DTLS message_sequence number wrong in rehandshake ServerHello

This fix ensures that
* A HelloRequest is retransmitted if not responded by a ClientHello
* The HelloRequest "consumes" the sequence number 0. The subsequent
ServerHello uses the sequence number 1.
* The client also expects the sequence number of the ServerHello to
be 1 if a HelloRequest was received earlier.
This patch fixes the RFC violation.
(cherry picked from commit b62f4daac00303280361924b9cc19b3e27528b15)

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index e0bbcb982d6ad0c39e9bf5debc3c3325f618b949..8186462d4a6be97eab48f424eb1b6b6e61299f21 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -1057,6 +1057,7 @@ start:
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                        !s->s3->renegotiate)
                        {
+                       s->d1->handshake_read_seq++;
                        s->new_session = 1;
                        ssl3_renegotiate(s);
                        if (ssl3_renegotiate_check(s))

diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 29421da9aacebe91e1a067e5647461dd7263af5e..1e7c45a021b64d42a62a40b272b9c0377de15e80 100644 (file)
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
                case SSL3_ST_SW_HELLO_REQ_B:
 
                        s->shutdown=0;
+                       dtls1_clear_record_buffer(s);
                        dtls1_start_timer(s);
                        ret=dtls1_send_hello_request(s);
                        if (ret <= 0) goto end;
-                       s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
+                       s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
                        s->state=SSL3_ST_SW_FLUSH;
                        s->init_num=0;