Commit d9b277e0 authored by Adam Langley's avatar Adam Langley Committed by Emilia Kasper
Browse files

Ensure that the session ID context of an SSL* is updated 

when its SSL_CTX is updated.

From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a



Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(cherry picked from commit 61aa44ca)
parent aace6dbc

CHANGES

+7 −0
Original line number Diff line number Diff line
@@ -365,6 +365,13 @@ 


 Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]



  *) Ensure that the session ID context of an SSL is updated when its

     SSL_CTX is updated via SSL_set_SSL_CTX.



     The session ID context is typically set from the parent SSL_CTX,

     and can vary with the CTX.

     [Adam Langley]



  *) Fix various certificate fingerprint issues.



     By using non-DER or invalid encodings outside the signed portion of a

ssl/ssl_lib.c

+15 −0
Original line number Diff line number Diff line
@@ -3198,6 +3198,21 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) 
	if (ssl->ctx != NULL)

		SSL_CTX_free(ssl->ctx); /* decrement reference count */

	ssl->ctx = ctx;



	/*

	 * Inherit the session ID context as it is typically set from the

	 * parent SSL_CTX, and can vary with the CTX.

	 * Note that per-SSL SSL_set_session_id_context() will not persist

	 * if called before SSL_set_SSL_CTX.

	 */

	ssl->sid_ctx_length = ctx->sid_ctx_length;

	/*

	 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),

	 * so setter APIs must prevent invalid lengths from entering the system.

	 */

	OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);

	memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));



	return(ssl->ctx);

	}