TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d7e2483bfc1ec07a35edf95c07458af4aa5ee0b7^2..d7e2483bfc1ec07a35edf95c07458af4aa5ee0b7 / .
commitd7e2483bfc1ec07a35edf95c07458af4aa5ee0b7[log] [tgz]
authorPaul Bakker <p.j.bakker@polarssl.org>Tue Jan 13 16:04:38 2015 +0100
committerPaul Bakker <p.j.bakker@polarssl.org>Tue Jan 13 16:04:38 2015 +0100
tree5526416e5cbf93e890d57be5217df918dd419148
parent8b9bcecaae91b64e78498557b6270efe0138072a [diff]
parentd94232389e60acdf90046a494b112edce74cc56c [diff]
Merge miscellaneous fixes into development

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 551aa1a..91041b6 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt

@@ -108,8 +108,10 @@
     )
 
   ADD_CUSTOM_TARGET(memcheck
+    COMMAND sed -i.bak s+/usr/bin/valgrind+`which valgrind`+ DartConfiguration.tcl
     COMMAND ctest -O memcheck.log -D ExperimentalMemCheck
     COMMAND tail -n1 memcheck.log | grep 'Memory checking results:' > /dev/null
     COMMAND rm -f memcheck.log
+    COMMAND mv DartConfiguration.tcl.bak DartConfiguration.tcl
     )
 endif()

diff --git a/ChangeLog b/ChangeLog
index d5134a5..aa36db2 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -1,8 +1,14 @@
 PolarSSL ChangeLog (Sorted per branch, date)
 
-= PolarSSL 1.3.z branch
+= 1.3 branch
+
+Reminder: bump SONAME for ABI change (FALLBACK_SCSV, session-hash, EtM)
 
 Security
+   * NULL pointer dereference in the buffer-based allocator when the buffer is
+     full and polarssl_free() is called (found by Jean-Philippe Aumasson)
+     (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
+     not by default).
    * Fix remotely-triggerable uninitialised pointer dereference caused by
      crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
      client certificate) (found using Codenomicon Defensics).
@@ -14,12 +20,20 @@
      (found using Codenomicon Defensics).
 
 Features
+   * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv)
+   * Add support for Extended Master Secret (draft-ietf-tls-session-hash)
+   * Add support for Encrypt-then-MAC (RFC 7366)
    * Add function pk_check_pair() to test if public and private keys match.
    * Add x509_crl_parse_der().
    * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
      length of an X.509 verification chain.
 
 Bugfix
+   * Stack buffer overflow if ctr_drbg_update() is called with too large
+     add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
+   * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
+     if memory_buffer_alloc_init() was called with buf not aligned and len not
+     a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE.
    * User set CFLAGS were ignore by Cmake with gcc (introduced in 1.3.9, found
      by Julian Ospald).
    * Fix potential undefined behaviour in Camellia.

diff --git a/include/polarssl/check_config.h b/include/polarssl/check_config.h
index 328b881..80b037e 100644
--- a/include/polarssl/check_config.h
+++ b/include/polarssl/check_config.h

@@ -257,6 +257,20 @@
 #error "Illegal protocol selection"
 #endif
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) &&   \
+    !defined(POLARSSL_SSL_PROTO_TLS1)   &&      \
+    !defined(POLARSSL_SSL_PROTO_TLS1_1) &&      \
+    !defined(POLARSSL_SSL_PROTO_TLS1_2)
+#error "POLARSSL_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites"
+#endif
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) && \
+    !defined(POLARSSL_SSL_PROTO_TLS1)   &&          \
+    !defined(POLARSSL_SSL_PROTO_TLS1_1) &&          \
+    !defined(POLARSSL_SSL_PROTO_TLS1_2)
+#error "POLARSSL_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites"
+#endif
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \
     ( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) ||            \
       !defined(POLARSSL_CIPHER_MODE_CBC) )

diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 9852aa9..c99b448 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h

@@ -823,6 +823,59 @@
  */
 //#define POLARSSL_SSL_DEBUG_ALL
 
+/** \def POLARSSL_SSL_ENCRYPT_THEN_MAC
+ *
+ * Enable support for Encrypt-then-MAC, RFC 7366.
+ *
+ * This allows peers that both support it to use a more robust protection for
+ * ciphersuites using CBC, providing deep resistance against timing attacks
+ * on the padding or underlying cipher.
+ *
+ * This only affects CBC ciphersuites, and is useless if none is defined.
+ *
+ * Requires: POLARSSL_SSL_PROTO_TLS1    or
+ *           POLARSSL_SSL_PROTO_TLS1_1  or
+ *           POLARSSL_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Encrypt-then-MAC
+ */
+#define POLARSSL_SSL_ENCRYPT_THEN_MAC
+
+/** \def POLARSSL_SSL_EXTENDED_MASTER_SECRET
+ *
+ * Enable support for Extended Master Secret, aka Session Hash
+ * (draft-ietf-tls-session-hash-02).
+ *
+ * This was introduced as "the proper fix" to the Triple Handshake familiy of
+ * attacks, but it is recommended to always use it (even if you disable
+ * renegotiation), since it actually fixes a more fundamental issue in the
+ * original SSL/TLS design, and has implications beyond Triple Handshake.
+ *
+ * Requires: POLARSSL_SSL_PROTO_TLS1    or
+ *           POLARSSL_SSL_PROTO_TLS1_1  or
+ *           POLARSSL_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Extended Master Secret.
+ */
+#define POLARSSL_SSL_EXTENDED_MASTER_SECRET
+
+/**
+ * \def POLARSSL_SSL_FALLBACK_SCSV
+ *
+ * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
+ *
+ * For servers, it is recommended to always enable this, unless you support
+ * only one version of TLS, or know for sure that none of your clients
+ * implements a fallback strategy.
+ *
+ * For clients, you only need this if you're using a fallback strategy, which
+ * is not recommended in the first place, unless you absolutely need it to
+ * interoperate with buggy (version-intolerant) servers.
+ *
+ * Comment this macro to disable support for FALLBACK_SCSV
+ */
+#define POLARSSL_SSL_FALLBACK_SCSV
+
 /**
  * \def POLARSSL_SSL_HW_RECORD_ACCEL
  *

diff --git a/include/polarssl/ctr_drbg.h b/include/polarssl/ctr_drbg.h
index bebbfe9..de696dc 100644
--- a/include/polarssl/ctr_drbg.h
+++ b/include/polarssl/ctr_drbg.h

@@ -188,6 +188,10 @@
  * \param ctx           CTR_DRBG context
  * \param additional    Additional data to update state with
  * \param add_len       Length of additional data
+ *
+ * \note                If add_len is greater than CTR_DRBG_MAX_SEED_INPUT,
+ *                      only the first CTR_DRBG_MAX_SEED_INPUT bytes are used,
+ *                      the remaining ones are silently discarded.
  */
 void ctr_drbg_update( ctr_drbg_context *ctx,
                       const unsigned char *additional, size_t add_len );

diff --git a/include/polarssl/memory_buffer_alloc.h b/include/polarssl/memory_buffer_alloc.h
index c449752..a1b4937 100644
--- a/include/polarssl/memory_buffer_alloc.h
+++ b/include/polarssl/memory_buffer_alloc.h

@@ -115,6 +115,15 @@
  */
 int memory_buffer_alloc_verify( void );
 
+#if defined(POLARSSL_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int memory_buffer_alloc_self_test( int verbose );
+#endif
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index f4f8f01..63ec314 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h

@@ -206,6 +206,15 @@
 #define SSL_IS_CLIENT                   0
 #define SSL_IS_SERVER                   1
 
+#define SSL_IS_NOT_FALLBACK             0
+#define SSL_IS_FALLBACK                 1
+
+#define SSL_EXTENDED_MS_DISABLED        0
+#define SSL_EXTENDED_MS_ENABLED         1
+
+#define SSL_ETM_DISABLED                0
+#define SSL_ETM_ENABLED                 1
+
 #define SSL_COMPRESS_NULL               0
 #define SSL_COMPRESS_DEFLATE            1
 
