From: Dr. Stephen Henson Date: Sun, 14 Nov 2010 13:50:29 +0000 (+0000) Subject: Get correct GOST private key instead of just assuming the last one is X-Git-Tag: OpenSSL_1_0_0b~4 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b3c17a480504471a57844b4100db42daa2bc9d4a;p=oweals%2Fopenssl.git Get correct GOST private key instead of just assuming the last one is correct: this isn't always true if we have more than one certificate. --- diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 92f73b6681..d0921c59fc 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2579,12 +2579,19 @@ int ssl3_get_client_key_exchange(SSL *s) { int ret = 0; EVP_PKEY_CTX *pkey_ctx; - EVP_PKEY *client_pub_pkey = NULL; + EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; unsigned char premaster_secret[32], *start; - size_t outlen=32, inlen; + size_t outlen=32, inlen; + unsigned long alg_a; /* Get our certificate private key*/ - pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL); + alg_a = s->s3->tmp.new_cipher->algorithm_auth; + if (alg_a & SSL_aGOST94) + pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; + else if (alg_a & SSL_aGOST01) + pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; + + pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); EVP_PKEY_decrypt_init(pkey_ctx); /* If client certificate is present and is of the same type, maybe * use it for key exchange. Don't mind errors from