move secure r inside of tls extensions

cyassl/internal.h

@@ -1882,8 +1882,8 @@ typedef struct DtlsMsg {
     typedef struct SecureR_State {
         byte client_verify_data[TLS_FINISHED_SZ]; /* previous handshake value */
         byte server_verify_data[TLS_FINISHED_SZ]; /* previous handshake value */
-        byte secure_renegotation;         /* is current connection using */
+        byte secure_renegotation;      /* extensions flag */
-        byte doing_secure_renegotation;   /* are we doing it now flag */
+        byte previous_handshake_used;  /* did previous handshake use secure r */
         byte enabled;                  /* runtime allowed? */
     } SecureR_State;
 
@@ -2000,7 +2000,10 @@ struct CYASSL {
     #ifdef HAVE_TRUNCATED_HMAC
         byte truncated_hmac;
     #endif
+    #ifdef HAVE_SECURE_RENEGOTIATION
+        SecureR_State secureR_state;    /* secure renegotiation state */
     #endif
+#endif /* HAVE_TLS_EXTENSIONS */
 #ifdef HAVE_NETX
     NetX_Ctx        nxCtx;             /* NetX IO Context */
 #endif
@@ -2024,9 +2027,6 @@ struct CYASSL {
         void* RsaDecCtx;      /* Rsa Private Decrypt   Callback Context */
     #endif /* NO_RSA */
 #endif /* HAVE_PK_CALLBACKS */
-#ifdef HAVE_SECURE_RENEGOTIATION
-    SecureR_State secureR_state;   /* secure renegotiation state */
-#endif
 };
 
 

src/internal.c

@@ -1772,11 +1772,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
     #endif /* NO_RSA */
 #endif /* HAVE_PK_CALLBACKS */
 
-#ifdef HAVE_SECURE_RENEGOTIATION
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS)
         ssl->secureR_state.secure_renegotation = 0;
         ssl->secureR_state.doing_secure_renegotation = 0;
         ssl->secureR_state.enabled = 0;
-#endif /* HAVE_SECURE_RENEGOTIATION */
+#endif /* HAVE_SECURE_RENEGOTIATION && HAVE_TLS_EXTENSIONS */
 
     /* all done with init, now can return errors, call other stuff */
 
@@ -4404,7 +4404,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 size,
         }
     }
 
-#ifdef HAVE_SECURE_RENEGOTIATION
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS)
     if (ssl->secureR_state.enabled) {
         /* save peer's state */
         if (ssl->options.side == CYASSL_CLIENT_END)
@@ -4414,7 +4414,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 size,
             XMEMCPY(ssl->secureR_state.client_verify_data, input + *inOutIdx,
                     TLS_FINISHED_SZ);
     }
-#endif /* HAVE_SECURE_RENEGOTIATION */
+#endif /* (HAVE_SECURE_RENEGOTIATION) && (HAVE_TLS_EXTENSIONS) */
 
     /* force input exhaustion at ProcessReply consuming padSz */
     *inOutIdx += size + ssl->keys.padSz;
@@ -6732,7 +6732,7 @@ int SendFinished(CYASSL* ssl)
                       ssl->options.side == CYASSL_CLIENT_END ? client : server);
     if (ret != 0) return ret;
 
-#ifdef HAVE_SECURE_RENEGOTIATION
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS)
     if (ssl->secureR_state.enabled) {
         if (ssl->options.side == CYASSL_CLIENT_END)
             XMEMCPY(ssl->secureR_state.client_verify_data, hashes,
@@ -6741,7 +6741,7 @@ int SendFinished(CYASSL* ssl)
             XMEMCPY(ssl->secureR_state.server_verify_data, hashes,
                     TLS_FINISHED_SZ);
     }
-#endif /* HAVE_SECURE_RENEGOTIATION */
+#endif /* HAVE_SECURE_RENEGOTIATION && HAVE_TLS_EXTENSIONS */
 
     sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz,
                           handshake);