Refactor ssl3_send_client_verify.

patches.chromium/0016-send_client_verify_cleanup.patch

Index: patches.chromium/0016-send_client_verify_cleanup.patch
diff --git a/patches.chromium/0016-send_client_verify_cleanup.patch b/patches.chromium/0016-send_client_verify_cleanup.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6f728ed9214c7f51b4897d489ef072fab7a9d434
--- /dev/null
+++ b/patches.chromium/0016-send_client_verify_cleanup.patch
@@ -0,0 +1,187 @@
+diff --git android-openssl.orig/ssl/s3_clnt.c android-openssl/ssl/s3_clnt.c
+index d6154c5..2b094c9 100644
+--- android-openssl.orig/ssl/s3_clnt.c
++++ android-openssl/ssl/s3_clnt.c
+@@ -3022,33 +3022,18 @@ int ssl3_send_client_verify(SSL *s)
+ 	unsigned char *p,*d;
+ 	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+ 	EVP_PKEY *pkey;
+-	EVP_PKEY_CTX *pctx=NULL;
++	EVP_PKEY_CTX *pctx = NULL;
+ 	EVP_MD_CTX mctx;
+-	unsigned u=0;
++	unsigned signature_length = 0;
+ 	unsigned long n;
+-	int j;
+ 
+ 	EVP_MD_CTX_init(&mctx);
+ 
+ 	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
+ 		{
+-		d=(unsigned char *)s->init_buf->data;
+-		p= &(d[4]);
+-		pkey=s->cert->key->privatekey;
+-/* Create context from key and test if sha1 is allowed as digest */
+-		pctx = EVP_PKEY_CTX_new(pkey,NULL);
+-		EVP_PKEY_sign_init(pctx);
+-		if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
+-			{
+-			if (TLS1_get_version(s) < TLS1_2_VERSION)
+-				s->method->ssl3_enc->cert_verify_mac(s,
+-						NID_sha1,
+-						&(data[MD5_DIGEST_LENGTH]));
+-			}
+-		else
+-			{
+-			ERR_clear_error();
+-			}
++		d = (unsigned char *)s->init_buf->data;
++		p = &(d[4]);
++		pkey = s->cert->key->privatekey;
+ 		/* For TLS v1.2 send signature algorithm and signature
+ 		 * using agreed digest and cached handshake records.
+ 		 */
+@@ -3072,14 +3057,15 @@ int ssl3_send_client_verify(SSL *s)
+ #endif
+ 			if (!EVP_SignInit_ex(&mctx, md, NULL)
+ 				|| !EVP_SignUpdate(&mctx, hdata, hdatalen)
+-				|| !EVP_SignFinal(&mctx, p + 2, &u, pkey))
++				|| !EVP_SignFinal(&mctx, p + 2,
++					&signature_length, pkey))
+ 				{
+ 				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+ 						ERR_R_EVP_LIB);
+ 				goto err;
+ 				}
+-			s2n(u,p);
+-			n = u + 4;
++			s2n(signature_length, p);
++			n = signature_length + 4;
+ 			if (!ssl3_digest_cached_records(s))
+ 				goto err;
+ 			}
+@@ -3087,78 +3073,80 @@ int ssl3_send_client_verify(SSL *s)
+ #ifndef OPENSSL_NO_RSA
+ 		if (pkey->type == EVP_PKEY_RSA)
+ 			{
++			s->method->ssl3_enc->cert_verify_mac(s, NID_md5, data);
+ 			s->method->ssl3_enc->cert_verify_mac(s,
+-				NID_md5,
+-			 	&(data[0]));
++				NID_sha1, &(data[MD5_DIGEST_LENGTH]));
+ 			if (RSA_sign(NID_md5_sha1, data,
+-					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
+-					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
++					MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
++					&(p[2]), &signature_length, pkey->pkey.rsa) <= 0)
+ 				{
+-				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
++				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB);
+ 				goto err;
+ 				}
+-			s2n(u,p);
+-			n=u+2;
++			s2n(signature_length, p);
++			n = signature_length + 2;
+ 			}
+ 		else
+ #endif
+ #ifndef OPENSSL_NO_DSA
+-			if (pkey->type == EVP_PKEY_DSA)
++		if (pkey->type == EVP_PKEY_DSA)
+ 			{
+-			if (!DSA_sign(pkey->save_type,
+-				&(data[MD5_DIGEST_LENGTH]),
+-				SHA_DIGEST_LENGTH,&(p[2]),
+-				(unsigned int *)&j,pkey->pkey.dsa))
++			s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data);
++			if (!DSA_sign(pkey->save_type, data,
++					SHA_DIGEST_LENGTH, &(p[2]),
++					&signature_length, pkey->pkey.dsa))
+ 				{
+-				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
++				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB);
+ 				goto err;
+ 				}
+-			s2n(j,p);
+-			n=j+2;
++			s2n(signature_length, p);
++			n = signature_length + 2;
+ 			}
+ 		else
+ #endif
+ #ifndef OPENSSL_NO_ECDSA
+-			if (pkey->type == EVP_PKEY_EC)
++		if (pkey->type == EVP_PKEY_EC)
+ 			{
+-			if (!ECDSA_sign(pkey->save_type,
+-				&(data[MD5_DIGEST_LENGTH]),
+-				SHA_DIGEST_LENGTH,&(p[2]),
+-				(unsigned int *)&j,pkey->pkey.ec))
++			s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data);
++			if (!ECDSA_sign(pkey->save_type, data,
++					SHA_DIGEST_LENGTH, &(p[2]),
++					&signature_length, pkey->pkey.ec))
+ 				{
+-				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+-				    ERR_R_ECDSA_LIB);
++				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_ECDSA_LIB);
+ 				goto err;
+ 				}
+-			s2n(j,p);
+-			n=j+2;
++			s2n(signature_length, p);
++			n = signature_length + 2;
+ 			}
+ 		else
+ #endif
+ 		if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 
+-		{
+-		unsigned char signbuf[64];
+-		int i;
+-		size_t sigsize=64;
+-		s->method->ssl3_enc->cert_verify_mac(s,
+-			NID_id_GostR3411_94,
+-			data);
+-		if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
+-			SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+-			ERR_R_INTERNAL_ERROR);
+-			goto err;
+-		}
+-		for (i=63,j=0; i>=0; j++, i--) {
+-			p[2+j]=signbuf[i];
+-		}	
+-		s2n(j,p);
+-		n=j+2;
+-		}
++			{
++			unsigned char signbuf[64];
++			int i, j;
++			size_t sigsize=64;
++
++			s->method->ssl3_enc->cert_verify_mac(s,
++				NID_id_GostR3411_94,
++				data);
++			pctx = EVP_PKEY_CTX_new(pkey, NULL);
++			EVP_PKEY_sign_init(pctx);
++			if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
++				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
++					ERR_R_INTERNAL_ERROR);
++				goto err;
++			}
++			for (i=63,j=0; i>=0; j++, i--) {
++				p[2+j]=signbuf[i];
++			}
++			s2n(j,p);
++			n=j+2;
++			}
+ 		else
+-		{
++			{
+ 			SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
+ 			goto err;
+-		}
++			}
+ 		*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
+ 		l2n3(n,d);
+