mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-28 19:21:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Forbid extended master secret with SSLv3

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-10-24 15:12:31 +02:00
parent dd4592774b
commit b575b54cb9
3 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
library/ssl_cli.c
View File

@ -365,7 +365,8 @@ static void ssl_write_extended_ms_ext( ssl_context *ssl,
{ {
unsigned char *p = buf; unsigned char *p = buf;
if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ) if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
{ {
*olen = 0; *olen = 0;
return; return;
@ -816,6 +817,7 @@ static int ssl_parse_extended_ms_ext( ssl_context *ssl,
size_t len ) size_t len )
{ {
if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED || if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
ssl->minor_ver == SSL_MINOR_VERSION_0 ||
len != 0 ) len != 0 )
{ {
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );

8
library/ssl_srv.c
View File

@ -648,8 +648,11 @@ static int ssl_parse_extended_ms_ext( ssl_context *ssl,
((void) buf); ((void) buf);
if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED ) if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED &&
ssl->minor_ver != SSL_MINOR_VERSION_0 )
{
ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED; ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
}
return( 0 ); return( 0 );
} }
@ -1686,7 +1689,8 @@ static void ssl_write_extended_ms_ext( ssl_context *ssl,
{ {
unsigned char *p = buf; unsigned char *p = buf;
if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ) if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ||
ssl->minor_ver == SSL_MINOR_VERSION_0 )
{ {
*olen = 0; *olen = 0;
return; return;

22
tests/ssl-opt.sh
View File

@ -475,6 +475,28 @@ run_test "Extended Master Secret: client disabled, server enabled" \
-C "using extended master secret" \ -C "using extended master secret" \
-S "using extended master secret" -S "using extended master secret"
run_test "Extended Master Secret: client SSLv3, server enabled" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 force_version=ssl3" \
0 \
-C "client hello, adding extended_master_secret extension" \
-S "found extended master secret extension" \
-S "server hello, adding extended master secret extension" \
-C "found extended_master_secret extension" \
-C "using extended master secret" \
-S "using extended master secret"
run_test "Extended Master Secret: client enabled, server SSLv3" \
"$P_SRV debug_level=3 force_version=ssl3" \
"$P_CLI debug_level=3" \
0 \
-c "client hello, adding extended_master_secret extension" \
-s "found extended master secret extension" \
-S "server hello, adding extended master secret extension" \
-C "found extended_master_secret extension" \
-C "using extended master secret" \
-S "using extended master secret"
# Tests for FALLBACK_SCSV # Tests for FALLBACK_SCSV
run_test "Fallback SCSV: default" \ run_test "Fallback SCSV: default" \