[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Thu Oct 20 09:03:25 UTC 2016 

The branch OpenSSL_1_1_0-stable has been updated
       via  8afb9742aedc07e26f9930c1f859f8c0f204e77f (commit)
      from  ec7b16ddbb020b2f49ff7394901cd2b2bed5234b (commit)


- Log -----------------------------------------------------------------
commit 8afb9742aedc07e26f9930c1f859f8c0f204e77f
Author: David Woodhouse <David.Woodhouse at intel.com>
Date:   Wed Oct 12 23:10:37 2016 +0100

    Disable encrypt_then_mac negotiation for DTLS.
    
    I use the word 'negotiation' advisedly. Because that's all we were doing.
    We negotiated it, set the TLS1_FLAGS_ENCRYPT_THEN_MAC flag in our data
    structure, and then utterly ignored it in both dtls_process_record()
    and do_dtls1_write().
    
    Turn it off for 1.1.0; we'll fix it for 1.1.1 and by the time that's
    released, hopefully 1.1.0b will be ancient history.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/t1_lib.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 86833d8..a3fb28e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1358,8 +1358,17 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
     /* Add custom TLS Extensions to ClientHello */
     if (!custom_ext_add(s, 0, &ret, limit, al))
         return NULL;
-    s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
-    s2n(0, ret);
+    /*
+     * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just
+     * silently failed to actually do it. It is fixed in 1.1.1 but to
+     * ease the transition especially from 1.1.0b to 1.1.0c, we just
+     * disable it in 1.1.0.
+     */
+    if (!SSL_IS_DTLS(s)) {
+        s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
+        s2n(0, ret);
+    }
+
 #ifndef OPENSSL_NO_CT
     if (s->ct_validation_callback != NULL) {
         s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
@@ -1596,7 +1605,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
          * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
          * for other cases too.
          */
-        if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
+        if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
             || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
             || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
             || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)

More information about the openssl-commits mailing list