Commit 8afb9742 authored by David Woodhouse, committed by Matt Caswell

Disable encrypt_then_mac negotiation for DTLS.
I use the word 'negotiation' advisedly. Because that's all we were doing.
We negotiated it, set the TLS1_FLAGS_ENCRYPT_THEN_MAC flag in our data
structure, and then utterly ignored it in both dtls_process_record()
and do_dtls1_write().

Turn it off for 1.1.0; we'll fix it for 1.1.1 and by the time that's
released, hopefully 1.1.0b will be ancient history.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
parent ec7b16dd
+12 −3
@@ -1358,8 +1358,17 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
    /* Add custom TLS Extensions to ClientHello */
    if (!custom_ext_add(s, 0, &ret, limit, al))
        return NULL;
    /*
     * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just
     * silently failed to actually do it. It is fixed in 1.1.1 but to
     * ease the transition especially from 1.1.0b to 1.1.0c, we just
     * disable it in 1.1.0.
     */
    if (!SSL_IS_DTLS(s)) {
        s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
        s2n(0, ret);
    }

#ifndef OPENSSL_NO_CT
    if (s->ct_validation_callback != NULL) {
        s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
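Review bot: the new comment above the `if (!SSL_IS_DTLS(s))` guard pins the rationale to release numbers (1.1.0b, 1.1.0c, 1.1.1), which will read as stale the moment the DTLS record-layer fix lands; state the actual defect instead (the extension was negotiated and TLS1_FLAGS_ENCRYPT_THEN_MAC set, but dtls_process_record() and do_dtls1_write() never acted on it) so a future reader can tell when the guard is safe to drop. The change itself is the right shape for the client side: a DTLS ClientHello no longer carries TLSEXT_TYPE_encrypt_then_mac, so a peer cannot select a mode this record layer does not implement; a regression test that a DTLS ClientHello omits the extension would lock that in.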
@@ -1596,7 +1605,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
         * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
         * for other cases too.
         */
        if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
        if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
            || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
            || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
            || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
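Review bot: folding `SSL_IS_DTLS(s)` into the cipher-property disjunction hides the reason it is there, and the comment just above it ("Don't use encrypt_then_mac if AEAD or RC4 ...") still does not mention DTLS; a separate early guard with the same explanatory comment used on the client side would keep the two halves in sync and make it obvious which branch to remove once DTLS EtM is actually implemented. This server-side check is the one that matters for interoperability: it stops the server from selecting EtM when an older 1.1.0 or third-party DTLS client still offers the extension, which the ClientHello change alone does not cover.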