From 61314f3971149ac6664994e3d7a9f3b7d8f3722a Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Thu, 10 Jun 2021 16:40:28 -0700
Subject: [PATCH] Added build error for insecure build combination of secure
 renegotiation enabled with extended master secret disabled when session
 resumption is enabled.

---
 wolfssl/wolfcrypt/settings.h | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index e1a92d0aa..3787cf36c 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2464,6 +2464,27 @@ extern void uITRON4_free(void *p) ;
     #undef WOLFSSL_DH_EXTRA
 #endif
 
+/* Check for insecure build combination:
+ * secure renegotiation   [enabled]
+ * extended master secret [disabled]
+ * session resumption     [enabled]
+ */
+#if defined(HAVE_SECURE_RENEGOTIATION) && !defined(HAVE_EXTENDED_MASTER) && \
+    (defined(HAVE_SESSION_TICKET) || !defined(NO_SESSION_CACHE))
+    /* secure renegotiation requires extended master secret with resumption */
+    #ifndef _MSC_VER
+        #warning Extended master secret must be enabled with secure renegotiation and session resumption
+    #else
+        #pragma message("Warning: Extended master secret must be enabled with secure renegotiation and session resumption")
+    #endif
+
+    /* Note: "--enable-renegotiation-indication" ("HAVE_RENEGOTIATION_INDICATION")
+     * only sends the secure renegotiation extension, but is not actually supported. 
+     * This was added because some TLS peers required it even if not used, so we call 
+     * this "(FAKE Secure Renegotiation)"
+     */
+#endif
+
 
 #ifdef __cplusplus
     }   /* extern "C" */