summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2017-01-23 14:35:42 +0000
committerjsing <>2017-01-23 14:35:42 +0000
commitfa9356a54359643aa5b7a6217b6f158080b19d7d (patch)
tree27eab6f3272b4b46f77e786896eae8e697800969
parent4ae6fa4e9b3c20e6347b1b4ad62b1051ed5d7630 (diff)
downloadopenbsd-fa9356a54359643aa5b7a6217b6f158080b19d7d.tar.gz
openbsd-fa9356a54359643aa5b7a6217b6f158080b19d7d.tar.bz2
openbsd-fa9356a54359643aa5b7a6217b6f158080b19d7d.zip
Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/d1_pkt.c8
-rw-r--r--src/lib/libssl/s23_clnt.c8
-rw-r--r--src/lib/libssl/s23_srvr.c6
-rw-r--r--src/lib/libssl/s3_both.c6
-rw-r--r--src/lib/libssl/s3_lib.c8
-rw-r--r--src/lib/libssl/s3_pkt.c16
-rw-r--r--src/lib/libssl/s3_srvr.c8
-rw-r--r--src/lib/libssl/ssl.h9
-rw-r--r--src/lib/libssl/ssl_lib.c46
-rw-r--r--src/lib/libssl/ssl_locl.h8
-rw-r--r--src/lib/libssl/t1_enc.c4
-rw-r--r--src/lib/libssl/t1_lib.c9
12 files changed, 70 insertions, 66 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index c64aa8f106..f15b64364e 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.57 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.58 2017/01/23 14:35:42 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -894,7 +894,7 @@ start:
894 return (-1); 894 return (-1);
895 } 895 }
896 896
897 if (!(s->mode & SSL_MODE_AUTO_RETRY)) { 897 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) {
898 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 898 if (s->s3->rbuf.left == 0) /* no read-ahead left? */
899 { 899 {
900 BIO *bio; 900 BIO *bio;
@@ -1049,7 +1049,7 @@ start:
1049 return (-1); 1049 return (-1);
1050 } 1050 }
1051 1051
1052 if (!(s->mode & SSL_MODE_AUTO_RETRY)) { 1052 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) {
1053 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 1053 if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1054 { 1054 {
1055 BIO *bio; 1055 BIO *bio;
@@ -1258,7 +1258,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
1258 * (this is a bit of a boundary violation, but what the heck). 1258 * (this is a bit of a boundary violation, but what the heck).
1259 */ 1259 */
1260 if (s->internal->enc_write_ctx && 1260 if (s->internal->enc_write_ctx &&
1261 (EVP_CIPHER_mode( s->internal->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE)) 1261 (EVP_CIPHER_mode(s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE))
1262 bs = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher); 1262 bs = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher);
1263 else 1263 else
1264 bs = 0; 1264 bs = 0;
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 282e0bd3c7..b2dc912a9c 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_clnt.c,v 1.55 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: s23_clnt.c,v 1.56 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -372,15 +372,15 @@ ssl23_get_server_hello(SSL *s)
372 /* we have sslv3 or tls1 (server hello or alert) */ 372 /* we have sslv3 or tls1 (server hello or alert) */
373 373
374 if ((p[2] == TLS1_VERSION_MINOR) && 374 if ((p[2] == TLS1_VERSION_MINOR) &&
375 !(s->options & SSL_OP_NO_TLSv1)) { 375 !(s->internal->options & SSL_OP_NO_TLSv1)) {
376 s->version = TLS1_VERSION; 376 s->version = TLS1_VERSION;
377 s->method = TLSv1_client_method(); 377 s->method = TLSv1_client_method();
378 } else if ((p[2] == TLS1_1_VERSION_MINOR) && 378 } else if ((p[2] == TLS1_1_VERSION_MINOR) &&
379 !(s->options & SSL_OP_NO_TLSv1_1)) { 379 !(s->internal->options & SSL_OP_NO_TLSv1_1)) {
380 s->version = TLS1_1_VERSION; 380 s->version = TLS1_1_VERSION;
381 s->method = TLSv1_1_client_method(); 381 s->method = TLSv1_1_client_method();
382 } else if ((p[2] == TLS1_2_VERSION_MINOR) && 382 } else if ((p[2] == TLS1_2_VERSION_MINOR) &&
383 !(s->options & SSL_OP_NO_TLSv1_2)) { 383 !(s->internal->options & SSL_OP_NO_TLSv1_2)) {
384 s->version = TLS1_2_VERSION; 384 s->version = TLS1_2_VERSION;
385 s->method = TLSv1_2_client_method(); 385 s->method = TLSv1_2_client_method();
386 } else { 386 } else {
