Google Git
Sign in
boringssl / boringssl.git / 1258b6a756674d63f172602d8041ccc0dffd03d1^! / . / ssl / ssl3.h
commit1258b6a756674d63f172602d8041ccc0dffd03d1[log] [tgz]
authorAdam Langley <agl@chromium.org>Fri Jun 20 12:00:00 2014 -0700
committerAdam Langley <agl@chromium.org>Fri Jun 20 13:17:33 2014 -0700
treea21f01ed557e31f9cda67664dda3d96d0b779da4
parent75872534c2e9f04e762543e44fa93183a76fac22 [diff] [blame]
ChannelID support.

Implement ChannelID as both a client and server.

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index eb179e2..04d2e0c 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h

@@ -589,6 +589,22 @@
 	unsigned char *alpn_selected;
 	unsigned alpn_selected_len;
 #endif	/* OPENSSL_NO_TLSEXT */
+
+	/* In a client, this means that the server supported Channel ID and that
+	 * a Channel ID was sent. In a server it means that we echoed support
+	 * for Channel IDs and that tlsext_channel_id will be valid after the
+	 * handshake. */
+	char tlsext_channel_id_valid;
+	/* tlsext_channel_id_new means that the updated Channel ID extension
+	 * was negotiated. This is a temporary hack in the code to support both
+	 * forms of Channel ID extension while we transition to the new format,
+	 * which fixed a security issue. */
+	char tlsext_channel_id_new;
+	/* For a server:
+	 *     If |tlsext_channel_id_valid| is true, then this contains the
+	 *     verified Channel ID from the client: a P256 point, (x,y), where
+	 *     each are big-endian values. */
+	unsigned char tlsext_channel_id[64];
 	} SSL3_STATE;
 
 #endif
@@ -631,6 +647,8 @@
 #define SSL3_ST_CW_NEXT_PROTO_A		(0x200|SSL_ST_CONNECT)
 #define SSL3_ST_CW_NEXT_PROTO_B		(0x201|SSL_ST_CONNECT)
 #endif
+#define SSL3_ST_CW_CHANNEL_ID_A		(0x220|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CHANNEL_ID_B		(0x221|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_A		(0x1B0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_B		(0x1B1|SSL_ST_CONNECT)
 /* read from server */
@@ -681,6 +699,9 @@
 #define SSL3_ST_SR_NEXT_PROTO_A		(0x210|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_NEXT_PROTO_B		(0x211|SSL_ST_ACCEPT)
 #endif
+#define SSL3_ST_SR_POST_CLIENT_CERT	(0x1BF|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CHANNEL_ID_A		(0x230|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CHANNEL_ID_B		(0x231|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_FINISHED_A		(0x1C0|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_FINISHED_B		(0x1C1|SSL_ST_ACCEPT)
 /* write to client */
@@ -711,6 +732,7 @@
 #ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_MT_NEXT_PROTO			67
 #endif
+#define SSL3_MT_ENCRYPTED_EXTENSIONS		203
 #define DTLS1_MT_HELLO_VERIFY_REQUEST    3