Secure renegotiation extension should only be sent in case client supports secure renegotiation
(cherry picked from commit 7c3c3899cf528f00b346f465e69d5a59f9e8410e)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 708663c..5625644 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -983,31 +983,34 @@
SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
ssl->session_negotiate->compression ) );
- SSL_DEBUG_MSG( 3, ( "server hello, prepping for secure renegotiation extension" ) );
- ext_len += 5 + ssl->verify_data_len * 2;
+ if( ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION )
+ {
+ SSL_DEBUG_MSG( 3, ( "server hello, prepping for secure renegotiation extension" ) );
+ ext_len += 5 + ssl->verify_data_len * 2;
- SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d",
- ext_len ) );
+ SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d",
+ ext_len ) );
- *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
- *p++ = (unsigned char)( ( ext_len ) & 0xFF );
+ *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( ext_len ) & 0xFF );
- /*
- * Secure renegotiation
- */
- SSL_DEBUG_MSG( 3, ( "client hello, secure renegotiation extension" ) );
+ /*
+ * Secure renegotiation
+ */
+ SSL_DEBUG_MSG( 3, ( "client hello, secure renegotiation extension" ) );
- *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
- *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
- *p++ = 0x00;
- *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
- *p++ = ssl->verify_data_len * 2 & 0xFF;
+ *p++ = 0x00;
+ *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
+ *p++ = ssl->verify_data_len * 2 & 0xFF;
- memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
- p += ssl->verify_data_len;
- memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
- p += ssl->verify_data_len;
+ memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
+ p += ssl->verify_data_len;
+ memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
+ p += ssl->verify_data_len;
+ }
ssl->out_msglen = p - buf;
ssl->out_msgtype = SSL_MSG_HANDSHAKE;