there is no minimum length for session IDs

PR: 274
Bodo Möller 2002-09-19 11:43:13 +00:00
parent 30c37c52c5
commit 5fef7d56ce
2 changed files with 10 additions and 7 deletions


@ -4,6 +4,10 @@
Changes between 0.9.6g and 0.9.6h [xx XXX xxxx] Changes between 0.9.6g and 0.9.6h [xx XXX xxxx]
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
[Bodo Moeller]
*) Fix race condition in SSLv3_client_method(). *) Fix race condition in SSLv3_client_method().
[Bodo Moeller] [Bodo Moeller]


@ -632,13 +632,12 @@ static int ssl3_get_server_hello(SSL *s)
/* get the session-id */ /* get the session-id */
j= *(p++); j= *(p++);
if(j > sizeof s->session->session_id) if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
{ {
al=SSL_AD_ILLEGAL_PARAMETER; al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
SSL_R_SSL3_SESSION_ID_TOO_LONG); goto f_err;
goto f_err; }
}
if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
{ {