From baffb509e4ffa105af1955f5481fd1f05f3858c0 Mon Sep 17 00:00:00 2001
From: delphij <delphij@FreeBSD.org>
Date: Thu, 8 Aug 2013 22:29:35 +0000
Subject: MFV r254106 (OpenSSL bugfix for RT #2984):

Check DTLS_BAD_VER for version number.

The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

Requested by:	zi
Approved by:	benl
---
 crypto/openssl/ssl/s3_cbc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'crypto/openssl')

diff --git a/crypto/openssl/ssl/s3_cbc.c b/crypto/openssl/ssl/s3_cbc.c
index 02edf3f..443a31e 100644
--- a/crypto/openssl/ssl/s3_cbc.c
+++ b/crypto/openssl/ssl/s3_cbc.c
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
 	unsigned padding_length, good, to_check, i;
 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
 	/* Check if version requires explicit IV */
-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
 		{
 		/* These lengths are all public so we can test them in
 		 * non-constant time.
-- 
cgit v1.1