granicus.if.org Git - openssl/commit

author	Robin Seggelmann <seggelmann@fh-muenster.de>
	Wed, 9 May 2012 17:28:41 +0000 (19:28 +0200)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 30 Oct 2013 14:37:22 +0000 (14:37 +0000)
commit	9fb523adce6fd6015b68da2ca8e4ac4900ac2be2
tree	4acd4fdf67d5f4419ba5736abc1447ab02fe6ad8	tree \| snapshot
parent	cecf4d98d0ea0d2316e8fa815bd7fd62b8e680ca	commit \| diff

DTLS/SCTP Finished Auth Bug

PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key. Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.

ssl/d1_clnt.c		diff \| blob \| history
ssl/d1_srvr.c		diff \| blob \| history