From c72d315325744dda9460e504b87e5576b6b66bf5 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Tue, 20 Sep 2022 12:53:54 +0200
Subject: [PATCH] DTLS 1.3: Don't add HRR to ssl->dtls13Rtx

Signed-off-by: Marco Oliverio
---
 src/dtls13.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/dtls13.c b/src/dtls13.c
index 2b9d1edaa..90ba294ee 100644
--- a/src/dtls13.c
+++ b/src/dtls13.c
@@ -811,7 +811,7 @@ static int Dtls13SendOneFragmentRtx(WOLFSSL* ssl,
     enum HandShakeType handshakeType, word16 outputSize, byte* message,
     word32 length, int hashOutput)
 {
-    Dtls13RtxRecord* rtxRecord;
+    Dtls13RtxRecord* rtxRecord = NULL;
     word16 recordHeaderLength;
     byte isProtected;
     int ret;
@@ -819,20 +819,23 @@ static int Dtls13SendOneFragmentRtx(WOLFSSL* ssl,
     isProtected = Dtls13TypeIsEncrypted(handshakeType);
     recordHeaderLength = Dtls13GetRlHeaderLength(ssl, isProtected);
 
-    rtxRecord = Dtls13RtxNewRecord(ssl, message + recordHeaderLength,
-        (word16)(length - recordHeaderLength), handshakeType,
-        ssl->dtls13EncryptEpoch->nextSeqNumber);
-
-    if (rtxRecord == NULL)
-        return MEMORY_E;
+    if (handshakeType != hello_retry_request) {
+        rtxRecord = Dtls13RtxNewRecord(ssl, message + recordHeaderLength,
+            (word16)(length - recordHeaderLength), handshakeType,
+            ssl->dtls13EncryptEpoch->nextSeqNumber);
+        if (rtxRecord == NULL)
+            return MEMORY_E;
+    }
 
     ret = Dtls13SendFragment(ssl, message, outputSize, (word16)length,
         handshakeType, hashOutput, Dtls13SendNow(ssl, handshakeType));
 
-    if (ret == 0 || ret == WANT_WRITE)
-        Dtls13RtxAddRecord(&ssl->dtls13Rtx, rtxRecord);
-    else
-        Dtls13FreeRtxBufferRecord(ssl, rtxRecord);
+    if (rtxRecord != NULL) {
+        if (ret == 0 || ret == WANT_WRITE)
+            Dtls13RtxAddRecord(&ssl->dtls13Rtx, rtxRecord);
+        else
+            Dtls13FreeRtxBufferRecord(ssl, rtxRecord);
+    }
 
     return ret;
 }
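Review bot: The new `if (handshakeType != hello_retry_request)` guard in the second hunk has no comment saying why this one message is kept out of `ssl->dtls13Rtx`, so a later reader could take the skip for an oversight and restore the record. The reason is presumably that a HelloRetryRequest is answered statelessly and recovered by the client resending its ClientHello, so I would add above the guard `/* HRR is not retransmitted by the server: keep no rtx record, the client resends ClientHello */`, adjusted if the intent is different. The guard only takes effect if callers pass `hello_retry_request` rather than `server_hello` for this message, which is not visible here and is worth confirming with a test that `ssl->dtls13Rtx` stays empty after an HRR is sent. The function's opening line appears only in the hunk header.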