pull in fix from openssl-0.9.7-stable-SNAP-20020921:

*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). [Bodo Moeller]
author: markus <> 2002-09-23 21:32:28 +0000
committer: markus <> 2002-09-23 21:32:28 +0000
commit: f31910c44fa57c65521a215e1404058a14bb8fd2 (patch)
tree: ec82598741316cec7701f58e4e153564b97f215b /src/lib/libssl/s3_clnt.c
parent: b8476376aa93d01a90c88ac2718a3516cf9a7222 (diff)
download: openbsd-f31910c44fa57c65521a215e1404058a14bb8fd2.tar.gz
openbsd-f31910c44fa57c65521a215e1404058a14bb8fd2.tar.bz2
openbsd-f31910c44fa57c65521a215e1404058a14bb8fd2.zip
1 files changed, 5 insertions, 16 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 9ce5373b51..7da9363ef5 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -631,23 +631,11 @@ static int ssl3_get_server_hello(SSL *s)
        /* get the session-id */
        j= *(p++);
-       if(j > sizeof s->session->session_id)
+        if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
-               {
-               al=SSL_AD_ILLEGAL_PARAMETER;
-               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
-               goto f_err;
-               }
-        if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
                {
-                /* SSLref returns 16 :-( */
+                al=SSL_AD_ILLEGAL_PARAMETER;
-                if (j < SSL2_SSL_SESSION_ID_LENGTH)
+                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
-                        {
+                goto f_err;
-                        al=SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
-                        goto f_err;
-                        }
                }
        if (j != 0 && j == s->session->session_id_length
            && memcmp(p,s->session->session_id,j) == 0)
@@ -655,6 +643,7 @@ static int ssl3_get_server_hello(SSL *s)
            if(s->sid_ctx_length != s->session->sid_ctx_length
               || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
                {
+                /* actually a client application bug */
                al=SSL_AD_ILLEGAL_PARAMETER;
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                goto f_err;
author	markus <>	2002-09-23 21:32:28 +0000
committer	markus <>	2002-09-23 21:32:28 +0000
commit	f31910c44fa57c65521a215e1404058a14bb8fd2 (patch)
tree	ec82598741316cec7701f58e4e153564b97f215b /src/lib/libssl/s3_clnt.c
parent	b8476376aa93d01a90c88ac2718a3516cf9a7222 (diff)
download	openbsd-f31910c44fa57c65521a215e1404058a14bb8fd2.tar.gz openbsd-f31910c44fa57c65521a215e1404058a14bb8fd2.tar.bz2 openbsd-f31910c44fa57c65521a215e1404058a14bb8fd2.zip