From af674d4e20a82c2a98767b837072d7093c70b1cf Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 27 Feb 2015 16:52:07 +0000
Subject: Fix d2i_SSL_SESSION for DTLS1_BAD_VER

Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.

This change fixes d2i_SSL_SESSION for that DTLS version.

Based on an original patch by David Woodhouse <dwmw2@infradead.org>

RT#3704

Reviewed-by: Tim Hudson <tjh@openssl.org>
---
 ssl/ssl_asn1.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'ssl/ssl_asn1.c')

diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 63fe17f16e..dd02b4171a 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -410,7 +410,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
     os.data = NULL;
     os.length = 0;
     M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING);
-    if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) {
+    if ((ssl_version >> 8) == SSL3_VERSION_MAJOR
+        || (ssl_version >> 8) == DTLS1_VERSION_MAJOR
+        || ssl_version == DTLS1_BAD_VER) {
         if (os.length != 2) {
             c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH;
             c.line = __LINE__;
-- 
cgit v1.2.3