From: David Woodhouse
Date: Wed, 12 Oct 2016 22:10:37 +0000 (+0100)
Subject: Disable encrypt_then_mac negotiation for DTLS.
X-Git-Tag: OpenSSL_1_1_0c~73
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=8afb9742aedc07e26f9930c1f859f8c0f204e77f;p=oweals%2Fopenssl.git

Disable encrypt_then_mac negotiation for DTLS.

I use the word 'negotiation' advisedly. Because that's all we were doing. We negotiated it, set the TLS1_FLAGS_ENCRYPT_THEN_MAC flag in our data structure, and then utterly ignored it in both dtls_process_record() and do_dtls1_write().

Turn it off for 1.1.0; we'll fix it for 1.1.1 and by the time that's released, hopefully 1.1.0b will be ancient history.

Reviewed-by: Rich Salz
Reviewed-by: Matt Caswell
---

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 86833d8c98..a3fb28e9cb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1358,8 +1358,17 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
 /* Add custom TLS Extensions to ClientHello */
 if (!custom_ext_add(s, 0, &ret, limit, al))
 return NULL;
- s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
- s2n(0, ret);
+ /*
+ * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just
+ * silently failed to actually do it. It is fixed in 1.1.1 but to
+ * ease the transition especially from 1.1.0b to 1.1.0c, we just
+ * disable it in 1.1.0.
+ */
+ if (!SSL_IS_DTLS(s)) {
+ s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
+ s2n(0, ret);
+ }
+
 #ifndef OPENSSL_NO_CT
 if (s->ct_validation_callback != NULL) {
 s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
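Review bot: The new `if (!SSL_IS_DTLS(s))` guard in ssl_add_clienthello_tlsext only stops the client from offering the extension; nothing in this commit shows the extension parsers also refusing to set TLS1_FLAGS_ENCRYPT_THEN_MAC for DTLS, so if a DTLS peer offers or selects EtM anyway the flag could still end up set while, per the description, dtls_process_record() and do_dtls1_write() ignore it. If the `TLSEXT_TYPE_encrypt_then_mac` branch of the hello parsers is not already gated, a one-line `&& !SSL_IS_DTLS(s)` there would make the two sides consistent with this hunk and the ServerHello hunk below. This is inferred from what the diff shows, not from the parser code, which is outside these hunks. ssl_add_clienthello_tlsext starts and ends outside the hunk.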
@@ -1596,7 +1605,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
 * for other cases too.
 */
- if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
+ if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
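Review bot: The comment immediately above the changed condition in ssl_add_serverhello_tlsext still lists only AEAD and RC4 as reasons to skip encrypt_then_mac, so the new `SSL_IS_DTLS(s) ||` clause is undocumented at the point where a reader will look for it; the ClientHello hunk above explains the DTLS reason but this one does not. Suggest updating the two comment lines to `* Don't use encrypt_then_mac for DTLS (the 1.1.0 DTLS record layer does not` / `* implement it), or if AEAD or RC4; might want to disable for other cases too.` so the server-side decision is self-explaining. The enclosing function starts and ends outside the hunk.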