From af674d4e20a82c2a98767b837072d7093c70b1cf Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 27 Feb 2015 16:52:07 +0000 Subject: [PATCH] Fix d2i_SSL_SESSION for DTLS1_BAD_VER Some Cisco appliances use a pre-standard version number for DTLS. We support this as DTLS1_BAD_VER within the code. This change fixes d2i_SSL_SESSION for that DTLS version. Based on an original patch by David Woodhouse RT#3704 Reviewed-by: Tim Hudson --- ssl/dtls1.h | 1 + ssl/ssl_asn1.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ssl/dtls1.h b/ssl/dtls1.h index ff406d8ba6..542ae04627 100644 --- a/ssl/dtls1.h +++ b/ssl/dtls1.h @@ -86,6 +86,7 @@ extern "C" { # define DTLS1_VERSION 0xFEFF # define DTLS1_2_VERSION 0xFEFD # define DTLS_MAX_VERSION DTLS1_2_VERSION +# define DTLS1_VERSION_MAJOR 0xFE # define DTLS1_BAD_VER 0x0100 diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 63fe17f16e..dd02b4171a 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -410,7 +410,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, os.data = NULL; os.length = 0; M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING); - if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) { + if ((ssl_version >> 8) == SSL3_VERSION_MAJOR + || (ssl_version >> 8) == DTLS1_VERSION_MAJOR + || ssl_version == DTLS1_BAD_VER) { if (os.length != 2) { c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH; c.line = __LINE__; -- 2.25.1