From ef9d3a10c36aa30aa764923d42421395da4ce55d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Lutz=20J=C3=A4nicke?=
Date: Sun, 29 Dec 2002 20:58:55 +0000
Subject: [PATCH] Fix wrong handling of session ID in SSLv2 client code.
PR: 377
---
 CHANGES | 9 +++++++++
 ssl/s2_clnt.c | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index afefb21303..a259bd33af 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,15 @@ Changes between 0.9.6h and 0.9.7 [XX xxx 2002]
+ *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
+ code (06) was taken as the first octet of the session ID and the last
+ octet was ignored consequently. As a result SSLv2 client side session
+ caching could not have worked due to the session ID mismatch between
+ client and server.
+ Behaviour observed by Crispin Flowerday as
+ PR #377.
+ [Lutz Jaenicke]
+
 *) Change the declaration of needed Kerberos libraries to use EX_LIBS instead of the special (and badly supported) LIBKRB5. LIBKRB5 is removed entirely.
diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index 0bc04d284e..c6319bb63d 100644
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -1014,7 +1014,7 @@ static int get_server_finished(SSL *s)
 * or bad things can happen */
 /* ZZZZZZZZZZZZZ */
 s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
- memcpy(s->session->session_id,p,SSL2_SSL_SESSION_ID_LENGTH);
+ memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH);
 }
 else
 {
-- 
2.25.1
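Review bot: The `p+1` offset in the new memcpy in get_server_finished() is an unexplained magic number, and the copy now reads through p[SSL2_SSL_SESSION_ID_LENGTH], one octet further into the receive buffer than before. The code that fills that buffer is outside this hunk, so it should be confirmed that it requires at least 1 + SSL2_SSL_SESSION_ID_LENGTH octets to have been read before this point; otherwise the last octet of the stored session ID would come from stale buffer contents. I would add a comment above the copy, `/* p[0] is the SERVER FINISHED message type (06); the session ID starts at p[1] */`. The function body begins and ends outside the hunk.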