Avoid KCI attack for GOST
diff --git
a/ssl/statem/statem_clnt.c
b/ssl/statem/statem_clnt.c
index 1774f7a7d4241e795d538c41554a81b4081d5ab9..e3e593b4073e15c685ac6e93c1053574846cb8bf 100644
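--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2377,18 +2377,6 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
 goto err;
 };
- /*
- * If we have client certificate, use its secret as peer key
- */
- if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
- if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <= 0) {
- /*
- * If there was an error - just ignore it. Ephemeral key
- * * would be used
- */
- ERR_clear_error();
- }
- }
 /*
 * Compute shared IV and store it in algorithm-specific context
 * data
@@ -2432,12 +2420,6 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
 goto err;
 }
- /* Check if pubkey from client certificate was used */
- if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
- NULL) > 0) {
- /* Set flag "skip certificate verify" */
- s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
- }
 EVP_PKEY_CTX_free(pkey_ctx);
 s->s3->tmp.pms = pms;
 s->s3->tmp.pmslen = pmslen;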