Convert EVP_Digest{Sign,Verify}* to one-shot for TLSv1.3

Using one-shot EVP_DigestSign() and EVP_DigestVerify() is slightly shorter
and is needed for Ed25519 support.

ok jsing

diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 3555eba..053cf16 100644 (file)
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.101 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.102 2023/06/10 15:34:36 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -688,12 +688,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
                        goto err;
        }
-       if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
-               ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
-               goto err;
-       }
-       if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
-           CBS_len(&signature)) <= 0) {
+       if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature),
+           sig_content, sig_content_len) <= 0) {
                ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
                goto err;
        }
@@ -956,13 +952,11 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
                if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
                        goto err;
        }
-       if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
-               goto err;
-       if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
+       if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len))
                goto err;
        if ((sig = calloc(1, sig_len)) == NULL)
                goto err;
-       if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
+       if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len))
                goto err;
 
        if (!CBB_add_u16(cbb, sigalg->value))

diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 75510a9..dfeb1e0 100644 (file)
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.105 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -754,13 +754,11 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
                if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
                        goto err;
        }
-       if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
-               goto err;
-       if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
+       if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len))
                goto err;
        if ((sig = calloc(1, sig_len)) == NULL)
                goto err;
-       if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
+       if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len))
                goto err;
 
        if (!CBB_add_u16(cbb, sigalg->value))
@@ -999,12 +997,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
                if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
                        goto err;
        }
-       if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
-               ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
-               goto err;
-       }
-       if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
-           CBS_len(&signature)) <= 0) {
+       if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature),
+           sig_content, sig_content_len) <= 0) {
                ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
                goto err;
        }