commit 57b25d38e056f335effc5a408eef128e9a5c5c3e
author David Benjamin <davidben@google.com> Thu Oct 10 14:04:04 2024 -0400
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Thu Oct 10 22:31:07 2024 +0000
tree a6a6dd47e758a320d5168bf786a9d1e30fdb4380
parent 23396fe18efc6c110c612d612e0f168169c4c479

Drop the transcript buffer before hashing ClientHello whenever possible

This isn't very important, but in the common case of TLS 1.2 servers
without requesting client certificates, there's no point in copying the
unhashed ClientHello only to throw it away immediately anyway.

Change-Id: Ia3a4f143bc153f05d1805ef8f4386f0d4a0a2ef4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/71987
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>

ssl/handshake_server.cc

diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index 59531f7..0eb037b 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -991,8 +991,7 @@
 
   // Now that all parameters are known, initialize the handshake hash and hash
   // the ClientHello.
-  if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
-      !ssl_hash_message(hs, msg)) {
+  if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
     return ssl_hs_error;
   }
@@ -1003,6 +1002,11 @@
     hs->transcript.FreeBuffer();
   }
 
+  if (!ssl_hash_message(hs, msg)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+    return ssl_hs_error;
+  }
+
   ssl->method->next_message(ssl);
 
   hs->state = state12_send_server_hello;