mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 18:15:35 +00:00
Merge remote-tracking branch 'origin/pr/590' into baremetal
This commit is contained in:
commit
c725e4b34e
|
@ -28,6 +28,14 @@ Features
|
||||||
which allows copy-less parsing of DER encoded X.509 CRTs,
|
which allows copy-less parsing of DER encoded X.509 CRTs,
|
||||||
at the cost of additional lifetime constraints on the input
|
at the cost of additional lifetime constraints on the input
|
||||||
buffer, but at the benefit of reduced RAM consumption.
|
buffer, but at the benefit of reduced RAM consumption.
|
||||||
|
* Add new API function mbedtls_ssl_conf_extended_master_secret_enforce() to
|
||||||
|
allow enforcing the usage of ExtendedMasterSecret extension. If the
|
||||||
|
extension is used and this option is enabled, handshakes not leading to
|
||||||
|
the use of the extended master secret will be aborted. On the server,
|
||||||
|
fail the handshake if client doesn't advertise the ExtendedMasterSecret
|
||||||
|
extension. On the client, fail the handshake if the server doesn't
|
||||||
|
consent to the use of the ExtendedMasterSecret extension in its
|
||||||
|
ServerHello.
|
||||||
|
|
||||||
API Changes
|
API Changes
|
||||||
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
|
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
|
||||||
|
|
|
@ -158,6 +158,9 @@
|
||||||
#define MBEDTLS_SSL_EXTENDED_MS_DISABLED 0
|
#define MBEDTLS_SSL_EXTENDED_MS_DISABLED 0
|
||||||
#define MBEDTLS_SSL_EXTENDED_MS_ENABLED 1
|
#define MBEDTLS_SSL_EXTENDED_MS_ENABLED 1
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED 0
|
||||||
|
#define MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED 1
|
||||||
|
|
||||||
#define MBEDTLS_SSL_CID_DISABLED 0
|
#define MBEDTLS_SSL_CID_DISABLED 0
|
||||||
#define MBEDTLS_SSL_CID_ENABLED 1
|
#define MBEDTLS_SSL_CID_ENABLED 1
|
||||||
|
|
||||||
|
@ -1031,6 +1034,9 @@ struct mbedtls_ssl_config
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
unsigned int extended_ms : 1; /*!< negotiate extended master secret? */
|
unsigned int extended_ms : 1; /*!< negotiate extended master secret? */
|
||||||
|
unsigned int enforce_extended_master_secret : 1; /*!< enforce the usage
|
||||||
|
* of extended master
|
||||||
|
* secret */
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
|
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
|
||||||
unsigned int anti_replay : 1; /*!< detect and prevent replay? */
|
unsigned int anti_replay : 1; /*!< detect and prevent replay? */
|
||||||
|
@ -2821,6 +2827,26 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
|
||||||
* \param ems MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
|
* \param ems MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
|
||||||
*/
|
*/
|
||||||
void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
|
void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Enable or disable Extended Master Secret enforcing.
|
||||||
|
* (Default: MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED)
|
||||||
|
*
|
||||||
|
* \note If the use of extended master secret is configured (see
|
||||||
|
* `mbedtls_ssl_conf_extended_master_secret()`) and this
|
||||||
|
* option is set, handshakes not leading to the use of the
|
||||||
|
* extended master secret will be aborted: On the server, fail
|
||||||
|
* the handshake if the client doesn't advertise the
|
||||||
|
* ExtendedMasterSecret extension. On the client: Fail the
|
||||||
|
* handshake if the server doesn't consent to the use of the
|
||||||
|
* ExtendedMasterSecret extension in its ServerHello.
|
||||||
|
*
|
||||||
|
* \param conf Currently used SSL configuration struct.
|
||||||
|
* \param ems_enf MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED or
|
||||||
|
* MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
|
||||||
|
char ems_enf );
|
||||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
|
||||||
#if defined(MBEDTLS_ARC4_C)
|
#if defined(MBEDTLS_ARC4_C)
|
||||||
|
|
|
@ -2085,6 +2085,21 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check if extended master secret is being enforced
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
|
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||||
|
ssl->conf->enforce_extended_master_secret ==
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
||||||
|
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||||
|
"secret, while it is enforced") );
|
||||||
|
handshake_failure = 1;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
|
||||||
if( handshake_failure == 1 )
|
if( handshake_failure == 1 )
|
||||||
{
|
{
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
|
|
@ -2035,6 +2035,21 @@ read_record_header:
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check if extended master secret is being enforced
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
|
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||||
|
ssl->conf->enforce_extended_master_secret ==
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
||||||
|
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||||
|
"secret, while it is enforced") );
|
||||||
|
handshake_failure = 1;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
|
||||||
if( handshake_failure == 1 )
|
if( handshake_failure == 1 )
|
||||||
{
|
{
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
|
|
@ -8413,6 +8413,12 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
|
||||||
{
|
{
|
||||||
conf->extended_ms = ems;
|
conf->extended_ms = ems;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
|
||||||
|
char ems_enf )
|
||||||
|
{
|
||||||
|
conf->enforce_extended_master_secret = ems_enf;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_ARC4_C)
|
#if defined(MBEDTLS_ARC4_C)
|
||||||
|
@ -10375,6 +10381,8 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
||||||
|
conf->enforce_extended_master_secret =
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
|
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
|
||||||
|
|
|
@ -122,6 +122,7 @@ int main( void )
|
||||||
#define DFL_FALLBACK -1
|
#define DFL_FALLBACK -1
|
||||||
#define DFL_EXTENDED_MS -1
|
#define DFL_EXTENDED_MS -1
|
||||||
#define DFL_ETM -1
|
#define DFL_ETM -1
|
||||||
|
#define DFL_EXTENDED_MS_ENFORCE -1
|
||||||
|
|
||||||
#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
|
#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
|
||||||
#define GET_REQUEST_END "\r\n\r\n"
|
#define GET_REQUEST_END "\r\n\r\n"
|
||||||
|
@ -243,7 +244,8 @@ int main( void )
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
#define USAGE_EMS \
|
#define USAGE_EMS \
|
||||||
" extended_ms=0/1 default: (library default: on)\n"
|
" extended_ms=0/1 default: (library default: on)\n" \
|
||||||
|
" enforce_extended_master_secret=0/1 default: (library default: off)\n"
|
||||||
#else
|
#else
|
||||||
#define USAGE_EMS ""
|
#define USAGE_EMS ""
|
||||||
#endif
|
#endif
|
||||||
|
@ -410,6 +412,8 @@ struct options
|
||||||
int fallback; /* is this a fallback connection? */
|
int fallback; /* is this a fallback connection? */
|
||||||
int dgram_packing; /* allow/forbid datagram packing */
|
int dgram_packing; /* allow/forbid datagram packing */
|
||||||
int extended_ms; /* negotiate extended master secret? */
|
int extended_ms; /* negotiate extended master secret? */
|
||||||
|
int enforce_extended_master_secret; /* Enforce the usage of extended
|
||||||
|
* master secret */
|
||||||
int etm; /* negotiate encrypt then mac? */
|
int etm; /* negotiate encrypt then mac? */
|
||||||
