summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbeck <>2017-01-23 04:55:27 +0000
committerbeck <>2017-01-23 04:55:27 +0000
commit98459d42c7a847e84cc12f2d7df5e16e0f44839c (patch)
tree7b3e30aaa4ce396a0dcc28cc981628a669ff50d2
parent779cc82ab96e48a0162ed5caa96bbc04dd3a5c72 (diff)
downloadopenbsd-98459d42c7a847e84cc12f2d7df5e16e0f44839c.tar.gz
openbsd-98459d42c7a847e84cc12f2d7df5e16e0f44839c.tar.bz2
openbsd-98459d42c7a847e84cc12f2d7df5e16e0f44839c.zip
move the callbacks from ssl_st to internal
ok jsing@
Diffstat
-rw-r--r--src/lib/libssl/bio_ssl.c8
-rw-r--r--src/lib/libssl/d1_both.c20
-rw-r--r--src/lib/libssl/d1_clnt.c12
-rw-r--r--src/lib/libssl/d1_pkt.c52
-rw-r--r--src/lib/libssl/d1_srvr.c12
-rw-r--r--src/lib/libssl/s23_clnt.c28
-rw-r--r--src/lib/libssl/s23_lib.c14
-rw-r--r--src/lib/libssl/s23_srvr.c18
-rw-r--r--src/lib/libssl/s3_both.c20
-rw-r--r--src/lib/libssl/s3_clnt.c18
-rw-r--r--src/lib/libssl/s3_lib.c14
-rw-r--r--src/lib/libssl/s3_pkt.c50
-rw-r--r--src/lib/libssl/s3_srvr.c18
-rw-r--r--src/lib/libssl/ssl.h32
-rw-r--r--src/lib/libssl/ssl_cert.c6
-rw-r--r--src/lib/libssl/ssl_lib.c68
-rw-r--r--src/lib/libssl/ssl_locl.h33
-rw-r--r--src/lib/libssl/ssl_sess.c14
-rw-r--r--src/lib/libssl/t1_lib.c30
19 files changed, 237 insertions, 230 deletions
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 6ddbb008e6..42f637a78f 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bio_ssl.c,v 1.22 2015/09/29 18:08:57 deraadt Exp $ */ 1/* $OpenBSD: bio_ssl.c,v 1.23 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -66,6 +66,8 @@
66#include <openssl/err.h> 66#include <openssl/err.h>
67#include <openssl/ssl.h> 67#include <openssl/ssl.h>
68 68
69#include "ssl_locl.h"
70
69static int ssl_write(BIO *h, const char *buf, int num); 71static int ssl_write(BIO *h, const char *buf, int num);
70static int ssl_read(BIO *h, char *buf, int size); 72static int ssl_read(BIO *h, char *buf, int size);
71static int ssl_puts(BIO *h, const char *str); 73static int ssl_puts(BIO *h, const char *str);
@@ -291,9 +293,9 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
291 case BIO_CTRL_RESET: 293 case BIO_CTRL_RESET:
292 SSL_shutdown(ssl); 294 SSL_shutdown(ssl);
293 295
294 if (ssl->handshake_func == ssl->method->ssl_connect) 296 if (ssl->internal->handshake_func == ssl->method->ssl_connect)
295 SSL_set_connect_state(ssl); 297 SSL_set_connect_state(ssl);
296 else if (ssl->handshake_func == ssl->method->ssl_accept) 298 else if (ssl->internal->handshake_func == ssl->method->ssl_accept)
297 SSL_set_accept_state(ssl); 299 SSL_set_accept_state(ssl);
298 300
299 SSL_clear(ssl); 301 SSL_clear(ssl);
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 2ee4a7ffcf..962b73ed6c 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_both.c,v 1.42 2017/01/22 09:02:07 jsing Exp $ */ 1/* $OpenBSD: d1_both.c,v 1.43 2017/01/23 04:55:26 beck Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -367,11 +367,11 @@ dtls1_do_write(SSL *s, int type)
367 } 367 }
368 368
369 if (ret == s->init_num) { 369 if (ret == s->init_num) {
370 if (s->msg_callback) 370 if (s->internal->msg_callback)
371 s->msg_callback(1, s->version, type, 371 s->internal->msg_callback(1, s->version, type,
372 s->init_buf->data, 372 s->init_buf->data,
373 (size_t)(s->init_off + s->init_num), 373 (size_t)(s->init_off + s->init_num),
374 s, s->msg_callback_arg); 374 s, s->internal->msg_callback_arg);
375 375
376 s->init_off = 0; 376 s->init_off = 0;
377 /* done writing this message */ 377 /* done writing this message */
@@ -445,9 +445,9 @@ again:
445 msg_len += DTLS1_HM_HEADER_LENGTH; 445 msg_len += DTLS1_HM_HEADER_LENGTH;
446 446
447 tls1_finish_mac(s, p, msg_len); 447 tls1_finish_mac(s, p, msg_len);
448 if (s->msg_callback) 448 if (s->internal->msg_callback)
449 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, 449 s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len,
450 s, s->msg_callback_arg); 450 s, s->internal->msg_callback_arg);
451 451
452 memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); 452 memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
453 453
@@ -834,11 +834,11 @@ again:
834 * 'Finished' MAC. 834 * 'Finished' MAC.
