authorPeter Dettman <peter.dettman@bouncycastle.org>2014-07-22 19:05:49 +0400
committerPeter Dettman <peter.dettman@bouncycastle.org>2014-07-22 19:05:49 +0400
commit6008b9c96a09f4d570a5f1ec8dd4f05331694007 (patch)
tree573e2c010df4c75db12fb4a823b2fa384f09bfee /core
parent29becdd4a0c9b76e1fa35a4bd82e446382a6a8df (diff)
draft-ietf-tls-encrypt-then-mac-033 updates
Diffstat (limited to 'core')
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java10
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java13
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/ExtensionType.java6
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java13
4 files changed, 35 insertions, 7 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java
index c811eec3..dd5c4409 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java
@@ -235,7 +235,15 @@ public abstract class AbstractTlsServer
{
if (this.encryptThenMACOffered && allowEncryptThenMAC())
{
- TlsExtensionsUtils.addEncryptThenMACExtension(checkServerExtensions());
+ /*
+ * draft-ietf-tls-encrypt-then-mac-03 3. If a server receives an encrypt-then-MAC
+ * request extension from a client and then selects a stream or AEAD cipher suite, it
+ * MUST NOT send an encrypt-then-MAC response extension back to the client.
+ */
+ if (TlsUtils.isBlockCipherSuite(this.selectedCipherSuite))
+ {
+ TlsExtensionsUtils.addEncryptThenMACExtension(checkServerExtensions());
+ }
}
if (this.maxFragmentLengthOffered >= 0)
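Review bot: The new guard reads `this.selectedCipherSuite` while the server extensions are being built, so it only enforces the quoted rule if cipher-suite selection has already run when this method is called; the enclosing method starts and ends outside the hunk (presumably getServerExtensions()), so that ordering is not visible here. If the field is still at its initial value, isBlockCipherSuite() would presumably return false and the extension is silently omitted, which fails in the safe direction but would be hard to diagnose for a subclass that reorders the handshake callbacks. Suggest a comment above the inner check such as `// NOTE: relies on selectedCipherSuite having been chosen before the server extensions are built`. The same three-sentence spec quotation is repeated verbatim in DTLSClientProtocol and TlsClientProtocol in this commit; a single reference kept in one place would stop the copies drifting.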
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
index 73cfd60b..b88d8f33 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
@@ -718,7 +718,18 @@ public class DTLSClientProtocol
}
}
- securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(serverExtensions);
+ /*
+ * draft-ietf-tls-encrypt-then-mac-03 3. If a server receives an encrypt-then-MAC
+ * request extension from a client and then selects a stream or AEAD cipher suite, it
+ * MUST NOT send an encrypt-then-MAC response extension back to the client.
+ */
+ boolean serverSentEncryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(serverExtensions);
+ if (serverSentEncryptThenMAC && !TlsUtils.isBlockCipherSuite(state.selectedCipherSuite))
+ {
+ throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+ }
+
+ securityParameters.encryptThenMAC = serverSentEncryptThenMAC;
state.maxFragmentLength = evaluateMaxFragmentLengthExtension(state.clientExtensions, serverExtensions,
AlertDescription.illegal_parameter);
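Review bot: The four-line check added here is duplicated verbatim in TlsClientProtocol in the same commit (only `state.selectedCipherSuite` versus `selectedCipherSuite` differs), whereas the neighbouring max_fragment_length handling already goes through a shared `evaluateMaxFragmentLengthExtension(...)` helper that takes the alert to raise. The encrypt-then-MAC evaluation would fit the same pattern, so both clients call one helper and a future tightening of the rule lands in one place; e.g. a new helper on TlsExtensionsUtils (name to be chosen) taking the server extensions and the selected cipher suite and either returning the boolean or throwing `TlsFatalAlert(AlertDescription.illegal_parameter)`, used as `securityParameters.encryptThenMAC = TlsExtensionsUtils.<helper>(serverExtensions, state.selectedCipherSuite);`. The quoted comment states the server's obligation; a short line saying what this side does, `// Client side: reject a server that negotiates EtM with a non-block cipher suite`, would make the throw self-explanatory. The enclosing method continues outside the hunk.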
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ExtensionType.java b/core/src/main/java/org/bouncycastle/crypto/tls/ExtensionType.java
index 02b3bf22..c0a7a90a 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/ExtensionType.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/ExtensionType.java
@@ -49,11 +49,9 @@ public class ExtensionType
public static final int session_ticket = 35;
/*
- * draft-gutmann-tls-encrypt-then-mac-05
- *
- * NOTE: This value has not yet been reserved by the IETF
+ * draft-ietf-tls-encrypt-then-mac-03
*/
- public static final int encrypt_then_mac = 66;
+ public static final int encrypt_then_mac = 22;
/*
* RFC 5746 3.2.
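Review bot: Changing the extension code from 66 to 22 is a wire-format break that the replacement comment does not record: the removed NOTE says 66 was never reserved, so a peer built from the previous revision will presumably keep sending and recognising 66, and encrypt-then-MAC would then quietly not be negotiated against this build rather than fail loudly. Keeping that history next to the constant helps whoever debugs the interop gap; suggest `* draft-ietf-tls-encrypt-then-mac-03 (IANA-registered value; earlier revisions of this code used the provisional value 66)`.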
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
index 5f064560..d4d19ef7 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
@@ -775,7 +775,18 @@ public class TlsClientProtocol
if (sessionServerExtensions != null)
{
- this.securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(sessionServerExtensions);
+ /*
+ * draft-ietf-tls-encrypt-then-mac-03 3. If a server receives an encrypt-then-MAC
+ * request extension from a client and then selects a stream or AEAD cipher suite, it
+ * MUST NOT send an encrypt-then-MAC response extension back to the client.
+ */
+ boolean serverSentEncryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(sessionServerExtensions);
+ if (serverSentEncryptThenMAC && !TlsUtils.isBlockCipherSuite(selectedCipherSuite))
+ {
+ throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+ }
+
+ this.securityParameters.encryptThenMAC = serverSentEncryptThenMAC;
this.securityParameters.maxFragmentLength = processMaxFragmentLengthExtension(sessionClientExtensions,
sessionServerExtensions, AlertDescription.illegal_parameter);