int cid_enabled; /* whether to use the CID extension or not */
|
int cid_enabled; /* whether to use the CID extension or not */
|
||||||
int cid_enabled_renego; /* whether to use the CID extension or not
|
int cid_enabled_renego; /* whether to use the CID extension or not
|
||||||
|
@ -825,6 +829,7 @@ int main( int argc, char *argv[] )
|
||||||
opt.dtls_mtu = DFL_DTLS_MTU;
|
opt.dtls_mtu = DFL_DTLS_MTU;
|
||||||
opt.fallback = DFL_FALLBACK;
|
opt.fallback = DFL_FALLBACK;
|
||||||
opt.extended_ms = DFL_EXTENDED_MS;
|
opt.extended_ms = DFL_EXTENDED_MS;
|
||||||
|
opt.enforce_extended_master_secret = DFL_EXTENDED_MS_ENFORCE;
|
||||||
opt.etm = DFL_ETM;
|
opt.etm = DFL_ETM;
|
||||||
opt.dgram_packing = DFL_DGRAM_PACKING;
|
opt.dgram_packing = DFL_DGRAM_PACKING;
|
||||||
|
|
||||||
|
@ -1025,6 +1030,21 @@ int main( int argc, char *argv[] )
|
||||||
default: goto usage;
|
default: goto usage;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if( strcmp( p, "enforce_extended_master_secret" ) == 0 )
|
||||||
|
{
|
||||||
|
switch( atoi( q ) )
|
||||||
|
{
|
||||||
|
case 0:
|
||||||
|
opt.enforce_extended_master_secret =
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED;
|
||||||
|
break;
|
||||||
|
case 1:
|
||||||
|
opt.enforce_extended_master_secret =
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED;
|
||||||
|
break;
|
||||||
|
default: goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
else if( strcmp( p, "curves" ) == 0 )
|
else if( strcmp( p, "curves" ) == 0 )
|
||||||
opt.curves = q;
|
opt.curves = q;
|
||||||
else if( strcmp( p, "etm" ) == 0 )
|
else if( strcmp( p, "etm" ) == 0 )
|
||||||
|
@ -1638,6 +1658,9 @@ int main( int argc, char *argv[] )
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
if( opt.extended_ms != DFL_EXTENDED_MS )
|
if( opt.extended_ms != DFL_EXTENDED_MS )
|
||||||
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
|
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
|
||||||
|
if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE )
|
||||||
|
mbedtls_ssl_conf_extended_master_secret_enforce( &conf,
|
||||||
|
opt.enforce_extended_master_secret );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||||
|
|
|
@ -163,6 +163,7 @@ int main( void )
|
||||||
#define DFL_DGRAM_PACKING 1
|
#define DFL_DGRAM_PACKING 1
|
||||||
#define DFL_EXTENDED_MS -1
|
#define DFL_EXTENDED_MS -1
|
||||||
#define DFL_ETM -1
|
#define DFL_ETM -1
|
||||||
|
#define DFL_EXTENDED_MS_ENFORCE -1
|
||||||
|
|
||||||
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
||||||
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
||||||
|
@ -342,7 +343,8 @@ int main( void )
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
#define USAGE_EMS \
|
#define USAGE_EMS \
|
||||||
" extended_ms=0/1 default: (library default: on)\n"
|
" extended_ms=0/1 default: (library default: on)\n" \
|
||||||
|
" enforce_extended_master_secret=0/1 default: (library default: off)\n"
|
||||||
#else
|
#else
|
||||||
#define USAGE_EMS ""
|
#define USAGE_EMS ""
|
||||||
#endif
|
#endif
|
||||||
|
@ -525,6 +527,8 @@ struct options
|
||||||
const char *alpn_string; /* ALPN supported protocols */
|
const char *alpn_string; /* ALPN supported protocols */
|
||||||
const char *dhm_file; /* the file with the DH parameters */
|
const char *dhm_file; /* the file with the DH parameters */
|
||||||
int extended_ms; /* allow negotiation of extended MS? */
|
int extended_ms; /* allow negotiation of extended MS? */
|
||||||
|
int enforce_extended_master_secret; /* Enforce the usage of extended
|
||||||
|
* master secret */
|
||||||
int etm; /* allow negotiation of encrypt-then-MAC? */
|
int etm; /* allow negotiation of encrypt-then-MAC? */
|
||||||
int transport; /* TLS or DTLS? */
|
int transport; /* TLS or DTLS? */
|
||||||
int cookies; /* Use cookies for DTLS? -1 to break them */
|
int cookies; /* Use cookies for DTLS? -1 to break them */
