From 5fef7d56ce8448bdd41d037621bcf9ed724815ad Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Thu, 19 Sep 2002 11:43:13 +0000 Subject: [PATCH] there is no minimum length for session IDs PR: 274 --- CHANGES | 4 ++++ ssl/s3_clnt.c | 13 ++++++------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 84d9e5fe90..dfa7be1bd2 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 0.9.6g and 0.9.6h [xx XXX xxxx] + *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c + (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). + [Bodo Moeller] + *) Fix race condition in SSLv3_client_method(). [Bodo Moeller] diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index b0c08d0498..227708981c 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -632,13 +632,12 @@ static int ssl3_get_server_hello(SSL *s) /* get the session-id */ j= *(p++); - if(j > sizeof s->session->session_id) - { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; - } + if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) + { + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto f_err; + } if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) { -- 2.25.1