Remove ssl_hash_message_t from ssl_get_message.

Move to explicit hashing everywhere, matching TLS 1.2 with TLS 1.3. The
ssl_get_message calls between all the handshake states are now all
uniform so, when we're ready, we can rewire the TLS 1.2 state machine to
look like the TLS 1.3 one. (ssl_get_message calls become an
ssl_hs_read_message transition, reuse_message becomes an ssl_hs_ok
transition.)

This avoids some nuisance in processing the ServerHello at the 1.2 / 1.3
transition.

The downside of explicit hashing is we may forget to hash something, but
this will fail to interop with our tests and anyone else, so we should
be able to catch it.

BUG=128

Change-Id: I01393943b14dfaa98eec2a78f62c3a41c29b3a0e
Reviewed-on: https://boringssl-review.googlesource.com/13266
Reviewed-by: David Benjamin <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
CQ-Verified: CQ bot account: [email protected] <[email protected]>

Author: davidben

ssl/d1_both.c

@@ -395,16 +395,11 @@ static int dtls1_process_handshake_record(SSL *ssl) {
   return 1;
 }
 
-int dtls1_get_message(SSL *ssl, enum ssl_hash_message_t hash_message) {
+int dtls1_get_message(SSL *ssl) {
   if (ssl->s3->tmp.reuse_message) {
-    /* A ssl_dont_hash_message call cannot be combined with reuse_message; the
-     * ssl_dont_hash_message would have to have been applied to the previous
-     * call. */
-    assert(hash_message == ssl_hash_message);
+    /* There must be a current message. */
     assert(ssl->init_msg != NULL);
-
     ssl->s3->tmp.reuse_message = 0;
-    hash_message = ssl_dont_hash_message;
   } else {
     dtls1_release_current_message(ssl, 0 /* don't free buffer */);
   }
@@ -429,10 +424,6 @@ int dtls1_get_message(SSL *ssl, enum ssl_hash_message_t hash_message) {
   ssl->init_msg = frag->data + DTLS1_HM_HEADER_LENGTH;
   ssl->init_num = frag->msg_len;
 
-  if (hash_message == ssl_hash_message && !ssl_hash_current_message(ssl)) {
-    return -1;
-  }
-
   ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, frag->data,
                       ssl->init_num + DTLS1_HM_HEADER_LENGTH);
   return 1;

ssl/handshake_client.c

@@ -808,7 +808,7 @@ static int dtls1_get_hello_verify(SSL_HANDSHAKE *hs) {
   CBS hello_verify_request, cookie;
   uint16_t server_version;
 
-  int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     return ret;
   }
@@ -819,8 +819,10 @@ static int dtls1_get_hello_verify(SSL_HANDSHAKE *hs) {
     return 1;
   }
 
-  CBS_init(&hello_verify_request, ssl->init_msg, ssl->init_num);
+  /* The handshake transcript is reset on HelloVerifyRequst, so do not bother
+   * hashing it. */
 
+  CBS_init(&hello_verify_request, ssl->init_msg, ssl->init_num);
   if (!CBS_get_u16(&hello_verify_request, &server_version) ||
       !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
       CBS_len(&hello_verify_request) != 0) {
@@ -852,7 +854,7 @@ static int ssl3_get_server_hello(SSL_HANDSHAKE *hs) {
   uint16_t server_wire_version, cipher_suite;
   uint8_t compression_method;
 
-  int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     uint32_t err = ERR_peek_error();
     if (ERR_GET_LIB(err) == ERR_LIB_SSL &&
@@ -995,8 +997,10 @@ static int ssl3_get_server_hello(SSL_HANDSHAKE *hs) {
   }
   ssl->s3->tmp.new_cipher = c;
 
-  /* Now that the cipher is known, initialize the handshake hash. */
-  if (!ssl3_init_handshake_hash(ssl)) {
+  /* Now that the cipher is known, initialize the handshake hash and hash the
+   * ServerHello. */
+  if (!ssl3_init_handshake_hash(ssl) ||
+      !ssl_hash_current_message(ssl)) {
     goto f_err;
   }
 
