Google Git
Sign in
boringssl/boringssl.git/aed2306b9db35f2ad06cd47b5afecfde08168a75^!/.
commit
aed2306b9db35f2ad06cd47b5afecfde08168a75
[log]
author
Adam Langley <agl@chromium.org>
Fri Jun 20 12:00:00 2014 -0700
committer
Adam Langley <agl@chromium.org>
Fri Jun 20 13:17:37 2014 -0700
tree
f5785dbf4dbf9fcbeb89fdb8d8ecd106fdf94825
parent
28acbbc2d6d2fdd9717c6e7e55c5c0e14608a0f0 [diff]
Refactor ssl3_send_client_verify.

The original logic was a confusing spaghetti and mixed up initialization
for all the different cases together.

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b0af827..4bc2380 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c

@@ -2785,32 +2785,17 @@
 	unsigned char *p;
 	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
 	EVP_PKEY *pkey;
-	EVP_PKEY_CTX *pctx=NULL;
+	EVP_PKEY_CTX *pctx = NULL;
 	EVP_MD_CTX mctx;
-	unsigned u=0;
+	unsigned signature_length = 0;
 	unsigned long n;
-	int j;
 
 	EVP_MD_CTX_init(&mctx);
 
 	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
 		{
 		p= ssl_handshake_start(s);
-		pkey=s->cert->key->privatekey;
-/* Create context from key and test if sha1 is allowed as digest */
-		pctx = EVP_PKEY_CTX_new(pkey,NULL);
-		EVP_PKEY_sign_init(pctx);
-		if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
-			{
-			if (!SSL_USE_SIGALGS(s))
-				s->method->ssl3_enc->cert_verify_mac(s,
-						NID_sha1,
-						&(data[MD5_DIGEST_LENGTH]));
-			}
-		else
-			{
-			ERR_clear_error();
-			}
+		pkey = s->cert->key->privatekey;
 		/* For TLS v1.2 send signature algorithm and signature
 		 * using agreed digest and cached handshake records.
 		 */
@@ -2833,13 +2818,14 @@
 #endif
 			if (!EVP_SignInit_ex(&mctx, md, NULL)
 				|| !EVP_SignUpdate(&mctx, hdata, hdatalen)
-				|| !EVP_SignFinal(&mctx, p + 2, &u, pkey))
+				|| !EVP_SignFinal(&mctx, p + 2,
+					&signature_length, pkey))
 				{
 				OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_EVP_LIB);
 				goto err;
 				}
-			s2n(u,p);
-			n = u + 4;
+			s2n(signature_length, p);
+			n = signature_length + 4;
 			if (!ssl3_digest_cached_records(s))
 				goto err;
 			}
@@ -2847,76 +2833,79 @@
 #ifndef OPENSSL_NO_RSA
 		if (pkey->type == EVP_PKEY_RSA)
 			{
+			s->method->ssl3_enc->cert_verify_mac(s, NID_md5, data);
 			s->method->ssl3_enc->cert_verify_mac(s,
-				NID_md5,
-			 	&(data[0]));
+				NID_sha1, &data[MD5_DIGEST_LENGTH]);
 			if (RSA_sign(NID_md5_sha1, data,
-					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
-					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
+					MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
+					&p[2], &signature_length, pkey->pkey.rsa) <= 0)
 				{
 				OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_RSA_LIB);
 				goto err;
 				}
-			s2n(u,p);
-			n=u+2;
+			s2n(signature_length, p);
+			n = signature_length + 2;
 			}
 		else
 #endif
 #ifndef OPENSSL_NO_DSA
-			if (pkey->type == EVP_PKEY_DSA)
+		if (pkey->type == EVP_PKEY_DSA)
 			{
-			if (!DSA_sign(pkey->save_type,
-				&(data[MD5_DIGEST_LENGTH]),
-				SHA_DIGEST_LENGTH,&(p[2]),
-				(unsigned int *)&j,pkey->pkey.dsa))
+			s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data);
+			if (!DSA_sign(pkey->save_type, data,
+					SHA_DIGEST_LENGTH, &(p[2]),
+					&signature_length, pkey->pkey.dsa))
 				{
 				OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_DSA_LIB);
 				goto err;
 				}
-			s2n(j,p);
-			n=j+2;
+			s2n(signature_length, p);
+			n = signature_length + 2;
 			}
 		else
 #endif
 #ifndef OPENSSL_NO_ECDSA
-			if (pkey->type == EVP_PKEY_EC)
+		if (pkey->type == EVP_PKEY_EC)
 			{
-			if (!ECDSA_sign(pkey->save_type,
-				&(data[MD5_DIGEST_LENGTH]),
-				SHA_DIGEST_LENGTH,&(p[2]),
-				(unsigned int *)&j,pkey->pkey.ec))
+			s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data);
+			if (!ECDSA_sign(pkey->save_type, data,
+					SHA_DIGEST_LENGTH, &(p[2]),
+					&signature_length, pkey->pkey.ec))
 				{
 				OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_ECDSA_LIB);
 				goto err;
 				}
-			s2n(j,p);
-			n=j+2;
+			s2n(signature_length, p);
+			n = signature_length + 2;
 			}
 		else
 #endif
 		if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 
-		{
-		unsigned char signbuf[64];
-		int i;
-		size_t sigsize=64;
-		s->method->ssl3_enc->cert_verify_mac(s,
-			NID_id_GostR3411_94,
-			data);
-		if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
-			OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
-			goto err;
-		}
-		for (i=63,j=0; i>=0; j++, i--) {
-			p[2+j]=signbuf[i];
-		}	
-		s2n(j,p);
-		n=j+2;
-		}
+			{
+			unsigned char signbuf[64];
+			int i, j;
+			size_t sigsize=64;
+
+			s->method->ssl3_enc->cert_verify_mac(s,
+				NID_id_GostR3411_94,
+				data);
+			pctx = EVP_PKEY_CTX_new(pkey, NULL);
+			EVP_PKEY_sign_init(pctx);
+			if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
+				OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
+				goto err;
+			}
+			for (i=63,j=0; i>=0; j++, i--) {
+				p[2+j]=signbuf[i];
+			}
+			s2n(j,p);
+			n=j+2;
+			}
 		else
-		{
+			{
 			OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
 			goto err;
-		}
+			}
 		ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
 		s->state=SSL3_ST_CW_CERT_VRFY_B;
 		}