Preparation for EtM

This commit is contained in:
Manuel Pégourié-Gonnard 2014-10-28 13:08:59 +01:00
parent 699cafaea2
commit 0098e7dc70
2 changed files with 58 additions and 16 deletions

View file

@ -1060,6 +1060,41 @@ static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
}
#endif /* POLARSSL_SSL_PROTO_SSL3 */
#define MAC_NONE 0
#define MAC_PLAINTEXT 1
#define MAC_CIPHERTEXT 2
/*
* Is MAC applied on ciphertext, cleartext or not at all?
*/
static char ssl_get_mac_order( ssl_context *ssl,
const ssl_session *session,
cipher_mode_t mode )
{
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
if( mode == POLARSSL_MODE_STREAM )
return( MAC_PLAINTEXT );
#endif
#if defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
if( mode == POLARSSL_MODE_CBC )
{
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
if( session != NULL && session->encrypt_then_mac == SSL_ETM_ENABLED )
{
SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
return( MAC_CIPHERTEXT );
}
#endif
return( MAC_PLAINTEXT );
}
#endif
return( MAC_NONE );
}
/*
* Encryption/decryption functions
*/
@ -1068,26 +1103,20 @@ static int ssl_encrypt_buf( ssl_context *ssl )
size_t i;
const cipher_mode_t mode = cipher_get_cipher_mode(
&ssl->transform_out->cipher_ctx_enc );
char mac_order;
SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
if( ssl->session_out != NULL &&
ssl->session_out->encrypt_then_mac == SSL_ETM_ENABLED )
{
// WIP
SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
}
#endif
mac_order = ssl_get_mac_order( ssl, ssl->session_out, mode );
/*
* Add MAC before encrypt, except for AEAD modes
* Add MAC before if needed
*/
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
( defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
if( mode != POLARSSL_MODE_GCM &&
mode != POLARSSL_MODE_CCM )
if( mac_order == MAC_PLAINTEXT
|| mac_order == MAC_CIPHERTEXT ) // WIP!
{
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
@ -1358,6 +1387,7 @@ static int ssl_decrypt_buf( ssl_context *ssl )
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
size_t padlen = 0, correct = 1;
#endif
char mac_order;
SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
@ -1368,6 +1398,9 @@ static int ssl_decrypt_buf( ssl_context *ssl )
return( POLARSSL_ERR_SSL_INVALID_MAC );
}
mac_order = ssl_get_mac_order( ssl, ssl->session_in, mode );
(void) mac_order; // WIP
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
if( mode == POLARSSL_MODE_STREAM )
{
@ -1763,6 +1796,10 @@ static int ssl_decrypt_buf( ssl_context *ssl )
return( 0 );
}
#undef MAC_NONE
#undef MAC_PLAINTEXT
#undef MAC_CIPHERTEXT
#if defined(POLARSSL_ZLIB_SUPPORT)
/*
* Compression/decompression functions

View file

@ -443,7 +443,8 @@ run_test "Truncated HMAC: actual test" \
# Tests for Encrypt-then-MAC extension
run_test "Encrypt then MAC: default" \
"$P_SRV debug_level=3" \
"$P_SRV debug_level=3 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=3" \
0 \
-c "client hello, adding encrypt_then_mac extension" \
@ -454,7 +455,8 @@ run_test "Encrypt then MAC: default" \
-s "using encrypt then mac"
run_test "Encrypt then MAC: client enabled, server disabled" \
"$P_SRV debug_level=3 etm=0" \
"$P_SRV debug_level=3 etm=0 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=3 etm=1" \
0 \
-c "client hello, adding encrypt_then_mac extension" \
@ -465,7 +467,8 @@ run_test "Encrypt then MAC: client enabled, server disabled" \
-S "using encrypt then mac"
run_test "Encrypt then MAC: client disabled, server enabled" \
"$P_SRV debug_level=3 etm=1" \
"$P_SRV debug_level=3 etm=1 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=3 etm=0" \
0 \
-C "client hello, adding encrypt_then_mac extension" \
@ -476,7 +479,8 @@ run_test "Encrypt then MAC: client disabled, server enabled" \
-S "using encrypt then mac"
run_test "Encrypt then MAC: client SSLv3, server enabled" \
"$P_SRV debug_level=3" \
"$P_SRV debug_level=3 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=3 force_version=ssl3" \
0 \
-C "client hello, adding encrypt_then_mac extension" \
@ -487,7 +491,8 @@ run_test "Encrypt then MAC: client SSLv3, server enabled" \
-S "using encrypt then mac"
run_test "Encrypt then MAC: client enabled, server SSLv3" \
"$P_SRV debug_level=3 force_version=ssl3" \
"$P_SRV debug_level=3 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=3" \
0 \
-c "client hello, adding encrypt_then_mac extension" \