@@ -308,6 +317,7 @@
  * Signaling ciphersuite values (SCSV)
  */
 #define SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */
+#define SSL_FALLBACK_SCSV               0x5600 /**< draft-ietf-tls-downgrade-scsv-00 */
 
 /*
  * Supported Signature and Hash algorithms (For TLS 1.2)
@@ -365,6 +375,7 @@
 #define SSL_ALERT_MSG_PROTOCOL_VERSION      70  /* 0x46 */
 #define SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71  /* 0x47 */
 #define SSL_ALERT_MSG_INTERNAL_ERROR        80  /* 0x50 */
+#define SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86  /* 0x56 */
 #define SSL_ALERT_MSG_USER_CANCELED         90  /* 0x5A */
 #define SSL_ALERT_MSG_NO_RENEGOTIATION     100  /* 0x64 */
 #define SSL_ALERT_MSG_UNSUPPORTED_EXT      110  /* 0x6E */
@@ -401,6 +412,9 @@
 
 #define TLS_EXT_ALPN                        16
 
+#define TLS_EXT_ENCRYPT_THEN_MAC            22 /* 0x16 */
+#define TLS_EXT_EXTENDED_MASTER_SECRET  0x0017 /* 23 */
+
 #define TLS_EXT_SESSION_TICKET              35
 
 #define TLS_EXT_RENEGOTIATION_INFO      0xFF01
@@ -538,6 +552,10 @@
 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
     int trunc_hmac;             /*!< flag for truncated hmac activation   */
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+    int encrypt_then_mac;       /*!< flag for EtM activation                */
+#endif
 };
 
 /*
@@ -652,6 +670,9 @@
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
     int new_session_ticket;             /*!< use NewSessionTicket?    */
 #endif /* POLARSSL_SSL_SESSION_TICKETS */
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    int extended_ms;                    /*!< use Extended Master Secret? */
+#endif
 };
 
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
@@ -697,6 +718,16 @@
     int min_major_ver;          /*!< min. major version used          */
     int min_minor_ver;          /*!< min. minor version used          */
 
+#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
+    char fallback;              /*!< flag for fallback connections    */
+#endif
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+    char encrypt_then_mac;      /*!< flag for encrypt-then-mac        */
+#endif
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    char extended_ms;           /*!< flag for extended master secret  */
+#endif
+
     /*
      * Callbacks (RNG, debug, I/O, verification)
      */
@@ -1372,7 +1403,6 @@
  */
 void ssl_set_max_version( ssl_context *ssl, int major, int minor );
 
-
 /**
  * \brief          Set the minimum accepted SSL/TLS protocol version
  *                 (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
@@ -1388,6 +1418,59 @@
  */
 void ssl_set_min_version( ssl_context *ssl, int major, int minor );
 
+#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
+/**
+ * \brief          Set the fallback flag (client-side only).
+ *                 (Default: SSL_IS_NOT_FALLBACK).
+ *
+ * \note           Set to SSL_IS_FALLBACK when preparing a fallback
+ *                 connection, that is a connection with max_version set to a
+ *                 lower value than the value you're willing to use. Such
+ *                 fallback connections are not recommended but are sometimes
+ *                 necessary to interoperate with buggy (version-intolerant)
+ *                 servers.
+ *
+ * \warning        You should NOT set this to SSL_IS_FALLBACK for
+ *                 non-fallback connections! This would appear to work for a
+ *                 while, then cause failures when the server is upgraded to
+ *                 support a newer TLS version.
+ *
+ * \param ssl      SSL context
+ * \param fallback SSL_IS_NOT_FALLBACK or SSL_IS_FALLBACK
+ */
+void ssl_set_fallback( ssl_context *ssl, char fallback );
+#endif /* POLARSSL_SSL_FALLBACK_SCSV && POLARSSL_SSL_CLI_C */
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+/**
+ * \brief           Enable or disable Encrypt-then-MAC
+ *                  (Default: SSL_ETM_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security
+ *                  improvement, and should not cause any interoperability
+ *                  issue (used only if the peer supports it too).
+ *
+ * \param ssl       SSL context
+ * \param etm       SSL_ETM_ENABLED or SSL_ETM_DISABLED
+ */
+void ssl_set_encrypt_then_mac( ssl_context *ssl, char etm );
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+/**
+ * \brief           Enable or disable Extended Master Secret negotiation.
+ *                  (Default: SSL_EXTENDED_MS_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security fix to the
+ *                  protocol, and should not cause any interoperability issue
+ *                  (used only if the peer supports it too).
+ *
+ * \param ssl       SSL context
+ * \param ems       SSL_EXTENDED_MS_ENABLED or SSL_EXTENDED_MS_DISABLED
+ */
+void ssl_set_extended_master_secret( ssl_context *ssl, char ems );
+#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 /**
  * \brief          Set the maximum fragment length to emit and/or negotiate

diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 96ee4f1..91e0615 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c

@@ -137,6 +137,9 @@
     int i, j;
     size_t buf_len, use_len;
 
+    if( data_len > CTR_DRBG_MAX_SEED_INPUT )
+        return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
     memset( buf, 0, CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16 );
     aes_init( &aes_ctx );
 
@@ -256,6 +259,11 @@
 
     if( add_len > 0 )
     {
+        /* MAX_INPUT would be more logical here, but we have to match
+         * block_cipher_df()'s limits since we can't propagate errors */
+        if( add_len > CTR_DRBG_MAX_SEED_INPUT )
+            add_len = CTR_DRBG_MAX_SEED_INPUT;
+
         block_cipher_df( add_input, additional, add_len );
         ctr_drbg_update_internal( ctx, add_input );
     }

diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c
index 00ac3f1..4a5be47 100644
--- a/library/memory_buffer_alloc.c
+++ b/library/memory_buffer_alloc.c

@@ -484,7 +484,8 @@
     if( old == NULL )
     {
         hdr->next_free = heap.first_free;
-        heap.first_free->prev_free = hdr;
+        if( heap.first_free != NULL )
+            heap.first_free->prev_free = hdr;
         heap.first_free = hdr;
     }
 
@@ -562,9 +563,11 @@
 
     if( (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE )
     {
+        /* Adjust len first since buf is used in the computation */
+        len -= POLARSSL_MEMORY_ALIGN_MULTIPLE
+             - (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
         buf += POLARSSL_MEMORY_ALIGN_MULTIPLE
              - (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
-        len -= (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
     }
 
     heap.buf = buf;
@@ -586,4 +589,135 @@
     polarssl_zeroize( &heap, sizeof(buffer_alloc_ctx) );
 }
 
+#if defined(POLARSSL_SELF_TEST)
+static int check_pointer( void *p )
+{
+    if( p == NULL )
+        return( -1 );
+
+    if( (size_t) p % POLARSSL_MEMORY_ALIGN_MULTIPLE != 0 )
+        return( -1 );
+
+    return( 0 );
+}
+
+static int check_all_free( )
+{
+    if( heap.current_alloc_size != 0 ||
+        heap.first != heap.first_free ||
+        (void *) heap.first != (void *) heap.buf )
+    {
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+#define TEST_ASSERT( condition )            \
+    if( ! (condition) )                     \
+    {                                       \
+        if( verbose != 0 )                  \
+            polarssl_printf( "failed\n" );  \
+                                            \
+        ret = 1;                            \
+        goto cleanup;                       \
+    }
+
+int memory_buffer_alloc_self_test( int verbose )
+{
+    unsigned char buf[1024];
+    unsigned char *p, *q, *r, *end;
+    int ret = 0;
+
+    if( verbose != 0 )
+        polarssl_printf( "  MBA test #1 (basic alloc-free cycle): " );
+
+    memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+    p = polarssl_malloc( 1 );
+    q = polarssl_malloc( 128 );
+    r = polarssl_malloc( 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 &&
+                 check_pointer( q ) == 0 &&
+                 check_pointer( r ) == 0 );
+
+    polarssl_free( r );
+    polarssl_free( q );
+    polarssl_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    /* Memorize end to compare with the next test */
+    end = heap.buf + heap.len;
+
+    memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        polarssl_printf( "passed\n" );
+
+    if( verbose != 0 )
+        polarssl_printf( "  MBA test #2 (buf not aligned): " );
+
+    memory_buffer_alloc_init( buf + 1, sizeof( buf ) - 1 );
+
+    TEST_ASSERT( heap.buf + heap.len == end );
+
+    p = polarssl_malloc( 1 );
+    q = polarssl_malloc( 128 );
+    r = polarssl_malloc( 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 &&
+                 check_pointer( q ) == 0 &&
+                 check_pointer( r ) == 0 );
+
+    polarssl_free( r );
+    polarssl_free( q );
+    polarssl_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        polarssl_printf( "passed\n" );
+
+    if( verbose != 0 )
+        polarssl_printf( "  MBA test #3 (full): " );
+
+    memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+    p = polarssl_malloc( sizeof( buf ) - sizeof( memory_header ) );
+
+    TEST_ASSERT( check_pointer( p ) == 0 );
+    TEST_ASSERT( polarssl_malloc( 1 ) == NULL );
+
+    polarssl_free( p );
+
+    p = polarssl_malloc( sizeof( buf ) - 2 * sizeof( memory_header ) - 16 );
+    q = polarssl_malloc( 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 && check_pointer( q ) == 0 );
+    TEST_ASSERT( polarssl_malloc( 1 ) == NULL );
+
+    polarssl_free( q );
+
+    TEST_ASSERT( polarssl_malloc( 17 ) == NULL );
+
+    polarssl_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        polarssl_printf( "passed\n" );
+
+cleanup:
+    memory_buffer_alloc_free( );
+
+    return( ret );
+}
+#endif /* POLARSSL_SELF_TEST */
+
 #endif /* POLARSSL_MEMORY_BUFFER_ALLOC_C */

