#endif
if (which & SSL3_CC_READ) {
+ if (s->ext.use_etm)
+ s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
+ else
+ s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
+
if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
else
mac_secret = &(s->s3->read_mac_secret[0]);
mac_secret_size = &(s->s3->read_mac_secret_size);
} else {
+ if (s->ext.use_etm)
+ s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
+ else
+ s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
+
if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
else
int taglen;
if (s->s3->tmp.
new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
- taglen = 8;
+ taglen = EVP_CCM8_TLS_TAG_LEN;
else
- taglen = 16;
+ taglen = EVP_CCM_TLS_TAG_LEN;
if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
|| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
|| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
if (s->s3->tmp.key_block_length != 0)
return (1);
- if (!ssl_cipher_get_evp
- (s->session, &c, &hash, &mac_type, &mac_secret_size, &comp,
- SSL_USE_ETM(s))) {
+ if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size,
+ &comp, s->ext.use_etm)) {
SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return (0);
}
int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
size_t len, size_t *secret_size)
{
- if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
+ /*
+ * TODO(TLS1.3): We haven't implemented TLS1.3 key derivation yet. For now
+ * we will just force no use of EMS (which adds complications around the
+ * handshake hash). This will need to be removed later
+ */
+ if ((s->session->flags & SSL_SESS_FLAG_EXTMS)
+ && !SSL_IS_TLS13(s)) {
unsigned char hash[EVP_MAX_MD_SIZE * 2];
size_t hashlen;
/*