@@ -367,6 +367,7 @@
- bit 7: The client is capable of sending exit notification via control channel using ``EXIT`` message. Also, the client is accepting the protocol-flags pushed option for the EKM capability
- bit 8: The client is capable of accepting ``AUTH_FAILED,TEMP`` messages
- bit 9: The client is capable of dynamic tls-crypt
+ - bit 10: The client is capable of data epoch keys
:code:`IV_NCP=2`
Negotiable ciphers, client supports ``--cipher`` pushed by
@@ -127,7 +127,7 @@
dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s",
format_hex(BPTR(&work), BLEN(&work), 0, &gc));
- if (!(opt->flags & CO_AEAD_TAG_AT_THE_END))
+ if (!(opt->flags & CO_EPOCH_DATA_KEY_FORMAT))
{
/* Reserve space for authentication tag */
mac_out = buf_write_alloc(&work, mac_len);
@@ -148,7 +148,7 @@
ASSERT(buf_inc_len(&work, outlen));
/* if the tag is at end the end, allocate it now */
- if (opt->flags & CO_AEAD_TAG_AT_THE_END)
+ if (opt->flags & CO_EPOCH_DATA_KEY_FORMAT)
{
/* Reserve space for authentication tag */
mac_out = buf_write_alloc(&work, mac_len);
@@ -479,7 +479,7 @@
uint8_t *tag_ptr = NULL;
int data_len = 0;
- if (opt->flags & CO_AEAD_TAG_AT_THE_END)
+ if (opt->flags & CO_EPOCH_DATA_KEY_FORMAT)
{
data_len = BLEN(buf) - tag_size;
tag_ptr = BPTR(buf) + data_len;
@@ -373,9 +373,11 @@
/**< Bit-flag indicating that renegotiations are using tls-crypt
* with a TLS-EKM derived key.
*/
-#define CO_AEAD_TAG_AT_THE_END (1<<8)
- /**< Bit-flag indicating that the AEAD tag is at the end of the
- * packet.
+#define CO_EPOCH_DATA_KEY_FORMAT (1<<8)
+ /**< Bit-flag indicating the epoch the data format. This format
+ * has the AEAD tag is at the end of the packet and using a longer
+ * 64-bit packet id that is split into a 16 bit epoch and 48 bit
+ * epoch counter
*/
unsigned int flags; /**< Bit-flags determining behavior of
@@ -2407,9 +2407,9 @@
{
buf_printf(&out, " dyn-tls-crypt");
}
- if (o->imported_protocol_flags & CO_AEAD_TAG_AT_THE_END)
+ if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
{
- buf_printf(&out, " aead-tag-end");
+ buf_printf(&out, " aead-epoch");
}
}
@@ -8659,9 +8659,9 @@
options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
}
#endif
- else if (streq(p[j], "aead-tag-end"))
+ else if (streq(p[j], "aead-epoch"))
{
- options->imported_protocol_flags |= CO_AEAD_TAG_AT_THE_END;
+ options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
}
else
{
@@ -689,9 +689,9 @@
buf_printf(&proto_flags, " dyn-tls-crypt");
}
- if (o->imported_protocol_flags & CO_AEAD_TAG_AT_THE_END)
+ if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
{
- buf_printf(&proto_flags, " aead-tag-end");
+ buf_printf(&proto_flags, " aead-epoch");
}
if (buf_len(&proto_flags) > 0)
@@ -108,6 +108,9 @@
/** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key) */
#define IV_PROTO_DYN_TLS_CRYPT (1<<9)
+/** Support the extended packet id and epoch format for data channel packets */
+#define IV_PROTO_DATA_EPOCH (1<<10)
+
/** Supports the --dns option after all the incompatible changes */
#define IV_PROTO_DNS_OPTION_V2 (1<<11)
@@ -404,7 +404,7 @@
run_data_channel_with_cipher_end(const char *cipher)
{
struct crypto_options co = init_crypto_options(cipher, "none");
- co.flags |= CO_AEAD_TAG_AT_THE_END;
+ co.flags |= CO_EPOCH_DATA_KEY_FORMAT;
do_data_channel_round_trip(&co);
uninit_crypto_options(&co);
}