From: Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Date: Wed, 9 Jul 2025 05:42:43 +0000 (+0200)
Subject: Revert changes to ssl_version_cmp() to avoid calling assert on non-sane inputs
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Ffeature%2Fdtls-1.3;p=thirdparty%2Fopenssl.git

Revert changes to ssl_version_cmp() to avoid calling assert on non-sane inputs

The function can be called with arbitrary inputs.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28000)
---

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index faf76dd23b7..8a9d8237834 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1822,7 +1822,12 @@ int ssl_version_cmp(const SSL_CONNECTION *s, int versiona, int versionb)
 {
     int dtls = SSL_CONNECTION_IS_DTLS(s);
 
-    return PROTOCOL_VERSION_CMP(dtls, versiona, versionb);
+    if (versiona == versionb)
+        return 0;
+    if (!dtls)
+        return versiona < versionb ? -1 : 1;
+    return DTLS_VERSION_LT(versiona, versionb) ? -1 : 1;
+
 }
 
 typedef struct {