Changes according to review comments
This commit is contained in:
Jarno Lamsa
parent
41b359114d
commit
20095afc58
4 changed files with 53 additions and 15 deletions
|
|
@ -2831,16 +2831,21 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
|
||||||
* \brief Enable or disable Extended Master Secret enforcing.
|
* \brief Enable or disable Extended Master Secret enforcing.
|
||||||
* (Default: MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED)
|
* (Default: MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED)
|
||||||
*
|
*
|
||||||
* \note This enforces the peer to use the Extended Master Secret
|
* \note If the use of extended master secret is configured (see
|
||||||
* extension, if the option is enabled and the peer doesn't
|
* `mbedtls_ssl_conf_extended_master_secret()`) and this
|
||||||
* support the extension, the connection is dropped.
|
* option is set, handshakes not leading to the use of the
|
||||||
|
* extended master secret will be aborted: On the server, fail
|
||||||
|
* the handshake if the client doesn't advertise the
|
||||||
|
* ExtendedMasterSecret extension. On the client: Fail the
|
||||||
|
* handshake if the server doesn't consent to the use of the
|
||||||
|
* ExtendedMasterSecret extension in its ServerHello.
|
||||||
*
|
*
|
||||||
* \param conf SSL configuration
|
* \param conf Currently used SSL configuration struct.
|
||||||
* \param ems_enf MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED or
|
* \param ems_enf MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED or
|
||||||
* MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
|
* MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
|
||||||
*/
|
*/
|
||||||
void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
|
void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
|
||||||
char ems_enf );
|
char ems_enf );
|
||||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
|
||||||
#if defined(MBEDTLS_ARC4_C)
|
#if defined(MBEDTLS_ARC4_C)
|
||||||
|
|
|
||||||
|
|
@ -2097,7 +2097,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||||
ssl->conf->enforce_extended_master_secret ==
|
ssl->conf->enforce_extended_master_secret ==
|
||||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
||||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
|
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||||
"secret, while it is enforced") );
|
"secret, while it is enforced") );
|
||||||
|
|
|
||||||
|
|
@ -2031,7 +2031,7 @@ read_record_header:
|
||||||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||||
ssl->conf->enforce_extended_master_secret ==
|
ssl->conf->enforce_extended_master_secret ==
|
||||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
||||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
|
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||||
"secret, while it is enforced") );
|
"secret, while it is enforced") );
|
||||||
|
|
|
||||||
|
|
@ -1763,7 +1763,7 @@ run_test "Encrypt then MAC: client enabled, server SSLv3" \
|
||||||
|
|
||||||
# Tests for Extended Master Secret extension
|
# Tests for Extended Master Secret extension
|
||||||
|
|
||||||
run_test "Extended Master Secret enforced: default" \
|
run_test "Extended Master Secret: default (both enabled, both enforcing)" \
|
||||||
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
||||||
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
||||||
0 \
|
0 \
|
||||||
|
|
@ -1774,8 +1774,30 @@ run_test "Extended Master Secret enforced: default" \
|
||||||
-c "session hash for extended master secret" \
|
-c "session hash for extended master secret" \
|
||||||
-s "session hash for extended master secret"
|
-s "session hash for extended master secret"
|
||||||
|
|
||||||
run_test "Extended Master Secret enforced: client enabled, server disabled" \
|
run_test "Extended Master Secret: both enabled, client enforcing" \
|
||||||
"$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=1" \
|
"$P_SRV debug_level=3 enforce_extended_master_secret=0" \
|
||||||
|
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
||||||
|
0 \
|
||||||
|
-c "client hello, adding extended_master_secret extension" \
|
||||||
|
-s "found extended master secret extension" \
|
||||||
|
-s "server hello, adding extended master secret extension" \
|
||||||
|
-c "found extended_master_secret extension" \
|
||||||
|
-c "session hash for extended master secret" \
|
||||||
|
-s "session hash for extended master secret"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret: both enabled, server enforcing" \
|
||||||
|
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
||||||
|
"$P_CLI debug_level=3 enforce_extended_master_secret=0" \
|
||||||
|
0 \
|
||||||
|
-c "client hello, adding extended_master_secret extension" \
|
||||||
|
-s "found extended master secret extension" \
|
||||||
|
-s "server hello, adding extended master secret extension" \
|
||||||
|
-c "found extended_master_secret extension" \
|
||||||
|
-c "session hash for extended master secret" \
|
||||||
|
-s "session hash for extended master secret"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
|
||||||
|
"$P_SRV debug_level=3 extended_ms=0" \
|
||||||
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||||
1 \
|
1 \
|
||||||
-c "client hello, adding extended_master_secret extension" \
|
-c "client hello, adding extended_master_secret extension" \
|
||||||
|
|
@ -1784,9 +1806,9 @@ run_test "Extended Master Secret enforced: client enabled, server disabled" \
|
||||||
-C "found extended_master_secret extension" \
|
-C "found extended_master_secret extension" \
|
||||||
-c "Peer not offering extended master secret, while it is enforced"
|
-c "Peer not offering extended master secret, while it is enforced"
|
||||||
|
|
||||||
run_test "Extended Master Secret enforced: client disabled, server enabled" \
|
run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
|
||||||
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||||
"$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=1" \
|
"$P_CLI debug_level=3 extended_ms=0" \
|
||||||
1 \
|
1 \
|
||||||
-C "client hello, adding extended_master_secret extension" \
|
-C "client hello, adding extended_master_secret extension" \
|
||||||
-S "found extended master secret extension" \
|
-S "found extended master secret extension" \
|
||||||
|
|
@ -1794,7 +1816,7 @@ run_test "Extended Master Secret enforced: client disabled, server enabled" \
|
||||||
-C "found extended_master_secret extension" \
|
-C "found extended_master_secret extension" \
|
||||||
-s "Peer not offering extended master secret, while it is enforced"
|
-s "Peer not offering extended master secret, while it is enforced"
|
||||||
|
|
||||||
run_test "Extended Master Secret not enforced: default" \
|
run_test "Extended Master Secret: default (not enforcing)" \
|
||||||
"$P_SRV debug_level=3" \
|
"$P_SRV debug_level=3" \
|
||||||
"$P_CLI debug_level=3" \
|
"$P_CLI debug_level=3" \
|
||||||
0 \
|
0 \
|
||||||
|
|
@ -1805,7 +1827,7 @@ run_test "Extended Master Secret not enforced: default" \
|
||||||
-c "session hash for extended master secret" \
|
-c "session hash for extended master secret" \
|
||||||
-s "session hash for extended master secret"
|
-s "session hash for extended master secret"
|
||||||
|
|
||||||
run_test "Extended Master Secret not enforced: client enabled, server disabled" \
|
run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
|
||||||
"$P_SRV debug_level=3 extended_ms=0" \
|
"$P_SRV debug_level=3 extended_ms=0" \
|
||||||
"$P_CLI debug_level=3 extended_ms=1" \
|
"$P_CLI debug_level=3 extended_ms=1" \
|
||||||
0 \
|
0 \
|
||||||
|
|
@ -1816,7 +1838,7 @@ run_test "Extended Master Secret not enforced: client enabled, server disable
|
||||||
-C "session hash for extended master secret" \
|
-C "session hash for extended master secret" \
|
||||||
-S "session hash for extended master secret"
|
-S "session hash for extended master secret"
|
||||||
|
|
||||||
run_test "Extended Master Secret not enforced: client disabled, server enabled" \
|
run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
|
||||||
"$P_SRV debug_level=3 extended_ms=1" \
|
"$P_SRV debug_level=3 extended_ms=1" \
|
||||||
"$P_CLI debug_level=3 extended_ms=0" \
|
"$P_CLI debug_level=3 extended_ms=0" \
|
||||||
0 \
|
0 \
|
||||||
|
|
@ -1827,6 +1849,17 @@ run_test "Extended Master Secret not enforced: client disabled, server enable
|
||||||
-C "session hash for extended master secret" \
|
-C "session hash for extended master secret" \
|
||||||
-S "session hash for extended master secret"
|
-S "session hash for extended master secret"
|
||||||
|
|
||||||
|
run_test "Extended Master Secret: client disabled, server disabled" \
|
||||||
|
"$P_SRV debug_level=3 extended_ms=0" \
|
||||||
|
"$P_CLI debug_level=3 extended_ms=0" \
|
||||||
|
0 \
|
||||||
|
-C "client hello, adding extended_master_secret extension" \
|
||||||
|
-S "found extended master secret extension" \
|
||||||
|
-S "server hello, adding extended master secret extension" \
|
||||||
|
-C "found extended_master_secret extension" \
|
||||||
|
-C "session hash for extended master secret" \
|
||||||
|
-S "session hash for extended master secret"
|
||||||
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
||||||
run_test "Extended Master Secret: client SSLv3, server enabled" \
|
run_test "Extended Master Secret: client SSLv3, server enabled" \
|
||||||
"$P_SRV debug_level=3 min_version=ssl3" \
|
"$P_SRV debug_level=3 min_version=ssl3" \
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue