move secure r inside of tls extensions

cyassl/internal.h

@@ -1882,9 +1882,9 @@ typedef struct DtlsMsg {
     typedef struct SecureR_State {
         byte client_verify_data[TLS_FINISHED_SZ]; /* previous handshake value */
         byte server_verify_data[TLS_FINISHED_SZ]; /* previous handshake value */
-        byte secure_renegotation;         /* is current connection using */
-        byte doing_secure_renegotation;   /* are we doing it now flag */
-        byte enabled;                     /* runtime allowed? */
+        byte secure_renegotation;      /* extensions flag */
+        byte previous_handshake_used;  /* did previous handshake use secure r */
+        byte enabled;                  /* runtime allowed? */
     } SecureR_State;
 
 #endif
@@ -1994,13 +1994,16 @@ struct CYASSL {
 #endif
 #ifdef HAVE_TLS_EXTENSIONS
     TLSX* extensions;                  /* RFC 6066 TLS Extensions data */
-#ifdef HAVE_MAX_FRAGMENT
-    word16 max_fragment;
-#endif
-#ifdef HAVE_TRUNCATED_HMAC
-    byte truncated_hmac;
-#endif
-#endif
+    #ifdef HAVE_MAX_FRAGMENT
+        word16 max_fragment;
+    #endif
+    #ifdef HAVE_TRUNCATED_HMAC
+        byte truncated_hmac;
+    #endif
+    #ifdef HAVE_SECURE_RENEGOTIATION
+        SecureR_State secureR_state;    /* secure renegotiation state */
+    #endif
+#endif /* HAVE_TLS_EXTENSIONS */
 #ifdef HAVE_NETX
     NetX_Ctx        nxCtx;             /* NetX IO Context */
 #endif
@@ -2024,9 +2027,6 @@ struct CYASSL {
         void* RsaDecCtx;      /* Rsa Private Decrypt   Callback Context */
     #endif /* NO_RSA */
 #endif /* HAVE_PK_CALLBACKS */
-#ifdef HAVE_SECURE_RENEGOTIATION
-    SecureR_State secureR_state;   /* secure renegotiation state */
-#endif
 };
 
 

src/internal.c

@@ -1772,11 +1772,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
     #endif /* NO_RSA */
 #endif /* HAVE_PK_CALLBACKS */
 
-#ifdef HAVE_SECURE_RENEGOTIATION
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS)
         ssl->secureR_state.secure_renegotation = 0;
         ssl->secureR_state.doing_secure_renegotation = 0;
         ssl->secureR_state.enabled = 0;
-#endif /* HAVE_SECURE_RENEGOTIATION */
+#endif /* HAVE_SECURE_RENEGOTIATION && HAVE_TLS_EXTENSIONS */
 
     /* all done with init, now can return errors, call other stuff */
 
@@ -4404,7 +4404,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 size,
         }
     }
 
-#ifdef HAVE_SECURE_RENEGOTIATION
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS)
     if (ssl->secureR_state.enabled) {
         /* save peer's state */
         if (ssl->options.side == CYASSL_CLIENT_END)
@@ -4414,7 +4414,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 size,
             XMEMCPY(ssl->secureR_state.client_verify_data, input + *inOutIdx,
                     TLS_FINISHED_SZ);
     }
-#endif /* HAVE_SECURE_RENEGOTIATION */
+#endif /* (HAVE_SECURE_RENEGOTIATION) && (HAVE_TLS_EXTENSIONS) */
 
     /* force input exhaustion at ProcessReply consuming padSz */
     *inOutIdx += size + ssl->keys.padSz;
@@ -6732,7 +6732,7 @@ int SendFinished(CYASSL* ssl)
                       ssl->options.side == CYASSL_CLIENT_END ? client : server);
     if (ret != 0) return ret;
 
-#ifdef HAVE_SECURE_RENEGOTIATION
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS)
     if (ssl->secureR_state.enabled) {
         if (ssl->options.side == CYASSL_CLIENT_END)
             XMEMCPY(ssl->secureR_state.client_verify_data, hashes,
@@ -6741,7 +6741,7 @@ int SendFinished(CYASSL* ssl)
             XMEMCPY(ssl->secureR_state.server_verify_data, hashes,
                     TLS_FINISHED_SZ);
     }
-#endif /* HAVE_SECURE_RENEGOTIATION */
+#endif /* HAVE_SECURE_RENEGOTIATION && HAVE_TLS_EXTENSIONS */
 
     sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz,
                           handshake);