summaryrefslogtreecommitdiff
path: root/lib/algorithms/ciphersuites.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/algorithms/ciphersuites.c')
-rw-r--r--lib/algorithms/ciphersuites.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index 02023ce2a9..ac1fdf9f41 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -1405,6 +1405,14 @@ const char *gnutls_cipher_suite_info(size_t idx,
continue; \
}
+#define CIPHER_CHECK(algo) \
+ if (session->internals.priorities->force_etm && !have_etm) { \
+ const cipher_entry_st *_cipher; \
+ _cipher = cipher_to_entry(algo); \
+ if (_cipher == NULL || _gnutls_cipher_type(_cipher) == CIPHER_BLOCK) \
+ continue; \
+ }
+
#define KX_SRP_CHECKS(kx, action) \
if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS) { \
if (!_gnutls_get_cred(session, GNUTLS_CRD_SRP)) { \
@@ -1450,11 +1458,20 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
gnutls_credentials_type_t cred_type = GNUTLS_CRD_CERTIFICATE; /* default for TLS1.3 */
unsigned int no_cert_found = 0;
const gnutls_group_entry_st *sgroup = NULL;
+ gnutls_ext_priv_data_t epriv;
+ unsigned have_etm = 0;
if (version == NULL) {
return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
}
+ /* we figure whether etm is negotiated by checking the raw extension data
+ * because we only set (security_params) EtM to true only after the ciphersuite is
+ * negotiated. */
+ ret = _gnutls_hello_ext_get_priv(session, GNUTLS_EXTENSION_ETM, &epriv);
+ if (ret >= 0 && ((intptr_t)epriv) != 0)
+ have_etm = 1;
+
/* If we didn't receive the supported_groups extension, then
* we should assume that SECP256R1 is supported; that is required
* by RFC4492, probably to allow SSLv2 hellos negotiate elliptic curve
@@ -1474,6 +1491,8 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
kx = peer_clist->entry[i]->kx_algorithm;
+ CIPHER_CHECK(peer_clist->entry[i]->block_algorithm);
+
if (!version->tls13_sem)
cred_type = _gnutls_map_kx_get_cred(kx, 1);
@@ -1510,6 +1529,8 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
for (j = 0; j < session->internals.priorities->cs.size; j++) {
VERSION_CHECK(session->internals.priorities->cs.entry[j]);
+ CIPHER_CHECK(session->internals.priorities->cs.entry[j]->block_algorithm);
+
for (i = 0; i < peer_clist->size; i++) {
_gnutls_debug_log("checking %.2x.%.2x (%s) for compatibility\n",
(unsigned)peer_clist->entry[i]->id[0],
View Lorry Controller Status