OpenSSL 1.0.1[de] DTLS compatibility

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2013-02-11 at 22:51 +0000, David Woodhouse wrote:
> It looks like OpenSSL 1.0.0d and 1.0.0e have broken compatibility with
> Cisco's pre-standardisation version of DTLS.

Oops, that should read 1.0.1d and 1.0.1e. I fixed the subject line but
not the body.

OpenSSL 1.0.0k has the same problem; this is the fix for that:

diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 5b3f371..61413b8 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
 	unsigned padding_length, good, to_check, i;
 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
 	/* Check if version requires explicit IV */
-	if (s->version == DTLS1_VERSION)
+	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
 		{
 		/* These lengths are all public so we can test them in
 		 * non-constant time.


-- 
dwmw2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6171 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20130211/27f1c5a7/attachment.bin>


[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux