wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

there is no minimum length for session IDs

Browse source 
PR: 274
[previous commit did not include all the changes]
This commit is contained in:
Bodo Möller 2002-09-20 08:27:44 +00:00
parent 5fef7d56ce
commit caf97dbad0
1 changed files with 1 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
ssl/s3_clnt.c
View file

@ -638,23 +638,13 @@ static int ssl3_get_server_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
goto f_err;
}
if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
{
/* SSLref returns 16 :-( */
if (j < SSL2_SSL_SESSION_ID_LENGTH)
{
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
goto f_err;
}
}
if (j != 0 && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
if(s->sid_ctx_length != s->session->sid_ctx_length
|| memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
{
/* actually a client application bug */
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;