Ensure that the session ID context of an SSL* is updated
authorAdam Langley <agl@chromium.org>
Mon, 5 Jan 2015 16:28:33 +0000 (17:28 +0100)
committerEmilia Kasper <emilia@openssl.org>
Mon, 5 Jan 2015 16:33:02 +0000 (17:33 +0100)
when its SSL_CTX is updated.

From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 61aa44ca99473f9cabdfb2d3b35abd0b473437d1)

CHANGES
ssl/ssl_lib.c

diff --git a/CHANGES b/CHANGES
index 5b2f38899c8aedba9f733647e3984d7e0ea22b7f..1880a4661c68dbb75b473b8bea27c1f3e114e448 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 
  Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
 
+  *) Ensure that the session ID context of an SSL is updated when its
+     SSL_CTX is updated via SSL_set_SSL_CTX.
+
+     The session ID context is typically set from the parent SSL_CTX,
+     and can vary with the CTX.
+     [Adam Langley]
+
   *) Fix various certificate fingerprint issues.
 
      By using non-DER or invalid encodings outside the signed portion of a
index cd4ea68d4428af05b5a548d4abe16adcdfc62ed8..64c9eabdd61a3d56f15897c8cba44ccb97ee6e31 100644 (file)
@@ -3198,6 +3198,21 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
        if (ssl->ctx != NULL)
                SSL_CTX_free(ssl->ctx); /* decrement reference count */
        ssl->ctx = ctx;
+
+       /*
+        * Inherit the session ID context as it is typically set from the
+        * parent SSL_CTX, and can vary with the CTX.
+        * Note that per-SSL SSL_set_session_id_context() will not persist
+        * if called before SSL_set_SSL_CTX.
+        */
+       ssl->sid_ctx_length = ctx->sid_ctx_length;
+       /*
+        * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
+        * so setter APIs must prevent invalid lengths from entering the system.
+        */
+       OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
+       memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
+
        return(ssl->ctx);
        }
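Review bot: The copy at the new `ssl->sid_ctx_length = ctx->sid_ctx_length;` and `memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));` lines is unconditional, so a session ID context an application set on this SSL* explicitly (the case the new comment itself describes) is silently discarded whenever the SSL_CTX is swapped, and because the session ID context is what keeps sessions of one virtual host from being resumed on another, a caller who relied on the per-SSL value loses that separation without any error. A narrower rule would inherit from the new ctx only when the SSL's current sid_ctx still equals the old ctx's (i.e. it was never set explicitly), which has to be decided before the `SSL_CTX_free(ssl->ctx)` at the top of the hunk releases the old ctx. The function's opening lines, including any early returns and NULL handling of `ctx`, are outside the hunk and the trailing context line appears truncated here, so whether `ctx` is guaranteed non-NULL at the new dereferences cannot be confirmed from the visible lines. Whichever rule is kept should also be stated in the SSL_set_SSL_CTX documentation rather than only in this comment; if the tree is built as C89 the declaration below belongs with the function's other declarations.
```c
	/*
	 * Decide before the old ctx is released: if the SSL's sid_ctx still
	 * equals the old SSL_CTX's, it was merely inherited and should follow
	 * the new SSL_CTX; an explicitly set per-SSL value is kept.
	 */
	int inherit_sid_ctx = (ssl->ctx == NULL ||
		(ssl->sid_ctx_length == ssl->ctx->sid_ctx_length &&
		 memcmp(ssl->sid_ctx, ssl->ctx->sid_ctx, ssl->sid_ctx_length) == 0));
	if (ssl->ctx != NULL)
		SSL_CTX_free(ssl->ctx); /* decrement reference count */
	ssl->ctx = ctx;

	if (inherit_sid_ctx)
		{
		ssl->sid_ctx_length = ctx->sid_ctx_length;
		OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
		memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
		}
	return(ssl->ctx);
```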