Don't reject TLS packets with zero plaintext bytes

OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead. Bug introduced with the const time changes in 1.11.23
author: Jack Lloyd <[email protected]> 2016-04-15 02:09:45 -0400
committer: Jack Lloyd <[email protected]> 2016-04-15 02:09:45 -0400
commit: 6315841fca399cf9bdc62b324fdfe0e23b9afbe9 (patch)
tree: 30aada06ff2169efe442c39ccd48e644dcfb2364 /doc/news.rst
parent: 0b06b4f61b497c7ad9869441f12ee287b65cde36 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 7a5b3b115..b1a04302a 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -4,6 +4,11 @@ Release Notes
 Version 1.11.30, Not Yet Released
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+* In 1.11.23 a bug was introduced such that CBC-encrypted TLS packets
+  containing no plaintext bytes at all were incorrectly rejected with
+  a MAC failure. Records like this are used by OpenSSL in TLS 1.0
+  connections in order to randomize the IV.
+
 * Add IETF versions of the ChaCha20Poly1305 TLS ciphersuites from
   draft-ietf-tls-chacha20-poly1305-04. The previously implemented
   (non-standard) ChaCha20Poly1305 ciphersuites from
author	Jack Lloyd <[email protected]>	2016-04-15 02:09:45 -0400
committer	Jack Lloyd <[email protected]>	2016-04-15 02:09:45 -0400
commit	6315841fca399cf9bdc62b324fdfe0e23b9afbe9 (patch)
tree	30aada06ff2169efe442c39ccd48e644dcfb2364 /doc/news.rst
parent	0b06b4f61b497c7ad9869441f12ee287b65cde36 (diff)