commit b575b54cb9fc211b5fc03bff36d62fa138ca9d98
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri Oct 24 15:12:31 2014 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Nov 05 16:00:50 2014 +0100
tree 887e3efefdc52a2cf670e5376e022a6183af114c
parent dd4592774b9f40e8068f5620ca4a801840307e00

Forbid extended master secret with SSLv3

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d7b16b8..c40d62e 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -365,7 +365,8 @@
 {
     unsigned char *p = buf;
 
-    if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED )
+    if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+        ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
     {
         *olen = 0;
         return;
@@ -816,6 +817,7 @@
                                          size_t len )
 {
     if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == SSL_MINOR_VERSION_0 ||
         len != 0 )
     {
         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index f65338e..ad67c22 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -648,8 +648,11 @@
 
     ((void) buf);
 
-    if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED )
+    if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED &&
+        ssl->minor_ver != SSL_MINOR_VERSION_0 )
+    {
         ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
+    }
 
     return( 0 );
 }
@@ -1686,7 +1689,8 @@
 {
     unsigned char *p = buf;
 
-    if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED )
+    if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == SSL_MINOR_VERSION_0 )
     {
         *olen = 0;
         return;

tests/ssl-opt.sh

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index eeac11b..38bc89b 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -475,6 +475,28 @@
             -C "using extended master secret" \
             -S "using extended master secret"
 
+run_test    "Extended Master Secret: client SSLv3, server enabled" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3 force_version=ssl3" \
+            0 \
+            -C "client hello, adding extended_master_secret extension" \
+            -S "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
+run_test    "Extended Master Secret: client enabled, server SSLv3" \
+            "$P_SRV debug_level=3 force_version=ssl3" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -c "client hello, adding extended_master_secret extension" \
+            -s "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
 # Tests for FALLBACK_SCSV
 
 run_test    "Fallback SCSV: default" \