diff options
| author | tb <> | 2023-06-10 15:34:36 +0000 |
|---|---|---|
| committer | tb <> | 2023-06-10 15:34:36 +0000 |
| commit | eb0246e144fe40ea036a24f84618aff44aeec499 (patch) | |
| tree | 21d70bef9b7aa0b3bee4a21d86ddc42c67815288 | |
| parent | 845474be2d49eab2540acf0c233c0f1045cdd2f8 (diff) | |
| download | openbsd-eb0246e144fe40ea036a24f84618aff44aeec499.tar.gz openbsd-eb0246e144fe40ea036a24f84618aff44aeec499.tar.bz2 openbsd-eb0246e144fe40ea036a24f84618aff44aeec499.zip | |
Convert EVP_Digest{Sign,Verify}* to one-shot for TLSv1.3
Using one-shot EVP_DigestSign() and EVP_DigestVerify() is slightly shorter
and is needed for Ed25519 support.
ok jsing
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 16 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 16 |
2 files changed, 10 insertions, 22 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 3555ebadd1..053cf1689b 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.101 2022/11/26 16:08:56 tb Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.102 2023/06/10 15:34:36 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -688,12 +688,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 688 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) | 688 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) |
| 689 | goto err; | 689 | goto err; |
| 690 | } | 690 | } |
| 691 | if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { | 691 | if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature), |
| 692 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; | 692 | sig_content, sig_content_len) <= 0) { |
| 693 | goto err; | ||
| 694 | } | ||
| 695 | if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), | ||
| 696 | CBS_len(&signature)) <= 0) { | ||
| 697 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; | 693 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; |
| 698 | goto err; | 694 | goto err; |
| 699 | } | 695 | } |
| @@ -956,13 +952,11 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 956 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) | 952 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) |
| 957 | goto err; | 953 | goto err; |
| 958 | } | 954 | } |
| 959 | if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) | 955 | if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len)) |
| 960 | goto err; | ||
| 961 | if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) | ||
| 962 | goto err; | 956 | goto err; |
| 963 | if ((sig = calloc(1, sig_len)) == NULL) | 957 | if ((sig = calloc(1, sig_len)) == NULL) |
| 964 | goto err; | 958 | goto err; |
| 965 | if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) | 959 | if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len)) |
| 966 | goto err; | 960 | goto err; |
| 967 | 961 | ||
| 968 | if (!CBB_add_u16(cbb, sigalg->value)) | 962 | if (!CBB_add_u16(cbb, sigalg->value)) |
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 75510a9085..dfeb1e0166 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.105 2022/11/26 16:08:56 tb Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -754,13 +754,11 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 754 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) | 754 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) |
| 755 | goto err; | 755 | goto err; |
| 756 | } | 756 | } |
| 757 | if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) | 757 | if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len)) |
| 758 | goto err; | ||
| 759 | if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) | ||
| 760 | goto err; | 758 | goto err; |
| 761 | if ((sig = calloc(1, sig_len)) == NULL) | 759 | if ((sig = calloc(1, sig_len)) == NULL) |
| 762 | goto err; | 760 | goto err; |
| 763 | if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) | 761 | if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len)) |
| 764 | goto err; | 762 | goto err; |
| 765 | 763 | ||
| 766 | if (!CBB_add_u16(cbb, sigalg->value)) | 764 | if (!CBB_add_u16(cbb, sigalg->value)) |
| @@ -999,12 +997,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 999 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) | 997 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) |
| 1000 | goto err; | 998 | goto err; |
| 1001 | } | 999 | } |
| 1002 | if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { | 1000 | if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature), |
| 1003 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; | 1001 | sig_content, sig_content_len) <= 0) { |
| 1004 | goto err; | ||
| 1005 | } | ||
| 1006 | if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), | ||
| 1007 | CBS_len(&signature)) <= 0) { | ||
| 1008 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; | 1002 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; |
| 1009 | goto err; | 1003 | goto err; |
| 1010 | } | 1004 | } |