Index: openssl/ssl/s3_clnt.c |
diff --git a/openssl/ssl/s3_clnt.c b/openssl/ssl/s3_clnt.c |
index d6154c521d088e37d1c8af3335ccdb6c19e6d7e2..2b094c9901d5cd7ae2ca8233c203e65bafbbf59a 100644 |
--- a/openssl/ssl/s3_clnt.c |
+++ b/openssl/ssl/s3_clnt.c |
@@ -3022,33 +3022,18 @@ int ssl3_send_client_verify(SSL *s) |
unsigned char *p,*d; |
unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; |
EVP_PKEY *pkey; |
- EVP_PKEY_CTX *pctx=NULL; |
+ EVP_PKEY_CTX *pctx = NULL; |
EVP_MD_CTX mctx; |
- unsigned u=0; |
+ unsigned signature_length = 0; |
unsigned long n; |
- int j; |
EVP_MD_CTX_init(&mctx); |
if (s->state == SSL3_ST_CW_CERT_VRFY_A) |
{ |
- d=(unsigned char *)s->init_buf->data; |
- p= &(d[4]); |
- pkey=s->cert->key->privatekey; |
-/* Create context from key and test if sha1 is allowed as digest */ |
- pctx = EVP_PKEY_CTX_new(pkey,NULL); |
- EVP_PKEY_sign_init(pctx); |
- if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) |
- { |
- if (TLS1_get_version(s) < TLS1_2_VERSION) |
- s->method->ssl3_enc->cert_verify_mac(s, |
- NID_sha1, |
- &(data[MD5_DIGEST_LENGTH])); |
- } |
- else |
- { |
- ERR_clear_error(); |
- } |
+ d = (unsigned char *)s->init_buf->data; |
+ p = &(d[4]); |
+ pkey = s->cert->key->privatekey; |
/* For TLS v1.2 send signature algorithm and signature |
* using agreed digest and cached handshake records. |
*/ |
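Review bot: `pctx` is still declared and NULL-initialized at function scope, but with the SHA-1 probe removed its only visible assignment is now inside the GOST branch in the third hunk. A short comment on the declaration, such as `/* only set on the GOST signing path */`, would explain why a context pointer outlives the block that uses it. The alternative is to declare it inside the GOST block, which requires freeing it there on both the success and `goto err` paths. The function's cleanup code lies outside this hunk, so it is worth confirming that it still frees `pctx` when the `goto err` in the GOST branch is taken.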
@@ -3072,14 +3057,15 @@ int ssl3_send_client_verify(SSL *s) |
#endif |
if (!EVP_SignInit_ex(&mctx, md, NULL) |
|| !EVP_SignUpdate(&mctx, hdata, hdatalen) |
- || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) |
+ || !EVP_SignFinal(&mctx, p + 2, |
+ &signature_length, pkey)) |
{ |
SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, |
ERR_R_EVP_LIB); |
goto err; |
} |
- s2n(u,p); |
- n = u + 4; |
+ s2n(signature_length, p); |
+ n = signature_length + 4; |
if (!ssl3_digest_cached_records(s)) |
goto err; |
} |
@@ -3087,78 +3073,80 @@ int ssl3_send_client_verify(SSL *s) |
#ifndef OPENSSL_NO_RSA |
if (pkey->type == EVP_PKEY_RSA) |
{ |
+ s->method->ssl3_enc->cert_verify_mac(s, NID_md5, data); |
s->method->ssl3_enc->cert_verify_mac(s, |
- NID_md5, |
- &(data[0])); |
+ NID_sha1, &(data[MD5_DIGEST_LENGTH])); |
if (RSA_sign(NID_md5_sha1, data, |
- MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, |
- &(p[2]), &u, pkey->pkey.rsa) <= 0 ) |
+ MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, |
+ &(p[2]), &signature_length, pkey->pkey.rsa) <= 0) |
{ |
- SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); |
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB); |
goto err; |
} |
- s2n(u,p); |
- n=u+2; |
+ s2n(signature_length, p); |
+ n = signature_length + 2; |
} |
else |
#endif |
#ifndef OPENSSL_NO_DSA |
- if (pkey->type == EVP_PKEY_DSA) |
+ if (pkey->type == EVP_PKEY_DSA) |
{ |
- if (!DSA_sign(pkey->save_type, |
- &(data[MD5_DIGEST_LENGTH]), |
- SHA_DIGEST_LENGTH,&(p[2]), |
- (unsigned int *)&j,pkey->pkey.dsa)) |
+ s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data); |
+ if (!DSA_sign(pkey->save_type, data, |
+ SHA_DIGEST_LENGTH, &(p[2]), |
+ &signature_length, pkey->pkey.dsa)) |
{ |
- SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); |
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB); |
goto err; |
} |
- s2n(j,p); |
- n=j+2; |
+ s2n(signature_length, p); |
+ n = signature_length + 2; |
} |
else |
#endif |
#ifndef OPENSSL_NO_ECDSA |
- if (pkey->type == EVP_PKEY_EC) |
+ if (pkey->type == EVP_PKEY_EC) |
{ |
- if (!ECDSA_sign(pkey->save_type, |
- &(data[MD5_DIGEST_LENGTH]), |
- SHA_DIGEST_LENGTH,&(p[2]), |
- (unsigned int *)&j,pkey->pkey.ec)) |
+ s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data); |
+ if (!ECDSA_sign(pkey->save_type, data, |
+ SHA_DIGEST_LENGTH, &(p[2]), |
+ &signature_length, pkey->pkey.ec)) |
{ |
- SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, |
- ERR_R_ECDSA_LIB); |
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_ECDSA_LIB); |
goto err; |
} |
- s2n(j,p); |
- n=j+2; |
+ s2n(signature_length, p); |
+ n = signature_length + 2; |
} |
else |
#endif |
if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) |
- { |
- unsigned char signbuf[64]; |
- int i; |
- size_t sigsize=64; |
- s->method->ssl3_enc->cert_verify_mac(s, |
- NID_id_GostR3411_94, |
- data); |
- if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { |
- SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, |
- ERR_R_INTERNAL_ERROR); |
- goto err; |
- } |
- for (i=63,j=0; i>=0; j++, i--) { |
- p[2+j]=signbuf[i]; |
- } |
- s2n(j,p); |
- n=j+2; |
- } |
+ { |
+ unsigned char signbuf[64]; |
+ int i, j; |
+ size_t sigsize=64; |
+ |
+ s->method->ssl3_enc->cert_verify_mac(s, |
+ NID_id_GostR3411_94, |
+ data); |
+ pctx = EVP_PKEY_CTX_new(pkey, NULL); |
+ EVP_PKEY_sign_init(pctx); |
+ if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { |
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, |
+ ERR_R_INTERNAL_ERROR); |
+ goto err; |
+ } |
+ for (i=63,j=0; i>=0; j++, i--) { |
+ p[2+j]=signbuf[i]; |
+ } |
+ s2n(j,p); |
+ n=j+2; |
+ } |
else |
- { |
+ { |
SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); |
goto err; |
- } |
+ } |
*(d++)=SSL3_MT_CERTIFICATE_VERIFY; |
l2n3(n,d); |
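Review bot: The new `cert_verify_mac` calls in the RSA, DSA and ECDSA branches ignore the return value, so if a digest computation fails the code goes on to sign whatever the uninitialized stack buffer `data` holds. If `cert_verify_mac` reports failure through its return value (its declaration is not on this page), each call should be checked, e.g. `if (s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data) <= 0) goto err;`, ideally with an `SSLerr` before the jump. The same applies to the GOST branch, where the results of `EVP_PKEY_CTX_new` and `EVP_PKEY_sign_init` are also unchecked. In that branch the copy loop always moves 64 bytes, regardless of the `sigsize` that `EVP_PKEY_sign` wrote back. The function body begins and ends outside this hunk, so the `err:` cleanup is not visible here.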