DTLS RFC4347 says HelloVerifyRequest resets Finished MAC.

0d97d00b · Andy Polyakov · e7adda52 · 0d97d00b · 0d97d00b
隐藏空白更改
内联并排

Showing with 7 addition and 2 deletion

ssl/d1_clnt.c ssl/d1_clnt.c +4 -2

ssl/d1_srvr.c ssl/d1_srvr.c +3 -0

未找到文件。
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -213,8 +213,6 @@ int dtls1_connect(SSL *s)

 			/* don't push the buffering BIO quite yet */

-			ssl3_init_finished_mac(s);
-
 			s->state=SSL3_ST_CW_CLNT_HELLO_A;
 			s->ctx->stats.sess_connect++;
 			s->init_num=0;
@@ -226,6 +224,10 @@ int dtls1_connect(SSL *s)
 		case SSL3_ST_CW_CLNT_HELLO_B:

 			s->shutdown=0;
+
+			/* every DTLS ClientHello resets Finished MAC */
+			ssl3_init_finished_mac(s);
+
 			ret=dtls1_client_hello(s);
 			if (ret <= 0) goto end;


--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -286,6 +286,9 @@ int dtls1_accept(SSL *s)
 			s->d1->send_cookie = 0;
 			s->state=SSL3_ST_SW_FLUSH;
 			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
+
+			/* HelloVerifyRequest resets Finished MAC */
+			ssl3_init_finished_mac(s);
 			break;
 			
 		case SSL3_ST_SW_SRVR_HELLO_A: