1 files changed, 14 insertions, 19 deletions

diff --git a/src/ssl/d1_clnt.c b/src/ssl/d1_clnt.c
index 73a3f8a..92fb8f6 100644
--- a/src/ssl/d1_clnt.c
+++ b/src/ssl/d1_clnt.c
@@ -112,8 +112,6 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/ssl.h>
-
 #include <assert.h>
 #include <stdio.h>
 #include <string.h>
@@ -130,7 +128,6 @@
 
 #include "internal.h"
 
-
 static int dtls1_get_hello_verify(SSL *s);
 
 int dtls1_connect(SSL *s) {
@@ -191,8 +188,9 @@ int dtls1_connect(SSL *s) {
       case SSL3_ST_CW_CLNT_HELLO_B:
         s->shutdown = 0;
 
-        if (!ssl3_init_handshake_buffer(s)) {
-          OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+        /* every DTLS ClientHello resets Finished MAC */
+        if (!ssl3_init_finished_mac(s)) {
+          OPENSSL_PUT_ERROR(SSL, dtls1_connect, ERR_R_INTERNAL_ERROR);
           ret = -1;
           goto end;
         }
@@ -263,7 +261,7 @@ int dtls1_connect(SSL *s) {
           if (s->s3->tmp.certificate_status_expected) {
             s->state = SSL3_ST_CR_CERT_STATUS_A;
           } else {
-            s->state = SSL3_ST_VERIFY_SERVER_CERT;
+            s->state = SSL3_ST_CR_KEY_EXCH_A;
           }
         } else {
           skip = 1;
@@ -272,16 +270,6 @@ int dtls1_connect(SSL *s) {
         s->init_num = 0;
         break;
 
-      case SSL3_ST_VERIFY_SERVER_CERT:
-        ret = ssl3_verify_server_cert(s);
-        if (ret <= 0) {
-          goto end;
-        }
-
-        s->state = SSL3_ST_CR_KEY_EXCH_A;
-        s->init_num = 0;
-        break;
-
       case SSL3_ST_CR_KEY_EXCH_A:
       case SSL3_ST_CR_KEY_EXCH_B:
         ret = ssl3_get_server_key_exchange(s);
@@ -290,6 +278,13 @@ int dtls1_connect(SSL *s) {
         }
         s->state = SSL3_ST_CR_CERT_REQ_A;
         s->init_num = 0;
+
+        /* at this point we check that we have the
+         * required stuff from the server */
+        if (!ssl3_check_cert_and_algorithm(s)) {
+          ret = -1;
+          goto end;
+        }
         break;
 
       case SSL3_ST_CR_CERT_REQ_A:
@@ -431,7 +426,7 @@ int dtls1_connect(SSL *s) {
         if (ret <= 0) {
           goto end;
         }
-        s->state = SSL3_ST_VERIFY_SERVER_CERT;
+        s->state = SSL3_ST_CR_KEY_EXCH_A;
         s->init_num = 0;
         break;
 
@@ -488,7 +483,7 @@ int dtls1_connect(SSL *s) {
         goto end;
 
       default:
-        OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE);
+        OPENSSL_PUT_ERROR(SSL, dtls1_connect, SSL_R_UNKNOWN_STATE);
         ret = -1;
         goto end;
     }
@@ -543,7 +538,7 @@ static int dtls1_get_hello_verify(SSL *s) {
       !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
       CBS_len(&hello_verify_request) != 0) {
     al = SSL_AD_DECODE_ERROR;
-    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    OPENSSL_PUT_ERROR(SSL, dtls1_get_hello_verify, SSL_R_DECODE_ERROR);
     goto f_err;
   }