Wire up the extension processing for encrypt_then_mac

author: Peter Dettman <peter.dettman@bouncycastle.org> 2014-01-28 05:59:30 +0400
committer: Peter Dettman <peter.dettman@bouncycastle.org> 2014-01-28 05:59:30 +0400
commit: b67358982e98475a03b00e06f69da1594fec48ff (patch)
tree: 38c354f2ac8ed204a89e81c458edf75ded1b40c7 /core/src/main/java/org/bouncycastle/crypto/tls
parent: 18e91d52dff4fd1035bfdda30d9a7b26054b8145 (diff)
5 files changed, 20 insertions, 0 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java
index b17a8abd..c811eec3 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java
@@ -19,6 +19,7 @@ public abstract class AbstractTlsServer
     protected short[] offeredCompressionMethods;
     protected Hashtable clientExtensions;
 
+    protected boolean encryptThenMACOffered;
     protected short maxFragmentLengthOffered;
     protected boolean truncatedHMacOffered;
     protected Vector supportedSignatureAlgorithms;
@@ -41,6 +42,11 @@ public abstract class AbstractTlsServer
         this.cipherFactory = cipherFactory;
     }
 
+    protected boolean allowEncryptThenMAC()
+    {
+        return true;
+    }
+
     protected boolean allowTruncatedHMac()
     {
         return false;
@@ -126,6 +132,7 @@ public abstract class AbstractTlsServer
 
         if (clientExtensions != null)
         {
+            this.encryptThenMACOffered = TlsExtensionsUtils.hasEncryptThenMACExtension(clientExtensions);
             this.maxFragmentLengthOffered = TlsExtensionsUtils.getMaxFragmentLengthExtension(clientExtensions);
             this.truncatedHMacOffered = TlsExtensionsUtils.hasTruncatedHMacExtension(clientExtensions);
 
@@ -226,6 +233,11 @@ public abstract class AbstractTlsServer
     public Hashtable getServerExtensions()
         throws IOException
     {
+        if (this.encryptThenMACOffered && allowEncryptThenMAC())
+        {
+            TlsExtensionsUtils.addEncryptThenMACExtension(checkServerExtensions());
+        }
+
         if (this.maxFragmentLengthOffered >= 0)
         {
             TlsExtensionsUtils.addMaxFragmentLengthExtension(checkServerExtensions(), this.maxFragmentLengthOffered);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
index c0159f5c..fb058e79 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
@@ -715,6 +715,8 @@ public class DTLSClientProtocol
                 }
             }
 
+            securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(serverExtensions);
+
             state.maxFragmentLength = evaluateMaxFragmentLengthExtension(state.clientExtensions, serverExtensions,
                 AlertDescription.illegal_parameter);
 
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
index 7fc23226..d6d6a8d9 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
@@ -389,6 +389,8 @@ public class DTLSServerProtocol
 
         if (state.serverExtensions != null)
         {
+            securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(state.serverExtensions);
+
             state.maxFragmentLength = evaluateMaxFragmentLengthExtension(state.clientExtensions, state.serverExtensions,
                 AlertDescription.internal_error);
 
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
index f339df27..a51b788f 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
@@ -769,6 +769,8 @@ public class TlsClientProtocol
 
         if (sessionServerExtensions != null)
         {
+            this.securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(sessionServerExtensions);
+
             this.securityParameters.maxFragmentLength = processMaxFragmentLengthExtension(sessionClientExtensions,
                 sessionServerExtensions, AlertDescription.illegal_parameter);
 
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
index fee99652..c09e8050 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
@@ -695,6 +695,8 @@ public class TlsServerProtocol
 
         if (this.serverExtensions != null)
         {
+            this.securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(this.serverExtensions);
+
             this.securityParameters.maxFragmentLength = processMaxFragmentLengthExtension(clientExtensions,
                 this.serverExtensions, AlertDescription.internal_error);
author	Peter Dettman <peter.dettman@bouncycastle.org>	2014-01-28 05:59:30 +0400
committer	Peter Dettman <peter.dettman@bouncycastle.org>	2014-01-28 05:59:30 +0400
commit	b67358982e98475a03b00e06f69da1594fec48ff (patch)
tree	38c354f2ac8ed204a89e81c458edf75ded1b40c7 /core/src/main/java/org/bouncycastle/crypto/tls
parent	18e91d52dff4fd1035bfdda30d9a7b26054b8145 (diff)