Skip to content
Permalink
Browse files

Avoid KCI attack for GOST

Russian GOST ciphersuites are vulnerable to the KCI attack because they use
long-term keys to establish the connection when ssl client authorization is
on. This change brings the GOST implementation into line with the latest
specs in order to avoid the attack. It should not break backwards
compatibility.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
  • Loading branch information...
beldmit authored and mattcaswell committed Sep 19, 2016
1 parent b8d2439 commit 41b42807726e340538701021cdc196672330f4db
Showing with 0 additions and 18 deletions.
  1. +0 −18 ssl/statem/statem_clnt.c
@@ -2377,18 +2377,6 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
goto err;
};
/*
* If we have client certificate, use its secret as peer key
*/
if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <= 0) {
/*
* If there was an error - just ignore it. Ephemeral key
* * would be used
*/
ERR_clear_error();
}
}
/*
* Compute shared IV and store it in algorithm-specific context
* data
@@ -2432,12 +2420,6 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
goto err;
}

/* Check if pubkey from client certificate was used */
if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
NULL) > 0) {
/* Set flag "skip certificate verify" */
s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
}
EVP_PKEY_CTX_free(pkey_ctx);
s->s3->tmp.pms = pms;
s->s3->tmp.pmslen = pmslen;

0 comments on commit 41b4280

Please sign in to comment.
You can’t perform that action at this time.