authorTheo Buehler <tb@cvs.openbsd.org>2023-06-10 15:34:37 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-06-10 15:34:37 +0000
commit5f3a9388361639352f055ca5f5e1f839cfe26e4e (patch)
treecddac9d078854caee9eca69d03f0a74e747c83f5 /lib
parent3afa6ca8315a5c5e39d27b301840e7959e752a2c (diff)
Convert EVP_Digest{Sign,Verify}* to one-shot for TLSv1.3
Using one-shot EVP_DigestSign() and EVP_DigestVerify() is slightly shorter and is needed for Ed25519 support. ok jsing
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/tls13_client.c16
-rw-r--r--lib/libssl/tls13_server.c16
2 files changed, 10 insertions, 22 deletions
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 3555ebadd19..053cf1689b1 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.101 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.102 2023/06/10 15:34:36 tb Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -688,12 +688,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
goto err;
}
- if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
- ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
- goto err;
- }
- if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
- CBS_len(&signature)) <= 0) {
+ if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature),
+ sig_content, sig_content_len) <= 0) {
ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
goto err;
}
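Review bot: The switch to the one-shot `EVP_DigestVerify()` in tls13_server_certificate_verify_recv() carries no comment, so the reason for it (per the commit description, Ed25519 support needs the one-shot form) lives only in the commit log. A short comment above the call would keep a later cleanup from splitting it back into Update/Final, e.g. `/* One-shot verify: required for Ed25519. */`. The `<= 0` test and the decrypt_error alert are retained, matching what the removed code did at both failure points. The same comment would fit the matching hunk in tls13_client_certificate_verify_recv() in tls13_server.c; the function body extends beyond the hunk.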
@@ -956,13 +952,11 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
goto err;
}
- if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
- goto err;
- if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
+ if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len))
goto err;
if ((sig = calloc(1, sig_len)) == NULL)
goto err;
- if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
+ if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len))
goto err;
if (!CBB_add_u16(cbb, sigalg->value))
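Review bot: Both new `EVP_DigestSign()` calls in tls13_client_certificate_verify_send() test the result with `!`, whereas the `EVP_DigestSignFinal()` calls they replace tested `<= 0`, and the verify path in this same commit still uses `<= 0`. If the one-shot call can return a negative value (EVP signing entry points often report unsupported operations that way; worth confirming for this implementation), `!` would treat that error as success and the handshake would go on with a length or buffer the call never filled in. Keeping the earlier form avoids the question: `if (EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len) <= 0)`, and likewise for the second call. The same applies to the matching hunk in tls13_server_certificate_verify_send() in tls13_server.c. The function body starts and ends outside the hunk.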
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 75510a90855..dfeb1e01663 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.105 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -754,13 +754,11 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
goto err;
}
- if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
- goto err;
- if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
+ if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len))
goto err;
if ((sig = calloc(1, sig_len)) == NULL)
goto err;
- if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
+ if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len))
goto err;
if (!CBB_add_u16(cbb, sigalg->value))
@@ -999,12 +997,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
goto err;
}
- if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
- ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
- goto err;
- }
- if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
- CBS_len(&signature)) <= 0) {
+ if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature),
+ sig_content, sig_content_len) <= 0) {
ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
goto err;
}