diff options
author | Martin Thomson <martin.thomson@gmail.com> | 2017-09-11 16:42:38 +0200 |
---|---|---|
committer | Martin Thomson <martin.thomson@gmail.com> | 2017-09-11 16:42:38 +0200 |
commit | fa4ad4296cbacf6cf5fb7d27bf2a44e0ecbdf134 (patch) | |
tree | a66d510f1401796b3243e327d640caf544a99cfc | |
parent | 96ddf41932cd0736fd2c8df288281303ef131fc5 (diff) | |
download | nss-hg-fa4ad4296cbacf6cf5fb7d27bf2a44e0ecbdf134.tar.gz |
Bug 1377618 - Simplify handling of CertificateVerify, r=kaie
-rw-r--r-- | lib/ssl/ssl3con.c | 21 | ||||
-rw-r--r-- | lib/ssl/ssl3prot.h | 2 |
2 files changed, 11 insertions, 12 deletions
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c index 9a64646d2..186ce23f3 100644 --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c @@ -9774,13 +9774,12 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, hashAlg = ssl_SignatureSchemeToHashType(sigScheme); - if (hashes->u.pointer_to_hash_input.data) { - rv = ssl3_ComputeHandshakeHash(hashes->u.pointer_to_hash_input.data, - hashes->u.pointer_to_hash_input.len, - hashAlg, &localHashes); - } else { - rv = SECFailure; - } + /* Read from the message buffer, but we need to use only up to the end + * of the previous handshake message. The length of the transcript up to + * that point is saved in |hashes->u.transcriptLen|. */ + rv = ssl3_ComputeHandshakeHash(ss->ssl3.hs.messages.buf, + hashes->u.transcriptLen, + hashAlg, &localHashes); if (rv == SECSuccess) { hashesForVerify = &localHashes; @@ -11680,15 +11679,15 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length, * additional handshake messages will have been added to the * buffer, e.g. the certificate_verify message itself.) * - * Therefore, we use SSL3Hashes.u.pointer_to_hash_input - * to signal the current state of the buffer. + * Therefore, we use SSL3Hashes.u.transcriptLen to save how much + * data there is and read directly from ss->ssl3.hs.messages + * when calculating the hashes. * * ssl3_HandleCertificateVerify will detect * hashType == handshake_hash_record * and use that information to calculate the hash. */ - hashes.u.pointer_to_hash_input.data = ss->ssl3.hs.messages.buf; - hashes.u.pointer_to_hash_input.len = ss->ssl3.hs.messages.len; + hashes.u.transcriptLen = ss->ssl3.hs.messages.len; hashesPtr = &hashes; } else { computeHashes = PR_TRUE; diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h index 146cba4f4..35c7e547d 100644 --- a/lib/ssl/ssl3prot.h +++ b/lib/ssl/ssl3prot.h @@ -237,7 +237,7 @@ typedef struct { union { PRUint8 raw[64]; SSL3HashesIndividually s; - SECItem pointer_to_hash_input; + unsigned int transcriptLen; } u; } SSL3Hashes; |