From 7a5e2bec753ea6bd49aa020b3d658e95a7c91006 Mon Sep 17 00:00:00 2001
From: Jarno Lamsa <jarno.lamsa@arm.com>
Date: Mon, 10 Jun 2019 10:13:03 +0300
Subject: [PATCH] Create a new flag for enforcing the extended master secret

If the flag is enabled, drop the connection if peer doesn't support
extended master secret extension.
---
 include/mbedtls/ssl.h | 18 ++++++++++++++++++
 library/ssl_tls.c     |  6 ++++++
 2 files changed, 24 insertions(+)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 7f073afba..a3a5d4f55 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1031,6 +1031,9 @@ struct mbedtls_ssl_config
 #endif
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
     unsigned int extended_ms : 1;   /*!< negotiate extended master secret?  */
+    unsigned int enforce_extended_master_secret : 1; /*!< enforce the usage
+                                                      *   of extended master
+                                                      *   secret            */
 #endif
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
     unsigned int anti_replay : 1;   /*!< detect and prevent replay?         */
@@ -2820,6 +2823,21 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
  * \param ems       MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
  */
 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
+
+/**
+ * \brief           Enable or disable Extended Master Secret enforcing.
+ *                  (Default: MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED)
+ *
+ * \note            This enforces the peer to use the Extended Master Secret
+ *                  extension, if the option is enabled and the peer doesn't
+ *                  support the extension, the connection is dropped.
+ *
+ * \param conf      SSL configuration
+ * \param ems_enf   MBEDTLS_SSL_EXTENDED_MS_ENFROCE_ENABLED or
+ *                  MBEDTLS_SSL_EXTENDED_MS_DISABLED
+ */
+void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
+                                                        char ems_enf);
 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
 
 #if defined(MBEDTLS_ARC4_C)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b61453fe5..8cf9a497e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8341,6 +8341,12 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
 {
     conf->extended_ms = ems;
 }
+
+void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
+                                                        char ems_enf);
+{
+    conf->enforce_extended_master_secret = ems_enf;
+}
 #endif
 
 #if defined(MBEDTLS_ARC4_C)