use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with DTLS
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 0633c09..9e52ed4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -928,7 +928,7 @@
 	/* Don't digest cached records if TLS v1.2: we may need them for
 	 * client authentication.
 	 */
-	if (s->version < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
+	if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
 		goto f_err;
 	/* lets get the compression algorithm */
 	/* COMPRESSION */
@@ -1659,7 +1659,7 @@
 	/* if it was signed, check the signature */
 	if (pkey != NULL)
 		{
-		if (s->version >= TLS1_2_VERSION)
+		if (TLS1_get_version(s) >= TLS1_2_VERSION)
 			{
 			int sigalg = tls12_get_sigid(pkey);
 			/* Should never happen */
@@ -1704,7 +1704,7 @@
 			}
 
 #ifndef OPENSSL_NO_RSA
-		if (pkey->type == EVP_PKEY_RSA && s->version < TLS1_2_VERSION)
+		if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
 			{
 			int num;
 
@@ -1864,8 +1864,7 @@
 	for (i=0; i<ctype_num; i++)
 		s->s3->tmp.ctype[i]= p[i];
 	p+=ctype_num;
-	/* HACK! For now just skip over signatature algorithms */
-	if (s->version >= TLS1_2_VERSION)
+	if (TLS1_get_version(s) >= TLS1_2_VERSION)
 		{
 		n2s(p, llen);
 		/* Check we have enough room for signature algorithms and
@@ -2886,7 +2885,7 @@
 		EVP_PKEY_sign_init(pctx);
 		if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
 			{
-			if (s->version < TLS1_2_VERSION)
+			if (TLS1_get_version(s) < TLS1_2_VERSION)
 				s->method->ssl3_enc->cert_verify_mac(s,
 						NID_sha1,
 						&(data[MD5_DIGEST_LENGTH]));
@@ -2898,7 +2897,7 @@
 		/* For TLS v1.2 send signature algorithm and signature
 		 * using agreed digest and cached handshake records.
 		 */
-		if (s->version >= TLS1_2_VERSION)
+		if (TLS1_get_version(s) >= TLS1_2_VERSION)
 			{
 			long hdatalen = 0;
 			void *hdata;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index b147935..028e996 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3780,7 +3780,7 @@
 long ssl_get_algorithm2(SSL *s)
 	{
 	long alg2 = s->s3->tmp.new_cipher->algorithm2;
-	if (s->version >= TLS1_2_VERSION &&
+	if (TLS1_get_version(s) >= TLS1_2_VERSION &&
 	    alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
 		return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
 	return alg2;
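Review bot: ssl_get_algorithm2 has no comment explaining the version test, and after this change that test also decides the DTLS case. Because `TLS1_get_version(s)` evaluates to 0 when the major version is not `TLS1_VERSION_MAJOR`, a DTLS session now always returns `alg2` unchanged and never gets the SHA-256 handshake MAC/PRF substitution. A comment above the `if` would record that intent, e.g. `/* TLS 1.2+ only: replace the default handshake MAC/PRF with SHA-256; DTLS reports version 0 here and keeps alg2 */`. The function's closing brace is outside the hunk.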
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 9a2be88..74af5dc 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -611,7 +611,7 @@
 #endif
 				s->init_num = 0;
 				}
-			else if (s->version >= TLS1_2_VERSION)
+			else if (TLS1_get_version(s) >= TLS1_2_VERSION)
 				{
 				s->state=SSL3_ST_SR_CERT_VRFY_A;
 				s->init_num=0;
@@ -1380,7 +1380,7 @@
 		s->s3->tmp.new_cipher=s->session->cipher;
 		}
 
-	if (s->version < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
+	if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
 		{
 		if (!ssl3_digest_cached_records(s))
 			goto f_err;
@@ -1915,7 +1915,7 @@
 			 * and p points to the space at the end. */
 #ifndef OPENSSL_NO_RSA
 			if (pkey->type == EVP_PKEY_RSA
-					&& s->version < TLS1_2_VERSION)
+					&& TLS1_get_version(s) < TLS1_2_VERSION)
 				{
 				q=md_buf;
 				j=0;
@@ -1948,7 +1948,7 @@
 				{
 				/* For TLS1.2 and later send signature
 				 * algorithm */
-				if (s->version >= TLS1_2_VERSION)
+				if (TLS1_get_version(s) >= TLS1_2_VERSION)
 					{
 					if (!tls12_get_sigandhash(p, pkey, md))
 						{
@@ -1975,7 +1975,7 @@
 					}
 				s2n(i,p);
 				n+=i+2;
-				if (s->version >= TLS1_2_VERSION)
+				if (TLS1_get_version(s) >= TLS1_2_VERSION)
 					n+= 2;
 				}
 			else
@@ -2031,7 +2031,7 @@
 		p+=n;
 		n++;
 
-		if (s->version >= TLS1_2_VERSION)
+		if (TLS1_get_version(s) >= TLS1_2_VERSION)
 			{
 			nl = tls12_get_req_sig_algs(s, p + 2);
 			s2n(nl, p);
@@ -2964,7 +2964,7 @@
 		} 
 	else 
 		{	
-		if (s->version >= TLS1_2_VERSION)
+		if (TLS1_get_version(s) >= TLS1_2_VERSION)
 			{
 			int sigalg = tls12_get_sigid(pkey);
 			/* Should never happen */
@@ -3011,7 +3011,7 @@
 		goto f_err;
 		}
 
-	if (s->version >= TLS1_2_VERSION)
+	if (TLS1_get_version(s) >= TLS1_2_VERSION)
 		{
 		long hdatalen = 0;
 		void *hdata;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 77b5b5e..9f25c6c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2226,7 +2226,7 @@
 			SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
 			return 0;
 			}
-		if ((alg_k & SSL_kECDHe) && s->version < TLS1_2_VERSION)
+		if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
 			{
 			/* signature alg must be ECDSA */
 			if (signature_nid != NID_ecdsa_with_SHA1)
@@ -2235,7 +2235,7 @@
 				return 0;
 				}
 			}
-		if ((alg_k & SSL_kECDHr) && s->version < TLS1_2_VERSION)
+		if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
 			{
 			/* signature alg must be RSA */
 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 414e4c2..e673ec0 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -502,7 +502,7 @@
 		}
 		skip_ext:
 
-	if (s->version >= TLS1_2_VERSION)
+	if (TLS1_get_version(s) >= TLS1_2_VERSION)
 		{
 		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
 			return NULL; 
@@ -2100,7 +2100,7 @@
 	const EVP_MD *md;
 	CERT *c = s->cert;
 	/* Extension ignored for TLS versions below 1.2 */
-	if (s->version < TLS1_2_VERSION)
+	if (TLS1_get_version(s) < TLS1_2_VERSION)
 		return 1;
 	/* Should never happen */
 	if (!c)
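Review bot: The context comment `/* Extension ignored for TLS versions below 1.2 */` no longer describes the whole condition on the changed line. With the macro the early `return 1` is also taken for every DTLS session, since the macro yields 0 there. I would update the comment to `/* Extension ignored for TLS versions below 1.2 and for DTLS */` so a reader does not assume a DTLS peer's signature-algorithms data is processed. The enclosing function starts and ends outside the hunk.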
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 35efebe..f8d2fda 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -171,6 +171,9 @@
 #define TLS1_VERSION_MAJOR		0x03
 #define TLS1_VERSION_MINOR		0x01
 
+#define TLS1_get_version(s) \
+		((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
+
 #define TLS1_AD_DECRYPTION_FAILED	21
 #define TLS1_AD_RECORD_OVERFLOW		22
 #define TLS1_AD_UNKNOWN_CA		48	/* fatal */
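Review bot: The new `TLS1_get_version(s)` macro uses its argument unparenthesised and expands it twice, so a call such as `TLS1_get_version(&ssl)` would expand to `&ssl->version` and an argument with side effects would be evaluated twice. Every call site in this diff passes a plain `s`, so nothing breaks today, but the definition should be `(((s)->version >> 8) == TLS1_VERSION_MAJOR ? (s)->version : 0)`. The macro also needs a comment stating its contract: it returns 0 for any non-TLS major version, which makes every `< TLS1_2_VERSION` test true and every `>= TLS1_2_VERSION` test false for DTLS. That contract silently selects the pre-1.2 signature and digest paths, so a later DTLS version that should use TLS 1.2 semantics would presumably be misclassified unless the macro is revisited.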