|
||||||
|
@ -1494,6 +1498,7 @@ int main( int argc, char *argv[] )
|
||||||
opt.dgram_packing = DFL_DGRAM_PACKING;
|
opt.dgram_packing = DFL_DGRAM_PACKING;
|
||||||
opt.badmac_limit = DFL_BADMAC_LIMIT;
|
opt.badmac_limit = DFL_BADMAC_LIMIT;
|
||||||
opt.extended_ms = DFL_EXTENDED_MS;
|
opt.extended_ms = DFL_EXTENDED_MS;
|
||||||
|
opt.enforce_extended_master_secret = DFL_EXTENDED_MS_ENFORCE;
|
||||||
opt.etm = DFL_ETM;
|
opt.etm = DFL_ETM;
|
||||||
|
|
||||||
for( i = 1; i < argc; i++ )
|
for( i = 1; i < argc; i++ )
|
||||||
|
@ -1813,6 +1818,21 @@ int main( int argc, char *argv[] )
|
||||||
default: goto usage;
|
default: goto usage;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if( strcmp( p, "enforce_extended_master_secret" ) == 0 )
|
||||||
|
{
|
||||||
|
switch( atoi( q ) )
|
||||||
|
{
|
||||||
|
case 0:
|
||||||
|
opt.enforce_extended_master_secret =
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED;
|
||||||
|
break;
|
||||||
|
case 1:
|
||||||
|
opt.enforce_extended_master_secret =
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED;
|
||||||
|
break;
|
||||||
|
default: goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
else if( strcmp( p, "etm" ) == 0 )
|
else if( strcmp( p, "etm" ) == 0 )
|
||||||
{
|
{
|
||||||
switch( atoi( q ) )
|
switch( atoi( q ) )
|
||||||
|
@ -2440,6 +2460,9 @@ int main( int argc, char *argv[] )
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
if( opt.extended_ms != DFL_EXTENDED_MS )
|
if( opt.extended_ms != DFL_EXTENDED_MS )
|
||||||
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
|
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
|
||||||
|
if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE )
|
||||||
|
mbedtls_ssl_conf_extended_master_secret_enforce( &conf,
|
||||||
|
opt.enforce_extended_master_secret );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||||
|
|
|
@ -1763,7 +1763,7 @@ run_test "Encrypt then MAC: client enabled, server SSLv3" \
|
||||||
|
|
||||||
# Tests for Extended Master Secret extension
|
# Tests for Extended Master Secret extension
|
||||||
|
|
||||||
run_test "Extended Master Secret: default" \
|
run_test "Extended Master Secret: default (not enforcing)" \
|
||||||
"$P_SRV debug_level=3" \
|
"$P_SRV debug_level=3" \
|
||||||
"$P_CLI debug_level=3" \
|
"$P_CLI debug_level=3" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -1774,7 +1774,60 @@ run_test "Extended Master Secret: default" \
|
||||||
-c "session hash for extended master secret" \
|
-c "session hash for extended master secret" \
|
||||||
-s "session hash for extended master secret"
|
-s "session hash for extended master secret"
|
||||||
|
|
||||||
run_test "Extended Master Secret: client enabled, server disabled" \
|
run_test "Extended Master Secret: both enabled, both enforcing" \
|
||||||
|
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
||||||
|
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
||||||
|
0 \
|
||||||
|
-c "client hello, adding extended_master_secret extension" \
|
||||||
|
-s "found extended master secret extension" \
|
||||||
|
-s "server hello, adding extended master secret extension" \
|
||||||
|
-c "found extended_master_secret extension" \
|
||||||
|
-c "session hash for extended master secret" \
|
||||||
|
-s "session hash for extended master secret"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret: both enabled, client enforcing" \
|
||||||
|
"$P_SRV debug_level=3 enforce_extended_master_secret=0" \
|
||||||
|
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
||||||
|
0 \
|
||||||
|
-c "client hello, adding extended_master_secret extension" \
|
||||||
|
-s "found extended master secret extension" \
|
||||||
|
-s "server hello, adding extended master secret extension" \
|
||||||
|
-c "found extended_master_secret extension" \
|
||||||
|
-c "session hash for extended master secret" \