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index f85b50994e..1cd6721d1f 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_srvr.c,v 1.56 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: s23_srvr.c,v 1.57 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -279,7 +279,7 @@ ssl23_get_client_hello(SSL *s)
279 279
280 if (!ssl_max_shared_version(s, client_version, 280 if (!ssl_max_shared_version(s, client_version,
281 &shared_version)) { 281 &shared_version)) {
282 if (s->options & SSL_OP_NO_TLSv1) 282 if (s->internal->options & SSL_OP_NO_TLSv1)
283 goto unsupported; 283 goto unsupported;
284 /* 284 /*
285 * We won't be able to use TLS of course, 285 * We won't be able to use TLS of course,
@@ -310,7 +310,7 @@ ssl23_get_client_hello(SSL *s)
310 * only to "backward" versions of TLS. If we have moved 310 * only to "backward" versions of TLS. If we have moved
311 * on to modernity, just say no. 311 * on to modernity, just say no.
312 */ 312 */
313 if (s->options & SSL_OP_NO_TLSv1) 313 if (s->internal->options & SSL_OP_NO_TLSv1)
314 goto unsupported; 314 goto unsupported;
315 315
316 type = 2; 316 type = 2;
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 7490a183fb..033831e23d 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_both.c,v 1.55 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: s3_both.c,v 1.56 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -352,7 +352,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x)
352 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 352 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
353 goto err; 353 goto err;
354 354
355 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) 355 if ((s->internal->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
356 no_chain = 1; 356 no_chain = 1;
357 357
358 /* TLSv1 sends a chain with nothing in it, instead of an alert. */ 358 /* TLSv1 sends a chain with nothing in it, instead of an alert. */
@@ -698,7 +698,7 @@ ssl3_setup_write_buffer(SSL *s)
698 if (s->s3->wbuf.buf == NULL) { 698 if (s->s3->wbuf.buf == NULL) {
699 len = s->max_send_fragment + 699 len = s->max_send_fragment +
700 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 700 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
701 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 701 if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
702 len += headerlen + align + 702 len += headerlen + align +
703 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; 703 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
704 704
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index a42ac73335..18a4cb64e8 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.127 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.128 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2056,7 +2056,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2056 return (ret); 2056 return (ret);
2057 } 2057 }
2058 ecdh = (EC_KEY *)parg; 2058 ecdh = (EC_KEY *)parg;
2059 if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) { 2059 if (!(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
2060 if (!EC_KEY_generate_key(ecdh)) { 2060 if (!EC_KEY_generate_key(ecdh)) {
2061 EC_KEY_free(ecdh); 2061 EC_KEY_free(ecdh);
2062 SSLerr(SSL_F_SSL3_CTRL, 2062 SSLerr(SSL_F_SSL3_CTRL,
@@ -2243,7 +2243,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2243 ERR_R_EC_LIB); 2243 ERR_R_EC_LIB);
2244 return 0; 2244 return 0;
2245 } 2245 }
2246 if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) { 2246 if (!(ctx->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
2247 if (!EC_KEY_generate_key(ecdh)) { 2247 if (!EC_KEY_generate_key(ecdh)) {
2248 EC_KEY_free(ecdh); 2248 EC_KEY_free(ecdh);
2249 SSLerr(SSL_F_SSL3_CTX_CTRL, 2249 SSLerr(SSL_F_SSL3_CTX_CTRL,
@@ -2413,7 +2413,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2413 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2413 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2414 */ 2414 */
2415 2415
2416 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2416 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2417 prio = srvr; 2417 prio = srvr;
2418 allow = clnt; 2418 allow = clnt;
2419 } else { 2419 } else {