835 */ 835 */
836 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { 836 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
837 if (s->msg_callback) 837 if (s->internal->msg_callback)
838 s->msg_callback(0, s->version, 838 s->internal->msg_callback(0, s->version,
839 SSL3_RT_HANDSHAKE, wire, 839 SSL3_RT_HANDSHAKE, wire,
840 DTLS1_HM_HEADER_LENGTH, s, 840 DTLS1_HM_HEADER_LENGTH, s,
841 s->msg_callback_arg); 841 s->internal->msg_callback_arg);
842 842
843 s->init_num = 0; 843 s->init_num = 0;
844 goto again; 844 goto again;
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 127cda155c..67b874ef6b 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.64 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.65 2017/01/23 04:55:26 beck Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -188,12 +188,12 @@ dtls1_connect(SSL *s)
188 ERR_clear_error(); 188 ERR_clear_error();
189 errno = 0; 189 errno = 0;
190 190
191 if (s->info_callback != NULL) 191 if (s->internal->info_callback != NULL)
192 cb = s->info_callback; 192 cb = s->internal->info_callback;
193 else if (s->ctx->internal->info_callback != NULL) 193 else if (s->ctx->internal->info_callback != NULL)
194 cb = s->ctx->internal->info_callback; 194 cb = s->ctx->internal->info_callback;
195 195
196 s->in_handshake++; 196 s->internal->in_handshake++;
197 if (!SSL_in_init(s) || SSL_in_before(s)) 197 if (!SSL_in_init(s) || SSL_in_before(s))
198 SSL_clear(s); 198 SSL_clear(s);
199 199
@@ -559,7 +559,7 @@ dtls1_connect(SSL *s)
559 559
560 ret = 1; 560 ret = 1;
561 /* s->server=0; */ 561 /* s->server=0; */
562 s->handshake_func = dtls1_connect; 562 s->internal->handshake_func = dtls1_connect;
563 s->ctx->internal->stats.sess_connect_good++; 563 s->ctx->internal->stats.sess_connect_good++;
564 564
565 if (cb != NULL) 565 if (cb != NULL)
@@ -596,7 +596,7 @@ dtls1_connect(SSL *s)
596 } 596 }
597 597
598end: 598end:
599 s->in_handshake--; 599 s->internal->in_handshake--;
600 if (cb != NULL) 600 if (cb != NULL)
601 cb(s, SSL_CB_CONNECT_EXIT, ret); 601 cb(s, SSL_CB_CONNECT_EXIT, ret);
602 602
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index ef9bcaa786..88c2fa9adf 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.52 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.53 2017/01/23 04:55:26 beck Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -596,7 +596,7 @@ again:
596 * anything while listening. 596 * anything while listening.
597 */ 597 */
598 if (is_next_epoch) { 598 if (is_next_epoch) {
599 if ((SSL_in_init(s) || s->in_handshake) && !D1I(s)->listen) { 599 if ((SSL_in_init(s) || s->internal->in_handshake) && !D1I(s)->listen) {
600 if (dtls1_buffer_record(s, &(D1I(s)->unprocessed_rcds), 600 if (dtls1_buffer_record(s, &(D1I(s)->unprocessed_rcds),
601 rr->seq_num) < 0) 601 rr->seq_num) < 0)
602 return (-1); 602 return (-1);
@@ -667,10 +667,10 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
667 667
668 /* Now D1I(s)->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ 668 /* Now D1I(s)->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
669 669
670 if (!s->in_handshake && SSL_in_init(s)) 670 if (!s->internal->in_handshake && SSL_in_init(s))
671 { 671 {
672 /* type == SSL3_RT_APPLICATION_DATA */ 672 /* type == SSL3_RT_APPLICATION_DATA */
673 i = s->handshake_func(s); 673 i = s->internal->handshake_func(s);
674 if (i < 0) 674 if (i < 0)
675 return (i); 675 return (i);
676 if (i == 0) { 676 if (i == 0) {
@@ -875,9 +875,9 @@ start:
875 875
876 /* no need to check sequence number on HELLO REQUEST messages */ 876 /* no need to check sequence number on HELLO REQUEST messages */
877 877
878 if (s->msg_callback) 878 if (s->internal->msg_callback)
879 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 879 s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
880 D1I(s)->handshake_fragment, 4, s, s->msg_callback_arg); 880 D1I(s)->handshake_fragment, 4, s, s->internal->msg_callback_arg);
881 881
882 if (SSL_is_init_finished(s) && 882 if (SSL_is_init_finished(s) &&
883 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 883 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
@@ -886,7 +886,7 @@ start:
886 s->new_session = 1; 886 s->new_session = 1;
887 ssl3_renegotiate(s); 887 ssl3_renegotiate(s);
888 if (ssl3_renegotiate_check(s)) { 888 if (ssl3_renegotiate_check(s)) {
889 i = s->handshake_func(s); 889 i = s->internal->handshake_func(s);
890 if (i < 0) 890 if (i < 0)
891 return (i); 891 return (i);
892 if (i == 0) { 892 if (i == 0) {
@@ -922,12 +922,12 @@ start:
922 922
923 D1I(s)->alert_fragment_len = 0; 923 D1I(s)->alert_fragment_len = 0;
924 924
925 if (s->msg_callback) 925 if (s->internal->msg_callback)
926 s->msg_callback(0, s->version, SSL3_RT_ALERT, 926 s->internal->msg_callback(0, s->version, SSL3_RT_ALERT,
927 D1I(s)->alert_fragment, 2, s, s->msg_callback_arg); 927 D1I(s)->alert_fragment, 2, s, s->internal->msg_callback_arg);
928 928
929 if (s->info_callback != NULL) 929 if (s->internal->info_callback != NULL)
930 cb = s->info_callback; 930 cb = s->internal->info_callback;
931 else if (s->ctx->internal->info_callback != NULL) 931 else if (s->ctx->internal->info_callback != NULL)
932 cb = s->ctx->internal->info_callback; 932 cb = s->ctx->internal->info_callback;
933 933
@@ -987,9 +987,9 @@ start:
987 987
988 rr->length = 0; 988 rr->length = 0;
989 989
990 if (s->msg_callback) 990 if (s->internal->msg_callback)
991 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 991 s->internal->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
992 rr->data, 1, s, s->msg_callback_arg); 992 rr->data, 1, s, s->internal->msg_callback_arg);
993 993
994 /* We can't process a CCS now, because previous handshake 994 /* We can't process a CCS now, because previous handshake
995 * messages are still missing, so just drop it. 995 * messages are still missing, so just drop it.
