summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAdam Langley <agl@chromium.org>2015-01-05 17:28:33 +0100
committerEmilia Kasper <emilia@openssl.org>2015-01-05 17:33:28 +0100
commit2357cd2e200dbc964e81e867194dd3be8fc00d7e (patch)
tree80642eeaa26e34e3c9f87b8f1f5025ca255aabab
parent5951cc004b96cd681ffdf39d3fc9238a1ff597ae (diff)
Ensure that the session ID context of an SSL* is updated
when its SSL_CTX is updated. From BoringSSL commit https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 61aa44ca99473f9cabdfb2d3b35abd0b473437d1)
-rw-r--r--CHANGES7
-rw-r--r--ssl/ssl_lib.c15
2 files changed, 22 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index c91552ca12..bfb75bea0b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ *) Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+ [Adam Langley]
+
*) Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2fab2f15f2..707ec6bdf4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2982,6 +2982,21 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
if (ssl->ctx != NULL)
SSL_CTX_free(ssl->ctx); /* decrement reference count */
ssl->ctx = ctx;
+
+ /*
+ * Inherit the session ID context as it is typically set from the
+ * parent SSL_CTX, and can vary with the CTX.
+ * Note that per-SSL SSL_set_session_id_context() will not persist
+ * if called before SSL_set_SSL_CTX.
+ */
+ ssl->sid_ctx_length = ctx->sid_ctx_length;
+ /*
+ * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
+ * so setter APIs must prevent invalid lengths from entering the system.
+ */
+ OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
+ memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
+
return(ssl->ctx);
}