From: Dr. Stephen Henson <steve@openssl.org>
Date: Tue, 15 Sep 2009 22:48:57 +0000 (+0000)
Subject: PR: 2039
X-Git-Tag: OpenSSL-fips-2_0-rc1~1534
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e9f613aceae39aa17ea7e493976d5e00fc7a985d;p=openssl

PR: 2039
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS listen bug fix.
---

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 355d5ed9cd..3ee46c4721 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -648,8 +648,15 @@ again:
 		goto again;   /* get another record */
 		}
 
-	/* check whether this is a repeat, or aged record */
-	if ( ! dtls1_record_replay_check(s, bitmap))
+	/* Check whether this is a repeat, or aged record.
+	 * Don't check if we're listening and this message is
+	 * a ClientHello. They can look as if they're replayed,
+	 * since they arrive from different connections and
+	 * would be dropped unnecessarily.
+	 */
+	if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
+		*p == SSL3_MT_CLIENT_HELLO) &&
+		!dtls1_record_replay_check(s, bitmap))
 		{
 		rr->length = 0;
 		s->packet_length=0; /* dump this record */
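Review bot: The new condition dereferences `*p` without first checking that the record actually carries a payload byte, so a handshake record with `rr->length == 0` compares against whatever stale byte follows the header in the receive buffer; the exemption should be gated on the length, e.g. `rr->type == SSL3_RT_HANDSHAKE && rr->length > 0 && *p == SSL3_MT_CLIENT_HELLO`. `p` itself is declared and assigned outside the hunk; if it is only set on the path that parses the record header in this call, a pass that resumes with the header already buffered would reach this line with `p` uninitialised, so a `p != NULL` guard (with `p` initialised to NULL at declaration) is worth adding alongside the length check. The replay exemption also keys only on the type byte and the listen flag, not on the record epoch, so the comment's reasoning ("they arrive from different connections") holds only if records from a non-zero epoch cannot reach this point while listening — worth stating in the comment or enforcing explicitly. The enclosing function dtls1_get_record begins and ends outside this hunk.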