@@ -1051,12 +1055,13 @@ static int ssl3_get_server_hello(SSL_HANDSHAKE *hs) {
 
 static int ssl3_get_server_certificate(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     return ret;
   }
 
-  if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE)) {
+  if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
+      !ssl_hash_current_message(ssl)) {
     return -1;
   }
 
@@ -1098,7 +1103,7 @@ static int ssl3_get_cert_status(SSL_HANDSHAKE *hs) {
   CBS certificate_status, ocsp_response;
   uint8_t status_type;
 
-  int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     return ret;
   }
@@ -1110,6 +1115,10 @@ static int ssl3_get_cert_status(SSL_HANDSHAKE *hs) {
     return 1;
   }
 
+  if (!ssl_hash_current_message(ssl)) {
+    return -1;
+  }
+
   CBS_init(&certificate_status, ssl->init_msg, ssl->init_num);
   if (!CBS_get_u8(&certificate_status, &status_type) ||
       status_type != TLSEXT_STATUSTYPE_ocsp ||
@@ -1151,7 +1160,7 @@ static int ssl3_get_server_key_exchange(SSL_HANDSHAKE *hs) {
   EC_KEY *ecdh = NULL;
   EC_POINT *srvr_ecpoint = NULL;
 
-  int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     return ret;
   }
@@ -1168,6 +1177,10 @@ static int ssl3_get_server_key_exchange(SSL_HANDSHAKE *hs) {
     return 1;
   }
 
+  if (!ssl_hash_current_message(ssl)) {
+    return -1;
+  }
+
   /* Retain a copy of the original CBS to compute the signature over. */
   CBS server_key_exchange;
   CBS_init(&server_key_exchange, ssl->init_msg, ssl->init_num);
@@ -1381,7 +1394,7 @@ static int ssl3_get_server_key_exchange(SSL_HANDSHAKE *hs) {
 
 static int ssl3_get_certificate_request(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  int msg_ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int msg_ret = ssl->method->ssl_get_message(ssl);
   if (msg_ret <= 0) {
     return msg_ret;
   }
@@ -1394,7 +1407,8 @@ static int ssl3_get_certificate_request(SSL_HANDSHAKE *hs) {
     return 1;
   }
 
-  if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_REQUEST)) {
+  if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_REQUEST) ||
+      !ssl_hash_current_message(ssl)) {
     return -1;
   }
 
@@ -1447,12 +1461,13 @@ static int ssl3_get_certificate_request(SSL_HANDSHAKE *hs) {
 
 static int ssl3_get_server_hello_done(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     return ret;
   }
 
-  if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO_DONE)) {
+  if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO_DONE) ||
+      !ssl_hash_current_message(ssl)) {
     return -1;
   }
 
@@ -1831,12 +1846,13 @@ static int ssl3_send_channel_id(SSL_HANDSHAKE *hs) {
 
 static int ssl3_get_new_session_ticket(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     return ret;
   }
 
-  if (!ssl_check_message_type(ssl, SSL3_MT_NEW_SESSION_TICKET)) {
+  if (!ssl_check_message_type(ssl, SSL3_MT_NEW_SESSION_TICKET) ||
+      !ssl_hash_current_message(ssl)) {
     return -1;
   }
 

ssl/handshake_server.c

@@ -815,7 +815,7 @@ static int ssl3_get_client_hello(SSL_HANDSHAKE *hs) {
 
   if (hs->state == SSL3_ST_SR_CLNT_HELLO_A) {
     /* The first time around, read the ClientHello. */
-    int msg_ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+    int msg_ret = ssl->method->ssl_get_message(ssl);
     if (msg_ret <= 0) {
       return msg_ret;
     }
@@ -1026,8 +1026,10 @@ static int ssl3_get_client_hello(SSL_HANDSHAKE *hs) {
     goto f_err;
   }
 
