Fix DTLS session ticket renewal
author Matt Caswell <matt@openssl.org>
Thu, 13 Aug 2015 09:06:30 +0000 (10:06 +0100)
committer Matt Caswell <matt@openssl.org>
Wed, 26 Aug 2015 09:17:49 +0000 (10:17 +0100)
A DTLS client will abort a handshake if the server attempts to renew the
session ticket. This is caused by a state machine discrepancy between DTLS
and TLS discovered during the state machine rewrite work.

The bug can be demonstrated as follows:

Start a DTLS s_server instance:
openssl s_server -dtls

Start a client and obtain a session but no ticket:
openssl s_client -dtls -sess_out session.pem -no_ticket

Now start a client reusing the session, but allow a ticket:
openssl s_client -dtls -sess_in session.pem

The client will abort the handshake.

Reviewed-by: Tim Hudson <tjh@openssl.org>
ssl/d1_clnt.c

index d4116147b41f360249b43c51e7693bc09343ac1c..083333eedb681f7ae2514ea0bfefc777c923fab6 100644 (file)
@@ -380,6 +380,10 @@ int dtls1_connect(SSL *s)
 #endif
 
                     s->state = SSL3_ST_CR_CHANGE_A;
 #endif
 
                     s->state = SSL3_ST_CR_CHANGE_A;
+                    if (s->tlsext_ticket_expected) {
+                        /* receive renewed session ticket */
+                        s->state = SSL3_ST_CR_SESSION_TICKET_A;
+                    }
                 } else
                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
             }
                 } else
                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
             }
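Review bot: In the added `if (s->tlsext_ticket_expected)` block, `s->state` is set to `SSL3_ST_CR_CHANGE_A` on the line above and then immediately overwritten. An if/else that selects either `SSL3_ST_CR_SESSION_TICKET_A` or `SSL3_ST_CR_CHANGE_A` would show the two paths as alternatives rather than as a default plus an override. The comment `/* receive renewed session ticket */` could also note that the ticket is read before the ChangeCipherSpec state on this path, since that ordering is the part the DTLS client got wrong. The commit message gives a three-command reproduction with s_server and s_client, but no test accompanies the change in the visible diff; a regression test that runs that sequence would catch the DTLS and TLS client state machines drifting apart again.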