Preserve the transcript hash at specific stages of the TLSv1.3 handshake.

There are various points where we need the hash of all messages prior to the current message. Support this by having the handshake code preserve the transcript hash prior to recording the current message, which avoids the need to sprinkle this throughout multiple handlers. ok inoguchi@ tb@
author: jsing <> 2019-02-10 13:04:29 +0000
committer: jsing <> 2019-02-10 13:04:29 +0000
commit: 6d4aaf1f9ff309085dbf415f1fe769f3165381f6 (patch)
tree: ef8327c4dc4c5c054c766173772e66fa6e75b623 /src/lib/libssl/tls13_handshake.c
parent: b3b102c1f413c950892ae663eb251b656a781b0e (diff)
download: openbsd-6d4aaf1f9ff309085dbf415f1fe769f3165381f6.tar.gz
openbsd-6d4aaf1f9ff309085dbf415f1fe769f3165381f6.tar.bz2
openbsd-6d4aaf1f9ff309085dbf415f1fe769f3165381f6.zip
1 files changed, 11 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 68d6a9d444..8d5b0e3516 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.24 2019/02/07 15:54:18 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.25 2019/02/10 13:04:29 jsing Exp $      */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -33,6 +33,7 @@ struct tls13_handshake_action {
        uint8_t                 handshake_type;
        uint8_t                 sender;
        uint8_t                 handshake_complete;
+        uint8_t                 preserve_transcript_hash;
        int (*send)(struct tls13_ctx *ctx);
        int (*recv)(struct tls13_ctx *ctx);
@@ -133,6 +134,7 @@ struct tls13_handshake_action state_machine[] = {
                .record_type = TLS13_HANDSHAKE,
                .handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
                .sender = TLS13_HS_SERVER,
+                .preserve_transcript_hash = 1,
                .send = tls13_server_certificate_verify_send,
                .recv = tls13_server_certificate_verify_recv,
        },
@@ -140,6 +142,7 @@ struct tls13_handshake_action state_machine[] = {
                .record_type = TLS13_HANDSHAKE,
                .handshake_type = TLS13_MT_FINISHED,
                .sender = TLS13_HS_SERVER,
+                .preserve_transcript_hash = 1,
                .send = tls13_server_finished_send,
                .recv = tls13_server_finished_recv,
        },
@@ -361,6 +364,13 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
        if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0)
                return ret;
+        if (action->preserve_transcript_hash) {
+                if (!tls1_transcript_hash_value(ctx->ssl,
+                    ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
+                    &ctx->hs->transcript_hash_len))
+                        return TLS13_IO_FAILURE;
+        }
        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
        if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
                return TLS13_IO_FAILURE;
author	jsing <>	2019-02-10 13:04:29 +0000
committer	jsing <>	2019-02-10 13:04:29 +0000
commit	6d4aaf1f9ff309085dbf415f1fe769f3165381f6 (patch)
tree	ef8327c4dc4c5c054c766173772e66fa6e75b623 /src/lib/libssl/tls13_handshake.c
parent	b3b102c1f413c950892ae663eb251b656a781b0e (diff)
download	openbsd-6d4aaf1f9ff309085dbf415f1fe769f3165381f6.tar.gz openbsd-6d4aaf1f9ff309085dbf415f1fe769f3165381f6.tar.bz2 openbsd-6d4aaf1f9ff309085dbf415f1fe769f3165381f6.zip