|
|
9f6ef3 |
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
|
|
|
9f6ef3 |
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
|
|
|
9f6ef3 |
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
|
|
|
9f6ef3 |
@@ -292,6 +292,9 @@ extern "C" {
|
|
|
9f6ef3 |
|
|
|
9f6ef3 |
# define TLS1_FLAGS_STATELESS 0x0800
|
|
|
9f6ef3 |
|
|
|
9f6ef3 |
+/* Set if extended master secret extension required on renegotiation */
|
|
|
9f6ef3 |
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
|
|
|
9f6ef3 |
+
|
|
|
9f6ef3 |
# define SSL3_MT_HELLO_REQUEST 0
|
|
|
9f6ef3 |
# define SSL3_MT_CLIENT_HELLO 1
|
|
|
9f6ef3 |
# define SSL3_MT_SERVER_HELLO 2
|
|
|
9f6ef3 |
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
|
|
|
9f6ef3 |
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
|
|
|
9f6ef3 |
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
|
|
|
9f6ef3 |
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
|
|
|
9f6ef3 |
|
|
|
9f6ef3 |
static int init_ems(SSL *s, unsigned int context)
|
|
|
9f6ef3 |
{
|
|
|
9f6ef3 |
- if (!s->server)
|
|
|
9f6ef3 |
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
|
|
|
9f6ef3 |
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
|
|
|
9f6ef3 |
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
|
|
|
9f6ef3 |
+ }
|
|
|
9f6ef3 |
|
|
|
9f6ef3 |
return 1;
|
|
|
9f6ef3 |
}
|
|
|
9f6ef3 |
|
|
|
9f6ef3 |
static int final_ems(SSL *s, unsigned int context, int sent)
|
|
|
9f6ef3 |
{
|
|
|
9f6ef3 |
+ /*
|
|
|
9f6ef3 |
+ * Check extended master secret extension is not dropped on
|
|
|
9f6ef3 |
+ * renegotiation.
|
|
|
9f6ef3 |
+ */
|
|
|
9f6ef3 |
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
|
|
|
9f6ef3 |
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
|
|
|
9f6ef3 |
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
|
|
|
9f6ef3 |
+ SSL_R_INCONSISTENT_EXTMS);
|
|
|
9f6ef3 |
+ return 0;
|
|
|
9f6ef3 |
+ }
|
|
|
9f6ef3 |
if (!s->server && s->hit) {
|
|
|
9f6ef3 |
/*
|
|
|
9f6ef3 |
* Check extended master secret extension is consistent with
|