From: Bodo Möller <bodo@openssl.org>
Date: Thu, 19 Sep 2002 11:43:13 +0000 (+0000)
Subject: there is no minimum length for session IDs
X-Git-Tag: OpenSSL_0_9_6h~99
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5fef7d56ce8448bdd41d037621bcf9ed724815ad;p=oweals%2Fopenssl.git

there is no minimum length for session IDs

PR: 274
---

diff --git a/CHANGES b/CHANGES
index 84d9e5fe90..dfa7be1bd2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.6g and 0.9.6h  [xx XXX xxxx]
 
+  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
+     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
+     [Bodo Moeller]
+
   *) Fix race condition in SSLv3_client_method().
      [Bodo Moeller]
 
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b0c08d0498..227708981c 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -632,13 +632,12 @@ static int ssl3_get_server_hello(SSL *s)
 	/* get the session-id */
 	j= *(p++);
 
-       if(j > sizeof s->session->session_id)
-               {
-               al=SSL_AD_ILLEGAL_PARAMETER;
-               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
-               goto f_err;
-               }
+	if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
+		{
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
+		goto f_err;
+		}
 
 	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
 		{