Avoid transcript initialisation when sending a TLS HelloRequest.

When server side renegotiation is triggered, the TLSv1.2 state machine
sends a HelloRequest before going to ST_SW_FLUSH and ST_OK. In this case
we do not need the transcript and currently hit the sanity check in ST_OK
that ensures the transcript has been freed, breaking server initiated
renegotiation. We do however need the transcript in the DTLS case.

ok tb@

1 files changed, 6 insertions, 4 deletions

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index aea8d67260..0f3572a678 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.100 2021/03/27 17:56:28 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.101 2021/03/29 16:56:20 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -294,9 +294,11 @@ ssl3_accept(SSL *s)
                         S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
                         s->internal->init_num = 0;
 
-                        if (!tls1_transcript_init(s)) {
-                                ret = -1;
-                                goto end;
+                        if (SSL_is_dtls(s)) {
+                                if (!tls1_transcript_init(s)) {
+                                        ret = -1;
+                                        goto end;
+                                }
                         }
                         break;