Correctly handle key share extensions in a hello retry request.

In a hello retry request the server will only send the selected group and
not actually provide a key exchange. In this case we need to store the
server selected group for further processing.

ok tb@

lib/libssl/ssl_locl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.262 2020/02/05 17:30:30 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.263 2020/02/06 13:14:17 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -463,6 +463,7 @@ typedef struct ssl_handshake_tls13_st {
 	/* Version proposed by peer server. */
 	uint16_t server_version;
 
+	uint16_t server_group;
 	struct tls13_key_share *key_share;
 	struct tls13_secrets *secrets;
 

lib/libssl/ssl_tlsext.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.59 2020/02/01 12:41:58 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.60 2020/02/06 13:14:17 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1338,11 +1338,17 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
 	/* Unpack server share. */
 	if (!CBS_get_u16(cbs, &group))
 		goto err;
+
+	if (CBS_len(cbs) == 0) {
+		/* HRR does not include an actual key share. */
+		/* XXX - we should know that we are in a HRR... */
+		S3I(s)->hs_tls13.server_group = group;
+		return 1;
+	}
+
 	if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
 		return 0;
 
-	/* XXX - Handle other groups and verify that they're valid. */
-
 	if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
 	    group, &key_exchange))
 		goto err;