@@ -1012,7 +1012,7 @@ start:
1012 1012
1013 /* Unexpected handshake message (Client Hello, or protocol violation) */ 1013 /* Unexpected handshake message (Client Hello, or protocol violation) */
1014 if ((D1I(s)->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 1014 if ((D1I(s)->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
1015 !s->in_handshake) { 1015 !s->internal->in_handshake) {
1016 struct hm_header_st msg_hdr; 1016 struct hm_header_st msg_hdr;
1017 1017
1018 /* this may just be a stale retransmit */ 1018 /* this may just be a stale retransmit */
@@ -1041,7 +1041,7 @@ start:
1041 s->renegotiate = 1; 1041 s->renegotiate = 1;
1042 s->new_session = 1; 1042 s->new_session = 1;
1043 } 1043 }
1044 i = s->handshake_func(s); 1044 i = s->internal->handshake_func(s);
1045 if (i < 0) 1045 if (i < 0)
1046 return (i); 1046 return (i);
1047 if (i == 0) { 1047 if (i == 0) {
@@ -1081,7 +1081,7 @@ start:
1081 case SSL3_RT_ALERT: 1081 case SSL3_RT_ALERT:
1082 case SSL3_RT_HANDSHAKE: 1082 case SSL3_RT_HANDSHAKE:
1083 /* we already handled all of these, with the possible exception 1083 /* we already handled all of these, with the possible exception
1084 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that 1084 * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that
1085 * should not happen when type != rr->type */ 1085 * should not happen when type != rr->type */
1086 al = SSL_AD_UNEXPECTED_MESSAGE; 1086 al = SSL_AD_UNEXPECTED_MESSAGE;
1087 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); 1087 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
@@ -1123,9 +1123,9 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1123{ 1123{
1124 int i; 1124 int i;
1125 1125
1126 if (SSL_in_init(s) && !s->in_handshake) 1126 if (SSL_in_init(s) && !s->internal->in_handshake)
1127 { 1127 {
1128 i = s->handshake_func(s); 1128 i = s->internal->handshake_func(s);
1129 if (i < 0) 1129 if (i < 0)
1130 return (i); 1130 return (i);
1131 if (i == 0) { 1131 if (i == 0) {
@@ -1422,12 +1422,12 @@ dtls1_dispatch_alert(SSL *s)
1422 ) 1422 )
1423 (void)BIO_flush(s->wbio); 1423 (void)BIO_flush(s->wbio);
1424 1424
1425 if (s->msg_callback) 1425 if (s->internal->msg_callback)
1426 s->msg_callback(1, s->version, SSL3_RT_ALERT, 1426 s->internal->msg_callback(1, s->version, SSL3_RT_ALERT,
1427 s->s3->send_alert, 2, s, s->msg_callback_arg); 1427 s->s3->send_alert, 2, s, s->internal->msg_callback_arg);
1428 1428
1429 if (s->info_callback != NULL) 1429 if (s->internal->info_callback != NULL)
1430 cb = s->info_callback; 1430 cb = s->internal->info_callback;
1431 else if (s->ctx->internal->info_callback != NULL) 1431 else if (s->ctx->internal->info_callback != NULL)
1432 cb = s->ctx->internal->info_callback; 1432 cb = s->ctx->internal->info_callback;
1433 1433
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 28a4442445..80af8eb930 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.74 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.75 2017/01/23 04:55:26 beck Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -188,15 +188,15 @@ dtls1_accept(SSL *s)
188 ERR_clear_error(); 188 ERR_clear_error();
189 errno = 0; 189 errno = 0;
190 190
191 if (s->info_callback != NULL) 191 if (s->internal->info_callback != NULL)
192 cb = s->info_callback; 192 cb = s->internal->info_callback;
193 else if (s->ctx->internal->info_callback != NULL) 193 else if (s->ctx->internal->info_callback != NULL)
194 cb = s->ctx->internal->info_callback; 194 cb = s->ctx->internal->info_callback;
195 195
196 listen = D1I(s)->listen; 196 listen = D1I(s)->listen;
197 197
198 /* init things to blank */ 198 /* init things to blank */
199 s->in_handshake++; 199 s->internal->in_handshake++;
200 if (!SSL_in_init(s) || SSL_in_before(s)) 200 if (!SSL_in_init(s) || SSL_in_before(s))
201 SSL_clear(s); 201 SSL_clear(s);
202 202
@@ -643,7 +643,7 @@ dtls1_accept(SSL *s)
643 643
644 s->ctx->internal->stats.sess_accept_good++; 644 s->ctx->internal->stats.sess_accept_good++;
645 /* s->server=1; */ 645 /* s->server=1; */
646 s->handshake_func = dtls1_accept; 646 s->internal->handshake_func = dtls1_accept;
647 647
648 if (cb != NULL) 648 if (cb != NULL)
649 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 649 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
@@ -684,7 +684,7 @@ dtls1_accept(SSL *s)
684end: 684end:
685 /* BIO_flush(s->wbio); */ 685 /* BIO_flush(s->wbio); */
686 686
687 s->in_handshake--; 687 s->internal->in_handshake--;
688 688
689 if (cb != NULL) 689 if (cb != NULL)
690 cb(s, SSL_CB_ACCEPT_EXIT, ret); 690 cb(s, SSL_CB_ACCEPT_EXIT, ret);
