Merge branch 'development' into dtls

* development: Fix error code description. generate_errors.pl now errors on duplicate codes Avoid nested if's without braces. Move renego SCSV after actual ciphersuites Fix send_close_notify usage. Rename variable for clarity Improve script portability Conflicts: library/ssl_srv.c programs/ssl/ssl_client2.c programs/ssl/ssl_server2.c tests/ssl-opt.sh
2015-01-22 13:30:33 +00:00 · 2015-01-22 13:30:33 +00:00 · 3a173f497b
commit 3a173f497b
parent 23eb74d8b5 11c919208d
8 changed files with 50 additions and 36 deletions
--- a/library/error.c
+++ b/library/error.c
@ -386,7 +386,7 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
        if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) )
            snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
        if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) )
-            snprintf( buf, buflen, "SSL - DESCRIPTION MISSING" );
+            snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
        if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED) )
            snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
        if( use_ret == -(POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED) )
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -635,16 +635,18 @@ static int ssl_write_client_hello( ssl_context *ssl )
     */
 #if defined(POLARSSL_SSL_RENEGOTIATION)
    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-#endif
-    if( ssl->session_negotiate->ticket != NULL &&
-        ssl->session_negotiate->ticket_len != 0 )
    {
-        ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
+#endif
+        if( ssl->session_negotiate->ticket != NULL &&
+                ssl->session_negotiate->ticket_len != 0 )
+        {
+            ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );

-        if( ret != 0 )
-            return( ret );
+            if( ret != 0 )
+                return( ret );

-        ssl->session_negotiate->length = n = 32;
+            ssl->session_negotiate->length = n = 32;
+        }
    }
 #endif /* POLARSSL_SSL_SESSION_TICKETS */

@ -691,18 +693,6 @@ static int ssl_write_client_hello( ssl_context *ssl )
    q = p;
    p += 2;

-    /*
-     * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
-     */
-#if defined(POLARSSL_SSL_RENEGOTIATION)
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-#endif
-    {
-        *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
-        *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO      );
-        n++;
-    }
-
    for( i = 0; ciphersuites[i] != 0; i++ )
    {
        ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
@ -732,6 +722,18 @@ static int ssl_write_client_hello( ssl_context *ssl )
        *p++ = (unsigned char)( ciphersuites[i]      );
    }

+    /*
+     * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
+        *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO      );
+        n++;
+    }
+
    /* Some versions of OpenSSL don't handle it correctly if not at end */
 #if defined(POLARSSL_SSL_FALLBACK_SCSV)
    if( ssl->fallback == SSL_IS_FALLBACK )
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -1294,10 +1294,12 @@ read_record_header:
 #if defined(POLARSSL_SSL_RENEGOTIATION)
    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
 #endif
-    if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
    {
-        SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
-        return( ret );
+        if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
+        {
+            SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
+            return( ret );
+        }
    }

    buf = ssl->in_hdr;
@ -1351,8 +1353,11 @@ read_record_header:
    /* For DTLS if this is the initial handshake, remember the client sequence
     * number to use it in our next message (RFC 6347 4.2.1) */
 #if defined(POLARSSL_SSL_PROTO_DTLS)
-    if( ssl->transport == SSL_TRANSPORT_DATAGRAM &&
-        ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+    if( ssl->transport == SSL_TRANSPORT_DATAGRAM 
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+        && ssl->renegotiation == SSL_INITIAL_HANDSHAKE
+#endif
+        )
    {
        /* Epoch should be 0 for initial handshakes */
        if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )