[openssl-commits] [openssl] OpenSSL source code branch OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-154-ged736dd

Tue Jan 6 22:19:24 UTC 2015

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  ed736ddd74549ef80f17d5675e8aaf54da572336 (commit)
      from  c7c2a56a1b3bf481b2c6b91906477b53fe118702 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ed736ddd74549ef80f17d5675e8aaf54da572336
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue Jan 6 15:41:04 2015 +0100

    Only inherit the session ID context in SSL_set_SSL_CTX if the existing
    context was also inherited (matches that of the existing SSL_CTX).
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit ac8e9cbe14b59dacfe4ac52bc5ff06f8003e9b01)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_lib.c |   33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 64c9eab..c44bcd2 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3194,24 +3194,31 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 			}
 		ssl_cert_free(ocert);
 		}
-	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
-	if (ssl->ctx != NULL)
-		SSL_CTX_free(ssl->ctx); /* decrement reference count */
-	ssl->ctx = ctx;
 
 	/*
-	 * Inherit the session ID context as it is typically set from the
-	 * parent SSL_CTX, and can vary with the CTX.
-	 * Note that per-SSL SSL_set_session_id_context() will not persist
-	 * if called before SSL_set_SSL_CTX.
-	 */
-	ssl->sid_ctx_length = ctx->sid_ctx_length;
-	/*
 	 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
 	 * so setter APIs must prevent invalid lengths from entering the system.
 	 */
-	OPENSSL_assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
-	memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
+	OPENSSL_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx));
+
+	/*
+	 * If the session ID context matches that of the parent SSL_CTX,
+	 * inherit it from the new SSL_CTX as well. If however the context does
+	 * not match (i.e., it was set per-ssl with SSL_set_session_id_context),
+	 * leave it unchanged.
+	 */
+	if ((ssl->ctx != NULL) &&
+		(ssl->sid_ctx_length == ssl->ctx->sid_ctx_length) &&
+		(memcmp(ssl->sid_ctx, ssl->ctx->sid_ctx, ssl->sid_ctx_length) == 0))
+		{
+		ssl->sid_ctx_length = ctx->sid_ctx_length;
+		memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
+		}
+
+	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
+	if (ssl->ctx != NULL)
+		SSL_CTX_free(ssl->ctx); /* decrement reference count */
+	ssl->ctx = ctx;
 
 	return(ssl->ctx);
 	}


hooks/post-receive
-- 
OpenSSL source code
