From 277598e34a0909700a7f778a2ff46761545ba9cc Mon Sep 17 00:00:00 2001
From: Jonas Norling
Date: Wed, 4 Jun 2014 13:15:45 +0200
Subject: [PATCH] Use same sequence number calculation in tls.c and internal.c

The DTLS sequence number used when decrypting CCM/GCM was taken from the internal state, instead of from the actual message record. If any DTLS messages were dropped, the expectation of the next sequence number was wrong. This lead to a failed MAC check on the next message to arrive, and an alert was generated.
---
 src/internal.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index 4d54e9978..180793eba 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4740,6 +4740,14 @@ static int DoDtlsHandShakeMsg(CYASSL* ssl, byte* input, word32* inOutIdx,
     || defined(HAVE_AESGCM)
 static INLINE word32 GetSEQIncrement(CYASSL* ssl, int verify)
 {
+#ifdef CYASSL_DTLS
+    if (ssl->options.dtls) {
+        if (verify)
+            return ssl->keys.dtls_state.curSeq; /* explicit from peer */
+        else
+            return ssl->keys.dtls_sequence_number - 1; /* already incremented */
+    }
+#endif
     if (verify)
         return ssl->keys.peer_sequence_number++;
     else
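Review bot: The non-verify branch of the new DTLS block returns `ssl->keys.dtls_sequence_number - 1` and so depends on the caller having already advanced that counter for the record being encrypted, an ordering contract that the two-word comment does not make explicit; a header comment on GetSEQIncrement along the lines of `/* DTLS: encrypt path assumes dtls_sequence_number was advanced for this record before the call; verify path returns the sequence carried in the received record (curSeq) */` would pin it down for the next maintainer. The function returns word32 while a DTLS record sequence number is 48 bits, so both the new branch and the pre-existing TLS branch truncate; if the caller builds the AEAD nonce from this value alone rather than from epoch plus the full sequence, records past 2^32 would repeat a nonce, which is worth confirming against the caller outside this hunk. The verify branch reads `dtls_state.curSeq`, which is presumably filled in from the record header before decryption is attempted on every receive path — that ordering is not visible here and should be checked. GetSEQIncrement's body continues past the end of the hunk.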