Whenever handshake messages are buffered because they arrived reordered and already belong to the next epoch, the MAC validation fails when the messages are finally processed because the sequence number is not restored and instead 0 is always used. This is fixed with setting the s->s3->read_sequence variable when retrieving buffered messages.
--- ssl/d1_pkt.c 6 Apr 2010 12:44:55 -0000 1.27.2.20
+++ ssl/d1_pkt.c 8 Apr 2010 10:43:29 -0000
@@ -196,6 +196,9 @@
s->packet_length = rdata->packet_length;
memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+
+ /* Set proper sequence number for mac calculation */
+ memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
return(1);
}
dtls-badmac-bug-0.9.8.patch
Description: Binary data
dtls-badmac-bug-1.0.0.patch
Description: Binary data
