tls-crypto: Move AEAD ownership to the protection layer
This separates key derivation from key switching.
parent
534a781646
commit
6b23543abd
|
@ -2162,8 +2162,17 @@ static bool derive_labeled_keys(private_tls_crypto_t *this,
|
||||||
tls_hkdf_label_t client_label,
|
tls_hkdf_label_t client_label,
|
||||||
tls_hkdf_label_t server_label)
|
tls_hkdf_label_t server_label)
|
||||||
{
|
{
|
||||||
tls_aead_t *aead_c = this->aead_out, *aead_s = this->aead_in;
|
tls_aead_t *aead_c, *aead_s;
|
||||||
|
suite_algs_t *algs;
|
||||||
|
|
||||||
|
algs = find_suite(this->suite);
|
||||||
|
destroy_aeads(this);
|
||||||
|
if (!create_aead(this, algs))
|
||||||
|
{
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
aead_c = this->aead_out;
|
||||||
|
aead_s = this->aead_in;
|
||||||
if (this->tls->is_server(this->tls))
|
if (this->tls->is_server(this->tls))
|
||||||
{
|
{
|
||||||
aead_c = this->aead_in;
|
aead_c = this->aead_in;
|
||||||
|
@ -2209,8 +2218,15 @@ METHOD(tls_crypto_t, derive_app_keys, bool,
|
||||||
METHOD(tls_crypto_t, update_app_keys, bool,
|
METHOD(tls_crypto_t, update_app_keys, bool,
|
||||||
private_tls_crypto_t *this, bool inbound)
|
private_tls_crypto_t *this, bool inbound)
|
||||||
{
|
{
|
||||||
|
suite_algs_t *algs;
|
||||||
tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
|
tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
|
||||||
|
|
||||||
|
algs = find_suite(this->suite);
|
||||||
|
destroy_aeads(this);
|
||||||
|
if (!create_aead(this, algs))
|
||||||
|
{
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
if (this->tls->is_server(this->tls) != inbound)
|
if (this->tls->is_server(this->tls) != inbound)
|
||||||
{
|
{
|
||||||
label = TLS_HKDF_UPD_S_TRAFFIC;
|
label = TLS_HKDF_UPD_S_TRAFFIC;
|
||||||
|
@ -2264,10 +2280,12 @@ METHOD(tls_crypto_t, change_cipher, void,
|
||||||
if (inbound)
|
if (inbound)
|
||||||
{
|
{
|
||||||
this->protection->set_cipher(this->protection, TRUE, this->aead_in);
|
this->protection->set_cipher(this->protection, TRUE, this->aead_in);
|
||||||
|
this->aead_in = NULL;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
this->protection->set_cipher(this->protection, FALSE, this->aead_out);
|
this->protection->set_cipher(this->protection, FALSE, this->aead_out);
|
||||||
|
this->aead_out = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
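Review bot: In `update_app_keys` the added `destroy_aeads(this);` / `create_aead(this, algs)` pair rebuilds both directions although the update applies only to the direction selected by `inbound`, so the other direction's new AEAD presumably remains unkeyed in `this->aead_in` or `this->aead_out`. A later `change_cipher` for that other direction would hand the unkeyed object to `set_cipher`, and a repeated `change_cipher` for the same direction would pass NULL now that the pointer is cleared after the handoff; in both cases the working cipher is destroyed and the sequence number reset. Consider recreating only the direction being updated and guarding the handoff, e.g. `if (this->aead_in) { this->protection->set_cipher(this->protection, TRUE, this->aead_in); this->aead_in = NULL; }`, if no caller relies on installing NULL. The result of `find_suite(this->suite)` is also passed to `create_aead` unchecked in both `derive_labeled_keys` and `update_app_keys`; unless `create_aead` tolerates NULL (not visible here), add `if (!algs) { return FALSE; }`. The bodies of all three functions continue outside the hunks shown.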
@ -123,11 +123,13 @@ METHOD(tls_protection_t, set_cipher, void,
|
||||||
{
|
{
|
||||||
if (inbound)
|
if (inbound)
|
||||||
{
|
{
|
||||||
|
DESTROY_IF(this->aead_in);
|
||||||
this->aead_in = aead;
|
this->aead_in = aead;
|
||||||
this->seq_in = 0;
|
this->seq_in = 0;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
DESTROY_IF(this->aead_out);
|
||||||
this->aead_out = aead;
|
this->aead_out = aead;
|
||||||
this->seq_out = 0;
|
this->seq_out = 0;
|
||||||
}
|
}
|
||||||
|
@ -142,6 +144,8 @@ METHOD(tls_protection_t, set_version, void,
|
||||||
METHOD(tls_protection_t, destroy, void,
|
METHOD(tls_protection_t, destroy, void,
|
||||||
private_tls_protection_t *this)
|
private_tls_protection_t *this)
|
||||||
{
|
{
|
||||||
|
DESTROY_IF(this->aead_in);
|
||||||
|
DESTROY_IF(this->aead_out);
|
||||||
free(this);
|
free(this);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
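Review bot: `set_cipher` now frees the installed AEAD with `DESTROY_IF(this->aead_in);` / `DESTROY_IF(this->aead_out);` before storing the new pointer, but nothing rejects a call that passes the pointer already installed, which would leave the member dangling after the free. The `change_cipher` caller in `tls_crypto_t` avoids this by clearing its own pointer after the handoff, yet that contract is only implicit; a guard such as `if (aead != this->aead_in) { DESTROY_IF(this->aead_in); }` (and the same for `aead_out`) makes it local to this method. The method should also carry a comment stating that ownership of `aead` transfers to the protection layer, that the previous cipher is destroyed, and what a NULL `aead` means for that direction, which is not visible in this hunk. The start of `set_cipher` lies outside the hunk.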