Switch application traffic keys at the right time in Go TLS 1.3.
The server must switch the outgoing keys early so that client certificate alerts are sent with the right keys. (Also so that half-RTT data may be sent.) Change-Id: Id5482c811aa0b747ab646453b3856a83f23d3f06 Reviewed-on: https://boringssl-review.googlesource.com/8791 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
parent
90bf7104de
commit
2aad406b1b
@ -478,6 +478,10 @@ Curves:
|
||||
masterSecret := hs.finishedHash.extractKey(handshakeSecret, hs.finishedHash.zeroSecret())
|
||||
trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
|
||||
|
||||
// Switch to application data keys on write. In particular, any alerts
|
||||
// from the client certificate are sent over these keys.
|
||||
c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite), c.vers)
|
||||
|
||||
// If we requested a client certificate, then the client must send a
|
||||
// certificate message, even if it's empty.
|
||||
if config.ClientAuth >= RequestClientCert {
|
||||
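Review bot: The new comment above `c.out.updateKeys(...)` should state that from this point until the client's Finished has been verified, anything the server writes is half-RTT data sent to a peer that has not yet been authenticated — the switch itself is correct (alerts from the client-certificate path must go out under these keys), but the comment currently says only "any alerts from the client certificate are sent over these keys". Suggested addition after that comment: `// Note that anything written before the client's Finished is verified is half-RTT data to a not-yet-authenticated peer; callers that require client auth must not send application data until the handshake completes.` The `if config.ClientAuth >= RequestClientCert` block and the enclosing handshake function start and end outside this hunk.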
@ -548,8 +552,7 @@ Curves:
|
||||
}
|
||||
hs.writeClientHash(clientFinished.marshal())
|
||||
|
||||
// Switch to application data keys.
|
||||
c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite), c.vers)
|
||||
// Switch to application data keys on read.
|
||||
c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite), c.vers)
|
||||
|
||||
// TODO(davidben): Derive and save the resumption master secret for receiving tickets.
|
||||
|
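Review bot: The comment `// Switch to application data keys on read.` should record the ordering invariant the commit establishes, since the matching write switch now lives in a different part of the function and a later edit could re-introduce the earlier `c.out.updateKeys` by mistake: `// Write keys were already switched when trafficSecret was derived; reads stay under handshake keys until the client's Finished has been consumed above.` Whether `clientFinished` has been verified before `hs.writeClientHash` is not visible in this hunk, so I assume it is. The enclosing function starts and ends outside this hunk.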