Commit e8300984 authored by Matt Caswell

Only call ssl3_init_finished_mac once for DTLS



In DTLS, if an IO retry occurs during writing of a fragmented ClientHello
then we can end up resetting the finish mac variables on the retry, which
causes a handshake failure. We should only reset on the first attempt, not
on retries.

Thanks to BoringSSL for reporting this issue.

RT#4119

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 15a7164e)
parent 84d0c40f
+1 −2
@@ -299,13 +299,12 @@ int dtls1_connect(SSL *s)
#endif

        case SSL3_ST_CW_CLNT_HELLO_A:
        case SSL3_ST_CW_CLNT_HELLO_B:

            s->shutdown = 0;

            /* every DTLS ClientHello resets Finished MAC */
            ssl3_init_finished_mac(s);

        case SSL3_ST_CW_CLNT_HELLO_B:
            dtls1_start_timer(s);
            ret = dtls1_client_hello(s);
            if (ret <= 0)
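
Review bot: The comment "every DTLS ClientHello resets Finished MAC" above ssl3_init_finished_mac(s) no longer matches the control flow. With the SSL3_ST_CW_CLNT_HELLO_B label moved below it, the reset (and s->shutdown = 0) runs only when the state machine enters at SSL3_ST_CW_CLNT_HELLO_A, and an entry at _B skips both. Suggest rewording the comment to say the reset happens once per ClientHello on first entry and is deliberately skipped on an IO retry. The fall-through from _A into the new _B label is now load-bearing, so a /* fall through */ marker just above case SSL3_ST_CW_CLNT_HELLO_B: would stop a later cleanup from adding a break there. The hunk does not show where the state advances from _A to _B, so it is worth confirming that this happens before the first write can return ret <= 0; otherwise a retry would re-enter at _A and reset the MAC again.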