Implement initial negotiation of EtM
Not implemented yet:
- actually using EtM
- conditions on renegotiation
diff --git a/include/polarssl/check_config.h b/include/polarssl/check_config.h
index b4ae541..80b037e 100644
--- a/include/polarssl/check_config.h
+++ b/include/polarssl/check_config.h
@@ -257,6 +257,13 @@
#error "Illegal protocol selection"
#endif
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) && \
+ !defined(POLARSSL_SSL_PROTO_TLS1) && \
+ !defined(POLARSSL_SSL_PROTO_TLS1_1) && \
+ !defined(POLARSSL_SSL_PROTO_TLS1_2)
+#error "POLARSSL_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites"
+#endif
+
#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) && \
!defined(POLARSSL_SSL_PROTO_TLS1) && \
!defined(POLARSSL_SSL_PROTO_TLS1_1) && \
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index dfe2764..6e736e2 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -811,6 +811,24 @@
*/
//#define POLARSSL_SSL_DEBUG_ALL
+/** \def POLARSSL_SSL_ENCRYPT_THEN_MAC
+ *
+ * Enable support for Encrypt-then-MAC, RFC 7366.
+ *
+ * This allows peers that both support it to use a more robust protection for
+ * ciphersuites using CBC, providing deep resistance against timing attacks
+ * on the padding or underlying cipher.
+ *
+ * This only affects CBC ciphersuites, and is useless if none is defined.
+ *
+ * Requires: POLARSSL_SSL_PROTO_TLS1 or
+ * POLARSSL_SSL_PROTO_TLS1_1 or
+ * POLARSSL_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Encrypt-then-MAC
+ */
+#define POLARSSL_SSL_ENCRYPT_THEN_MAC
+
/** \def POLARSSL_SSL_EXTENDED_MASTER_SECRET
*
* Enable support for Extended Master Secret, aka Session Hash
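Review bot: Defining POLARSSL_SSL_ENCRYPT_THEN_MAC by default at this commit turns on negotiation of an extension that, per the commit message, the record layer does not yet honour, so a build from this revision would advertise or accept EtM and then presumably still protect records in the old MAC-then-encrypt form, which a peer that did agree to EtM would reject as a MAC failure. Until the record-layer part lands, ship the option disabled, `//#define POLARSSL_SSL_ENCRYPT_THEN_MAC`, or keep the define but leave the extension out of the hello until it is actually used; this interop consequence is inferred from the commit message rather than from code visible in this chunk. The phrase "providing deep resistance against timing attacks on the padding or underlying cipher" also overstates what RFC 7366 gives: the gain is that the MAC is verified over the ciphertext before any decryption or padding check, so `providing resistance against timing attacks on CBC padding (the MAC is verified before decryption)` describes it more precisely.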
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 7b5ec8e..82ed04e 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -212,6 +212,9 @@
#define SSL_EXTENDED_MS_DISABLED 0
#define SSL_EXTENDED_MS_ENABLED 1
+#define SSL_ETM_DISABLED 0
+#define SSL_ETM_ENABLED 1
+
#define SSL_COMPRESS_NULL 0
#define SSL_COMPRESS_DEFLATE 1
@@ -409,6 +412,7 @@
#define TLS_EXT_ALPN 16
+#define TLS_EXT_ENCRYPT_THEN_MAC 22 /* 0x16 */
#define TLS_EXT_EXTENDED_MASTER_SECRET 0x0017 /* 23 */
#define TLS_EXT_SESSION_TICKET 35
@@ -548,6 +552,10 @@
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
int trunc_hmac; /*!< flag for truncated hmac activation */
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+ int encrypt_then_mac; /*!< flag for EtM activation */
+#endif
};
/*
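Review bot: The new `encrypt_then_mac` member's comment, `flag for EtM activation`, does not say which side of the negotiation it records, and the ssl_context gets a same-named `char encrypt_then_mac` in the hunk at -713 whose comment is equally generic, so a reader cannot tell which field is the application's preference set via ssl_set_encrypt_then_mac and which is the outcome agreed with the peer. Given the sibling `trunc_hmac` in this struct and the commit's purpose, the session field presumably holds the negotiated result; suggest `int encrypt_then_mac; /*!< flag for EtM activation (negotiated with peer) */` here and `char encrypt_then_mac; /*!< EtM preference set by the application (SSL_ETM_*) */` in the ssl_context hunk. If ssl_session is ever serialized by raw struct copy (for example into session tickets), adding a member also changes that serialized layout, which is worth confirming against the ticket code, not visible here.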
@@ -713,6 +721,9 @@
#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
char fallback; /*!< flag for fallback connections */
#endif
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+ char encrypt_then_mac; /*!< flag for encrypt-then-mac */
+#endif
#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
char extended_ms; /*!< flag for extended master secret */
#endif
@@ -1425,6 +1436,21 @@
void ssl_set_fallback( ssl_context *ssl, char fallback );
#endif /* POLARSSL_SSL_FALLBACK_SCSV && POLARSSL_SSL_CLI_C */
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+/**
+ * \brief Enable or disable Encrypt-then-MAC
+ * (Default: SSL_ETM_ENABLED)
+ *
+ * \note This should always be enabled, it is a security
+ * improvement, and should not cause any interoperability
+ * issue (used only if the peer supports it too).
+ *
+ * \param ssl SSL context
+ * \param etm SSL_ETM_ENABLED or SSL_ETM_DISABLED
+ */
+void ssl_set_encrypt_then_mac( ssl_context *ssl, char etm );
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
/**
* \brief Enable or disable Extended Master Secret negotiation.