Since commit a693ead6 in HEAD, 820988a0 in 1.0.2, 014265eb in 1.0.1 and f852b6079 in 1.0.0, DTLS_BAD_VER (needed for Cisco AnyConnect compatibility) has been broken.
The check 's->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION' is redundant anyway since DTLS1_VERSION (0xfeff) is greater than TLS1_1_VERSION (0x302). We *do*, however, need to include DTLS1_BAD_VER (0x100) in the set of versions which have an explicit IV. A patch for 1.0.[12] and HEAD, and a separate patch for 1.0.0, are attached. -- dwmw2
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 5b3f371..61413b8 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
unsigned padding_length, good, to_check, i;
const unsigned overhead = 1 /* padding length byte */ + mac_size;
/* Check if version requires explicit IV */
- if (s->version == DTLS1_VERSION)
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
{
/* These lengths are all public so we can test them in
* non-constant time.
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 2e93657..1db1d8c 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -146,7 +146,7 @@ int tls1_cbc_remove_padding(const SSL* s,
unsigned padding_length, good, to_check, i;
const unsigned overhead = 1 /* padding length byte */ + mac_size;
/* Check if version requires explicit IV */
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
{
/* These lengths are all public so we can test them in
* non-constant time.
smime.p7s
Description: S/MIME cryptographic signature
