From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 14 Jun 2021 09:40:31 +0000 (+0200)
Subject: Disabling Encrypt-then-MAC extension in s_client/s_server
X-Git-Tag: openssl-3.0.0-beta1~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4832560be3b2a709557497cd881f8c390ba7ec34;p=thirdparty%2Fopenssl.git

Disabling Encrypt-then-MAC extension in s_client/s_server

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15735)
---

diff --git a/apps/include/opt.h b/apps/include/opt.h
index b77c5a52e5f..96e78e4b79b 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -163,7 +163,7 @@
         OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
         OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
         OPT_S_MINPROTO, OPT_S_MAXPROTO, \
-        OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
+        OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, OPT_S__LAST
 
 # define OPT_S_OPTIONS \
         OPT_SECTION("TLS/SSL"), \
@@ -216,7 +216,9 @@
         {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
             "Perform all sorts of protocol violations for testing purposes"}, \
         {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
-            "Disable TLSv1.3 middlebox compat mode" }
+            "Disable TLSv1.3 middlebox compat mode" }, \
+        {"no_etm", OPT_S_NO_ETM, '-', \
+            "Disable Encrypt-then-Mac extension"}
 
 # define OPT_S_CASES \
         OPT_S__FIRST: case OPT_S__LAST: break; \
@@ -250,7 +252,8 @@
         case OPT_S_MINPROTO: \
         case OPT_S_MAXPROTO: \
         case OPT_S_DEBUGBROKE: \
-        case OPT_S_NO_MIDDLEBOX
+        case OPT_S_NO_MIDDLEBOX: \
+        case OPT_S_NO_ETM
 
 #define IS_NO_PROT_FLAG(o) \
  (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 144e367d4ec..6328cd07d97 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -56,6 +56,7 @@ B<openssl> B<s_client>
 [B<-msg>]
 [B<-timeout>]
 [B<-mtu> I<size>]
+[B<-no_etm>]
 [B<-keymatexport> I<label>]
 [B<-keymatexportlen> I<len>]
 [B<-msgfile> I<filename>]
@@ -448,6 +449,10 @@ Enable send/receive timeout on DTLS connections.
 
 Set MTU of the link layer to the specified size.
 
+=item B<-no_etm>
+
+Disable Encrypt-then-MAC negotiation.
+
 =item B<-keymatexport> I<label>
 
 Export keying material using the specified label.
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index c4289a12e35..115eceb0e32 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -70,6 +70,7 @@ B<openssl> B<s_server>
 [B<-verify_quiet>]
 [B<-ign_eof>]
 [B<-no_ign_eof>]
+[B<-no_etm>]
 [B<-status>]
 [B<-status_verbose>]
 [B<-status_timeout> I<int>]
@@ -487,6 +488,10 @@ Ignore input EOF (default: when B<-quiet>).
 
 Do not ignore input EOF.
 
+=item B<-no_etm>
+
+Disable Encrypt-then-MAC negotiation.
+
 =item B<-status>
 
 Enables certificate status request support (aka OCSP stapling).
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index 133ad3c416e..f4c20aa3925 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -185,6 +185,7 @@ $OpenSSL::safe::opt_s_synopsis = ""
 . "[B<-no_resumption_on_reneg>]\n"
 . "[B<-legacy_server_connect>]\n"
 . "[B<-no_legacy_server_connect>]\n"
+. "[B<-no_etm>]\n"
 . "[B<-allow_no_dhe_kex>]\n"
 . "[B<-prioritize_chacha>]\n"
 . "[B<-strict>]\n"
@@ -205,7 +206,7 @@ $OpenSSL::safe::opt_s_item = ""
 . "B<-client_renegotiation>,\n"
 . "B<-legacy_renegotiation>, B<-no_renegotiation>,\n"
 . "B<-no_resumption_on_reneg>,\n"
-. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
+. "B<-legacy_server_connect>, B<-no_legacy_server_connect>, B<-no_etm>\n"
 . "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
 . "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"
 . "I<curves>, B<-named_curve> I<curve>, B<-cipher> I<ciphers>, B<-ciphersuites>\n"
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index b15c8471766..c0cbbe5e2cf 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -676,7 +676,8 @@ typedef struct {
 #define SSL_CONF_CMD_SWITCH(name, flags) \
         {0, NULL, name, flags, SSL_CONF_TYPE_NONE}
 
-/* See apps/apps.h if you change this table. */
+/* See apps/include/opt.h if you change this table. */
+/* The SSL_CONF_CMD_SWITCH should be the same order as ssl_cmd_switches */
 static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
     SSL_CONF_CMD_SWITCH("no_ssl3", 0),
     SSL_CONF_CMD_SWITCH("no_tls1", 0),
@@ -701,6 +702,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
     SSL_CONF_CMD_SWITCH("no_middlebox", 0),
     SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER),
     SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER),
+    SSL_CONF_CMD_SWITCH("no_etm", 0),
     SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
     SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
     SSL_CONF_CMD_STRING(Curves, "curves", 0),
@@ -790,6 +792,8 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
     {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV},
     /* no_anti_replay */
     {SSL_OP_NO_ANTI_REPLAY, 0},
+    /* no Encrypt-then-Mac */
+    {SSL_OP_NO_ENCRYPT_THEN_MAC, 0},
 };
 
 static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)