| author | Michael Tuexen <tuexen@fh-muenster.de> | 2018-12-26 12:44:53 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-02-01 12:03:43 +0000 |
| commit | 243ff51cc6757ab56cda4a7f69fbdcddf81141b6 (patch) | |
| tree | 71177c7b975c9945d27c25356eb4edc0b0be2a8d /include | |
| parent | 1b66fc87da7c3851d7229993219336afa587f325 (diff) | |
Fix end-point shared secret for DTLS/SCTP
When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.
Fixes #7956
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7957)
(cherry picked from commit 09d62b336d9e2a11b330d45d4f0f3f37cbb0d674)
Diffstat (limited to 'include')
-rw-r--r-- | include/openssl/ssl.h | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index d6b1b4e6a6..e68efa838b 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -494,6 +494,19 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); */ # define SSL_MODE_ASYNC 0x00000100U +/* + * When using DTLS/SCTP, include the terminating zero in the label + * used for computing the endpoint-pair shared secret. Required for + * interoperability with implementations having this bug like these + * older version of OpenSSL: + * - OpenSSL 1.0.0 series + * - OpenSSL 1.0.1 series + * - OpenSSL 1.0.2 series + * - OpenSSL 1.1.0 series + * - OpenSSL 1.1.1 and 1.1.1a + */ +# define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U + /* Cert related flags */ /* * Many implementations ignore some aspects of the TLS standards such as |
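Review bot: the comment block above the new `SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG` define should state plainly that setting this mode reproduces the incorrect label (terminating zero included) rather than the corrected one, so it is a compatibility workaround to be enabled only when the peer is known to run one of the listed unfixed releases, never as a default; as written, "Required for interoperability with implementations having this bug" reads as if it were generally required. Minor grammar in the same comment: "these older version of OpenSSL" should be "these older versions of OpenSSL". The commit message says the fix breaks interoperability with unfixed peers but does not mention this mode flag; since this hunk is the only place the escape hatch appears, a sentence in the message naming `SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG` as the way to keep talking to those peers would save users from reading ssl.h to find it.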