Do not allow dropping Extended Master Secret extension on renegotiaton

Abort renegotiation if server receives client hello with Extended Master Secret extension dropped in comparison to the initial session. Fixes #9754 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12045)
author: Tomas Mraz <tmraz@fedoraproject.org> 2020-06-04 11:40:29 +0200
committer: Tomas Mraz <tmraz@fedoraproject.org> 2020-06-09 14:11:19 +0200
commit: 11d3235e2b5a1dc9f48c040b1f1b6bea86ffc745 (patch)
tree: 30a7c0f99180ec1712fc5d59e698646448389082 /ssl/statem
parent: 7646610b6a2c53ae50ed453c88291c23630e7850 (diff)
1 files changed, 14 insertions, 1 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 3c023486da..9086348618 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1169,13 +1169,26 @@ static int init_etm(SSL *s, unsigned int context)
 
 static int init_ems(SSL *s, unsigned int context)
 {
-    s->s3.flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+    if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) {
+        s->s3.flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+        s->s3.flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+    }
 
     return 1;
 }
 
 static int final_ems(SSL *s, unsigned int context, int sent)
 {
+    /*
+     * Check extended master secret extension is not dropped on
+     * renegotiation.
+     */
+    if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)
+        && (s->s3.flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+                 SSL_R_INCONSISTENT_EXTMS);
+        return 0;
+    }
     if (!s->server && s->hit) {
         /*
          * Check extended master secret extension is consistent with
author	Tomas Mraz <tmraz@fedoraproject.org>	2020-06-04 11:40:29 +0200
committer	Tomas Mraz <tmraz@fedoraproject.org>	2020-06-09 14:11:19 +0200
commit	11d3235e2b5a1dc9f48c040b1f1b6bea86ffc745 (patch)
tree	30a7c0f99180ec1712fc5d59e698646448389082 /ssl/statem
parent	7646610b6a2c53ae50ed453c88291c23630e7850 (diff)