|
||||||
|
-s "session hash for extended master secret"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret: both enabled, server enforcing" \
|
||||||
|
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
||||||
|
"$P_CLI debug_level=3 enforce_extended_master_secret=0" \
|
||||||
|
0 \
|
||||||
|
-c "client hello, adding extended_master_secret extension" \
|
||||||
|
-s "found extended master secret extension" \
|
||||||
|
-s "server hello, adding extended master secret extension" \
|
||||||
|
-c "found extended_master_secret extension" \
|
||||||
|
-c "session hash for extended master secret" \
|
||||||
|
-s "session hash for extended master secret"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
|
||||||
|
"$P_SRV debug_level=3 extended_ms=0" \
|
||||||
|
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||||
|
1 \
|
||||||
|
-c "client hello, adding extended_master_secret extension" \
|
||||||
|
-s "found extended master secret extension" \
|
||||||
|
-S "server hello, adding extended master secret extension" \
|
||||||
|
-C "found extended_master_secret extension" \
|
||||||
|
-c "Peer not offering extended master secret, while it is enforced"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
|
||||||
|
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||||
|
"$P_CLI debug_level=3 extended_ms=0" \
|
||||||
|
1 \
|
||||||
|
-C "client hello, adding extended_master_secret extension" \
|
||||||
|
-S "found extended master secret extension" \
|
||||||
|
-S "server hello, adding extended master secret extension" \
|
||||||
|
-C "found extended_master_secret extension" \
|
||||||
|
-s "Peer not offering extended master secret, while it is enforced"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
|
||||||
"$P_SRV debug_level=3 extended_ms=0" \
|
"$P_SRV debug_level=3 extended_ms=0" \
|
||||||
"$P_CLI debug_level=3 extended_ms=1" \
|
"$P_CLI debug_level=3 extended_ms=1" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -1785,7 +1838,7 @@ run_test "Extended Master Secret: client enabled, server disabled" \
|
||||||
-C "session hash for extended master secret" \
|
-C "session hash for extended master secret" \
|
||||||
-S "session hash for extended master secret"
|
-S "session hash for extended master secret"
|
||||||
|
|
||||||
run_test "Extended Master Secret: client disabled, server enabled" \
|
run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
|
||||||
"$P_SRV debug_level=3 extended_ms=1" \
|
"$P_SRV debug_level=3 extended_ms=1" \
|
||||||
"$P_CLI debug_level=3 extended_ms=0" \
|
"$P_CLI debug_level=3 extended_ms=0" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -1796,6 +1849,17 @@ run_test "Extended Master Secret: client disabled, server enabled" \
|
||||||
-C "session hash for extended master secret" \
|
-C "session hash for extended master secret" \
|
||||||
-S "session hash for extended master secret"
|
-S "session hash for extended master secret"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret: client disabled, server disabled" \
|
||||||
|
"$P_SRV debug_level=3 extended_ms=0" \
|
||||||
|
"$P_CLI debug_level=3 extended_ms=0" \
|
||||||
|
0 \
|
||||||
|
-C "client hello, adding extended_master_secret extension" \
|
||||||
|
-S "found extended master secret extension" \
|
||||||
|
-S "server hello, adding extended master secret extension" \
|
||||||
|
-C "found extended_master_secret extension" \
|
||||||
|
-C "session hash for extended master secret" \
|
||||||
|
-S "session hash for extended master secret"
|
||||||
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
||||||
run_test "Extended Master Secret: client SSLv3, server enabled" \
|
run_test "Extended Master Secret: client SSLv3, server enabled" \
|
||||||
"$P_SRV debug_level=3 min_version=ssl3" \
|
"$P_SRV debug_level=3 min_version=ssl3" \
|
||||||
|
|
Loading…
Reference in a new issue