DTLS message_sequence number wrong in rehandshake ServerHello
authorMichael Tuexen <tuexen@fh-muenster.de>
Tue, 13 Aug 2013 17:53:19 +0000 (18:53 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 13 Aug 2013 18:00:59 +0000 (19:00 +0100)
This fix ensures that
* A HelloRequest is retransmitted if not responded by a ClientHello
* The HelloRequest "consumes" the sequence number 0. The subsequent
ServerHello uses the sequence number 1.
* The client also expects the sequence number of the ServerHello to
be 1 if a HelloRequest was received earlier.
This patch fixes the RFC violation.

Conflicts:

ssl/d1_pkt.c
(cherry picked from commit 6f87807e629ee10ec0006b39d8851af8c5ade67b)

ssl/d1_pkt.c
ssl/d1_srvr.c

index 5bb3939bff62c7f86b05118adf170d211fec9522..d12604e6573eb60f8d0938a186403d5d05479a7b 100644 (file)
@@ -946,6 +946,7 @@ start:
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                        !s->s3->renegotiate)
                        {
+                       s->d1->handshake_read_seq++;
                        ssl3_renegotiate(s);
                        if (ssl3_renegotiate_check(s))
                                {
index 2efaa19ddc503aa2447e3a672c36f1571e22879a..c0246c94eae87f5f9d1d3ded0b90a6a4cf090088 100644 (file)
@@ -246,10 +246,11 @@ int dtls1_accept(SSL *s)
                case SSL3_ST_SW_HELLO_REQ_B:
 
                        s->shutdown=0;
+                       dtls1_clear_record_buffer(s);
                        dtls1_start_timer(s);
                        ret=dtls1_send_hello_request(s);
                        if (ret <= 0) goto end;
-                       s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
+                       s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
                        s->state=SSL3_ST_SW_FLUSH;
                        s->init_num=0;