From 48d58dd9daff4b321d2dc77ff2fe2c16888917f7 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 22 Sep 2016 18:34:16 +0000
Subject: MFC: Avoid falling back to a weak digest for (EC)DH when using SNI
 with libssl.

---
 src/lib/libssl/src/ssl/ssl_lib.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 5b9b952e72..a4918b12bd 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.116 2015/10/25 15:52:49 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.116.2.1 2016/09/22 18:34:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2847,13 +2847,20 @@ SSL_get_SSL_CTX(const SSL *ssl)
 SSL_CTX *
 SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 {
+	CERT *ocert = ssl->cert;
+
 	if (ssl->ctx == ctx)
 		return (ssl->ctx);
 	if (ctx == NULL)
 		ctx = ssl->initial_ctx;
-	if (ssl->cert != NULL)
-		ssl_cert_free(ssl->cert);
 	ssl->cert = ssl_cert_dup(ctx->cert);
+	if (ocert != NULL) {
+		int i;
+		/* Copy negotiated digests from original certificate. */
+		for (i = 0; i < SSL_PKEY_NUM; i++)
+			ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest;
+		ssl_cert_free(ocert);
+	}
 	CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
 	SSL_CTX_free(ssl->ctx); /* decrement reference count */
 	ssl->ctx = ctx;
-- 
cgit v1.2.3-55-g6feb