Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/ssl_clnt.c47
-rw-r--r--src/lib/libssl/ssl_srvr.c40
2 files changed, 46 insertions, 41 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index cc66ed0473..ca54515a32 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.131 2022/01/09 15:34:21 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.132 2022/01/09 15:40:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1925,40 +1925,44 @@ static int
1925ssl3_send_client_kex_gost(SSL *s, CBB *cbb) 1925ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
1926{ 1926{
1927 unsigned char premaster_secret[32], shared_ukm[32], tmp[256]; 1927 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
1928 EVP_PKEY *pub_key = NULL; 1928 EVP_PKEY_CTX *pkey_ctx = NULL;
1929 EVP_PKEY_CTX *pkey_ctx; 1929 EVP_MD_CTX *ukm_hash = NULL;
1930 EVP_PKEY *pub_key;
1930 X509 *peer_cert; 1931 X509 *peer_cert;
1931 size_t msglen; 1932 size_t msglen;
1932 unsigned int md_len; 1933 unsigned int md_len;
1933 EVP_MD_CTX *ukm_hash;
1934 int nid;
1935 CBB gostblob; 1934 CBB gostblob;
1935 int nid;
1936 int ret = 0; 1936 int ret = 0;
1937 1937
1938 /* Get server sertificate PKEY and create ctx from it */ 1938 /* Get server sertificate PKEY and create ctx from it */
1939 peer_cert = s->session->peer_pkeys[SSL_PKEY_GOST01].x509; 1939 peer_cert = s->session->peer_pkeys[SSL_PKEY_GOST01].x509;
1940 if (peer_cert == NULL) { 1940 if ((pub_key = X509_get0_pubkey(peer_cert)) == NULL) {
1941 SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 1941 SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
1942 goto err; 1942 goto err;
1943 } 1943 }
1944 1944 if ((pkey_ctx = EVP_PKEY_CTX_new(pub_key, NULL)) == NULL) {
1945 pub_key = X509_get_pubkey(peer_cert); 1945 SSLerror(s, ERR_R_MALLOC_FAILURE);
1946 pkey_ctx = EVP_PKEY_CTX_new(pub_key, NULL); 1946 goto err;
1947 }
1947 1948
1948 /* 1949 /*
1949 * If we have send a certificate, and certificate key parameters match 1950 * If we have send a certificate, and certificate key parameters match
1950 * those of server certificate, use certificate key for key exchange. 1951 * those of server certificate, use certificate key for key exchange.
1951 * Otherwise, generate ephemeral key pair. 1952 * Otherwise, generate ephemeral key pair.
1952 */ 1953 */
1953 EVP_PKEY_encrypt_init(pkey_ctx); 1954 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0)
1955 goto err;
1954 1956
1955 /* Generate session key. */ 1957 /* Generate session key. */
1956 arc4random_buf(premaster_secret, 32); 1958 arc4random_buf(premaster_secret, sizeof(premaster_secret));
1957 1959
1958 /* 1960 /*
1959 * If we have client certificate, use its secret as peer key. 1961 * If we have client certificate, use its secret as peer key.
1962 * XXX - this presumably lacks PFS.
1960 */ 1963 */
1961 if (S3I(s)->hs.tls12.cert_request && s->cert->key->privatekey) { 1964 if (S3I(s)->hs.tls12.cert_request != 0 &&
1965 s->cert->key->privatekey != NULL) {
1962 if (EVP_PKEY_derive_set_peer(pkey_ctx, 1966 if (EVP_PKEY_derive_set_peer(pkey_ctx,
1963 s->cert->key->privatekey) <=0) { 1967 s->cert->key->privatekey) <=0) {
1964 /* 1968 /*
@@ -1972,8 +1976,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
1972 /* 1976 /*
1973 * Compute shared IV and store it in algorithm-specific context data. 1977 * Compute shared IV and store it in algorithm-specific context data.
1974 */ 1978 */
1975 ukm_hash = EVP_MD_CTX_new(); 1979 if ((ukm_hash = EVP_MD_CTX_new()) == NULL) {
1976 if (ukm_hash == NULL) {
1977 SSLerror(s, ERR_R_MALLOC_FAILURE); 1980 SSLerror(s, ERR_R_MALLOC_FAILURE);
1978 goto err; 1981 goto err;
1979 } 1982 }
@@ -1985,10 +1988,12 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
1985 nid = NID_id_tc26_gost3411_2012_256; 1988 nid = NID_id_tc26_gost3411_2012_256;
1986 if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid))) 1989 if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid)))
1987 goto err; 1990 goto err;
1988 EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE); 1991 if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE))
1989 EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE); 1992 goto err;
1990 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 1993 if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE))
1991 EVP_MD_CTX_free(ukm_hash); 1994 goto err;
1995 if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len))
1996 goto err;
1992 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 1997 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
1993 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { 1998 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
1994 SSLerror(s, SSL_R_LIBRARY_BUG); 1999 SSLerror(s, SSL_R_LIBRARY_BUG);
@@ -2000,7 +2005,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
2000 */ 2005 */
2001 msglen = 255; 2006 msglen = 255;
2002 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 2007 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
2003 32) < 0) { 2008 sizeof(premaster_secret)) < 0) {
2004 SSLerror(s, SSL_R_LIBRARY_BUG); 2009 SSLerror(s, SSL_R_LIBRARY_BUG);
2005 goto err; 2010 goto err;
2006 } 2011 }
@@ -2016,7 +2021,6 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
2016 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, 2021 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
2017 NULL) > 0) 2022 NULL) > 0)
2018 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2023 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2019 EVP_PKEY_CTX_free(pkey_ctx);
2020 2024
2021 if (!tls12_derive_master_secret(s, premaster_secret, 32)) 2025 if (!tls12_derive_master_secret(s, premaster_secret, 32))
2022 goto err; 2026 goto err;
@@ -2025,7 +2029,8 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
2025 2029
2026 err: 2030 err:
2027 explicit_bzero(premaster_secret, sizeof(premaster_secret)); 2031 explicit_bzero(premaster_secret, sizeof(premaster_secret));
2028 EVP_PKEY_free(pub_key); 2032 EVP_PKEY_CTX_free(pkey_ctx);
2033 EVP_MD_CTX_free(ukm_hash);
2029 2034
2030 return ret; 2035 return ret;
2031} 2036}
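Review bot: New line 2025 still passes the literal `32` to tls12_derive_master_secret() although the same commit switched arc4random_buf() and EVP_PKEY_encrypt() on this buffer to sizeof(premaster_secret) and made the matching change in ssl_srvr.c; for consistency it should read `if (!tls12_derive_master_secret(s, premaster_secret, sizeof(premaster_secret)))`. Dropping the explicit `peer_cert == NULL` test means the missing-certificate path now rests on X509_get0_pubkey() returning NULL for a NULL X509, which appears to hold in this tree but is worth stating with a comment such as `/* X509_get0_pubkey() returns NULL for a NULL peer_cert. */` above the new check at 1940. md_len is written by EVP_DigestFinal_ex() at new 1995 but never compared with the 8 bytes handed to EVP_PKEY_CTRL_SET_IV at 1998; the fixed 256-bit digest makes that safe today, so at least a comment recording that dependency would help the next reader. ssl3_send_client_kex_gost continues between and after the hunks shown here.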
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 1f6753fdf4..0979750e22 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.136 2022/01/09 15:34:21 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.137 2022/01/09 15:40:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1769,23 +1769,21 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1769static int 1769static int
1770ssl3_get_client_kex_gost(SSL *s, CBS *cbs) 1770ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1771{ 1771{
1772 EVP_PKEY_CTX *pkey_ctx;
1773 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
1774 unsigned char premaster_secret[32]; 1772 unsigned char premaster_secret[32];
1775 unsigned long alg_a; 1773 EVP_PKEY_CTX *pkey_ctx = NULL;
1776 size_t outlen = 32; 1774 EVP_PKEY *client_pubkey;
1775 EVP_PKEY *pkey = NULL;
1776 size_t outlen;
1777 CBS gostblob; 1777 CBS gostblob;
1778 int al;
1779 1778
1780 /* Get our certificate private key*/ 1779 /* Get our certificate private key*/
1781 alg_a = S3I(s)->hs.cipher->algorithm_auth; 1780 if ((S3I(s)->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
1782 if (alg_a & SSL_aGOST01) 1781 pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
1783 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
1784 1782
1785 if ((pkey_ctx = EVP_PKEY_CTX_new(pk, NULL)) == NULL) 1783 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
1786 goto err; 1784 goto err;
1787 if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) 1785 if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
1788 goto gerr; 1786 goto err;
1789 1787
1790 /* 1788 /*
1791 * If client certificate is present and is of the same type, 1789 * If client certificate is present and is of the same type,
@@ -1794,9 +1792,8 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1794 * it is completely valid to use a client certificate for 1792 * it is completely valid to use a client certificate for
1795 * authorization only. 1793 * authorization only.
1796 */ 1794 */
1797 if ((client_pub_pkey = X509_get_pubkey(s->session->peer)) != NULL) { 1795 if ((client_pubkey = X509_get0_pubkey(s->session->peer)) != NULL) {
1798 if (EVP_PKEY_derive_set_peer(pkey_ctx, 1796 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
1799 client_pub_pkey) <= 0)
1800 ERR_clear_error(); 1797 ERR_clear_error();
1801 } 1798 }
1802 1799
@@ -1805,13 +1802,15 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1805 goto decode_err; 1802 goto decode_err;
1806 if (CBS_len(cbs) != 0) 1803 if (CBS_len(cbs) != 0)
1807 goto decode_err; 1804 goto decode_err;
1805 outlen = sizeof(premaster_secret);
1808 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, 1806 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
1809 CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) { 1807 CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
1810 SSLerror(s, SSL_R_DECRYPTION_FAILED); 1808 SSLerror(s, SSL_R_DECRYPTION_FAILED);
1811 goto gerr; 1809 goto err;
1812 } 1810 }
1813 1811
1814 if (!tls12_derive_master_secret(s, premaster_secret, 32)) 1812 if (!tls12_derive_master_secret(s, premaster_secret,
1813 sizeof(premaster_secret)))
1815 goto err; 1814 goto err;
1816 1815
1817 /* Check if pubkey from client certificate was used */ 1816 /* Check if pubkey from client certificate was used */
@@ -1819,17 +1818,18 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1819 2, NULL) > 0) 1818 2, NULL) > 0)
1820 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 1819 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
1821 1820
1822 gerr: 1821 explicit_bzero(premaster_secret, sizeof(premaster_secret));
1823 EVP_PKEY_free(client_pub_pkey);
1824 EVP_PKEY_CTX_free(pkey_ctx); 1822 EVP_PKEY_CTX_free(pkey_ctx);
1825 1823
1826 return 1; 1824 return 1;
1827 1825
1828 decode_err: 1826 decode_err:
1829 al = SSL_AD_DECODE_ERROR;
1830 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1827 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1831 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1828 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1832 err: 1829 err:
1830 explicit_bzero(premaster_secret, sizeof(premaster_secret));
1831 EVP_PKEY_CTX_free(pkey_ctx);
1832
1833 return 0; 1833 return 0;
1834} 1834}
1835 1835
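Review bot: After EVP_PKEY_decrypt() at new lines 1806-1810 the updated `outlen` is never compared with sizeof(premaster_secret) before tls12_derive_master_secret() consumes the whole buffer at 1812-1813, so a shorter-than-expected plaintext would leave the trailing bytes of the uninitialised premaster_secret (declared without an initialiser at 1772) feeding the master secret; add a check `if (outlen != sizeof(premaster_secret))` that records SSL_R_DECRYPTION_FAILED and jumps to err. The success path at new 1821-1822 and the err path at 1830-1831 now repeat the same explicit_bzero()/EVP_PKEY_CTX_free() pair; the client side in this same commit returns through a single err label with an `int ret`, and mirroring that here would leave one cleanup sequence. When the cipher's auth bit is not SSL_aGOST01, `pkey` stays NULL and the EVP_PKEY_CTX_new() failure at new 1783 presumably returns 0 with nothing recorded, so an `SSLerror(s, ERR_R_MALLOC_FAILURE)` on that path would match the client-side check added in the same commit. ssl3_get_client_kex_gost continues between the hunks shown here.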