From 7d3186d18ad9e1ad9755514ded08dd79670db7e3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 Aug 2022 22:43:18 +0200 Subject: [PATCH] Disable MBEDTLS_SSL_RENEGOTIATION in tls13-only configuration There's no renegotiation in TLS 1.3, so this option should have no effect. Insist on having it disabled, to avoid the risk of accidentally having different behavior in TLS 1.3 if the option is enabled (as happened in https://github.com/Mbed-TLS/mbedtls/issues/6200). Signed-off-by: Gilles Peskine --- include/mbedtls/check_config.h | 5 +++++ tests/configs/tls13-only.h | 1 + 2 files changed, 6 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index ac374d2a4..2d2fae581 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -936,6 +936,11 @@ #error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_RENEGOTIATION) && \ + !defined(MBEDTLS_SSL_PROTO_TLS1_2) +#error "MBEDTLS_SSL_RENEGOTIATION defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_SSL_TICKET_C) && ( !defined(MBEDTLS_CIPHER_C) && \ !defined(MBEDTLS_USE_PSA_CRYPTO) ) #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h index 963086f31..1f212e7d8 100644 --- a/tests/configs/tls13-only.h +++ b/tests/configs/tls13-only.h @@ -29,6 +29,7 @@ /* Disable TLS 1.2 and 1.2-specific features */ #undef MBEDTLS_SSL_ENCRYPT_THEN_MAC #undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET +#undef MBEDTLS_SSL_RENEGOTIATION #undef MBEDTLS_SSL_PROTO_TLS1_2 #undef MBEDTLS_SSL_PROTO_DTLS #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY