[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Tue Nov 24 19:22:36 UTC 2015


The branch master has been updated
       via  00f5263b78910da233ed0258bf8ea8fd1758abbc (commit)
       via  9cc6fa1ce83ce7857660ee11c3285651ceff0f43 (commit)
       via  28f4580c1e510ccf4278a20975c9bc3306f758d6 (commit)
       via  a0f63828e3e542ba71b166b3d0cac05833591065 (commit)
       via  396d5fd091f68729f0a038a283fe3cca3eb670dd (commit)
       via  93972b8c72d5c074278654b3380a8215d741ea1f (commit)
       via  e3e11e99cebd2f0cbf0b46cc4200a094a9c4b4eb (commit)
       via  192e4bbbf93d258c94075ad329404212f62337f3 (commit)
       via  d18d31a16f91dc5042344e207390322170458025 (commit)
       via  2f142ada2c1f04c96c0c3db3ee3b6425934ad83b (commit)
      from  63eb10a07ee29a312e50a227f5b3a290b1ad22b4 (commit)


- Log -----------------------------------------------------------------
commit 00f5263b78910da233ed0258bf8ea8fd1758abbc
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Nov 24 14:20:58 2015 +0000

    Add ctrl for SHA1 and SSLv3
    
    Add SSLv3 ctrl to EVP_sha1(); this is only needed if SSLv3 client
    authentication is used with DSA/ECDSA.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 9cc6fa1ce83ce7857660ee11c3285651ceff0f43
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Nov 24 02:29:57 2015 +0000

    make update
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 28f4580c1e510ccf4278a20975c9bc3306f758d6
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Nov 24 00:47:11 2015 +0000

    Use EVP_md5_sha1() to process client verify
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit a0f63828e3e542ba71b166b3d0cac05833591065
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Nov 24 00:08:35 2015 +0000

    Use EVP_md5_sha1() to generate client verify
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 396d5fd091f68729f0a038a283fe3cca3eb670dd
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Nov 23 16:07:46 2015 +0000

    Add EVP_MD_CTX_ctrl function.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 93972b8c72d5c074278654b3380a8215d741ea1f
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Nov 23 16:05:20 2015 +0000

    Add ssl3 ctrl to EVP_md5_sha1().
    
    Add a ctrl to EVP_md5_sha1() for the additional operations needed to
    handle SSL v3 client authentication and the finished message.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit e3e11e99cebd2f0cbf0b46cc4200a094a9c4b4eb
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Nov 21 04:03:48 2015 +0000

    Remove RSA exception when generating server key exchange.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 192e4bbbf93d258c94075ad329404212f62337f3
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Nov 21 03:56:52 2015 +0000

    Remove RSA exception when processing server key exchange.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit d18d31a16f91dc5042344e207390322170458025
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 29 22:11:05 2015 +0100

    Use MD5+SHA1 for default digest if appropriate.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 2f142ada2c1f04c96c0c3db3ee3b6425934ad83b
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Nov 20 13:28:48 2014 +0000

    Add MD5+SHA1
    
    Add digest combining MD5 and SHA1. This is used by RSA signatures for
    TLS 1.1 and earlier.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/Makefile      |  19 +++-
 crypto/evp/c_alld.c      |   1 +
 crypto/evp/digest.c      |  11 ++
 crypto/evp/m_md5_sha1.c  | 184 +++++++++++++++++++++++++++++++++
 crypto/evp/m_sha1.c      |  55 ++++++++++
 include/openssl/evp.h    |   4 +
 ssl/ssl_locl.h           |   1 +
 ssl/statem/statem_clnt.c | 263 ++++++++++-------------------------------------
 ssl/statem/statem_srvr.c | 211 ++++++++-----------------------------
 ssl/t1_lib.c             |   9 +-
 util/libeay.num          |   2 +
 11 files changed, 382 insertions(+), 378 deletions(-)
 create mode 100644 crypto/evp/m_md5_sha1.c

diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
index 1a65b46..c672296 100644
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -20,7 +20,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c evp_cnf.c \
 	e_rc4.c e_aes.c names.c e_seed.c \
 	e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \
 	m_null.c m_md2.c m_md4.c m_md5.c m_sha1.c m_wp.c \
-	m_dss1.c m_mdc2.c m_ripemd.c m_ecdsa.c\
+	m_md5_sha1.c m_dss1.c m_mdc2.c m_ripemd.c m_ecdsa.c\
 	p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
 	bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
 	c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
@@ -33,7 +33,7 @@ LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
 	e_rc4.o e_aes.o names.o e_seed.o \
 	e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \
 	m_null.o m_md2.o m_md4.o m_md5.o m_sha1.o m_wp.o \
-	m_dss1.o m_mdc2.o m_ripemd.o m_ecdsa.o\
+	m_md5_sha1.o m_dss1.o m_mdc2.o m_ripemd.o m_ecdsa.o\
 	p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
 	bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
 	c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
@@ -516,6 +516,21 @@ m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 m_md5.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 m_md5.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h
 m_md5.o: m_md5.c
+m_md5_sha1.o: ../../e_os.h ../../include/openssl/asn1.h
+m_md5_sha1.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+m_md5_sha1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+m_md5_sha1.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+m_md5_sha1.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+m_md5_sha1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+m_md5_sha1.o: ../../include/openssl/md5.h ../../include/openssl/obj_mac.h
+m_md5_sha1.o: ../../include/openssl/objects.h
+m_md5_sha1.o: ../../include/openssl/opensslconf.h
+m_md5_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_md5_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+m_md5_sha1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+m_md5_sha1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+m_md5_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_md5_sha1.o: ../include/internal/cryptlib.h m_md5_sha1.c
 m_mdc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_mdc2.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c
index e89173a..0c68bad 100644
--- a/crypto/evp/c_alld.c
+++ b/crypto/evp/c_alld.c
@@ -70,6 +70,7 @@ void OpenSSL_add_all_digests(void)
 #ifndef OPENSSL_NO_MD5
     EVP_add_digest(EVP_md5());
     EVP_add_digest_alias(SN_md5, "ssl3-md5");
+    EVP_add_digest(EVP_md5_sha1());
 #endif
     EVP_add_digest(EVP_sha1());
     EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
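Review bot: The added `EVP_add_digest(EVP_md5_sha1());` is guarded only by `#ifndef OPENSSL_NO_MD5`, while the new crypto/evp/m_md5_sha1.c compiles the definition under `#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_SHA1)`, and the prototype added to include/openssl/evp.h uses the MD5-only guard as well. If a build honours OPENSSL_NO_SHA1 (I cannot see the configure options from here), it would register and declare a function that is never defined. Either drop the SHA1 half of the guard in m_md5_sha1.c or wrap this call and the evp.h prototype in the same two-macro condition. The enclosing OpenSSL_add_all_digests() continues outside the hunk.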
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 607f0a1..32a87f6 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -364,3 +364,14 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
 
     return 1;
 }
+
+int EVP_MD_CTX_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void *p2)
+{
+    if (ctx->digest && ctx->digest->md_ctrl) {
+        int ret = ctx->digest->md_ctrl(ctx, cmd, p1, p2);
+        if (ret <= 0)
+            return 0;
+        return 1;
+    }
+    return 0;
+}
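Review bot: EVP_MD_CTX_ctrl() returns 0 for a digest with no md_ctrl without pushing anything onto the error queue, so a caller such as the new SSLv3 branch in tls_construct_client_verify() only sees its own generic ERR_R_EVP_LIB and the real cause (the digest does not support the control) is lost. EVP_CIPHER_CTX_ctrl() reports EVP_R_CTRL_NOT_IMPLEMENTED in the same situation; the digest variant should do the same, with a matching function code added through the usual error-code tooling. The `ret <= 0` normalisation also hides the "unsupported cmd" answer, since both new ctrl handlers return 0 for any cmd other than EVP_CTRL_SSL3_MASTER_SECRET, so callers cannot tell unsupported from failed. As this is public API, a short header comment stating the contract would help: `/* Forward cmd to the digest's ctrl handler; returns 1 on success, 0 if the control failed or the digest has no handler. */`.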
diff --git a/crypto/evp/m_md5_sha1.c b/crypto/evp/m_md5_sha1.c
new file mode 100644
index 0000000..2504e95
--- /dev/null
+++ b/crypto/evp/m_md5_sha1.c
@@ -0,0 +1,184 @@
+/* crypto/evp/m_md5_sha1.c */
+/*
+ * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_SHA1)
+
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# include <openssl/x509.h>
+# include <openssl/md5.h>
+# include <openssl/sha.h>
+# include "internal/cryptlib.h"
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+# endif
+
+struct md5_sha1_ctx {
+    MD5_CTX md5;
+    SHA_CTX sha1;
+};
+
+static int init(EVP_MD_CTX *ctx)
+{
+    struct md5_sha1_ctx *mctx = ctx->md_data;
+    if (!MD5_Init(&mctx->md5))
+        return 0;
+    return SHA1_Init(&mctx->sha1);
+}
+
+static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+    struct md5_sha1_ctx *mctx = ctx->md_data;
+    if (!MD5_Update(&mctx->md5, data, count))
+        return 0;
+    return SHA1_Update(&mctx->sha1, data, count);
+}
+
+static int final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    struct md5_sha1_ctx *mctx = ctx->md_data;
+    if (!MD5_Final(md, &mctx->md5))
+        return 0;
+    return SHA1_Final(md + MD5_DIGEST_LENGTH, &mctx->sha1);
+}
+
+static int ctrl(EVP_MD_CTX *ctx, int cmd, int mslen, void *ms)
+{
+    unsigned char padtmp[48];
+    unsigned char md5tmp[MD5_DIGEST_LENGTH];
+    unsigned char sha1tmp[SHA_DIGEST_LENGTH];
+    struct md5_sha1_ctx *mctx = ctx->md_data;
+
+    if (cmd != EVP_CTRL_SSL3_MASTER_SECRET)
+        return 0;
+
+    /* SSLv3 client auth handling: see RFC-6101 5.6.8 */
+    if (mslen != 48)
+        return 0;
+
+    /* At this point hash contains all handshake messages, update
+     * with master secret and pad_1.
+     */
+
+    if (update(ctx, ms, mslen) <= 0)
+        return 0;
+
+    /* Set padtmp to pad_1 value */
+    memset(padtmp, 0x36, sizeof(padtmp));
+
+    if (!MD5_Update(&mctx->md5, padtmp, sizeof(padtmp)))
+        return 0;
+
+    if (!MD5_Final(md5tmp, &mctx->md5))
+        return 0;
+
+    if (!SHA1_Update(&mctx->sha1, padtmp, 40))
+        return 0;
+
+    if (!SHA1_Final(sha1tmp, &mctx->sha1))
+        return 0;
+
+    /* Reinitialise context */
+
+    if (!init(ctx))
+        return 0;
+
+    if (update(ctx, ms, mslen) <= 0)
+        return 0;
+
+    /* Set padtmp to pad_2 value */
+    memset(padtmp, 0x5c, sizeof(padtmp));
+
+    if (!MD5_Update(&mctx->md5, padtmp, sizeof(padtmp)))
+        return 0;
+
+    if (!MD5_Update(&mctx->md5, md5tmp, sizeof(md5tmp)))
+        return 0;
+
+    if (!SHA1_Update(&mctx->sha1, padtmp, 40))
+        return 0;
+
+    if (!SHA1_Update(&mctx->sha1, sha1tmp, sizeof(sha1tmp)))
+        return 0;
+
+    /* Now when ctx is finalised it will return the SSL v3 hash value */
+
+    OPENSSL_cleanse(md5tmp, sizeof(md5tmp));
+    OPENSSL_cleanse(sha1tmp, sizeof(sha1tmp));
+
+    return 1;
+
+}
+
+static const EVP_MD md5_sha1_md = {
+    NID_md5_sha1,
+    NID_md5_sha1,
+    MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
+    0,
+    init,
+    update,
+    final,
+    NULL,
+    NULL,
+    EVP_PKEY_RSA_method,
+    MD5_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(struct md5_sha1_ctx),
+    ctrl
+};
+
+const EVP_MD *EVP_md5_sha1(void)
+{
+    return &md5_sha1_md;
+}
+#endif
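Review bot: In ctrl(), md5tmp and sha1tmp hold intermediate hashes derived from the master secret but are cleansed only on the success path; every `return 0` after the MD5_Final()/SHA1_Final() calls leaves them on the stack. Route the failure returns through a single exit with `ret = 0; goto done;` and perform both OPENSSL_cleanse() calls under `done:` so the cleansing is unconditional; the ctrl() added to crypto/evp/m_sha1.c has the same shape and needs the same treatment for sha1tmp. The literal 48 in `mslen != 48` is the SSLv3 master secret length and deserves a comment such as `/* SSLv3 master secret is always 48 bytes (RFC 6101 6.1) */`, since crypto/ cannot pull the constant from the ssl headers. A function comment should also state that after a successful ctrl the context is deliberately left mid-computation and only the next final call yields the SSLv3 CertificateVerify hash, which the trailing `/* Now when ctx is finalised ... */` line implies but does not say.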
diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c
index 7deed91..42e986d 100644
--- a/crypto/evp/m_sha1.c
+++ b/crypto/evp/m_sha1.c
@@ -81,6 +81,60 @@ static int final(EVP_MD_CTX *ctx, unsigned char *md)
     return SHA1_Final(md, ctx->md_data);
 }
 
+static int ctrl(EVP_MD_CTX *ctx, int cmd, int mslen, void *ms)
+{
+    unsigned char padtmp[40];
+    unsigned char sha1tmp[SHA_DIGEST_LENGTH];
+
+    SHA_CTX *sha1 = ctx->md_data;
+
+    if (cmd != EVP_CTRL_SSL3_MASTER_SECRET)
+        return 0;
+
+    /* SSLv3 client auth handling: see RFC-6101 5.6.8 */
+    if (mslen != 48)
+        return 0;
+
+    /* At this point hash contains all handshake messages, update
+     * with master secret and pad_1.
+     */
+
+    if (SHA1_Update(sha1, ms, mslen) <= 0)
+        return 0;
+
+    /* Set padtmp to pad_1 value */
+    memset(padtmp, 0x36, sizeof(padtmp));
+
+    if (!SHA1_Update(sha1, padtmp, sizeof(padtmp)))
+        return 0;
+
+    if (!SHA1_Final(sha1tmp, sha1))
+        return 0;
+
+    /* Reinitialise context */
+
+    if (!SHA1_Init(sha1))
+        return 0;
+
+    if (SHA1_Update(sha1, ms, mslen) <= 0)
+        return 0;
+
+    /* Set padtmp to pad_2 value */
+    memset(padtmp, 0x5c, sizeof(padtmp));
+
+    if (!SHA1_Update(sha1, padtmp, sizeof(padtmp)))
+        return 0;
+
+    if (!SHA1_Update(sha1, sha1tmp, sizeof(sha1tmp)))
+        return 0;
+
+    /* Now when ctx is finalised it will return the SSL v3 hash value */
+    OPENSSL_cleanse(sha1tmp, sizeof(sha1tmp));
+
+    return 1;
+
+}
+
 static const EVP_MD sha1_md = {
     NID_sha1,
     NID_sha1WithRSAEncryption,
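Review bot: The new ctrl() checks the same function two different ways: `SHA1_Update(sha1, ms, mslen) <= 0` on the master-secret updates but `!SHA1_Update(...)` on the padding updates, which reads as though the two calls had different return conventions. Use `!SHA1_Update(...)` throughout, matching how SHA1_Init()/SHA1_Final() are tested in the same function and the rest of this file. The padtmp size of 40 matches the SSLv3 SHA-1 pad length but is also a bare literal; a comment `/* pad_1/pad_2 are 40 bytes for SHA-1 (RFC 6101 5.6.8) */` would tie it to the 48-byte MD5 variant in m_md5_sha1.c.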
@@ -94,6 +148,7 @@ static const EVP_MD sha1_md = {
     EVP_PKEY_NULL_method,
     SHA_CBLOCK,
     sizeof(EVP_MD *) + sizeof(SHA_CTX),
+    ctrl
 };
 
 const EVP_MD *EVP_sha1(void)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 15796c0..c9659b3 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -427,6 +427,8 @@ struct evp_cipher_st {
 # define         EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT      0x1b
 # define         EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE  0x1c
 
+# define         EVP_CTRL_SSL3_MASTER_SECRET             0x1d
+
 /* RFC 5246 defines additional data to be 13 bytes in length */
 # define         EVP_AEAD_TLS1_AAD_LEN           13
 
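Review bot: EVP_CTRL_SSL3_MASTER_SECRET is defined without saying what its p1/p2 arguments are, and the two handlers that implement it silently return 0 for any length other than 48. A one-line comment would pin the contract: `/* p1 = master secret length (must be 48), p2 = master secret; finishes an SSLv3 CertificateVerify hash (RFC 6101 5.6.8) */`. The EVP_MD_CTX_ctrl() prototype added in the next hunk could carry a similar note on its return value, since 0 there covers both "control failed" and "digest has no ctrl handler".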
@@ -624,6 +626,7 @@ void BIO_set_md(BIO *, const EVP_MD *md);
 
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
 int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
+int EVP_MD_CTX_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void *p2);
 EVP_MD_CTX *EVP_MD_CTX_create(void);
 void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
 /*__owur*/ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in);
@@ -766,6 +769,7 @@ const EVP_MD *EVP_md4(void);
 # endif
 # ifndef OPENSSL_NO_MD5
 const EVP_MD *EVP_md5(void);
+const EVP_MD *EVP_md5_sha1(void);
 # endif
 const EVP_MD *EVP_sha1(void);
 const EVP_MD *EVP_dss1(void);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 95a9c62..3cec5c3 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2069,6 +2069,7 @@ __owur unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
 __owur unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
                                           unsigned char *limit, int *al);
 __owur int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt);
+void ssl_set_default_md(SSL *s);
 __owur int tls1_set_server_sigalgs(SSL *s);
 __owur int ssl_check_clienthello_tlsext_late(SSL *s);
 __owur int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 9b1846b..c6bc86f 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1361,15 +1361,6 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
         goto f_err;
     }
     s->s3->tmp.new_cipher = c;
-    /*
-     * Don't digest cached records if no sigalgs: we may need them for client
-     * authentication.
-     */
-    if (!(SSL_USE_SIGALGS(s)
-            || (s->s3->tmp.new_cipher->algorithm_auth
-                & (SSL_aGOST12|SSL_aGOST01)))
-            && !ssl3_digest_cached_records(s, 0))
-        goto f_err;
     /* lets get the compression algorithm */
     /* COMPRESSION */
     if (!PACKET_get_1(pkt, &compression)) {
@@ -1593,11 +1584,8 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
 
 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
 {
-#ifndef OPENSSL_NO_RSA
-    unsigned char *q, md_buf[EVP_MAX_MD_SIZE * 2];
-#endif
     EVP_MD_CTX md_ctx;
-    int al, j, verify_ret;
+    int al, j;
     long alg_k, alg_a;
     EVP_PKEY *pkey = NULL;
     const EVP_MD *md = NULL;
@@ -1935,6 +1923,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
 #ifdef SSL_DEBUG
             fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 #endif
+        } else if (pkey->type == EVP_PKEY_RSA) {
+            md = EVP_md5_sha1();
         } else {
             md = EVP_sha1();
         }
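Review bot: `md = EVP_md5_sha1();` is called on the new line, but the prototype is declared only under `#ifndef OPENSSL_NO_MD5` in evp.h, and I cannot see from the hunk whether this branch sits inside such a guard; in an MD5-disabled build it would be an implicit declaration and then a link failure. Wrap the RSA branch so that a no-MD5 build fails the handshake with an explicit error rather than falling through to EVP_sha1(), because a pre-TLS1.2 RSA ServerKeyExchange signature cannot be verified with SHA-1 alone and a wrong digest would only surface as SSL_R_BAD_SIGNATURE. The enclosing tls_process_key_exchange() continues outside the hunk.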
@@ -1958,68 +1948,23 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
             SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
             goto f_err;
         }
-#ifndef OPENSSL_NO_RSA
-        if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
-            int num;
-            unsigned int size;
-
-            j = 0;
-            q = md_buf;
-            for (num = 2; num > 0; num--) {
-                EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-                if (EVP_DigestInit_ex(&md_ctx,
-                                      (num == 2) ? s->ctx->md5 : s->ctx->sha1,
-                                      NULL) <= 0
-                        || EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
-                                            SSL3_RANDOM_SIZE) <= 0
-                        || EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
-                                            SSL3_RANDOM_SIZE) <= 0
-                        || EVP_DigestUpdate(&md_ctx, PACKET_data(&params),
-                                            PACKET_remaining(&params)) <= 0
-                        || EVP_DigestFinal_ex(&md_ctx, q, &size) <= 0) {
-                    SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
-                           ERR_R_INTERNAL_ERROR);
-                    al = SSL_AD_INTERNAL_ERROR;
-                    goto f_err;
-                }
-                q += size;
-                j += size;
-            }
-            verify_ret =
-                RSA_verify(NID_md5_sha1, md_buf, j, PACKET_data(&signature),
-                           PACKET_remaining(&signature), pkey->pkey.rsa);
-            if (verify_ret < 0) {
-                al = SSL_AD_DECRYPT_ERROR;
-                SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT);
-                goto f_err;
-            }
-            if (verify_ret == 0) {
-                /* bad signature */
-                al = SSL_AD_DECRYPT_ERROR;
-                SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
-                goto f_err;
-            }
-        } else
-#endif
-        {
-            if (EVP_VerifyInit_ex(&md_ctx, md, NULL) <= 0
-                    || EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]),
-                                        SSL3_RANDOM_SIZE) <= 0
-                    || EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]),
-                                        SSL3_RANDOM_SIZE) <= 0
-                    || EVP_VerifyUpdate(&md_ctx, PACKET_data(&params),
-                                        PACKET_remaining(&params)) <= 0) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
-                goto f_err;
-            }
-            if (EVP_VerifyFinal(&md_ctx, PACKET_data(&signature),
-                                PACKET_remaining(&signature), pkey) <= 0) {
-                /* bad signature */
-                al = SSL_AD_DECRYPT_ERROR;
-                SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
-                goto f_err;
-            }
+        if (EVP_VerifyInit_ex(&md_ctx, md, NULL) <= 0
+                || EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]),
+                                    SSL3_RANDOM_SIZE) <= 0
+                || EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]),
+                                    SSL3_RANDOM_SIZE) <= 0
+                || EVP_VerifyUpdate(&md_ctx, PACKET_data(&params),
+                                    PACKET_remaining(&params)) <= 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
+            goto f_err;
+        }
+        if (EVP_VerifyFinal(&md_ctx, PACKET_data(&signature),
+                            PACKET_remaining(&signature), pkey) <= 0) {
+            /* bad signature */
+            al = SSL_AD_DECRYPT_ERROR;
+            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
+            goto f_err;
         }
     } else {
         /* aNULL, aSRP or PSK do not need public keys */
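Review bot: The removed RSA path set EVP_MD_CTX_FLAG_NON_FIPS_ALLOW before hashing with MD5, and the unified EVP_VerifyInit_ex() path does not; if FIPS-mode digest restrictions are still enforced anywhere in this tree (I cannot tell from the hunk), verifying a TLS <= 1.1 RSA ServerKeyExchange with EVP_md5_sha1() would now fail in that mode. If the flag was dropped on purpose because those paths are gone, a one-line comment on the EVP_VerifyInit_ex() call saying so would stop the next reader re-adding it. Collapsing the former `verify_ret < 0` / `== 0` distinction into a single SSL_R_BAD_SIGNATURE is a reasonable simplification: the peer now gets one uniform alert regardless of why verification failed. tls_process_key_exchange() continues outside the hunk.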
@@ -2121,6 +2066,8 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
             SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
+    } else {
+        ssl_set_default_md(s);
     }
 
     /* get the CA RDNs */
@@ -3013,167 +2960,71 @@ int tls_client_key_exchange_post_work(SSL *s)
 int tls_construct_client_verify(SSL *s)
 {
     unsigned char *p;
-    unsigned char data[EVP_MAX_MD_SIZE]; /* GOST R 34.11-2012-256*/
     EVP_PKEY *pkey;
-    EVP_PKEY_CTX *pctx = NULL;
+    const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
     EVP_MD_CTX mctx;
     unsigned u = 0;
     unsigned long n;
-    int j;
+    long hdatalen = 0;
+    void *hdata;
 
     EVP_MD_CTX_init(&mctx);
 
     p = ssl_handshake_start(s);
     pkey = s->cert->key->privatekey;
-    /* Create context from key and test if sha1 is allowed as digest */
-    pctx = EVP_PKEY_CTX_new(pkey, NULL);
-    if (pctx == NULL) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-    if (EVP_PKEY_sign_init(pctx) <= 0) {
+
+    hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
+    if (hdatalen <= 0) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
         goto err;
     }
-    if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
-        if (!SSL_USE_SIGALGS(s))
-            s->method->ssl3_enc->cert_verify_mac(s,
-                                                 NID_sha1,
-                                                 &(data
-                                                   [MD5_DIGEST_LENGTH]));
-    } else {
-        ERR_clear_error();
-    }
-
-    /*
-     * For TLS v1.2 send signature algorithm and signature using agreed
-     * digest and cached handshake records.
-     */
-    if (SSL_USE_SIGALGS(s) || pkey->type == NID_id_GostR3410_2001
-                || pkey->type == NID_id_GostR3410_2012_256
-                || pkey->type == NID_id_GostR3410_2012_512) {
-        long hdatalen = 0;
-        void *hdata;
-        const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
-        hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
-        if (!SSL_USE_SIGALGS(s)) {
-                int dgst_nid;
-                if (EVP_PKEY_get_default_digest_nid(pkey, &dgst_nid) <= 0
-                                || (md = EVP_get_digestbynid(dgst_nid)) == NULL) {
-                        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
-                        goto err;
-                }
-        }
-        if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
+    if (SSL_USE_SIGALGS(s)) {
+        if (!tls12_get_sigandhash(p, pkey, md)) {
             SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
             goto err;
         }
-        if (SSL_USE_SIGALGS(s) ) {
-            p += 2;
-        }
+        p += 2;
+    }
 #ifdef SSL_DEBUG
-        fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
-                EVP_MD_name(md));
-#endif
-        if (!EVP_SignInit_ex(&mctx, md, NULL)
-            || !EVP_SignUpdate(&mctx, hdata, hdatalen)
-            || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
-            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
-            goto err;
-        }
-        if (pkey->type == NID_id_GostR3410_2001
-                || pkey->type == NID_id_GostR3410_2012_256
-                || pkey->type == NID_id_GostR3410_2012_512) {
-            unsigned int i, k;
-            for (i = u - 1, k = 0; k < u/2; k++, i--) {
-                char c = p[2 + k];
-                p[2 + k] = p[2 + i];
-                p[2 + i] = c;
-            }
-        }
-        s2n(u, p);
-        n = u + 2;
-        if (SSL_USE_SIGALGS(s))
-            n += 2;
-        /* Digest cached records and discard handshake buffer */
-        if (!ssl3_digest_cached_records(s, 0))
-            goto err;
-    } else
-#ifndef OPENSSL_NO_RSA
-    if (pkey->type == EVP_PKEY_RSA) {
-        s->method->ssl3_enc->cert_verify_mac(s, NID_md5, &(data[0]));
-        if (RSA_sign(NID_md5_sha1, data,
-                     MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
-                     &(p[2]), &u, pkey->pkey.rsa) <= 0) {
-            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_RSA_LIB);
-            goto err;
-        }
-        s2n(u, p);
-        n = u + 2;
-    } else
-#endif
-#ifndef OPENSSL_NO_DSA
-    if (pkey->type == EVP_PKEY_DSA) {
-        if (!DSA_sign(pkey->save_type,
-                      &(data[MD5_DIGEST_LENGTH]),
-                      SHA_DIGEST_LENGTH, &(p[2]),
-                      (unsigned int *)&j, pkey->pkey.dsa)) {
-            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_DSA_LIB);
-            goto err;
-        }
-        s2n(j, p);
-        n = j + 2;
-    } else
-#endif
-#ifndef OPENSSL_NO_EC
-    if (pkey->type == EVP_PKEY_EC) {
-        if (!ECDSA_sign(pkey->save_type,
-                        &(data[MD5_DIGEST_LENGTH]),
-                        SHA_DIGEST_LENGTH, &(p[2]),
-                        (unsigned int *)&j, pkey->pkey.ec)) {
-            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_ECDSA_LIB);
-            goto err;
-        }
-        s2n(j, p);
-        n = j + 2;
-    } else
-#endif
+    fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
+#endif
+    if (!EVP_SignInit_ex(&mctx, md, NULL)
+        || !EVP_SignUpdate(&mctx, hdata, hdatalen)
+        || (s->version == SSL3_VERSION
+            && !EVP_MD_CTX_ctrl(&mctx, EVP_CTRL_SSL3_MASTER_SECRET,
+                                s->session->master_key_length,
+                                s->session->master_key))
+        || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
+        goto err;
+    }
     if (pkey->type == NID_id_GostR3410_2001
             || pkey->type == NID_id_GostR3410_2012_256
             || pkey->type == NID_id_GostR3410_2012_512) {
-        unsigned char signbuf[128];
-        int i;
-        size_t sigsize =
-            (pkey->type == NID_id_GostR3410_2012_512) ? 128 : 64;
-        int dgst_nid = NID_undef;
-
-        EVP_PKEY_get_default_digest_nid(pkey, &dgst_nid);
-        s->method->ssl3_enc->cert_verify_mac(s, dgst_nid, data);
-        if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data,
-                          EVP_MD_size(EVP_get_digestbynid(dgst_nid))) <= 0) {
-            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
-            goto err;
+        unsigned int i, k;
+        for (i = u - 1, k = 0; k < u/2; k++, i--) {
+            char c = p[2 + k];
+            p[2 + k] = p[2 + i];
+            p[2 + i] = c;
         }
-        for (i = sigsize - 1, j = 0; i >= 0; j++, i--) {
-            p[2 + j] = signbuf[i];
-        }
-        s2n(j, p);
-        n = j + 2;
-    } else {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
-        goto err;
     }
+
+    s2n(u, p);
+    n = u + 2;
+    if (SSL_USE_SIGALGS(s))
+        n += 2;
+    /* Digest cached records and discard handshake buffer */
+    if (!ssl3_digest_cached_records(s, 0))
+        goto err;
     if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
         goto err;
     }
 
     EVP_MD_CTX_cleanup(&mctx);
-    EVP_PKEY_CTX_free(pctx);
     return 1;
  err:
     EVP_MD_CTX_cleanup(&mctx);
-    EVP_PKEY_CTX_free(pctx);
     return 0;
 }
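Review bot: `md` is read from `s->s3->tmp.md[...]` in its declaration and used unchecked; when no digest was recorded for the key (the non-sigalgs case depends on ssl_set_default_md() having run in tls_process_certificate_request(), whose body lives in t1_lib.c outside this page) EVP_SignInit_ex() fails with only a generic ERR_R_EVP_LIB and the SSL_DEBUG `EVP_MD_name(md)` line dereferences NULL. An explicit guard after the hdatalen check, `if (md == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; }`, gives a clear failure. Separately, the SSLv3 branch requires EVP_MD_CTX_ctrl() to succeed for every key type, but only EVP_sha1() and EVP_md5_sha1() gained a ctrl handler, so SSLv3 client authentication with GOST keys (previously covered by the removed cert_verify_mac() path) now fails at this call; if that is intended, a comment on the `s->version == SSL3_VERSION` condition should say so. The GOST byte-reversal loop swaps through `char`; that is harmless for a swap, but `unsigned char c` would match the buffer type.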
 
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index ab9b163..d114621 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1550,8 +1550,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
             s->s3->tmp.new_cipher = s->session->cipher;
         }
 
-        if (!(SSL_USE_SIGALGS(s) || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aGOST12|SSL_aGOST01)) )
-                || !(s->verify_mode & SSL_VERIFY_PEER)) {
+        if (!(s->verify_mode & SSL_VERIFY_PEER)) {
             if (!ssl3_digest_cached_records(s, 0)) {
                 al = SSL_AD_INTERNAL_ERROR;
                 goto f_err;
@@ -1725,11 +1724,7 @@ int tls_construct_server_done(SSL *s)
 int tls_construct_server_key_exchange(SSL *s)
 {
 #ifndef OPENSSL_NO_RSA
-    unsigned char *q;
-    int j, num;
     RSA *rsa;
-    unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
-    unsigned int u;
 #endif
 #ifndef OPENSSL_NO_DH
     DH *dh = NULL, *dhp;
@@ -2103,39 +2098,6 @@ int tls_construct_server_key_exchange(SSL *s)
          * n is the length of the params, they start at &(d[4]) and p
          * points to the space at the end.
          */
-#ifndef OPENSSL_NO_RSA
-        if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
-            q = md_buf;
-            j = 0;
-            for (num = 2; num > 0; num--) {
-                EVP_MD_CTX_set_flags(&md_ctx,
-                                     EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-                if (EVP_DigestInit_ex(&md_ctx, (num == 2)
-                                      ? s->ctx->md5 : s->ctx->sha1, NULL) <= 0
-                        || EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
-                                            SSL3_RANDOM_SIZE) <= 0
-                        || EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
-                                            SSL3_RANDOM_SIZE) <= 0
-                        || EVP_DigestUpdate(&md_ctx, d, n) <= 0
-                        || EVP_DigestFinal_ex(&md_ctx, q,
-                                              (unsigned int *)&i) <= 0) {
-                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
-                           ERR_LIB_EVP);
-                    al = SSL_AD_INTERNAL_ERROR;
-                    goto f_err;
-                }
-                q += i;
-                j += i;
-            }
-            if (RSA_sign(NID_md5_sha1, md_buf, j,
-                         &(p[2]), &u, pkey->pkey.rsa) <= 0) {
-                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
-                goto err;
-            }
-            s2n(u, p);
-            n += u + 2;
-        } else
-#endif
         if (md) {
             /* send signature algorithm */
             if (SSL_USE_SIGALGS(s)) {
@@ -2970,8 +2932,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
         BIO_free(s->s3->handshake_buffer);
         s->s3->handshake_buffer = NULL;
         return WORK_FINISHED_CONTINUE;
-    } else if (SSL_USE_SIGALGS(s) || (s->s3->tmp.new_cipher->algorithm_auth
-                        & (SSL_aGOST12|SSL_aGOST01) )) {
+    } else {
         if (!s->session->peer) {
             /* No peer certificate so we no longer need the handshake_buffer */
             BIO_free(s->s3->handshake_buffer);
@@ -2991,41 +2952,6 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
             ossl_statem_set_error(s);
             return WORK_ERROR;
         }
-    } else {
-        int offset = 0;
-        int dgst_num;
-
-        /*
-         * We need to get hashes here so if there is a client cert,
-         * it can be verified FIXME - digest processing for
-         * CertificateVerify should be generalized. But it is next
-         * step
-         */
-        if (!ssl3_digest_cached_records(s, 0)) {
-            ossl_statem_set_error(s);
-            return WORK_ERROR;
-        }
-        for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++) {
-            if (s->s3->handshake_dgst[dgst_num]) {
-                int dgst_size;
-
-                s->method->ssl3_enc->cert_verify_mac(s,
-                                                     EVP_MD_CTX_type
-                                                     (s->
-                                                      s3->handshake_dgst
-                                                      [dgst_num]),
-                                                     &(s->s3->
-                                                       tmp.cert_verify_md
-                                                       [offset]));
-                dgst_size =
-                    EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
-                if (dgst_size < 0) {
-                    ossl_statem_set_error(s);
-                return WORK_ERROR;
-                }
-                offset += dgst_size;
-            }
-        }
     }
 
     return WORK_FINISHED_CONTINUE;
@@ -3036,10 +2962,13 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
     EVP_PKEY *pkey = NULL;
     unsigned char *sig, *data;
     int al, ret = MSG_PROCESS_ERROR;
-    int type = 0, i, j;
+    int type = 0, j;
     unsigned int len;
     X509 *peer;
     const EVP_MD *md = NULL;
+    long hdatalen = 0;
+    void *hdata;
+
     EVP_MD_CTX mctx;
     EVP_MD_CTX_init(&mctx);
 
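Review bot: `j` stays declared in `int type = 0, j;` although the only uses visible in the old code (`j = DSA_verify(...)`, `j = ECDSA_verify(...)`) are removed later in this diff; if no other use remains in the function it is now an unused variable and should go the same way as `i`. `void *hdata;` is also left indeterminate while `hdatalen` gets an initialiser beside it; `void *hdata = NULL;` keeps the two consistent and makes any future early exit that skips `BIO_get_mem_data` safe to reason about. The enclosing function continues outside this hunk.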
@@ -3080,6 +3009,10 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
 #ifdef SSL_DEBUG
             fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 #endif
+        } else if (pkey->type == EVP_PKEY_RSA) {
+            md = EVP_md5_sha1();
+        } else {
+            md = EVP_sha1();
         }
         if (!PACKET_get_net_2(pkt, &len)) {
             SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
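Review bot: The new `else` branch hands `EVP_sha1()` to every non-RSA key when signature algorithms are not in use, which includes the GOST key types this function still special-cases for the byte reversal, whereas the `!SSL_USE_SIGALGS(s)` block removed further down in this diff derived that digest from `EVP_PKEY_get_default_digest_nid(pkey, &dgst_nid)`. If a GOST certificate can be negotiated below TLS 1.2, the verify is now computed over SHA-1 instead of the key's own digest and the CertificateVerify check fails. Selecting the digest from the key's default (the `EVP_PKEY_get_default_digest_nid` lookup, or the per-key-type entry `ssl_set_default_md` fills in) and failing with `SSL_AD_INTERNAL_ERROR` when none is available would keep the old behaviour; at minimum the branch deserves a comment such as `/* non-sigalgs, non-RSA: SHA-1 is only correct for DSA/ECDSA here */`. The enclosing function continues outside this hunk.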
@@ -3100,101 +3033,45 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
         goto f_err;
     }
 
-    if (SSL_USE_SIGALGS(s)
-            || pkey->type == NID_id_GostR3410_2001
-            || pkey->type == NID_id_GostR3410_2012_256
-            || pkey->type == NID_id_GostR3410_2012_512) {
-        long hdatalen = 0;
-        void *hdata;
-        hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
-        if (hdatalen <= 0) {
-            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
-            al = SSL_AD_INTERNAL_ERROR;
-            goto f_err;
-        }
+    hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
+    if (hdatalen <= 0) {
+        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
+        al = SSL_AD_INTERNAL_ERROR;
+        goto f_err;
+    }
 #ifdef SSL_DEBUG
-        fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
-                EVP_MD_name(md));
+    fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
 #endif
-        if (!SSL_USE_SIGALGS(s)) {
-            int dgst_nid;
-            if (EVP_PKEY_get_default_digest_nid(pkey, &dgst_nid) <= 0
-                || (md = EVP_get_digestbynid(dgst_nid)) == NULL) {
-                SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
-                al = SSL_AD_INTERNAL_ERROR;
-                goto f_err;
-            }
-        }
-        if (!EVP_VerifyInit_ex(&mctx, md, NULL)
-            || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
-            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
-            al = SSL_AD_INTERNAL_ERROR;
-            goto f_err;
-        }
+    if (!EVP_VerifyInit_ex(&mctx, md, NULL)
+        || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
+        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
+        al = SSL_AD_INTERNAL_ERROR;
+        goto f_err;
+    }
 
-        if (pkey->type == NID_id_GostR3410_2001
-                || pkey->type == NID_id_GostR3410_2012_256
-                || pkey->type == NID_id_GostR3410_2012_512) {
-            unsigned int j1, j2;
-            for (j1 = len - 1, j2 = 0; j2 < len/2; j2++, j1--) {
-                char c = data[j2];
-                data[j2] = data[j1];
-                data[j1] = c;
-            }
+    if (pkey->type == NID_id_GostR3410_2001
+            || pkey->type == NID_id_GostR3410_2012_256
+            || pkey->type == NID_id_GostR3410_2012_512) {
+        unsigned int j1, j2;
+        for (j1 = len - 1, j2 = 0; j2 < len/2; j2++, j1--) {
+            char c = data[j2];
+            data[j2] = data[j1];
+            data[j1] = c;
         }
+    }
 
-        if (EVP_VerifyFinal(&mctx, data, len, pkey) <= 0) {
-            al = SSL_AD_DECRYPT_ERROR;
-            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
-            goto f_err;
-        }
-    } else
-#ifndef OPENSSL_NO_RSA
-    if (pkey->type == EVP_PKEY_RSA) {
-        i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
-                       MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, data, len,
-                       pkey->pkey.rsa);
-        if (i < 0) {
-            al = SSL_AD_DECRYPT_ERROR;
-            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT);
-            goto f_err;
-        }
-        if (i == 0) {
-            al = SSL_AD_DECRYPT_ERROR;
-            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE);
-            goto f_err;
-        }
-    } else
-#endif
-#ifndef OPENSSL_NO_DSA
-    if (pkey->type == EVP_PKEY_DSA) {
-        j = DSA_verify(pkey->save_type,
-                       &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
-                       SHA_DIGEST_LENGTH, data, len, pkey->pkey.dsa);
-        if (j <= 0) {
-            /* bad signature */
-            al = SSL_AD_DECRYPT_ERROR;
-            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE);
-            goto f_err;
-        }
-    } else
-#endif
-#ifndef OPENSSL_NO_EC
-    if (pkey->type == EVP_PKEY_EC) {
-        j = ECDSA_verify(pkey->save_type,
-                         &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
-                         SHA_DIGEST_LENGTH, data, len, pkey->pkey.ec);
-        if (j <= 0) {
-            /* bad signature */
-            al = SSL_AD_DECRYPT_ERROR;
-            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE);
-            goto f_err;
-        }
-    } else
-#endif
-    {
-        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
-        al = SSL_AD_UNSUPPORTED_CERTIFICATE;
+    if (s->version == SSL3_VERSION
+        && !EVP_MD_CTX_ctrl(&mctx, EVP_CTRL_SSL3_MASTER_SECRET,
+                            s->session->master_key_length,
+                            s->session->master_key)) {
+        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
+        al = SSL_AD_INTERNAL_ERROR;
+        goto f_err;
+    }
+
+    if (EVP_VerifyFinal(&mctx, data, len, pkey) <= 0) {
+        al = SSL_AD_DECRYPT_ERROR;
+        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
         goto f_err;
     }
 
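Review bot: The `EVP_MD_CTX_ctrl(&mctx, EVP_CTRL_SSL3_MASTER_SECRET, ...)` call is order-sensitive — it presumably alters the digest state in place, so it has to run after every `EVP_VerifyUpdate` and immediately before `EVP_VerifyFinal` — but nothing in the code records that, and a later reshuffle of the GOST reversal or the update loop could silently break SSLv3 client authentication. A comment above `if (s->version == SSL3_VERSION` would pin it: `/* SSLv3 folds the master secret into the digest after the handshake data; this must stay between the last VerifyUpdate and VerifyFinal. */`. The `data`/`len` pair used by the reversal and by `EVP_VerifyFinal` is peer-supplied; the loop bound `j2 < len/2` keeps the swap inside the buffer even for `len == 0`, which is worth a one-line comment since `j1 = len - 1` wraps in that case. The enclosing function continues outside this hunk.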
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2ba76e3..999859e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2705,15 +2705,18 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
     }
 }
 /* Initialise digests to default values */
-static void ssl_set_default_md(SSL *s)
+void ssl_set_default_md(SSL *s)
 {
     const EVP_MD **pmd = s->s3->tmp.md;
 #ifndef OPENSSL_NO_DSA
     pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_RSA
-    pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
-    pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
+    if (SSL_USE_SIGALGS(s))
+        pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
+    else
+        pmd[SSL_PKEY_RSA_SIGN] = EVP_md5_sha1();
+    pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
 #endif
 #ifndef OPENSSL_NO_EC
     pmd[SSL_PKEY_ECC] = EVP_sha1();
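Review bot: `EVP_md5_sha1()` is referenced under `#ifndef OPENSSL_NO_RSA` only, while the export table in this same commit marks it `EXIST::FUNCTION:MD5`, so an RSA-enabled build with MD5 disabled would fail to compile or link here (and at the matching `md = EVP_md5_sha1();` in tls_process_cert_verify), if that configuration is meant to be supported; either an `#ifndef OPENSSL_NO_MD5` guard with an explicit fallback or a comment stating the dependency is needed. The function now also evaluates `SSL_USE_SIGALGS(s)`, so its result depends on `s->version` being final at the time of the call; with the function made external, the header comment should say so: `/* Initialise digests to default values. Must run after the protocol version is negotiated: the RSA default depends on SSL_USE_SIGALGS(s). */`. A matching non-static prototype is presumably added elsewhere in the commit; it is not visible here.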
diff --git a/util/libeay.num b/util/libeay.num
index 0ff302c..5119769 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4663,3 +4663,5 @@ ASYNC_unblock_pause                     5022	EXIST::FUNCTION:
 ASYNC_block_pause                       5023	EXIST::FUNCTION:
 ASYNC_cleanup                           5024	EXIST::FUNCTION:
 ASYNC_init                              5025	EXIST::FUNCTION:
+EVP_MD_CTX_ctrl                         5026	EXIST::FUNCTION:
+EVP_md5_sha1                            5027	EXIST::FUNCTION:MD5

