On Thu, Sep 20, 2001 at 12:00:00AM +0000, Eric Rescorla wrote:
[...]
> After some investigation, the problem appears to be that
> you can't safely interlace SSL_write() with rehandshakes.
>
> Consider the following sequence of events:
>
> CLIENT                          SERVER
>
>                                 SSL_renegotiate();
>                                 SSL_do_handshake();
>                                   calls ssl_init_wbio_buffer()
>                                   sends HelloRequest
>
> SSL_read()
>   read the HelloRequest and
>   start the handshake,
>   sending the ClientHello
>
>                                 SSL_write()
>                                   this write gets buffered.
>                                 SSL_read();
>
> Now, when SSL_read() reads the ClientHello it eventually calls
> ssl3_accept() which calls ssl_init_wbio_buffer AGAIN. This causes
> the buffer to be zeroed with the result that the record from
> the SSL_write() gets lost. Then when the ServerHello is transmitted
> the client tries to decrypt it with the wrong CBC residue (or the
> wrong part of RC4 keystream) and the wrong sequence #. This causes
> MAC errors. This is a bug in OpenSSL.
>
> The quick and dirty fix seems to be to change ssl_init_wbio_buffer
> by adding a BIO_flush() (see below). There may be something cleaner,
> though. I don't immediately see how this fix can do any harm,
> but there may well be something unobvious that I'm missing.

I think the clean solution would be to have ssl3_accept() call
ssl_init_wbio_buffer() only if an actual handshake is beginning, not
when it is merely sending a HelloRequest.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
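
The failure described in this thread, replayed in a toy model (an added example, not OpenSSL code and not from either poster): a buffered record is discarded when the write buffer is re-initialised, so the next record arrives with a sequence number the peer does not expect and its MAC check fails. WBuf, Wire, toy_mac and replay are hypothetical names; toy_mac is a stand-in checksum, not a real MAC, and the model covers only the sequence-number mismatch, not the CBC residue or RC4 keystream position.

```c
#include <stdint.h>
#include <string.h>

typedef struct { uint8_t buf[64]; size_t len; } WBuf;   /* models the write-buffering BIO */
typedef struct { uint8_t data[64]; size_t len; } Wire;  /* bytes the peer actually receives */

/* Stand-in for the record MAC: like the real one, it covers the implicit
   per-direction sequence number, which is never sent on the wire. */
static uint8_t toy_mac(uint64_t seq, uint8_t type) {
    return (uint8_t)(0x5a ^ (seq * 31u) ^ type);
}

/* Sender side: queue a two-byte record [type, mac] and advance the write sequence. */
static void write_record(WBuf *w, uint64_t *wseq, uint8_t type) {
    w->buf[w->len++] = type;
    w->buf[w->len++] = toy_mac((*wseq)++, type);
}

static void flush_wbuf(WBuf *w, Wire *net) {
    memcpy(net->data + net->len, w->buf, w->len);
    net->len += w->len;
    w->len = 0;
}

/* Models re-initialising the write buffer. flush_first=1 models the
   BIO_flush() fix proposed in the quoted message. */
static void init_wbuf(WBuf *w, Wire *net, int flush_first) {
    if (flush_first) flush_wbuf(w, net);
    w->len = 0;                       /* anything still pending is discarded */
}

/* Receiver side: check each record against its own read sequence.
   Returns the index of the first record that fails, or -1 if all pass. */
static int verify_stream(const Wire *net) {
    uint64_t rseq = 0;
    for (size_t i = 0; i + 1 < net->len; i += 2)
        if (net->data[i + 1] != toy_mac(rseq++, net->data[i])) return (int)(i / 2);
    return -1;
}

/* Replays the server-side sequence from the quoted message. */
int replay(int flush_first) {
    WBuf w = {0}; Wire net = {0}; uint64_t wseq = 0;
    init_wbuf(&w, &net, flush_first);                   /* first init, on renegotiate */
    write_record(&w, &wseq, 22); flush_wbuf(&w, &net);  /* HelloRequest goes out */
    write_record(&w, &wseq, 23);                        /* SSL_write(): buffered only */
    init_wbuf(&w, &net, flush_first);                   /* second init, on ClientHello */
    write_record(&w, &wseq, 22); flush_wbuf(&w, &net);  /* ServerHello goes out */
    return verify_stream(&net);
}
```

replay(0) reports the record at index 1 (the ServerHello, sent with write sequence 2 but checked against read sequence 1) as the first failure; replay(1) delivers all three records in order and none fail.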