Introduce key usage limits under TLS1.3

That introduces a transparent key update for sending key after the safety limit is reached. Resolves #130 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-11-20 16:01:29 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2018-02-19 15:29:36 +0100
commit: 960c8cae91d0496e8317c8d9ee3afeab30b41457 (patch)
tree: 773d9e2deb12e0c0b2dd4b87cb00e232dc199f54 /lib/record.c
parent: 8700a99233f53e4f491e8ffaebaf09285651ed08 (diff)
download: gnutls-960c8cae91d0496e8317c8d9ee3afeab30b41457.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/record.c b/lib/record.c
index 3f2d543868..cee139d80c 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -581,6 +581,17 @@ _gnutls_send_tlen_int(gnutls_session_t session, content_type_t type,
 	     _gnutls_packet2str(type), type, (int) record_params->epoch,
 	     (int) cipher_size);
 
+	if (vers->tls13_sem && !(session->internals.flags & GNUTLS_NO_AUTO_REKEY) &&
+	    !(record_params->cipher->no_rekey)) {
+		if (unlikely(record_state->sequence_number.i[7] == 0xfd &&
+		    record_state->sequence_number.i[6] == 0xff &&
+		    record_state->sequence_number.i[5] == 0xff)) {
+			/* After we have sent 2^24 messages, mark the session
+			 * as needing a key update. */
+			session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_1;
+		}
+	}
+
 	return retval;
 }
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-11-20 16:01:29 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2018-02-19 15:29:36 +0100
commit	960c8cae91d0496e8317c8d9ee3afeab30b41457 (patch)
tree	773d9e2deb12e0c0b2dd4b87cb00e232dc199f54 /lib/record.c
parent	8700a99233f53e4f491e8ffaebaf09285651ed08 (diff)
download	gnutls-960c8cae91d0496e8317c8d9ee3afeab30b41457.tar.gz