yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 16:45:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

Don't send back EtM extension if not using CBC

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-11-04 15:44:06 +01:00
parent 08558e5b46
commit 78e745fc0a
2 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
library/ssl_srv.c
View File

@ -1721,6 +1721,8 @@ static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
size_t *olen ) size_t *olen )
{ {
unsigned char *p = buf; unsigned char *p = buf;
const ssl_ciphersuite_t *suite = NULL;
const cipher_info_t *cipher = NULL;
if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED || if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED ||
ssl->minor_ver == SSL_MINOR_VERSION_0 ) ssl->minor_ver == SSL_MINOR_VERSION_0 )
@ -1729,6 +1731,21 @@ static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
return; return;
} }
/*
* RFC 7366: "If a server receives an encrypt-then-MAC request extension
* from a client and then selects a stream or Authenticated Encryption
* with Associated Data (AEAD) ciphersuite, it MUST NOT send an
* encrypt-then-MAC response extension back to the client."
*/
if( ( suite = ssl_ciphersuite_from_id(
ssl->session_negotiate->ciphersuite ) ) == NULL ||
( cipher = cipher_info_from_type( suite->cipher ) ) == NULL ||
cipher->mode != POLARSSL_MODE_CBC )
{
*olen = 0;
return;
}
SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
*p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );

24
tests/ssl-opt.sh
View File

@ -466,6 +466,30 @@ run_test "Encrypt then MAC: client enabled, server disabled" \
-C "using encrypt then mac" \ -C "using encrypt then mac" \
-S "using encrypt then mac" -S "using encrypt then mac"
run_test "Encrypt then MAC: client enabled, aead cipher" \
"$P_SRV debug_level=3 etm=1 \
force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
"$P_CLI debug_level=3 etm=1" \
0 \
-c "client hello, adding encrypt_then_mac extension" \
-s "found encrypt then mac extension" \
-S "server hello, adding encrypt then mac extension" \
-C "found encrypt_then_mac extension" \
-C "using encrypt then mac" \
-S "using encrypt then mac"
run_test "Encrypt then MAC: client enabled, stream cipher" \
"$P_SRV debug_level=3 etm=1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI debug_level=3 etm=1" \
0 \
-c "client hello, adding encrypt_then_mac extension" \
-s "found encrypt then mac extension" \
-S "server hello, adding encrypt then mac extension" \
-C "found encrypt_then_mac extension" \
-C "using encrypt then mac" \
-S "using encrypt then mac"
run_test "Encrypt then MAC: client disabled, server enabled" \ run_test "Encrypt then MAC: client disabled, server enabled" \
"$P_SRV debug_level=3 etm=1 \ "$P_SRV debug_level=3 etm=1 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \