1 files changed, 2 insertions, 204 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 52f5de35a4..56fb9ba1c7 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.163 2023/12/29 12:24:33 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.164 2024/02/03 15:58:33 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -161,10 +161,6 @@
 #include <openssl/objects.h>
 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_GOST
-#include <openssl/gost.h>
-#endif
 #include "bytestring.h"
 #include "dtls_local.h"
 #include "ssl_local.h"
@@ -829,7 +825,6 @@ ssl3_get_server_hello(SSL *s)
        uint8_t compression_method;
        const SSL_CIPHER *cipher;
        const SSL_METHOD *method;
-        unsigned long alg_k;
        int al, ret;
        s->first_packet = 1;
@@ -1038,8 +1033,7 @@ ssl3_get_server_hello(SSL *s)
         * Don't digest cached records if no sigalgs: we may need them for
         * client authentication.
         */
-        alg_k = s->s3->hs.cipher->algorithm_mkey;
+        if (!SSL_USE_SIGALGS(s))
-        if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)))
                tls1_transcript_free(s);
        if (!CBS_get_u8(&cbs, &compression_method))
@@ -1931,119 +1925,6 @@ ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
 }
 static int
-ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
-{
-        unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
-        EVP_PKEY_CTX *pkey_ctx = NULL;
-        EVP_MD_CTX *ukm_hash = NULL;
-        EVP_PKEY *pkey;
-        size_t msglen;
-        unsigned int md_len;
-        CBB gostblob;
-        int nid;
-        int ret = 0;
-        /* Get server certificate PKEY and create ctx from it */
-        pkey = X509_get0_pubkey(s->session->peer_cert);
-        if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) {
-                SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
-                goto err;
-        }
-        if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        /*
-         * If we have send a certificate, and certificate key parameters match
-         * those of server certificate, use certificate key for key exchange.
-         * Otherwise, generate ephemeral key pair.
-         */
-        if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0)
-                goto err;
-        /* Generate session key. */
-        arc4random_buf(premaster_secret, sizeof(premaster_secret));
-        /*
-         * If we have client certificate, use its secret as peer key.
-         * XXX - this presumably lacks PFS.
-         */
-        if (s->s3->hs.tls12.cert_request != 0 &&
-            s->cert->key->privatekey != NULL) {
-                if (EVP_PKEY_derive_set_peer(pkey_ctx,
-                    s->cert->key->privatekey) <=0) {
-                        /*
-                         * If there was an error - just ignore it.
-                         * Ephemeral key would be used.
-                         */
-                        ERR_clear_error();
-                }
-        }
-        /*
-         * Compute shared IV and store it in algorithm-specific context data.
-         */
-        if ((ukm_hash = EVP_MD_CTX_new()) == NULL) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        /* XXX check handshake hash instead. */
-        if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
-                nid = NID_id_GostR3411_94;
-        else
-                nid = NID_id_tc26_gost3411_2012_256;
-        if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid)))
-                goto err;
-        if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE))
-                goto err;
-        if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE))
-                goto err;
-        if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len))
-                goto err;
-        if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
-            EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
-                SSLerror(s, SSL_R_LIBRARY_BUG);
-                goto err;
-        }
-        /*
-         * Make GOST keytransport blob message, encapsulate it into sequence.
