Loading CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -1923,6 +1923,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.6g and 0.9.6h [xx XXX xxxx] *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). [Bodo Moeller] *) Fix race condition in SSLv3_client_method(). [Bodo Moeller] Loading ssl/s3_clnt.c +5 −16 Original line number Diff line number Diff line Loading @@ -671,30 +671,19 @@ static int ssl3_get_server_hello(SSL *s) /* get the session-id */ j= *(p++); if(j > sizeof s->session->session_id) if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG); SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); goto f_err; } if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) { /* SSLref returns 16 :-( */ if (j < SSL2_SSL_SESSION_ID_LENGTH) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT); goto f_err; } } if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) { /* actually a client application bug */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; Loading Loading
CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -1923,6 +1923,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.6g and 0.9.6h [xx XXX xxxx] *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). [Bodo Moeller] *) Fix race condition in SSLv3_client_method(). [Bodo Moeller] Loading
ssl/s3_clnt.c +5 −16 Original line number Diff line number Diff line Loading @@ -671,30 +671,19 @@ static int ssl3_get_server_hello(SSL *s) /* get the session-id */ j= *(p++); if(j > sizeof s->session->session_id) if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG); SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); goto f_err; } if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) { /* SSLref returns 16 :-( */ if (j < SSL2_SSL_SESSION_ID_LENGTH) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT); goto f_err; } } if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) { /* actually a client application bug */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; Loading
