From b3c17a480504471a57844b4100db42daa2bc9d4a Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 14 Nov 2010 13:50:29 +0000 Subject: [PATCH] Get correct GOST private key instead of just assuming the last one is correct: this isn't always true if we have more than one certificate. --- ssl/s3_srvr.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 92f73b6681..d0921c59fc 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2579,12 +2579,19 @@ int ssl3_get_client_key_exchange(SSL *s) { int ret = 0; EVP_PKEY_CTX *pkey_ctx; - EVP_PKEY *client_pub_pkey = NULL; + EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; unsigned char premaster_secret[32], *start; - size_t outlen=32, inlen; + size_t outlen=32, inlen; + unsigned long alg_a; /* Get our certificate private key*/ - pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL); + alg_a = s->s3->tmp.new_cipher->algorithm_auth; + if (alg_a & SSL_aGOST94) + pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; + else if (alg_a & SSL_aGOST01) + pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; + + pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); EVP_PKEY_decrypt_init(pkey_ctx); /* If client certificate is present and is of the same type, maybe * use it for key exchange. Don't mind errors from -- 2.25.1