feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #4750 from SparkiDev/etm-disable

Browse Source 
TLS EncryptThenMac; fix when extension response sent
This commit is contained in:
David Garske
2022-01-13 13:33:57 -08:00
committed by GitHub
parent 8d7059497e 70b169e3f2
commit f81e15f342
3 changed files with 41 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/internal.c
View File

@ -30022,6 +30022,16 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (ret != 0) if (ret != 0)
goto out; goto out;
#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \
!defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac && ssl->specs.cipher_type == block) {
ret = TLSX_EncryptThenMac_Respond(ssl);
if (ret != 0)
goto out;
}
else
ssl->options.encThenMac = 0;
#endif
if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) { if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) {
WOLFSSL_LEAVE("DoClientHello", ret); WOLFSSL_LEAVE("DoClientHello", ret);
WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO); WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
@ -30049,6 +30059,15 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
else if (ret < 0) else if (ret < 0)
SendAlert(ssl, alert_fatal, handshake_failure); SendAlert(ssl, alert_fatal, handshake_failure);
#endif #endif
#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \
!defined(WOLFSSL_AEAD_ONLY)
if (ret == 0 && ssl->options.encThenMac &&
ssl->specs.cipher_type == block) {
ret = TLSX_EncryptThenMac_Respond(ssl);
}
else
ssl->options.encThenMac = 0;
#endif
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
if (ret == 0 && ssl->options.dtls) if (ret == 0 && ssl->options.dtls)

19
src/tls.c
View File

@ -5282,7 +5282,6 @@ static int TLSX_EncryptThenMac_Parse(WOLFSSL* ssl, const byte* input,
ret = TLSX_EncryptThenMac_Use(ssl); ret = TLSX_EncryptThenMac_Use(ssl);
if (ret != 0) if (ret != 0)
return ret; return ret;
TLSX_SetResponse(ssl, TLSX_ENCRYPT_THEN_MAC);
} }
return 0; return 0;
} }
@ -5320,6 +5319,24 @@ static int TLSX_EncryptThenMac_Use(WOLFSSL* ssl)
return 0; return 0;
} }
/**
* Set the Encrypt-Then-MAC extension as one to respond too.
*
* ssl SSL object
* return EXT_MISSING when EncryptThenMac extension not in list.
*/
int TLSX_EncryptThenMac_Respond(WOLFSSL* ssl)
{
TLSX* extension;
extension = TLSX_Find(ssl->extensions, TLSX_ENCRYPT_THEN_MAC);
if (extension == NULL)
return EXT_MISSING;
extension->resp = 1;
return 0;
}
#define ETM_GET_SIZE TLSX_EncryptThenMac_GetSize #define ETM_GET_SIZE TLSX_EncryptThenMac_GetSize
#define ETM_WRITE TLSX_EncryptThenMac_Write #define ETM_WRITE TLSX_EncryptThenMac_Write
#define ETM_PARSE TLSX_EncryptThenMac_Parse #define ETM_PARSE TLSX_EncryptThenMac_Parse

4
wolfssl/internal.h
View File

@ -2600,6 +2600,10 @@ WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap);
#endif /* HAVE_SESSION_TICKET */ #endif /* HAVE_SESSION_TICKET */
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
int TLSX_EncryptThenMac_Respond(WOLFSSL* ssl);
#endif
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
/* Cookie extension information - cookie data. */ /* Cookie extension information - cookie data. */
typedef struct Cookie { typedef struct Cookie {