Merge branch 'development' into dtls
* development:
Fix error code description.
generate_errors.pl now errors on duplicate codes
Avoid nested if's without braces.
Move renego SCSV after actual ciphersuites
Fix send_close_notify usage.
Rename variable for clarity
Improve script portability
Conflicts:
library/ssl_srv.c
programs/ssl/ssl_client2.c
programs/ssl/ssl_server2.c
tests/ssl-opt.sh
diff --git a/library/error.c b/library/error.c
index b3c2153..068c84d 100644
--- a/library/error.c
+++ b/library/error.c
@@ -386,7 +386,7 @@
if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) )
snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) )
- snprintf( buf, buflen, "SSL - DESCRIPTION MISSING" );
+ snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED) )
snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
if( use_ret == -(POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED) )
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 774cce4..c002cc5 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -635,16 +635,18 @@
*/
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-#endif
- if( ssl->session_negotiate->ticket != NULL &&
- ssl->session_negotiate->ticket_len != 0 )
{
- ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
+#endif
+ if( ssl->session_negotiate->ticket != NULL &&
+ ssl->session_negotiate->ticket_len != 0 )
+ {
+ ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
- if( ret != 0 )
- return( ret );
+ if( ret != 0 )
+ return( ret );
- ssl->session_negotiate->length = n = 32;
+ ssl->session_negotiate->length = n = 32;
+ }
}
#endif /* POLARSSL_SSL_SESSION_TICKETS */
@@ -691,18 +693,6 @@
q = p;
p += 2;
- /*
- * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- */
-#if defined(POLARSSL_SSL_RENEGOTIATION)
- if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-#endif
- {
- *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
- *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
- n++;
- }
-
for( i = 0; ciphersuites[i] != 0; i++ )
{
ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
@@ -732,6 +722,18 @@
*p++ = (unsigned char)( ciphersuites[i] );
}
+ /*
+ * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+ */
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+ if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+#endif
+ {
+ *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
+ *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
+ n++;
+ }
+
/* Some versions of OpenSSL don't handle it correctly if not at end */
#if defined(POLARSSL_SSL_FALLBACK_SCSV)
if( ssl->fallback == SSL_IS_FALLBACK )
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e6948ef..fc86809 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1294,10 +1294,12 @@
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
- if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
{
- SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
- return( ret );
+ if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
+ {
+ SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
+ return( ret );
+ }
}
buf = ssl->in_hdr;
@@ -1351,8 +1353,11 @@
/* For DTLS if this is the initial handshake, remember the client sequence
* number to use it in our next message (RFC 6347 4.2.1) */
#if defined(POLARSSL_SSL_PROTO_DTLS)
- if( ssl->transport == SSL_TRANSPORT_DATAGRAM &&
- ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+ if( ssl->transport == SSL_TRANSPORT_DATAGRAM
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+ && ssl->renegotiation == SSL_INITIAL_HANDSHAKE
+#endif
+ )
{
/* Epoch should be 0 for initial handshakes */
if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )