Remove redundant checks in ssl_cert_dup. This was causing spurious error messages...

[openssl.git] / ssl / ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 27819b452f52f58e44c08c74f6489be019503d0d..22a210e90fe8ce668116fa33017a26ebd47efce7 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1593,6 +1593,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
                                        ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
                                goto err;
                                }
+                       p += n;
                        continue;
                        }
 
@@ -3183,15 +3184,28 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
        {
+       CERT *ocert = ssl->cert;
        if (ssl->ctx == ctx)
                return ssl->ctx;
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx == NULL)
                ctx = ssl->initial_ctx;
 #endif
-       if (ssl->cert != NULL)
-               ssl_cert_free(ssl->cert);
        ssl->cert = ssl_cert_dup(ctx->cert);
+       if (ocert)
+               {
+               /* Preserve any already negotiated parameters */
+               if (ssl->server)
+                       {
+                       ssl->cert->peer_sigalgs = ocert->peer_sigalgs;
+                       ssl->cert->peer_sigalgslen = ocert->peer_sigalgslen;
+                       ocert->peer_sigalgs = NULL;
+                       ssl->cert->ciphers_raw = ocert->ciphers_raw;
+                       ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen;
+                       ocert->ciphers_raw = NULL;
+                       }
+               ssl_cert_free(ocert);
+               }
        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
        if (ssl->ctx != NULL)
                SSL_CTX_free(ssl->ctx); /* decrement reference count */