authorBodo Möller <bodo@openssl.org>2002-09-19 11:44:07 +0000
committerBodo Möller <bodo@openssl.org>2002-09-19 11:44:07 +0000
commita4f53a1c736a7c4cd9684d892ab4f33318a77a51 (patch)
tree61165be39376071acbb66971db0ebacdd582e62a /ssl
parenta90ae02454ed755a56a00943ea49195c6b565655 (diff)
there is no minimum length for session IDs
PR: 274
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s3_clnt.c21
1 files changed, 5 insertions, 16 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index ca15881eaf..578eca457a 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -671,23 +671,11 @@ static int ssl3_get_server_hello(SSL *s)
/* get the session-id */
j= *(p++);
- if(j > sizeof s->session->session_id)
- {
- al=SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
- SSL_R_SSL3_SESSION_ID_TOO_LONG);
- goto f_err;
- }
-
- if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
+ if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
{
- /* SSLref returns 16 :-( */
- if (j < SSL2_SSL_SESSION_ID_LENGTH)
- {
- al=SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
- goto f_err;
- }
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
+ goto f_err;
}
if (j != 0 && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
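Review bot: The rewritten condition on the `if` line bounds `j` only against the local `session_id` buffer; nothing in this hunk checks that `j` bytes of the ServerHello actually remain before `memcmp(p,s->session->session_id,j)` reads them, so a one-byte length from the peer could still drive a read past the received message unless that check lives elsewhere in `ssl3_get_server_hello`. If it does, a short comment such as `/* j already bounded by the message length above */` would make that visible here; if it does not, `j` should be compared with the remaining message length before the `memcmp`. The two disjuncts `(j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)` also appear redundant if `SSL3_SESSION_ID_SIZE` equals the array size, so either one bound suffices or a comment should state why both are kept. The enclosing function starts and ends outside the hunk.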
@@ -695,6 +683,7 @@ static int ssl3_get_server_hello(SSL *s)
if(s->sid_ctx_length != s->session->sid_ctx_length
|| memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
{
+ /* actually a client application bug */
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;
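Review bot: The added comment `/* actually a client application bug */` names whose fault the condition is but not what it detects, which is the point a reader of the two comparison lines above needs; consider `/* sid_ctx mismatch: the application attached a session created under a different session-id context to this SSL object -- a client-side bug, not a server error */`. Given that the comment itself classifies this as a local error, it is also worth noting whether `SSL_AD_ILLEGAL_PARAMETER`, which tells the peer it sent something invalid, is the alert the authors intend to send in this case. The enclosing function starts outside the hunk.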