSv1.3+ */
     errorcode = ssl_choose_client_version(s, sversion, 0, &al);
     if (errorcode != 0) {
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index f3f54d429b..9d3c387dcd 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -48,15 +48,14 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt)
     default:
         break;
 
-    case TLS_ST_SW_HELLO_RETRY_REQUEST:
-        if (mt == SSL3_MT_CLIENT_HELLO) {
-            st->hand_state = TLS_ST_SR_CLNT_HELLO;
-            return 1;
-        }
-        break;
-
     case TLS_ST_EARLY_DATA:
-        if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
+        if (s->hello_retry_request) {
+            if (mt == SSL3_MT_CLIENT_HELLO) {
+                st->hand_state = TLS_ST_SR_CLNT_HELLO;
+                return 1;
+            }
+            break;
+        } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
             if (mt == SSL3_MT_END_OF_EARLY_DATA) {
                 st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
                 return 1;
@@ -397,7 +396,8 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
         return WRITE_TRAN_CONTINUE;
 
     case TLS_ST_SW_HELLO_RETRY_REQUEST:
-        return WRITE_TRAN_FINISHED;
+        st->hand_state = TLS_ST_EARLY_DATA;
+        return WRITE_TRAN_CONTINUE;
 
     case TLS_ST_SW_SRVR_HELLO:
         st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
-- 
cgit v1.2.3