Add negotiation of Extended Master Secret

(But not the actual thing yet.)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 875709c..7b5ec8e 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -209,6 +209,9 @@
 #define SSL_IS_NOT_FALLBACK             0
 #define SSL_IS_FALLBACK                 1
 
+#define SSL_EXTENDED_MS_DISABLED        0
+#define SSL_EXTENDED_MS_ENABLED         1
+
 #define SSL_COMPRESS_NULL               0
 #define SSL_COMPRESS_DEFLATE            1
 
@@ -406,6 +409,8 @@
 
 #define TLS_EXT_ALPN                        16
 
+#define TLS_EXT_EXTENDED_MASTER_SECRET  0x0017 /* 23 */
+
 #define TLS_EXT_SESSION_TICKET              35
 
 #define TLS_EXT_RENEGOTIATION_INFO      0xFF01
@@ -657,6 +662,9 @@
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
     int new_session_ticket;             /*!< use NewSessionTicket?    */
 #endif /* POLARSSL_SSL_SESSION_TICKETS */
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    int extended_ms;                    /*!< use Extended Master Secret? */
+#endif
 };
 
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
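Review bot: The two new `extended_ms` fields are documented almost identically although they appear to hold different things: this one (`int`, next to `new_session_ticket`, in a struct that starts outside the hunk) looks like the per-handshake negotiation result, while the `char extended_ms` added in the next hunk looks like the configured preference set through `ssl_set_extended_master_secret()`. I would make the comments say so, e.g. `/*!< Extended Master Secret negotiated for this handshake? */` here and `/*!< offer/accept Extended Master Secret? (SSL_EXTENDED_MS_*) */` there, and close both blocks with `#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */` like the session-ticket block above. If this struct is discarded once the handshake completes, the follow-up that implements the derivation will presumably also need the negotiated value stored with the session, since resumption has to know whether the original session used the extension.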
@@ -705,6 +713,9 @@
 #if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
     char fallback;              /*!< flag for fallback connections    */
 #endif
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    char extended_ms;           /*!< flag for extended master secret  */
+#endif
 
     /*
      * Callbacks (RNG, debug, I/O, verification)
@@ -1414,6 +1425,21 @@
 void ssl_set_fallback( ssl_context *ssl, char fallback );
 #endif /* POLARSSL_SSL_FALLBACK_SCSV && POLARSSL_SSL_CLI_C */
 
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+/**
+ * \brief           Enable or disable Extended Master Secret negotiation.
+ *                  (Default: SSL_EXTENDED_MS_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security fix to the
+ *                  protocol, and should not cause any interoperability issue
+ *                  (used only if the peer supports it too).
+ *
+ * \param ssl       SSL context
+ * \param ems       SSL_EXTENDED_MS_ENABLED or SSL_EXTENDED_MS_DISABLED
+ */
+void ssl_set_extended_master_secret( ssl_context *ssl, char ems );
+#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 /**
  * \brief          Set the maximum fragment length to emit and/or negotiate
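Review bot: The `\note` on `ssl_set_extended_master_secret()` should state that enabling is opportunistic: "used only if the peer supports it too" means a handshake with a peer that lacks the extension continues with the legacy master secret, and nothing in the hunks shown lets an application require the extension or query whether it was negotiated. I would add a sentence such as `\note Enabling only offers the extension; a connection to a peer that does not support it is still established without this protection.` and fix the comma splice in the existing note ("enabled: it is a security fix"). Separately, the doc gives the default as SSL_EXTENDED_MS_ENABLED while the commit message says the derivation itself is not implemented yet. If the client and server code in this commit already send the extension, a build with POLARSSL_SSL_EXTENDED_MASTER_SECRET defined would presumably fail the handshake against peers that implement it, so the option may need to stay off until the follow-up lands.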