Disable encrypt them mac for SSL 3.0 and stream ciphers (RC4 only).
Reviewed-by: Tim Hudson <tjh@openssl.org>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index dc108aa..d0602fb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1485,8 +1485,11 @@
if (!custom_ext_add(s, 0, &ret, limit, al))
return NULL;
#ifdef TLSEXT_TYPE_encrypt_then_mac
- s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
- s2n(0,ret);
+ if (s->version != SSL3_VERSION)
+ {
+ s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
+ s2n(0,ret);
+ }
#endif
/* Add padding to workaround bugs in F5 terminators.
@@ -1719,10 +1722,12 @@
#ifdef TLSEXT_TYPE_encrypt_then_mac
if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
{
- /* Don't use encrypt_then_mac if AEAD: might want
- * to disable for other ciphersuites too.
+ /* Don't use encrypt_then_mac if AEAD, RC4 or SSL 3.0:
+ * might want to disable for other cases too.
*/
- if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD)
+ if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
+ || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
+ || s->version == SSL3_VERSION)
s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
else
{
@@ -2436,7 +2441,10 @@
}
#ifdef TLSEXT_TYPE_encrypt_then_mac
else if (type == TLSEXT_TYPE_encrypt_then_mac)
- s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ {
+ if (s->version != SSL3_VERSION)
+ s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ }
#endif
/* If this ClientHello extension was unhandled and this is
* a nonresumed connection, check whether the extension is a
@@ -2777,8 +2785,10 @@
#ifdef TLSEXT_TYPE_encrypt_then_mac
else if (type == TLSEXT_TYPE_encrypt_then_mac)
{
- /* Ignore if inappropriate ciphersuite */
- if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD)
+ /* Ignore if inappropriate ciphersuite or SSL 3.0 */
+ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
+ && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4
+ && s->version != SSL3_VERSION)
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
}
#endif