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 39e593a..0db9e23 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c

@@ -364,6 +364,58 @@
 }
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
+                                       unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->encrypt_then_mac == SSL_ETM_DISABLED ||
+        ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
+                        "extension" ) );
+
+    *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext( ssl_context *ssl,
+                                       unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+        ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
+                        "extension" ) );
+
+    *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
 static void ssl_write_session_ticket_ext( ssl_context *ssl,
                                           unsigned char *buf, size_t *olen )
@@ -601,6 +653,17 @@
         *p++ = (unsigned char)( ciphersuites[i]      );
     }
 
+    /* Some versions of OpenSSL don't handle it correctly if not at end */
+#if defined(POLARSSL_SSL_FALLBACK_SCSV)
+    if( ssl->fallback == SSL_IS_FALLBACK )
+    {
+        SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
+        *p++ = (unsigned char)( SSL_FALLBACK_SCSV >> 8 );
+        *p++ = (unsigned char)( SSL_FALLBACK_SCSV      );
+        n++;
+    }
+#endif
+
     *q++ = (unsigned char)( n >> 7 );
     *q++ = (unsigned char)( n << 1 );
 
@@ -657,6 +720,16 @@
     ext_len += olen;
 #endif
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+    ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
@@ -775,6 +848,46 @@
 }
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->encrypt_then_mac == SSL_ETM_DISABLED ||
+        ssl->minor_ver == SSL_MINOR_VERSION_0 ||
+        len != 0 )
+    {
+        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED;
+
+    return( 0 );
+}
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext( ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == SSL_MINOR_VERSION_0 ||
+        len != 0 )
+    {
+        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
+
+    return( 0 );
+}
+#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
                                          const unsigned char *buf,
@@ -1147,6 +1260,32 @@
             break;
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+        case TLS_EXT_ENCRYPT_THEN_MAC:
+            SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
+
+            if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+        case TLS_EXT_EXTENDED_MASTER_SECRET:
+            SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
+
+            if( ( ret = ssl_parse_extended_ms_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
         case TLS_EXT_SESSION_TICKET:
             SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
@@ -2259,12 +2398,6 @@
         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
     }
 
-    if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
-        return( ret );
-    }
-
     ssl->out_msglen  = i + n;
     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
     ssl->out_msg[0]  = SSL_HS_CLIENT_KEY_EXCHANGE;
@@ -2289,9 +2422,16 @@
 static int ssl_write_certificate_verify( ssl_context *ssl )
 {
     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+    int ret;
 
     SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
 
+    if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
+    {
+        SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
+        return( ret );
+    }
+
     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
@@ -2318,6 +2458,12 @@
 
     SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
 
+    if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
+    {
+        SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
+        return( ret );
+    }
+
     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 21f3c13..7bcec57 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -637,6 +637,52 @@
 }
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl,
+                                      const unsigned char *buf,
+                                      size_t len )
+{
+    if( len != 0 )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->encrypt_then_mac == SSL_ETM_ENABLED &&
+        ssl->minor_ver != SSL_MINOR_VERSION_0 )
+    {
+        ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED;
+    }
+
+    return( 0 );
+}
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext( ssl_context *ssl,
+                                      const unsigned char *buf,
+                                      size_t len )
+{
+    if( len != 0 )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED &&
+        ssl->minor_ver != SSL_MINOR_VERSION_0 )
+    {
+        ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
+    }
+
+    return( 0 );
+}
+#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
                                          unsigned char *buf,
@@ -1054,6 +1100,30 @@
         }
     }
 
+#if defined(POLARSSL_SSL_FALLBACK_SCSV)
+    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
+    {
+        if( p[0] == 0 &&
+            p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
+            p[2] == (unsigned char)( ( SSL_FALLBACK_SCSV      ) & 0xff ) )
+        {
+            SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
+
+            if( ssl->minor_ver < ssl->max_minor_ver )
+            {
+                SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
+
+                ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
+                                        SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
+
+                return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            break;
+        }
+    }
+#endif /* POLARSSL_SSL_FALLBACK_SCSV */
+
     ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
     ciphersuite_info = NULL;
 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
@@ -1367,6 +1437,29 @@
         }
     }
 
+#if defined(POLARSSL_SSL_FALLBACK_SCSV)
+    for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
+    {
+        if( p[0] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
+            p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV      ) & 0xff ) )
+        {
+            SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) );
+
+            if( ssl->minor_ver < ssl->max_minor_ver )
+            {
+                SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) );
+
+                ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
+                                        SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
+
+                return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            break;
+        }
+    }
+#endif /* POLARSSL_SSL_FALLBACK_SCSV */
+
     ext = buf + 44 + sess_len + ciph_len + comp_len;
 
     while( ext_len )
@@ -1457,6 +1550,26 @@
             break;
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+        case TLS_EXT_ENCRYPT_THEN_MAC:
+            SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
+
+            ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
+            if( ret != 0 )
+                return( ret );
+            break;
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+        case TLS_EXT_EXTENDED_MASTER_SECRET:
+            SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
+
+            ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
+            if( ret != 0 )
+                return( ret );
+            break;
+#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
         case TLS_EXT_SESSION_TICKET:
             SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
@@ -1606,6 +1719,76 @@
 }
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
+                                            unsigned char *buf,
+                                            size_t *olen )
+{
+    unsigned char *p = buf;
+    const ssl_ciphersuite_t *suite = NULL;
+    const cipher_info_t *cipher = NULL;
+
+    if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    /*
+     * RFC 7366: "If a server receives an encrypt-then-MAC request extension
+     * from a client and then selects a stream or Authenticated Encryption
+     * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
+     * encrypt-then-MAC response extension back to the client."
+     */
+    if( ( suite = ssl_ciphersuite_from_id(
+                    ssl->session_negotiate->ciphersuite ) ) == NULL ||
+        ( cipher = cipher_info_from_type( suite->cipher ) ) == NULL ||
+        cipher->mode != POLARSSL_MODE_CBC )
+    {
+        *olen = 0;
+        return;
+    }
+
+    SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
+
+    *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext( ssl_context *ssl,
+                                       unsigned char *buf,
+                                       size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
+                        "extension" ) );
+
+    *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
 static void ssl_write_session_ticket_ext( ssl_context *ssl,
                                           unsigned char *buf,
@@ -1909,6 +2092,16 @@
     ext_len += olen;
 #endif
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+    ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 736eac6..7eec364 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -470,10 +470,47 @@
         SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
                        handshake->pmslen );
 
