From 1e4a3f5babdf46c8c47b6bbaf8c197b4c94d6964 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Tue, 4 Jul 2017 12:51:29 +0100
Subject: [tls] Support RFC5746 secure renegotiation

Support renegotiation with servers supporting RFC5746.  This allows
for the use of per-directory client certificates.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/include/ipxe/tls.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'src/include')

diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 7d982c32..7345fbee 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -108,6 +108,17 @@ struct tls_header {
 /* TLS signature algorithms extension */
 #define TLS_SIGNATURE_ALGORITHMS 13
 
+/* TLS renegotiation information extension */
+#define TLS_RENEGOTIATION_INFO 0xff01
+
+/** TLS verification data */
+struct tls_verify_data {
+	/** Client verification data */
+	uint8_t client[12];
+	/** Server verification data */
+	uint8_t server[12];
+} __attribute__ (( packed ));
+
 /** TLS RX state machine state */
 enum tls_rx_state {
 	TLS_RX_HEADER = 0,
@@ -271,6 +282,10 @@ struct tls_session {
 	uint8_t *handshake_ctx;
 	/** Client certificate (if used) */
 	struct x509_certificate *cert;
+	/** Secure renegotiation flag */
+	int secure_renegotiation;
+	/** Verification data */
+	struct tls_verify_data verify;
 
 	/** Server certificate chain */
 	struct x509_chain *chain;
-- 
cgit v1.2.3-55-g7522