From: Andy Polyakov <appro@openssl.org>
Date: Sun, 30 Sep 2007 22:01:36 +0000 (+0000)
Subject: Basic idea behind explicit IV is to make it unpredictable for attacker.
X-Git-Tag: OpenSSL_0_9_8k^2~662
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=d527834a1d2b268725652d8463f86e957274ab33;ds=sidebyside

Basic idea behind explicit IV is to make it unpredictable for attacker.
Until now it was xor between CBC residue and 1st block from last datagram,
or in other words still predictable.
---

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 4523484011..b9bbbd4826 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -120,6 +120,7 @@
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
+#include <openssl/rand.h>
 
 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
 static int satsub64be(const unsigned char *v1,const unsigned char *v2)
@@ -1430,8 +1431,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
 
 	/* ssl3_enc can only have an error on read */
-	wr->length += bs;  /* bs != 0 in case of CBC.  The enc fn provides
-						* the randomness */ 
+	if (bs)	/* bs != 0 in case of CBC */
+		{
+		RAND_pseudo_bytes(p,bs);
+		/* master IV and last CBC residue stand for
+		 * the rest of randomness */
+		wr->length += bs;
+		}
+
 	s->method->ssl3_enc->enc(s,1);
 
 	/* record length after mac and block padding */