[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Fri Feb 27 22:56:02 UTC 2015


The branch OpenSSL_1_0_2-stable has been updated
       via  6e20f556465f082dd4fdbd096a488e37528ddebf (commit)
      from  87cd297d149495eca0735ec5653c19acaf69286e (commit)


- Log -----------------------------------------------------------------
commit 6e20f556465f082dd4fdbd096a488e37528ddebf
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Feb 27 16:52:07 2015 +0000

    Fix d2i_SSL_SESSION for DTLS1_BAD_VER
    
    Some Cisco appliances use a pre-standard version number for DTLS. We support
    this as DTLS1_BAD_VER within the code.
    
    This change fixes d2i_SSL_SESSION for that DTLS version.
    
    Based on an original patch by David Woodhouse <dwmw2 at infradead.org>
    
    RT#3704
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    
    Conflicts:
    	ssl/ssl_asn1.c

-----------------------------------------------------------------------

Summary of changes:
 ssl/dtls1.h    |    1 +
 ssl/ssl_asn1.c |    4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index 4af7e4a..30bbcf2 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -86,6 +86,7 @@ extern "C" {
 # define DTLS1_VERSION                   0xFEFF
 # define DTLS1_2_VERSION                 0xFEFD
 # define DTLS_MAX_VERSION                DTLS1_2_VERSION
+# define DTLS1_VERSION_MAJOR             0xFE
 
 # define DTLS1_BAD_VER                   0x0100
 
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index f8c265c..39d48ea 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -421,7 +421,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
         id = 0x02000000L |
             ((unsigned long)os.data[0] << 16L) |
             ((unsigned long)os.data[1] << 8L) | (unsigned long)os.data[2];
-    } else if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) {
+    } else if ((ssl_version >> 8) == SSL3_VERSION_MAJOR
+        || (ssl_version >> 8) == DTLS1_VERSION_MAJOR
+        || ssl_version == DTLS1_BAD_VER) {
         if (os.length != 2) {
             c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH;
             c.line = __LINE__;


More information about the openssl-commits mailing list