From 35a685b9f0ea284ca2efa53191d7e9d39c12b843 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Wed, 13 Jun 2018 17:47:50 +0200
Subject: _gnutls13_handshake_server: send CCS immediately after HRR

In the TLS 1.3 middlebox compatibility mode, CCS follows the first handshake message sent from the server, that is either SH or HRR.

Signed-off-by: Daiki Ueno
---
lib/handshake-tls13.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
(limited to 'lib/handshake-tls13.c')
diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
index 443f9c8f8e..8a8ae52774 100644
--- a/lib/handshake-tls13.c
+++ b/lib/handshake-tls13.c
@@ -288,6 +288,13 @@ int _gnutls13_handshake_server(gnutls_session_t session)
 IMED_RET("send hello retry request", ret, 0);
 /* fall through */
 case STATE92:
+#ifdef TLS13_APPENDIX_D4
+ ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE92));
+ STATE = STATE92;
+ IMED_RET("send change cipher spec", ret, 0);
+#endif
+ /* fall through */
+ case STATE93:
 ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CLIENT_HELLO,
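Review bot: The new `case STATE92:` block sends a CCS with no comment saying why it belongs at this point in the state machine; the rationale exists only in the commit message. A short comment before the send, for example `/* middlebox compatibility mode: CCS follows the first server handshake message, which is HRR on this path */`, would keep it with the code. When TLS13_APPENDIX_D4 is not defined the state becomes an empty fall-through into STATE93, which is harmless but worth stating in the same comment. The body of _gnutls13_handshake_server starts and ends outside this hunk.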
@@ -296,24 +303,28 @@ int _gnutls13_handshake_server(gnutls_session_t session)
 /* this is triggered by post_client_hello, and instructs the
 * handshake to proceed but be put on hold */
 ret = GNUTLS_E_INTERRUPTED;
- STATE = STATE93; /* hello already parsed -> move to next state */
+ STATE = STATE94; /* hello already parsed -> move to next state */
 } else {
- STATE = STATE92;
+ STATE = STATE93;
 }
 IMED_RET("recv client hello", ret, 0);
 /* fall through */
- case STATE93:
- ret = _gnutls_send_server_hello(session, AGAIN(STATE93));
- STATE = STATE93;
+ case STATE94:
+ ret = _gnutls_send_server_hello(session, AGAIN(STATE94));
+ STATE = STATE94;
 IMED_RET("send hello", ret, 0);
 /* fall through */
 case STATE99:
 case STATE100:
 #ifdef TLS13_APPENDIX_D4
- ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE100));
- STATE = STATE100;
- IMED_RET("send change cipher spec", ret, 0);
+ /* don't send CCS twice: when HRR has already been
+ * sent, CCS should have followed it (see above) */
+ if (!(session->internals.hsk_flags & HSK_HRR_SENT)) {
+ ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE100));
+ STATE = STATE100;
+ IMED_RET("send change cipher spec", ret, 0);
+ }
 #endif
 /* fall through */
 case STATE101:
-- cgit v1.2.1
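Review bot: The guard at STATE100 skips the CCS whenever `HSK_HRR_SENT` is set, so it is only correct if that flag is raised exactly on the path that ran the STATE92 send; the place where the flag is set is outside this hunk and should be checked against that assumption. The added comment's "(see above)" is positional, so naming the state would keep it accurate if the cases are renumbered again, e.g. `* sent, CCS has already followed it in STATE92 */`. Because this changes what the server puts on the wire, a handshake test that forces an HRR and checks that exactly one CCS is emitted would pin the behaviour. The page shows only lib/handshake-tls13.c, so whether the commit carries such a test cannot be told from here.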