mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 02:05:39 +01:00
ssl_srv.c: Mark ETM as disabled if cipher is not CBC
Encrypt-Then-Mac (ETM) is supported in Mbed TLS server for TLS version geater than SSLv3 and only for the CBC cipher mode thus make it clear in the SSL context. The previous code was ok as long as the check of the ETM status was done only in the case of the CBC cipher mode but fragile as #5573 revealed. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
parent
c2e2876e0e
commit
f1ed5951e3
@ -2354,12 +2354,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *suite = NULL;
|
||||
const mbedtls_cipher_info_t *cipher = NULL;
|
||||
|
||||
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||
{
|
||||
*olen = 0;
|
||||
return;
|
||||
}
|
||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
|
||||
|
||||
/*
|
||||
* RFC 7366: "If a server receives an encrypt-then-MAC request extension
|
||||
@ -2371,6 +2367,11 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||
ssl->session_negotiate->ciphersuite ) ) == NULL ||
|
||||
( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
|
||||
cipher->mode != MBEDTLS_MODE_CBC )
|
||||
{
|
||||
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
|
||||
}
|
||||
|
||||
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
|
||||
{
|
||||
*olen = 0;
|
||||
return;
|
||||
|
Loading…
Reference in New Issue
Block a user