We need to read one more byte of the REQUEST-CERTIFICATE message.

PR: 300

diff --git a/CHANGES b/CHANGES
index cabad0f066bd91993d6a9c97630165e800d100a8..7fca062af0648f3f7a11c4c34485d450377ca0f1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.6g and 0.9.6h  [xx XXX xxxx]
 
+  *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
+     length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
+     [Zeev Lieber <zeev-l@yahoo.com>]
+
   *) Change the default configuration reader to deal with last line not
      being properly terminated.
      [Richard Levitte]

diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index 3f56f6480b5bbb0390891349266629caed559cbb..5c40996e1cfc53e86f9a0d352e340245ba23031a 100644 (file)
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -752,8 +752,8 @@ static int client_certificate(SSL *s)
        if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A)
                {
                i=ssl2_read(s,(char *)&(buf[s->init_num]),
-                       SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num);
-               if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num))
+                       SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num);
+               if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num))
                        return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
                s->init_num += i;