Clear state in DTLSv1_listen

This is a backport of commit e83ee04bb7de800cdb71d522fa562e99328003a3 from the master branch (and this has also been applied to 1.0.2). In 1.0.2 this was CVE-2015-0207. For other branches there is no known security issue, but this is being backported as a precautionary measure. The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invokation to the next. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit cce3e4adb78a8d3eeb6e0e4efe332fcc5d75f615)
author: Matt Caswell <matt@openssl.org> 2015-03-09 16:09:04 +0000
committer: Matt Caswell <matt@openssl.org> 2015-06-02 09:15:16 +0100
commit: 98377858d14e6582c6dbca4a8bee8c9972ec0a7c (patch)
tree: c8817874c729e0e2851718084c542b80411daef6
parent: aaa654d607f85cbab320e712377a8a345fa1158c (diff)
download: openssl-98377858d14e6582c6dbca4a8bee8c9972ec0a7c.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index f494e045f3..6e8b7d44e0 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -481,6 +481,9 @@ int dtls1_listen(SSL *s, struct sockaddr *client)
 {
     int ret;
 
+    /* Ensure there is no state left over from a previous invocation */
+    SSL_clear(s);
+
     SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
     s->d1->listen = 1;
author	Matt Caswell <matt@openssl.org>	2015-03-09 16:09:04 +0000
committer	Matt Caswell <matt@openssl.org>	2015-06-02 09:15:16 +0100
commit	98377858d14e6582c6dbca4a8bee8c9972ec0a7c (patch)
tree	c8817874c729e0e2851718084c542b80411daef6
parent	aaa654d607f85cbab320e712377a8a345fa1158c (diff)
download	openssl-98377858d14e6582c6dbca4a8bee8c9972ec0a7c.tar.gz