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+        if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_ENABLED )
+        {
+            unsigned char session_hash[48];
+            size_t hash_len;
+
+            SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
+
+            ssl->handshake->calc_verify( ssl, session_hash );
+
+#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
+            {
+#if defined(POLARSSL_SHA512_C)
+                if( ssl->transform_negotiate->ciphersuite_info->mac ==
+                    POLARSSL_MD_SHA384 )
+                {
+                    hash_len = 48;
+                }
+                else
+#endif
+                    hash_len = 32;
+            }
+            else
+#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
+                hash_len = 36;
+
+            SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
+
+            handshake->tls_prf( handshake->premaster, handshake->pmslen,
+                                "extended master secret",
+                                session_hash, hash_len, session->master, 48 );
+
+        }
+        else
+#endif
         handshake->tls_prf( handshake->premaster, handshake->pmslen,
                             "master secret",
                             handshake->randbytes, 64, session->master, 48 );
 
+
         polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
     }
     else
@@ -564,12 +601,23 @@
         {
             /*
              * GenericBlockCipher:
-             * first multiple of blocklen greater than maclen
-             * + IV except for SSL3 and TLS 1.0
+             * 1. if EtM is in use: one block plus MAC
+             *    otherwise: * first multiple of blocklen greater than maclen
+             * 2. IV except for SSL3 and TLS 1.0
              */
-            transform->minlen = transform->maclen
-                                + cipher_info->block_size
-                                - transform->maclen % cipher_info->block_size;
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+            if( session->encrypt_then_mac == SSL_ETM_ENABLED )
+            {
+                transform->minlen = transform->maclen
+                                  + cipher_info->block_size;
+            }
+            else
+#endif
+            {
+                transform->minlen = transform->maclen
+                                  + cipher_info->block_size
+                                  - transform->maclen % cipher_info->block_size;
+            }
 
 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
             if( ssl->minor_ver == SSL_MINOR_VERSION_0 ||
@@ -1033,28 +1081,44 @@
 }
 #endif /* POLARSSL_SSL_PROTO_SSL3 */
 
+#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) ||     \
+    ( defined(POLARSSL_CIPHER_MODE_CBC) &&                                  \
+      ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
+#define POLARSSL_SOME_MODES_USE_MAC
+#endif
+
 /*
  * Encryption/decryption functions
  */
 static int ssl_encrypt_buf( ssl_context *ssl )
 {
     size_t i;
-    const cipher_mode_t mode = cipher_get_cipher_mode(
-                                        &ssl->transform_out->cipher_ctx_enc );
+    cipher_mode_t mode;
+    int auth_done = 0;
 
     SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
 
+    if( ssl->session_out == NULL || ssl->transform_out == NULL )
+    {
+        SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    mode = cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
+
     SSL_DEBUG_BUF( 4, "before encrypt: output payload",
                       ssl->out_msg, ssl->out_msglen );
 
     /*
-     * Add MAC before encrypt, except for AEAD modes
+     * Add MAC before if needed
      */
-#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) ||     \
-    ( defined(POLARSSL_CIPHER_MODE_CBC) &&                                  \
-      ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
-    if( mode != POLARSSL_MODE_GCM &&
-        mode != POLARSSL_MODE_CCM )
+#if defined(POLARSSL_SOME_MODES_USE_MAC)
+    if( mode == POLARSSL_MODE_STREAM ||
+        ( mode == POLARSSL_MODE_CBC
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+          && ssl->session_out->encrypt_then_mac == SSL_ETM_DISABLED
+#endif
+        ) )
     {
 #if defined(POLARSSL_SSL_PROTO_SSL3)
         if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
@@ -1089,6 +1153,7 @@
                        ssl->transform_out->maclen );
 
         ssl->out_msglen += ssl->transform_out->maclen;
+        auth_done++;
     }
 #endif /* AEAD not the only option */
 
@@ -1207,6 +1272,7 @@
         }
 
         ssl->out_msglen += taglen;
+        auth_done++;
 
         SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
     }
@@ -1292,6 +1358,40 @@
                     ssl->transform_out->ivlen );
         }
 #endif
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+        if( auth_done == 0 )
+        {
+            /*
+             * MAC(MAC_write_key, seq_num +
+             *     TLSCipherText.type +
+             *     TLSCipherText.version +
+             *     length_of( (IV +) ENC(...) ) +
+             *     IV + // except for TLS 1.0
+             *     ENC(content + padding + padding_length));
+             */
+            unsigned char pseudo_hdr[13];
+
+            SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
+
+            memcpy( pseudo_hdr +  0, ssl->out_ctr, 8 );
+            memcpy( pseudo_hdr +  8, ssl->out_hdr, 3 );
+            pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
+            pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen      ) & 0xFF );
+
+            SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
+
+            md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
+            md_hmac_update( &ssl->transform_out->md_ctx_enc,
+                             ssl->out_iv, ssl->out_msglen );
+            md_hmac_finish( &ssl->transform_out->md_ctx_enc,
+                             ssl->out_iv + ssl->out_msglen );
+            md_hmac_reset( &ssl->transform_out->md_ctx_enc );
+
+            ssl->out_msglen += ssl->transform_out->maclen;
+            auth_done++;
+        }
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
     }
     else
 #endif /* POLARSSL_CIPHER_MODE_CBC &&
@@ -1301,6 +1401,13 @@
         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
     }
 
+    /* Make extra sure authentication was performed, exactly once */
+    if( auth_done != 1 )
+    {
+        SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+    }
+
     for( i = 8; i > 0; i-- )
         if( ++ssl->out_ctr[i - 1] != 0 )
             break;
@@ -1322,16 +1429,22 @@
 static int ssl_decrypt_buf( ssl_context *ssl )
 {
     size_t i;
-    const cipher_mode_t mode = cipher_get_cipher_mode(
-                                        &ssl->transform_in->cipher_ctx_dec );
-#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) ||     \
-    ( defined(POLARSSL_CIPHER_MODE_CBC) &&                                  \
-      ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
+    cipher_mode_t mode;
+    int auth_done = 0;
+#if defined(POLARSSL_SOME_MODES_USE_MAC)
     size_t padlen = 0, correct = 1;
 #endif
 
     SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
 
+    if( ssl->session_in == NULL || ssl->transform_in == NULL )
+    {
+        SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    mode = cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
+
     if( ssl->in_msglen < ssl->transform_in->minlen )
     {
         SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
@@ -1428,6 +1541,7 @@
 
             return( ret );
         }
+        auth_done++;
 
         if( olen != dec_msglen )
         {
@@ -1454,13 +1568,6 @@
         /*
          * Check immediate ciphertext sanity
          */
-        if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
-                           ssl->in_msglen, ssl->transform_in->ivlen ) );
-            return( POLARSSL_ERR_SSL_INVALID_MAC );
-        }
-
 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
         if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
             minlen += ssl->transform_in->ivlen;
@@ -1480,6 +1587,59 @@
         dec_msg = ssl->in_msg;
         dec_msg_result = ssl->in_msg;
 
+        /*
+         * Authenticate before decrypt if enabled
+         */
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+        if( ssl->session_in->encrypt_then_mac == SSL_ETM_ENABLED )
+        {
+            unsigned char computed_mac[POLARSSL_SSL_MAX_MAC_SIZE];
+            unsigned char pseudo_hdr[13];
+
+            SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
+
+            dec_msglen -= ssl->transform_in->maclen;
+            ssl->in_msglen -= ssl->transform_in->maclen;
+
+            memcpy( pseudo_hdr +  0, ssl->in_ctr, 8 );
+            memcpy( pseudo_hdr +  8, ssl->in_hdr, 3 );
+            pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
+            pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen      ) & 0xFF );
+
+            SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
+
+            md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
+            md_hmac_update( &ssl->transform_in->md_ctx_dec,
+                             ssl->in_iv, ssl->in_msglen );
+            md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
+            md_hmac_reset( &ssl->transform_in->md_ctx_dec );
+
+            SSL_DEBUG_BUF( 4, "message  mac", ssl->in_iv + ssl->in_msglen,
+                                              ssl->transform_in->maclen );
+            SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
+                                              ssl->transform_in->maclen );
+
+            if( safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
+                              ssl->transform_in->maclen ) != 0 )
+            {
+                SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
+
+                return( POLARSSL_ERR_SSL_INVALID_MAC );
+            }
+            auth_done++;
+        }
+#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
+
+        /*
+         * Check length sanity
+         */
+        if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
+        {
+            SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
+                           ssl->in_msglen, ssl->transform_in->ivlen ) );
+            return( POLARSSL_ERR_SSL_INVALID_MAC );
+        }
+
 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
         /*
          * Initialize for prepended IV for block cipher in TLS v1.1 and up
@@ -1524,7 +1684,8 @@
 
         padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
 
-        if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
+        if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
+            auth_done == 0 )
         {
 #if defined(POLARSSL_SSL_DEBUG_ALL)
             SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
@@ -1598,6 +1759,8 @@
             SSL_DEBUG_MSG( 1, ( "should never happen" ) );
             return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
         }
+
+        ssl->in_msglen -= padlen;
     }
     else
 #endif /* POLARSSL_CIPHER_MODE_CBC &&
@@ -1611,17 +1774,15 @@
                    ssl->in_msg, ssl->in_msglen );
 
