Switch to NEGOTIATED when using WITHOUT_HRR.

This ensures that we remain in a valid handshake state in the TLSv1.3
server. Ideally we would not switch to NEGOTIATED until after record
protection has been enabled, but we'll revisit this later.

Issue noted by inoguchi@

ok tb@

1 files changed, 9 insertions, 4 deletions

diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 9bc4cb6170f..16c2e32dbab 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.31 2020/04/22 17:05:07 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.32 2020/04/25 18:06:28 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -280,11 +280,16 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 		return 1;
 
 	/*
-	 * If a matching key share was provided, we do not need to
-	 * send a HelloRetryRequest.
+	 * If a matching key share was provided, we do not need to send a
+	 * HelloRetryRequest.
+	 */
+	/*
+	 * XXX - ideally NEGOTIATED would only be added after record protection
+	 * has been enabled. This would probably mean using either an
+	 * INITIAL | WITHOUT_HRR state, or another intermediate state.
 	 */
 	if (ctx->hs->key_share != NULL)
-		ctx->handshake_stage.hs_type |= WITHOUT_HRR;
+		ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
 
 	/* XXX - check this is the correct point */
 	tls13_record_layer_allow_ccs(ctx->rl, 1);