From 78e745fc0a5ab2895946f9b5ba5e268558908541 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 4 Nov 2014 15:44:06 +0100
Subject: [PATCH] Don't send back EtM extension if not using CBC

---
 library/ssl_srv.c | 17 +++++++++++++++++
 tests/ssl-opt.sh | 24 ++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index c884e7cc4..6d8626cc2 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1721,6 +1721,8 @@ static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
                                             size_t *olen )
 {
     unsigned char *p = buf;
+    const ssl_ciphersuite_t *suite = NULL;
+    const cipher_info_t *cipher = NULL;
 
     if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED ||
         ssl->minor_ver == SSL_MINOR_VERSION_0 )
@@ -1729,6 +1731,21 @@ static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
         return;
     }
 
+    /*
+     * RFC 7366: "If a server receives an encrypt-then-MAC request extension
+     * from a client and then selects a stream or Authenticated Encryption
+     * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
+     * encrypt-then-MAC response extension back to the client."
+     */
+    if( ( suite = ssl_ciphersuite_from_id(
+                    ssl->session_negotiate->ciphersuite ) ) == NULL ||
+        ( cipher = cipher_info_from_type( suite->cipher ) ) == NULL ||
+        cipher->mode != POLARSSL_MODE_CBC )
+    {
+        *olen = 0;
+        return;
+    }
+
     SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
 
     *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 100c24459..26b2f897c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
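Review bot: In the new early-return branch of the second hunk (`cipher->mode != POLARSSL_MODE_CBC`), the server suppresses the extension but leaves `ssl->session_negotiate->encrypt_then_mac` at its enabled value, so the server-side negotiated session state records EtM that the peer was never told about; the CBC-only record path presumably makes this harmless today, but resetting the flag next to `*olen = 0;` (presumably `ssl->session_negotiate->encrypt_then_mac = SSL_ETM_DISABLED;`, using whatever constant the ETM flag is defined with) would keep state and wire in step, including for any session that is later resumed. The same branch folds a NULL from `ssl_ciphersuite_from_id()` or `cipher_info_from_type()` into the silent no-extension case; the server has already selected that suite by the time this runs, so a NULL here is an internal inconsistency worth an `SSL_DEBUG_MSG` rather than silence. Related, the unchanged guard just above (first hunk) compares the EtM flag against `SSL_EXTENDED_MS_DISABLED`, the extended-master-secret constant; it only works if both disabled values happen to be equal and should use the ETM constant. `ssl_write_encrypt_then_mac_ext` continues beyond the hunk.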
@@ -466,6 +466,30 @@ run_test "Encrypt then MAC: client enabled, server disabled" \
             -C "using encrypt then mac" \
             -S "using encrypt then mac"
 
+run_test "Encrypt then MAC: client enabled, aead cipher" \
+            "$P_SRV debug_level=3 etm=1 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_CLI debug_level=3 etm=1" \
+            0 \
+            -c "client hello, adding encrypt_then_mac extension" \
+            -s "found encrypt then mac extension" \
+            -S "server hello, adding encrypt then mac extension" \
+            -C "found encrypt_then_mac extension" \
+            -C "using encrypt then mac" \
+            -S "using encrypt then mac"
+
+run_test "Encrypt then MAC: client enabled, stream cipher" \
+            "$P_SRV debug_level=3 etm=1 \
+             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
+            "$P_CLI debug_level=3 etm=1" \
+            0 \
+            -c "client hello, adding encrypt_then_mac extension" \
+            -s "found encrypt then mac extension" \
+            -S "server hello, adding encrypt then mac extension" \
+            -C "found encrypt_then_mac extension" \
+            -C "using encrypt then mac" \
+            -S "using encrypt then mac"
+
 run_test "Encrypt then MAC: client disabled, server enabled" \
             "$P_SRV debug_level=3 etm=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
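Review bot: The stream-cipher case forces `TLS-RSA-WITH-RC4-128-SHA`, so on a build that leaves RC4 out the forced handshake fails and this test reports an EtM failure that is really a configuration gap; if the harness has a way to skip a test when a ciphersuite is unavailable, gating this case on it (and the GCM case on AES-GCM) would keep the signal honest. Both new cases assert absence only through `-S`/`-C`, which pass vacuously if those debug strings are ever reworded, so the positive `-s "found encrypt then mac extension"` line is what makes them meaningful and should not be dropped if these tests are reshuffled.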