kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Switch application traffic keys at the right time in Go TLS 1.3.

Browse Source 
The server must switch the outgoing keys early so that client
certificate alerts are sent with the right keys. (Also so that half-RTT
data may be sent.)

Change-Id: Id5482c811aa0b747ab646453b3856a83f23d3f06
Reviewed-on: https://boringssl-review.googlesource.com/8791
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2016-07-14 23:15:40 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 90bf7104de
commit 2aad406b1b
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ssl/test/runner/handshake_server.go
View File

@ -478,6 +478,10 @@ Curves:
masterSecret := hs.finishedHash.extractKey(handshakeSecret, hs.finishedHash.zeroSecret()) masterSecret := hs.finishedHash.extractKey(handshakeSecret, hs.finishedHash.zeroSecret())
trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel) trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
// Switch to application data keys on write. In particular, any alerts
// from the client certificate are sent over these keys.
c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite), c.vers)
// If we requested a client certificate, then the client must send a // If we requested a client certificate, then the client must send a
// certificate message, even if it's empty. // certificate message, even if it's empty.
if config.ClientAuth >= RequestClientCert { if config.ClientAuth >= RequestClientCert {
@ -548,8 +552,7 @@ Curves:
} }
hs.writeClientHash(clientFinished.marshal()) hs.writeClientHash(clientFinished.marshal())
// Switch to application data keys. // Switch to application data keys on read.
c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite), c.vers)
c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite), c.vers) c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite), c.vers)
// TODO(davidben): Derive and save the resumption master secret for receiving tickets. // TODO(davidben): Derive and save the resumption master secret for receiving tickets.