Have ssl3_send_client_verify() pass *pkey to called functions.

ssl3_send_client_verify() already has a pointer to the EVP_PKEY for the certificate - pass this as an argument to the functions that it calls, rather than duplicating code/variable declarations.
author: jsing <> 2021-06-27 19:16:59 +0000
committer: jsing <> 2021-06-27 19:16:59 +0000
commit: fe2e9ea28e886fa3dae7e2d6035a86fae494be20 (patch)
tree: 824ba9a04d617f76b5150c7a989186b84311ebc7 /src
parent: b109677d03c0eb1062f19ab300b485b90c0c2ad7 (diff)
download: openbsd-fe2e9ea28e886fa3dae7e2d6035a86fae494be20.tar.gz
openbsd-fe2e9ea28e886fa3dae7e2d6035a86fae494be20.tar.bz2
openbsd-fe2e9ea28e886fa3dae7e2d6035a86fae494be20.zip
1 files changed, 11 insertions, 22 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index fac30b26aa..261bf426cc 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.101 2021/06/27 18:15:35 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.102 2021/06/27 19:16:59 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2338,12 +2338,11 @@ ssl3_send_client_key_exchange(SSL *s)
 }
 static int
-ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify)
+ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
        const struct ssl_sigalg *sigalg;
        CBB cbb_signature;
        EVP_PKEY_CTX *pctx = NULL;
-        EVP_PKEY *pkey;
        EVP_MD_CTX mctx;
        const EVP_MD *md;
        const unsigned char *hdata;
@@ -2353,7 +2352,6 @@ ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify)
        EVP_MD_CTX_init(&mctx);
-        pkey = s->cert->key->privatekey;
        if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
                SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
                goto err;
@@ -2419,18 +2417,15 @@ ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify)
 }
 static int
-ssl3_send_client_verify_rsa(SSL *s, CBB *cert_verify)
+ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
        CBB cbb_signature;
-        EVP_PKEY *pkey;
        unsigned char data[EVP_MAX_MD_SIZE];
        unsigned char *signature = NULL;
        unsigned int signature_len;
        size_t data_len;
        int ret = 0;
-        pkey = s->cert->key->privatekey;
        if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len))
                goto err;
        if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
@@ -2455,17 +2450,14 @@ ssl3_send_client_verify_rsa(SSL *s, CBB *cert_verify)
 }
 static int
-ssl3_send_client_verify_ec(SSL *s, CBB *cert_verify)
+ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
        CBB cbb_signature;
-        EVP_PKEY *pkey;
        unsigned char data[EVP_MAX_MD_SIZE];
        unsigned char *signature = NULL;
        unsigned int signature_len;
        int ret = 0;
-        pkey = s->cert->key->privatekey;
        if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL))
                goto err;
        if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
@@ -2491,12 +2483,11 @@ ssl3_send_client_verify_ec(SSL *s, CBB *cert_verify)
 #ifndef OPENSSL_NO_GOST
 static int
-ssl3_send_client_verify_gost(SSL *s, CBB *cert_verify)
+ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 {
        CBB cbb_signature;
        EVP_MD_CTX mctx;
        EVP_PKEY_CTX *pctx;
-        EVP_PKEY *pkey;
        const EVP_MD *md;
        const unsigned char *hdata;
        unsigned char *signature = NULL;
@@ -2507,8 +2498,6 @@ ssl3_send_client_verify_gost(SSL *s, CBB *cert_verify)
        EVP_MD_CTX_init(&mctx);
-        pkey = s->cert->key->privatekey;
        if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
@@ -2576,22 +2565,22 @@ ssl3_send_client_verify(SSL *s)
                pkey = s->cert->key->privatekey;
                /*
-                 * For TLS v1.2 send signature algorithm and signature
+                 * For TLS v1.2 send signature algorithm and signature using
-                 * using agreed digest and cached handshake records.
+                 * agreed digest and cached handshake records.
                 */
                if (SSL_USE_SIGALGS(s)) {
-                        if (!ssl3_send_client_verify_sigalgs(s, &cert_verify))
+                        if (!ssl3_send_client_verify_sigalgs(s, pkey, &cert_verify))
                                goto err;
                } else if (pkey->type == EVP_PKEY_RSA) {
-                        if (!ssl3_send_client_verify_rsa(s, &cert_verify))
+                        if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
                                goto err;
                } else if (pkey->type == EVP_PKEY_EC) {
-                        if (!ssl3_send_client_verify_ec(s, &cert_verify))
+                        if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
                                goto err;
 #ifndef OPENSSL_NO_GOST
                } else if (pkey->type == NID_id_GostR3410_94 ||
                    pkey->type == NID_id_GostR3410_2001) {
-                        if (!ssl3_send_client_verify_gost(s, &cert_verify))
+                        if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
                                goto err;
 #endif
                } else {
author	jsing <>	2021-06-27 19:16:59 +0000
committer	jsing <>	2021-06-27 19:16:59 +0000
commit	fe2e9ea28e886fa3dae7e2d6035a86fae494be20 (patch)
tree	824ba9a04d617f76b5150c7a989186b84311ebc7 /src
parent	b109677d03c0eb1062f19ab300b485b90c0c2ad7 (diff)
download	openbsd-fe2e9ea28e886fa3dae7e2d6035a86fae494be20.tar.gz openbsd-fe2e9ea28e886fa3dae7e2d6035a86fae494be20.tar.bz2 openbsd-fe2e9ea28e886fa3dae7e2d6035a86fae494be20.zip