[openssl-dev] [openssl.org #3703] 1.0.2 regression with Cisco DTLS_BAD_VER

David Woodhouse via RT rt at openssl.org
Wed Feb 18 11:35:58 UTC 2015


On Tue, 2015-02-17 at 22:48 +0100, David Woodhouse via RT wrote:
> Commit 9cf0f187 in HEAD, and 68039af3 in 1.0.2, removed a version check
> from dtls1_buffer_message() which was needed to distinguish between DTLS
> 1.x and Cisco's pre-standard version of DTLS.

Further testing shows that simply reverting the offending commit isn't
sufficient — as the commit comment hinted. We need to treat DTLS v1.2
the same as DTLS v1.0. So invert it to check explicitly for
DTLS1_BAD_VER instead. And in fact we might as well clean it up a little
to look like this:

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 7d48cc4..0216d14 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1072,6 +1072,7 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
     pitem *item;
     hm_fragment *frag;
     unsigned char seq64be[8];
+    unsigned int expected_hdr_len;
 
     /*
      * this function is called immediately after a message has been
@@ -1085,13 +1086,15 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
 
     memcpy(frag->fragment, s->init_buf->data, s->init_num);
 
-    if (is_ccs) {
-        OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
-                       DTLS1_CCS_HEADER_LENGTH == (unsigned int)s->init_num);
-    } else {
-        OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
-                       DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
-    }
+    if (!is_ccs)
+        expected_hdr_len = DTLS1_HM_HEADER_LENGTH;
+    else if (s->version == DTLS1_BAD_VER)
+        expected_hdr_len = 3;
+    else
+        expected_hdr_len = DTLS1_CCS_HEADER_LENGTH;
+
+    OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
+                   expected_hdr_len == (unsigned int)s->init_num);
 
     frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;
     frag->msg_header.seq = s->d1->w_msg_hdr.seq;
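
Review bot: The literal 3 assigned in the "else if (s->version == DTLS1_BAD_VER)" branch is an unexplained magic number sitting between two named constants. Give it a named constant alongside DTLS1_CCS_HEADER_LENGTH, or at least a one-line comment stating that this is the CCS header length for Cisco's pre-standard DTLS, so that a later cleanup does not remove the special case again, as happened with the version check this patch restores. Because the result feeds straight into OPENSSL_assert, a wrong expected length here aborts the process instead of failing the handshake, which is a further reason to document the value in the code.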


-- 
dwmw2
