Check for the enforcing and fail handshake if the peer doesn't support
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index be80de7..64870b1 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2090,6 +2090,21 @@
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
+ /*
+ * Check if extended master secret is being enforced
+ */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+ ssl->conf->enforce_extended_master_secret ==
+ MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+ ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
+ "secret, while it is enforced") );
+ handshake_failure = 1;
+ }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
if( handshake_failure == 1 )
{
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index c152bc3..0c65d85 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2024,6 +2024,21 @@
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
+ /*
+ * Check if extended master secret is being enforced
+ */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+ ssl->conf->enforce_extended_master_secret ==
+ MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+ ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
+ "secret, while it is enforced") );
+ handshake_failure = 1;
+ }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
if( handshake_failure == 1 )
{
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ca9131a..27e55d9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8343,7 +8343,7 @@
}
void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
- char ems_enf );
+ char ems_enf )
{
conf->enforce_extended_master_secret = ems_enf;
}