From efcbc859d153bd2908ab9c32fb042c03eb84d265 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Fri, 10 Mar 2017 16:03:27 +0000 Subject: Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer. ok beck@ inoguchi@ --- src/lib/libssl/ssl_clnt.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'src/lib/libssl/ssl_clnt.c') diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 8dd30e87fb..1cdbf86c50 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.10 2017/03/05 14:39:53 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.11 2017/03/10 16:03:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2354,13 +2354,21 @@ ssl3_send_client_verify(SSL *s) pkey = s->cert->key->privatekey; pctx = EVP_PKEY_CTX_new(pkey, NULL); EVP_PKEY_sign_init(pctx); - if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) { - if (!SSL_USE_SIGALGS(s)) - tls1_cert_verify_mac(s, - NID_sha1, &(data[MD5_DIGEST_LENGTH])); - } else { + + /* XXX - is this needed? */ + if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0) ERR_clear_error(); + + if (!SSL_USE_SIGALGS(s)) { + if (S3I(s)->handshake_buffer) { + if (!tls1_digest_cached_records(s)) + goto err; + } + if (!tls1_handshake_hash_value(s, data, sizeof(data), + NULL)) + goto err; } + /* * For TLS v1.2 send signature algorithm and signature * using agreed digest and cached handshake records. @@ -2388,8 +2396,6 @@ ssl3_send_client_verify(SSL *s) if (!tls1_digest_cached_records(s)) goto err; } else if (pkey->type == EVP_PKEY_RSA) { - tls1_cert_verify_mac( - s, NID_md5, &(data[0])); if (RSA_sign(NID_md5_sha1, data, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]), &u, pkey->pkey.rsa) <= 0 ) { -- cgit v1.2.3-55-g6feb