From: Adam Langley Date: Mon, 5 Jan 2015 16:28:33 +0000 (+0100) Subject: Ensure that the session ID context of an SSL* is updated X-Git-Tag: OpenSSL_1_0_1k~19 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=2357cd2e200dbc964e81e867194dd3be8fc00d7e;p=oweals%2Fopenssl.git Ensure that the session ID context of an SSL* is updated when its SSL_CTX is updated. From BoringSSL commit https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a Reviewed-by: Rich Salz (cherry picked from commit 61aa44ca99473f9cabdfb2d3b35abd0b473437d1) --- diff --git a/CHANGES b/CHANGES index c91552ca12..bfb75bea0b 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,13 @@ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx] + *) Ensure that the session ID context of an SSL is updated when its + SSL_CTX is updated via SSL_set_SSL_CTX. + + The session ID context is typically set from the parent SSL_CTX, + and can vary with the CTX. + [Adam Langley] + *) Fix various certificate fingerprint issues. By using non-DER or invalid encodings outside the signed portion of a diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 2fab2f15f2..707ec6bdf4 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2982,6 +2982,21 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) if (ssl->ctx != NULL) SSL_CTX_free(ssl->ctx); /* decrement reference count */ ssl->ctx = ctx; + + /* + * Inherit the session ID context as it is typically set from the + * parent SSL_CTX, and can vary with the CTX. + * Note that per-SSL SSL_set_session_id_context() will not persist + * if called before SSL_set_SSL_CTX. + */ + ssl->sid_ctx_length = ctx->sid_ctx_length; + /* + * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), + * so setter APIs must prevent invalid lengths from entering the system. + */ + OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx); + memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx)); + return(ssl->ctx); }
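Review bot: the CHANGES entry (hunk in CHANGES) leaves out the one user-visible caveat that the code comment in ssl/ssl_lib.c states explicitly: a session ID context set on the SSL object via SSL_set_session_id_context() before SSL_set_SSL_CTX() is overwritten by the context inherited from the new SSL_CTX. Since CHANGES is what application authors read when upgrading, suggest adding a line to the entry such as "Applications that set a per-SSL session ID context must do so after SSL_set_SSL_CTX." Minor: the entry says "an SSL" where the subject line says "an SSL*"; either is fine but they should match.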
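Review bot: in the ssl/ssl_lib.c hunk, the copy is unconditional and silently discards any per-SSL sid_ctx that was set earlier, and the only guard on the incoming length is OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx), which aborts the process on violation rather than failing the call. The comment justifies this as a program invariant enforced by the setter APIs, which is reasonable, but the ordering means ssl->sid_ctx_length has already been assigned before the assert fires; consider asserting on ctx->sid_ctx_length before the assignment so the SSL is never left in the inconsistent state, even briefly. Also worth a one-line comment that memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx)) deliberately copies the whole fixed-size buffer rather than sid_ctx_length bytes (both sides are SSL_MAX_SID_CTX_LENGTH arrays per the comment), so a reader does not mistake it for an over-read; and, if ctx is not already guaranteed non-NULL above the shown context, the ctx->sid_ctx_length dereference needs that guarantee.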