From: Dmitry Belyavsky Date: Mon, 19 Sep 2016 14:53:35 +0000 (+0100) Subject: Avoid KCI attack for GOST X-Git-Tag: OpenSSL_1_1_1-pre1~3468 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=41b42807726e340538701021cdc196672330f4db Avoid KCI attack for GOST Russian GOST ciphersuites are vulnerable to the KCI attack because they use long-term keys to establish the connection when ssl client authorization is on. This change brings the GOST implementation into line with the latest specs in order to avoid the attack. It should not break backwards compatibility. Reviewed-by: Rich Salz Reviewed-by: Matt Caswell --- diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 1774f7a7d4..e3e593b407 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2377,18 +2377,6 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al) SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err; }; - /* - * If we have client certificate, use its secret as peer key - */ - if (s->s3->tmp.cert_req && s->cert->key->privatekey) { - if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <= 0) { - /* - * If there was an error - just ignore it. Ephemeral key - * * would be used - */ - ERR_clear_error(); - } - } /* * Compute shared IV and store it in algorithm-specific context * data @@ -2432,12 +2420,6 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al) goto err; } - /* Check if pubkey from client certificate was used */ - if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, - NULL) > 0) { - /* Set flag "skip certificate verify" */ - s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; - } EVP_PKEY_CTX_free(pkey_ctx); s->s3->tmp.pms = pms; s->s3->tmp.pmslen = pmslen;