From e93597193dae5bc2e0dcfbf6d812f71d6961576f Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 29 Dec 2017 17:36:28 +0000
Subject: [PATCH] Don't send unexpected_message if we receive CCS while
 stateless

Probably this is the CCS between the first and second ClientHellos. It
should be ignored.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
---
 ssl/statem/statem_lib.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 38b86c9ef2..6bd54ac2b7 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1120,6 +1120,17 @@ int tls_get_message_header(SSL *s, int *mt)
                              SSL_R_BAD_CHANGE_CIPHER_SPEC);
                     return 0;
                 }
+                if (s->statem.hand_state == TLS_ST_BEFORE
+                        && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
+                    /*
+                     * We are stateless and we received a CCS. Probably this is
+                     * from a client between the first and second ClientHellos.
+                     * We should ignore this, but return an error because we do
+                     * not return success until we see the second ClientHello
+                     * with a valid cookie.
+                     */
+                    return 0;
+                }
                 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
                 s->init_num = readbytes - 1;
                 s->init_msg = s->init_buf->data;
-- 
2.25.1