From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 27 Aug 2020 09:51:58 +0000 (+0200)
Subject: tls-peer: Add support to handle KeyUpdate message
X-Git-Tag: 5.9.2rc1~23^2~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bfcb49b3935b38f580c34451268483025bc3fba7;p=thirdparty%2Fstrongswan.git

tls-peer: Add support to handle KeyUpdate message

We currently don't support switching our own keys and sending the
message if requested by the server.
---

diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 95fee05fe6..a63b9fc5b4 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -1029,6 +1029,36 @@ static status_t process_new_session_ticket(private_tls_peer_t *this,
 	return NEED_MORE;
 }
 
+/**
+ * Process KeyUpdate message
+ */
+static status_t process_key_update(private_tls_peer_t *this,
+								   bio_reader_t *reader)
+{
+	uint8_t update_requested;
+
+	if (!reader->read_uint8(reader, &update_requested) ||
+		update_requested > 1)
+	{
+		DBG1(DBG_TLS, "received invalid KeyUpdate");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	if (!this->crypto->update_app_keys(this->crypto, TRUE))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->crypto->change_cipher(this->crypto, TRUE);
+
+	if (update_requested)
+	{
+		DBG1(DBG_TLS, "server requested KeyUpdate, currently not supported");
+	}
+	return NEED_MORE;
+}
+
 METHOD(tls_handshake_t, process, status_t,
 	private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
 {
@@ -1135,6 +1165,10 @@ METHOD(tls_handshake_t, process, status_t,
 				{
 					return process_new_session_ticket(this, reader);
 				}
+				if (type == TLS_KEY_UPDATE)
+				{
+					return process_key_update(this, reader);
+				}
 				expected = TLS_NEW_SESSION_TICKET;
 				break;
 			default: