From 43759fc1ed8f10fff50b4239089d02c0fbe6895d Mon Sep 17 00:00:00 2001
From: emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 10 Jun 2012 01:53:20 +0000
Subject: * lib/openssl/ssl.rb: Use a simple random number to generate the  
 session id. MD5, as was used before, causes problems when   using a FIPS
 version of OpenSSL. Issue was found by Jared   Jennings, thank you!  
 [ruby-trunk - Bug #6137]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36005 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ext/openssl/lib/openssl/ssl.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'ext')

diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index 70b27f4416..268e8e9d67 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -146,7 +146,9 @@ module OpenSSL
         @svr = svr
         @ctx = ctx
         unless ctx.session_id_context
-          session_id = OpenSSL::Digest::MD5.hexdigest($0)
+          # see #6137 - session id may not exceed 32 bytes
+          prng = ::Random.new($0.hash)
+          session_id = prng.bytes(16).unpack('H*')[0]
           @ctx.session_id_context = session_id
         end
         @start_immediately = true
-- 
cgit v1.2.3