From 8558c49351784e14ace856a1b993b68ff38e2a29 Mon Sep 17 00:00:00 2001
From: cameronrich
Date: Thu, 28 Apr 2011 13:00:20 +0000
Subject: [PATCH] Fixed variable length macs used by gnutls.
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@205 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
---
 ssl/test/ssltest.c | 4 ++--
 ssl/tls1.c | 2 +-
 ssl/tls1_svr.c | 3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/ssl/test/ssltest.c b/ssl/test/ssltest.c
index 9e86004d2..9ecd2275b 100644
--- a/ssl/test/ssltest.c
+++ b/ssl/test/ssltest.c
@@ -798,13 +798,13 @@ static void do_client(client_t *clnt)
 /* show the session ids in the reconnect test */
 if (strcmp(clnt->testname, "Session Reuse") == 0)
 {
- sprintf(openssl_buf, "echo \"hello client\" | openssl s_client "
+ sprintf(openssl_buf, "echo \"hello client\" | openssl s_client -tls1 "
 "-connect localhost:%d %s 2>&1 | grep \"Session-ID:\"",
 g_port, clnt->openssl_option);
 }
 else
 {
- sprintf(openssl_buf, "echo \"hello client\" | openssl s_client "
+ sprintf(openssl_buf, "echo \"hello client\" | openssl s_client -tls1 "
 #ifdef WIN32
 "-connect localhost:%d -quiet %s",
 #else
diff --git a/ssl/tls1.c b/ssl/tls1.c
index ded4c0284..21a01733b 100755
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@@ -698,7 +698,7 @@ static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len)
 hmac_offset = read_len-last_blk_size-ssl->cipher_info->digest_size-1;
 /* guard against a timing attack - make sure we do the digest */
- if (hmac_offset < 0 || last_blk_size > ssl->cipher_info->padding_size)
+ if (hmac_offset < 0)
 {
 hmac_offset = 0;
 }
diff --git a/ssl/tls1_svr.c b/ssl/tls1_svr.c
index 53a37b924..de6f4898a 100644
--- a/ssl/tls1_svr.c
+++ b/ssl/tls1_svr.c
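Review bot: In the ssl/test/ssltest.c hunk, both `openssl s_client` command lines in do_client() gain `-tls1` with no comment saying why, and the commit subject (variable-length MACs) does not explain it either. A one-line comment above the first sprintf would do, e.g. `/* -tls1: pin the openssl client to TLS 1.0 for these interop runs */`. With every invocation pinned, these tests presumably never offer a higher client version, so the `version > SSL_PROTOCOL_VERSION` clamp touched in ssl/tls1_svr.c would not be exercised from here; an unpinned case would keep that path covered. do_client() starts and ends outside the hunk.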
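Review bot: In the ssl/tls1.c hunk (verify_digest), dropping the `last_blk_size > ssl->cipher_info->padding_size` test leaves `hmac_offset < 0` as the only sanity check on the padding length, and nothing visible here checks that the padding bytes themselves carry the padding-length value as TLS requires. If that is not done later in the function (the body continues outside the hunk), a record with arbitrary padding content is accepted whenever its MAC verifies, which is the usual precondition for padding-oracle weaknesses. I would verify the padding bytes without an early exit and fold the result into the final MAC comparison, and have the clamp path record the failure instead of relying on the digest mismatching at offset 0, e.g. `if (hmac_offset < 0) { hmac_offset = 0; bad_pad = 1; }` with `bad_pad` a new local tested at the end. A comment stating that padding longer than one cipher block is legal, and is the reason the bound was removed, would also document the change.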
@@ -124,9 +124,10 @@ static int process_client_hello(SSL *ssl)
 /* should be v3.1 (TLSv1) or better - we'll send in v3.1 mode anyway */
 uint8_t version = (record_buf[1] << 4) + record_buf[2];
+
 if (version > SSL_PROTOCOL_VERSION)
 version = SSL_PROTOCOL_VERSION;
- else if (ssl->version < SSL_PROTOCOL_MIN_VERSION)
+ else if (version < SSL_PROTOCOL_MIN_VERSION)
 {
 ret = SSL_ERROR_INVALID_VERSION;
 ssl_display_error(ret);
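Review bot: The `version` compared in the new `else if` is a lossy packing: `(record_buf[1] << 4) + record_buf[2]` stored in a `uint8_t` drops the high nibble of the major byte and lets a minor byte above 0x0f carry into the major nibble. Distinct wire values therefore collapse to the same packed value (constructed example: bytes 0x13/0x01 and 0x03/0x01 both give 0x31) and pass the range check. Rejecting out-of-range bytes before the comparison closes that, e.g. `if ((record_buf[1] | record_buf[2]) > 0x0f) ret = SSL_ERROR_INVALID_VERSION;`. The visible lines also never store the clamped value, so confirm that the rest of process_client_hello, which continues outside the hunk, uses the clamped `version` and not the raw bytes.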