[openssl] OpenSSL_1_1_1-stable update

matthias.st.pierre at ncp-e.com
Thu Oct 3 13:18:56 UTC 2019


The branch OpenSSL_1_1_1-stable has been updated
       via  a80de34b2769c35270d45bbae67c4b219c99156d (commit)
      from  61cc715240d2d3f9511ca88043a3e9797c11482f (commit)


- Log -----------------------------------------------------------------
commit a80de34b2769c35270d45bbae67c4b219c99156d
Author: NaveenShivanna86 <navin.shivanna at gmail.com>
Date:   Wed Aug 21 11:58:29 2019 +0530

    'init_buf' memory can be freed when DTLS is used over SCTP (not over UDP).
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    (Merged from https://github.com/openssl/openssl/pull/9653)
    
    (cherry picked from commit e7c27a6c3716843f8412fd96311b70ac84b785f9)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/statem_lib.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index ed52b18d3a..bd1d34f3b6 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1033,14 +1033,25 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
     int cleanuphand = s->statem.cleanuphand;
 
     if (clearbufs) {
-        if (!SSL_IS_DTLS(s)) {
+        if (!SSL_IS_DTLS(s)
+#ifndef OPENSSL_NO_SCTP
             /*
-             * We don't do this in DTLS because we may still need the init_buf
+             * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
+             * messages that require it. Therefore, DTLS procedures for retransmissions
+             * MUST NOT be used.
+             * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
+             */
+            || BIO_dgram_is_sctp(SSL_get_wbio(s))
+#endif
+            ) {
+            /*
+             * We don't do this in DTLS over UDP because we may still need the init_buf
              * in case there are any unexpected retransmits
              */
             BUF_MEM_free(s->init_buf);
             s->init_buf = NULL;
         }
+
         if (!ssl_free_wbio_buffer(s)) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
                      ERR_R_INTERNAL_ERROR);
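Review bot: the new RFC 6083 rationale comment is placed inside the `if` condition, between `#ifndef OPENSSL_NO_SCTP` and the `|| BIO_dgram_is_sctp(SSL_get_wbio(s))` operand, which makes a condition that is really just `!SSL_IS_DTLS(s) || BIO_dgram_is_sctp(SSL_get_wbio(s))` span ten lines and is easy to misread as a comment on the `#ifndef`; move that explanation above the `if (clearbufs)` block or fold it into the existing "We don't do this in DTLS over UDP ..." comment inside the braces, leaving only the `#ifndef`/`#endif` and the operand in the condition. Several of the added comment lines (`RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS`, `messages that require it. Therefore, DTLS procedures for retransmissions` and `We don't do this in DTLS over UDP because we may still need the init_buf`) also run past 80 columns, which the surrounding code in this file keeps to. Since the new check inspects the write BIO, it is worth a one-line note that it has to stay ahead of the `ssl_free_wbio_buffer(s)` call that follows it in the same block.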

