Preserve digests for SNI.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 10 Oct 2014 12:18:09 +0000 (13:18 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 10 Oct 2014 22:21:14 +0000 (23:21 +0100)
SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

PR: 3560
Reviewed-by: Tim Hudson <tjh@openssl.org>
ssl/ssl_lib.c

index 82a2c80..cc094e4 100644 (file)
@@ -2944,15 +2944,26 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
        {
+       CERT *ocert = ssl->cert;
        if (ssl->ctx == ctx)
                return ssl->ctx;
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx == NULL)
                ctx = ssl->initial_ctx;
 #endif
-       if (ssl->cert != NULL)
-               ssl_cert_free(ssl->cert);
        ssl->cert = ssl_cert_dup(ctx->cert);
+       if (ocert != NULL)
+               {
+               int i;
+               /* Copy negotiated digests from original */
+               for (i = 0; i < SSL_PKEY_NUM; i++)
+                       {
+                       CERT_PKEY *cpk = ocert->pkeys + i;
+                       CERT_PKEY *rpk = ssl->cert->pkeys + i;
+                       rpk->digest = cpk->digest;
+                       }
+               ssl_cert_free(ocert);
+               }
        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
        if (ssl->ctx != NULL)
                SSL_CTX_free(ssl->ctx); /* decrement reference count */