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 56c1d53707..aec215d29a 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_clnt.c,v 1.51 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: s23_clnt.c,v 1.52 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -130,12 +130,12 @@ ssl23_connect(SSL *s)
130 ERR_clear_error(); 130 ERR_clear_error();
131 errno = 0; 131 errno = 0;
132 132
133 if (s->info_callback != NULL) 133 if (s->internal->info_callback != NULL)
134 cb = s->info_callback; 134 cb = s->internal->info_callback;
135 else if (s->ctx->internal->info_callback != NULL) 135 else if (s->ctx->internal->info_callback != NULL)
136 cb = s->ctx->internal->info_callback; 136 cb = s->ctx->internal->info_callback;
137 137
138 s->in_handshake++; 138 s->internal->in_handshake++;
139 if (!SSL_in_init(s) || SSL_in_before(s)) 139 if (!SSL_in_init(s) || SSL_in_before(s))
140 SSL_clear(s); 140 SSL_clear(s);
141 141
@@ -218,7 +218,7 @@ ssl23_connect(SSL *s)
218 } 218 }
219 219
220end: 220end:
221 s->in_handshake--; 221 s->internal->in_handshake--;
222 if (cb != NULL) 222 if (cb != NULL)
223 cb(s, SSL_CB_CONNECT_EXIT, ret); 223 cb(s, SSL_CB_CONNECT_EXIT, ret);
224 224
@@ -332,10 +332,10 @@ ssl23_client_hello(SSL *s)
332 /* SSL3_ST_CW_CLNT_HELLO_B */ 332 /* SSL3_ST_CW_CLNT_HELLO_B */
333 ret = ssl23_write_bytes(s); 333 ret = ssl23_write_bytes(s);
334 334
335 if ((ret >= 2) && s->msg_callback) { 335 if ((ret >= 2) && s->internal->msg_callback) {
336 /* Client Hello has been sent; tell msg_callback */ 336 /* Client Hello has been sent; tell msg_callback */
337 s->msg_callback(1, s->client_version, SSL3_RT_HANDSHAKE, 337 s->internal->msg_callback(1, s->client_version, SSL3_RT_HANDSHAKE,
338 s->init_buf->data + 5, ret - 5, s, s->msg_callback_arg); 338 s->init_buf->data + 5, ret - 5, s, s->internal->msg_callback_arg);
339 } 339 }
340 340
341 return ret; 341 return ret;
@@ -394,8 +394,8 @@ ssl23_get_server_hello(SSL *s)
394 void (*cb)(const SSL *ssl, int type, int val) = NULL; 394 void (*cb)(const SSL *ssl, int type, int val) = NULL;
395 int j; 395 int j;
396 396
397 if (s->info_callback != NULL) 397 if (s->internal->info_callback != NULL)
398 cb = s->info_callback; 398 cb = s->internal->info_callback;
399 else if (s->ctx->internal->info_callback != NULL) 399 else if (s->ctx->internal->info_callback != NULL)
400 cb = s->ctx->internal->info_callback; 400 cb = s->ctx->internal->info_callback;
401 401
@@ -405,9 +405,9 @@ ssl23_get_server_hello(SSL *s)
405 cb(s, SSL_CB_READ_ALERT, j); 405 cb(s, SSL_CB_READ_ALERT, j);
406 } 406 }
407 407
408 if (s->msg_callback) 408 if (s->internal->msg_callback)
409 s->msg_callback(0, s->version, SSL3_RT_ALERT, 409 s->internal->msg_callback(0, s->version, SSL3_RT_ALERT,
410 p + 5, 2, s, s->msg_callback_arg); 410 p + 5, 2, s, s->internal->msg_callback_arg);
411 411
412 s->rwstate = SSL_NOTHING; 412 s->rwstate = SSL_NOTHING;
413 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, 413 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
@@ -433,7 +433,7 @@ ssl23_get_server_hello(SSL *s)
433 s->s3->rbuf.left = n; 433 s->s3->rbuf.left = n;
434 s->s3->rbuf.offset = 0; 434 s->s3->rbuf.offset = 0;
435 435
436 s->handshake_func = s->method->ssl_connect; 436 s->internal->handshake_func = s->method->ssl_connect;
437 } else { 437 } else {
438 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL); 438 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL);
439 goto err; 439 goto err;
diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c
index cd594aa3c9..5de30c69e6 100644
--- a/src/lib/libssl/s23_lib.c
+++ b/src/lib/libssl/s23_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_lib.c,v 1.18 2014/11/16 14:12:47 jsing Exp $ */ 1/* $OpenBSD: s23_lib.c,v 1.19 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -74,8 +74,8 @@ ssl23_read(SSL *s, void *buf, int len)
74 int n; 74 int n;
75 75
76 errno = 0; 76 errno = 0;
77 if (SSL_in_init(s) && (!s->in_handshake)) { 77 if (SSL_in_init(s) && (!s->internal->in_handshake)) {
78 n = s->handshake_func(s); 78 n = s->internal->handshake_func(s);
79 if (n < 0) 79 if (n < 0)
80 return (n); 80 return (n);
81 if (n == 0) { 81 if (n == 0) {
@@ -95,8 +95,8 @@ ssl23_peek(SSL *s, void *buf, int len)
95 int n; 95 int n;
96 96
97 errno = 0; 97 errno = 0;
98 if (SSL_in_init(s) && (!s->in_handshake)) { 98 if (SSL_in_init(s) && (!s->internal->in_handshake)) {
99 n = s->handshake_func(s); 99 n = s->internal->handshake_func(s);
100 if (n < 0) 100 if (n < 0)
101 return (n); 101 return (n);
102 if (n == 0) { 102 if (n == 0) {
@@ -116,8 +116,8 @@ ssl23_write(SSL *s, const void *buf, int len)
116 int n; 116 int n;
117 117
118 errno = 0; 118 errno = 0;
119 if (SSL_in_init(s) && (!s->in_handshake)) { 119 if (SSL_in_init(s) && (!s->internal->in_handshake)) {
120 n = s->handshake_func(s); 120 n = s->internal->handshake_func(s);
121 if (n < 0) 121 if (n < 0)
122 return (n); 122 return (n);
123 if (n == 0) { 123 if (n == 0) {
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 88ff9bb9a8..79c2eee521 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_srvr.c,v 1.52 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: s23_srvr.c,v 1.53 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -129,12 +129,12 @@ ssl23_accept(SSL *s)
129 ERR_clear_error(); 129 ERR_clear_error();
130 errno = 0; 130 errno = 0;
131 131
132 if (s->info_callback != NULL) 132 if (s->internal->info_callback != NULL)
133 cb = s->info_callback; 133 cb = s->internal->info_callback;
134 else if (s->ctx->internal->info_callback != NULL) 134 else if (s->ctx->internal->info_callback != NULL)
135 cb = s->ctx->internal->info_callback; 135 cb = s->ctx->internal->info_callback;
136 136
137 s->in_handshake++; 137 s->internal->in_handshake++;
138 if (!SSL_in_init(s) || SSL_in_before(s)) 138 if (!SSL_in_init(s) || SSL_in_before(s))
139 SSL_clear(s); 139 SSL_clear(s);
140 140
@@ -194,7 +194,7 @@ ssl23_accept(SSL *s)
194 } 194 }
195 195
196end: 196end:
197 s->in_handshake--; 197 s->internal->in_handshake--;
198 if (cb != NULL) 198 if (cb != NULL)
199 cb(s, SSL_CB_ACCEPT_EXIT, ret); 199 cb(s, SSL_CB_ACCEPT_EXIT, ret);
200 200
@@ -345,9 +345,9 @@ ssl23_get_client_hello(SSL *s)
345 return -1; 345 return -1;
346 346
347 tls1_finish_mac(s, s->packet + 2, s->packet_length - 2); 347 tls1_finish_mac(s, s->packet + 2, s->packet_length - 2);
348 if (s->msg_callback) 348 if (s->internal->msg_callback)
349 s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, 349 s->internal->msg_callback(0, SSL2_VERSION, 0, s->packet + 2,
350 s->packet_length - 2, s, s->msg_callback_arg); 350 s->packet_length - 2, s, s->internal->msg_callback_arg);
351 351
352 p = s->packet; 352 p = s->packet;
353 p += 5; 353 p += 5;
@@ -450,7 +450,7 @@ ssl23_get_client_hello(SSL *s)
450 s->method = TLSv1_server_method(); 450 s->method = TLSv1_server_method();
451 else 451 else
452 goto unsupported; 452 goto unsupported;
453 s->handshake_func = s->method->ssl_accept; 453 s->internal->handshake_func = s->method->ssl_accept;
454 } else { 454 } else {
455 /* bad, very bad */ 455 /* bad, very bad */
456 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); 456 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 7381286326..4dddcd232a 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_both.c,v 1.51 2017/01/22 09:02:07 jsing Exp $ */ 1/* $OpenBSD: s3_both.c,v 1.52 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -150,10 +150,10 @@ ssl3_do_write(SSL *s, int type)
150 (unsigned char *)&s->init_buf->data[s->init_off], ret); 150 (unsigned char *)&s->init_buf->data[s->init_off], ret);
151 151
152 if (ret == s->init_num) { 152 if (ret == s->init_num) {
153 if (s->msg_callback) 153 if (s->internal->msg_callback)
154 s->msg_callback(1, s->version, type, s->init_buf->data, 154 s->internal->msg_callback(1, s->version, type, s->init_buf->data,
155 (size_t)(s->init_off + s->init_num), s, 155 (size_t)(s->init_off + s->init_num), s,
156 s->msg_callback_arg); 156 s->internal->msg_callback_arg);
157 return (1); 157 return (1);
158 } 158 }
159 159
@@ -461,10 +461,10 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
461 s->init_num = 0; 461 s->init_num = 0;
462 skip_message = 1; 462 skip_message = 1;
463 463
464 if (s->msg_callback) 464 if (s->internal->msg_callback)
465 s->msg_callback(0, s->version, 465 s->internal->msg_callback(0, s->version,
466 SSL3_RT_HANDSHAKE, p, 4, s, 466 SSL3_RT_HANDSHAKE, p, 4, s,
467 s->msg_callback_arg); 467 s->internal->msg_callback_arg);
468 } 468 }
469 } 469 }
470 } while (skip_message); 470 } while (skip_message);
@@ -525,10 +525,10 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
525 525
526 /* Feed this message into MAC computation. */ 526 /* Feed this message into MAC computation. */
527 tls1_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 527 tls1_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
528 if (s->msg_callback) 528 if (s->internal->msg_callback)
529 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 529 s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
530 s->init_buf->data, (size_t)s->init_num + 4, s, 530 s->init_buf->data, (size_t)s->init_num + 4, s,