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 40ab55b6ee..a9737a7f40 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_pkt.c,v 1.67 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: s3_pkt.c,v 1.68 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -238,7 +238,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
238 238
239 if (i <= 0) { 239 if (i <= 0) {
240 rb->left = left; 240 rb->left = left;
241 if (s->mode & SSL_MODE_RELEASE_BUFFERS && 241 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS &&
242 !SSL_IS_DTLS(s)) { 242 !SSL_IS_DTLS(s)) {
243 if (len + left == 0) 243 if (len + left == 0)
244 ssl3_release_read_buffer(s); 244 ssl3_release_read_buffer(s);
@@ -540,7 +540,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
540 } 540 }
541 541
542 if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA && 542 if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA &&
543 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { 543 (s->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
544 /* 544 /*
545 * Next chunk of data should get another prepended 545 * Next chunk of data should get another prepended
546 * empty fragment in ciphersuites with known-IV 546 * empty fragment in ciphersuites with known-IV
@@ -770,7 +770,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
770 770
771 /* XXXX */ 771 /* XXXX */
772 if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) && 772 if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) &&
773 !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || 773 !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) ||
774 (S3I(s)->wpend_type != type)) { 774 (S3I(s)->wpend_type != type)) {
775 SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY); 775 SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY);
776 return (-1); 776 return (-1);
@@ -790,7 +790,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
790 if (i == wb->left) { 790 if (i == wb->left) {
791 wb->left = 0; 791 wb->left = 0;
792 wb->offset += i; 792 wb->offset += i;
793 if (s->mode & SSL_MODE_RELEASE_BUFFERS && 793 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS &&
794 !SSL_IS_DTLS(s)) 794 !SSL_IS_DTLS(s))
795 ssl3_release_write_buffer(s); 795 ssl3_release_write_buffer(s);
796 s->internal->rwstate = SSL_NOTHING; 796 s->internal->rwstate = SSL_NOTHING;
@@ -983,7 +983,7 @@ start:
983 if (rr->length == 0) { 983 if (rr->length == 0) {
984 s->internal->rstate = SSL_ST_READ_HEADER; 984 s->internal->rstate = SSL_ST_READ_HEADER;
985 rr->off = 0; 985 rr->off = 0;
986 if (s->mode & SSL_MODE_RELEASE_BUFFERS && 986 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS &&
987 s->s3->rbuf.left == 0) 987 s->s3->rbuf.left == 0)
988 ssl3_release_read_buffer(s); 988 ssl3_release_read_buffer(s);
989 } 989 }
@@ -1068,7 +1068,7 @@ start:
1068 return (-1); 1068 return (-1);
1069 } 1069 }
1070 1070
1071 if (!(s->mode & SSL_MODE_AUTO_RETRY)) { 1071 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) {
1072 if (s->s3->rbuf.left == 0) { 1072 if (s->s3->rbuf.left == 0) {
1073 /* no read-ahead left? */ 1073 /* no read-ahead left? */
1074 /* In the case where we try to read application data, 1074 /* In the case where we try to read application data,
@@ -1230,7 +1230,7 @@ start:
1230 return (-1); 1230 return (-1);
1231 } 1231 }
1232 1232
1233 if (!(s->mode & SSL_MODE_AUTO_RETRY)) { 1233 if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) {
1234 if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ 1234 if (s->s3->rbuf.left == 0) { /* no read-ahead left? */
1235 BIO *bio; 1235 BIO *bio;
1236 /* In the case where we try to read application data, 1236 /* In the case where we try to read application data,
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 59320ea0f6..4c6caf0eed 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.149 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.150 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -824,7 +824,7 @@ ssl3_get_client_hello(SSL *s)
824 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be 824 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
825 * ignored. 825 * ignored.
