Commit 619c589b authored by David Woodhouse's avatar David Woodhouse Committed by Richard Levitte

Add SSL_OP_NO_ENCRYPT_THEN_MAC



Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(cherry picked from commit cde6145b)
parent 6717d1cf
+8 −0
@@ -189,6 +189,14 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched servers
B<only>: this option is currently set by default. See the
B<SECURE RENEGOTIATION> section for more details.

=item SSL_OP_NO_ENCRYPT_THEN_MAC

Normally clients and servers will transparently attempt to negotiate the
RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.

If this option is set, Encrypt-then-MAC is disabled. Clients will not
propose, and servers will not accept the extension.

=back

=head1 SECURE RENEGOTIATION
+2 −0
@@ -297,6 +297,8 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
# define SSL_OP_NO_COMPRESSION                           0x00020000U
/* Permit unsafe legacy renegotiation */
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x00040000U
/* Disable encrypt-then-mac */
# define SSL_OP_NO_ENCRYPT_THEN_MAC                      0x00080000U
/*
 * Set on servers to choose the cipher according to the server's preferences
 */
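Review bot: The comment `/* Disable encrypt-then-mac */` on SSL_OP_NO_ENCRYPT_THEN_MAC does not tell a reader of the header that setting this bit lowers the protection of CBC ciphersuites, which stay on MAC-then-encrypt when the RFC 7366 extension is not negotiated. I would spell that out so the flag is not copied into an option mask casually: `/* Disable RFC 7366 encrypt-then-MAC; CBC suites then use MAC-then-encrypt. Leave unset unless a peer cannot negotiate it. */`. The option list continues outside the hunk on both sides.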
+6 −3
@@ -1356,8 +1356,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
     * silently failed to actually do it. It is fixed in 1.1.1 but to
     * ease the transition especially from 1.1.0b to 1.1.0c, we just
     * disable it in 1.1.0.
     * Also skip if SSL_OP_NO_ENCRYPT_THEN_MAC is set.
     */
    if (!SSL_IS_DTLS(s)) {
    if (!SSL_IS_DTLS(s) && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
        /*-
         * check for enough space.
         * 4 bytes for the ETM type and extension length
@@ -2285,7 +2286,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
                return 0;
        }
#endif
        else if (type == TLSEXT_TYPE_encrypt_then_mac)
        else if (type == TLSEXT_TYPE_encrypt_then_mac &&
                 !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
            s->tlsext_use_etm = 1;
        /*
         * Note: extended master secret extension handled in
@@ -2605,7 +2607,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
#endif
        else if (type == TLSEXT_TYPE_encrypt_then_mac) {
            /* Ignore if inappropriate ciphersuite */
            if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
            if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
                s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
                && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
                s->tlsext_use_etm = 1;
        } else if (type == TLSEXT_TYPE_extended_master_secret) {
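Review bot: In the ssl_scan_serverhello_tlsext hunk, a client with SSL_OP_NO_ENCRYPT_THEN_MAC set never offered the extension (per the first hunk), so a ServerHello carrying TLSEXT_TYPE_encrypt_then_mac is unsolicited, yet the new condition only skips setting `s->tlsext_use_etm` and lets the handshake continue. The two ends would then disagree on the record protection order and the failure would show up later as a bad MAC instead of at the offending message. Rejecting it on the spot is easier to diagnose, for example `if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) { *al = SSL_AD_UNSUPPORTED_EXTENSION; return 0; }` ahead of the ciphersuite check, assuming this function reports failure with `return 0` as the ClientHello scanner does. In the ssl_scan_clienthello_tlsext hunk the option test is folded into the `else if`, so with the option set the extension type falls through to the branches that follow; those are outside the hunk, so confirm none of them is a catch-all that would now see it. All three functions start and end outside their hunks.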