Back out server side CCS sending. It breaks TLSv1.3 client communication

with TLSv1.2 servers, since it makes clients send their dummy CCS too
early...  There's an obvious but dirty bandaid which I can't bring myself
to applying - this business is already disgusting enough.

Issue found the hard way by sthen

3 files changed, 3 insertions, 34 deletions

diff --git a/lib/libssl/tls13_handshake.c b/lib/libssl/tls13_handshake.c
index 1825bfbf6c9..d3333a2e4a9 100644
--- a/lib/libssl/tls13_handshake.c
+++ b/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_handshake.c,v 1.58 2020/05/09 16:43:05 tb Exp $	*/
+/*	$OpenBSD: tls13_handshake.c,v 1.59 2020/05/09 20:38:19 tb Exp $	*/
 /*
  * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -102,7 +102,6 @@ static const struct tls13_handshake_action state_machine[] = {
 		.sender = TLS13_HS_SERVER,
 		.send = tls13_server_hello_retry_request_send,
 		.recv = tls13_server_hello_retry_request_recv,
-		.sent = tls13_server_hello_retry_request_sent,
 	},
 	[SERVER_ENCRYPTED_EXTENSIONS] = {
 		.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
@@ -374,12 +373,6 @@ tls13_handshake_send_action(struct tls13_ctx *ctx,
 	if (action->sent != NULL && !action->sent(ctx))
 		return TLS13_IO_FAILURE;
 
-	if (ctx->send_dummy_ccs) {
-		if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
-			return ret;
-		ctx->send_dummy_ccs = 0;
-	}
-
 	return TLS13_IO_SUCCESS;
 }
 
diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index e3aaf634c32..050ad15df89 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.71 2020/05/09 16:43:05 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.72 2020/05/09 20:38:19 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -323,7 +323,6 @@ int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_hello_sent(struct tls13_ctx *ctx);
 int tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb);
-int tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx);
 int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs);
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 5e2711d4d48..0b040fb51d2 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.39 2020/05/09 16:43:05 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.40 2020/05/09 20:38:19 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -335,20 +335,6 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 }
 
 int
-tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
-{
-	/*
-	 * If the client has requested middlebox compatibility mode,
-	 * we MUST send a dummy CCS following our first handshake message.
-	 * See RFC 8446 Appendix D.4.
-	 */
-	if (ctx->hs->legacy_session_id_len > 0)
-		ctx->send_dummy_ccs = 1;
-
-	return 1;
-}
-
-int
 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
 	SSL *s = ctx->ssl;
@@ -382,15 +368,6 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_server_hello_sent(struct tls13_ctx *ctx)
 {
-	/*
-	 * If the client has requested middlebox compatibility mode,
-	 * we MUST send a dummy CCS following our first handshake message.
-	 * See RFC 8446 Appendix D.4.
-	 */
-	if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
-	    ctx->hs->legacy_session_id_len > 0)
-		ctx->send_dummy_ccs = 1;
-
 	return tls13_server_engage_record_protection(ctx);
 }