From d223040e498bd50a4b9e0aa493e78587ae1ed653 Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Mon, 19 May 2008 21:44:43 +0200
Subject: Fix broken debug check for GNUTLS-SA-2008-1.

---
 lib/gnutls_cipher.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 778402aaf5..4ee6201d99 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -459,15 +459,6 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
       return GNUTLS_E_INTERNAL_ERROR;
     }
 
-  if (ciphertext.size < (unsigned) blocksize + hash_size)
-    {
-      _gnutls_record_log
-	("REC[%x]: Short record length %d < %d + %d (under attack?)\n",
-	 session, ciphertext.size, blocksize, hash_size);
-      gnutls_assert ();
-      return GNUTLS_E_DECRYPTION_FAILED;
-    }
-
   /* actual decryption (inplace)
    */
   switch (_gnutls_cipher_is_block
@@ -521,6 +512,9 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
       if ((int)pad > (int)ciphertext.size - hash_size)
 	{
 	  gnutls_assert ();
+	  _gnutls_record_log
+	    ("REC[%x]: Short record length %d > %d - %d (under attack?)\n",
+	     session, pad, ciphertext.size, hash_size);
 	  /* We do not fail here. We check below for the
 	   * the pad_failed. If zero means success.
 	   */
-- 
cgit v1.2.1