Merge pull request #8697 from BensonLiou/random_bye_on_hrr

Do not generate new random number while receiving HRR
2025-07-30 22:43:08 +03:00 · 2024-03-14 15:59:21 +00:00
parent 50da462fc8 93b305dc8e
commit 1c5ebf4352
3 changed files with 21 additions and 5 deletions
--- a/ChangeLog.d/fix-new-rn-on-hrr.txt
+++ b/ChangeLog.d/fix-new-rn-on-hrr.txt
@ -0,0 +1,3 @@
+Bugfix
+   * In TLS 1.3 clients, fix an interoperability problem due to the client
+     generating a new random after a HelloRetryRequest. Fixes #8669.
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@ -792,10 +792,15 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
        (ssl->handshake->cookie == NULL))
 #endif
    {
-        ret = ssl_generate_random(ssl);
-        if (ret != 0) {
-            MBEDTLS_SSL_DEBUG_RET(1, "Random bytes generation failed", ret);
-            return ret;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        if (!ssl->handshake->hello_retry_request_flag)
+#endif
+        {
+            ret = ssl_generate_random(ssl);
+            if (ret != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "Random bytes generation failed", ret);
+                return ret;
+            }
        }
    }

--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@ -2396,7 +2396,7 @@ void ssl_session_serialize_version_check(int corrupt_major,
     * corrupt them bit-by-bit. */
    for (cur_byte = 0; cur_byte < sizeof(should_corrupt_byte); cur_byte++) {
        int cur_bit;
-        unsigned char * const byte = &serialized_session[cur_byte];
+        unsigned char *const byte = &serialized_session[cur_byte];

        if (should_corrupt_byte[cur_byte] == 0) {
            continue;
@ -3850,6 +3850,7 @@ void tls13_cli_early_data_state(int scenario)
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_NONE
    };
+    uint8_t client_random[MBEDTLS_CLIENT_HELLO_RANDOM_LEN];

    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
@ -3987,9 +3988,16 @@ void tls13_cli_early_data_state(int scenario)
                        if (!client_ep.ssl.handshake->hello_retry_request_flag) {
                            TEST_EQUAL(client_ep.ssl.early_data_state,
                                       MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
+                            memcpy(client_random,
+                                   client_ep.ssl.handshake->randbytes,
+                                   MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
                        } else {
                            TEST_EQUAL(client_ep.ssl.early_data_state,
                                       MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+                            TEST_MEMORY_COMPARE(client_random,
+                                                MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+                                                client_ep.ssl.handshake->randbytes,
+                                                MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
                        }
                        break;