Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 590cbe970c75973f38aeba4b7146dc0b84b66348^! / . / ssl / s3_both.c
commit590cbe970c75973f38aeba4b7146dc0b84b66348[log] [tgz]
authorDavid Benjamin <davidben@chromium.org>Mon Aug 25 21:34:56 2014 -0400
committerAdam Langley <agl@google.com>Wed Aug 27 01:54:50 2014 +0000
tree4699a8daf78d3fc4ee8eea294bedec17cde4443e
parent912806b1bb42151159c3d52376dd8c36c2073cfc [diff] [blame]
Introduce a hash_message parameter to ssl_get_message.

This replaces the special-case in ssl3_get_message for Channel ID. Also add
ssl3_hash_current_message to hash the current message, taking TLS vs DTLS
handshake header size into account.

One subtlety with this flag is that a message intended to be processed with
SSL_GET_MESSAGE_DONT_HASH_MESSAGE cannot follow an optional message
(reprocessed with reuse_message, etc.).  There is an assertion to that effect.
If need be, we can loosen it to requiring that the preceeding optional message
also pass SSL_GET_MESSAGE_DONT_HASH_MESSAGE and then maintain some state to
perform the more accurate assertion, but this is sufficient for now.

Change-Id: If8c87342b291ac041a35885b9b5ee961aee86eab
Reviewed-on: https://boringssl-review.googlesource.com/1630
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 8ce6b3b..2b4152b 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c

@@ -235,6 +235,7 @@
 		b,
 		SSL3_MT_FINISHED,
 		64, /* should actually be 36+4 :-) */
+		SSL_GET_MESSAGE_HASH_MESSAGE,
 		&ok);
 
 	if (!ok) return((int)n);
@@ -337,7 +338,7 @@
  * The first four bytes (msg_type and length) are read in state 'st1',
  * the body is read in state 'stn'.
  */
-long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
+long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int hash_message, int *ok)
 	{
 	unsigned char *p;
 	unsigned long l;
@@ -346,6 +347,10 @@
 
 	if (s->s3->tmp.reuse_message)
 		{
+		/* A SSL_GET_MESSAGE_DONT_HASH_MESSAGE call cannot be combined
+		 * with reuse_message; the SSL_GET_MESSAGE_DONT_HASH_MESSAGE
+		 * would have to have been applied to the previous call. */
+		assert(hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE);
 		s->s3->tmp.reuse_message=0;
 		if ((mt >= 0) && (s->s3->tmp.message_type != mt))
 			{
@@ -469,8 +474,8 @@
 #endif
 
 	/* Feed this message into MAC computation. */
-	if (*((unsigned char*) s->init_buf->data) != SSL3_MT_ENCRYPTED_EXTENSIONS)
-		ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
+	if (hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE)
+		ssl3_hash_current_message(s);
 	if (s->msg_callback)
 		s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
 	*ok=1;
@@ -482,6 +487,13 @@
 	return(-1);
 	}
 
+void ssl3_hash_current_message(SSL *s)
+	{
+	/* The handshake header (different size between DTLS and TLS) is included in the hash. */
+	size_t header_len = s->init_msg - (uint8_t *)s->init_buf->data;
+	ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, s->init_num + header_len);
+	}
+
 int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
 	{
 	EVP_PKEY *pk;