Experimental encrypt-then-mac support.

Experimental support for encrypt then mac from
draft-gutmann-tls-encrypt-then-mac-02.txt

To enable it set the appropriate extension number (0x10 for the test server)
using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10

For non-compliant peers (i.e. just about everything) this should have no
effect.
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 65b742c..3f936c0 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -408,6 +408,30 @@
 	/* decrypt in place in 'rr->input' */
 	rr->data=rr->input;
 	rr->orig_len=rr->length;
+	/* If in encrypt-then-mac mode calculate mac from encrypted record.
+	 * All the details below are public so no timing details can leak.
+	 */
+	if (SSL_USE_ETM(s) && s->read_hash)
+		{
+		unsigned char *mac;
+		mac_size=EVP_MD_CTX_size(s->read_hash);
+		OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
+		if (rr->length < mac_size)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+			goto f_err;
+			}
+		rr->length -= mac_size;
+		mac = rr->data + rr->length;
+		i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
+		if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
+			{
+			al=SSL_AD_BAD_RECORD_MAC;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+			goto f_err;
+			}
+		}
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
 	/* enc_err is:
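Review bot: The guard on the new ETM branch, `if (SSL_USE_ETM(s) && s->read_hash)`, is weaker than the guard the existing post-decrypt MAC path uses further down in this same function (`s->enc_read_ctx != NULL && EVP_MD_CTX_md(s->read_hash) != NULL`): a non-NULL read_hash whose digest is not set would still reach `EVP_MD_CTX_size()`, and its error return would feed the `OPENSSL_assert` and the `rr->length` arithmetic that follow. Whether the ETM flag can ever be set for such a context depends on where SSL_USE_ETM is established, which is outside this file, so mirroring the stronger guard is cheap insurance: `if (SSL_USE_ETM(s) && s->read_hash && EVP_MD_CTX_md(s->read_hash) != NULL)`. The header comment should also say explicitly that the MAC is verified over the ciphertext before `enc()` runs and that a failed check must never fall through to decryption, since that ordering is the whole point of the mode and a future refactor could lose it. ssl3_get_record begins and ends outside the hunk.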
@@ -430,7 +454,7 @@
 	/* r->length is now the compressed data plus mac */
 	if ((sess != NULL) &&
 	    (s->enc_read_ctx != NULL) &&
-	    (EVP_MD_CTX_md(s->read_hash) != NULL))
+	    (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s))
 		{
 		/* s->read_hash != NULL => mac_size != -1 */
 		unsigned char *mac = NULL;
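Review bot: The comment just above this block, `/* r->length is now the compressed data plus mac */`, is no longer accurate once ETM is negotiated: in that mode the MAC was already stripped and checked before decryption and this block is skipped by the added `!SSL_USE_ETM(s)`. Suggest `/* r->length is now the compressed data plus mac (unless ETM is in use, where the MAC was removed and verified before decryption) */` so the next reader does not assume the MAC is still present. The enclosing function continues beyond the hunk.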
@@ -820,7 +844,7 @@
 	 * from wr->input.  Length should be wr->length.
 	 * wr->data still points in the wb->buf */
 
-	if (mac_size != 0)
+	if (!SSL_USE_ETM(s) && mac_size != 0)
 		{
 		if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
 			goto err;
@@ -840,6 +864,13 @@
 	/* ssl3_enc can only have an error on read */
 	s->method->ssl3_enc->enc(s,1);
 
+	if (SSL_USE_ETM(s) && mac_size != 0)
+		{
+		if (s->method->ssl3_enc->mac(s,p + wr->length,1) < 0)
+			goto err;
+		wr->length+=mac_size;
+		}
+
 	/* record length after mac and block padding */
 	s2n(wr->length,plen);