Separate client and server certificate_types.

This is the first of reorganizing state between connection state and handshake
state. The existing set are retained in cert_st for the server; they are server
configuration. The client gets a copy in s->s3->tmp alongside other handshake
state.

With other handshake state moved there, hopefully we can reset that state in
one go and possibly not even maintain it when there is no handshake in
progress.  Rather than currently where we sometimes confused connection state
and handshake state and have to reset as appropriate on renegotiate.

While I'm here, document the fields and name them something more useful than
'ctypes'.

Change-Id: Ib927579f0004fc5c6854fce2127625df669b2b6d
Reviewed-on: https://boringssl-review.googlesource.com/1113
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 72db840..fc2f2b0 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -476,6 +476,12 @@
 
 	int in_read_app_data;
 
+	/* State pertaining to the pending handshake.
+	 *
+	 * TODO(davidben): State is current spread all over the place. Move
+	 * pending handshake state here so it can be managed separately from
+	 * established connection state in case of renegotiations.
+	 */
 	struct	{
 		/* actually only needs to be 16+20 */
 		unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
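Review bot: The new comment above the struct has a typo, "State is current spread" should read "State is currently spread". Since this TODO is the only place that states the intended split between pending handshake state and established connection state, it would also help to say here which fields of tmp are expected to be valid only while a handshake is in progress, so later moves into this struct have a rule to follow.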
@@ -504,10 +510,22 @@
 
 		int reuse_message;
 
-		/* used for certificate requests */
+		/* Client-only: cert_req determines if a client certificate is
+		 * to be sent. This is 0 if no client Certificate message is to
+		 * be sent, 1 if there is a client certificate, and 2 to send an
+		 * empty client Certificate message. */
 		int cert_req;
+
+		/* Client-only: ca_names contains the list of CAs received in a
+		 * CertificateRequest message. */
 		STACK_OF(X509_NAME) *ca_names;
 
+		/* Client-only: certificate_types contains the set of
+		 * certificate types received in a CertificateRequest
+		 * message. */
+		unsigned char *certificate_types;
+		size_t num_certificate_types;
+
 		int use_rsa_tmp;
 
 		int key_block_length;
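Review bot: The new certificate_types / num_certificate_types pair is a raw pointer plus a separate length, and the comment does not say who owns the buffer or when it is released. Please document that tmp owns the allocation, and make sure every path that resets handshake state (including renegotiation, where a second CertificateRequest can arrive) frees the old buffer and sets num_certificate_types back to 0 in the same place, so the pointer and the length can never disagree. Separately, the cert_req comment defines the values 0, 1 and 2 in prose only; named constants would keep callers from comparing against bare integers.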
@@ -518,6 +536,9 @@
 		const EVP_MD *new_hash;
 		int new_mac_pkey_type;
 		int new_mac_secret_size;
+
+		/* Server-only: cert_request is true if a client certificate was
+		 * requested. */
 		int cert_request;
 		} tmp;
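Review bot: After this change the same struct holds a client-only cert_req and a server-only cert_request whose names differ by a few letters, which makes it easy to read or write the wrong one. Since the commit is already renaming fields for clarity, consider renaming one of them, or at least have each comment point at the other field. The comment also calls cert_request "true" while the field is an int, so state that it is 0 or 1 to distinguish it from the three-valued cert_req.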