     /*
-     * Always compute the MAC (RFC4346, CBCTIME), except for AEAD of course
+     * Authenticate if not done yet.
+     * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
      */
-#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) ||     \
-    ( defined(POLARSSL_CIPHER_MODE_CBC) &&                                  \
-      ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
-    if( mode != POLARSSL_MODE_GCM &&
-        mode != POLARSSL_MODE_CCM )
+#if defined(POLARSSL_SOME_MODES_USE_MAC)
+    if( auth_done == 0 )
     {
         unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
 
-        ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
+        ssl->in_msglen -= ssl->transform_in->maclen;
 
         ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
         ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen      );
@@ -1691,6 +1852,7 @@
 #endif
             correct = 0;
         }
+        auth_done++;
 
         /*
          * Finally check the correct flag
@@ -1698,7 +1860,14 @@
         if( correct == 0 )
             return( POLARSSL_ERR_SSL_INVALID_MAC );
     }
-#endif /* AEAD not the only option */
+#endif /* POLARSSL_SOME_MODES_USE_MAC */
+
+    /* Make extra sure authentication was performed, exactly once */
+    if( auth_done != 1 )
+    {
+        SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+    }
 
     if( ssl->in_msglen == 0 )
     {
@@ -1734,6 +1903,10 @@
     return( 0 );
 }
 
+#undef MAC_NONE
+#undef MAC_PLAINTEXT
+#undef MAC_CIPHERTEXT
+
 #if defined(POLARSSL_ZLIB_SUPPORT)
 /*
  * Compression/decompression functions
@@ -3106,6 +3279,12 @@
 
     if( ssl->session )
     {
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+        /* RFC 7366 3.1: keep the EtM state */
+        ssl->session_negotiate->encrypt_then_mac =
+                  ssl->session->encrypt_then_mac;
+#endif
+
         ssl_session_free( ssl->session );
         polarssl_free( ssl->session );
     }
@@ -3471,6 +3650,14 @@
     memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
     memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
 
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+    ssl->encrypt_then_mac = SSL_ETM_ENABLED;
+#endif
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    ssl->extended_ms = SSL_EXTENDED_MS_ENABLED;
+#endif
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
 #endif
@@ -4016,6 +4203,27 @@
     }
 }
 
+#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
+void ssl_set_fallback( ssl_context *ssl, char fallback )
+{
+    ssl->fallback = fallback;
+}
+#endif
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+void ssl_set_encrypt_then_mac( ssl_context *ssl, char etm )
+{
+    ssl->encrypt_then_mac = etm;
+}
+#endif
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+void ssl_set_extended_master_secret( ssl_context *ssl, char ems )
+{
+    ssl->extended_ms = ems;
+}
+#endif
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
 {

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 56c46d7..3457828 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c

@@ -95,6 +95,9 @@
 #define DFL_RECO_DELAY          0
 #define DFL_TICKETS             SSL_SESSION_TICKETS_ENABLED
 #define DFL_ALPN_STRING         NULL
+#define DFL_FALLBACK            -1
+#define DFL_EXTENDED_MS         -1
+#define DFL_ETM                 -1
 
 #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
 #define GET_REQUEST_END "\r\n\r\n"
@@ -132,6 +135,9 @@
     int reco_delay;             /* delay in seconds before resuming session */
     int tickets;                /* enable / disable session tickets         */
     const char *alpn_string;    /* ALPN supported protocols                 */
+    int fallback;               /* is this a fallback connection?           */
+    int extended_ms;            /* negotiate extended master secret?        */
+    int etm;                    /* negotiate encrypt then mac?              */
 } opt;
 
 static void my_debug( void *ctx, int level, const char *str )
@@ -284,6 +290,27 @@
 #define USAGE_ALPN ""
 #endif /* POLARSSL_SSL_ALPN */
 
+#if defined(POLARSSL_SSL_FALLBACK_SCSV)
+#define USAGE_FALLBACK \
+    "    fallback=0/1        default: (library default: off)\n"
+#else
+#define USAGE_FALLBACK ""
+#endif
+
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+#define USAGE_EMS \
+    "    extended_ms=0/1     default: (library default: on)\n"
+#else
+#define USAGE_EMS ""
+#endif
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+#define USAGE_ETM \
+    "    etm=0/1             default: (library default: on)\n"
+#else
+#define USAGE_ETM ""
+#endif
+
 #define USAGE \
     "\n usage: ssl_client2 param=<>...\n"                   \
     "\n acceptable parameters:\n"                           \
@@ -313,6 +340,9 @@
     USAGE_MAX_FRAG_LEN                                      \
     USAGE_TRUNC_HMAC                                        \
     USAGE_ALPN                                              \
+    USAGE_FALLBACK                                          \
+    USAGE_EMS                                               \
+    USAGE_ETM                                               \
     "\n"                                                    \
     "    min_version=%%s      default: \"\" (ssl3)\n"       \
     "    max_version=%%s      default: \"\" (tls1_2)\n"     \
@@ -413,6 +443,9 @@
     opt.reco_delay          = DFL_RECO_DELAY;
     opt.tickets             = DFL_TICKETS;
     opt.alpn_string         = DFL_ALPN_STRING;
+    opt.fallback            = DFL_FALLBACK;
+    opt.extended_ms         = DFL_EXTENDED_MS;
+    opt.etm                 = DFL_ETM;
 
     for( i = 1; i < argc; i++ )
     {
@@ -519,6 +552,33 @@
         {
             opt.alpn_string = q;
         }
+        else if( strcmp( p, "fallback" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0: opt.fallback = SSL_IS_NOT_FALLBACK; break;
+                case 1: opt.fallback = SSL_IS_FALLBACK; break;
+                default: goto usage;
+            }
+        }
+        else if( strcmp( p, "extended_ms" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0: opt.extended_ms = SSL_EXTENDED_MS_DISABLED; break;
+                case 1: opt.extended_ms = SSL_EXTENDED_MS_ENABLED; break;
+                default: goto usage;
+            }
+        }
+        else if( strcmp( p, "etm" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0: opt.etm = SSL_ETM_DISABLED; break;
+                case 1: opt.etm = SSL_ETM_ENABLED; break;
+                default: goto usage;
+            }
+        }
         else if( strcmp( p, "min_version" ) == 0 )
         {
             if( strcmp( q, "ssl3" ) == 0 )
@@ -882,6 +942,16 @@
         }
 #endif
 
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    if( opt.extended_ms != DFL_EXTENDED_MS )
+        ssl_set_extended_master_secret( &ssl, opt.extended_ms );
+#endif
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+    if( opt.etm != DFL_ETM )
+        ssl_set_encrypt_then_mac( &ssl, opt.etm );
+#endif
+
 #if defined(POLARSSL_SSL_ALPN)
     if( opt.alpn_string != NULL )
         if( ( ret = ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 )
@@ -952,6 +1022,10 @@
         ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
     if( opt.max_version != -1 )
         ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
+#if defined(POLARSSL_SSL_FALLBACK_SCSV)
+    if( opt.fallback != DFL_FALLBACK )
+        ssl_set_fallback( &ssl, opt.fallback );
+#endif
 
