Get correct GOST private key instead of just assuming the last one is

correct: this isn't always true if we have more than one certificate.

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 3a62a95fa1adaabfe0dec83fb08635c817809a31..b1071da262c07bedb502f20a8b94c94974de24ec 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2580,12 +2580,19 @@ int ssl3_get_client_key_exchange(SSL *s)
                        {
                        int ret = 0;
                        EVP_PKEY_CTX *pkey_ctx;
-                       EVP_PKEY *client_pub_pkey = NULL;
+                       EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
                        unsigned char premaster_secret[32], *start;
-                       size_t outlen=32, inlen;                        
+                       size_t outlen=32, inlen;
+                       unsigned long alg_a;
 
                        /* Get our certificate private key*/
-                       pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);     
+                       alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+                       if (alg_a & SSL_aGOST94)
+                               pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
+                       else if (alg_a & SSL_aGOST01)
+                               pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
+
+                       pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
                        EVP_PKEY_decrypt_init(pkey_ctx);
                        /* If client certificate is present and is of the same type, maybe
                         * use it for key exchange.  Don't mind errors from