diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2015-12-04 19:48:15 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-12-08 16:32:39 +0000 |
commit | e7f0d9210c4a421e6306cd9a0c486c3e96be4d25 (patch) | |
tree | 4d25ae6bed3a5c5255c688e3459542eef1b7612e /ssl/ssl_sess.c | |
parent | 686cf15e9dfd3263ec05019f4b2b52253cdcf38e (diff) |
Extended master secret fixes and checks.
Add new flag TLS1_FLAGS_RECEIVED_EXTMS which is set when the peer sends
the extended master secret extension.
Server now sends extms if and only if the client sent extms.
Check consistency of extms extension when resuming sessions following (where
practical) RFC7627.
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'ssl/ssl_sess.c')
-rw-r--r-- | ssl/ssl_sess.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 5265b15983..aff615e0e6 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -497,6 +497,10 @@ int ssl_get_new_session(SSL *s, int session) ss->ssl_version = s->version; ss->verify_result = X509_V_OK; + /* If client supports extended master secret set it in session */ + if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) + ss->flags |= SSL_SESS_FLAG_EXTMS; + return (1); } @@ -533,8 +537,8 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) if (len == 0) try_session_cache = 0; - /* sets s->tlsext_ticket_expected */ - r = tls1_process_ticket(s, ext, session_id, &ret); + /* sets s->tlsext_ticket_expected and extended master secret flag */ + r = tls_check_serverhello_tlsext_early(s, ext, session_id, &ret); switch (r) { case -1: /* Error during processing */ fatal = 1; @@ -670,6 +674,20 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) goto err; } + /* Check extended master secret extension consistency */ + if (ret->flags & SSL_SESS_FLAG_EXTMS) { + /* If old session includes extms, but new does not: abort handshake */ + if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) { + SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSL_R_INCONSISTENT_EXTMS); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + fatal = 1; + goto err; + } + } else if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { + /* If new session includes extms, but old does not: do not resume */ + goto err; + } + s->session_ctx->stats.sess_hit++; SSL_SESSION_free(s->session); |