Fix encrypt-then-mac implementation for DTLS
OpenSSL 1.1.0 will negotiate EtM on DTLS but will then not actually *do* it. If we use DTLSv1.2 that will hopefully be harmless since we'll tend to use an AEAD ciphersuite anyway. But if we're using DTLSv1, then we certainly will end up using CBC, so EtM is relevant — and we fail to interoperate with anything that implements EtM correctly. Fixing it in HEAD and 1.1.0c will mean that 1.1.0[ab] are incompatible with 1.1.0c+... for the limited case of non-AEAD ciphers, where they're *already* incompatible with other implementations due to this bug anyway. That seems reasonable enough, so let's do it. The only alternative is just to turn it off for ever... which *still* leaves 1.0.0[ab] failing to communicate with non-OpenSSL implementations anyway. Tested against itself as well as against GnuTLS both with and without EtM. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
Showing
想要评论请 注册 或 登录