diff options
| -rw-r--r-- | include/openssl/ssl3.h | 5 | ||||
| -rw-r--r-- | ssl/d1_lib.c | 2 | ||||
| -rw-r--r-- | ssl/record/rec_layer_d1.c | 4 | ||||
| -rw-r--r-- | ssl/record/rec_layer_s3.c | 6 | ||||
| -rw-r--r-- | ssl/record/ssl3_record.c | 14 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 6 | ||||
| -rw-r--r-- | ssl/statem/extensions.c | 4 | ||||
| -rw-r--r-- | ssl/statem/extensions_clnt.c | 2 | ||||
| -rw-r--r-- | ssl/statem/extensions_srvr.c | 6 | ||||
| -rw-r--r-- | ssl/t1_enc.c | 15 | ||||
| -rw-r--r-- | test/dtls_mtu_test.c | 4 |
11 files changed, 42 insertions, 26 deletions
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index d76236ab8d..f2f62b4f1a 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -265,11 +265,14 @@ extern "C" { # define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 /* Set if we encrypt then mac instead of usual mac then encrypt */ -# define TLS1_FLAGS_ENCRYPT_THEN_MAC 0x0100 +# define TLS1_FLAGS_ENCRYPT_THEN_MAC_READ 0x0100 +# define TLS1_FLAGS_ENCRYPT_THEN_MAC TLS1_FLAGS_ENCRYPT_THEN_MAC_READ /* Set if extended master secret extension received from peer */ # define TLS1_FLAGS_RECEIVED_EXTMS 0x0200 +# define TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE 0x0400 + # define SSL3_MT_HELLO_REQUEST 0 # define SSL3_MT_CLIENT_HELLO 1 # define SSL3_MT_SERVER_HELLO 2 diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index c1d160ecd4..213fad5a8d 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -937,7 +937,7 @@ size_t DTLS_get_data_mtu(const SSL *s) &blocksize, &ext_overhead)) return 0; - if (SSL_USE_ETM(s)) + if (SSL_READ_ETM(s)) ext_overhead += mac_overhead; else int_overhead += mac_overhead; diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 67846bd19f..dc106732f5 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -1029,7 +1029,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, * wb->buf */ - if (!SSL_USE_ETM(s) && mac_size != 0) { + if (!SSL_WRITE_ETM(s) && mac_size != 0) { if (!s->method->ssl3_enc->mac(s, &wr, &(p[SSL3_RECORD_get_length(&wr) + eivlen]), 1)) @@ -1047,7 +1047,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, if (s->method->ssl3_enc->enc(s, &wr, 1, 1) < 1) goto err; - if (SSL_USE_ETM(s) && mac_size != 0) { + if (SSL_WRITE_ETM(s) && mac_size != 0) { if (!s->method->ssl3_enc->mac(s, &wr, &(p[SSL3_RECORD_get_length(&wr)]), 1)) goto err; diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 58a4716ffe..0da91b1c62 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -401,7 +401,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, if (type == SSL3_RT_APPLICATION_DATA && len >= 4 * (max_send_fragment = s->max_send_fragment) && s->compress == NULL && s->msg_callback == NULL && - !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && + !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { unsigned char aad[13]; @@ -870,7 +870,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * in the wb->buf */ - if (!SSL_USE_ETM(s) && mac_size != 0) { + if (!SSL_WRITE_ETM(s) && mac_size != 0) { unsigned char *mac; if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) @@ -923,7 +923,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; } - if (SSL_USE_ETM(s) && mac_size != 0) { + if (SSL_WRITE_ETM(s) && mac_size != 0) { unsigned char *mac; if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index fc4723685c..9e99210d89 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -383,7 +383,7 @@ int ssl3_get_record(SSL *s) * If in encrypt-then-mac mode calculate mac from encrypted record. All * the details below are public so no timing details can leak. */ - if (SSL_USE_ETM(s) && s->read_hash) { + if (SSL_READ_ETM(s) && s->read_hash) { unsigned char *mac; /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); @@ -440,7 +440,7 @@ int ssl3_get_record(SSL *s) /* r->length is now the compressed data plus mac */ if ((sess != NULL) && (s->enc_read_ctx != NULL) && - (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s)) { + (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ unsigned char *mac = NULL; unsigned char mac_tmp[EVP_MAX_MD_SIZE]; @@ -915,7 +915,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) } ret = 1; - if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { + if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { imac_size = EVP_MD_CTX_size(s->read_hash); if (imac_size < 0) return -1; @@ -1092,7 +1092,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) header[11] = (unsigned char)(rec->length >> 8); header[12] = (unsigned char)(rec->length & 0xff); - if (!send && !SSL_USE_ETM(ssl) && + if (!send && !SSL_READ_ETM(ssl) && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && ssl3_cbc_record_digest_supported(mac_ctx)) { /* @@ -1118,7 +1118,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) EVP_MD_CTX_free(hmac); return 0; } - if (!send && !SSL_USE_ETM(ssl) && FIPS_mode()) + if (!send && !SSL_READ_ETM(ssl) && FIPS_mode()) if (!tls_fips_digest_extra(ssl->enc_read_ctx, mac_ctx, rec->input, rec->length, rec->orig_len)) { @@ -1408,7 +1408,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) rr->data = rr->input; rr->orig_len = rr->length; - if (SSL_USE_ETM(s) && s->read_hash) { + if (SSL_READ_ETM(s) && s->read_hash) { unsigned char *mac; mac_size = EVP_MD_CTX_size(s->read_hash); OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); @@ -1452,7 +1452,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) #endif /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && !SSL_USE_ETM(s) && + if ((sess != NULL) && !SSL_READ_ETM(s) && (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ unsigned char *mac = NULL; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 106ff69492..e1bce30a20 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -395,7 +395,8 @@ # define SSL_CLIENT_USE_SIGALGS(s) \ SSL_CLIENT_USE_TLS1_2_CIPHERS(s) -# define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) +# define SSL_READ_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ) +# define SSL_WRITE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE) /* Mostly for SSLv3 */ # define SSL_PKEY_RSA 0 @@ -1132,6 +1133,9 @@ struct ssl_st { /* The available PSK key exchange modes */ int psk_kex_mode; + + /* Set to one if we have negotiated ETM */ + int use_etm; } ext; /*- diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index edb674d7a8..8e1b502083 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -207,7 +207,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { #endif { TLSEXT_TYPE_encrypt_then_mac, - EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, + EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY | EXT_SSL3_ALLOWED, init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, tls_construct_stoc_etm, tls_construct_ctos_etm, NULL }, @@ -912,7 +912,7 @@ static int init_srp(SSL *s, unsigned int context) static int init_etm(SSL *s, unsigned int context) { - s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; + s->ext.use_etm = 0; return 1; } diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index ea379199e0..09780a9495 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1172,7 +1172,7 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) - s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; + s->ext.use_etm = 1; return 1; } diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index b555d68d8d..ecfd00b098 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -451,7 +451,7 @@ int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al) { if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) - s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; + s->ext.use_etm = 1; return 1; } @@ -953,7 +953,7 @@ int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al) { - if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0) + if (!s->ext.use_etm) return 1; /* @@ -964,7 +964,7 @@ int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) { - s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; + s->ext.use_etm = 0; return 1; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index ebdc0fbd52..4158548568 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -129,6 +129,11 @@ int tls1_change_cipher_state(SSL *s, int which) #endif if (which & SSL3_CC_READ) { + if (s->ext.use_etm) + s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; + else + s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; else @@ -167,6 +172,11 @@ int tls1_change_cipher_state(SSL *s, int which) mac_secret = &(s->s3->read_mac_secret[0]); mac_secret_size = &(s->s3->read_mac_secret_size); } else { + if (s->ext.use_etm) + s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; + else + s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; else @@ -369,9 +379,8 @@ int tls1_setup_key_block(SSL *s) if (s->s3->tmp.key_block_length != 0) return (1); - if (!ssl_cipher_get_evp - (s->session, &c, &hash, &mac_type, &mac_secret_size, &comp, - SSL_USE_ETM(s))) { + if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, + &comp, s->ext.use_etm)) { SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return (0); } diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c index da970a7fa7..1a05c541f7 100644 --- a/test/dtls_mtu_test.c +++ b/test/dtls_mtu_test.c @@ -16,7 +16,7 @@ #include "ssltestlib.h" -/* for SSL_USE_ETM() */ +/* for SSL_READ_ETM() */ #include "../ssl/ssl_locl.h" static int debug = 0; @@ -133,7 +133,7 @@ static int mtu_test(SSL_CTX *ctx, const char *cs, int no_etm) } } rv = 1; - if (SSL_USE_ETM(clnt_ssl)) + if (SSL_READ_ETM(clnt_ssl)) rv = 2; out: SSL_free(clnt_ssl); |