[openssl]  OpenSSL_1_1_1-stable update
    tmraz at fedoraproject.org 
    tmraz at fedoraproject.org
       
    Thu Jun 11 07:08:07 UTC 2020
    
    
  
The branch OpenSSL_1_1_1-stable has been updated
       via  4b7097025305b219694dd8b04f84155cd12fb71d (commit)
      from  5bd03afcbe6e6fd7dba2d85d5c67a5a0140b4a7d (commit)
- Log -----------------------------------------------------------------
commit 4b7097025305b219694dd8b04f84155cd12fb71d
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Jun 4 11:40:29 2020 +0200
    Do not allow dropping Extended Master Secret extension on renegotiation
    
    Abort renegotiation if server receives client hello with Extended Master
    Secret extension dropped in comparison to the initial session.
    
    Fixes #9754
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12099)
-----------------------------------------------------------------------
Summary of changes:
 CHANGES                 |  4 ++++
 include/openssl/ssl3.h  |  3 +++
 ssl/statem/extensions.c | 14 +++++++++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 8b2fd3f8bd..ae0d232526 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.1g and 1.1.1h [xx XXX xxxx]
 
+  *) Handshake now fails if Extended Master Secret extension is dropped
+     on renegotiation.
+     [Tomas Mraz]
+
   *) The Oracle Developer Studio compiler will start reporting deprecated APIs
 
  Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 8d01fcc487..407db0b5f0 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -292,6 +292,9 @@ extern "C" {
 
 # define TLS1_FLAGS_STATELESS                    0x0800
 
+/* Set if extended master secret extension required on renegotiation */
+# define TLS1_FLAGS_REQUIRED_EXTMS               0x1000
+
 # define SSL3_MT_HELLO_REQUEST                   0
 # define SSL3_MT_CLIENT_HELLO                    1
 # define SSL3_MT_SERVER_HELLO                    2
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 4ef8b417b8..c785ab785d 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int context)
 
 static int init_ems(SSL *s, unsigned int context)
 {
-    if (!s->server)
+    if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
         s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+        s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+    }
 
     return 1;
 }
 
 static int final_ems(SSL *s, unsigned int context, int sent)
 {
+    /*
+     * Check extended master secret extension is not dropped on
+     * renegotiation.
+     */
+    if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+        && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+                 SSL_R_INCONSISTENT_EXTMS);
+        return 0;
+    }
     if (!s->server && s->hit) {
         /*
          * Check extended master secret extension is consistent with
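Review bot: The rewritten body of init_ems carries no comment, and it is the least obvious part of this hunk: with the `!s->server` guard gone it now runs for both client and server, and it converts a TLS1_FLAGS_RECEIVED_EXTMS bit (presumably left set by the previous handshake on the connection) into TLS1_FLAGS_REQUIRED_EXTMS. I would add `/* EMS was negotiated earlier on this connection: require it again, see final_ems() */` above the `if`. Nothing in this diff clears TLS1_FLAGS_REQUIRED_EXTMS, so it is worth confirming that it is reset together with the rest of `s->s3->flags` when the SSL object is cleared for reuse. The diffstat lists no test file; a renegotiation case in which the extension is omitted the second time would pin the new fatal path in final_ems, whose body continues past the end of the hunk.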
    
    