Implement initial negotiation of EtM
Not implemented yet:
- actually using EtM
- conditions on renegotiation
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 7b5ec8e..82ed04e 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -212,6 +212,9 @@
#define SSL_EXTENDED_MS_DISABLED 0
#define SSL_EXTENDED_MS_ENABLED 1
+#define SSL_ETM_DISABLED 0
+#define SSL_ETM_ENABLED 1
+
#define SSL_COMPRESS_NULL 0
#define SSL_COMPRESS_DEFLATE 1
@@ -409,6 +412,7 @@
#define TLS_EXT_ALPN 16
+#define TLS_EXT_ENCRYPT_THEN_MAC 22 /* 0x16 */
#define TLS_EXT_EXTENDED_MASTER_SECRET 0x0017 /* 23 */
#define TLS_EXT_SESSION_TICKET 35
@@ -548,6 +552,10 @@
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
int trunc_hmac; /*!< flag for truncated hmac activation */
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+ int encrypt_then_mac; /*!< flag for EtM activation */
+#endif
};
/*
@@ -713,6 +721,9 @@
#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
char fallback; /*!< flag for fallback connections */
#endif
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+ char encrypt_then_mac; /*!< flag for encrypt-then-mac */
+#endif
#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
char extended_ms; /*!< flag for extended master secret */
#endif
@@ -1425,6 +1436,21 @@
void ssl_set_fallback( ssl_context *ssl, char fallback );
#endif /* POLARSSL_SSL_FALLBACK_SCSV && POLARSSL_SSL_CLI_C */
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+/**
+ * \brief Enable or disable Encrypt-then-MAC
+ * (Default: SSL_ETM_ENABLED)
+ *
+ * \note This should always be enabled, it is a security
+ * improvement, and should not cause any interoperability
+ * issue (used only if the peer supports it too).
+ *
+ * \param ssl SSL context
+ * \param etm SSL_ETM_ENABLED or SSL_ETM_DISABLED
+ */
+void ssl_set_encrypt_then_mac( ssl_context *ssl, char etm );
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
/**
* \brief Enable or disable Extended Master Secret negotiation.