1 files changed, 13 insertions, 15 deletions
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 3a167f058c..b8be8b5255 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -178,7 +178,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
        /* For DTLS/UDP reads should not span multiple packets
         * because the read operation returns the whole packet
         * at once (as long as it fits into the buffer). */
-        if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) {
+        if (SSL_IS_DTLS(s)) {
                if (left > 0 && n > left)
                        n = left;
        }
@@ -238,18 +238,17 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
                if (i <= 0) {
                        rb->left = left;
                        if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
-                            SSL_version(s) != DTLS1_VERSION &&
+                            !SSL_IS_DTLS(s)) {
-                            SSL_version(s) != DTLS1_BAD_VER)
                                if (len + left == 0)
                                        ssl3_release_read_buffer(s);
+                        }
                        return (i);
                }
                left += i;
                /* reads should *never* span multiple packets for DTLS because
                 * the underlying transport protocol is message oriented as opposed
                 * to byte oriented as in the TLS case. */
-                if (SSL_version(s) == DTLS1_VERSION ||
+                if (SSL_IS_DTLS(s)) {
-                    SSL_version(s) == DTLS1_BAD_VER) {
                        if (n > left)
                                n = left; /* makes the while condition false */
                }
@@ -722,10 +721,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        /* field where we are to write out packet length */
        plen = p;
        p += 2;
-        /* Explicit IV length, block ciphers and TLS version 1.1 or later */
-        if (s->enc_write_ctx && s->version >= TLS1_1_VERSION) {
+        /* Explicit IV length. */
+        if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) {
                int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
                if (mode == EVP_CIPH_CBC_MODE) {
                        eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
@@ -844,18 +843,17 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
                        wb->left = 0;
                        wb->offset += i;
                        if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
-                            SSL_version(s) != DTLS1_VERSION &&
+                            !SSL_IS_DTLS(s))
-                            SSL_version(s) != DTLS1_BAD_VER)
                                ssl3_release_write_buffer(s);
                        s->rwstate = SSL_NOTHING;
                        return (s->s3->wpend_ret);
                } else if (i <= 0) {
-                        if (s->version == DTLS1_VERSION ||
+                        /*
-                            s->version == DTLS1_BAD_VER) {
+                         * For DTLS, just drop it. That's kind of the
-                                /* For DTLS, just drop it. That's kind of the whole
+                         * whole point in using a datagram service.
-                                   point in using a datagram service */
+                         */
+                        if (SSL_IS_DTLS(s))
                                wb->left = 0;
-                        }
                        return (i);
                }
                wb->offset += i;

diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 3a167f058c..b8be8b5255 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c
@@ -178,7 +178,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
178	/* For DTLS/UDP reads should not span multiple packets	178	/* For DTLS/UDP reads should not span multiple packets
179	* because the read operation returns the whole packet	179	* because the read operation returns the whole packet
180	* at once (as long as it fits into the buffer). */	180	* at once (as long as it fits into the buffer). */
181	if (SSL_version(s) == DTLS1_VERSION \|\| SSL_version(s) == DTLS1_BAD_VER) {	181	if (SSL_IS_DTLS(s)) {
182	if (left > 0 && n > left)	182	if (left > 0 && n > left)
183	n = left;	183	n = left;
184	}	184	}
@@ -238,18 +238,17 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
238	if (i <= 0) {	238	if (i <= 0) {
239	rb->left = left;	239	rb->left = left;
240	if (s->mode & SSL_MODE_RELEASE_BUFFERS &&	240	if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
241	SSL_version(s) != DTLS1_VERSION &&	241	!SSL_IS_DTLS(s)) {
242	SSL_version(s) != DTLS1_BAD_VER)
243	if (len + left == 0)	242	if (len + left == 0)
244	ssl3_release_read_buffer(s);	243	ssl3_release_read_buffer(s);
		244	}
245	return (i);	245	return (i);
246	}	246	}
247	left += i;	247	left += i;
248	/* reads should never span multiple packets for DTLS because	248	/* reads should never span multiple packets for DTLS because
249	* the underlying transport protocol is message oriented as opposed	249	* the underlying transport protocol is message oriented as opposed
250	* to byte oriented as in the TLS case. */	250	* to byte oriented as in the TLS case. */
251	if (SSL_version(s) == DTLS1_VERSION \|\|	251	if (SSL_IS_DTLS(s)) {
252	SSL_version(s) == DTLS1_BAD_VER) {
253	if (n > left)	252	if (n > left)
254	n = left; /* makes the while condition false */	253	n = left; /* makes the while condition false */
255	}	254	}
@@ -722,10 +721,10 @@ do_ssl3_write(SSL s, int type, const unsigned char buf,
722		721
723	/* field where we are to write out packet length */	722	/* field where we are to write out packet length */
724	plen = p;	723	plen = p;
725
726	p += 2;	724	p += 2;
727	/* Explicit IV length, block ciphers and TLS version 1.1 or later */	725
728	if (s->enc_write_ctx && s->version >= TLS1_1_VERSION) {	726	/* Explicit IV length. */
		727	if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) {
729	int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);	728	int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
730	if (mode == EVP_CIPH_CBC_MODE) {	729	if (mode == EVP_CIPH_CBC_MODE) {
731	eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);	730	eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
@@ -844,18 +843,17 @@ ssl3_write_pending(SSL s, int type, const unsigned char buf,
844	wb->left = 0;	843	wb->left = 0;
845	wb->offset += i;	844	wb->offset += i;
846	if (s->mode & SSL_MODE_RELEASE_BUFFERS &&	845	if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
847	SSL_version(s) != DTLS1_VERSION &&	846	!SSL_IS_DTLS(s))
848	SSL_version(s) != DTLS1_BAD_VER)
849	ssl3_release_write_buffer(s);	847	ssl3_release_write_buffer(s);
850	s->rwstate = SSL_NOTHING;	848	s->rwstate = SSL_NOTHING;
851	return (s->s3->wpend_ret);	849	return (s->s3->wpend_ret);
852	} else if (i <= 0) {	850	} else if (i <= 0) {
853	if (s->version == DTLS1_VERSION \|\|	851	/*
854	s->version == DTLS1_BAD_VER) {	852	* For DTLS, just drop it. That's kind of the
855	/* For DTLS, just drop it. That's kind of the whole	853	* whole point in using a datagram service.
856	point in using a datagram service */	854	*/
		855	if (SSL_IS_DTLS(s))
857	wb->left = 0;	856	wb->left = 0;
858	}
859	return (i);	857	return (i);
860	}	858	}
861	wb->offset += i;	859	wb->offset += i;