If a callback is generating a new session ID for SSLv2, then upon exiting,

the ID will be padded out to 16 bytes if the callback attempted to generate
a shorter one. The problem is that the uniqueness checking function used in
callbacks may mistakenly think a 9-byte ID is unique when in fact its
padded 16-byte version is not. This makes the checking function detect
SSLv2 cases, and ensures the padded form is checked rather than the shorter
one passed by the callback.

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7864f2f7b00038c7e346c2cf738b45e2b9643217..0e372f5843c6ef44bffa50c99bde802d848be0b0 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -311,6 +311,17 @@ int SSL_CTX_has_matching_session_id(const SSL_CTX *ctx, const unsigned char *id,
        r.ssl_version = ctx->method->version;
        r.session_id_length = id_len;
        memcpy(r.session_id, id, id_len);
+       /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
+        * callback is calling us to check the uniqueness of a shorter ID, it
+        * must be compared as a padded-out ID because that is what it will be
+        * converted to when the callback has finished choosing it. */
+       if((r.ssl_version == SSL2_VERSION) &&
+                       (id_len < SSL2_SSL_SESSION_ID_LENGTH))
+               {
+               memset(r.session_id + id_len, 0,
+                       SSL2_SSL_SESSION_ID_LENGTH - id_len);
+               r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
+               }
 
        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
        p = (SSL_SESSION *)lh_retrieve(ctx->sessions, &r);