> [EMAIL PROTECTED] - Tue Oct 07 10:57:04 2008]: > > This patch to the 0.9.8 branch fixes two bugs with misordered incoming > packets in DTLS, which are reported as RT #1752.
Could you comment on the 0.9.9-dev branch as well? The patch to d1_pkt.c applies fine. The "length" object is gone from the code so it should not be needed any longer. Best regards, Lutz > > Firstly, the bitmap we use for replay protection was ending up with zero > length, so a _single_ pair of packets getting switched around would > cause one of them to be 'dropped'. > > Secondly, it wasn't even _dropping_ the offending packets, in the > non-blocking case. It was just returning garbage instead. > > --- ssl/d1_lib.c~ 2008-10-02 06:43:47.000000000 +0100 > +++ ssl/d1_lib.c 2008-10-05 21:31:38.000000000 +0100 > @@ -106,6 +106,7 @@ int dtls1_new(SSL *s) > pq_64bit_init(&(d1->bitmap.map)); > pq_64bit_init(&(d1->bitmap.max_seq_num)); > > + d1->next_bitmap.length = d1->bitmap.length; > pq_64bit_init(&(d1->next_bitmap.map)); > pq_64bit_init(&(d1->next_bitmap.max_seq_num)); > > --- ssl/d1_pkt.c~ 2008-10-02 06:43:47.000000000 +0100 > +++ ssl/d1_pkt.c 2008-10-05 21:44:54.000000000 +0100 > @@ -597,6 +597,7 @@ again: > /* check whether this is a repeat, or aged record */ > if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) > { > + rr->length = 0; > s->packet_length=0; /* dump this record */ > goto again; /* get another record */ > } > > > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]