[openssl-dev] [openssl.org #3703] 1.0.2 regression with Cisco DTLS_BAD_VER
David Woodhouse via RT
rt at openssl.org
Wed Feb 18 11:35:58 UTC 2015
On Tue, 2015-02-17 at 22:48 +0100, David Woodhouse via RT wrote:
> Commit 9cf0f187 in HEAD, and 68039af3 in 1.0.2, removed a version check
> from dtls1_buffer_message() which was needed to distinguish between DTLS
> 1.x and Cisco's pre-standard version of DTLS.
Further testing shows that simply reverting the offending commit isn't
sufficient — as the commit comment hinted. We need to treat DTLS v1.2
the same as DTLS v1.0. So invert it to check explicitly for
DTLS1_BAD_VER instead. And in fact we might as well clean it up a little
to look like this:
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 7d48cc4..0216d14 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1072,6 +1072,7 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
pitem *item;
hm_fragment *frag;
unsigned char seq64be[8];
+ unsigned int expected_hdr_len;
/*
* this function is called immediately after a message has been
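Review bot: the new `expected_hdr_len` is declared without an initializer; that is only safe because every branch of the if / else if / else chain in the next hunk assigns it before the OPENSSL_assert reads it. Initializing it (e.g. `unsigned int expected_hdr_len = 0;`) would keep a future branch added without an assignment from turning the assertion into a comparison against an indeterminate value, at no cost.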
@@ -1085,13 +1086,15 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
memcpy(frag->fragment, s->init_buf->data, s->init_num);
- if (is_ccs) {
- OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
- DTLS1_CCS_HEADER_LENGTH == (unsigned int)s->init_num);
- } else {
- OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
- DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
- }
+ if (!is_ccs)
+ expected_hdr_len = DTLS1_HM_HEADER_LENGTH;
+ else if (s->version == DTLS1_BAD_VER)
+ expected_hdr_len = 3;
+ else
+ expected_hdr_len = DTLS1_CCS_HEADER_LENGTH;
+
+ OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
+ expected_hdr_len == (unsigned int)s->init_num);
frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;
frag->msg_header.seq = s->d1->w_msg_hdr.seq;
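Review bot: the literal `3` in the `s->version == DTLS1_BAD_VER` branch is the one non-obvious value in this hunk and has no explanation, while the other two branches use named constants (DTLS1_HM_HEADER_LENGTH, DTLS1_CCS_HEADER_LENGTH). A one-line comment saying what the three bytes of the pre-standard Cisco ChangeCipherSpec header are, or a named constant defined next to DTLS1_CCS_HEADER_LENGTH, would keep the next reader from having to rediscover why the CCS length differs for that version; the restructuring itself reads well, and checking DTLS1_BAD_VER explicitly (rather than excluding DTLS 1.0) is what lets DTLS 1.2 take the standard path as the message describes.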
--
dwmw2