     /*
      * 4. Handshake

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index ba1f29c..9d4443f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c

@@ -116,6 +116,8 @@
 #define DFL_SNI                 NULL
 #define DFL_ALPN_STRING         NULL
 #define DFL_DHM_FILE            NULL
+#define DFL_EXTENDED_MS         -1
+#define DFL_ETM                 -1
 
 #define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
     "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n"  \
@@ -176,6 +178,8 @@
     char *sni;                  /* string describing sni information        */
     const char *alpn_string;    /* ALPN supported protocols                 */
     const char *dhm_file;       /* the file with the DH parameters          */
+    char extended_ms;           /* allow negotiation of extended MS?        */
+    char etm;                   /* allow negotiation of encrypt-then-MAC?   */
 } opt;
 
 static void my_debug( void *ctx, int level, const char *str )
@@ -299,6 +303,20 @@
 #define USAGE_ALPN ""
 #endif /* POLARSSL_SSL_ALPN */
 
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+#define USAGE_EMS \
+    "    extended_ms=0/1     default: (library default: on)\n"
+#else
+#define USAGE_EMS ""
+#endif
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+#define USAGE_ETM \
+    "    etm=0/1             default: (library default: on)\n"
+#else
+#define USAGE_ETM ""
+#endif
+
 #define USAGE \
     "\n usage: ssl_server2 param=<>...\n"                   \
     "\n acceptable parameters:\n"                           \
@@ -324,6 +342,8 @@
     USAGE_CACHE                                             \
     USAGE_MAX_FRAG_LEN                                      \
     USAGE_ALPN                                              \
+    USAGE_EMS                                               \
+    USAGE_ETM                                               \
     "\n"                                                    \
     "    min_version=%%s      default: \"ssl3\"\n"          \
     "    max_version=%%s      default: \"tls1_2\"\n"        \
@@ -714,6 +734,8 @@
     opt.sni                 = DFL_SNI;
     opt.alpn_string         = DFL_ALPN_STRING;
     opt.dhm_file            = DFL_DHM_FILE;
+    opt.extended_ms         = DFL_EXTENDED_MS;
+    opt.etm                 = DFL_ETM;
 
     for( i = 1; i < argc; i++ )
     {
@@ -881,6 +903,24 @@
         {
             opt.alpn_string = q;
         }
+        else if( strcmp( p, "extended_ms" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0: opt.extended_ms = SSL_EXTENDED_MS_DISABLED; break;
+                case 1: opt.extended_ms = SSL_EXTENDED_MS_ENABLED; break;
+                default: goto usage;
+            }
+        }
+        else if( strcmp( p, "etm" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0: opt.etm = SSL_ETM_DISABLED; break;
+                case 1: opt.etm = SSL_ETM_ENABLED; break;
+                default: goto usage;
+            }
+        }
         else if( strcmp( p, "tickets" ) == 0 )
         {
             opt.tickets = atoi( q );
@@ -1258,6 +1298,16 @@
     };
 #endif
 
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    if( opt.extended_ms != DFL_EXTENDED_MS )
+        ssl_set_extended_master_secret( &ssl, opt.extended_ms );
+#endif
+
+#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
+    if( opt.etm != DFL_ETM )
+        ssl_set_encrypt_then_mac( &ssl, opt.etm );
+#endif
+
 #if defined(POLARSSL_SSL_ALPN)
     if( opt.alpn_string != NULL )
         if( ( ret = ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 )

diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index edf3d52..3e68e36 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c

@@ -226,16 +226,23 @@
 #if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) && defined(POLARSSL_MEMORY_DEBUG)
         memory_buffer_alloc_status();
 #endif
+    }
 
+#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C)
+    memory_buffer_alloc_free();
+
+    if( ( ret = memory_buffer_alloc_self_test( v ) ) != 0 )
+        return( ret );
+#endif
+
+    if( v != 0 )
+    {
         printf( "  [ All tests passed ]\n\n" );
 #if defined(_WIN32)
         printf( "  Press Enter to exit this program.\n" );
         fflush( stdout ); getchar();
 #endif
     }
-#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C)
-    memory_buffer_alloc_free();
-#endif
 
     return( ret );
 }

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 7887e21..3cd7e37 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt

@@ -73,6 +73,7 @@
 add_test_suite(hmac_shax)
 add_test_suite(md)
 add_test_suite(mdx)
+add_test_suite(memory_buffer_alloc)
 add_test_suite(mpi)
 add_test_suite(pbkdf2)
 add_test_suite(pem)

diff --git a/tests/Makefile b/tests/Makefile
index c37b790..37e1aac 100644
--- a/tests/Makefile
+++ b/tests/Makefile

@@ -59,6 +59,7 @@
 		test_suite_hmac_drbg.nopr						\
 		test_suite_hmac_drbg.pr							\
 		test_suite_md			test_suite_mdx			\
+		test_suite_memory_buffer_alloc					\
 		test_suite_mpi			test_suite_pbkdf2		\
 		test_suite_pem									\
 		test_suite_pkcs1_v21	test_suite_pkcs5		\
@@ -336,6 +337,10 @@
 	echo   "  CC    	$@.c"
 	$(CC) $(CFLAGS) $(OFLAGS) $@.c	$(LDFLAGS) -o $@
 
+test_suite_memory_buffer_alloc: test_suite_memory_buffer_alloc.c $(DEP)
+	echo   "  CC    	$@.c"
+	$(CC) $(CFLAGS) $(OFLAGS) $@.c	$(LDFLAGS) -o $@
+
 test_suite_mpi: test_suite_mpi.c $(DEP)
 	echo   "  CC    	$@.c"
 	$(CC) $(CFLAGS) $(OFLAGS) $@.c	$(LDFLAGS) -o $@

diff --git a/tests/compat.sh b/tests/compat.sh
index 861d20e..bebd0a8 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh

@@ -26,14 +26,19 @@
 
 # do we have a recent enough GnuTLS?
 if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null; then
-    eval $( $GNUTLS_CLI --version | head -n1 | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' )
-    if [ $MAJOR -lt 3 -o \
-        \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
-        \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
-    then
-        PEER_GNUTLS=""
-    else
+    G_VER="$( $GNUTLS_CLI --version | head -n1 )"
+    if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version
         PEER_GNUTLS=" GnuTLS"
+    else
+        eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' )
+        if [ $MAJOR -lt 3 -o \
+            \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
+            \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
+        then
+            PEER_GNUTLS=""
+        else
+            PEER_GNUTLS=" GnuTLS"
+        fi
     fi
 else
     PEER_GNUTLS=""
@@ -51,16 +56,16 @@
 
 print_usage() {
     echo "Usage: $0"
-    echo -e "  -h|--help\tPrint this help."
-    echo -e "  -f|--filter\tOnly matching ciphersuites are tested (Default: '$FILTER')"
-    echo -e "  -e|--exclude\tMatching ciphersuites are excluded (Default: '$EXCLUDE')"
-    echo -e "  -m|--modes\tWhich modes to perform (Default: '$MODES')"
-    echo -e "  -t|--types\tWhich key exchange type to perform (Default: '$TYPES')"
-    echo -e "  -V|--verify\tWhich verification modes to perform (Default: '$VERIFIES')"
-    echo -e "  -p|--peers\tWhich peers to use (Default: '$PEERS')"
-    echo -e "            \tAlso available: GnuTLS (needs v3.2.15 or higher)"
-    echo -e "  -M|--memcheck\tCheck memory leaks and errors."
-    echo -e "  -v|--verbose\tSet verbose output."
+    printf "  -h|--help\tPrint this help.\n"
+    printf "  -f|--filter\tOnly matching ciphersuites are tested (Default: '$FILTER')\n"
+    printf "  -e|--exclude\tMatching ciphersuites are excluded (Default: '$EXCLUDE')\n"
+    printf "  -m|--modes\tWhich modes to perform (Default: '$MODES')\n"
+    printf "  -t|--types\tWhich key exchange type to perform (Default: '$TYPES')\n"
+    printf "  -V|--verify\tWhich verification modes to perform (Default: '$VERIFIES')\n"
+    printf "  -p|--peers\tWhich peers to use (Default: '$PEERS')\n"
+    printf "            \tAlso available: GnuTLS (needs v3.2.15 or higher)\n"
+    printf "  -M|--memcheck\tCheck memory leaks and errors.\n"
+    printf "  -v|--verbose\tSet verbose output.\n"
 }
 