531 s->msg_callback_arg); 531 s->internal->msg_callback_arg);
532 532
533 *ok = 1; 533 *ok = 1;
534 return (s->init_num); 534 return (s->init_num);
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 54833ded27..c606091e10 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.165 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.166 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -183,12 +183,12 @@ ssl3_connect(SSL *s)
183 ERR_clear_error(); 183 ERR_clear_error();
184 errno = 0; 184 errno = 0;
185 185
186 if (s->info_callback != NULL) 186 if (s->internal->info_callback != NULL)
187 cb = s->info_callback; 187 cb = s->internal->info_callback;
188 else if (s->ctx->internal->info_callback != NULL) 188 else if (s->ctx->internal->info_callback != NULL)
189 cb = s->ctx->internal->info_callback; 189 cb = s->ctx->internal->info_callback;
190 190
191 s->in_handshake++; 191 s->internal->in_handshake++;
192 if (!SSL_in_init(s) || SSL_in_before(s)) 192 if (!SSL_in_init(s) || SSL_in_before(s))
193 SSL_clear(s); 193 SSL_clear(s);
194 194
@@ -543,7 +543,7 @@ ssl3_connect(SSL *s)
543 543
544 ret = 1; 544 ret = 1;
545 /* s->server=0; */ 545 /* s->server=0; */
546 s->handshake_func = ssl3_connect; 546 s->internal->handshake_func = ssl3_connect;
547 s->ctx->internal->stats.sess_connect_good++; 547 s->ctx->internal->stats.sess_connect_good++;
548 548
549 if (cb != NULL) 549 if (cb != NULL)
@@ -578,7 +578,7 @@ ssl3_connect(SSL *s)
578 } 578 }
579 579
580end: 580end:
581 s->in_handshake--; 581 s->internal->in_handshake--;
582 if (cb != NULL) 582 if (cb != NULL)
583 cb(s, SSL_CB_CONNECT_EXIT, ret); 583 cb(s, SSL_CB_CONNECT_EXIT, ret);
584 584
@@ -800,12 +800,12 @@ ssl3_get_server_hello(SSL *s)
800 * Check if we want to resume the session based on external 800 * Check if we want to resume the session based on external
801 * pre-shared secret. 801 * pre-shared secret.
802 */ 802 */
803 if (s->tls_session_secret_cb) { 803 if (s->internal->tls_session_secret_cb) {
804 SSL_CIPHER *pref_cipher = NULL; 804 SSL_CIPHER *pref_cipher = NULL;
805 s->session->master_key_length = sizeof(s->session->master_key); 805 s->session->master_key_length = sizeof(s->session->master_key);
806 if (s->tls_session_secret_cb(s, s->session->master_key, 806 if (s->internal->tls_session_secret_cb(s, s->session->master_key,
807 &s->session->master_key_length, NULL, &pref_cipher, 807 &s->session->master_key_length, NULL, &pref_cipher,
808 s->tls_session_secret_cb_arg)) { 808 s->internal->tls_session_secret_cb_arg)) {
809 s->session->cipher = pref_cipher ? pref_cipher : 809 s->session->cipher = pref_cipher ? pref_cipher :
810 ssl3_get_cipher_by_value(cipher_suite); 810 ssl3_get_cipher_by_value(cipher_suite);
811 s->s3->flags |= SSL3_FLAGS_CCS_OK; 811 s->s3->flags |= SSL3_FLAGS_CCS_OK;
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 92f4c49aa8..8e52c8bb4a 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.122 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.123 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2102,7 +2102,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2102 } 2102 }
2103 break; 2103 break;
2104 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 2104 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2105 s->tlsext_debug_arg = parg; 2105 s->internal->tlsext_debug_arg = parg;
2106 ret = 1; 2106 ret = 1;
2107 break; 2107 break;
2108 2108
@@ -2181,7 +2181,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2181 s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2181 s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
2182 break; 2182 break;
2183 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2183 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2184 s->tlsext_debug_cb = (void (*)(SSL *, int , int, 2184 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
2185 unsigned char *, int, void *))fp; 2185 unsigned char *, int, void *))fp;
2186 break; 2186 break;
2187 default: 2187 default:
@@ -2614,16 +2614,16 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2614 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2614 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2615 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { 2615 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
2616 /* 2616 /*
2617 * ssl3_read_bytes decided to call s->handshake_func, which 2617 * ssl3_read_bytes decided to call s->internal->handshake_func, which
2618 * called ssl3_read_bytes to read handshake data. 2618 * called ssl3_read_bytes to read handshake data.
