mirror of
https://github.com/yuzu-emu/mbedtls
synced 2024-11-25 21:37:45 +00:00
Preparation for EtM
This commit is contained in:
parent
699cafaea2
commit
0098e7dc70
2 changed files with 58 additions and 16 deletions
|
@ -1060,6 +1060,41 @@ static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
|
|||
}
|
||||
#endif /* POLARSSL_SSL_PROTO_SSL3 */
|
||||
|
||||
#define MAC_NONE 0
|
||||
#define MAC_PLAINTEXT 1
|
||||
#define MAC_CIPHERTEXT 2
|
||||
|
||||
/*
|
||||
* Is MAC applied on ciphertext, cleartext or not at all?
|
||||
*/
|
||||
static char ssl_get_mac_order( ssl_context *ssl,
|
||||
const ssl_session *session,
|
||||
cipher_mode_t mode )
|
||||
{
|
||||
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
|
||||
if( mode == POLARSSL_MODE_STREAM )
|
||||
return( MAC_PLAINTEXT );
|
||||
#endif
|
||||
|
||||
#if defined(POLARSSL_CIPHER_MODE_CBC) && \
|
||||
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
|
||||
if( mode == POLARSSL_MODE_CBC )
|
||||
{
|
||||
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
|
||||
if( session != NULL && session->encrypt_then_mac == SSL_ETM_ENABLED )
|
||||
{
|
||||
SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
|
||||
return( MAC_CIPHERTEXT );
|
||||
}
|
||||
#endif
|
||||
|
||||
return( MAC_PLAINTEXT );
|
||||
}
|
||||
#endif
|
||||
|
||||
return( MAC_NONE );
|
||||
}
|
||||
|
||||
/*
|
||||
* Encryption/decryption functions
|
||||
*/
|
||||
|
@ -1068,26 +1103,20 @@ static int ssl_encrypt_buf( ssl_context *ssl )
|
|||
size_t i;
|
||||
const cipher_mode_t mode = cipher_get_cipher_mode(
|
||||
&ssl->transform_out->cipher_ctx_enc );
|
||||
char mac_order;
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
|
||||
|
||||
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
|
||||
if( ssl->session_out != NULL &&
|
||||
ssl->session_out->encrypt_then_mac == SSL_ETM_ENABLED )
|
||||
{
|
||||
// WIP
|
||||
SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
|
||||
}
|
||||
#endif
|
||||
mac_order = ssl_get_mac_order( ssl, ssl->session_out, mode );
|
||||
|
||||
/*
|
||||
* Add MAC before encrypt, except for AEAD modes
|
||||
* Add MAC before if needed
|
||||
*/
|
||||
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
|
||||
( defined(POLARSSL_CIPHER_MODE_CBC) && \
|
||||
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
|
||||
if( mode != POLARSSL_MODE_GCM &&
|
||||
mode != POLARSSL_MODE_CCM )
|
||||
if( mac_order == MAC_PLAINTEXT
|
||||
|| mac_order == MAC_CIPHERTEXT ) // WIP!
|
||||
{
|
||||
#if defined(POLARSSL_SSL_PROTO_SSL3)
|
||||
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
|
||||
|
@ -1358,6 +1387,7 @@ static int ssl_decrypt_buf( ssl_context *ssl )
|
|||
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
|
||||
size_t padlen = 0, correct = 1;
|
||||
#endif
|
||||
char mac_order;
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
|
||||
|
||||
|
@ -1368,6 +1398,9 @@ static int ssl_decrypt_buf( ssl_context *ssl )
|
|||
return( POLARSSL_ERR_SSL_INVALID_MAC );
|
||||
}
|
||||
|
||||
mac_order = ssl_get_mac_order( ssl, ssl->session_in, mode );
|
||||
(void) mac_order; // WIP
|
||||
|
||||
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
|
||||
if( mode == POLARSSL_MODE_STREAM )
|
||||
{
|
||||
|
@ -1763,6 +1796,10 @@ static int ssl_decrypt_buf( ssl_context *ssl )
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
#undef MAC_NONE
|
||||
#undef MAC_PLAINTEXT
|
||||
#undef MAC_CIPHERTEXT
|
||||
|
||||
#if defined(POLARSSL_ZLIB_SUPPORT)
|
||||
/*
|
||||
* Compression/decompression functions
|
||||
|
|
|
@ -443,7 +443,8 @@ run_test "Truncated HMAC: actual test" \
|
|||
# Tests for Encrypt-then-MAC extension
|
||||
|
||||
run_test "Encrypt then MAC: default" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_SRV debug_level=3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
"$P_CLI debug_level=3" \
|
||||
0 \
|
||||
-c "client hello, adding encrypt_then_mac extension" \
|
||||
|
@ -454,7 +455,8 @@ run_test "Encrypt then MAC: default" \
|
|||
-s "using encrypt then mac"
|
||||
|
||||
run_test "Encrypt then MAC: client enabled, server disabled" \
|
||||
"$P_SRV debug_level=3 etm=0" \
|
||||
"$P_SRV debug_level=3 etm=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
"$P_CLI debug_level=3 etm=1" \
|
||||
0 \
|
||||
-c "client hello, adding encrypt_then_mac extension" \
|
||||
|
@ -465,7 +467,8 @@ run_test "Encrypt then MAC: client enabled, server disabled" \
|
|||
-S "using encrypt then mac"
|
||||
|
||||
run_test "Encrypt then MAC: client disabled, server enabled" \
|
||||
"$P_SRV debug_level=3 etm=1" \
|
||||
"$P_SRV debug_level=3 etm=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
"$P_CLI debug_level=3 etm=0" \
|
||||
0 \
|
||||
-C "client hello, adding encrypt_then_mac extension" \
|
||||
|
@ -476,7 +479,8 @@ run_test "Encrypt then MAC: client disabled, server enabled" \
|
|||
-S "using encrypt then mac"
|
||||
|
||||
run_test "Encrypt then MAC: client SSLv3, server enabled" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_SRV debug_level=3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
"$P_CLI debug_level=3 force_version=ssl3" \
|
||||
0 \
|
||||
-C "client hello, adding encrypt_then_mac extension" \
|
||||
|
@ -487,7 +491,8 @@ run_test "Encrypt then MAC: client SSLv3, server enabled" \
|
|||
-S "using encrypt then mac"
|
||||
|
||||
run_test "Encrypt then MAC: client enabled, server SSLv3" \
|
||||
"$P_SRV debug_level=3 force_version=ssl3" \
|
||||
"$P_SRV debug_level=3 force_version=ssl3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
"$P_CLI debug_level=3" \
|
||||
0 \
|
||||
-c "client hello, adding encrypt_then_mac extension" \
|
||||
|
|
Loading…
Reference in a new issue