Check for the enforcing and fail handshake if the peer doesn't support

2025-02-03 00:10:58 +00:00 · 2019-06-10 15:05:33 +03:00 · 2019-06-10 15:05:33 +03:00 · 842be16800
parent d9382f85e7
commit 842be16800
3 changed files with 31 additions and 1 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -2090,6 +2090,21 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
    }
 #endif /* MBEDTLS_SSL_RENEGOTIATION */

+    /*
+     * Check if extended master secret is being enforced
+     */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+        ssl->conf->enforce_extended_master_secret ==
+        MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+        ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
+                                    "secret, while it is enforced") );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
    if( handshake_failure == 1 )
    {
        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -2024,6 +2024,21 @@ read_record_header:
    }
 #endif /* MBEDTLS_SSL_RENEGOTIATION */

+    /*
+     * Check if extended master secret is being enforced
+     */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+        ssl->conf->enforce_extended_master_secret ==
+        MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+        ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
+                                    "secret, while it is enforced") );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
    if( handshake_failure == 1 )
    {
        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -8343,7 +8343,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
 }

 void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
-                                                        char ems_enf );
+                                                        char ems_enf )
 {
    conf->enforce_extended_master_secret = ems_enf;
 }