Fix another dtls regression

fwh-dc · Jan 3, 2024 · 93a6d88 · 93a6d88
1 parent 8c78c9a
commit 93a6d88
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
@@ -1323,10 +1323,10 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
         return CON_FUNC_ERROR;
     }
 #ifndef OPENSSL_NO_COMP
+    int maxversion = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION;
     if (ssl_allow_compression(s)
             && sctx->comp_methods
-            && ((SSL_CONNECTION_IS_DTLS(s) && DTLS_VERSION_LT(s->s3.tmp.max_ver, DTLS1_3_VERSION))
-                || (!SSL_CONNECTION_IS_DTLS(s) && s->s3.tmp.max_ver < TLS1_3_VERSION))) {
+            && ssl_version_cmp(s, s->s3.tmp.max_ver, maxversion) < 0) {
         int compnum = sk_SSL_COMP_num(sctx->comp_methods);
         for (i = 0; i < compnum; i++) {
             comp = sk_SSL_COMP_value(sctx->comp_methods, i);

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
@@ -1980,9 +1980,8 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
     }
 
     if (!s->hit
-            && s->version >= TLS1_VERSION
-            && !SSL_CONNECTION_IS_TLS13(s)
-            && !SSL_CONNECTION_IS_DTLS(s)
+            && ssl_version_cmp(s, s->version, SSL_CONNECTION_IS_DTLS(s) ? DTLS1_VERSION : TLS1_VERSION) >= 0
+            && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
             && s->ext.session_secret_cb != NULL) {
         const SSL_CIPHER *pref_cipher = NULL;
         /*