gnutls-devel

Re: [PATCH 2/2] Explicit symmetric cipher state versionning.


From: Nikos Mavrogiannopoulos
Subject: Re: [PATCH 2/2] Explicit symmetric cipher state versionning.
Date: Fri, 17 Sep 2010 08:23:01 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100826 Thunderbird/3.0.7

On 09/17/2010 05:32 AM, Jonathan Bastien-Filiatrault wrote:
> This introduces the concept of a "cipher epoch". The epoch number is
> the number of successful handshakes and is incremented by one each
> time. This concept is native to DTLS and this patch makes the
> symmetric cipher state explicit for TLS in preparation for DTLS. This
> concept was implicit in plain TLS and ChangeCipherSpec messages
> triggered a "pending state copy". Now, the current epoch number is
> simply incremented to the parameters negotiated by the handshake.
> 
> The main side effects of this patch are a slightly more abstract
> internal API and, in some cases, simpler code. The session blob format
> is also changed a bit since this patch avoids storing information that
> is now redundant. If this breaks library users' expectations, this
> side effect can be negated.
> 
> The cipher_specs structure has been removed. The conn_state has become
> record_state_st. Only symmetric cipher information is
> versioned. Things such as key exchange algorithm and the master secret
> are not versioned and their handling is unchanged.

I like the changes. I've committed them!

regards,
Nikos
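
The epoch model described in the quoted commit message, as an added sketch that is not part of the original message and not GnuTLS code: negotiated symmetric parameters are stored under the next epoch number, and ChangeCipherSpec advances the current epoch instead of copying a pending state. All type and function names, the window size and the immediate retirement of the previous epoch are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_EPOCHS 4            /* assumed size of the window of stored epochs */

/* Hypothetical per-epoch symmetric parameters; not GnuTLS's record_state_st. */
typedef struct {
    int      in_use;
    uint16_t epoch;
    int      cipher_id;         /* constructed sample value */
    uint8_t  key[16];
} epoch_params;

typedef struct {
    uint16_t     current;       /* epoch whose parameters protect records now */
    epoch_params slot[MAX_EPOCHS];
} session;

/* Return the parameters installed for an epoch, or NULL if there are none.
 * A zero-initialised session has nothing at epoch 0 (no record protection). */
epoch_params *epoch_get(session *s, uint16_t epoch) {
    epoch_params *p = &s->slot[epoch % MAX_EPOCHS];
    return (p->in_use && p->epoch == epoch) ? p : NULL;
}

/* Handshake result: store the negotiated parameters under current + 1. */
int epoch_install_next(session *s, int cipher_id, const uint8_t key[16]) {
    uint16_t next = (uint16_t)(s->current + 1);
    if (next == 0) return -1;                  /* refuse to wrap the epoch */
    epoch_params *p = &s->slot[next % MAX_EPOCHS];
    p->in_use = 1;
    p->epoch = next;
    p->cipher_id = cipher_id;
    memcpy(p->key, key, sizeof p->key);
    return 0;
}

/* ChangeCipherSpec: no state copy, only an increment. Fails closed when no
 * parameters were negotiated for the next epoch. */
int epoch_activate_next(session *s) {
    uint16_t next = (uint16_t)(s->current + 1);
    if (next == 0 || epoch_get(s, next) == NULL) return -1;
    epoch_params *old = epoch_get(s, s->current);
    if (old) memset(old, 0, sizeof *old);      /* assumption: retire old keys at once */
    s->current = next;
    return 0;
}
```
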


