Check for the enforcing and fail handshake if the peer doesn't support

commit: 842be1680097c23429c3c307b782c79fa18aa654 [log] [tgz]
author: Jarno Lamsa <jarno.lamsa@arm.com> Mon Jun 10 15:05:33 2019 +0300
committer: Jarno Lamsa <jarno.lamsa@arm.com> Mon Jun 10 15:05:33 2019 +0300
tree: 563b79d7d8a2d6f56553b2b5efdc0a6e07ac88c9
parent: d9382f85e7b8f5d518a4ad713045f2891b705280 [diff] [blame]
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index c152bc3..0c65d85 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -2024,6 +2024,21 @@
     }
 #endif /* MBEDTLS_SSL_RENEGOTIATION */
 
+    /*
+     * Check if extended master secret is being enforced
+     */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+        ssl->conf->enforce_extended_master_secret ==
+        MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+        ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
+                                    "secret, while it is enforced") );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
     if( handshake_failure == 1 )
     {
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
commit	842be1680097c23429c3c307b782c79fa18aa654	[log] [tgz]
author	Jarno Lamsa <jarno.lamsa@arm.com>	Mon Jun 10 15:05:33 2019 +0300
committer	Jarno Lamsa <jarno.lamsa@arm.com>	Mon Jun 10 15:05:33 2019 +0300
tree	563b79d7d8a2d6f56553b2b5efdc0a6e07ac88c9
parent	d9382f85e7b8f5d518a4ad713045f2891b705280 [diff] [blame]