From: Matt Caswell
Date: Thu, 29 May 2025 10:59:25 +0000 (+0100)
Subject: Implement explicit storing of the handshake_traffic_hash
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4579a18cf5129479e781bf05e168204ca739fa3c;p=thirdparty%2Fopenssl.git

Implement explicit storing of the handshake_traffic_hash

tls13_change_cipher_state was storing the handshake_traffic_hash as a side effect of its operation. This decision is better made by the state machine which actually knows what state we are in.

Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/27732)
---

diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 960f0c0f84b..ba66405d2e9 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2772,6 +2772,7 @@ __owur int tls1_generate_master_secret(SSL_CONNECTION *s, unsigned char *out,
 __owur int tls13_setup_key_block(SSL_CONNECTION *s);
 __owur size_t tls13_final_finish_mac(SSL_CONNECTION *s, const char *str, size_t slen,
                                      unsigned char *p);
+__owur int tls13_store_handshake_traffic_hash(SSL_CONNECTION *s);
 __owur int tls13_change_cipher_state(SSL_CONNECTION *s, int which);
 __owur int tls13_update_key(SSL_CONNECTION *s, int send);
 __owur int tls13_hkdf_expand(SSL_CONNECTION *s,
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 3990a2b0c21..cdb5e2d599a 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1788,6 +1788,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
      */
     if (SSL_CONNECTION_IS_TLS13(s)) {
         if (!ssl->method->ssl3_enc->setup_key_block(s)
+            || !tls13_store_handshake_traffic_hash(s)
             || !ssl->method->ssl3_enc->change_cipher_state(s,
                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
             /* SSLfatal() already called */
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index dceec1a5870..5b202969a7d 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
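Review bot: The value stored by the new `|| !tls13_store_handshake_traffic_hash(s)` line in tls_process_server_hello depends entirely on where in the handshake the call sits, yet nothing at the call site says that this is the point whose transcript is wanted; the same applies to the ossl_statem_server_post_work hunk in statem_srvr.c. The removed lines in tls13_enc.c show the hash was previously captured while deriving the server handshake traffic secret, i.e. the transcript through ServerHello, and since the commit's rationale is that the state machine is the party that knows the state, that knowledge belongs in a comment here. Suggest `/* Snapshot the transcript hash now, before any further handshake messages are added */` above the setup_key_block condition, so a later reordering of this chain is not made blindly. The enclosing if-block continues past the end of the hunk.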
@@ -977,6 +977,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst)
 
         if (SSL_CONNECTION_IS_TLS13(s)) {
             if (!ssl->method->ssl3_enc->setup_key_block(s)
+                || !tls13_store_handshake_traffic_hash(s)
                 || !ssl->method->ssl3_enc->change_cipher_state(s,
                         SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
                 /* SSLfatal() already called */
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 6bddc9b51c4..d89a42720c7 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -446,6 +446,20 @@ static int derive_secret_key_and_iv(SSL_CONNECTION *s, const EVP_MD *md,
     return 1;
 }
 
+int tls13_store_handshake_traffic_hash(SSL_CONNECTION *s)
+{
+    size_t hashlen;
+
+    if (!ssl3_digest_cached_records(s, 1)
+        || !ssl_handshake_hash(s, s->handshake_traffic_hash,
+                               sizeof(s->handshake_traffic_hash), &hashlen)) {
+        /* SSLfatal() already called */;
+        return 0;
+    }
+
+    return 1;
+}
+
 int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
 {
     /* ASCII: "c e traffic", in hex for EBCDIC compatibility */
@@ -655,9 +669,6 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
     if (label == server_application_traffic)
         memcpy(s->server_finished_hash, hashval, hashlen);
 
-    if (label == server_handshake_traffic)
-        memcpy(s->handshake_traffic_hash, hashval, hashlen);
-
     if (label == client_application_traffic) {
         /*
          * We also create the resumption master secret, but this time use the
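Review bot: The added `/* SSLfatal() already called */;` line in tls13_store_handshake_traffic_hash carries a stray semicolon after the comment, leaving an empty statement; it should read `/* SSLfatal() already called */` as the same comment does at the two call sites in this commit. The new function also has no header comment even though its correctness rests on when it is called, so a comment above the definition should state that it digests any cached records and snapshots the current transcript hash into s->handshake_traffic_hash, that the caller is responsible for invoking it at the handshake point whose transcript is wanted, and that on failure the callee has already raised SSLfatal(). `hashlen` is only an out-parameter that is never read, which is acceptable, but a short comment on that line would stop readers looking for its use.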