AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Forbid extended master secret with SSLv3

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-10-24 15:12:31 +02:00
parent dd4592774b
commit b575b54cb9
3 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
library/ssl_cli.c
View File

@ -365,7 +365,8 @@ static void ssl_write_extended_ms_ext( ssl_context *ssl,
{
unsigned char *p = buf;
if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED )
if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;
@ -816,6 +817,7 @@ static int ssl_parse_extended_ms_ext( ssl_context *ssl,
size_t len )
{
if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
ssl->minor_ver == SSL_MINOR_VERSION_0 ||
len != 0 )
{
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );

8
library/ssl_srv.c
View File

@ -648,8 +648,11 @@ static int ssl_parse_extended_ms_ext( ssl_context *ssl,
((void) buf);
if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED )
if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED &&
ssl->minor_ver != SSL_MINOR_VERSION_0 )
{
ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
}
return( 0 );
}
@ -1686,7 +1689,8 @@ static void ssl_write_extended_ms_ext( ssl_context *ssl,
{
unsigned char *p = buf;
if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED )
if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ||
ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;

22
tests/ssl-opt.sh
View File

@ -475,6 +475,28 @@ run_test "Extended Master Secret: client disabled, server enabled" \
-C "using extended master secret" \
-S "using extended master secret"
run_test "Extended Master Secret: client SSLv3, server enabled" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 force_version=ssl3" \
0 \
-C "client hello, adding extended_master_secret extension" \
-S "found extended master secret extension" \
-S "server hello, adding extended master secret extension" \
-C "found extended_master_secret extension" \
-C "using extended master secret" \
-S "using extended master secret"
run_test "Extended Master Secret: client enabled, server SSLv3" \
"$P_SRV debug_level=3 force_version=ssl3" \
"$P_CLI debug_level=3" \
0 \
-c "client hello, adding extended_master_secret extension" \
-s "found extended master secret extension" \
-S "server hello, adding extended master secret extension" \
-C "found extended_master_secret extension" \
-C "using extended master secret" \
-S "using extended master secret"
# Tests for FALLBACK_SCSV
run_test "Fallback SCSV: default" \