From 0afca8113e81e8cd6f0f891f7f6ebfc5f14489db Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Fri, 31 Mar 2017 22:52:56 +0900
Subject: Do not lookup zero-length session ID

A condition was removed by commit 1053a6e2281d; presumably it was an unintended change. Restore the previous behavior so the get_session_cb won't be called with zero-length session ID.

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/4236)
---
 ssl/ssl_sess.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'ssl')
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 7336251210..efba7077ae 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -491,7 +491,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
 goto err;
 case TICKET_NONE:
 case TICKET_EMPTY:
- try_session_cache = 1;
+ if (hello->session_id_len > 0)
+ try_session_cache = 1;
 break;
 case TICKET_NO_DECRYPT:
 case TICKET_SUCCESS:
-- 
cgit v1.2.3
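Review bot: The restored guard under `case TICKET_EMPTY:` has no comment saying why an empty session ID must not set `try_session_cache`, and the commit message says this same condition was already dropped once by an unrelated change. I would put `/* An empty session ID names no session: skip the lookup so get_session_cb is never called with a zero-length ID. */` directly above the `if`. The diffstat lists only ssl/ssl_sess.c, so no test pins the behaviour; a handshake test that sends a ClientHello with a zero-length session ID and no ticket, and asserts the application callback is not invoked, would catch a repeat. ssl_get_prev_session begins and ends outside this hunk, so whether the lookup code further down re-checks the length itself cannot be confirmed from here.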