1 diff --git android-openssl.orig/ssl/s3_clnt.c android-openssl/ssl/s3_clnt.c 2 index d6154c5..2b094c9 100644 3 --- android-openssl.orig/ssl/s3_clnt.c 4 +++ android-openssl/ssl/s3_clnt.c 5 @@ -3022,33 +3022,18 @@ int ssl3_send_client_verify(SSL *s) 6 unsigned char *p,*d; 7 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 8 EVP_PKEY *pkey; 9 - EVP_PKEY_CTX *pctx=NULL; 10 + EVP_PKEY_CTX *pctx = NULL; 11 EVP_MD_CTX mctx; 12 - unsigned u=0; 13 + unsigned signature_length = 0; 14 unsigned long n; 15 - int j; 16 17 EVP_MD_CTX_init(&mctx); 18 19 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 20 { 21 - d=(unsigned char *)s->init_buf->data; 22 - p= &(d[4]); 23 - pkey=s->cert->key->privatekey; 24 -/* Create context from key and test if sha1 is allowed as digest */ 25 - pctx = EVP_PKEY_CTX_new(pkey,NULL); 26 - EVP_PKEY_sign_init(pctx); 27 - if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 28 - { 29 - if (TLS1_get_version(s) < TLS1_2_VERSION) 30 - s->method->ssl3_enc->cert_verify_mac(s, 31 - NID_sha1, 32 - &(data[MD5_DIGEST_LENGTH])); 33 - } 34 - else 35 - { 36 - ERR_clear_error(); 37 - } 38 + d = (unsigned char *)s->init_buf->data; 39 + p = &(d[4]); 40 + pkey = s->cert->key->privatekey; 41 /* For TLS v1.2 send signature algorithm and signature 42 * using agreed digest and cached handshake records. 43 */ 44 @@ -3072,14 +3057,15 @@ int ssl3_send_client_verify(SSL *s) 45 #endif 46 if (!EVP_SignInit_ex(&mctx, md, NULL) 47 || !EVP_SignUpdate(&mctx, hdata, hdatalen) 48 - || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 49 + || !EVP_SignFinal(&mctx, p + 2, 50 + &signature_length, pkey)) 51 { 52 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 53 ERR_R_EVP_LIB); 54 goto err; 55 } 56 - s2n(u,p); 57 - n = u + 4; 58 + s2n(signature_length, p); 59 + n = signature_length + 4; 60 if (!ssl3_digest_cached_records(s)) 61 goto err; 62 } 63 @@ -3087,78 +3073,80 @@ int ssl3_send_client_verify(SSL *s) 64 #ifndef OPENSSL_NO_RSA 65 if (pkey->type == EVP_PKEY_RSA) 66 { 67 + s->method->ssl3_enc->cert_verify_mac(s, NID_md5, data); 68 s->method->ssl3_enc->cert_verify_mac(s, 69 - NID_md5, 70 - &(data[0])); 71 + NID_sha1, &(data[MD5_DIGEST_LENGTH])); 72 if (RSA_sign(NID_md5_sha1, data, 73 - MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 74 - &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 75 + MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, 76 + &(p[2]), &signature_length, pkey->pkey.rsa) <= 0) 77 { 78 - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 79 + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB); 80 goto err; 81 } 82 - s2n(u,p); 83 - n=u+2; 84 + s2n(signature_length, p); 85 + n = signature_length + 2; 86 } 87 else 88 #endif 89 #ifndef OPENSSL_NO_DSA 90 - if (pkey->type == EVP_PKEY_DSA) 91 + if (pkey->type == EVP_PKEY_DSA) 92 { 93 - if (!DSA_sign(pkey->save_type, 94 - &(data[MD5_DIGEST_LENGTH]), 95 - SHA_DIGEST_LENGTH,&(p[2]), 96 - (unsigned int *)&j,pkey->pkey.dsa)) 97 + s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data); 98 + if (!DSA_sign(pkey->save_type, data, 99 + SHA_DIGEST_LENGTH, &(p[2]), 100 + &signature_length, pkey->pkey.dsa)) 101 { 102 - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 103 + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB); 104 goto err; 105 } 106 - s2n(j,p); 107 - n=j+2; 108 + s2n(signature_length, p); 109 + n = signature_length + 2; 110 } 111 else 112 #endif 113 #ifndef OPENSSL_NO_ECDSA 114 - if (pkey->type == EVP_PKEY_EC) 115 + if (pkey->type == EVP_PKEY_EC) 116 { 117 - if (!ECDSA_sign(pkey->save_type, 118 - &(data[MD5_DIGEST_LENGTH]), 119 - SHA_DIGEST_LENGTH,&(p[2]), 120 - (unsigned int *)&j,pkey->pkey.ec)) 121 + s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data); 122 + if (!ECDSA_sign(pkey->save_type, data, 123 + SHA_DIGEST_LENGTH, &(p[2]), 124 + &signature_length, pkey->pkey.ec)) 125 { 126 - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 127 - ERR_R_ECDSA_LIB); 128 + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_ECDSA_LIB); 129 goto err; 130 } 131 - s2n(j,p); 132 - n=j+2; 133 + s2n(signature_length, p); 134 + n = signature_length + 2; 135 } 136 else 137 #endif 138 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 139 - { 140 - unsigned char signbuf[64]; 141 - int i; 142 - size_t sigsize=64; 143 - s->method->ssl3_enc->cert_verify_mac(s, 144 - NID_id_GostR3411_94, 145 - data); 146 - if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 147 - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 148 - ERR_R_INTERNAL_ERROR); 149 - goto err; 150 - } 151 - for (i=63,j=0; i>=0; j++, i--) { 152 - p[2+j]=signbuf[i]; 153 - } 154 - s2n(j,p); 155 - n=j+2; 156 - } 157 + { 158 + unsigned char signbuf[64]; 159 + int i, j; 160 + size_t sigsize=64; 161 + 162 + s->method->ssl3_enc->cert_verify_mac(s, 163 + NID_id_GostR3411_94, 164 + data); 165 + pctx = EVP_PKEY_CTX_new(pkey, NULL); 166 + EVP_PKEY_sign_init(pctx); 167 + if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 168 + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 169 + ERR_R_INTERNAL_ERROR); 170 + goto err; 171 + } 172 + for (i=63,j=0; i>=0; j++, i--) { 173 + p[2+j]=signbuf[i]; 174 + } 175 + s2n(j,p); 176 + n=j+2; 177 + } 178 else 179 - { 180 + { 181 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 182 goto err; 183 - } 184 + } 185 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 186 l2n3(n,d); 187 188
