Diffstat (limited to 'src/tls')
-rw-r--r-- | src/tls/tls_channel.cpp | 27 | ||||
-rw-r--r-- | src/tls/tls_channel.h | 22 | ||||
-rw-r--r-- | src/tls/tls_server.cpp | 5 |
3 files changed, 28 insertions, 26 deletions
diff --git a/src/tls/tls_channel.cpp b/src/tls/tls_channel.cpp
index dadf26e90..b86066574 100644
--- a/src/tls/tls_channel.cpp
+++ b/src/tls/tls_channel.cpp
@@ -246,13 +246,13 @@ void Channel::send_alert(const Alert& alert)
 void Channel::Secure_Renegotiation_State::update(Client_Hello* client_hello)
 {
- if(initial_handshake)
+ if(initial_handshake())
 {
- secure_renegotiation = client_hello->secure_renegotiation();
+ m_secure_renegotiation = client_hello->secure_renegotiation();
 }
 else
 {
- if(secure_renegotiation != client_hello->secure_renegotiation())
+ if(supported() != client_hello->secure_renegotiation())
 throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
 "Client changed its mind about secure renegotiation");
 }
@@ -261,7 +261,7 @@ void Channel::Secure_Renegotiation_State::update(Client_Hello* client_hello)
 {
 const std::vector<byte>& data = client_hello->renegotiation_info();
- if(initial_handshake)
+ if(initial_handshake())
 {
 if(!data.empty())
 throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
@@ -278,25 +278,26 @@ void Channel::Secure_Renegotiation_State::update(Server_Hello* server_hello)
 {
- if(initial_handshake)
+ if(initial_handshake())
 {
 /* If the client offered but server rejected, then this toggles
 * secure_renegotiation to off */
- secure_renegotiation = server_hello->secure_renegotiation();
+ if(m_secure_renegotiation)
+ m_secure_renegotiation = server_hello->secure_renegotiation();
 }
 else
 {
- if(secure_renegotiation != server_hello->secure_renegotiation())
+ if(supported() != server_hello->secure_renegotiation())
 throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
 "Server changed its mind about secure renegotiation");
 }
- if(secure_renegotiation)
+ if(supported())
 {
 const std::vector<byte>& data = server_hello->renegotiation_info();
- if(initial_handshake)
+ if(initial_handshake())
 {
 if(!data.empty())
 throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
@@ -310,14 +311,14 @@ void Channel::Secure_Renegotiation_State::update(Server_Hello* server_hello)
 }
 }
- initial_handshake = false;
+ m_initial_handshake = false;
 }
 void Channel::Secure_Renegotiation_State::update(Finished* client_finished,
- Finished* server_finished)
+ Finished* server_finished)
 {
- client_verify = client_finished->verify_data();
- server_verify = server_finished->verify_data();
+ m_client_verify = client_finished->verify_data();
+ m_server_verify = server_finished->verify_data();
 }
 }
diff --git a/src/tls/tls_channel.h b/src/tls/tls_channel.h
index fc0595064..110509d1c 100644
--- a/src/tls/tls_channel.h
+++ b/src/tls/tls_channel.h
@@ -112,8 +112,8 @@ class BOTAN_DLL Channel
 class Secure_Renegotiation_State
 {
 public:
- Secure_Renegotiation_State() : initial_handshake(true),
- secure_renegotiation(false)
+ Secure_Renegotiation_State() : m_initial_handshake(true),
+ m_secure_renegotiation(false)
 {}
 void update(class Client_Hello* client_hello);
@@ -123,21 +123,23 @@ class BOTAN_DLL Channel
 class Finished* server_finished);
 const std::vector<byte>& for_client_hello() const
- { return client_verify; }
+ { return m_client_verify; }
 std::vector<byte> for_server_hello() const
 {
- std::vector<byte> buf = client_verify;
- buf += server_verify;
+ std::vector<byte> buf = m_client_verify;
+ buf += m_server_verify;
 return buf;
 }
- bool supported() const { return secure_renegotiation; }
- bool renegotiation() const { return !initial_handshake; }
+ bool supported() const
+ { return m_secure_renegotiation; }
+
+ bool initial_handshake() const { return m_initial_handshake; }
 private:
- bool initial_handshake;
- bool secure_renegotiation;
- std::vector<byte> client_verify, server_verify;
+ bool m_initial_handshake;
+ bool m_secure_renegotiation;
+ std::vector<byte> m_client_verify, m_server_verify;
 };
 Secure_Renegotiation_State secure_renegotiation;
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index 8cdd31074..f8d5894fb 100644
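Review bot: The renamed accessors in the `@@ -123,21 +123,23 @@` hunk of tls_channel.h go in with no documentation, and `initial_handshake()` has the opposite sense of the `renegotiation()` it replaces, so anyone reading a caller written against the old API will misread the new one. A one-line comment on each would settle it: above `supported()`, `// Result of the initial hello exchange: true only if the peer's hello carried renegotiation_info and it was not rejected`; above `initial_handshake()`, `// True until update(Server_Hello*) has run once, i.e. only during the first handshake`; and above `for_server_hello()`, `// client verify_data followed by server verify_data (the server-side renegotiation_info payload)`. The first two claims follow from the assignments in tls_channel.cpp above (`m_secure_renegotiation` set from the hellos, `m_initial_handshake = false` at the end of the Server_Hello update), but it is worth confirming that every server path that sends a hello also calls that update, since the server-side policy check in tls_server.cpp keys off the same flag. The class declaration begins before this hunk.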
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -287,9 +287,8 @@ void Server::process_handshake_msg(Handshake_Type type,
 else
 state->set_version(policy.pref_version());
- if(secure_renegotiation.renegotiation() &&
- !secure_renegotiation.supported() &&
- policy.require_secure_renegotiation())
+ if(policy.require_secure_renegotiation() &&
+ !(secure_renegotiation.initial_handshake() || secure_renegotiation.supported()))
 {
 delete state;
 state = nullptr; |
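Review bot: The rewritten condition is equivalent to the one it replaces (De Morgan on `renegotiation() && !supported()`), but neither form states what it enforces, and the new one silently depends on `initial_handshake()` having been cleared by `Secure_Renegotiation_State::update(Server_Hello*)` during the first handshake, which is the only place the flag is reset. A comment above the `if` would make both the intent and that ordering explicit, e.g. `// require_secure_renegotiation: refuse a renegotiation from a peer that did not negotiate RFC 5746 in its initial handshake (RFC 5746 4.4 recommends refusing legacy renegotiation); the first handshake of a legacy client is still accepted`. That last clause matters because the policy name suggests a stricter rule than the code applies, so it belongs in the policy's own documentation as well as here. The enclosing `process_handshake_msg` starts and ends outside the hunk, so which alert the rejection path emits is not visible in this view.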