[openssl/openssl] 6e73a0: Fix a DTLS server hangup due to TLS13_AD_MISSING_E...

bernd-edlinger noreply at reply.github.openssl.org
Thu Apr 14 04:45:26 UTC 2022


  Branch: refs/heads/OpenSSL_1_1_1-stable
  Home:   https://github.openssl.org/openssl/openssl
  Commit: 6e73a0a0bd608daecb8e2c1e46de9d1014194c84
      https://github.openssl.org/openssl/openssl/commit/6e73a0a0bd608daecb8e2c1e46de9d1014194c84
  Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
  Date:   2022-04-13 (Wed, 13 Apr 2022)

  Changed paths:
    M ssl/s3_enc.c
    M ssl/t1_enc.c
    M test/ssl-tests/10-resumption.conf
    M test/ssl-tests/11-dtls_resumption.conf
    M test/ssl-tests/protocol_version.pm

  Log Message:
  -----------
  Fix a DTLS server hangup due to TLS13_AD_MISSING_EXTENSION

This causes the DTLS server to enter an error state:

./openssl s_server -dtls
./openssl s_client -dtls -maxfraglen 512 -sess_out s1.txt
[...]
Q
./openssl s_client -dtls -sess_in s1.txt
CONNECTED(00000003)
^C
./openssl s_client -dtls
CONNECTED(00000003)
140335537067840:error:14102410:SSL routines:dtls1_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_d1.c:614:SSL alert number 40

At this point the DTLS server needs to be restarted,
because verify_cookie_callback always fails: the
previous cookie is checked against the current one.
The reason for this is not fully understood.

In wireshark we see the following each time:
c->s Client Hello (without cookie)
s->c Hello Verify Request (with new cookie)
s->c Alert (Level: Fatal, Description: Handshake Failure)
c->s Client Hello (echoes new cookie)

The client gives up when the Alert arrives.
The Alert is triggered because the server calls
verify_cookie_callback with the previous cookie,
although it just sent the current cookie in the
Hello Verify Request.

However, this only happens because no Alert message
is sent when the client reconnects the session with
the missing -maxfraglen option.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18094)