Implement explicit storing of the handshake_traffic_hash
authorMatt Caswell <matt@openssl.org>
Thu, 29 May 2025 10:59:25 +0000 (11:59 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 3 Jun 2025 16:06:31 +0000 (17:06 +0100)
tls13_change_cipher_state was storing the handshake_traffic_hash as a
side effect of its operation. This decision is better made by the state
machine which actually knows what state we are in.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)

ssl/ssl_local.h
ssl/statem/statem_clnt.c
ssl/statem/statem_srvr.c
ssl/tls13_enc.c

index 960f0c0f84b3a0cdff7ef2ca0df0cc994c1e2f4e..ba66405d2e93c8beeb57bd31b5e01464df9e1b56 100644 (file)
@@ -2772,6 +2772,7 @@ __owur int tls1_generate_master_secret(SSL_CONNECTION *s, unsigned char *out,
 __owur int tls13_setup_key_block(SSL_CONNECTION *s);
 __owur size_t tls13_final_finish_mac(SSL_CONNECTION *s, const char *str, size_t slen,
                                      unsigned char *p);
+__owur int tls13_store_handshake_traffic_hash(SSL_CONNECTION *s);
 __owur int tls13_change_cipher_state(SSL_CONNECTION *s, int which);
 __owur int tls13_update_key(SSL_CONNECTION *s, int send);
 __owur int tls13_hkdf_expand(SSL_CONNECTION *s,
index 3990a2b0c219478c0e7a80fdd632201951f7963e..cdb5e2d599a9c51209f5beed01113bc7e634c3a2 100644 (file)
@@ -1788,6 +1788,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
      */
     if (SSL_CONNECTION_IS_TLS13(s)) {
         if (!ssl->method->ssl3_enc->setup_key_block(s)
+                || !tls13_store_handshake_traffic_hash(s)
                 || !ssl->method->ssl3_enc->change_cipher_state(s,
                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
             /* SSLfatal() already called */
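Review bot: The new call on the added line is order-sensitive — it has to run after the ServerHello has been folded into the transcript and before the read-side handshake keys are installed, since that is the exact point at which the removed memcpy in tls13_change_cipher_state used to fire — and nothing in the code says so; a maintainer reordering the three calls would silently store the wrong hash. I would add `/* Snapshot the transcript hash here, before the handshake traffic keys are derived */` above the `if`. Note also that tls13_change_cipher_state still computes a transcript hash of its own (it is what feeds server_finished_hash), so the digest is now finalised twice in a row on this path; harmless, but worth a word in the comment. tls_process_server_hello starts outside the hunk.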
index dceec1a58700445ee950165441e2cb92204dbfe4..5b202969a7dc209ebd4e1d4a974f46b7f9055566 100644 (file)
@@ -977,6 +977,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst)
 
         if (SSL_CONNECTION_IS_TLS13(s)) {
             if (!ssl->method->ssl3_enc->setup_key_block(s)
+                || !tls13_store_handshake_traffic_hash(s)
                 || !ssl->method->ssl3_enc->change_cipher_state(s,
                         SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
                 /* SSLfatal() already called */
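Review bot: The condition selecting this branch is outside the hunk, so it should be confirmed that tls13_store_handshake_traffic_hash only runs in the post-work for a genuine ServerHello and not for a HelloRetryRequest, which shares the ServerHello wire format; previously the store was tied to the server_handshake_traffic label, which could only be reached on the real ServerHello, whereas now it is tied to whatever state this `if` guards. If the branch is already ServerHello-only, a comment such as `/* Real ServerHello only: this hash seeds the Finished and early-secret derivations */` would make that invariant explicit. ossl_statem_server_post_work continues outside the hunk.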
index 6bddc9b51c4ab95293a849e813779e65ba7b1892..d89a42720c7127b8d25b16ecc0527805ef9d1fde 100644 (file)
@@ -446,6 +446,20 @@ static int derive_secret_key_and_iv(SSL_CONNECTION *s, const EVP_MD *md,
     return 1;
 }
 
+int tls13_store_handshake_traffic_hash(SSL_CONNECTION *s)
+{
+    size_t hashlen;
+
+    if (!ssl3_digest_cached_records(s, 1)
+            || !ssl_handshake_hash(s, s->handshake_traffic_hash,
+                                   sizeof(s->handshake_traffic_hash), &hashlen)) {
+        /* SSLfatal() already called */;
+        return 0;
+    }
+
+    return 1;
+}
+
 int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
 {
     /* ASCII: "c e traffic", in hex for EBCDIC compatibility */
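Review bot: Line `/* SSLfatal() already called */;` in the new function ends with a stray semicolon after the comment, leaving an empty statement; it should read `/* SSLfatal() already called */` with no `;`. The function also has no header comment although it is now a public contract between tls13_enc.c and the state machine: I would add a comment above it stating that it captures the current transcript hash into s->handshake_traffic_hash and that the caller is responsible for invoking it at the right point (after the ServerHello is in the transcript and before the handshake traffic secrets are derived, which is where both call sites in this commit place it). `hashlen` is written but never read; if the stored length is intentionally implied by the negotiated digest, saying so in the comment avoids a reader wondering whether a length check was forgotten.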
@@ -655,9 +669,6 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
     if (label == server_application_traffic)
         memcpy(s->server_finished_hash, hashval, hashlen);
 
-    if (label == server_handshake_traffic)
-        memcpy(s->handshake_traffic_hash, hashval, hashlen);
-
     if (label == client_application_traffic) {
         /*
          * We also create the resumption master secret, but this time use the
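Review bot: With the server_handshake_traffic memcpy removed, any caller of tls13_change_cipher_state with that label other than the two sites changed in this commit would now leave s->handshake_traffic_hash stale rather than refreshed; I cannot see whether such a caller exists (QUIC or early-data paths, for example), so this is worth a grep before merge. The remaining `memcpy(s->server_finished_hash, hashval, hashlen)` a few lines above is the same kind of side effect the commit message argues against, so for consistency it is a candidate for the same treatment via a sibling store helper. tls13_change_cipher_state continues outside the hunk on both sides.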