there is no minimum length for session IDs
authorBodo Möller <bodo@openssl.org>
Thu, 19 Sep 2002 11:43:13 +0000 (11:43 +0000)
committerBodo Möller <bodo@openssl.org>
Thu, 19 Sep 2002 11:43:13 +0000 (11:43 +0000)
PR: 274

CHANGES
ssl/s3_clnt.c

diff --git a/CHANGES b/CHANGES
index 84d9e5fe90b35c45d9a39acc7182864e4a5c53ff..dfa7be1bd22d4fa4644fae6927902c7928355f25 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.6g and 0.9.6h  [xx XXX xxxx]
 
+  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
+     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
+     [Bodo Moeller]
+
   *) Fix race condition in SSLv3_client_method().
      [Bodo Moeller]
 
index b0c08d04982f46bda1fe11a848fe926989397800..227708981ca1183c7e59e459954dbebe8e13f7bf 100644 (file)
@@ -632,13 +632,12 @@ static int ssl3_get_server_hello(SSL *s)
        /* get the session-id */
        j= *(p++);
 
-       if(j > sizeof s->session->session_id)
-               {
-               al=SSL_AD_ILLEGAL_PARAMETER;
-               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
-               goto f_err;
-               }
+       if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
+               }
 
        if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
                {
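Review bot: The new condition on the `if` after `j= *(p++);` bounds the session-ID length against the storage array and the protocol maximum, but nothing in the hunk bounds it against the length of the ServerHello actually received, so the later copy of `j` bytes relies on a message-length check that, if present, lives outside the hunk and is worth confirming. Since `sizeof s->session->session_id` and `SSL3_SESSION_ID_SIZE` are both compile-time constants (presumably the same value, going by the CHANGES entry's "up to 32 bytes"), a short comment would make the second term's purpose clear, e.g. `/* storage bound and protocol maximum (SSL 3.0/TLS 1.0: at most 32 bytes); both kept in case the array size ever changes */`. The retained `if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))` opens a block whose body is outside the hunk, which is where the minimum-length rejection the commit title refers to would have to be removed. ssl3_get_server_hello starts and ends outside the hunk.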