Merge branch 'session-hash' into dtls

* session-hash: Update Changelog for session-hash Make session-hash depend on TLS versions Forbid extended master secret with SSLv3 compat.sh: allow git version of gnutls compat.sh: make options a bit more robust Implement extended master secret Add negotiation of Extended Master Secret Conflicts: include/polarssl/check_config.h programs/ssl/ssl_server2.c
2025-07-29 11:41:15 +03:00 · 2014-11-06 01:25:09 +01:00
parent fedba98ede b3c6a97b31
commit 56d985d0a6
11 changed files with 366 additions and 14 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -544,10 +544,47 @@ int ssl_derive_keys( ssl_context *ssl )
        SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
                       handshake->pmslen );

+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+        if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_ENABLED )
+        {
+            unsigned char session_hash[48];
+            size_t hash_len;
+
+            SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
+
+            ssl->handshake->calc_verify( ssl, session_hash );
+
+#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
+            {
+#if defined(POLARSSL_SHA512_C)
+                if( ssl->transform_negotiate->ciphersuite_info->mac ==
+                    POLARSSL_MD_SHA384 )
+                {
+                    hash_len = 48;
+                }
+                else
+#endif
+                    hash_len = 32;
+            }
+            else
+#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
+                hash_len = 36;
+
+            SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
+
+            handshake->tls_prf( handshake->premaster, handshake->pmslen,
+                                "extended master secret",
+                                session_hash, hash_len, session->master, 48 );
+
+        }
+        else
+#endif
        handshake->tls_prf( handshake->premaster, handshake->pmslen,
                            "master secret",
                            handshake->randbytes, 64, session->master, 48 );

+
        polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
    }
    else
@ -4726,6 +4763,10 @@ int ssl_init( ssl_context *ssl )
    /* No error is possible, SSL_TRANSPORT_STREAM always valid */
    (void) ssl_set_transport( ssl, SSL_TRANSPORT_STREAM );

+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+    ssl->extended_ms = SSL_EXTENDED_MS_ENABLED;
+#endif
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
    ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
 #endif
@ -5418,6 +5459,13 @@ void ssl_set_fallback( ssl_context *ssl, char fallback )
 }
 #endif

+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
+void ssl_set_extended_master_secret( ssl_context *ssl, char ems )
+{
+    ssl->extended_ms = ems;
+}
+#endif
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
 {