From 79bf381577b952bb4388f9f766c992be782c1c74 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 29 Mar 2021 16:56:20 +0000
Subject: Avoid transcript initialisation when sending a TLS HelloRequest.

When server side renegotiation is triggered, the TLSv1.2 state machine
sends a HelloRequest before going to ST_SW_FLUSH and ST_OK. In this case
we do not need the transcript and currently hit the sanity check in ST_OK
that ensures the transcript has been freed, breaking server initiated
renegotiation. We do however need the transcript in the DTLS case.

ok tb@
---
 src/lib/libssl/ssl_srvr.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index aea8d67260..0f3572a678 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.100 2021/03/27 17:56:28 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.101 2021/03/29 16:56:20 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -294,9 +294,11 @@ ssl3_accept(SSL *s)
 			S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
 			s->internal->init_num = 0;
 
-			if (!tls1_transcript_init(s)) {
-				ret = -1;
-				goto end;
+			if (SSL_is_dtls(s)) {
+				if (!tls1_transcript_init(s)) {
+					ret = -1;
+					goto end;
+				}
 			}
 			break;
 
-- 
cgit v1.2.3-55-g6feb