From: David Woodhouse <dwmw2@infradead.org>
Date: Tue, 12 Feb 2013 14:55:32 +0000 (+0000)
Subject: Check DTLS_BAD_VER for version number.
X-Git-Tag: OpenSSL_1_0_2-beta1~415
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a3a1af1da8c38361f73476e5b8e4f962cde0139;p=thirdparty%2Fopenssl.git

Check DTLS_BAD_VER for version number.

The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
---

diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 02edf3f9189..443a31e7462 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
 	unsigned padding_length, good, to_check, i;
 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
 	/* Check if version requires explicit IV */
-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
 		{
 		/* These lengths are all public so we can test them in
 		 * non-constant time.