Hi,

... see below

Christiane
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Kurt Roeckx via RT
>Sent: Thursday, January 19, 2006 10:06 PM
>To: Kämpfe, Christiane
>Cc: openssl-dev@openssl.org
>Subject: [openssl.org #1204]: bad record mac because of wrong
>SSL_OP_TLS_BLOCK_PADDING_BUG handling
>
>
>Hi,
>
>It seems to me that tls1_enc() is setting
>SSL_OP_TLS_BLOCK_PADDING_BUG, while the other side does
>not have that bug.

this is my opinion too.

>
>The code looks like this:
>        /* First packet is even in size, so check */
>        if ((memcmp(s->s3->read_sequence,
>                "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
>                s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
>
>The 0.9.8 code seems to compress by default in case that
>zlib compression has been added, while 0.9.7 doesn't.

aaaha. I have only 0.9.8 - so I didn't know this detail.

>This seems to generate a (compressed) package of size 45
>in most cases, but 44 in some cases, depending on the
>message being sent.
>
>In case it's 45, ii is set to 2 and i to 3, like it
>should, but the flags get set to
>TLS1_FLAGS_TLS_PADDING_BUG, and i gets decreased to 2. So
>the length gets set to 46 instead of 45.

correct - I've got this effect.

>
>I can not find a good way to always make sure this
>workaround for that bug works properly, but I think we
>should assume there is no bug. So I propose the attached
>patch to fix it. This should have as effect that in most
>cases that the bug is present, it still sets the flag, but
>it won't in the case where the last byte just happens to be the
>same as the padding byte.
>
>This patch fixes it for me, so that two versions with
>0.9.8 with zlib compression support can talk to each
>other without errors.
>
>
>Kurt
>

... hmmm, where is the patch?
I didn't know how to verify the existence or not-existence of the BUG
inside the data ...
Any ideas about compatibility with "older" versions including the BUG?

Christiane
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
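
The misdetection discussed in this thread, as an added example: a simplified model with hypothetical names (`pad_state`, `strip_padding`, `demo`), not OpenSSL's code and not the patch mentioned in the mail. It runs a constructed 48-byte record from a correctly padding peer through the quoted first-record heuristic, with payload sizes chosen to match the 45/44 figures above.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of receive-side CBC padding removal (hypothetical names). */
struct pad_state {
    int workaround_enabled;   /* models SSL_OP_TLS_BLOCK_PADDING_BUG being set */
    int bug_flag;             /* models TLS1_FLAGS_TLS_PADDING_BUG */
};

/* Returns the record length after padding removal, or -1 on bad padding. */
int strip_padding(struct pad_state *st, const unsigned char *rec,
                  size_t len, int first_record)
{
    if (len == 0) return -1;
    int ii = rec[len - 1];    /* padding_length byte */
    int i = ii + 1;           /* padding bytes plus the length byte itself */
    if (st->workaround_enabled) {
        /* Heuristic quoted in the mail: first record, even padding_length. */
        if (first_record && !(ii & 1))
            st->bug_flag = 1;
        if (st->bug_flag)
            i--;              /* assume the peer sent one padding byte too few */
    }
    if ((size_t)i > len) return -1;
    for (size_t j = len - (size_t)i; j < len; j++)
        if (rec[j] != ii)
            return -1;
    return (int)(len - (size_t)i);
}

/* Constructed input: a 48-byte record, first on the connection, from a peer
 * that pads correctly (payload_len data bytes, the rest is padding). */
int demo(int workaround_enabled, size_t payload_len)
{
    unsigned char rec[48];
    struct pad_state st = { workaround_enabled, 0 };
    if (payload_len >= sizeof rec) return -1;
    memset(rec, 0xAA, payload_len);
    memset(rec + payload_len, (int)(sizeof rec - payload_len - 1),
           sizeof rec - payload_len);
    return strip_padding(&st, rec, sizeof rec, 1);
}

int main(void)
{
    printf("45-byte payload: %d with workaround, %d without\n", demo(1, 45), demo(0, 45));
    return 0;
}
```

With the workaround enabled the 45-byte case comes back as 46, one byte too long for the MAC check that follows, while the 44-byte case has an odd padding_length and is unaffected.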