there is no minimum length for session IDs
authorBodo Möller <bodo@openssl.org>
Fri, 20 Sep 2002 08:37:13 +0000 (08:37 +0000)
committerBodo Möller <bodo@openssl.org>
Fri, 20 Sep 2002 08:37:13 +0000 (08:37 +0000)
PR: 274

fix race condition
PR: 262

CHANGES
ssl/s3_clnt.c

diff --git a/CHANGES b/CHANGES
index 03b697cd7e8fc2aea8fcbb13b0b5de2926ce92b4..e3fc49c0d2bf169d59e0d6d76fa9cc064a22c55a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1675,6 +1675,13 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
  Changes between 0.9.6g and 0.9.6h  [xx XXX xxxx]
 
+  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
+     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
+     [Bodo Moeller]
+
+  *) Fix race condition in SSLv3_client_method().
+     [Bodo Moeller]
+
   *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
      the cached sessions are flushed, as the remove_cb() might use ex_data
      contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
index 2b58482484d42e6f9553acf60ac362ca040f943a..4e6c946ec2508814ed3313887113ac855b8205cf 100644 (file)
@@ -146,11 +146,11 @@ SSL_METHOD *SSLv3_client_method(void)
 
        if (init)
                {
-               init=0;
                memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
                        sizeof(SSL_METHOD));
                SSLv3_client_data.ssl_connect=ssl3_connect;
                SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+               init=0;
                }
        return(&SSLv3_client_data);
        }
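Review bot: Moving `init=0;` below the copy in SSLv3_client_method() narrows the race but does not close it, because `init` is still tested and cleared with no lock or memory barrier. Two threads that both see `init` set can run the `memcpy` into `SSLv3_client_data` at the same time, and nothing guarantees another thread sees the filled-in table before it observes `init==0`. Consider taking one of the library's CRYPTO write locks around the block and re-testing `init` once the lock is held, so that exactly one thread initialises the method table. The function begins above the hunk, so the declaration of `init` is not visible here.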
@@ -632,23 +632,11 @@ static int ssl3_get_server_hello(SSL *s)
        /* get the session-id */
        j= *(p++);
 
-       if(j > sizeof s->session->session_id)
-               {
-               al=SSL_AD_ILLEGAL_PARAMETER;
-               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
-               goto f_err;
-               }
-
-       if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
+       if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
                {
-               /* SSLref returns 16 :-( */
-               if (j < SSL2_SSL_SESSION_ID_LENGTH)
-                       {
-                       al=SSL_AD_ILLEGAL_PARAMETER;
-                       SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
-                       goto f_err;
-                       }
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
                }
        if (j != 0 && j == s->session->session_id_length
            && memcmp(p,s->session->session_id,j) == 0)
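Review bot: The merged test `(j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)` combines two different limits with no comment saying why both are kept. One is the capacity of the destination buffer and the other is the protocol maximum, so a line such as `/* j must fit both the session_id buffer and the SSL3/TLS limit */` would stop a later cleanup from dropping the buffer bound. Separately, `j` comes straight from the peer's ServerHello, and the hunk shows no check that `j` bytes remain in the received message before `memcmp(p,s->session->session_id,j)`. If the rest of ssl3_get_server_hello() (outside this hunk) does not verify that, a truncated message could be read past its end; worth confirming.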
@@ -656,6 +644,7 @@ static int ssl3_get_server_hello(SSL *s)
            if(s->sid_ctx_length != s->session->sid_ctx_length
               || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
                {
+               /* actually a client application bug */
                al=SSL_AD_ILLEGAL_PARAMETER;
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                goto f_err;
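Review bot: The added comment `/* actually a client application bug */` does not say what the bug is. From the visible condition, this branch fires when the session id matched but `s->sid_ctx` differs from the context stored with the cached session. Something like `/* session id matched but sid_ctx differs from the one saved with the session: a client application bug */` would make that explicit. Since the fault is local rather than in the peer's message, it may also be worth noting in the comment that the `SSL_AD_ILLEGAL_PARAMETER` alert is still sent to the server.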