From: David Woodhouse
Date: Thu, 13 Oct 2016 23:26:38 +0000 (+0100)
Subject: Add SSL_OP_NO_ENCRYPT_THEN_MAC
X-Git-Tag: OpenSSL_1_1_0g~52
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=619c589bdb2fc52e4f180db548222e2b7ab169d8;p=oweals%2Fopenssl.git
Add SSL_OP_NO_ENCRYPT_THEN_MAC
Reviewed-by: Tim Hudson
Reviewed-by: Matt Caswell
(cherry picked from commit cde6145ba19a2fce039cf054a89e49f67c623c59)
---
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 635b470e12..63609f3a31 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -189,6 +189,14 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched servers B: this option is currently set by default. See the B section for more details.
+=item SSL_OP_NO_ENCRYPT_THEN_MAC
+
+Normally clients and servers will transparently attempt to negotiate the
+RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.
+
+If this option is set, Encrypt-then-MAC is disabled. Clients will not
+propose, and servers will not accept the extension.
+
 =back
 =head1 SECURE RENEGOTIATION
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 940a5f0eb5..4e7f82f433 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -297,6 +297,8 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
 # define SSL_OP_NO_COMPRESSION 0x00020000U
 /* Permit unsafe legacy renegotiation */
 # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
+/* Disable encrypt-then-mac */
+# define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U
 /*
 * Set on servers to choose the cipher according to the server's preferences
 */
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 55abba9619..b2cfff58df 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
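Review bot: The comment `/* Disable encrypt-then-mac */` on the new `SSL_OP_NO_ENCRYPT_THEN_MAC` define in include/openssl/ssl.h does not say what a connection gets instead. With the extension off, CBC ciphersuites fall back to the older MAC-then-encrypt record protection that RFC 7366 was written to replace, so the flag is an interoperability switch that lowers protection rather than a neutral toggle. I would word it `/* Disable RFC 7366 encrypt-then-mac; CBC suites then use MAC-then-encrypt (interop workaround only) */` so that callers reading the header see the trade-off.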
@@ -1356,8 +1356,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
 * silently failed to actually do it. It is fixed in 1.1.1 but to
 * ease the transition especially from 1.1.0b to 1.1.0c, we just
 * disable it in 1.1.0.
+ * Also skip if SSL_OP_NO_ENCRYPT_THEN_MAC is set.
 */
- if (!SSL_IS_DTLS(s)) {
+ if (!SSL_IS_DTLS(s) && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
 /*-
 * check for enough space.
 * 4 bytes for the ETM type and extension length
@@ -2285,7 +2286,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
 return 0;
 }
 #endif
- else if (type == TLSEXT_TYPE_encrypt_then_mac)
+ else if (type == TLSEXT_TYPE_encrypt_then_mac &&
+ !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
 s->tlsext_use_etm = 1;
 /*
 * Note: extended master secret extension handled in
@@ -2605,7 +2607,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
 #endif
 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
 /* Ignore if inappropriate ciphersuite */
- if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
+ if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
+ s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
 s->tlsext_use_etm = 1;
 } else if (type == TLSEXT_TYPE_extended_master_secret) {
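Review bot: In ssl_add_clienthello_tlsext the extension is still skipped for every DTLS client (`!SSL_IS_DTLS(s)`), which contradicts the new SSL_CTX_set_options.pod text saying Encrypt-then-MAC is negotiated "on TLS and DTLS connection". On this branch the option therefore only changes what a TLS client proposes; the pod sentence should say so, for example `RFC7366 Encrypt-then-MAC option on TLS connections (DTLS clients on this branch do not propose it).` The comment being extended starts above the hunk, so the reason for the DTLS exclusion is only partly visible here.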
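Review bot: In ssl_scan_clienthello_tlsext the option test is folded into the `else if` condition, so when SSL_OP_NO_ENCRYPT_THEN_MAC is set an encrypt_then_mac extension no longer matches this arm and passes on to any arms that follow in the chain, which lie outside the hunk. The ssl_scan_serverhello_tlsext hunk keeps the type match and tests the option inside the arm; doing the same here keeps the extension consumed in one place: `else if (type == TLSEXT_TYPE_encrypt_then_mac) { if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) s->tlsext_use_etm = 1; }`.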
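Review bot: In ssl_scan_serverhello_tlsext a ServerHello that carries encrypt_then_mac while SSL_OP_NO_ENCRYPT_THEN_MAC is set is silently ignored, although with the option set the client never proposed the extension (first t1_lib.c hunk). The server would then presumably apply encrypt-then-MAC while the client does not, and the handshake would only fail later with a less specific error. Rejecting the unsolicited extension at this point is clearer, for example `if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) { *al = SSL_AD_UNSUPPORTED_EXTENSION; return 0; }` ahead of the ciphersuite test, assuming this function reports failure with `return 0` as its clienthello sibling does; at the least a comment should state that ignoring it is deliberate. The function body continues outside the hunk.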