Loading doc/ssl/SSL_CTX_set_options.pod +8 −0 Original line number Diff line number Diff line Loading @@ -189,6 +189,14 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched servers B<only>: this option is currently set by default. See the B<SECURE RENEGOTIATION> section for more details. =item SSL_OP_NO_ENCRYPT_THEN_MAC Normally clients and servers will transparently attempt to negotiate the RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. If this option is set, Encrypt-then-MAC is disabled. Clients will not propose, and servers will not accept the extension. =back =head1 SECURE RENEGOTIATION Loading include/openssl/ssl.h +2 −0 Original line number Diff line number Diff line Loading @@ -318,6 +318,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, # define SSL_OP_NO_COMPRESSION 0x00020000U /* Permit unsafe legacy renegotiation */ # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U /* Disable encrypt-then-mac */ # define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U /* Does nothing: retained for compatibility */ # define SSL_OP_SINGLE_ECDH_USE 0x0 /* Does nothing: retained for compatibility */ Loading ssl/t1_lib.c +9 −5 Original line number Diff line number Diff line Loading @@ -1335,11 +1335,13 @@ int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al) return 0; } if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) { if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) || !WPACKET_put_bytes_u16(pkt, 0)) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return 0; } } #ifndef OPENSSL_NO_CT if (s->ct_validation_callback != NULL) { Loading Loading @@ -2128,7 +2130,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) return 0; } #endif else if (type == TLSEXT_TYPE_encrypt_then_mac) else if (type == TLSEXT_TYPE_encrypt_then_mac && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; /* * Note: extended master secret extension handled in Loading Loading @@ -2448,7 +2451,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) #endif else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite */ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } else if (type == TLSEXT_TYPE_extended_master_secret) { Loading Loading
doc/ssl/SSL_CTX_set_options.pod +8 −0 Original line number Diff line number Diff line Loading @@ -189,6 +189,14 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched servers B<only>: this option is currently set by default. See the B<SECURE RENEGOTIATION> section for more details. =item SSL_OP_NO_ENCRYPT_THEN_MAC Normally clients and servers will transparently attempt to negotiate the RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. If this option is set, Encrypt-then-MAC is disabled. Clients will not propose, and servers will not accept the extension. =back =head1 SECURE RENEGOTIATION Loading
include/openssl/ssl.h +2 −0 Original line number Diff line number Diff line Loading @@ -318,6 +318,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, # define SSL_OP_NO_COMPRESSION 0x00020000U /* Permit unsafe legacy renegotiation */ # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U /* Disable encrypt-then-mac */ # define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U /* Does nothing: retained for compatibility */ # define SSL_OP_SINGLE_ECDH_USE 0x0 /* Does nothing: retained for compatibility */ Loading
ssl/t1_lib.c +9 −5 Original line number Diff line number Diff line Loading @@ -1335,11 +1335,13 @@ int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al) return 0; } if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) { if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) || !WPACKET_put_bytes_u16(pkt, 0)) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return 0; } } #ifndef OPENSSL_NO_CT if (s->ct_validation_callback != NULL) { Loading Loading @@ -2128,7 +2130,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) return 0; } #endif else if (type == TLSEXT_TYPE_encrypt_then_mac) else if (type == TLSEXT_TYPE_encrypt_then_mac && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; /* * Note: extended master secret extension handled in Loading Loading @@ -2448,7 +2451,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) #endif else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite */ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } else if (type == TLSEXT_TYPE_extended_master_secret) { Loading
Tim Hudson <tjh@openssl.org> Reviewed-by:
Matt Caswell <matt@openssl.org>