MFV r254106 (OpenSSL bugfix for RT #2984):

Check DTLS_BAD_VER for version number. The version check for DTLS1_VERSION was redundant as DTLS1_VERSION > TLS1_1_VERSION, however we do need to check for DTLS1_BAD_VER for compatibility. Requested by: zi Approved by: benl
svn path=/head/; revision=254107
2013-08-08 22:29:35 +00:00 · 2013-08-08 22:29:35 +00:00 · 14bf23ce31 · 2020-12-20 02:59:44 +00:00
commit 14bf23ce31
parent 5e82c321f8 ed4c5254dd
1 changed files with 1 additions and 1 deletions
--- a/crypto/openssl/ssl/s3_cbc.c
+++ b/crypto/openssl/ssl/s3_cbc.c
@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
 	unsigned padding_length, good, to_check, i;
 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
 	/* Check if version requires explicit IV */
-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
 		{
 		/* These lengths are all public so we can test them in
 		 * non-constant time.