DTLS/SCTP Finished Auth Bug

PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit 9fb523adce6fd6015b68da2ca8e4ac4900ac2be2)

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 40acbb756b321d7d18b1c817603ede293d8a8f17..5f25dfc3401873b5056824b9277bd1e0f9899a89 100644 (file)
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -556,13 +556,6 @@ int dtls1_connect(SSL *s)
                                SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
                        if (ret <= 0) goto end;
 
                                SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
                        if (ret <= 0) goto end;
 

-#ifndef OPENSSL_NO_SCTP
-                       /* Change to new shared key of SCTP-Auth,
-                        * will be ignored if no SCTP used.
-                        */
-                       BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
-#endif
-

                        s->state=SSL3_ST_CW_FINISHED_A;
                        s->init_num=0;
 
                        s->state=SSL3_ST_CW_FINISHED_A;
                        s->init_num=0;
 


@@ -589,6 +582,16 @@ int dtls1_connect(SSL *s)
                                goto end;
                                }
                        
                                goto end;
                                }
                        

+#ifndef OPENSSL_NO_SCTP
+                               if (s->hit)
+                                       {
+                                       /* Change to new shared key of SCTP-Auth,
+                                        * will be ignored if no SCTP used.
+                                        */
+                                       BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+                                       }
+#endif
+

                        dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
                        break;
 
                        dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
                        break;
 


@@ -631,6 +634,13 @@ int dtls1_connect(SSL *s)
                                }
                        else
                                {
                                }
                        else
                                {

+#ifndef OPENSSL_NO_SCTP
+                               /* Change to new shared key of SCTP-Auth,
+                                * will be ignored if no SCTP used.
+                                */
+                               BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+#endif
+

 #ifndef OPENSSL_NO_TLSEXT
                                /* Allow NewSessionTicket if ticket expected */
                                if (s->tlsext_ticket_expected)
 #ifndef OPENSSL_NO_TLSEXT
                                /* Allow NewSessionTicket if ticket expected */
                                if (s->tlsext_ticket_expected)

diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index d3afec993db3a7a59eff53556682c1c4d962b943..c69d44b839f59bc96279dfb09fc0cea71114038e 100644 (file)
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -758,10 +758,13 @@ int dtls1_accept(SSL *s)
                        if (ret <= 0) goto end;
 
 #ifndef OPENSSL_NO_SCTP
                        if (ret <= 0) goto end;
 
 #ifndef OPENSSL_NO_SCTP

-                       /* Change to new shared key of SCTP-Auth,
-                        * will be ignored if no SCTP used.
-                        */
-                       BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+                       if (!s->hit)
+                               {
+                               /* Change to new shared key of SCTP-Auth,
+                                * will be ignored if no SCTP used.
+                                */
+                               BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+                               }

 #endif
 
                        s->state=SSL3_ST_SW_FINISHED_A;
 #endif
 
                        s->state=SSL3_ST_SW_FINISHED_A;


@@ -786,7 +789,16 @@ int dtls1_accept(SSL *s)
                        if (ret <= 0) goto end;
                        s->state=SSL3_ST_SW_FLUSH;
                        if (s->hit)
                        if (ret <= 0) goto end;
                        s->state=SSL3_ST_SW_FLUSH;
                        if (s->hit)

+                               {

                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;

+
+#ifndef OPENSSL_NO_SCTP
+                               /* Change to new shared key of SCTP-Auth,
+                                * will be ignored if no SCTP used.
+                                */
+                               BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+#endif
+                               }

                        else
                                {
                                s->s3->tmp.next_state=SSL_ST_OK;
                        else
                                {
                                s->s3->tmp.next_state=SSL_ST_OK;