From 26fb658206b2082b9cdaf0957d362f8b6d7a57b2 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Wed, 10 Mar 2021 18:34:09 +0100
Subject: [PATCH] SCR cookie exchange shouldn't change seq and epoch numbers

---
 src/internal.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index eb3178617..b817f92a5 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -29759,10 +29759,16 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
         output = ssl->buffers.outputBuffer.buffer +
                  ssl->buffers.outputBuffer.length;
 
-        /* Hello Verify Request should use the same sequence number as the
-         * Client Hello. */
-        ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi;
-        ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo;
+        /* Hello Verify Request should use the same sequence number
+         * as the Client Hello unless we are in renegotiation then
+         * don't change numbers */
+#ifdef HAVE_SECURE_RENEGOTIATION
+        if (!IsSCR(ssl))
+#endif
+        {
+            ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi;
+            ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo;
+        }
         AddHeaders(output, length, hello_verify_request, ssl);
 
 #ifdef OPENSSL_EXTRA