Get correct GOST private key instead of just assuming the last one is
authorDr. Stephen Henson <steve@openssl.org>
Sun, 14 Nov 2010 13:50:55 +0000 (13:50 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sun, 14 Nov 2010 13:50:55 +0000 (13:50 +0000)
correct: this isn't always true if we have more than one certificate.

ssl/s3_srvr.c

index de3f9d27a73d729afb473e892cb7934bf297365c..49751a00487eaa72e0a4de2bf055016148f68e6f 100644 (file)
@@ -2621,12 +2621,19 @@ int ssl3_get_client_key_exchange(SSL *s)
                        {
                        int ret = 0;
                        EVP_PKEY_CTX *pkey_ctx;
-                       EVP_PKEY *client_pub_pkey = NULL;
+                       EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
                        unsigned char premaster_secret[32], *start;
-                       size_t outlen=32, inlen;                        
+                       size_t outlen=32, inlen;
+                       unsigned long alg_a;
 
                        /* Get our certificate private key*/
-                       pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);     
+                       alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+                       if (alg_a & SSL_aGOST94)
+                               pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
+                       else if (alg_a & SSL_aGOST01)
+                               pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
+
+                       pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
                        EVP_PKEY_decrypt_init(pkey_ctx);
                        /* If client certificate is present and is of the same type, maybe
                         * use it for key exchange.  Don't mind errors from