-  /* Now that all parameters are known, initialize the handshake hash. */
-  if (!ssl3_init_handshake_hash(ssl)) {
+  /* Now that all parameters are known, initialize the handshake hash and hash
+   * the ClientHello. */
+  if (!ssl3_init_handshake_hash(ssl) ||
+      !ssl_hash_current_message(ssl)) {
     goto f_err;
   }
 
@@ -1402,7 +1404,7 @@ static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   assert(hs->cert_request);
 
-  int msg_ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int msg_ret = ssl->method->ssl_get_message(ssl);
   if (msg_ret <= 0) {
     return msg_ret;
   }
@@ -1430,6 +1432,10 @@ static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs) {
     return -1;
   }
 
+  if (!ssl_hash_current_message(ssl)) {
+    return -1;
+  }
+
   CBS certificate_msg;
   CBS_init(&certificate_msg, ssl->init_msg, ssl->init_num);
 
@@ -1506,12 +1512,13 @@ static int ssl3_get_client_key_exchange(SSL_HANDSHAKE *hs) {
   uint8_t psk[PSK_MAX_PSK_LEN];
 
   if (hs->state == SSL3_ST_SR_KEY_EXCH_A) {
-    int ret = ssl->method->ssl_get_message(ssl, ssl_hash_message);
+    int ret = ssl->method->ssl_get_message(ssl);
     if (ret <= 0) {
       return ret;
     }
 
-    if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE)) {
+    if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE) ||
+        !ssl_hash_current_message(ssl)) {
       return -1;
     }
   }
@@ -1777,7 +1784,7 @@ static int ssl3_get_cert_verify(SSL_HANDSHAKE *hs) {
     return 1;
   }
 
-  int msg_ret = ssl->method->ssl_get_message(ssl, ssl_dont_hash_message);
+  int msg_ret = ssl->method->ssl_get_message(ssl);
   if (msg_ret <= 0) {
     return msg_ret;
   }
@@ -1873,13 +1880,13 @@ static int ssl3_get_cert_verify(SSL_HANDSHAKE *hs) {
  * sets the next_proto member in s if found */
 static int ssl3_get_next_proto(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  int ret =
-      ssl->method->ssl_get_message(ssl, ssl_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     return ret;
   }
 
-  if (!ssl_check_message_type(ssl, SSL3_MT_NEXT_PROTO)) {
+  if (!ssl_check_message_type(ssl, SSL3_MT_NEXT_PROTO) ||
+      !ssl_hash_current_message(ssl)) {
     return -1;
   }
 
@@ -1904,7 +1911,7 @@ static int ssl3_get_next_proto(SSL_HANDSHAKE *hs) {
 /* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
 static int ssl3_get_channel_id(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  int msg_ret = ssl->method->ssl_get_message(ssl, ssl_dont_hash_message);
+  int msg_ret = ssl->method->ssl_get_message(ssl);
   if (msg_ret <= 0) {
     return msg_ret;
   }

ssl/internal.h

@@ -1224,11 +1224,6 @@ int tls12_check_peer_sigalg(SSL *ssl, int *out_alert, uint16_t sigalg);
 /* From RFC4492, used in encoding the curve type in ECParameters */
 #define NAMED_CURVE_TYPE 3
 
-enum ssl_hash_message_t {
-  ssl_dont_hash_message,
-  ssl_hash_message,
-};
-
 typedef struct cert_st {
   EVP_PKEY *privatekey;
 
