Ensure that the session ID context of an SSL* is updated

when its SSL_CTX is updated. From BoringSSL commit https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 61aa44ca99)
2015-01-05 17:28:33 +01:00 · 2015-01-05 17:28:33 +01:00 · 2357cd2e20
commit 2357cd2e20
parent 5951cc004b
2 changed files with 22 additions and 0 deletions
--- a/7
+++ b/7
@ -4,6 +4,13 @@

 Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]

+  *) Ensure that the session ID context of an SSL is updated when its
+     SSL_CTX is updated via SSL_set_SSL_CTX.
+
+     The session ID context is typically set from the parent SSL_CTX,
+     and can vary with the CTX.
+     [Adam Langley]
+
  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -2982,6 +2982,21 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 	if (ssl->ctx != NULL)
 		SSL_CTX_free(ssl->ctx); /* decrement reference count */
 	ssl->ctx = ctx;
+
+	/*
+	 * Inherit the session ID context as it is typically set from the
+	 * parent SSL_CTX, and can vary with the CTX.
+	 * Note that per-SSL SSL_set_session_id_context() will not persist
+	 * if called before SSL_set_SSL_CTX.
+	 */
+	ssl->sid_ctx_length = ctx->sid_ctx_length;
+	/*
+	 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
+	 * so setter APIs must prevent invalid lengths from entering the system.
+	 */
+	OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
+	memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
+
 	return(ssl->ctx);
 	}