From 429fdc0d3d787c6f9cc248ee7cb1d5a763b1f277 Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Fri, 17 Jun 2016 17:33:30 -0400
Subject: [PATCH] Simplify ssl3_send_cert_verify's async logic.

The only thing we've written before the signature is the hash. We can just
choose it anew. This is along the way to getting init_buf out of the handshake
output side. (init_buf is kind of a mess since it doesn't integrate nicely with
a top-level CBB. Some of the logic hasn't been converted to CBB because they're
interspersed with a BUF_MEM_grow.)

Change-Id: I693e834b5a03849bebb04f3f6b81f81fb04e2530
Reviewed-on: https://boringssl-review.googlesource.com/8431
Reviewed-by: Adam Langley <agl@google.com>
---
 ssl/handshake_client.c | 44 +++++++++++++++++-------------------------
 1 file changed, 18 insertions(+), 26 deletions(-)

diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 9a3ffa5b..8fef3f5c 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -1822,28 +1822,35 @@ static int ssl3_send_cert_verify(SSL *ssl) {
     return ssl_do_write(ssl);
   }
 
+  assert(ssl_has_private_key(ssl));
+
   CBB cbb, child;
   if (!CBB_init_fixed(&cbb, ssl_handshake_start(ssl),
                       ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl))) {
     goto err;
   }
 
-  assert(ssl_has_private_key(ssl));
+  /* Select and write out the digest type in TLS 1.2. */
+  const EVP_MD *md = NULL;
+  if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
+    md = tls1_choose_signing_digest(ssl);
+    if (!tls12_add_sigandhash(ssl, &cbb, md)) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+      goto err;
+    }
+  }
 
+  /* Set aside space for the signature. */
   const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);
+  uint8_t *ptr;
+  if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
+      !CBB_reserve(&child, &ptr, max_sig_len)) {
+    goto err;
+  }
+
   size_t sig_len;
   enum ssl_private_key_result_t sign_result;
   if (ssl->state == SSL3_ST_CW_CERT_VRFY_A) {
-    /* Select and write out the digest type in TLS 1.2. */
-    const EVP_MD *md = NULL;
-    if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
-      md = tls1_choose_signing_digest(ssl);
-      if (!tls12_add_sigandhash(ssl, &cbb, md)) {
-        OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-        goto err;
-      }
-    }
-
     /* Compute the digest. In TLS 1.1 and below, the digest type is also
      * selected here. */
     uint8_t digest[EVP_MAX_MD_SIZE];
@@ -1857,25 +1864,10 @@ static int ssl3_send_cert_verify(SSL *ssl) {
     ssl3_free_handshake_buffer(ssl);
 
     /* Sign the digest. */
-    uint8_t *ptr;
-    if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
-        !CBB_reserve(&child, &ptr, max_sig_len)) {
-      goto err;
-    }
     sign_result = ssl_private_key_sign(ssl, ptr, &sig_len, max_sig_len, md,
                                        digest, digest_len);
   } else {
     assert(ssl->state == SSL3_ST_CW_CERT_VRFY_B);
-
-    /* Skip over the already written signature algorithm and retry the
-     * signature. */
-    uint8_t *ptr;
-    if ((ssl3_protocol_version(ssl) >= TLS1_2_VERSION &&
-         !CBB_did_write(&cbb, 2)) ||
-        !CBB_add_u16_length_prefixed(&cbb, &child) ||
-        !CBB_reserve(&child, &ptr, max_sig_len)) {
-      goto err;
-    }
     sign_result =
         ssl_private_key_sign_complete(ssl, ptr, &sig_len, max_sig_len);
   }