2619 * However, ssl3_read_bytes actually found application data 2619 * However, ssl3_read_bytes actually found application data
2620 * and thinks that application data makes sense here; so disable 2620 * and thinks that application data makes sense here; so disable
2621 * handshake processing and try to read application data again. 2621 * handshake processing and try to read application data again.
2622 */ 2622 */
2623 s->in_handshake++; 2623 s->internal->in_handshake++;
2624 ret = s->method->ssl_read_bytes(s, 2624 ret = s->method->ssl_read_bytes(s,
2625 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2625 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2626 s->in_handshake--; 2626 s->internal->in_handshake--;
2627 } else 2627 } else
2628 S3I(s)->in_read_app_data = 0; 2628 S3I(s)->in_read_app_data = 0;
2629 2629
@@ -2645,7 +2645,7 @@ ssl3_peek(SSL *s, void *buf, int len)
2645int 2645int
2646ssl3_renegotiate(SSL *s) 2646ssl3_renegotiate(SSL *s)
2647{ 2647{
2648 if (s->handshake_func == NULL) 2648 if (s->internal->handshake_func == NULL)
2649 return (1); 2649 return (1);
2650 2650
2651 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2651 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index a1d0ef9299..004ede2ef0 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_pkt.c,v 1.62 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: s3_pkt.c,v 1.63 2017/01/23 04:55:26 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -513,8 +513,8 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
513 tot = S3I(s)->wnum; 513 tot = S3I(s)->wnum;
514 S3I(s)->wnum = 0; 514 S3I(s)->wnum = 0;
515 515
516 if (SSL_in_init(s) && !s->in_handshake) { 516 if (SSL_in_init(s) && !s->internal->in_handshake) {
517 i = s->handshake_func(s); 517 i = s->internal->handshake_func(s);
518 if (i < 0) 518 if (i < 0)
519 return (i); 519 return (i);
520 if (i == 0) { 520 if (i == 0) {
@@ -886,9 +886,9 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
886 * Now S3I(s)->handshake_fragment_len == 0 if 886 * Now S3I(s)->handshake_fragment_len == 0 if
887 * type == SSL3_RT_HANDSHAKE. 887 * type == SSL3_RT_HANDSHAKE.
888 */ 888 */
889 if (!s->in_handshake && SSL_in_init(s)) { 889 if (!s->internal->in_handshake && SSL_in_init(s)) {
890 /* type == SSL3_RT_APPLICATION_DATA */ 890 /* type == SSL3_RT_APPLICATION_DATA */
891 i = s->handshake_func(s); 891 i = s->internal->handshake_func(s);
892 if (i < 0) 892 if (i < 0)
893 return (i); 893 return (i);
894 if (i == 0) { 894 if (i == 0) {
@@ -1049,17 +1049,17 @@ start:
1049 goto f_err; 1049 goto f_err;
1050 } 1050 }
1051 1051
1052 if (s->msg_callback) 1052 if (s->internal->msg_callback)
1053 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 1053 s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1054 S3I(s)->handshake_fragment, 4, s, 1054 S3I(s)->handshake_fragment, 4, s,
1055 s->msg_callback_arg); 1055 s->internal->msg_callback_arg);
1056 1056
1057 if (SSL_is_init_finished(s) && 1057 if (SSL_is_init_finished(s) &&
1058 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 1058 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1059 !S3I(s)->renegotiate) { 1059 !S3I(s)->renegotiate) {
1060 ssl3_renegotiate(s); 1060 ssl3_renegotiate(s);
1061 if (ssl3_renegotiate_check(s)) { 1061 if (ssl3_renegotiate_check(s)) {
1062 i = s->handshake_func(s); 1062 i = s->internal->handshake_func(s);
1063 if (i < 0) 1063 if (i < 0)
1064 return (i); 1064 return (i);
1065 if (i == 0) { 1065 if (i == 0) {
@@ -1109,12 +1109,12 @@ start:
1109 1109
1110 S3I(s)->alert_fragment_len = 0; 1110 S3I(s)->alert_fragment_len = 0;
1111 1111
1112 if (s->msg_callback) 1112 if (s->internal->msg_callback)
1113 s->msg_callback(0, s->version, SSL3_RT_ALERT, 1113 s->internal->msg_callback(0, s->version, SSL3_RT_ALERT,
1114 S3I(s)->alert_fragment, 2, s, s->msg_callback_arg); 1114 S3I(s)->alert_fragment, 2, s, s->internal->msg_callback_arg);
1115 1115
1116 if (s->info_callback != NULL) 1116 if (s->internal->info_callback != NULL)
1117 cb = s->info_callback; 1117 cb = s->internal->info_callback;
1118 else if (s->ctx->internal->info_callback != NULL) 1118 else if (s->ctx->internal->info_callback != NULL)
1119 cb = s->ctx->internal->info_callback; 1119 cb = s->ctx->internal->info_callback;
