Secure renegotiation extension should only be sent in case client supports secure renegotiation

(cherry picked from commit 7c3c3899cf)
2024-11-24 19:48:20 +00:00 · 2013-06-24 12:05:39 +02:00 · 2013-06-24 12:05:39 +02:00 · 2013950545
commit 2013950545
parent de65623f3e
1 changed files with 22 additions and 19 deletions
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -983,31 +983,34 @@ static int ssl_write_server_hello( ssl_context *ssl )
    SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
                   ssl->session_negotiate->compression ) );

-    SSL_DEBUG_MSG( 3, ( "server hello, prepping for secure renegotiation extension" ) );
-    ext_len += 5 + ssl->verify_data_len * 2;
+    if( ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION )
+    {
+        SSL_DEBUG_MSG( 3, ( "server hello, prepping for secure renegotiation extension" ) );
+        ext_len += 5 + ssl->verify_data_len * 2;

-    SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d",
-                   ext_len ) );
+        SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d",
+                       ext_len ) );

-    *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
-    *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
+        *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+        *p++ = (unsigned char)( ( ext_len      ) & 0xFF );

-    /*
-     * Secure renegotiation
-     */
-    SSL_DEBUG_MSG( 3, ( "client hello, secure renegotiation extension" ) );
+        /*
+         * Secure renegotiation
+         */
+        SSL_DEBUG_MSG( 3, ( "client hello, secure renegotiation extension" ) );

-    *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
-    *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
+        *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
+        *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );

-    *p++ = 0x00;
-    *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
-    *p++ = ssl->verify_data_len * 2 & 0xFF;
+        *p++ = 0x00;
+        *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
+        *p++ = ssl->verify_data_len * 2 & 0xFF;

-    memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
-    p += ssl->verify_data_len;
-    memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
-    p += ssl->verify_data_len;
+        memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
+        p += ssl->verify_data_len;
+        memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
+        p += ssl->verify_data_len;
+    }

    ssl->out_msglen  = p - buf;
    ssl->out_msgtype = SSL_MSG_HANDSHAKE;