Make renegotiation a compile-time option
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 27abb3e..f0ce377 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -114,6 +114,7 @@
 }
 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
 
+#if defined(POLARSSL_SSL_RENEGOTIATION)
 static void ssl_write_renegotiation_ext( ssl_context *ssl,
                                          unsigned char *buf,
                                          size_t *olen )
@@ -141,6 +142,7 @@
 
     *olen = 5 + ssl->verify_data_len;
 }
+#endif /* POLARSSL_SSL_RENEGOTIATION */
 
 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
 static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
@@ -464,7 +466,9 @@
         return( POLARSSL_ERR_SSL_NO_RNG );
     }
 
+#if defined(POLARSSL_SSL_RENEGOTIATION)
     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+#endif
     {
         ssl->major_ver = ssl->min_major_ver;
         ssl->minor_ver = ssl->min_minor_ver;
@@ -528,7 +532,10 @@
      */
     n = ssl->session_negotiate->length;
 
-    if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
+    if( n < 16 || n > 32 ||
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+        ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
+#endif
         ssl->handshake->resume == 0 )
     {
         n = 0;
@@ -539,8 +546,10 @@
      * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
      * generate and include a Session ID in the TLS ClientHello."
      */
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
-        ssl->session_negotiate->ticket != NULL &&
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+#endif
+    if( ssl->session_negotiate->ticket != NULL &&
         ssl->session_negotiate->ticket_len != 0 )
     {
         ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
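Review bot: The two stacked `if` statements at the ticket check depart from the form used in the session-id hunk just above, where the renegotiation test is a guarded line inside a single condition. Here the outer `if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )` has no braces and controls the inner `if`, so an `else` added later would bind to the inner one, and the reader has to work that out across the preprocessor lines. A single condition reads the same in both builds: open with `if(`, put `ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&` between `#if defined(POLARSSL_SSL_RENEGOTIATION)` and `#endif`, then continue with `ssl->session_negotiate->ticket != NULL &&`. The body of the block continues outside the hunk.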
@@ -570,7 +579,9 @@
     /*
      * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      */
+#if defined(POLARSSL_SSL_RENEGOTIATION)
     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+#endif
     {
         *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
         *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO      );
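Review bot: The comment above this block should say that the SCSV is still sent when POLARSSL_SSL_RENEGOTIATION is undefined, because the new `#if` removes the `if` and leaves the block unconditional. That matches RFC 5746, under which the client signals secure-renegotiation support in its ClientHello whether or not it will ever renegotiate, but a reader could take the bare brace block for a leftover and guard it too. Suggested wording: `/* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV (also sent when renegotiation is compiled out, see RFC 5746) */`. The block body continues past the end of the hunk.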
@@ -625,8 +636,10 @@
     ext_len += olen;
 #endif
 
+#if defined(POLARSSL_SSL_RENEGOTIATION)
     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
+#endif
 
 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
     ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
@@ -694,21 +707,8 @@
 {
     int ret;
 
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-    {
-        if( len != 1 || buf[0] != 0x0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
-
-            if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-                return( ret );
-
-            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-        }
-
-        ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
-    }
-    else
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+    if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
     {
         /* Check verify-data in constant-time. The length OTOH is no secret */
         if( len    != 1 + ssl->verify_data_len * 2 ||
@@ -718,7 +718,7 @@
             safer_memcmp( buf + 1 + ssl->verify_data_len,
                           ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
         {
-            SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
+            SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
 
             if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
                 return( ret );
@@ -726,6 +726,21 @@
             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
         }
     }
+    else
+#endif /* POLARSSL_SSL_RENEGOTIATION */
+    {
+        if( len != 1 || buf[0] != 0x00 )
+        {
+            SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
+
+            if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
+                return( ret );
+
+            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
+    }
 
     return( 0 );
 }
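Review bot: The `else` that sits inside the `#if` and owns the block after `#endif /* POLARSSL_SSL_RENEGOTIATION */` needs a comment. In a build without the option, that block is the function's only check on the server's renegotiation_info. I would add above the opening brace `/* Initial handshake, or renegotiation compiled out: the extension must be a single zero length byte */`. The condition tests `len != 1` before `buf[0]`, so an empty extension is rejected without reading the buffer, and the comment could note that this order is deliberate. The matching `if` opens in the earlier hunk at -694, outside this one.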
@@ -902,6 +917,7 @@
 
     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
     {
+#if defined(POLARSSL_SSL_RENEGOTIATION)
         if( ssl->renegotiation == SSL_RENEGOTIATION )
         {
             ssl->renego_records_seen++;
@@ -917,6 +933,7 @@
             SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
             return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
         }
+#endif /* POLARSSL_SSL_RENEGOTIATION */
 
         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
@@ -1025,8 +1042,10 @@
     /*
      * Check if the session can be resumed
      */
-    if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
-        ssl->handshake->resume == 0 || n == 0 ||
+    if( ssl->handshake->resume == 0 || n == 0 ||
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+        ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
+#endif
         ssl->session_negotiate->ciphersuite != i ||
         ssl->session_negotiate->compression != comp ||
         ssl->session_negotiate->length != n ||
@@ -1201,6 +1220,7 @@
         SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
         handshake_failure = 1;
     }
+#if defined(POLARSSL_SSL_RENEGOTIATION)
     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
              ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
              renegotiation_info_seen == 0 )
@@ -1222,6 +1242,7 @@
         SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
         handshake_failure = 1;
     }
+#endif /* POLARSSL_SSL_RENEGOTIATION */
 
     if( handshake_failure == 1 )
     {