Update DTLS code to match CBC decoding in TLS.

[openssl.git] / ssl / s3_pkt.c

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 5bd0cd462ce83d1afcea799e8e5254cd6b71b232..4730c6b89474c2868d68d54c328ec5bf3feb0d89 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -290,7 +290,6 @@ static int ssl3_get_record(SSL *s)
        unsigned char md[EVP_MAX_MD_SIZE];
        short version;
        unsigned mac_size;
-       int clear=0;
        size_t extra;
 
        rr= &(s->s3->rrec);
@@ -407,8 +406,9 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
         *    -1: if the padding is invalid */
        if (enc_err == 0)
                {
-               /* SSLerr() and ssl3_send_alert() have been called */
-               goto err;
+               al=SSL_AD_DECRYPTION_FAILED;
+               SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+               goto f_err;
                }
 
 #ifdef TLS_DEBUG
@@ -418,14 +418,11 @@ printf("\n");
 #endif
 
        /* r->length is now the compressed data plus mac */
-       if (    (sess == NULL) ||
-               (s->enc_read_ctx == NULL) ||
-               (EVP_MD_CTX_md(s->read_hash) == NULL))
-               clear=1;
-
-       if (!clear)
+       if ((sess != NULL) &&
+           (s->enc_read_ctx != NULL) &&
+           (EVP_MD_CTX_md(s->read_hash) != NULL))
                {
-               /* !clear => s->read_hash != NULL => mac_size != -1 */
+               /* s->read_hash != NULL => mac_size != -1 */
                unsigned char *mac = NULL;
                unsigned char mac_tmp[EVP_MAX_MD_SIZE];
                mac_size=EVP_MD_CTX_size(s->read_hash);