826 */ 826 */
827 if ((s->internal->new_session && (s->options & 827 if ((s->internal->new_session && (s->internal->options &
828 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { 828 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
829 if (!ssl_get_new_session(s, 1)) 829 if (!ssl_get_new_session(s, 1))
830 goto err; 830 goto err;
@@ -1315,7 +1315,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
1315 1315
1316 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1316 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1317 (EC_KEY_get0_private_key(ecdh) == NULL) || 1317 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1318 (s->options & SSL_OP_SINGLE_ECDH_USE)) { 1318 (s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
1319 if (!EC_KEY_generate_key(ecdh)) { 1319 if (!EC_KEY_generate_key(ecdh)) {
1320 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1320 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1321 ERR_R_ECDH_LIB); 1321 ERR_R_ECDH_LIB);
@@ -1769,7 +1769,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
1769 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such 1769 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
1770 * clients. 1770 * clients.
1771 */ 1771 */
1772 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 1772 if (!((s->internal->options & SSL_OP_TLS_ROLLBACK_BUG) &&
1773 (p[0] == (s->version >> 8)) && 1773 (p[0] == (s->version >> 8)) &&
1774 (p[1] == (s->version & 0xff)))) { 1774 (p[1] == (s->version & 0xff)))) {
1775 al = SSL_AD_DECODE_ERROR; 1775 al = SSL_AD_DECODE_ERROR;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 037f46c400..28b7de6667 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.118 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: ssl.h,v 1.119 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -672,9 +672,6 @@ struct ssl_ctx_st {
672 672
673 /* Default values to use in SSL structures follow (these are copied by SSL_new) */ 673 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
674 674
675 unsigned long options;
676 unsigned long mode;
677
678 STACK_OF(X509) *extra_certs; 675 STACK_OF(X509) *extra_certs;
679 676
680 int verify_mode; 677 int verify_mode;
@@ -852,10 +849,10 @@ struct ssl_st {
852 long verify_result; 849 long verify_result;
853 850
854 int references; 851 int references;
855 unsigned long options; /* protocol behaviour */ 852
856 unsigned long mode; /* API behaviour */
857 int client_version; /* what was passed, used for 853 int client_version; /* what was passed, used for
858 * SSLv3/TLS rollback check */ 854 * SSLv3/TLS rollback check */
855
859 unsigned int max_send_fragment; 856 unsigned int max_send_fragment;
860 857
861 char *tlsext_hostname; 858 char *tlsext_hostname;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index edcbe9d20a..20b671022d 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.139 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.140 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -284,8 +284,8 @@ SSL_new(SSL_CTX *ctx)
284 return (NULL); 284 return (NULL);
285 } 285 }
286 286
287 s->options = ctx->options; 287 s->internal->options = ctx->internal->options;
288 s->mode = ctx->mode; 288 s->internal->mode = ctx->internal->mode;
289 s->internal->max_cert_list = ctx->internal->max_cert_list; 289 s->internal->max_cert_list = ctx->internal->max_cert_list;
290 290
291 if (ctx->internal->cert != NULL) { 291 if (ctx->internal->cert != NULL) {
@@ -1059,13 +1059,13 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1059 return (1); 1059 return (1);
1060 1060
1061 case SSL_CTRL_OPTIONS: 1061 case SSL_CTRL_OPTIONS:
1062 return (s->options|=larg); 1062 return (s->internal->options|=larg);
1063 case SSL_CTRL_CLEAR_OPTIONS: 1063 case SSL_CTRL_CLEAR_OPTIONS:
1064 return (s->options&=~larg); 1064 return (s->internal->options&=~larg);
1065 case SSL_CTRL_MODE: 1065 case SSL_CTRL_MODE:
1066 return (s->mode|=larg); 1066 return (s->internal->mode|=larg);
1067 case SSL_CTRL_CLEAR_MODE: 1067 case SSL_CTRL_CLEAR_MODE:
1068 return (s->mode &=~larg); 1068 return (s->internal->mode &=~larg);
1069 case SSL_CTRL_GET_MAX_CERT_LIST: 1069 case SSL_CTRL_GET_MAX_CERT_LIST:
1070 return (s->internal->max_cert_list); 1070 return (s->internal->max_cert_list);
1071 case SSL_CTRL_SET_MAX_CERT_LIST: 1071 case SSL_CTRL_SET_MAX_CERT_LIST:
@@ -1181,13 +1181,13 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1181 case SSL_CTRL_SESS_CACHE_FULL: 1181 case SSL_CTRL_SESS_CACHE_FULL:
