Ensure that the session ID context of an SSL* is updated
when its SSL_CTX is updated.
From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a
Reviewed-by: Rich Salz <rsalz@openssl.org>
diff --git a/CHANGES b/CHANGES
index c076df8..c444b24 100644
--- a/CHANGES
+++ b/CHANGES
@@ -659,6 +659,13 @@
Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ *) Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+ [Adam Langley]
+
*) Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 347ca5e..1552fd9 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3194,6 +3194,21 @@
if (ssl->ctx != NULL)
SSL_CTX_free(ssl->ctx); /* decrement reference count */
ssl->ctx = ctx;
+
+ /*
+ * Inherit the session ID context as it is typically set from the
+ * parent SSL_CTX, and can vary with the CTX.
+ * Note that per-SSL SSL_set_session_id_context() will not persist
+ * if called before SSL_set_SSL_CTX.
+ */
+ ssl->sid_ctx_length = ctx->sid_ctx_length;
+ /*
+ * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
+ * so setter APIs must prevent invalid lengths from entering the system.
+ */
+ OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
+ memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
+
return(ssl->ctx);
}
