Merge branch 'session-hash' into dtls

* session-hash: Update Changelog for session-hash Make session-hash depend on TLS versions Forbid extended master secret with SSLv3 compat.sh: allow git version of gnutls compat.sh: make options a bit more robust Implement extended master secret Add negotiation of Extended Master Secret Conflicts: include/polarssl/check_config.h programs/ssl/ssl_server2.c
2026-01-08 15:39:22 +01:00 · 2014-11-06 01:25:09 +01:00 · 2014-11-06 01:25:09 +01:00 · 56d985d0a6
commit 56d985d0a6
parent fedba98ede b3c6a97b31
11 changed files with 366 additions and 14 deletions
--- a/tests/compat.sh
+++ b/tests/compat.sh
@ -26,14 +26,19 @@ SRVMEM=0

 # do we have a recent enough GnuTLS?
 if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null; then
-    eval $( $GNUTLS_CLI --version | head -n1 | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' )
-    if [ $MAJOR -lt 3 -o \
-        \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
-        \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
-    then
-        PEER_GNUTLS=""
-    else
+    G_VER="$( $GNUTLS_CLI --version | head -n1 )"
+    if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version
        PEER_GNUTLS=" GnuTLS"
+    else
+        eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' )
+        if [ $MAJOR -lt 3 -o \
+            \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
+            \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
+        then
+            PEER_GNUTLS=""
+        else
+            PEER_GNUTLS=" GnuTLS"
+        fi
    fi
 else
    PEER_GNUTLS=""
@ -102,6 +107,10 @@ get_options() {
        esac
        shift
    done
+
+    # sanitize some options (modes checked later)
+    VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )"
+    TYPES="$( echo $TYPES | tr [a-z] [A-Z] )"
 }

 log() {
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -567,6 +567,63 @@ run_test    "Truncated HMAC: actual test" \
            0 \
            -s "dumping 'computed mac' (10 bytes)"

+# Tests for Extended Master Secret extension
+
+run_test    "Extended Master Secret: default" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -c "client hello, adding extended_master_secret extension" \
+            -s "found extended master secret extension" \
+            -s "server hello, adding extended master secret extension" \
+            -c "found extended_master_secret extension" \
+            -c "using extended master secret" \
+            -s "using extended master secret"
+
+run_test    "Extended Master Secret: client enabled, server disabled" \
+            "$P_SRV debug_level=3 extended_ms=0" \
+            "$P_CLI debug_level=3 extended_ms=1" \
+            0 \
+            -c "client hello, adding extended_master_secret extension" \
+            -s "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
+run_test    "Extended Master Secret: client disabled, server enabled" \
+            "$P_SRV debug_level=3 extended_ms=1" \
+            "$P_CLI debug_level=3 extended_ms=0" \
+            0 \
+            -C "client hello, adding extended_master_secret extension" \
+            -S "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
+run_test    "Extended Master Secret: client SSLv3, server enabled" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3 force_version=ssl3" \
+            0 \
+            -C "client hello, adding extended_master_secret extension" \
+            -S "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
+run_test    "Extended Master Secret: client enabled, server SSLv3" \
+            "$P_SRV debug_level=3 force_version=ssl3" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -c "client hello, adding extended_master_secret extension" \
+            -s "found extended master secret extension" \
+            -S "server hello, adding extended master secret extension" \
+            -C "found extended_master_secret extension" \
+            -C "using extended master secret" \
+            -S "using extended master secret"
+
 # Tests for FALLBACK_SCSV

 run_test    "Fallback SCSV: default" \