1182 return (ctx->internal->stats.sess_cache_full); 1182 return (ctx->internal->stats.sess_cache_full);
1183 case SSL_CTRL_OPTIONS: 1183 case SSL_CTRL_OPTIONS:
1184 return (ctx->options|=larg); 1184 return (ctx->internal->options|=larg);
1185 case SSL_CTRL_CLEAR_OPTIONS: 1185 case SSL_CTRL_CLEAR_OPTIONS:
1186 return (ctx->options&=~larg); 1186 return (ctx->internal->options&=~larg);
1187 case SSL_CTRL_MODE: 1187 case SSL_CTRL_MODE:
1188 return (ctx->mode|=larg); 1188 return (ctx->internal->mode|=larg);
1189 case SSL_CTRL_CLEAR_MODE: 1189 case SSL_CTRL_CLEAR_MODE:
1190 return (ctx->mode&=~larg); 1190 return (ctx->internal->mode&=~larg);
1191 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 1191 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1192 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 1192 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1193 return (0); 1193 return (0);
@@ -1941,7 +1941,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
1941 * Default is to connect to non-RI servers. When RI is more widely 1941 * Default is to connect to non-RI servers. When RI is more widely
1942 * deployed might change this. 1942 * deployed might change this.
1943 */ 1943 */
1944 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; 1944 ret->internal->options |= SSL_OP_LEGACY_SERVER_CONNECT;
1945 1945
1946 return (ret); 1946 return (ret);
1947err: 1947err:
@@ -2516,18 +2516,18 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
2516 min_version = 0; 2516 min_version = 0;
2517 max_version = TLS1_2_VERSION; 2517 max_version = TLS1_2_VERSION;
2518 2518
2519 if ((s->options & SSL_OP_NO_TLSv1) == 0) 2519 if ((s->internal->options & SSL_OP_NO_TLSv1) == 0)
2520 min_version = TLS1_VERSION; 2520 min_version = TLS1_VERSION;
2521 else if ((s->options & SSL_OP_NO_TLSv1_1) == 0) 2521 else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0)
2522 min_version = TLS1_1_VERSION; 2522 min_version = TLS1_1_VERSION;
2523 else if ((s->options & SSL_OP_NO_TLSv1_2) == 0) 2523 else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0)
2524 min_version = TLS1_2_VERSION; 2524 min_version = TLS1_2_VERSION;
2525 2525
2526 if ((s->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) 2526 if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
2527 max_version = TLS1_1_VERSION; 2527 max_version = TLS1_1_VERSION;
2528 if ((s->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) 2528 if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
2529 max_version = TLS1_VERSION; 2529 max_version = TLS1_VERSION;
2530 if ((s->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) 2530 if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
2531 max_version = 0; 2531 max_version = 0;
2532 2532
2533 /* Everything has been disabled... */ 2533 /* Everything has been disabled... */
@@ -2586,13 +2586,13 @@ ssl_max_server_version(SSL *s)
2586 if (SSL_IS_DTLS(s)) 2586 if (SSL_IS_DTLS(s))
2587 return (DTLS1_VERSION); 2587 return (DTLS1_VERSION);
2588 2588
2589 if ((s->options & SSL_OP_NO_TLSv1_2) == 0 && 2589 if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0 &&
2590 max_version >= TLS1_2_VERSION) 2590 max_version >= TLS1_2_VERSION)
2591 return (TLS1_2_VERSION); 2591 return (TLS1_2_VERSION);
2592 if ((s->options & SSL_OP_NO_TLSv1_1) == 0 && 2592 if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0 &&
2593 max_version >= TLS1_1_VERSION) 2593 max_version >= TLS1_1_VERSION)
2594 return (TLS1_1_VERSION); 2594 return (TLS1_1_VERSION);
2595 if ((s->options & SSL_OP_NO_TLSv1) == 0 && 2595 if ((s->internal->options & SSL_OP_NO_TLSv1) == 0 &&
2596 max_version >= TLS1_VERSION) 2596 max_version >= TLS1_VERSION)
2597 return (TLS1_VERSION); 2597 return (TLS1_VERSION);
2598 2598
@@ -2642,8 +2642,8 @@ SSL_dup(SSL *s)
2642 s->sid_ctx, s->sid_ctx_length); 2642 s->sid_ctx, s->sid_ctx_length);
2643 } 2643 }
2644 2644
2645 ret->options = s->options; 2645 ret->internal->options = s->internal->options;
2646 ret->mode = s->mode; 2646 ret->internal->mode = s->internal->mode;
2647 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); 2647 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
2648 SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); 2648 SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
