<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi all,<br>
<br>
We are facing a weird problem that we started to notice recently, and
we could not really find the source of the issue. The issue
presented itself when we started using OpenSSL v1.0.1p (upgrading from
v1.0.1m) in TLS connections. We started noticing the following
error:<br>
<br>
error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
record mac<br>
<br>
This seems to be related to the SSL_AD_BAD_RECORD_MAC. Since this
error happens randomly and it is very difficult to reproduce, I
tried to see the changes in the tls1_enc() function (t1_enc.c) from
the ssl, which is used in the SSL_ENC_METHOD for enc/dec the
records. I noticed the following change:<br>
<blockquote><tt>/* openssl v1.0.1m/ssl/t1_enc.c */</tt><tt><br>
</tt><tt>pad = EVP_CIPHER_CTX_ctrl(ds,
EVP_CTRL_AEAD_TLS1_AAD, 13, buf);</tt><tt><br>
</tt><tt>if (send) {</tt><br>
</blockquote>
While in the updated version:<br>
<blockquote><tt>/* openssl v1.0.1p/ssl/t1_enc.c */</tt><tt><br>
</tt><tt>pad = EVP_CIPHER_CTX_ctrl(ds,
EVP_CTRL_AEAD_TLS1_AAD,</tt><tt><br>
</tt><tt>&nbsp;&nbsp;&nbsp;&nbsp;EVP_AEAD_TLS1_AAD_LEN,
buf);</tt><tt><br>
</tt><tt>if (pad &lt;= 0)</tt><tt><br>
</tt><tt>&nbsp;&nbsp;&nbsp;&nbsp;return -1;</tt><tt><br>
</tt><tt>if (send) {</tt><br>
</blockquote>
This change seems pretty interesting, as it might be related to the
errors we have started seeing after the upgrade. Now, my questions
are (given this might be the source of the error):<br>
<ul>
<li>Has anybody noticed the different behavior (the same code from
1.0.1p is in the current 1.0.2e - plus some additional checks
for DTLS)?</li>
<li>If the pad &lt;= 0 is detected (not checked before), what can
cause the error? Network errors should be detected at the TCP
level, so... it might be an application-level error? Corrupted
buffers? Shooting in the dark here...</li>
</ul>
<p>Any ideas on how to fix the issue and/or to understand whether this is
an OpenSSL issue or an application-layer issue would be
really appreciated. I am not sure how to proceed at this point...
help?<br>
</p>
<p>Thanks,<br>
Max<br>
<br>
</p>
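<p>Added example, not part of the original message and not OpenSSL code: a small decoder for the packed error code quoted above, showing that reason 1020 is SSL_AD_REASON_OFFSET (1000) plus TLS alert 20 (bad_record_mac), which is how OpenSSL reports an alert received from the peer. It assumes the OpenSSL 1.0.x ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason); the helper names parse_ssl_err and is_peer_alert are hypothetical, and the second sample line is constructed for contrast.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed field layout of a packed error code in OpenSSL 1.0.x (ERR_PACK):
 * 8 bits library, 12 bits function, 12 bits reason. */
#define ERR_LIB_SSL           20
#define SSL_AD_REASON_OFFSET  1000  /* reasons >= 1000 encode a received alert */

struct ssl_err { int lib, func, reason, alert; /* alert = -1 if none */ };

/* Parse "error:XXXXXXXX:..." as printed by ERR_error_string(); 0 on success. */
int parse_ssl_err(const char *line, struct ssl_err *out)
{
    char *end;
    unsigned long code;

    if (strncmp(line, "error:", 6) != 0)
        return -1;
    code = strtoul(line + 6, &end, 16);
    if (end == line + 6 || *end != ':')
        return -1;
    out->lib    = (int)((code >> 24) & 0xff);
    out->func   = (int)((code >> 12) & 0xfff);
    out->reason = (int)(code & 0xfff);
    out->alert  = -1;
    if (out->lib == ERR_LIB_SSL && out->reason >= SSL_AD_REASON_OFFSET)
        out->alert = out->reason - SSL_AD_REASON_OFFSET;
    return 0;
}

/* 1 if the error reports an alert sent by the peer, 0 if raised locally. */
int is_peer_alert(const struct ssl_err *e) { return e->alert >= 0; }

int main(void)
{
    /* Constructed sample lines: the first is the error from the post, the
     * second is the error the local record layer raises on a failed MAC. */
    const char *lines[] = {
        "error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac",
        "error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac",
    };
    for (size_t i = 0; i < 2; i++) {
        struct ssl_err e;
        if (parse_ssl_err(lines[i], &e) != 0)
            continue;
        printf("lib=%d func=%d reason=%d -> %s\n", e.lib, e.func, e.reason,
               is_peer_alert(&e) ? "alert received from peer" : "raised locally");
    }
    return 0;
}
```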
</body>
</html>