Preserve session->sess_cert on ticket renewal.
Turns out the safer/simpler method still wasn't quite right. :-)
session->sess_cert isn't serialized and deserialized, which is poor. Duplicate
it manually for now. Leave a TODO to get rid of that field altogether as it's
not especially helpful. The certificate-related fields should be in the
session. The others probably have no reason to be preserved on resumptions at
all.
Test by making bssl_shim.cc assert the peer cert chain is there or not as
expected.
BUG=501220
Change-Id: I44034167629720d6e2b7b0b938d58bcab3ab0abe
Reviewed-on: https://boringssl-review.googlesource.com/5170
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 90b59c5..8d192b6 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1517,6 +1517,15 @@
OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, ERR_R_INTERNAL_ERROR);
goto err;
}
+ if (s->session->sess_cert != NULL) {
+ /* |sess_cert| is not serialized and must be duplicated explicitly. */
+ assert(new_session->sess_cert == NULL);
+ new_session->sess_cert = ssl_sess_cert_dup(s->session->sess_cert);
+ if (new_session->sess_cert == NULL) {
+ SSL_SESSION_free(new_session);
+ goto err;
+ }
+ }
SSL_SESSION_free(s->session);
s->session = new_session;
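Review bot: The failure branch after `ssl_sess_cert_dup` frees `new_session` and jumps to `err` without recording a reason, while the error path just above it calls `OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, ERR_R_INTERNAL_ERROR)` before its `goto err`; consider adding a matching `OPENSSL_PUT_ERROR(..., ERR_R_MALLOC_FAILURE)` (or whatever the surrounding code uses for allocation failures) so a caller can tell why the ticket was rejected. Also confirm that the `err` label does not free `new_session` again now that this branch frees it itself, since the earlier `goto err` reaches that label with `new_session` in a different state. Finally, the `assert(new_session->sess_cert == NULL)` disappears under NDEBUG, so if the invariant were ever violated the old pointer would be silently overwritten and leaked; if that case is worth guarding against in release builds, a runtime check (or freeing the old value before assignment) would be more robust than the assert alone.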