From e3b5576a512551338fe0e6af9fbcb7f68c850797 Mon Sep 17 00:00:00 2001
From: John David Duncan
Date: Wed, 30 Nov 2022 12:09:59 -0800
Subject: [PATCH] WL#15154 patch #8 TLS key rotation

In the TCP Transporter, request a TLS key rotation after each 2^32 bytes are sent. Note that there is no visibility into whether this has occured.

Change-Id: I70e1fff8b20305d565efc5a44e7ecb827da22dca
---
 .../ndb/src/common/transporter/TCP_Transporter.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/storage/ndb/src/common/transporter/TCP_Transporter.cpp b/storage/ndb/src/common/transporter/TCP_Transporter.cpp
index 3c271f5a912c..8f9d62708b2c 100644
--- a/storage/ndb/src/common/transporter/TCP_Transporter.cpp
+++ b/storage/ndb/src/common/transporter/TCP_Transporter.cpp
@@ -96,6 +96,11 @@ Uint32 overload_limit(const TransporterConfiguration* conf)
                   conf->tcp.sendBufferSize*4/5);
 }
 
+/* Request a TLS key rotation after this number of bytes are sent
+   by a transporter, as described in WL#15130 and in RFC 8446 sec. 5.5.
+   The number here should have just one bit set.
+*/
+static constexpr Uint64 keyRotateBit = 0x0000000100000000;
 
 TCP_Transporter::TCP_Transporter(TransporterRegistry &t_reg,
                                  const TransporterConfiguration* conf)
@@ -525,7 +530,15 @@ TCP_Transporter::doSend(bool need_wakeup)
     }
     sendCount += send_cnt;
     sendSize += sum_sent;
+    bool rotateBitPre = ((m_bytes_sent & keyRotateBit) == keyRotateBit);
     m_bytes_sent += sum_sent;
+    bool rotateBitPost = ((m_bytes_sent & keyRotateBit) == keyRotateBit);
+
+    if(rotateBitPost != rotateBitPre)
+    {
+      theSocket.update_keys();
+    }
+
     if(sendCount >= reportFreq)
     {
       get_callback_obj()->reportSendLen(remoteNodeId, sendCount, sendSize);
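Review bot: The comment above `keyRotateBit` requires the constant to have exactly one bit set, and the toggle test in doSend depends on that property, but nothing enforces it; add `static_assert(keyRotateBit != 0 && (keyRotateBit & (keyRotateBit - 1)) == 0, "keyRotateBit must be a single bit");` directly after the definition so a later retune cannot silently break the rotation cadence. The comment should also record why 2^32 bytes was chosen: RFC 8446 sec. 5.5 bounds AES-GCM at roughly 2^24.5 full-size records per key, well above 2^32 bytes, so the margin is the justification — suggested wording: `2^32 bytes is comfortably below the AES-GCM per-key record limit of RFC 8446 sec. 5.5`. If this transporter can also run a TLS version without KeyUpdate, the comment should say what update_keys() does in that case; that cannot be determined from the hunk.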
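Review bot: The result of `theSocket.update_keys()` is dropped, so a refused or unsupported key update (for example a peer that did not negotiate TLS 1.3, where KeyUpdate does not exist) leaves the connection on the old keys with no trace; the commit message accepts that there is no visibility, but if update_keys() reports a status — its signature is not in the hunk, so confirm — the failure should at least be logged in the send path rather than ignored. A second point: comparing a single bit before and after the add detects a boundary crossing only when that bit toggles an odd number of times, so a doSend that advances `m_bytes_sent` by 2^33 or more would skip the rotation; `const Uint64 rotateBefore = m_bytes_sent;` taken before the increment and `if ((rotateBefore / keyRotateBit) != (m_bytes_sent / keyRotateBit))` counts crossings exactly and compiles to a shift because the constant is a power of two. With sum_sent bounded by the send buffer this is probably unreachable today, so it is a robustness note rather than a live bug. doSend starts and ends outside the hunk.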