Add initial, experimental support for split handshakes.
Split handshakes allows the handshaking of a TLS connection to be
performed remotely. This encompasses not just the private-key and ticket
operations – support for that was already available – but also things
such as selecting the certificates and cipher suites.
See the comment block in ssl.h for details. This is highly experimental
and will change significantly before it's settled.
Change-Id: I337bdfa4c3262169e9b79dd4e70b57f0d380fcad
Reviewed-on: https://boringssl-review.googlesource.com/25387
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index f2b2f6d..937c9fe 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1257,6 +1257,7 @@
ssl_hs_read_message,
ssl_hs_flush,
ssl_hs_certificate_selection_pending,
+ ssl_hs_handoff,
ssl_hs_x509_lookup,
ssl_hs_channel_id_lookup,
ssl_hs_private_key_operation,
@@ -2173,6 +2174,11 @@
// false_start_allowed_without_alpn is whether False Start (if
// |SSL_MODE_ENABLE_FALSE_START| is enabled) is allowed without ALPN.
bool false_start_allowed_without_alpn:1;
+
+ // handoff indicates that a server should stop after receiving the
+ // ClientHello and pause the handshake in such a way that |SSL_get_error|
+ // returns |SSL_HANDOFF|.
+ bool handoff:1;
};
// An ssl_shutdown_t describes the shutdown state of one end of the connection,
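Review bot: The new `handoff` comment says only that "a server should stop"; it does not say what the bit does on a connection acting as a client, or what its default is. The same gap is in the per-connection copy added in the later hunk after `retain_only_sha256_of_client_certs`. The commit message describes performing the handshake remotely, so anyone auditing where handshake state can leave the process needs to know exactly when this bit takes effect. If the bit is ignored for clients, I would add `// It has no effect on client connections and defaults to false.` to both comments, after confirming against the handshake code, which is not part of this excerpt. Both struct bodies start outside their hunks.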
@@ -2537,8 +2543,8 @@
// session info
- // client cert?
- // This is used to hold the server certificate used
+ // This is used to hold the local certificate used (i.e. the server
+ // certificate for a server or the client certificate for a client).
CERT *cert;
// initial_timeout_duration_ms is the default DTLS timeout duration in
@@ -2658,6 +2664,12 @@
// hash of the peer's certificate and then discard it to save memory and
// session space. Only effective on the server side.
bool retain_only_sha256_of_client_certs:1;
+
+ // handoff indicates that a server should stop after receiving the
+ // ClientHello and pause the handshake in such a way that |SSL_get_error|
+ // returns |SSL_HANDOFF|. This is copied in |SSL_new| from the |SSL_CTX|
+ // element of the same name and may be cleared if the handoff is declined.
+ bool handoff:1;
};
// From draft-ietf-tls-tls13-18, used in determining PSK modes.
@@ -2847,6 +2859,16 @@
void dtls1_next_message(SSL *ssl);
int dtls1_dispatch_alert(SSL *ssl);
+// tls1_configure_aead configures either the read or write direction AEAD (as
+// determined by |direction|) using the keys generated by the TLS KDF. The
+// |key_block_cache| argument is used to store the generated key block, if
+// empty. Otherwise it's assumed that the key block is already contained within
+// it. Returns one on success or zero on error.
+int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
+ Array<uint8_t> *key_block_cache,
+ const SSL_CIPHER *cipher,
+ Span<const uint8_t> iv_override);
+
int tls1_change_cipher_state(SSL_HANDSHAKE *hs, evp_aead_direction_t direction);
int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
Span<const uint8_t> premaster);
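Review bot: The comment on `tls1_configure_aead` never describes `iv_override`, and it says a non-empty `key_block_cache` is simply "assumed" to already hold the key block. With split handshakes that cache may presumably be filled from state produced elsewhere. The contract should therefore say whether the function checks the cached block's length against the key, MAC and IV sizes for `cipher` before slicing it, or whether the caller must guarantee it. I would add one sentence on what an empty versus non-empty `iv_override` means, and one on the length requirement, e.g. `// A non-empty |key_block_cache| must be exactly the key block length for |cipher|.` if that is what the implementation enforces. The definition is not visible in this hunk.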