@@ -1307,7 +1302,7 @@ struct ssl_protocol_method_st {
   /* ssl_get_message reads the next handshake message. On success, it returns
    * one and sets |ssl->s3->tmp.message_type|, |ssl->init_msg|, and
    * |ssl->init_num|. Otherwise, it returns <= 0. */
-  int (*ssl_get_message)(SSL *ssl, enum ssl_hash_message_t hash_message);
+  int (*ssl_get_message)(SSL *ssl);
   /* get_current_message sets |*out| to the current handshake message. This
    * includes the protocol-specific message header. */
   void (*get_current_message)(const SSL *ssl, CBS *out);
@@ -1768,7 +1763,7 @@ int ssl_verify_alarm_type(long type);
 
 int ssl3_get_finished(SSL_HANDSHAKE *hs);
 int ssl3_send_alert(SSL *ssl, int level, int desc);
-int ssl3_get_message(SSL *ssl, enum ssl_hash_message_t hash_message);
+int ssl3_get_message(SSL *ssl);
 void ssl3_get_current_message(const SSL *ssl, CBS *out);
 void ssl3_release_current_message(SSL *ssl, int free_buffer);
 
@@ -1854,7 +1849,7 @@ int dtls1_accept(SSL *ssl);
 int dtls1_connect(SSL *ssl);
 void dtls1_free(SSL *ssl);
 
-int dtls1_get_message(SSL *ssl, enum ssl_hash_message_t hash_message);
+int dtls1_get_message(SSL *ssl);
 void dtls1_get_current_message(const SSL *ssl, CBS *out);
 void dtls1_release_current_message(SSL *ssl, int free_buffer);
 int dtls1_dispatch_alert(SSL *ssl);

ssl/s3_both.c

@@ -398,7 +398,7 @@ int ssl3_send_finished(SSL_HANDSHAKE *hs) {
 
 int ssl3_get_finished(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  int ret = ssl->method->ssl_get_message(ssl, ssl_dont_hash_message);
+  int ret = ssl->method->ssl_get_message(ssl);
   if (ret <= 0) {
     return ret;
   }
@@ -661,7 +661,7 @@ static int read_v2_client_hello(SSL *ssl) {
   return 1;
 }
 
-int ssl3_get_message(SSL *ssl, enum ssl_hash_message_t hash_message) {
+int ssl3_get_message(SSL *ssl) {
 again:
   /* Re-create the handshake buffer if needed. */
   if (ssl->init_buf == NULL) {
@@ -681,14 +681,9 @@ int ssl3_get_message(SSL *ssl, enum ssl_hash_message_t hash_message) {
   }
 
   if (ssl->s3->tmp.reuse_message) {
-    /* A ssl_dont_hash_message call cannot be combined with reuse_message; the
-     * ssl_dont_hash_message would have to have been applied to the previous
-     * call. */
-    assert(hash_message == ssl_hash_message);
+    /* There must be a current message. */
     assert(ssl->init_msg != NULL);
-
     ssl->s3->tmp.reuse_message = 0;
-    hash_message = ssl_dont_hash_message;
   } else {
     ssl3_release_current_message(ssl, 0 /* don't free buffer */);
   }
@@ -732,11 +727,6 @@ int ssl3_get_message(SSL *ssl, enum ssl_hash_message_t hash_message) {
     goto again;
   }
 
-  /* Feed this message into MAC computation. */
-  if (hash_message == ssl_hash_message && !ssl_hash_current_message(ssl)) {
-    return -1;
-  }
-
   return 1;
 }
 

ssl/s3_pkt.c

@@ -372,7 +372,7 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
       }
 
       /* Parse post-handshake handshake messages. */
-      int ret = ssl3_get_message(ssl, ssl_dont_hash_message);
+      int ret = ssl3_get_message(ssl);
       if (ret <= 0) {
         return ret;
       }

ssl/tls13_both.c

@@ -58,7 +58,7 @@ int tls13_handshake(SSL_HANDSHAKE *hs) {
       }
 
       case ssl_hs_read_message: {
-        int ret = ssl->method->ssl_get_message(ssl, ssl_dont_hash_message);
+        int ret = ssl->method->ssl_get_message(ssl);
         if (ret <= 0) {
           return ret;
         }