Forbid extended master secret with SSLv3
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d7b16b8..c40d62e 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -365,7 +365,8 @@
{
unsigned char *p = buf;
- if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED )
+ if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+ ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;
@@ -816,6 +817,7 @@
size_t len )
{
if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+ ssl->minor_ver == SSL_MINOR_VERSION_0 ||
len != 0 )
{
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index f65338e..ad67c22 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -648,8 +648,11 @@
((void) buf);
- if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED )
+ if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED &&
+ ssl->minor_ver != SSL_MINOR_VERSION_0 )
+ {
ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
+ }
return( 0 );
}
@@ -1686,7 +1689,8 @@
{
unsigned char *p = buf;
- if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED )
+ if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+ ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;