Improve TLSv1.3 state machine for HelloRetryRequest handling.

The state machine currently handles the HelloRetryRequest case by using
WITH_HRR - in other words, we're explicitly indicating when we transition
to the alternate path. The problem here is that we do not know if we're
going to receive a ServerHello or a HelloRetryRequest until we process
the message. This means that the ServerHello processing code has to handle
both types of messages.

The state machine and associated processing code becomes cleaner if we flip
this around so that we assume we are going to receive a HelloRetryRequest
and upon discovering that it is not, trigger WITHOUT_HRR and hand off to
the ServerHello processing function. In particular, this makes the logic
much more straight forward on the server side, when adding support for HRR.

With feedback from tb@

ok tb@

Remove some unnecessary handshake enums/functions.

Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.

ok inoguchi@ tb@

By design, our state machine is a DAG contrary to the state machine in
the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules. There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.

This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.

ok jsing

Fix header guard

Expose some symbols in a new tls13_handshake.h for regression testing.
Update the handshake state tables and flag names according to the
design decisions and naming conventions in the hackroom. Garbage collect
some things that turn out not to belong here.

ok jsing

Remove some unnecessary handshake enums/functions.

Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.

ok inoguchi@ tb@

By design, our state machine is a DAG contrary to the state machine in
the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules. There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.

This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.

ok jsing

Fix header guard

Expose some symbols in a new tls13_handshake.h for regression testing.
Update the handshake state tables and flag names according to the
design decisions and naming conventions in the hackroom. Garbage collect
some things that turn out not to belong here.

ok jsing

By design, our state machine is a DAG contrary to the state machine in
the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules. There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.

This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.

ok jsing

Fix header guard

Expose some symbols in a new tls13_handshake.h for regression testing.
Update the handshake state tables and flag names according to the
design decisions and naming conventions in the hackroom. Garbage collect
some things that turn out not to belong here.

ok jsing

Fix header guard

Expose some symbols in a new tls13_handshake.h for regression testing.
Update the handshake state tables and flag names according to the
design decisions and naming conventions in the hackroom. Garbage collect
some things that turn out not to belong here.

ok jsing