From c6dab2b029901c6e898eb6044df181faf076c1eb Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Mon, 23 May 2016 14:27:02 +0100
Subject: [PATCH] Fix non compliance SSLv3 in server extension handling.

The server code parses the client hello extensions even when the
protocol is SSLv3 and this behaviour is non compliant with rfc6101.
Also the server sends extensions in the server hello and omitting
them may prevent interoperability problems.
---
 ChangeLog         |  2 ++
 library/ssl_srv.c | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 3b32873b2..d9fce9234 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -34,6 +34,8 @@ Changes
    * Disabled SSLv3 in the default configuration.
    * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
      Skalozub).
+   * Fix non-compliance server extension handling. Extensions for SSLv3 are now
+     ignored, as required by RFC6101.
 
 = mbed TLS 2.2.1 released 2016-01-05
 
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 9fc21a5ef..5a51cbbd2 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1507,6 +1507,12 @@ read_record_header:
         ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
 #endif
 
+    /* Do not parse the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    {
+#endif
+
     /*
      * Check the extension length
      */
@@ -1692,8 +1698,13 @@ read_record_header:
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
         }
+
     }
 
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
     for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
     {
@@ -2363,6 +2374,12 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
                    ssl->session_negotiate->compression ) );
 
+    /* Do not write the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    {
+#endif
+
     /*
      *  First write extensions, then the total length
      */
@@ -2419,6 +2436,10 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
         p += ext_len;
     }
 
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
     ssl->out_msglen  = p - buf;
     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;