diff options
| author | jsing <> | 2016-09-22 18:34:16 +0000 |
|---|---|---|
| committer | jsing <> | 2016-09-22 18:34:16 +0000 |
| commit | 3821c7448ea23755aa8633c749558353a46bc9e7 (patch) | |
| tree | 799e14d96e3166dc3554ec7e5ccc9683f14ea0de | |
| parent | 651c6f6d69c217d7077f4d9258ec212a3e66bc7a (diff) | |
| download | openbsd-3821c7448ea23755aa8633c749558353a46bc9e7.tar.gz openbsd-3821c7448ea23755aa8633c749558353a46bc9e7.tar.bz2 openbsd-3821c7448ea23755aa8633c749558353a46bc9e7.zip | |
MFC: Avoid falling back to a weak digest for (EC)DH when using SNI withlibressl-v2.3.8
libssl.
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_lib.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 5b9b952e72..a4918b12bd 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.116 2015/10/25 15:52:49 doug Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.116.2.1 2016/09/22 18:34:16 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2847,13 +2847,20 @@ SSL_get_SSL_CTX(const SSL *ssl) | |||
| 2847 | SSL_CTX * | 2847 | SSL_CTX * |
| 2848 | SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) | 2848 | SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) |
| 2849 | { | 2849 | { |
| 2850 | CERT *ocert = ssl->cert; | ||
| 2851 | |||
| 2850 | if (ssl->ctx == ctx) | 2852 | if (ssl->ctx == ctx) |
| 2851 | return (ssl->ctx); | 2853 | return (ssl->ctx); |
| 2852 | if (ctx == NULL) | 2854 | if (ctx == NULL) |
| 2853 | ctx = ssl->initial_ctx; | 2855 | ctx = ssl->initial_ctx; |
| 2854 | if (ssl->cert != NULL) | ||
| 2855 | ssl_cert_free(ssl->cert); | ||
| 2856 | ssl->cert = ssl_cert_dup(ctx->cert); | 2856 | ssl->cert = ssl_cert_dup(ctx->cert); |
| 2857 | if (ocert != NULL) { | ||
| 2858 | int i; | ||
| 2859 | /* Copy negotiated digests from original certificate. */ | ||
| 2860 | for (i = 0; i < SSL_PKEY_NUM; i++) | ||
| 2861 | ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest; | ||
| 2862 | ssl_cert_free(ocert); | ||
| 2863 | } | ||
| 2857 | CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); | 2864 | CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); |
| 2858 | SSL_CTX_free(ssl->ctx); /* decrement reference count */ | 2865 | SSL_CTX_free(ssl->ctx); /* decrement reference count */ |
| 2859 | ssl->ctx = ctx; | 2866 | ssl->ctx = ctx; |