Remove ssl_hash_message_t from ssl_get_message.
Move to explicit hashing everywhere, matching TLS 1.2 with TLS 1.3. The
ssl_get_message calls between all the handshake states are now all
uniform so, when we're ready, we can rewire the TLS 1.2 state machine to
look like the TLS 1.3 one. (ssl_get_message calls become an
ssl_hs_read_message transition, reuse_message becomes an ssl_hs_ok
transition.)
This avoids some nuisance in processing the ServerHello at the 1.2 / 1.3
transition.
The downside of explicit hashing is we may forget to hash something, but
this will fail to interop with our tests and anyone else, so we should
be able to catch it.
BUG=128
Change-Id: I01393943b14dfaa98eec2a78f62c3a41c29b3a0e
Reviewed-on: https://boringssl-review.googlesource.com/13266
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index 8c85799..df8f7a5 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -815,7 +815,7 @@
if (hs->state == SSL3_ST_SR_CLNT_HELLO_A) {
/* The first time around, read the ClientHello. */
- int msg_ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+ int msg_ret = ssl->method->ssl_get_message(ssl);
if (msg_ret <= 0) {
return msg_ret;
}
@@ -1026,8 +1026,10 @@
goto f_err;
}
- /* Now that all parameters are known, initialize the handshake hash. */
- if (!ssl3_init_handshake_hash(ssl)) {
+ /* Now that all parameters are known, initialize the handshake hash and hash
+ * the ClientHello. */
+ if (!ssl3_init_handshake_hash(ssl) ||
+ !ssl_hash_current_message(ssl)) {
goto f_err;
}
@@ -1402,7 +1404,7 @@
SSL *const ssl = hs->ssl;
assert(hs->cert_request);
- int msg_ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+ int msg_ret = ssl->method->ssl_get_message(ssl);
if (msg_ret <= 0) {
return msg_ret;
}
@@ -1430,6 +1432,10 @@
return -1;
}
+ if (!ssl_hash_current_message(ssl)) {
+ return -1;
+ }
+
CBS certificate_msg;
CBS_init(&certificate_msg, ssl->init_msg, ssl->init_num);
@@ -1506,12 +1512,13 @@
uint8_t psk[PSK_MAX_PSK_LEN];
if (hs->state == SSL3_ST_SR_KEY_EXCH_A) {
- int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+ int ret = ssl->method->ssl_get_message(ssl);
if (ret <= 0) {
return ret;
}
- if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE)) {
+ if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE) ||
+ !ssl_hash_current_message(ssl)) {
return -1;
}
}
@@ -1777,7 +1784,7 @@
return 1;
}
- int msg_ret = ssl->method->ssl_get_message(ssl, ssl_dont_hash_message);
+ int msg_ret = ssl->method->ssl_get_message(ssl);
if (msg_ret <= 0) {
return msg_ret;
}
@@ -1873,13 +1880,13 @@
* sets the next_proto member in s if found */
static int ssl3_get_next_proto(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- int ret =
- ssl->method->ssl_get_message(ssl, ssl_hash_message);
+ int ret = ssl->method->ssl_get_message(ssl);
if (ret <= 0) {
return ret;
}
- if (!ssl_check_message_type(ssl, SSL3_MT_NEXT_PROTO)) {
+ if (!ssl_check_message_type(ssl, SSL3_MT_NEXT_PROTO) ||
+ !ssl_hash_current_message(ssl)) {
return -1;
}
@@ -1904,7 +1911,7 @@
/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
static int ssl3_get_channel_id(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- int msg_ret = ssl->method->ssl_get_message(ssl, ssl_dont_hash_message);
+ int msg_ret = ssl->method->ssl_get_message(ssl);
if (msg_ret <= 0) {
return msg_ret;
}