-         */
-        msglen = 255;
-        if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
-            sizeof(premaster_secret)) < 0) {
-                SSLerror(s, SSL_R_LIBRARY_BUG);
-                goto err;
-        }
-        if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE))
-                goto err;
-        if (!CBB_add_bytes(&gostblob, tmp, msglen))
-                goto err;
-        if (!CBB_flush(cbb))
-                goto err;
-        /* Check if pubkey from client certificate was used. */
-        if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
-            NULL) > 0)
-                s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
-        if (!tls12_derive_master_secret(s, premaster_secret, 32))
-                goto err;
-        ret = 1;
- err:
-        explicit_bzero(premaster_secret, sizeof(premaster_secret));
-        EVP_PKEY_CTX_free(pkey_ctx);
-        EVP_MD_CTX_free(ukm_hash);
-        return ret;
-}
-static int
 ssl3_send_client_key_exchange(SSL *s)
 {
        unsigned long alg_k;
@@ -2067,9 +1948,6 @@ ssl3_send_client_key_exchange(SSL *s)
                } else if (alg_k & SSL_kECDHE) {
                        if (!ssl3_send_client_kex_ecdhe(s, &kex))
                                goto err;
-                } else if (alg_k & SSL_kGOST) {
-                        if (!ssl3_send_client_kex_gost(s, &kex))
-                                goto err;
                } else {
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                            SSL_AD_HANDSHAKE_FAILURE);
@@ -2115,14 +1993,6 @@ ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
                SSLerror(s, ERR_R_EVP_LIB);
                goto err;
        }
-#ifndef OPENSSL_NO_GOST
-        if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
-            EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
-            EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
-                SSLerror(s, ERR_R_EVP_LIB);
-                goto err;
-        }
-#endif
        if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
            (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
            !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
@@ -2230,72 +2100,6 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
        return ret;
 }
-#ifndef OPENSSL_NO_GOST
-static int
-ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
-{
-        CBB cbb_signature;
-        EVP_MD_CTX *mctx;
-        EVP_PKEY_CTX *pctx;
-        const EVP_MD *md;
-        const unsigned char *hdata;
-        unsigned char *signature = NULL;
-        size_t signature_len;
-        size_t hdata_len;
-        int nid;
-        int ret = 0;
-        if ((mctx = EVP_MD_CTX_new()) == NULL)
-                goto err;
-        if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                goto err;
-        }
-        if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
-            (md = EVP_get_digestbynid(nid)) == NULL) {
-                SSLerror(s, ERR_R_EVP_LIB);
-                goto err;
-        }
-        if (!EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey)) {
-                SSLerror(s, ERR_R_EVP_LIB);
-                goto err;
-        }
-#ifndef OPENSSL_NO_GOST
-        if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
-            EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
-                SSLerror(s, ERR_R_EVP_LIB);
-                goto err;
-        }
-#endif
-        if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) {
-                SSLerror(s, ERR_R_EVP_LIB);
-                goto err;
-        }
-        if ((signature = calloc(1, signature_len)) == NULL) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) {
-                SSLerror(s, ERR_R_EVP_LIB);
-                goto err;
-        }
-        if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
-                goto err;
-        if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
-                goto err;
-        if (!CBB_flush(cert_verify))
-                goto err;
-        ret = 1;
- err:
-        EVP_MD_CTX_free(mctx);
-        free(signature);
-        return ret;
-}
-#endif
 static int
 ssl3_send_client_verify(SSL *s)
 {
@@ -2331,12 +2135,6 @@ ssl3_send_client_verify(SSL *s)
                } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
                        if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
                                goto err;
-#ifndef OPENSSL_NO_GOST
-                } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
-                    EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
-                        if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
-                                goto err;
-#endif
                } else {
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        goto err;

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 52f5de35a4..56fb9ba1c7 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.163 2023/12/29 12:24:33 tb Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.164 2024/02/03 15:58:33 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -161,10 +161,6 @@
161	#include <openssl/objects.h>	161	#include <openssl/objects.h>
162	#include <openssl/opensslconf.h>	162	#include <openssl/opensslconf.h>
163		163
164	#ifndef OPENSSL_NO_GOST
165	#include <openssl/gost.h>
166	#endif
167
168	#include "bytestring.h"	164	#include "bytestring.h"
169	#include "dtls_local.h"	165	#include "dtls_local.h"
170	#include "ssl_local.h"	166	#include "ssl_local.h"
@@ -829,7 +825,6 @@ ssl3_get_server_hello(SSL *s)
829	uint8_t compression_method;	825	uint8_t compression_method;
830	const SSL_CIPHER *cipher;	826	const SSL_CIPHER *cipher;
831	const SSL_METHOD *method;	827	const SSL_METHOD *method;
832	unsigned long alg_k;
833	int al, ret;	828	int al, ret;
834		829
835	s->first_packet = 1;	830	s->first_packet = 1;
@@ -1038,8 +1033,7 @@ ssl3_get_server_hello(SSL *s)
1038	* Don't digest cached records if no sigalgs: we may need them for	1033	* Don't digest cached records if no sigalgs: we may need them for
1039	* client authentication.	1034	* client authentication.
