🐛 prevent hang when HelloRetryRequest is returned

It was possible for the following query to hang ``` tls.ciphers ``` This happened in cases where the server response with a `HelloRetryRequest`. This looks like a `ServerHello` until you check the random field of that message. We ended up hanging because we thought the server replied successfully with a hello and were waiting for more data, and the server was waiting for us to write.
mondoohq · May 20, 2024 · 678be83 · 678be83
1 parent d976b36
commit 678be83
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/providers/network/resources/tlsshake/tlsshake.go b/providers/network/resources/tlsshake/tlsshake.go
@@ -309,12 +309,24 @@ func (s *Tester) parseAlert(data []byte, conf *ScanConfig) error {
 	return nil
 }
 
+var helloRetryRequestRandom = []byte{
+	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
+	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
+	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
+	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
+}
+
 func (s *Tester) parseServerHello(data []byte, version string, conf *ScanConfig) error {
 	idx := 0
 
-	idx += 2 + 32
-	// handshake tls version (2), which we don't need yet (we will look at it in the extension if necessary)
-	// random (32), which we don't need
+	idx += 2
+	random := data[idx : idx+32]
+	if bytes.Equal(random, helloRetryRequestRandom) {
+		// The server wants us to retry. However, we hardcode a bunch of inputs
+		// so we can't really retry.
+		return errors.New("unexpected HelloRetryRequest")
+	}
+	idx += 32
 
 	// we don't need the session ID
 	sessionIDlen := byte1int(data[idx])