Match state machine functions with new calling convention. This cuts down on a lot of unchecked ssl->s3->hs accesses. Next is probably the mass of extensions callbacks, and then we can play whack-a-mole with git grep. Change-Id: I81c506ea25c2569a51ceda903853465b8b567b0f Reviewed-on: https://boringssl-review.googlesource.com/12237 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c index e10e88e..eaeab06 100644 --- a/ssl/tls13_server.c +++ b/ssl/tls13_server.c
@@ -87,7 +87,8 @@ return ok; } -static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_process_client_hello(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) { return ssl_hs_error; } @@ -173,7 +174,8 @@ return best; } -static enum ssl_hs_wait_t do_select_parameters(SSL *ssl, SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; /* Call |cert_cb| to update server certificates if required. */ if (ssl->cert->cert_cb != NULL) { int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); @@ -317,8 +319,8 @@ return ssl_hs_ok; } -static enum ssl_hs_wait_t do_send_hello_retry_request(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; CBB cbb, body, extensions; uint16_t group_id; if (!ssl->method->init_message(ssl, &cbb, &body, @@ -338,14 +340,13 @@ return ssl_hs_write_message; } -static enum ssl_hs_wait_t do_flush_hello_retry_request(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_flush_hello_retry_request(SSL_HANDSHAKE *hs) { hs->state = state_process_second_client_hello; return ssl_hs_flush_and_read_message; } -static enum ssl_hs_wait_t do_process_second_client_hello(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_process_second_client_hello(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) { return ssl_hs_error; } @@ -377,7 +378,8 @@ return ssl_hs_ok; } -static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; CBB cbb, body, extensions; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) || !CBB_add_u16(&body, ssl->version) || @@ -399,8 +401,8 @@ return ssl_hs_error; } -static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; if (!tls13_set_handshake_traffic(ssl)) { return ssl_hs_error; } @@ -418,16 +420,16 @@ return ssl_hs_write_message; } -static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_send_certificate_request(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; /* Determine whether to request a client certificate. */ - ssl->s3->hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); + hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); /* CertificateRequest may only be sent in non-resumption handshakes. */ if (ssl->s3->session_reused) { - ssl->s3->hs->cert_request = 0; + hs->cert_request = 0; } - if (!ssl->s3->hs->cert_request) { + if (!hs->cert_request) { /* Skip this state. */ hs->state = state_send_server_certificate; return ssl_hs_ok; @@ -466,8 +468,8 @@ return ssl_hs_error; } -static enum ssl_hs_wait_t do_send_server_certificate(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; if (ssl->s3->session_reused) { hs->state = state_send_server_finished; return ssl_hs_ok; @@ -486,10 +488,9 @@ return ssl_hs_write_message; } -static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL *ssl, - SSL_HANDSHAKE *hs, +static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs, int is_first_run) { - switch (tls13_prepare_certificate_verify(ssl, is_first_run)) { + switch (tls13_prepare_certificate_verify(hs->ssl, is_first_run)) { case ssl_private_key_success: hs->state = state_send_server_finished; return ssl_hs_write_message; @@ -506,8 +507,8 @@ return ssl_hs_error; } -static enum ssl_hs_wait_t do_send_server_finished(SSL *ssl, SSL_HANDSHAKE *hs) { - if (!tls13_prepare_finished(ssl)) { +static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { + if (!tls13_prepare_finished(hs->ssl)) { return ssl_hs_error; } @@ -515,7 +516,8 @@ return ssl_hs_write_message; } -static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_flush(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; /* Update the secret to the master secret and derive traffic keys. */ if (!tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) || !tls13_derive_application_secrets(ssl) || @@ -528,9 +530,9 @@ return ssl_hs_flush_and_read_message; } -static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl, - SSL_HANDSHAKE *hs) { - if (!ssl->s3->hs->cert_request) { +static enum ssl_hs_wait_t do_process_client_certificate(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; + if (!hs->cert_request) { /* OpenSSL returns X509_V_OK when no certificates are