1040	*/	1035	*/
1041	alg_k = s->s3->hs.cipher->algorithm_mkey;	1036	if (!SSL_USE_SIGALGS(s))
1042	if (!(SSL_USE_SIGALGS(s) \|\| (alg_k & SSL_kGOST)))
1043	tls1_transcript_free(s);	1037	tls1_transcript_free(s);
1044		1038
1045	if (!CBS_get_u8(&cbs, &compression_method))	1039	if (!CBS_get_u8(&cbs, &compression_method))
@@ -1931,119 +1925,6 @@ ssl3_send_client_kex_ecdhe(SSL s, CBB cbb)
1931	}	1925	}
1932		1926
1933	static int	1927	static int
1934	ssl3_send_client_kex_gost(SSL s, CBB cbb)
1935	{
1936	unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
1937	EVP_PKEY_CTX *pkey_ctx = NULL;
1938	EVP_MD_CTX *ukm_hash = NULL;
1939	EVP_PKEY *pkey;
1940	size_t msglen;
1941	unsigned int md_len;
1942	CBB gostblob;
1943	int nid;
1944	int ret = 0;
1945
1946	/* Get server certificate PKEY and create ctx from it */
1947	pkey = X509_get0_pubkey(s->session->peer_cert);
1948	if (pkey == NULL \|\| s->session->peer_cert_type != SSL_PKEY_GOST01) {
1949	SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
1950	goto err;
1951	}
1952	if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
1953	SSLerror(s, ERR_R_MALLOC_FAILURE);
1954	goto err;
1955	}
1956
1957	/*
1958	* If we have send a certificate, and certificate key parameters match
1959	* those of server certificate, use certificate key for key exchange.
1960	* Otherwise, generate ephemeral key pair.
1961	*/
1962	if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0)
1963	goto err;
1964
1965	/* Generate session key. */
1966	arc4random_buf(premaster_secret, sizeof(premaster_secret));
1967
1968	/*
1969	* If we have client certificate, use its secret as peer key.
1970	* XXX - this presumably lacks PFS.
1971	*/
1972	if (s->s3->hs.tls12.cert_request != 0 &&
1973	s->cert->key->privatekey != NULL) {
1974	if (EVP_PKEY_derive_set_peer(pkey_ctx,
1975	s->cert->key->privatekey) <=0) {
1976	/*
1977	* If there was an error - just ignore it.
1978	* Ephemeral key would be used.
1979	*/
1980	ERR_clear_error();
1981	}
1982	}
1983
1984	/*
1985	* Compute shared IV and store it in algorithm-specific context data.
1986	*/
1987	if ((ukm_hash = EVP_MD_CTX_new()) == NULL) {
1988	SSLerror(s, ERR_R_MALLOC_FAILURE);
1989	goto err;
1990	}
1991
1992	/* XXX check handshake hash instead. */
1993	if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
1994	nid = NID_id_GostR3411_94;
1995	else
1996	nid = NID_id_tc26_gost3411_2012_256;
1997	if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid)))
1998	goto err;
1999	if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE))
2000	goto err;
2001	if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE))
2002	goto err;
2003	if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len))
2004	goto err;
2005	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2006	EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2007	SSLerror(s, SSL_R_LIBRARY_BUG);
2008	goto err;
2009	}
2010
2011	/*
2012	* Make GOST keytransport blob message, encapsulate it into sequence.
2013	*/
2014	msglen = 255;
2015	if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
2016	sizeof(premaster_secret)) < 0) {
2017	SSLerror(s, SSL_R_LIBRARY_BUG);
2018	goto err;
2019	}
2020
2021	if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE))
2022	goto err;
2023	if (!CBB_add_bytes(&gostblob, tmp, msglen))
2024	goto err;
2025	if (!CBB_flush(cbb))
2026	goto err;
2027
2028	/* Check if pubkey from client certificate was used. */
2029	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
2030	NULL) > 0)
2031	s->s3->flags \|= TLS1_FLAGS_SKIP_CERT_VERIFY;
2032
2033	if (!tls12_derive_master_secret(s, premaster_secret, 32))
2034	goto err;
2035
2036	ret = 1;
2037
2038	err:
2039	explicit_bzero(premaster_secret, sizeof(premaster_secret));
2040	EVP_PKEY_CTX_free(pkey_ctx);
2041	EVP_MD_CTX_free(ukm_hash);
2042
2043	return ret;
2044	}
2045
2046	static int
2047	ssl3_send_client_key_exchange(SSL *s)	1928	ssl3_send_client_key_exchange(SSL *s)
2048	{	1929	{
2049	unsigned long alg_k;	1930	unsigned long alg_k;
@@ -2067,9 +1948,6 @@ ssl3_send_client_key_exchange(SSL *s)
