From bcbd701155e2ecafebd77f52a9e421ec43ac52a4 Mon Sep 17 00:00:00 2001
From: Jon Shallow
Date: Tue, 6 Aug 2024 16:08:47 +0100
Subject: [PATCH] Support DTLS1.3 downgrade when server sends multiple handshakes in packet If the server sends Server Hello, Server Key Exchange and Server Hello Done in a single DTLS packet, but for DTLS1.2 in response to a client DTLS1.3 request, then FIRST_REPLAY state does not occur until the server re-sends the packet. At this point wolfSSLconnect() gets used and all bursts into life. When processing handshakes in wolfSSL_connect_TLSv13() for case HELLO_AGAIN_REPLY, downgrade to using wolfSSLconnect() to continue processing the remaining handshakes in the packet. Found when using Mbed TLS for the server.
---
 src/tls13.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/tls13.c b/src/tls13.c
index aa2ab160d..55c9fabe5 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -13086,6 +13086,14 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
 case HELLO_AGAIN_REPLY:
 /* Get the response/s from the server. */
 while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
+#ifdef WOLFSSL_DTLS13
+ if (!IsAtLeastTLSv1_3(ssl->version)) {
+ #ifndef WOLFSSL_NO_TLS12
+ if (ssl->options.downgrade)
+ return wolfSSL_connect(ssl);
+ #endif
+ }
+#endif /* WOLFSSL_DTLS13 */
 if ((ssl->error = ProcessReply(ssl)) < 0) {
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
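Review bot: The added version check in the `HELLO_AGAIN_REPLY` loop acts only when `ssl->options.downgrade` is set; if the peer negotiated a version below 1.3 and downgrade is disabled, or `WOLFSSL_NO_TLS12` is defined (which leaves the outer `if` body empty), execution still falls through to `ProcessReply()` in the TLS 1.3 state machine with no explicit rejection at this point. If that mismatch is already rejected while the Server Hello is parsed, a comment such as `/* Sub-1.3 version here means downgrade was accepted while parsing Server Hello; continue in the 1.2 state machine. */` would record that assumption; otherwise the branch should fail closed with a version error instead of continuing. The block is compiled under `WOLFSSL_DTLS13` but is not gated on `ssl->options.dtls`, so it also applies to stream TLS connections in such builds, which the commit message does not mention; folding the guards into `#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12)` with a single `if (ssl->options.dtls && !IsAtLeastTLSv1_3(ssl->version) && ssl->options.downgrade)` would make the intent explicit. Because the negotiated version is chosen by the peer, it is worth confirming that the minimum-version and downgrade-protection checks have run before the hand-off to `wolfSSL_connect()`, and a regression test with the three handshake messages coalesced into one datagram would pin the behaviour. The loop and the enclosing function continue outside the hunk.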