-rw-r--r-- | CHANGES | 7 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 15 |
2 files changed, 22 insertions, 0 deletions
@@ -4,6 +4,13 @@ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ *) Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+ [Adam Langley]
+
 *) Fix various certificate fingerprint issues.
 By using non-DER or invalid encodings outside the signed portion of a
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2fab2f15f2..707ec6bdf4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2982,6 +2982,21 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 if (ssl->ctx != NULL)
 SSL_CTX_free(ssl->ctx); /* decrement reference count */
 ssl->ctx = ctx;
+
+ /*
+ * Inherit the session ID context as it is typically set from the
+ * parent SSL_CTX, and can vary with the CTX.
+ * Note that per-SSL SSL_set_session_id_context() will not persist
+ * if called before SSL_set_SSL_CTX.
+ */
+ ssl->sid_ctx_length = ctx->sid_ctx_length;
+ /*
+ * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
+ * so setter APIs must prevent invalid lengths from entering the system.
+ */
+ OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
+ memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
+
 return(ssl->ctx);
 } |
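Review bot: The behaviour change stated only inside the new comment — a session ID context set per-SSL with SSL_set_session_id_context() before SSL_set_SSL_CTX is now silently replaced by the new ctx's — belongs in the public contract of SSL_set_SSL_CTX as well, because the session ID context decides which sessions a peer may resume and a caller that switches contexts from a callback gets different resumption behaviour with no error to notice. A short addition to the function's API documentation such as `/* Also copies ctx's session ID context into ssl; any session ID context previously set on ssl itself is replaced. */` would make that visible at the declaration rather than only in the body. The OPENSSL_assert turns an out-of-range sid_ctx_length into a process abort, which the comment justifies by the setter invariant; it would be worth stating in the same API note that the copied length is trusted from ctx. On style, the two adjacent lines spell the same operand as `sizeof ssl->sid_ctx` and `sizeof(ssl->sid_ctx)`; using `sizeof(ssl->sid_ctx)` in both keeps them consistent. SSL_set_SSL_CTX begins before this hunk.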