2067	} else if (alg_k & SSL_kECDHE) {	1948	} else if (alg_k & SSL_kECDHE) {
2068	if (!ssl3_send_client_kex_ecdhe(s, &kex))	1949	if (!ssl3_send_client_kex_ecdhe(s, &kex))
2069	goto err;	1950	goto err;
2070	} else if (alg_k & SSL_kGOST) {
2071	if (!ssl3_send_client_kex_gost(s, &kex))
2072	goto err;
2073	} else {	1951	} else {
2074	ssl3_send_alert(s, SSL3_AL_FATAL,	1952	ssl3_send_alert(s, SSL3_AL_FATAL,
2075	SSL_AD_HANDSHAKE_FAILURE);	1953	SSL_AD_HANDSHAKE_FAILURE);
@@ -2115,14 +1993,6 @@ ssl3_send_client_verify_sigalgs(SSL s, EVP_PKEY pkey,
2115	SSLerror(s, ERR_R_EVP_LIB);	1993	SSLerror(s, ERR_R_EVP_LIB);
2116	goto err;	1994	goto err;
2117	}	1995	}
2118	#ifndef OPENSSL_NO_GOST
2119	if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
2120	EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2121	EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
2122	SSLerror(s, ERR_R_EVP_LIB);
2123	goto err;
2124	}
2125	#endif
2126	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&	1996	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
2127	(!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) \|\|	1997	(!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) \|\|
2128	!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {	1998	!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
@@ -2230,72 +2100,6 @@ ssl3_send_client_verify_ec(SSL s, EVP_PKEY pkey, CBB *cert_verify)
2230	return ret;	2100	return ret;
2231	}	2101	}
2232		2102
2233	#ifndef OPENSSL_NO_GOST
2234	static int
2235	ssl3_send_client_verify_gost(SSL s, EVP_PKEY pkey, CBB *cert_verify)
2236	{
2237	CBB cbb_signature;
2238	EVP_MD_CTX *mctx;
2239	EVP_PKEY_CTX *pctx;
2240	const EVP_MD *md;
2241	const unsigned char *hdata;
2242	unsigned char *signature = NULL;
2243	size_t signature_len;
2244	size_t hdata_len;
2245	int nid;
2246	int ret = 0;
2247
2248	if ((mctx = EVP_MD_CTX_new()) == NULL)
2249	goto err;
2250
2251	if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
2252	SSLerror(s, ERR_R_INTERNAL_ERROR);
2253	goto err;
2254	}
2255	if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) \|\|
2256	(md = EVP_get_digestbynid(nid)) == NULL) {
2257	SSLerror(s, ERR_R_EVP_LIB);
2258	goto err;
2259	}
2260	if (!EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey)) {
2261	SSLerror(s, ERR_R_EVP_LIB);
2262	goto err;
2263	}
2264	#ifndef OPENSSL_NO_GOST
2265	if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2266	EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
2267	SSLerror(s, ERR_R_EVP_LIB);
2268	goto err;
2269	}
2270	#endif
2271	if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) {
2272	SSLerror(s, ERR_R_EVP_LIB);
2273	goto err;
2274	}
2275	if ((signature = calloc(1, signature_len)) == NULL) {
2276	SSLerror(s, ERR_R_MALLOC_FAILURE);
2277	goto err;
2278	}
2279	if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) {
2280	SSLerror(s, ERR_R_EVP_LIB);
2281	goto err;
2282	}
2283
2284	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2285	goto err;
2286	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2287	goto err;
2288	if (!CBB_flush(cert_verify))
2289	goto err;
2290
2291	ret = 1;
2292	err:
2293	EVP_MD_CTX_free(mctx);
2294	free(signature);
2295	return ret;
2296	}
2297	#endif
2298
2299	static int	2103	static int
2300	ssl3_send_client_verify(SSL *s)	2104	ssl3_send_client_verify(SSL *s)
2301	{	2105	{
@@ -2331,12 +2135,6 @@ ssl3_send_client_verify(SSL *s)
2331	} else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {	2135	} else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
2332	if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))	2136	if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
2333	goto err;	2137	goto err;
2334	#ifndef OPENSSL_NO_GOST
2335	} else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 \|\|
2336	EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2337	if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
2338	goto err;
2339	#endif
2340	} else {	2138	} else {
2341	SSLerror(s, ERR_R_INTERNAL_ERROR);	2139	SSLerror(s, ERR_R_INTERNAL_ERROR);
2342	goto err;	2140	goto err;