2649 ret->internal->msg_callback = s->internal->msg_callback; 2649 ret->internal->msg_callback = s->internal->msg_callback;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index df1e12bf39..d0d72cbfdf 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.161 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.162 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -434,6 +434,9 @@ typedef struct ssl_ctx_internal_st {
434 uint16_t min_version; 434 uint16_t min_version;
435 uint16_t max_version; 435 uint16_t max_version;
436 436
437 unsigned long options;
438 unsigned long mode;
439
437 /* If this callback is not null, it will be called each 440 /* If this callback is not null, it will be called each
438 * time a session id is added to the cache. If this function 441 * time a session id is added to the cache. If this function
439 * returns 1, it means that the callback will do a 442 * returns 1, it means that the callback will do a
@@ -612,6 +615,9 @@ typedef struct ssl_internal_st {
612 uint16_t min_version; 615 uint16_t min_version;
613 uint16_t max_version; 616 uint16_t max_version;
614 617
618 unsigned long options; /* protocol behaviour */
619 unsigned long mode; /* API behaviour */
620
615 /* Next protocol negotiation. For the client, this is the protocol that 621 /* Next protocol negotiation. For the client, this is the protocol that
616 * we sent in NextProtocol and is set when handling ServerHello 622 * we sent in NextProtocol and is set when handling ServerHello
617 * extensions. 623 * extensions.
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index c0abe762e6..3181b63e39 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.92 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.93 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -783,7 +783,7 @@ tls1_setup_key_block(SSL *s)
783 if (!tls1_generate_key_block(s, key_block, tmp_block, key_block_len)) 783 if (!tls1_generate_key_block(s, key_block, tmp_block, key_block_len))
784 goto err; 784 goto err;
785 785
786 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && 786 if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
787 s->method->internal->version <= TLS1_VERSION) { 787 s->method->internal->version <= TLS1_VERSION) {
788 /* 788 /*
789 * Enable vulnerability countermeasure for CBC ciphers with 789 * Enable vulnerability countermeasure for CBC ciphers with
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 8e7b1b5167..00af9778ad 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.105 2017/01/23 13:36:13 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.106 2017/01/23 14:35:42 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -435,7 +435,7 @@ tls1_get_shared_curve(SSL *s)
435 return (NID_undef); 435 return (NID_undef);
436 436
437 /* Return first preference shared curve. */ 437 /* Return first preference shared curve. */
438 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 438 server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
439 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 439 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
440 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 440 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
441 441
@@ -916,7 +916,7 @@ skip_ext:
916 * NB: because this code works out the length of all existing 916 * NB: because this code works out the length of all existing
917 * extensions it MUST always appear last. 917 * extensions it MUST always appear last.
918 */ 918 */
919 if (s->options & SSL_OP_TLSEXT_PADDING) { 919 if (s->internal->options & SSL_OP_TLSEXT_PADDING) {
920 int hlen = ret - (unsigned char *)s->internal->init_buf->data; 920 int hlen = ret - (unsigned char *)s->internal->init_buf->data;
921 921
922 /* 922 /*
@@ -1832,7 +1832,8 @@ ri_check:
1832 * which doesn't support RI so for the immediate future tolerate RI 1832 * which doesn't support RI so for the immediate future tolerate RI
1833 * absence on initial connect only. 1833 * absence on initial connect only.
1834 */ 1834 */
1835 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1835 if (!renegotiate_seen &&
1836 !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1836 *al = SSL_AD_HANDSHAKE_FAILURE; 1837 *al = SSL_AD_HANDSHAKE_FAILURE;
1837 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1838 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1838 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1839 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-31 09:17:49 +0000