 get_options() {
@@ -102,6 +107,10 @@
         esac
         shift
     done
+
+    # sanitize some options (modes checked later)
+    VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )"
+    TYPES="$( echo $TYPES | tr [a-z] [A-Z] )"
 }
 
 log() {
@@ -121,7 +130,7 @@
   done
 
   # normalize whitespace
-  echo "$NEW_LIST" | sed -e 's/[[:space:]]\+/ /g' -e 's/^ //' -e 's/ $//'
+  echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
 }
 
 filter_ciphersuites()
@@ -834,9 +843,9 @@
     VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
     TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`"
     TITLE="$TITLE $MODE,$VERIF $2"
-    echo -n "$TITLE "
+    printf "$TITLE "
     LEN=$(( 72 - `echo "$TITLE" | wc -c` ))
-    for i in `seq 1 $LEN`; do echo -n '.'; done; echo -n ' '
+    for i in `seq 1 $LEN`; do printf '.'; done; printf ' '
 
     # run the command and interpret result
     case $1 in
@@ -1095,9 +1104,9 @@
 
 if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ];
 then
-    echo -n "FAILED"
+    printf "FAILED"
 else
-    echo -n "PASSED"
+    printf "PASSED"
 fi
 
 if [ "$MEMCHECK" -gt 0 ]; then

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index ebb8d97..30c19d5 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh

@@ -41,7 +41,7 @@
 {
     make clean
 
-    find -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} \+
+    find . -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} \+
     rm -f include/Makefile include/polarssl/Makefile programs/*/Makefile
     git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile
     git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 4eafed4..f1ff917 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh

@@ -34,10 +34,10 @@
 
 print_usage() {
     echo "Usage: $0 [options]"
-    echo -e "  -h|--help\tPrint this help."
-    echo -e "  -m|--memcheck\tCheck memory leaks and errors."
-    echo -e "  -f|--filter\tOnly matching tests are executed (default: '$FILTER')"
-    echo -e "  -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')"
+    printf "  -h|--help\tPrint this help.\n"
+    printf "  -m|--memcheck\tCheck memory leaks and errors.\n"
+    printf "  -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
+    printf "  -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
 }
 
 get_options() {
@@ -80,6 +80,21 @@
     fi
 }
 
+# skip next test if OpenSSL doesn't support FALLBACK_SCSV
+requires_openssl_with_fallback_scsv() {
+    if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
+        if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
+        then
+            OPENSSL_HAS_FBSCSV="YES"
+        else
+            OPENSSL_HAS_FBSCSV="NO"
+        fi
+    fi
+    if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
+        SKIP_NEXT="YES"
+    fi
+}
+
 # skip next test if GnuTLS isn't available
 requires_gnutls() {
     if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
@@ -96,10 +111,10 @@
 
 # print_name <name>
 print_name() {
-    echo -n "$1 "
+    printf "$1 "
     LEN=$(( 72 - `echo "$1" | wc -c` ))
-    for i in `seq 1 $LEN`; do echo -n '.'; done
-    echo -n ' '
+    for i in `seq 1 $LEN`; do printf '.'; done
+    printf ' '
 
     TESTS=$(( $TESTS + 1 ))
 }
@@ -148,7 +163,8 @@
         WATCHDOG_PID=$!
 
         # make a tight loop, server usually takes less than 1 sec to start
-        until lsof -nbi TCP:"$PORT" | grep LISTEN >/dev/null; do :; done
+        until lsof -nbi TCP:"$PORT" 2>/dev/null | grep LISTEN >/dev/null; 
+        do :; done
 
         kill $WATCHDOG_PID
         wait $WATCHDOG_PID
@@ -232,14 +248,14 @@
     if is_polar "$SRV_CMD"; then
         if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
         else
-            fail "server failed to start"
+            fail "server or client failed to reach handshake stage"
             return
         fi
     fi
     if is_polar "$CLI_CMD"; then
         if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
         else
-            fail "client failed to start"
+            fail "server or client failed to reach handshake stage"
             return
         fi
     fi
@@ -425,6 +441,227 @@
             0 \
             -s "dumping 'computed mac' (10 bytes)"
 
