Basic idea behind explicit IV is to make it unpredictable for attacker.
Until now it was xor between CBC residue and 1st block from last datagram, or in other words still predictable.
This commit is contained in:
Andy Polyakov
parent
89c333e3e5
commit
d527834a1d
1 changed files with 9 additions and 2 deletions
11
ssl/d1_pkt.c
11
ssl/d1_pkt.c
|
|
@ -120,6 +120,7 @@
|
|||
#include <openssl/evp.h>
|
||||
#include <openssl/buffer.h>
|
||||
#include <openssl/pqueue.h>
|
||||
#include <openssl/rand.h>
|
||||
|
||||
/* mod 128 saturating subtract of two 64-bit values in big-endian order */
|
||||
static int satsub64be(const unsigned char *v1,const unsigned char *v2)
|
||||
|
|
@ -1430,8 +1431,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
|
|||
|
||||
|
||||
/* ssl3_enc can only have an error on read */
|
||||
wr->length += bs; /* bs != 0 in case of CBC. The enc fn provides
|
||||
* the randomness */
|
||||
if (bs) /* bs != 0 in case of CBC */
|
||||
{
|
||||
RAND_pseudo_bytes(p,bs);
|
||||
/* master IV and last CBC residue stand for
|
||||
* the rest of randomness */
|
||||
wr->length += bs;
|
||||
}
|
||||
|
||||
s->method->ssl3_enc->enc(s,1);
|
||||
|
||||
/* record length after mac and block padding */
|
||||
|
|
|
|||
Loading…
Reference in a new issue