Moving transcript and PRF functions to SSL_TRANSCRIPT.
Change-Id: I98903df561bbf8c5739f892d2ad5e89ac0eb8e6f
Reviewed-on: https://boringssl-review.googlesource.com/13369
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index 6ebfce4..5e921b6 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -218,13 +218,6 @@
case SSL_ST_ACCEPT:
ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
-
- if (!ssl3_init_handshake_buffer(ssl)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- ret = -1;
- goto end;
- }
-
hs->state = SSL3_ST_SR_CLNT_HELLO_A;
break;
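Review bot: With ssl3_init_handshake_buffer removed from SSL_ST_ACCEPT, this state has no failure path left, so the transcript buffer that the CertificateVerify handler later dereferences through hs->transcript.buffer must already be set up by whoever creates the SSL_HANDSHAKE; that setup is not in this diff, so I cannot confirm it here. A one-line comment where the removed block was would stop a later reader from re-adding the allocation: `/* hs->transcript is initialized with the SSL_HANDSHAKE; nothing to allocate here. */` — assuming that is where it now lives. The enclosing state-machine function starts and ends outside this hunk.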
@@ -421,7 +414,7 @@
* hashes in |ssl->s3->new_session| in case we need them to verify a
* ChannelID signature on a resumption of this session in the future. */
if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid) {
- ret = tls1_record_handshake_hashes_for_channel_id(ssl);
+ ret = tls1_record_handshake_hashes_for_channel_id(hs);
if (ret <= 0) {
goto end;
}
@@ -654,8 +647,6 @@
hs->client_version = client_hello->version;
ssl->version = ssl->method->version_to_wire(version);
- ssl->s3->enc_method = ssl3_get_enc_method(version);
- assert(ssl->s3->enc_method != NULL);
/* At this point, the connection's version is known and |ssl->version| is
* fixed. Begin enforcing the record-layer version. */
@@ -1053,14 +1044,15 @@
/* Now that all parameters are known, initialize the handshake hash and hash
* the ClientHello. */
- if (!ssl3_init_handshake_hash(ssl) ||
- !ssl_hash_current_message(ssl)) {
+ if (!SSL_TRANSCRIPT_init_hash(&hs->transcript, ssl3_protocol_version(ssl),
+ ssl->s3->tmp.new_cipher->algorithm_prf) ||
+ !ssl_hash_current_message(hs)) {
goto f_err;
}
/* Release the handshake buffer if client authentication isn't required. */
if (!hs->cert_request) {
- ssl3_free_handshake_buffer(ssl);
+ SSL_TRANSCRIPT_free_buffer(&hs->transcript);
}
ret = 1;
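Review bot: The comment above SSL_TRANSCRIPT_init_hash still only says "initialize the handshake hash", but the new call selects the digest from new_cipher->algorithm_prf, and that choice is security-relevant because later transcript checks are computed over it; the reason for the selector should be stated. Suggest `/* Now that all parameters are known, initialize the handshake hash and hash the ClientHello. The transcript digest is the negotiated cipher's PRF hash, which is what the later Finished checks are computed over. */` (the Finished part is from the protocol, not visible in this hunk, so confirm against SSL_TRANSCRIPT). The early SSL_TRANSCRIPT_free_buffer when cert_request is unset also means every later reader of hs->transcript.buffer in this file depends on that flag, which is worth one sentence in the comment by the free. The enclosing function starts before this hunk.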
@@ -1457,7 +1449,7 @@
return -1;
}
- if (!ssl_hash_current_message(ssl)) {
+ if (!ssl_hash_current_message(hs)) {
return -1;
}
@@ -1488,7 +1480,7 @@
if (sk_CRYPTO_BUFFER_num(ssl->s3->new_session->certs) == 0) {
/* No client certificate so the handshake buffer may be discarded. */
- ssl3_free_handshake_buffer(ssl);
+ SSL_TRANSCRIPT_free_buffer(&hs->transcript);
/* In SSL 3.0, sending no certificate is signaled by omitting the
* Certificate message. */
@@ -1543,7 +1535,7 @@
}
if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE) ||
- !ssl_hash_current_message(ssl)) {
+ !ssl_hash_current_message(hs)) {
return -1;
}
}
@@ -1771,9 +1763,9 @@
}
/* Compute the master secret */
- ssl->s3->new_session->master_key_length = tls1_generate_master_secret(
- ssl, ssl->s3->new_session->master_key, premaster_secret,
- premaster_secret_len);
+ ssl->s3->new_session->master_key_length =
+ tls1_generate_master_secret(hs, ssl->s3->new_session->master_key,
+ premaster_secret, premaster_secret_len);
if (ssl->s3->new_session->master_key_length == 0) {
goto err;
}
@@ -1805,7 +1797,7 @@
* CertificateVerify is required if and only if there's a client certificate.
* */
if (hs->peer_pubkey == NULL) {
- ssl3_free_handshake_buffer(ssl);
+ SSL_TRANSCRIPT_free_buffer(&hs->transcript);
return 1;
}
@@ -1854,26 +1846,25 @@
/* The SSL3 construction for CertificateVerify does not decompose into a
* single final digest and signature, and must be special-cased. */
if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
- const EVP_MD *md;
uint8_t digest[EVP_MAX_MD_SIZE];
size_t digest_len;
- if (!ssl3_cert_verify_hash(ssl, &md, digest, &digest_len,
- signature_algorithm)) {
+ if (!SSL_TRANSCRIPT_ssl3_cert_verify_hash(&hs->transcript, digest,
+ &digest_len, ssl->s3->new_session,
+ signature_algorithm)) {
goto err;
}
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(hs->peer_pubkey, NULL);
sig_ok = pctx != NULL &&
EVP_PKEY_verify_init(pctx) &&
- EVP_PKEY_CTX_set_signature_md(pctx, md) &&
EVP_PKEY_verify(pctx, CBS_data(&signature), CBS_len(&signature),
digest, digest_len);
EVP_PKEY_CTX_free(pctx);
} else {
sig_ok = ssl_public_key_verify(
ssl, CBS_data(&signature), CBS_len(&signature), signature_algorithm,
- hs->peer_pubkey, (const uint8_t *)ssl->s3->handshake_buffer->data,
- ssl->s3->handshake_buffer->length);
+ hs->peer_pubkey, (const uint8_t *)hs->transcript.buffer->data,
+ hs->transcript.buffer->length);
}
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
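Review bot: The non-SSL3 branch dereferences hs->transcript.buffer directly (buffer->data, buffer->length) while this same file frees that buffer in several places (when cert_request is unset after ClientHello, on an empty client Certificate, and when peer_pubkey is NULL earlier in this function), so reaching this call with the buffer already released would be a NULL dereference. The invariant that the buffer is alive exactly when a client certificate was received is implicit; add `assert(hs->transcript.buffer != NULL);` immediately before the ssl_public_key_verify call, matching the file's existing use of assert. Separately, the SSL3 branch no longer calls EVP_PKEY_CTX_set_signature_md, so EVP_PKEY_verify now runs over the raw digest; that looks intended for SSL 3.0 (RSA CertificateVerify there carries no DigestInfo), but a comment such as `/* No digest is set on pctx: SSL 3.0 signs the raw hash output without a DigestInfo prefix. */` would make the omission explicit rather than look accidental. The enclosing function begins before this hunk.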
@@ -1888,8 +1879,8 @@
/* The handshake buffer is no longer necessary, and we may hash the current
* message.*/
- ssl3_free_handshake_buffer(ssl);
- if (!ssl_hash_current_message(ssl)) {
+ SSL_TRANSCRIPT_free_buffer(&hs->transcript);
+ if (!ssl_hash_current_message(hs)) {
goto err;
}
@@ -1911,7 +1902,7 @@
}
if (!ssl_check_message_type(ssl, SSL3_MT_NEXT_PROTO) ||
- !ssl_hash_current_message(ssl)) {
+ !ssl_hash_current_message(hs)) {
return -1;
}
@@ -1942,8 +1933,8 @@
}
if (!ssl_check_message_type(ssl, SSL3_MT_CHANNEL_ID) ||
- !tls1_verify_channel_id(ssl) ||
- !ssl_hash_current_message(ssl)) {
+ !tls1_verify_channel_id(hs) ||
+ !ssl_hash_current_message(hs)) {
return -1;
}
return 1;