+# Tests for Encrypt-then-MAC extension
+
+run_test    "Encrypt then MAC: default" \
+            "$P_SRV debug_level=3 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -c "client hello, adding encrypt_then_mac extension" \
+            -s "found encrypt then mac extension" \
+            -s "server hello, adding encrypt then mac extension" \
+            -c "found encrypt_then_mac extension" \
+            -c "using encrypt then mac" \
+            -s "using encrypt then mac"
+
+run_test    "Encrypt then MAC: client enabled, server disabled" \
+            "$P_SRV debug_level=3 etm=0 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            "$P_CLI debug_level=3 etm=1" \
+            0 \
+            -c "client hello, adding encrypt_then_mac extension" \
+            -s "found encrypt then mac extension" \
+            -S "server hello, adding encrypt then mac extension" \
+            -C "found encrypt_then_mac extension" \
+            -C "using encrypt then mac" \
+            -S "using encrypt then mac"
+
+run_test    "Encrypt then MAC: client enabled, aead cipher" \
+            "$P_SRV debug_level=3 etm=1 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_CLI debug_level=3 etm=1" \
+            0 \
+            -c "client hello, adding encrypt_then_mac extension" \
+            -s "found encrypt then mac extension" \
+            -S "server hello, adding encrypt then mac extension" \
+            -C "found encrypt_then_mac extension" \
+            -C "using encrypt then mac" \
+            -S "using encrypt then mac"
+
+run_test    "Encrypt then MAC: client enabled, stream cipher" \
+            "$P_SRV debug_level=3 etm=1 \
+             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
+            "$P_CLI debug_level=3 etm=1" \
+            0 \
+            -c "client hello, adding encrypt_then_mac extension" \
+            -s "found encrypt then mac extension" \
+            -S "server hello, adding encrypt then mac extension" \
+            -C "found encrypt_then_mac extension" \
+            -C "using encrypt then mac" \
+            -S "using encrypt then mac"
+
+run_test    "Encrypt then MAC: client disabled, server enabled" \
+            "$P_SRV debug_level=3 etm=1 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            "$P_CLI debug_level=3 etm=0" \
+            0 \
+            -C "client hello, adding encrypt_then_mac extension" \
+            -S "found encrypt then mac extension" \
+            -S "server hello, adding encrypt then mac extension" \
+            -C "found encrypt_then_mac extension" \
+            -C "using encrypt then mac" \
+            -S "using encrypt then mac"
+
+run_test    "Encrypt then MAC: client SSLv3, server enabled" \
+            "$P_SRV debug_level=3 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            "$P_CLI debug_level=3 force_version=ssl3" \
+            0 \
+            -C "client hello, adding encrypt_then_mac extension" \
+            -S "found encrypt then mac extension" \
+            -S "server hello, adding encrypt then mac extension" \
+            -C "found encrypt_then_mac extension" \
+            -C "using encrypt then mac" \
+            -S "using encrypt then mac"
+
+run_test    "Encrypt then MAC: client enabled, server SSLv3" \
+            "$P_SRV debug_level=3 force_version=ssl3 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -c "client hello, adding encrypt_then_mac extension" \
+            -s "found encrypt then mac extension" \
+            -S "server hello, adding encrypt then mac extension" \
+            -C "found encrypt_then_mac extension" \
+            -C "using encrypt then mac" \
+            -S "using encrypt then mac"
+
+# Tests for Extended Master Secret extension
+
+run_test    "Extended Master Secret: default" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -c "client hello, adding extended_master_secret extension" \
+            -s "found extended master secret extension" \
+            -s "server hello, adding extended master secret extension" \
+            -c "found extended_master_secret extension" \
+            -c "using extended master secret" \
+            -s "using extended master secret"
+
+run_test    "Extended Master Secret: client enabled, server disabled" \
+            "$P_SRV debug_level=3 extended_ms=0" \
+            "$P_CLI debug_level=3 extended_ms=1" \
+            0 \
+            -c "client hello, adding extended_master_secret extension" \
+            -s "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
+run_test    "Extended Master Secret: client disabled, server enabled" \
+            "$P_SRV debug_level=3 extended_ms=1" \
+            "$P_CLI debug_level=3 extended_ms=0" \
+            0 \
+            -C "client hello, adding extended_master_secret extension" \
+            -S "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
+run_test    "Extended Master Secret: client SSLv3, server enabled" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3 force_version=ssl3" \
+            0 \
+            -C "client hello, adding extended_master_secret extension" \
+            -S "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
+run_test    "Extended Master Secret: client enabled, server SSLv3" \
+            "$P_SRV debug_level=3 force_version=ssl3" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -c "client hello, adding extended_master_secret extension" \
+            -s "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
+# Tests for FALLBACK_SCSV
+
+run_test    "Fallback SCSV: default" \
+            "$P_SRV" \
+            "$P_CLI debug_level=3 force_version=tls1_1" \
+            0 \
+            -C "adding FALLBACK_SCSV" \
+            -S "received FALLBACK_SCSV" \
+            -S "inapropriate fallback" \
+            -C "is a fatal alert message (msg 86)"
+
+run_test    "Fallback SCSV: explicitly disabled" \
+            "$P_SRV" \
+            "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
+            0 \
+            -C "adding FALLBACK_SCSV" \
+            -S "received FALLBACK_SCSV" \
+            -S "inapropriate fallback" \
+            -C "is a fatal alert message (msg 86)"
+
+run_test    "Fallback SCSV: enabled" \
+            "$P_SRV" \
+            "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
+            1 \
+            -c "adding FALLBACK_SCSV" \
+            -s "received FALLBACK_SCSV" \
+            -s "inapropriate fallback" \
+            -c "is a fatal alert message (msg 86)"
+
+run_test    "Fallback SCSV: enabled, max version" \
+            "$P_SRV" \
+            "$P_CLI debug_level=3 fallback=1" \
+            0 \
+            -c "adding FALLBACK_SCSV" \
+            -s "received FALLBACK_SCSV" \
+            -S "inapropriate fallback" \
+            -C "is a fatal alert message (msg 86)"
+
+requires_openssl_with_fallback_scsv
+run_test    "Fallback SCSV: default, openssl server" \
+            "$O_SRV" \
+            "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
+            0 \
+            -C "adding FALLBACK_SCSV" \
+            -C "is a fatal alert message (msg 86)"
+
+requires_openssl_with_fallback_scsv
+run_test    "Fallback SCSV: enabled, openssl server" \
+            "$O_SRV" \
+            "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
+            1 \
+            -c "adding FALLBACK_SCSV" \
+            -c "is a fatal alert message (msg 86)"
+
+requires_openssl_with_fallback_scsv
+run_test    "Fallback SCSV: disabled, openssl client" \
+            "$P_SRV" \
+            "$O_CLI -tls1_1" \
+            0 \
+            -S "received FALLBACK_SCSV" \
+            -S "inapropriate fallback"
+
+requires_openssl_with_fallback_scsv
+run_test    "Fallback SCSV: enabled, openssl client" \
+            "$P_SRV" \
+            "$O_CLI -tls1_1 -fallback_scsv" \
+            1 \
+            -s "received FALLBACK_SCSV" \
+            -s "inapropriate fallback"
+
+requires_openssl_with_fallback_scsv
+run_test    "Fallback SCSV: enabled, max version, openssl client" \
+            "$P_SRV" \
+            "$O_CLI -fallback_scsv" \
+            0 \
+            -s "received FALLBACK_SCSV" \
+            -S "inapropriate fallback"
+
 # Tests for Session Tickets
 
 run_test    "Session resume using tickets: basic" \
@@ -1628,6 +1865,13 @@
             0 \
             -s "Read from client: 1 bytes read"
 
+run_test    "Small packet TLS 1.0 BlockCipher without EtM" \
+            "$P_SRV" \
+            "$P_CLI request_size=1 force_version=tls1 etm=0 \
+             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
+            0 \
+            -s "Read from client: 1 bytes read"
+
 run_test    "Small packet TLS 1.0 BlockCipher truncated MAC" \
             "$P_SRV" \
             "$P_CLI request_size=1 force_version=tls1 \
@@ -1651,6 +1895,13 @@
             0 \
             -s "Read from client: 1 bytes read"
 
+run_test    "Small packet TLS 1.1 BlockCipher without EtM" \
+            "$P_SRV" \
+            "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
+             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
+            0 \
+            -s "Read from client: 1 bytes read"
+
 run_test    "Small packet TLS 1.1 StreamCipher" \
             "$P_SRV" \
             "$P_CLI request_size=1 force_version=tls1_1 \
@@ -1681,6 +1932,13 @@
             0 \
             -s "Read from client: 1 bytes read"
 
+run_test    "Small packet TLS 1.2 BlockCipher without EtM" \
+            "$P_SRV" \
+            "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
+             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
+            0 \
+            -s "Read from client: 1 bytes read"
+
 run_test    "Small packet TLS 1.2 BlockCipher larger MAC" \
             "$P_SRV" \
             "$P_CLI request_size=1 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
@@ -1848,9 +2106,9 @@
 echo "------------------------------------------------------------------------"
 
 if [ $FAILS = 0 ]; then
-    echo -n "PASSED"
+    printf "PASSED"
 else
-    echo -n "FAILED"
+    printf "FAILED"
 fi
 PASSES=$(( $TESTS - $FAILS ))
 echo " ($PASSES / $TESTS tests ($SKIPS skipped))"

diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index 318ca9a..fae56f4 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function

@@ -211,7 +211,8 @@
     char buf[5000];
     char *params[50];
 
-#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C)
+#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) && \
+    !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
     unsigned char alloc_buf[1000000];
     memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) );
 #endif
@@ -298,7 +299,8 @@
     fprintf( stdout, " (%d / %d tests (%d skipped))\n",
              total_tests - total_errors, total_tests, total_skipped );
 
-#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C)
+#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) && \
+    !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
 #if defined(POLARSSL_MEMORY_DEBUG)
     memory_buffer_alloc_status();
 #endif

diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function
index fd9f087..a36bab2 100644
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function

@@ -141,6 +141,10 @@
     }
     TEST_ASSERT( last_idx == test_offset_idx );
 
+    /* Call update with too much data (sizeof entropy > MAX(_SEED)_INPUT)
+     * (just make sure it doesn't cause memory corruption) */
+    ctr_drbg_update( &ctx, entropy, sizeof( entropy ) );
+
     /* Now enable PR, so the next few calls should all reseed */
     ctr_drbg_set_prediction_resistance( &ctx, CTR_DRBG_PR_ON );
     TEST_ASSERT( ctr_drbg_random( &ctx, out, sizeof( out ) ) == 0 );

diff --git a/tests/suites/test_suite_memory_buffer_alloc.data b/tests/suites/test_suite_memory_buffer_alloc.data
new file mode 100644
index 0000000..2542d4d
--- /dev/null
+++ b/tests/suites/test_suite_memory_buffer_alloc.data

@@ -0,0 +1,2 @@
+Memory buffer alloc self test
+memory_buffer_alloc_self_test:

diff --git a/tests/suites/test_suite_memory_buffer_alloc.function b/tests/suites/test_suite_memory_buffer_alloc.function
new file mode 100644
index 0000000..88c36ab
--- /dev/null
+++ b/tests/suites/test_suite_memory_buffer_alloc.function

@@ -0,0 +1,16 @@
+/* BEGIN_HEADER */
+#include <polarssl/memory_buffer_alloc.h>
+#define TEST_SUITE_MEMORY_BUFFER_ALLOC
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:POLARSSL_MEMORY_BUFFER_ALLOC_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */
+void memory_buffer_alloc_self_test( )
+{
+    TEST_ASSERT( memory_buffer_alloc_self_test( 0 ) == 0 );
+}
+/* END_CASE */