Commit 1f65c045 authored by Dmitry Belyavskiy's avatar Dmitry Belyavskiy Committed by Matt Caswell

Bugfix: GOST2012 certificates for GOST ciphersuites were broken.

parent 02a7e0a9
+0 −5
@@ -383,11 +383,6 @@
# define SSL_PKEY_ED25519        7
# define SSL_PKEY_ED448          8
# define SSL_PKEY_NUM            9
/*
 * Pseudo-constant. GOST cipher suites can use different certs for 1
 * SSL_CIPHER. So let's see which one we have in fact.
 */
# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1

/*-
 * SSL_kRSA <- RSA_ENC
+15 −0
@@ -857,6 +857,21 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
                    break;
                }
            }

            /*
             * Some GOST ciphersuites allow more than one signature algorithms
             * */
            if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
                int real_idx;

                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
                     real_idx--) {
                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
                        idx = real_idx;
                        break;
                    }
                }
            }
        } else {
            idx = s->cert->key - s->cert->pkeys;
        }