From fae4895b8dbcedfde2933e86859e38d0c94324f0 Mon Sep 17 00:00:00 2001
From: Giovanni Bechis
Date: Tue, 4 Apr 2023 21:34:57 +0000
Subject: add SSL_CTX_set_session_id_context(3) checks bz #66226
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908971 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'modules')
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 96aaf6602d..a416ce3f0f 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -988,9 +988,17 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
 "protocol (%s support secure renegotiation)",
 reneg_support);
- SSL_set_session_id_context(ssl,
+ if(!SSL_set_session_id_context(ssl,
 (unsigned char *)&id,
- sizeof(id));
+ sizeof(id))) {
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10422)
+ "error setting SSL session context");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return HTTP_FORBIDDEN;
+ }
 /* Toggle the renegotiation state to allow the new
 * handshake to proceed. */
@@ -2576,7 +2584,9 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
 * a renegotiation.
 */
 if (SSL_num_renegotiations(ssl) == 0) {
- SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2);
+ if(!SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2)) {
+ return 0;
+ }
 }
 /*
-- 
cgit v1.2.1
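Review bot: The new failure branch around `SSL_set_session_id_context()` in ssl_hook_Access_classic has no comment saying why the request is refused rather than letting the renegotiation continue, which is the security-relevant decision in this hunk. A line such as `/* Fail closed: without a fresh session id context the handshake below could resume an existing session instead of performing a full one. */` would record it; I am inferring that purpose from the surrounding renegotiation code, so please confirm the wording. On style, `if(!` should be `if (!` and the blank line after the opening brace can go; the same spacing applies to the check added in ssl_find_vhost. The enclosing function starts and ends outside this hunk.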
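Review bot: The `return 0;` added in ssl_find_vhost fails silently, whereas the matching check in ssl_hook_Access_classic logs the OpenSSL error before refusing the request. An operator would see a name-based vhost not being selected for a connection with nothing in the error log to explain it. I would log before returning, for example `ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "error setting SSL session context");` followed by `ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);`, with an APLOGNO tag allocated the usual way. The function body begins outside this hunk, so it is also worth checking whether any per-connection TLS state changed earlier in the function should be left as is when 0 is returned here.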