The branch OpenSSL_1_1_0-stable has been updated via c5e8bd1d8aa9dafdb515b6c055f1ac95c12f138d (commit) via 619c589bdb2fc52e4f180db548222e2b7ab169d8 (commit) from 6717d1cf7db731e1087d84aa5195c3d0e71c4d30 (commit)
- Log ----------------------------------------------------------------- commit c5e8bd1d8aa9dafdb515b6c055f1ac95c12f138d Author: Emilia Kasper <emi...@openssl.org> Date: Fri Nov 25 17:05:30 2016 +0100 Test mac-then-encrypt Verify that the encrypt-then-mac negotiation is handled correctly. Additionally, when compiled with no-asm, this test ensures coverage for the constant-time MAC copying code in ssl3_cbc_copy_mac. The proxy-based CBC padding test covers that as well but it's nevertheless better to have an explicit handshake test for mac-then-encrypt. Reviewed-by: Andy Polyakov <ap...@openssl.org> (cherry picked from commit b3618f44a7b8504bfb0a64e8a33e6b8e56d4d516) commit 619c589bdb2fc52e4f180db548222e2b7ab169d8 Author: David Woodhouse <david.woodho...@intel.com> Date: Fri Oct 14 00:26:38 2016 +0100 Add SSL_OP_NO_ENCRYPT_THEN_MAC Reviewed-by: Tim Hudson <t...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (cherry picked from commit cde6145ba19a2fce039cf054a89e49f67c623c59) ----------------------------------------------------------------------- Summary of changes: CHANGES | 2 + doc/ssl/SSL_CTX_set_options.pod | 8 ++ include/openssl/ssl.h | 2 + ssl/ssl_conf.c | 1 + ssl/t1_lib.c | 9 +- test/recipes/80-test_ssl_new.t | 2 +- test/ssl-tests/19-mac-then-encrypt.conf | 156 +++++++++++++++++++++++++++++ test/ssl-tests/19-mac-then-encrypt.conf.in | 89 ++++++++++++++++ 8 files changed, 265 insertions(+), 4 deletions(-) create mode 100644 test/ssl-tests/19-mac-then-encrypt.conf create mode 100644 test/ssl-tests/19-mac-then-encrypt.conf.in diff --git a/CHANGES b/CHANGES index f13c6d1..b237273 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,8 @@ *) Ignore the '-named_curve auto' value for compatibility of applications with OpenSSL 1.0.2. [Tomas Mraz <tm...@fedoraproject.org>] + *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd. + [Emilia Käsper] Changes between 1.1.0e and 1.1.0f [25 May 2017] 
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 635b470..63609f3 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -189,6 +189,14 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched servers B<only>: this option is currently set by default. See the B<SECURE RENEGOTIATION> section for more details. +=item SSL_OP_NO_ENCRYPT_THEN_MAC + +Normally clients and servers will transparently attempt to negotiate the +RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. + +If this option is set, Encrypt-then-MAC is disabled. Clients will not +propose, and servers will not accept the extension. + =back =head1 SECURE RENEGOTIATION diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 940a5f0..4e7f82f 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -297,6 +297,8 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); # define SSL_OP_NO_COMPRESSION 0x00020000U /* Permit unsafe legacy renegotiation */ # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U +/* Disable encrypt-then-mac */ +# define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U /* * Set on servers to choose the cipher according to the server's preferences */ diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 88e4103..8b7c6fe 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -357,6 +357,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), }; if (value == NULL) return -3; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 55abba9..b2cfff5 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c 
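Review bot: The comment on the new `SSL_OP_NO_ENCRYPT_THEN_MAC` define in include/openssl/ssl.h names the bit but not what a connection falls back to when it is set. With encrypt-then-MAC disabled, CBC ciphersuites return to MAC-then-encrypt, whose safety depends on the constant-time padding and MAC handling the commit message refers to (ssl3_cbc_copy_mac). I would say so at the definition, so callers read it as an interoperability or testing switch and not a neutral tuning knob, e.g. `/* Disable RFC 7366 encrypt-then-mac; CBC suites fall back to MAC-then-encrypt */`.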
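Review bot: The `EncryptThenMac` keyword added to cmd_Options in ssl/ssl_conf.c has no documentation in this commit. The summary of changes lists only SSL_CTX_set_options.pod under doc/, and that page describes the C flag, not the configuration keyword. Because the entry uses `SSL_FLAG_TBL_INV`, the keyword is positive while the bit is a NO_ flag, so `Options = -EncryptThenMac` (as the new tests write it) is what sets `SSL_OP_NO_ENCRYPT_THEN_MAC`. That inversion deserves a sentence in the SSL_CONF_cmd documentation. cmd_Options begins above the hunk and continues below it.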
@@ -1356,8 +1356,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, * silently failed to actually do it. It is fixed in 1.1.1 but to * ease the transition especially from 1.1.0b to 1.1.0c, we just * disable it in 1.1.0. + * Also skip if SSL_OP_NO_ENCRYPT_THEN_MAC is set. */ - if (!SSL_IS_DTLS(s)) { + if (!SSL_IS_DTLS(s) && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) { /*- * check for enough space. * 4 bytes for the ETM type and extension length @@ -2285,7 +2286,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) return 0; } #endif - else if (type == TLSEXT_TYPE_encrypt_then_mac) + else if (type == TLSEXT_TYPE_encrypt_then_mac && + !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) s->tlsext_use_etm = 1; /* * Note: extended master secret extension handled in @@ -2605,7 +2607,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) #endif else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite */ - if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD + if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) && + s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) s->tlsext_use_etm = 1; } else if (type == TLSEXT_TYPE_extended_master_secret) { diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 2f6a69a..e986c76 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -29,7 +29,7 @@ map { s/\^// } @conf_files if $^O eq "VMS"; # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 18; # = scalar @conf_srcs +plan tests => 19; # = scalar @conf_srcs # Some test results depend on the configuration of enabled protocols. We only # verify generated sources in the default configuration. diff --git a/test/ssl-tests/19-mac-then-encrypt.conf b/test/ssl-tests/19-mac-then-encrypt.conf new file mode 100644 index 0000000..40480ed 
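Review bot: In ssl_scan_serverhello_tlsext (third ssl/t1_lib.c hunk), a client with `SSL_OP_NO_ENCRYPT_THEN_MAC` set now silently ignores an encrypt_then_mac extension in the ServerHello, although the first hunk guarantees that this client never offered it. A server that echoes an extension the client did not send is violating the protocol. It will presumably protect its records with encrypt-then-MAC while the client stays on MAC-then-encrypt, so the connection would fail later with a record MAC error instead of at the point of the violation. Unless unsolicited extensions are rejected elsewhere (not visible in this hunk), I would fail the handshake here before the ciphersuite check, e.g. `if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) { *al = SSL_AD_UNSUPPORTED_EXTENSION; return 0; }`. The function body starts and ends outside the hunk.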
--- /dev/null
+++ b/test/ssl-tests/19-mac-then-encrypt.conf
@@ -0,0 +1,156 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 6 + +test-0 = 0-disable-encrypt-then-mac-server-sha +test-1 = 1-disable-encrypt-then-mac-client-sha +test-2 = 2-disable-encrypt-then-mac-both-sha +test-3 = 3-disable-encrypt-then-mac-server-sha2 +test-4 = 4-disable-encrypt-then-mac-client-sha2 +test-5 = 5-disable-encrypt-then-mac-both-sha2 +# =========================================================== + +[0-disable-encrypt-then-mac-server-sha] +ssl_conf = 0-disable-encrypt-then-mac-server-sha-ssl + +[0-disable-encrypt-then-mac-server-sha-ssl] +server = 0-disable-encrypt-then-mac-server-sha-server +client = 0-disable-encrypt-then-mac-server-sha-client + +[0-disable-encrypt-then-mac-server-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -EncryptThenMac +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[0-disable-encrypt-then-mac-server-sha-client] +CipherString = AES128-SHA +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-0] +ExpectedResult = Success + + +# =========================================================== + +[1-disable-encrypt-then-mac-client-sha] +ssl_conf = 1-disable-encrypt-then-mac-client-sha-ssl + +[1-disable-encrypt-then-mac-client-sha-ssl] +server = 1-disable-encrypt-then-mac-client-sha-server +client = 1-disable-encrypt-then-mac-client-sha-client + +[1-disable-encrypt-then-mac-client-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[1-disable-encrypt-then-mac-client-sha-client] +CipherString = AES128-SHA +Options = -EncryptThenMac +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success + + +# =========================================================== + +[2-disable-encrypt-then-mac-both-sha] +ssl_conf = 2-disable-encrypt-then-mac-both-sha-ssl + +[2-disable-encrypt-then-mac-both-sha-ssl] +server = 
2-disable-encrypt-then-mac-both-sha-server +client = 2-disable-encrypt-then-mac-both-sha-client + +[2-disable-encrypt-then-mac-both-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -EncryptThenMac +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[2-disable-encrypt-then-mac-both-sha-client] +CipherString = AES128-SHA +Options = -EncryptThenMac +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-2] +ExpectedResult = Success + + +# =========================================================== + +[3-disable-encrypt-then-mac-server-sha2] +ssl_conf = 3-disable-encrypt-then-mac-server-sha2-ssl + +[3-disable-encrypt-then-mac-server-sha2-ssl] +server = 3-disable-encrypt-then-mac-server-sha2-server +client = 3-disable-encrypt-then-mac-server-sha2-client + +[3-disable-encrypt-then-mac-server-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -EncryptThenMac +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[3-disable-encrypt-then-mac-server-sha2-client] +CipherString = AES128-SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = Success + + +# =========================================================== + +[4-disable-encrypt-then-mac-client-sha2] +ssl_conf = 4-disable-encrypt-then-mac-client-sha2-ssl + +[4-disable-encrypt-then-mac-client-sha2-ssl] +server = 4-disable-encrypt-then-mac-client-sha2-server +client = 4-disable-encrypt-then-mac-client-sha2-client + +[4-disable-encrypt-then-mac-client-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[4-disable-encrypt-then-mac-client-sha2-client] +CipherString = AES128-SHA256 +Options = -EncryptThenMac +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-4] +ExpectedResult = Success + + +# 
=========================================================== + +[5-disable-encrypt-then-mac-both-sha2] +ssl_conf = 5-disable-encrypt-then-mac-both-sha2-ssl + +[5-disable-encrypt-then-mac-both-sha2-ssl] +server = 5-disable-encrypt-then-mac-both-sha2-server +client = 5-disable-encrypt-then-mac-both-sha2-client + +[5-disable-encrypt-then-mac-both-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -EncryptThenMac +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[5-disable-encrypt-then-mac-both-sha2-client] +CipherString = AES128-SHA256 +Options = -EncryptThenMac +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] +ExpectedResult = Success + + diff --git a/test/ssl-tests/19-mac-then-encrypt.conf.in b/test/ssl-tests/19-mac-then-encrypt.conf.in new file mode 100644 index 0000000..01afe25 --- /dev/null +++ b/test/ssl-tests/19-mac-then-encrypt.conf.in 
@@ -0,0 +1,89 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## SSL test configurations
+
+package ssltests;
+
+our @tests = (
+ {
+ name => "disable-encrypt-then-mac-server-sha",
+ server => {
+ "Options" => "-EncryptThenMac",
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-encrypt-then-mac-client-sha",
+ server => {
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ "Options" => "-EncryptThenMac",
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-encrypt-then-mac-both-sha",
+ server => {
+ "Options" => "-EncryptThenMac",
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ "Options" => "-EncryptThenMac",
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-encrypt-then-mac-server-sha2",
+ server => {
+ "Options" => "-EncryptThenMac",
+ },
+ client => {
+ "CipherString" => "AES128-SHA256",
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-encrypt-then-mac-client-sha2",
+ server => {
+ },
+ client => {
+ "CipherString" => "AES128-SHA256",
+ "Options" => "-EncryptThenMac",
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-encrypt-then-mac-both-sha2",
+ server => {
+ "Options" => "-EncryptThenMac",
+ },
+ client => {
+ "CipherString" => "AES128-SHA256",
+ "Options" => "-EncryptThenMac",
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+);
_____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
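Review bot: All six cases in test/ssl-tests/19-mac-then-encrypt.conf.in assert only `"ExpectedResult" => "Success"`, which would also hold if `-EncryptThenMac` were parsed and then ignored, or if both peers negotiated encrypt-then-MAC anyway. The file therefore exercises the MAC-then-encrypt record path only while the option works, and a regression in the option would silently remove that coverage without failing a test. If the test harness can report whether encrypt-then-MAC was negotiated (not visible here), each case should assert that it was not. Otherwise a comment above `@tests` such as `# NOTE: success alone does not prove MAC-then-encrypt was used` would at least record the limitation.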