From 2357cd2e200dbc964e81e867194dd3be8fc00d7e Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Mon, 5 Jan 2015 17:28:33 +0100 Subject: [PATCH] Ensure that the session ID context of an SSL* is updated when its SSL_CTX is updated. From BoringSSL commit https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a Reviewed-by: Rich Salz (cherry picked from commit 61aa44ca99473f9cabdfb2d3b35abd0b473437d1) --- CHANGES | 7 +++++++ ssl/ssl_lib.c | 15 +++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/CHANGES b/CHANGES index c91552ca1..bfb75bea0 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,13 @@ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx] + *) Ensure that the session ID context of an SSL is updated when its + SSL_CTX is updated via SSL_set_SSL_CTX. + + The session ID context is typically set from the parent SSL_CTX, + and can vary with the CTX. + [Adam Langley] + *) Fix various certificate fingerprint issues. By using non-DER or invalid encodings outside the signed portion of a diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 2fab2f15f..707ec6bdf 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2982,6 +2982,21 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) if (ssl->ctx != NULL) SSL_CTX_free(ssl->ctx); /* decrement reference count */ ssl->ctx = ctx; + + /* + * Inherit the session ID context as it is typically set from the + * parent SSL_CTX, and can vary with the CTX. + * Note that per-SSL SSL_set_session_id_context() will not persist + * if called before SSL_set_SSL_CTX. + */ + ssl->sid_ctx_length = ctx->sid_ctx_length; + /* + * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), + * so setter APIs must prevent invalid lengths from entering the system. + */ + OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx); + memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx)); + return(ssl->ctx); }