X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fssl%2Fssl_hs_server.t0;h=817642901a957ba335c1f9099ba33b092f33d016;hp=c155e793cbcbd8097fa104066b76db4b78d5b0d2;hb=e8ccee8bcdae80cdf74c6d7327f1c7572589fae3;hpb=7561e7d6c86171257a4153d95202b0791b3612a8

diff --git a/src/ssl/ssl_hs_server.t0 b/src/ssl/ssl_hs_server.t0
index c155e79..8176429 100644
--- a/src/ssl/ssl_hs_server.t0
+++ b/src/ssl/ssl_hs_server.t0
@@ -268,7 +268,6 @@ do_ecdhe_part2(br_ssl_server_context *ctx, int prf_id,
 	0 8191 "offsetof(br_ssl_server_context, " field + ")" + make-CX
 	postpone literal postpone ; ;
 
-addr-ctx: flags
 addr-ctx: client_max_version
 addr-ctx: client_suites
 addr-ctx: client_suites_num
@@ -282,10 +281,6 @@ addr-ctx: sign_hash_id
 	addr-client_suites
 	CX 0 1023 { BR_MAX_CIPHER_SUITES * sizeof(br_suite_translated) } ;
 
-\ Check a server flag by index.
-: flag? ( index -- bool )
-	addr-flags get32 swap >> 1 and neg ;
-
 \ Read the client SNI extension.
 : read-client-sni ( lim -- lim )
 	\ Open extension value.
@@ -690,6 +685,7 @@ cc: save-session ( -- ) {
 
 	\ We are not resuming, so a new session ID should be generated.
 	addr-session_id 32 mkrand
+	32 addr-session_id_len set8
 
 	\ Translate common cipher suites, then squeeze out holes: there
 	\ may be holes because of the way we fill the list when the
@@ -1011,18 +1007,17 @@ cc: do-ecdhe-part2 ( len prf_id -- ) {
 			endof
 			0x01 of
 				\ Reject renegotiations if the peer does not
-				\ support secure renegotiation. As allowed
-				\ by RFC 5246, we do not send a
-				\ no_renegotiation alert and just ignore the
-				\ HelloRequest.
+				\ support secure renegotiation, or if the
+				\ "no renegotiation" flag is set.
 				drop
-				addr-reneg get8 1 <> if
-					0 do-handshake
-				else
+				addr-reneg get8 1 = 1 flag? or if
 					flush-record
 					begin can-output? not while
 						wait-co drop
 					repeat
+					100 send-warning
+				else
+					0 do-handshake
 				then
 			endof
 			ERR_UNEXPECTED fail