(D)TLS: Only offer reneg info with pre-1.3

Author: peterdettman

tls/src/main/java/org/bouncycastle/tls/DTLSClientProtocol.java

@@ -534,19 +534,27 @@ protected byte[] generateClientHello(ClientHandshakeState state)
             state.clientExtensions.remove(TlsExtensionsUtils.EXT_extended_master_secret);
         }
 
-        // Cipher Suites (and SCSV)
+        // NOT renegotiating
+        if (offeringDTLSv12Minus)
         {
             /*
-             * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
-             * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
-             * ClientHello. Including both is NOT RECOMMENDED.
+             * RFC 5746 3.4. Client Behavior: Initial Handshake (both full and session-resumption)
+             */
+
+            /*
+             * The client MUST include either an empty "renegotiation_info" extension, or the
+             * TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the ClientHello.
+             * Including both is NOT RECOMMENDED.
              */
-            boolean noRenegExt = (null == TlsUtils.getExtensionData(state.clientExtensions, TlsProtocol.EXT_RenegotiationInfo));
-            boolean noRenegSCSV = !Arrays.contains(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+            boolean noRenegExt = (null == TlsUtils.getExtensionData(state.clientExtensions,
+                TlsProtocol.EXT_RenegotiationInfo));
+            boolean noRenegSCSV = !Arrays.contains(state.offeredCipherSuites,
+                CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
 
             if (noRenegExt && noRenegSCSV)
             {
-                state.offeredCipherSuites = Arrays.append(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+                state.offeredCipherSuites = Arrays.append(state.offeredCipherSuites,
+                    CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
             }
         }
 

tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java

@@ -1902,8 +1902,6 @@ protected void sendClientHello()
             this.clientExtensions.remove(TlsExtensionsUtils.EXT_extended_master_secret);
         }
 
-        boolean hasRenegSCSV = Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
-
         if (securityParameters.isRenegotiating())
         {
             /*
@@ -1920,7 +1918,7 @@ protected void sendClientHello()
              * The client MUST include the "renegotiation_info" extension in the ClientHello,
              * containing the saved client_verify_data. The SCSV MUST NOT be included.
              */
-            if (hasRenegSCSV)
+            if (Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
             {
                 throw new TlsFatalAlert(AlertDescription.internal_error,
                     "Renegotiation cannot use TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
@@ -1930,7 +1928,7 @@ protected void sendClientHello()
 
             this.clientExtensions.put(EXT_RenegotiationInfo, createRenegotiationInfo(saved.getLocalVerifyData()));
         }
-        else
+        else if (offeringTLSv12Minus)
         {
             /*
              * RFC 5746 3.4. Client Behavior: Initial Handshake (both full and session-resumption)
@@ -1942,11 +1940,10 @@ protected void sendClientHello()
              * Including both is NOT RECOMMENDED.
              */
             boolean noRenegExt = (null == TlsUtils.getExtensionData(clientExtensions, EXT_RenegotiationInfo));
-            boolean noRenegSCSV = !hasRenegSCSV;
+            boolean noRenegSCSV = !Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
 
             if (noRenegExt && noRenegSCSV)
             {
-                // TODO[tls13] Probably want to not add this if no pre-TLSv13 versions offered?
                 offeredCipherSuites = Arrays.append(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
             }
         }