From: Matt Caswell Date: Tue, 25 Apr 2023 13:57:02 +0000 (+0100) Subject: Be more accurate about what we accept as a valid DTLS version X-Git-Tag: openssl-3.2.0-alpha1~913 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=861cd8964bfeb955408e93048d118e1826e12d0c;p=thirdparty%2Fopenssl.git Be more accurate about what we accept as a valid DTLS version We accepted more version numbers as valid DTLS then we really should do. Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/20830) --- diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 4b498cd76f8..c2fca8bb129 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -2049,8 +2049,10 @@ int ssl_set_version_bound(int method_version, int version, int *bound) valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL; valid_dtls = - DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) && - DTLS_VERSION_GE(version, DTLS1_BAD_VER); + /* We support client side pre-standardisation version of DTLS */ + (version == DTLS1_BAD_VER) + || (DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) + && DTLS_VERSION_GE(version, DTLS1_VERSION)); if (!valid_tls && !valid_dtls) return 0;
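Review bot: The new comment in the valid_dtls expression says the pre-standardisation version is supported "client side", but the added `(version == DTLS1_BAD_VER)` term carries no role check, and the signature shown in the hunk header, `ssl_set_version_bound(int method_version, int version, int *bound)`, gives this function no way to know whether it is configuring a client or a server. As written, DTLS1_BAD_VER is accepted as a bound for either role. If the client-only restriction is enforced elsewhere, the comment should say so; if it is not, that restriction needs a check of its own. Separately, the valid_dtls lower bound moves from DTLS1_BAD_VER to DTLS1_VERSION, so some values that used to pass now make the function return 0 at `if (!valid_tls && !valid_dtls)`. The visible patch touches only ssl/statem/statem_lib.c, so a test that sets a version bound to a value between the two old limits and expects failure, plus one that confirms DTLS1_BAD_VER is still accepted, would pin down the new behaviour.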