1 files changed, 8 insertions, 24 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index a48cf246da..d98a76f8f0 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.10 2017/03/05 14:39:53 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.11 2017/03/10 16:03:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -493,18 +493,12 @@ ssl3_accept(SSL *s)
                                        goto end;
                                }
                        } else {
-                                int offset = 0;
-                                int dgst_num;
                                s->internal->state = SSL3_ST_SR_CERT_VRFY_A;
                                s->internal->init_num = 0;
                                /*
                                 * We need to get hashes here so if there is
-                                 * a client cert, it can be verified
+                                 * a client cert, it can be verified.
-                                 * FIXME - digest processing for
-                                 * CertificateVerify should be generalized.
-                                 * But it is next step
                                 */
                                if (S3I(s)->handshake_buffer) {
                                        if (!tls1_digest_cached_records(s)) {
@@ -512,22 +506,12 @@ ssl3_accept(SSL *s)
                                                goto end;
                                        }
                                }
-                                for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
+                                if (!tls1_handshake_hash_value(s,
-                                    dgst_num++)
+                                    S3I(s)->tmp.cert_verify_md,
-                                        if (S3I(s)->handshake_dgst[dgst_num]) {
+                                    sizeof(S3I(s)->tmp.cert_verify_md),
-                                        int dgst_size;
+                                    NULL)) {
+                                        ret = -1;
-                                        tls1_cert_verify_mac(s,
+                                        goto end;
-                                            EVP_MD_CTX_type(
-                                            S3I(s)->handshake_dgst[dgst_num]),
-                                            &(S3I(s)->tmp.cert_verify_md[offset]));
-                                        dgst_size = EVP_MD_CTX_size(
-                                            S3I(s)->handshake_dgst[dgst_num]);
-                                        if (dgst_size < 0) {
-                                                ret = -1;
-                                                goto end;
-                                        }
-                                        offset += dgst_size;
                                }
                        }
                        break;

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index a48cf246da..d98a76f8f0 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.10 2017/03/05 14:39:53 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.11 2017/03/10 16:03:27 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -493,18 +493,12 @@ ssl3_accept(SSL *s)
493	goto end;	493	goto end;
494	}	494	}
495	} else {	495	} else {
496	int offset = 0;
497	int dgst_num;
498
499	s->internal->state = SSL3_ST_SR_CERT_VRFY_A;	496	s->internal->state = SSL3_ST_SR_CERT_VRFY_A;
500	s->internal->init_num = 0;	497	s->internal->init_num = 0;
501		498
502	/*	499	/*
503	* We need to get hashes here so if there is	500	* We need to get hashes here so if there is
504	* a client cert, it can be verified	501	* a client cert, it can be verified.
505	* FIXME - digest processing for
506	* CertificateVerify should be generalized.
507	* But it is next step
508	*/	502	*/
509	if (S3I(s)->handshake_buffer) {	503	if (S3I(s)->handshake_buffer) {
510	if (!tls1_digest_cached_records(s)) {	504	if (!tls1_digest_cached_records(s)) {
@@ -512,22 +506,12 @@ ssl3_accept(SSL *s)
512	goto end;	506	goto end;
513	}	507	}
514	}	508	}
515	for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;	509	if (!tls1_handshake_hash_value(s,
516	dgst_num++)	510	S3I(s)->tmp.cert_verify_md,
517	if (S3I(s)->handshake_dgst[dgst_num]) {	511	sizeof(S3I(s)->tmp.cert_verify_md),
518	int dgst_size;	512	NULL)) {
519		513	ret = -1;
520	tls1_cert_verify_mac(s,	514	goto end;
521	EVP_MD_CTX_type(
522	S3I(s)->handshake_dgst[dgst_num]),
523	&(S3I(s)->tmp.cert_verify_md[offset]));
524	dgst_size = EVP_MD_CTX_size(
525	S3I(s)->handshake_dgst[dgst_num]);
526	if (dgst_size < 0) {
527	ret = -1;
528	goto end;
529	}
530	offset += dgst_size;
531	}	515	}
532	}	516	}
533	break;	517	break;