1 diff --git android-openssl.orig/ssl/s3_clnt.c android-openssl/ssl/s3_clnt.c | |
2 index d6154c5..2b094c9 100644 | |
3 --- android-openssl.orig/ssl/s3_clnt.c | |
4 +++ android-openssl/ssl/s3_clnt.c | |
5 @@ -3022,33 +3022,18 @@ int ssl3_send_client_verify(SSL *s) | |
6 unsigned char *p,*d; | |
7 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; | |
8 EVP_PKEY *pkey; | |
9 - EVP_PKEY_CTX *pctx=NULL; | |
10 + EVP_PKEY_CTX *pctx = NULL; | |
11 EVP_MD_CTX mctx; | |
12 - unsigned u=0; | |
13 + unsigned signature_length = 0; | |
14 unsigned long n; | |
15 - int j; | |
16 | |
17 EVP_MD_CTX_init(&mctx); | |
18 | |
19 if (s->state == SSL3_ST_CW_CERT_VRFY_A) | |
20 { | |
21 - d=(unsigned char *)s->init_buf->data; | |
22 - p= &(d[4]); | |
23 - pkey=s->cert->key->privatekey; | |
24 -/* Create context from key and test if sha1 is allowed as digest */ | |
25 - pctx = EVP_PKEY_CTX_new(pkey,NULL); | |
26 - EVP_PKEY_sign_init(pctx); | |
27 - if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) | |
28 - { | |
29 - if (TLS1_get_version(s) < TLS1_2_VERSION) | |
30 - s->method->ssl3_enc->cert_verify_mac(s, | |
31 - NID_sha1, | |
32 - &(data[MD5_DIGEST_LENGTH])); | |
33 - } | |
34 - else | |
35 - { | |
36 - ERR_clear_error(); | |
37 - } | |
38 + d = (unsigned char *)s->init_buf->data; | |
39 + p = &(d[4]); | |
40 + pkey = s->cert->key->privatekey; | |
41 /* For TLS v1.2 send signature algorithm and signature | |
42 * using agreed digest and cached handshake records. | |
43 */ | |
44 @@ -3072,14 +3057,15 @@ int ssl3_send_client_verify(SSL *s) | |
45 #endif | |
46 if (!EVP_SignInit_ex(&mctx, md, NULL) | |
47 || !EVP_SignUpdate(&mctx, hdata, hdatalen) | |
48 - || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) | |
49 + || !EVP_SignFinal(&mctx, p + 2, | |
50 + &signature_length, pkey)) | |
51 { | |
52 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | |
53 ERR_R_EVP_LIB); | |
54 goto err; | |
55 } | |
56 - s2n(u,p); | |
57 - n = u + 4; | |
58 + s2n(signature_length, p); | |
59 + n = signature_length + 4; | |
60 if (!ssl3_digest_cached_records(s)) | |
61 goto err; | |
62 } | |
63 @@ -3087,78 +3073,80 @@ int ssl3_send_client_verify(SSL *s) | |
64 #ifndef OPENSSL_NO_RSA | |
65 if (pkey->type == EVP_PKEY_RSA) | |
66 { | |
67 + s->method->ssl3_enc->cert_verify_mac(s, NID_md5, data); | |
68 s->method->ssl3_enc->cert_verify_mac(s, | |
69 - NID_md5, | |
70 - &(data[0])); | |
71 + NID_sha1, &(data[MD5_DIGEST_LENGTH])); | |
72 if (RSA_sign(NID_md5_sha1, data, | |
73 - MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, | |
74 - &(p[2]), &u, pkey->pkey.rsa) <= 0 ) | |
75 + MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, | |
76 + &(p[2]), &signature_length, pkey->pkey.r
sa) <= 0) | |
77 { | |
78 - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_L
IB); | |
79 + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_
LIB); | |
80 goto err; | |
81 } | |
82 - s2n(u,p); | |
83 - n=u+2; | |
84 + s2n(signature_length, p); | |
85 + n = signature_length + 2; | |
86 } | |
87 else | |
88 #endif | |
89 #ifndef OPENSSL_NO_DSA | |
90 - if (pkey->type == EVP_PKEY_DSA) | |
91 + if (pkey->type == EVP_PKEY_DSA) | |
92 { | |
93 - if (!DSA_sign(pkey->save_type, | |
94 - &(data[MD5_DIGEST_LENGTH]), | |
95 - SHA_DIGEST_LENGTH,&(p[2]), | |
96 - (unsigned int *)&j,pkey->pkey.dsa)) | |
97 + s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data); | |
98 + if (!DSA_sign(pkey->save_type, data, | |
99 + SHA_DIGEST_LENGTH, &(p[2]), | |
100 + &signature_length, pkey->pkey.dsa)) | |
101 { | |
102 - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_L
IB); | |
103 + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_
LIB); | |
104 goto err; | |
105 } | |
106 - s2n(j,p); | |
107 - n=j+2; | |
108 + s2n(signature_length, p); | |
109 + n = signature_length + 2; | |
110 } | |
111 else | |
112 #endif | |
113 #ifndef OPENSSL_NO_ECDSA | |
114 - if (pkey->type == EVP_PKEY_EC) | |
115 + if (pkey->type == EVP_PKEY_EC) | |
116 { | |
117 - if (!ECDSA_sign(pkey->save_type, | |
118 - &(data[MD5_DIGEST_LENGTH]), | |
119 - SHA_DIGEST_LENGTH,&(p[2]), | |
120 - (unsigned int *)&j,pkey->pkey.ec)) | |
121 + s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data); | |
122 + if (!ECDSA_sign(pkey->save_type, data, | |
123 + SHA_DIGEST_LENGTH, &(p[2]), | |
124 + &signature_length, pkey->pkey.ec)) | |
125 { | |
126 - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | |
127 - ERR_R_ECDSA_LIB); | |
128 + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_ECDS
A_LIB); | |
129 goto err; | |
130 } | |
131 - s2n(j,p); | |
132 - n=j+2; | |
133 + s2n(signature_length, p); | |
134 + n = signature_length + 2; | |
135 } | |
136 else | |
137 #endif | |
138 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_Go
stR3410_2001) | |
139 - { | |
140 - unsigned char signbuf[64]; | |
141 - int i; | |
142 - size_t sigsize=64; | |
143 - s->method->ssl3_enc->cert_verify_mac(s, | |
144 - NID_id_GostR3411_94, | |
145 - data); | |
146 - if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { | |
147 - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | |
148 - ERR_R_INTERNAL_ERROR); | |
149 - goto err; | |
150 - } | |
151 - for (i=63,j=0; i>=0; j++, i--) { | |
152 - p[2+j]=signbuf[i]; | |
153 - } | |
154 - s2n(j,p); | |
155 - n=j+2; | |
156 - } | |
157 + { | |
158 + unsigned char signbuf[64]; | |
159 + int i, j; | |
160 + size_t sigsize=64; | |
161 + | |
162 + s->method->ssl3_enc->cert_verify_mac(s, | |
163 + NID_id_GostR3411_94, | |
164 + data); | |
165 + pctx = EVP_PKEY_CTX_new(pkey, NULL); | |
166 + EVP_PKEY_sign_init(pctx); | |
167 + if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <=
0) { | |
168 + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | |
169 + ERR_R_INTERNAL_ERROR); | |
170 + goto err; | |
171 + } | |
172 + for (i=63,j=0; i>=0; j++, i--) { | |
173 + p[2+j]=signbuf[i]; | |
174 + } | |
175 + s2n(j,p); | |
176 + n=j+2; | |
177 + } | |
178 else | |
179 - { | |
180 + { | |
181 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERRO
R); | |
182 goto err; | |
183 - } | |
184 + } | |
185 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; | |
186 l2n3(n,d); | |
187 | |
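Review bot: In the GOST branch the results of `EVP_PKEY_CTX_new(pkey, NULL)` and `EVP_PKEY_sign_init(pctx)` are discarded, and the copy loop always moves 64 bytes out of `signbuf` without consulting `sigsize`, so if the signer ever returned fewer than 64 bytes, uninitialised stack bytes would go into the CertificateVerify message. Folding the checks into the existing condition keeps the change small: `if (pctx == NULL || EVP_PKEY_sign_init(pctx) <= 0 || EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0 || sigsize != sizeof(signbuf))`. The `cert_verify_mac` calls added to the RSA, DSA and ECDSA branches have the same shape: their return values are ignored, so if the digest step can fail, the uninitialised `data` buffer is what gets signed. `ssl3_send_client_verify` begins before this hunk and continues after it, so whether `pctx` is released on the `err` path is not visible here.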