yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 12:35:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

ssl_srv.c: Mark ETM as disabled if cipher is not CBC

Browse Source 
Encrypt-Then-Mac (ETM) is supported in Mbed TLS
server for TLS version geater than SSLv3 and only
for the CBC cipher mode thus make it
clear in the SSL context.

The previous code was ok as long as the check of
the ETM status was done only in the case of the CBC
cipher mode but fragile as #5573 revealed.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2022-03-24 14:15:28 +01:00
parent c2e2876e0e
commit f1ed5951e3
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
library/ssl_srv.c
View File

@ -2354,12 +2354,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite = NULL;
const mbedtls_cipher_info_t *cipher = NULL;
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;
}
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
/*
* RFC 7366: "If a server receives an encrypt-then-MAC request extension
@ -2371,6 +2367,11 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
ssl->session_negotiate->ciphersuite ) ) == NULL ||
( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
cipher->mode != MBEDTLS_MODE_CBC )
{
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
}
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
{
*olen = 0;
return;