[tls] Clean up change cipher spec record handling

Define and use data structures and constants for the (single-byte)
change cipher spec records.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 6fcb69bef44f3d6d8012333013b689067136650b..99c7be019b491c623b01d5e081e41a8f08634c60 100644 (file)
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -52,6 +52,9 @@ struct tls_header {
 /** Change cipher content type */
 #define TLS_TYPE_CHANGE_CIPHER 20
 
+/** Change cipher spec magic byte */
+#define TLS_CHANGE_CIPHER_SPEC 1
+
 /** Alert content type */
 #define TLS_TYPE_ALERT 21
 

diff --git a/src/net/tls.c b/src/net/tls.c
index 8996296263ed4216876b6485bfb3a0bbc9cb1317..e0231b1c40e53bd21750f9ff0b5714ae05b2d94d 100644 (file)
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -1682,9 +1682,14 @@ static int tls_send_certificate_verify ( struct tls_connection *tls ) {
  * @ret rc             Return status code
  */
 static int tls_send_change_cipher ( struct tls_connection *tls ) {
-       static const uint8_t change_cipher[1] = { 1 };
+       static const struct {
+               uint8_t spec;
+       } __attribute__ (( packed )) change_cipher = {
+               .spec = TLS_CHANGE_CIPHER_SPEC,
+       };
+
        return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
-                                   change_cipher, sizeof ( change_cipher ) );
+                                   &change_cipher, sizeof ( change_cipher ) );
 }
 
 /**
@@ -1737,14 +1742,20 @@ static int tls_send_finished ( struct tls_connection *tls ) {
  */
 static int tls_new_change_cipher ( struct tls_connection *tls,
                                   const void *data, size_t len ) {
+       const struct {
+               uint8_t spec;
+       } __attribute__ (( packed )) *change_cipher = data;
        int rc;
 
-       if ( ( len != 1 ) || ( *( ( uint8_t * ) data ) != 1 ) ) {
+       /* Sanity check */
+       if ( ( sizeof ( *change_cipher ) != len ) ||
+            ( change_cipher->spec != TLS_CHANGE_CIPHER_SPEC ) ) {
                DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
-               DBGC_HD ( tls, data, len );
+               DBGC_HD ( tls, change_cipher, len );
                return -EINVAL_CHANGE_CIPHER;
        }
 
+       /* Change receive cipher spec */
        if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
                                        &tls->rx_cipherspec ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",