Easy EVP_Digest{Sign,Verify} conversions for legacy stack

Convert ssl3_send_client_verify_{sigalgs,gost}() to EVP_DigestSign() and
ssl3_get_cert_verify() to EVP_DigestVerify().

ok jsing

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index c721aed..2ab90b5 100644 (file)
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.158 2022/12/26 07:31:44 jmc Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.159 2023/06/11 18:50:51 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2125,12 +2125,7 @@ ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
                SSLerror(s, ERR_R_EVP_LIB);
                goto err;
        }
-       if (!EVP_DigestSignUpdate(mctx, hdata, hdata_len)) {
-               SSLerror(s, ERR_R_EVP_LIB);
-               goto err;
-       }
-       if (!EVP_DigestSignFinal(mctx, NULL, &signature_len) ||
-           signature_len == 0) {
+       if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) {
                SSLerror(s, ERR_R_EVP_LIB);
                goto err;
        }
@@ -2138,7 +2133,7 @@ ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
                SSLerror(s, ERR_R_MALLOC_FAILURE);
                goto err;
        }
-       if (!EVP_DigestSignFinal(mctx, signature, &signature_len)) {
+       if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) {
                SSLerror(s, ERR_R_EVP_LIB);
                goto err;
        }
@@ -2267,12 +2262,7 @@ ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
                SSLerror(s, ERR_R_EVP_LIB);
                goto err;
        }
-       if (!EVP_DigestSignUpdate(mctx, hdata, hdata_len)) {
-               SSLerror(s, ERR_R_EVP_LIB);
-               goto err;
-       }
-       if (!EVP_DigestSignFinal(mctx, NULL, &signature_len) ||
-           signature_len == 0) {
+       if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) {
                SSLerror(s, ERR_R_EVP_LIB);
                goto err;
        }
@@ -2280,7 +2270,7 @@ ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
                SSLerror(s, ERR_R_MALLOC_FAILURE);
                goto err;
        }
-       if (!EVP_DigestSignFinal(mctx, signature, &signature_len)) {
+       if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) {
                SSLerror(s, ERR_R_EVP_LIB);
                goto err;
        }

diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 556107f..d0814a8 100644 (file)
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.153 2022/12/26 07:31:44 jmc Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.154 2023/06/11 18:50:51 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2049,17 +2049,12 @@ ssl3_get_cert_verify(SSL *s)
                        al = SSL_AD_INTERNAL_ERROR;
                        goto fatal_err;
                }
-               if (!EVP_DigestVerifyUpdate(mctx, hdata, hdatalen)) {
+               if (EVP_DigestVerify(mctx, CBS_data(&signature),
+                   CBS_len(&signature), hdata, hdatalen) <= 0) {
                        SSLerror(s, ERR_R_EVP_LIB);
                        al = SSL_AD_INTERNAL_ERROR;
                        goto fatal_err;
                }
-               if (EVP_DigestVerifyFinal(mctx, CBS_data(&signature),
-                   CBS_len(&signature)) <= 0) {
-                       al = SSL_AD_DECRYPT_ERROR;
-                       SSLerror(s, SSL_R_BAD_SIGNATURE);
-                       goto fatal_err;
-               }
        } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
                RSA *rsa;