Abort connection if we are about to send the same CH

Author: julek-wolfssl

src/ssl.c

@@ -14209,6 +14209,10 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
 #if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST)
         ssl->response_idx = 0;
 #endif
+#endif
+
+#ifdef WOLFSSL_TLS13
+        ssl->initChHash = 0;
 #endif
         return WOLFSSL_SUCCESS;
     }

src/tls13.c

@@ -4739,6 +4739,22 @@ int SendTls13ClientHello(WOLFSSL* ssl)
     if (ret != 0)
         return ret;
 
+    if (ssl->hsHashes == NULL)
+        return BAD_FUNC_ARG;
+    /* https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.4
+     * Clients MUST abort the handshake with an
+     * "illegal_parameter" alert if the HelloRetryRequest would not result
+     * in any change in the ClientHello.
+     */
+    if (ssl->options.connectState != HELLO_AGAIN)
+        ssl->initChHash = HashObject(args->output, args->idx, &ret);
+    else if (ssl->initChHash == HashObject(args->output, args->idx, &ret)) {
+        SendAlert(ssl, alert_fatal, illegal_parameter);
+        ret = DUPLICATE_MSG_E;
+    }
+    if (ret != 0)
+        return ret;
+
     ssl->options.clientState = CLIENT_HELLO_COMPLETE;
 
 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)

wolfcrypt/src/misc.c

@@ -1281,7 +1281,7 @@ WC_MISC_STATIC WC_INLINE w64wrapper w64Mul(word32 a, word32 b)
 #endif /* WOLFSSL_W64_WRAPPER */
 
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_CERTS) || \
-    !defined(NO_SESSION_CACHE)
+    !defined(NO_SESSION_CACHE) || defined(WOLFSSL_TLS13)
 /* Make a word from the front of random hash */
 WC_MISC_STATIC WC_INLINE word32 MakeWordFromHash(const byte* hashID)
 {

wolfssl/internal.h

@@ -5858,6 +5858,7 @@ struct WOLFSSL {
 #ifdef WOLFSSL_TLS13
     byte            clientSecret[SECRET_LEN];
     byte            serverSecret[SECRET_LEN];
+    word32          initChHash;         /* initial ClientHello hash */
 #endif
     HS_Hashes*      hsHashes;
 #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)