commit 1f65c0459a1382481f29756b85e9ec12aedaa6bf
author Dmitry Belyavskiy <beldmit@gmail.com> Thu May 03 17:25:48 2018 +0300
committer Matt Caswell <matt@openssl.org> Wed May 30 09:14:04 2018 +0100
tree 4aaf4778b99f301ed1006857501df287a0c0047b
parent 02a7e0a9f63ec97e9671fec2bb8ce7c289fb4d66

Bugfix: GOST2012 certificates for GOST ciphersuites were broken.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6168)

ssl/t1_lib.c

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c076782..e72ac73 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -857,6 +857,21 @@
                     break;
                 }
             }
+
+            /*
+             * Some GOST ciphersuites allow more than one signature algorithms
+             * */
+            if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
+                int real_idx;
+
+                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
+                     real_idx--) {
+                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
+                        idx = real_idx;
+                        break;
+                    }
+                }
+            }
         } else {
             idx = s->cert->key - s->cert->pkeys;
         }