Changes according to review comments
parent
41b359114d
commit
20095afc58
|
@ -2831,16 +2831,21 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
|
|||
* \brief Enable or disable Extended Master Secret enforcing.
|
||||
* (Default: MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED)
|
||||
*
|
||||
* \note This enforces the peer to use the Extended Master Secret
|
||||
* extension, if the option is enabled and the peer doesn't
|
||||
* support the extension, the connection is dropped.
|
||||
* \note If the use of extended master secret is configured (see
|
||||
* `mbedtls_ssl_conf_extended_master_secret()`) and this
|
||||
* option is set, handshakes not leading to the use of the
|
||||
* extended master secret will be aborted: On the server, fail
|
||||
* the handshake if the client doesn't advertise the
|
||||
* ExtendedMasterSecret extension. On the client: Fail the
|
||||
* handshake if the server doesn't consent to the use of the
|
||||
* ExtendedMasterSecret extension in its ServerHello.
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param conf Currently used SSL configuration struct.
|
||||
* \param ems_enf MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED or
|
||||
* MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
|
||||
*/
|
||||
void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
|
||||
char ems_enf );
|
||||
char ems_enf );
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
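Review bot: The rewritten \note for mbedtls_ssl_conf_extended_master_secret_enforce() leaves implicit what happens when enforcement is enabled but the extension is disabled in the same configuration. The checks shown in the ssl_parse_server_hello and read_record_header hunks only fire when `ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED`, so in that configuration the option appears to have no effect and a handshake without extended master secret would be accepted. I would state this outright, e.g. `\note This option has no effect if the extension has been disabled with mbedtls_ssl_conf_extended_master_secret().`, so a caller using it as a downgrade guard does not assume protection it is not getting. The comment could also say how the abort is reported to the caller; the error code is not visible in these hunks.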
|
||||
|
|
|
@ -2097,7 +2097,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||
ssl->conf->enforce_extended_master_secret ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
|
||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||
"secret, while it is enforced") );
|
||||
|
|
|
@ -2031,7 +2031,7 @@ read_record_header:
|
|||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||
ssl->conf->enforce_extended_master_secret ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
|
||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||
"secret, while it is enforced") );
|
||||
|
|
|
@ -1763,7 +1763,7 @@ run_test "Encrypt then MAC: client enabled, server SSLv3" \
|
|||
|
||||
# Tests for Extended Master Secret extension
|
||||
|
||||
run_test "Extended Master Secret enforced: default" \
|
||||
run_test "Extended Master Secret: default (both enabled, both enforcing)" \
|
||||
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
||||
0 \
|
||||
|
@ -1774,8 +1774,30 @@ run_test "Extended Master Secret enforced: default" \
|
|||
-c "session hash for extended master secret" \
|
||||
-s "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret enforced: client enabled, server disabled" \
|
||||
"$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=1" \
|
||||
run_test "Extended Master Secret: both enabled, client enforcing" \
|
||||
"$P_SRV debug_level=3 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
||||
0 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
-s "found extended master secret extension" \
|
||||
-s "server hello, adding extended master secret extension" \
|
||||
-c "found extended_master_secret extension" \
|
||||
-c "session hash for extended master secret" \
|
||||
-s "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: both enabled, server enforcing" \
|
||||
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 enforce_extended_master_secret=0" \
|
||||
0 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
-s "found extended master secret extension" \
|
||||
-s "server hello, adding extended master secret extension" \
|
||||
-c "found extended_master_secret extension" \
|
||||
-c "session hash for extended master secret" \
|
||||
-s "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
|
||||
"$P_SRV debug_level=3 extended_ms=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||
1 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
|
@ -1784,9 +1806,9 @@ run_test "Extended Master Secret enforced: client enabled, server disabled" \
|
|||
-C "found extended_master_secret extension" \
|
||||
-c "Peer not offering extended master secret, while it is enforced"
|
||||
|
||||
run_test "Extended Master Secret enforced: client disabled, server enabled" \
|
||||
run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
|
||||
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 extended_ms=0" \
|
||||
1 \
|
||||
-C "client hello, adding extended_master_secret extension" \
|
||||
-S "found extended master secret extension" \
|
||||
|
@ -1794,7 +1816,7 @@ run_test "Extended Master Secret enforced: client disabled, server enabled" \
|
|||
-C "found extended_master_secret extension" \
|
||||
-s "Peer not offering extended master secret, while it is enforced"
|
||||
|
||||
run_test "Extended Master Secret not enforced: default" \
|
||||
run_test "Extended Master Secret: default (not enforcing)" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI debug_level=3" \
|
||||
0 \
|
||||
|
@ -1805,7 +1827,7 @@ run_test "Extended Master Secret not enforced: default" \
|
|||
-c "session hash for extended master secret" \
|
||||
-s "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret not enforced: client enabled, server disabled" \
|
||||
run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
|
||||
"$P_SRV debug_level=3 extended_ms=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=1" \
|
||||
0 \
|
||||
|
@ -1816,7 +1838,7 @@ run_test "Extended Master Secret not enforced: client enabled, server disable
|
|||
-C "session hash for extended master secret" \
|
||||
-S "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret not enforced: client disabled, server enabled" \
|
||||
run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
|
||||
"$P_SRV debug_level=3 extended_ms=1" \
|
||||
"$P_CLI debug_level=3 extended_ms=0" \
|
||||
0 \
|
||||
|
@ -1827,6 +1849,17 @@ run_test "Extended Master Secret not enforced: client disabled, server enable
|
|||
-C "session hash for extended master secret" \
|
||||
-S "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: client disabled, server disabled" \
|
||||
"$P_SRV debug_level=3 extended_ms=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=0" \
|
||||
0 \
|
||||
-C "client hello, adding extended_master_secret extension" \
|
||||
-S "found extended master secret extension" \
|
||||
-S "server hello, adding extended master secret extension" \
|
||||
-C "found extended_master_secret extension" \
|
||||
-C "session hash for extended master secret" \
|
||||
-S "session hash for extended master secret"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
||||
run_test "Extended Master Secret: client SSLv3, server enabled" \
|
||||
"$P_SRV debug_level=3 min_version=ssl3" \
|
||||
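Review bot: No case in this section covers an endpoint that sets `enforce_extended_master_secret=1` while its own `extended_ms=0`; the two lines that combined them (`$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=1` and `$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=1`) appear to be the ones this commit replaces, although the +/- markers are lost on this page. The enforcement checks in the C hunks are gated on `ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED`, so that configuration would presumably complete the handshake without the extension, and a test should pin whichever outcome is intended. Two naming points: the case titled `default (both enabled, both enforcing)` passes `enforce_extended_master_secret=1` although the header documents the default as MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED, and `Extended Master Secret enforced: client disabled, server enabled, server enforcing` keeps the `enforced:` prefix that the other renamed cases drop.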
|
|