author | Matt Caswell <matt@openssl.org> | 2015-03-02 14:34:19 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-03-09 10:51:57 +0000 |
commit | 5178a16c4375471d25e1f5ef5de46febb62a5529 (patch) | |
tree | 3b32ce6c4f166e3ae81510134fe1456947f0537b /ssl | |
parent | a8ae0891d4bfd18f224777aed1fbb172504421f1 (diff) |
Fix DTLS1_BAD_VER regression
Commit 9cf0f187 in HEAD, and 68039af3 in 1.0.2, removed a version check
from dtls1_buffer_message() which was needed to distinguish between DTLS
1.x and Cisco's pre-standard version of DTLS (DTLS1_BAD_VER).
Based on an original patch by David Woodhouse <dwmw2@infradead.org>
RT#3703
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/d1_both.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 7d48cc4df3..a7d0a82085 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1086,8 +1086,10 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
 memcpy(frag->fragment, s->init_buf->data, s->init_num);
 if (is_ccs) {
+ /* For DTLS1_BAD_VER the header length is non-standard */
 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
- DTLS1_CCS_HEADER_LENGTH == (unsigned int)s->init_num);
+ ((s->version==DTLS1_BAD_VER)?3:DTLS1_CCS_HEADER_LENGTH)
+ == (unsigned int)s->init_num);
 } else {
 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
 DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num); |
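Review bot: The bare literal `3` in the new ternary encodes the pre-standard DTLS1_BAD_VER ChangeCipherSpec header length, but nothing in the hunk names it, so the next reader has to rediscover where that number comes from; the added comment explains that the length is non-standard, not why it is 3. I would either hoist it into a named constant next to DTLS1_CCS_HEADER_LENGTH (constructed name, e.g. `DTLS1_BAD_VER_CCS_HEADER_LENGTH`) or extend the comment to state it, e.g. `/* DTLS1_BAD_VER (Cisco pre-standard DTLS) uses a 3-byte CCS header, not DTLS1_CCS_HEADER_LENGTH */`. The ternary is also written without the spacing the surrounding assert uses (`s->version==DTLS1_BAD_VER` vs. `msg_len +`), and `(s->version == DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH` would match the file's style. Note that this is the only place in the hunk that distinguishes the two versions; if the same length is computed elsewhere in dtls1_buffer_message or its callers, a shared constant keeps them from drifting apart again. The body of dtls1_buffer_message starts and ends outside the hunk.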