[tls] Support RFC5746 secure renegotiation

Support renegotiation with servers supporting RFC5746. This allows for the use of per-directory client certificates. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-12-19 19:49:45 +03:00 · 2017-07-04 12:51:29 +01:00
parent c20da4fc5c
commit 1e4a3f5bab
2 changed files with 203 additions and 19 deletions
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -108,6 +108,17 @@ struct tls_header {
 /* TLS signature algorithms extension */
 #define TLS_SIGNATURE_ALGORITHMS 13

+/* TLS renegotiation information extension */
+#define TLS_RENEGOTIATION_INFO 0xff01
+
+/** TLS verification data */
+struct tls_verify_data {
+	/** Client verification data */
+	uint8_t client[12];
+	/** Server verification data */
+	uint8_t server[12];
+} __attribute__ (( packed ));
+
 /** TLS RX state machine state */
 enum tls_rx_state {
 	TLS_RX_HEADER = 0,
@@ -271,6 +282,10 @@ struct tls_session {
 	uint8_t *handshake_ctx;
 	/** Client certificate (if used) */
 	struct x509_certificate *cert;
+	/** Secure renegotiation flag */
+	int secure_renegotiation;
+	/** Verification data */
+	struct tls_verify_data verify;

 	/** Server certificate chain */
 	struct x509_chain *chain;