2 files changed, 10 insertions, 22 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 3555ebadd1..053cf1689b 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.101 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.102 2023/06/10 15:34:36 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -688,12 +688,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
                        goto err;
        }
-        if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
+        if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature),
-                ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
+            sig_content, sig_content_len) <= 0) {
-                goto err;
-        }
-        if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
-            CBS_len(&signature)) <= 0) {
                ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
                goto err;
        }
@@ -956,13 +952,11 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
                if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
                        goto err;
        }
-        if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
+        if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len))
-                goto err;
-        if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
                goto err;
        if ((sig = calloc(1, sig_len)) == NULL)
                goto err;
-        if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
+        if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len))
                goto err;
        if (!CBB_add_u16(cbb, sigalg->value))
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 75510a9085..dfeb1e0166 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.105 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -754,13 +754,11 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
                if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
                        goto err;
        }
-        if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
+        if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len))
-                goto err;
-        if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
                goto err;
        if ((sig = calloc(1, sig_len)) == NULL)
                goto err;
-        if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
+        if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len))
                goto err;
        if (!CBB_add_u16(cbb, sigalg->value))
@@ -999,12 +997,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
                        goto err;
        }
-        if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
+        if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature),
-                ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
+            sig_content, sig_content_len) <= 0) {
-                goto err;
-        }
-        if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
-            CBS_len(&signature)) <= 0) {
                ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
                goto err;
        }