author | Daiki Ueno <dueno@redhat.com> | 2018-10-05 10:41:23 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2018-11-11 07:03:43 +0100 |
commit | 787aad1b016d82ebc4a1eda53d30de48f2841311 (patch) | |
tree | f599e94880a77631a6e45ae49fe98e52a341f068 /lib/handshake.c | |
parent | 53d28c0461465e800821f81a092e3d7e43f60fbc (diff) | |
handshake: record transcript hash for ClientHello
This is necessary to compute client_early_traffic_secret and
early_exporter_master_secret in TLS 1.3.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'lib/handshake.c')
-rw-r--r-- | lib/handshake.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/handshake.c b/lib/handshake.c
index a20c7a302a..a760e6d465 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -80,6 +80,7 @@ handshake_hash_buffer_reset(gnutls_session_t session)
 {
 _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n");
+ session->internals.handshake_hash_buffer_client_hello_len = 0;
 session->internals.handshake_hash_buffer_client_kx_len = 0;
 session->internals.handshake_hash_buffer_server_finished_len = 0;
 session->internals.handshake_hash_buffer_client_finished_len = 0;
@@ -1408,6 +1409,9 @@ handshake_hash_add_recvd(gnutls_session_t session,
 /* save the size until client KX. That is because the TLS
 * session hash is calculated up to this message.
 */
+ if (recv_type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
+ session->internals.handshake_hash_buffer_client_hello_len =
+ session->internals.handshake_hash_buffer.length;
 if (recv_type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
 session->internals.handshake_hash_buffer_client_kx_len =
 session->internals.handshake_hash_buffer.length;
@@ -1459,6 +1463,9 @@ handshake_hash_add_sent(gnutls_session_t session,
 if (ret < 0)
 return gnutls_assert_val(ret);
+ if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
+ session->internals.handshake_hash_buffer_client_hello_len =
+ session->internals.handshake_hash_buffer.length;
 if (type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
 session->internals.handshake_hash_buffer_client_kx_len =
 session->internals.handshake_hash_buffer.length;
|
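Review bot: In handshake_hash_buffer_reset the new field is cleared to 0, and in handshake_hash_add_recvd and handshake_hash_add_sent (second and third hunks) it is overwritten whenever a ClientHello passes through, so 0 doubles as "not recorded" and a later ClientHello silently replaces an earlier value. The code that derives client_early_traffic_secret and early_exporter_master_secret from this prefix is not part of this diff. It should presumably refuse a length that is zero or larger than the buffer rather than hash an empty or stale transcript, for example `if (len == 0 || len > session->internals.handshake_hash_buffer.length) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);`. It is also worth confirming which ClientHello the value refers to when more than one can be sent in a handshake. The function bodies start and end outside the hunks.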
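Review bot: The existing comment in handshake_hash_add_recvd ("save the size until client KX ...") now sits directly above the new ClientHello branch, so it reads as if it explained that branch, and nothing states why the ClientHello length is kept. I would place the new `if` above that comment and give it its own, e.g. `/* save the size up to ClientHello: the TLS 1.3 early secrets are computed over the transcript ending at this message */`. The matching assignment in handshake_hash_add_sent (third hunk) has no comment either and could carry the same line. Both functions continue outside their hunks, so the surrounding layout should be checked before moving anything.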