Fix wrong handling of session ID in SSLv2 client code.

PR: 377

Fix wrong handling of session ID in SSLv2 client code.
PR: 377
21cde7a4 · Lutz Jänicke · 85982899 · 21cde7a4 · 21cde7a4
隐藏空白更改
内联并排

Showing with 10 addition and 1 deletion

CHANGES CHANGES +9 -0

ssl/s2_clnt.c ssl/s2_clnt.c +1 -1

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -352,6 +352,15 @@ TODO: bug: pad  x  with leading zeros if necessary
 
 Changes between 0.9.6h and 0.9.7  [XX xxx 2002]

+  *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
+     code (06) was taken as the first octet of the session ID and the last
+     octet was ignored consequently. As a result SSLv2 client side session
+     caching could not have worked due to the session ID mismatch between
+     client and server.
+     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
+     PR #377.
+     [Lutz Jaenicke]
+
  *) Change the declaration of needed Kerberos libraries to use EX_LIBS
     instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
     removed entirely.

--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -1014,7 +1014,7 @@ static int get_server_finished(SSL *s)
 		 * or bad things can happen */
 		/* ZZZZZZZZZZZZZ */
 		s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
-		memcpy(s->session->session_id,p,SSL2_SSL_SESSION_ID_LENGTH);
+		memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH);
 		}
 	else
 		{