requested. This is * classed by them as a bug, but it's assumed by at least NGINX. */ ssl->s3->new_session->verify_result = X509_V_OK; @@ -560,7 +562,8 @@ } static enum ssl_hs_wait_t do_process_client_certificate_verify( - SSL *ssl, SSL_HANDSHAKE *hs) { + SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; if (ssl->s3->new_session->x509_peer == NULL) { /* Skip this state. */ hs->state = state_process_channel_id; @@ -577,7 +580,8 @@ return ssl_hs_read_message; } -static enum ssl_hs_wait_t do_process_channel_id(SSL *ssl, SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_process_channel_id(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; if (!ssl->s3->tlsext_channel_id_valid) { hs->state = state_process_client_finished; return ssl_hs_ok; @@ -593,8 +597,8 @@ return ssl_hs_read_message; } -static enum ssl_hs_wait_t do_process_client_finished(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_process_client_finished(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) || !tls13_process_finished(ssl) || !ssl_hash_current_message(ssl) || @@ -618,8 +622,8 @@ * client makes several connections before getting a renewal. */ static const int kNumTickets = 2; -static enum ssl_hs_wait_t do_send_new_session_ticket(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) { + SSL *const ssl = hs->ssl; /* If the client doesn't accept resumption with PSK_DHE_KE, don't send a * session ticket. */ if (!hs->accept_psk_mode) { @@ -671,75 +675,72 @@ return ssl_hs_error; } -static enum ssl_hs_wait_t do_flush_new_session_tickets(SSL *ssl, - SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_flush_new_session_tickets(SSL_HANDSHAKE *hs) { hs->state = state_done; return ssl_hs_flush; } -enum ssl_hs_wait_t tls13_server_handshake(SSL *ssl) { - SSL_HANDSHAKE *hs = ssl->s3->hs; - +enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) { while (hs->state != state_done) { enum ssl_hs_wait_t ret = ssl_hs_error; enum server_hs_state_t state = hs->state; switch (state) { case state_process_client_hello: - ret = do_process_client_hello(ssl, hs); + ret = do_process_client_hello(hs); break; case state_select_parameters: - ret = do_select_parameters(ssl, hs); + ret = do_select_parameters(hs); break; case state_send_hello_retry_request: - ret = do_send_hello_retry_request(ssl, hs); + ret = do_send_hello_retry_request(hs); break; case state_flush_hello_retry_request: - ret = do_flush_hello_retry_request(ssl, hs); + ret = do_flush_hello_retry_request(hs); break; case state_process_second_client_hello: - ret = do_process_second_client_hello(ssl, hs); + ret = do_process_second_client_hello(hs); break; case state_send_server_hello: - ret = do_send_server_hello(ssl, hs); + ret = do_send_server_hello(hs); break; case state_send_encrypted_extensions: - ret = do_send_encrypted_extensions(ssl, hs); + ret = do_send_encrypted_extensions(hs); break; case state_send_certificate_request: - ret = do_send_certificate_request(ssl, hs); + ret = do_send_certificate_request(hs); break; case state_send_server_certificate: - ret = do_send_server_certificate(ssl, hs); + ret = do_send_server_certificate(hs); break; case state_send_server_certificate_verify: - ret = do_send_server_certificate_verify(ssl, hs, 1 /* first run */); + ret = do_send_server_certificate_verify(hs, 1 /* first run */); break; case state_complete_server_certificate_verify: - ret = do_send_server_certificate_verify(ssl, hs, 0 /* complete */); + ret = do_send_server_certificate_verify(hs, 0 /* complete */); break; case state_send_server_finished: - ret = do_send_server_finished(ssl, hs); + ret = do_send_server_finished(hs); break; case state_flush: - ret = do_flush(ssl, hs); + ret = do_flush(hs); break; case state_process_client_certificate: - ret = do_process_client_certificate(ssl, hs); + ret = do_process_client_certificate(hs); break; case state_process_client_certificate_verify: - ret = do_process_client_certificate_verify(ssl, hs); + ret = do_process_client_certificate_verify(hs); break; case state_process_channel_id: - ret = do_process_channel_id(ssl, hs); + ret = do_process_channel_id(hs); break; case state_process_client_finished: - ret = do_process_client_finished(ssl, hs); + ret = do_process_client_finished(hs); break; case state_send_new_session_ticket: - ret = do_send_new_session_ticket(ssl, hs); + ret = do_send_new_session_ticket(hs); break; case state_flush_new_session_tickets: - ret = do_flush_new_session_tickets(ssl, hs); + ret = do_flush_new_session_tickets(hs); break; case state_done: ret = ssl_hs_ok;