OpenSSL 1.0.1[de] DTLS compatibility
David Woodhouse
dwmw2 at infradead.org
Mon Feb 11 18:08:26 EST 2013
On Mon, 2013-02-11 at 22:51 +0000, David Woodhouse wrote:
> It looks like OpenSSL 1.0.0d and 1.0.0e have broken compatibility with
> Cisco's pre-standardisation version of DTLS.
Oops, that should read 1.0.1d and 1.0.1e. I fixed the subject line but
not the body.
OpenSSL 1.0.0k has the same problem; this is the fix for that:
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 5b3f371..61413b8 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
unsigned padding_length, good, to_check, i;
const unsigned overhead = 1 /* padding length byte */ + mac_size;
/* Check if version requires explicit IV */
- if (s->version == DTLS1_VERSION)
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
{
/* These lengths are all public so we can test them in
* non-constant time.
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6171 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20130211/27f1c5a7/attachment.bin>
More information about the openconnect-devel
mailing list