From 4b7097025305b219694dd8b04f84155cd12fb71d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 4 Jun 2020 11:40:29 +0200 Subject: [PATCH] Do not allow dropping Extended Master Secret extension on renegotiaton Abort renegotiation if server receives client hello with Extended Master Secret extension dropped in comparison to the initial session. Fixes #9754 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12099) --- CHANGES | 4 ++++ include/openssl/ssl3.h | 3 +++ ssl/statem/extensions.c | 14 +++++++++++++- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 8b2fd3f8bd..ae0d232526 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,10 @@ Changes between 1.1.1g and 1.1.1h [xx XXX xxxx] + *) Handshake now fails if Extended Master Secret extension is dropped + on renegotiation. + [Tomas Mraz] + *) The Oracle Developer Studio compiler will start reporting deprecated APIs Changes between 1.1.1f and 1.1.1g [21 Apr 2020] diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 8d01fcc487..407db0b5f0 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -292,6 +292,9 @@ extern "C" { # define TLS1_FLAGS_STATELESS 0x0800 +/* Set if extended master secret extension required on renegotiation */ +# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000 + # define SSL3_MT_HELLO_REQUEST 0 # define SSL3_MT_CLIENT_HELLO 1 # define SSL3_MT_SERVER_HELLO 2 diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 4ef8b417b8..c785ab785d 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int context) static int init_ems(SSL *s, unsigned int context) { - if (!s->server) + if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; + s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS; + } return 1; } static int final_ems(SSL *s, unsigned int context, int sent) { + /* + * Check extended master secret extension is not dropped on + * renegotiation. + */ + if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) + && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, + SSL_R_INCONSISTENT_EXTMS); + return 0; + } if (!s->server && s->hit) { /* * Check extended master secret extension is consistent with -- 2.25.1