1120 1120
@@ -1200,10 +1200,10 @@ start:
1200 1200
1201 rr->length = 0; 1201 rr->length = 0;
1202 1202
1203 if (s->msg_callback) { 1203 if (s->internal->msg_callback) {
1204 s->msg_callback(0, s->version, 1204 s->internal->msg_callback(0, s->version,
1205 SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, 1205 SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s,
1206 s->msg_callback_arg); 1206 s->internal->msg_callback_arg);
1207 } 1207 }
1208 1208
1209 S3I(s)->change_cipher_spec = 1; 1209 S3I(s)->change_cipher_spec = 1;
@@ -1214,14 +1214,14 @@ start:
1214 } 1214 }
1215 1215
1216 /* Unexpected handshake message (Client Hello, or protocol violation) */ 1216 /* Unexpected handshake message (Client Hello, or protocol violation) */
1217 if ((S3I(s)->handshake_fragment_len >= 4) && !s->in_handshake) { 1217 if ((S3I(s)->handshake_fragment_len >= 4) && !s->internal->in_handshake) {
1218 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1218 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1219 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { 1219 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
1220 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1220 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1221 s->renegotiate = 1; 1221 s->renegotiate = 1;
1222 s->new_session = 1; 1222 s->new_session = 1;
1223 } 1223 }
1224 i = s->handshake_func(s); 1224 i = s->internal->handshake_func(s);
1225 if (i < 0) 1225 if (i < 0)
1226 return (i); 1226 return (i);
1227 if (i == 0) { 1227 if (i == 0) {
@@ -1265,7 +1265,7 @@ start:
1265 case SSL3_RT_ALERT: 1265 case SSL3_RT_ALERT:
1266 case SSL3_RT_HANDSHAKE: 1266 case SSL3_RT_HANDSHAKE:
1267 /* we already handled all of these, with the possible exception 1267 /* we already handled all of these, with the possible exception
1268 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that 1268 * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that
1269 * should not happen when type != rr->type */ 1269 * should not happen when type != rr->type */
1270 al = SSL_AD_UNEXPECTED_MESSAGE; 1270 al = SSL_AD_UNEXPECTED_MESSAGE;
1271 SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); 1271 SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
@@ -1391,12 +1391,12 @@ ssl3_dispatch_alert(SSL *s)
1391 if (s->s3->send_alert[0] == SSL3_AL_FATAL) 1391 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1392 (void)BIO_flush(s->wbio); 1392 (void)BIO_flush(s->wbio);
1393 1393
1394 if (s->msg_callback) 1394 if (s->internal->msg_callback)
1395 s->msg_callback(1, s->version, SSL3_RT_ALERT, 1395 s->internal->msg_callback(1, s->version, SSL3_RT_ALERT,
1396 s->s3->send_alert, 2, s, s->msg_callback_arg); 1396 s->s3->send_alert, 2, s, s->internal->msg_callback_arg);
1397 1397
1398 if (s->info_callback != NULL) 1398 if (s->internal->info_callback != NULL)
1399 cb = s->info_callback; 1399 cb = s->internal->info_callback;
1400 else if (s->ctx->internal->info_callback != NULL) 1400 else if (s->ctx->internal->info_callback != NULL)
1401 cb = s->ctx->internal->info_callback; 1401 cb = s->ctx->internal->info_callback;
1402 1402
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 3f53f27924..21849487ea 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.144 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.145 2017/01/23 04:55:27 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -178,13 +178,13 @@ ssl3_accept(SSL *s)
178 ERR_clear_error(); 178 ERR_clear_error();
179 errno = 0; 179 errno = 0;
180 180
181 if (s->info_callback != NULL) 181 if (s->internal->info_callback != NULL)
182 cb = s->info_callback; 182 cb = s->internal->info_callback;
183 else if (s->ctx->internal->info_callback != NULL) 183 else if (s->ctx->internal->info_callback != NULL)
184 cb = s->ctx->internal->info_callback; 184 cb = s->ctx->internal->info_callback;
185 185
186 /* init things to blank */ 186 /* init things to blank */
187 s->in_handshake++; 187 s->internal->in_handshake++;
188 if (!SSL_in_init(s) || SSL_in_before(s)) 188 if (!SSL_in_init(s) || SSL_in_before(s))
189 SSL_clear(s); 189 SSL_clear(s);
190 190
@@ -662,7 +662,7 @@ ssl3_accept(SSL *s)
662 662
663 s->ctx->internal->stats.sess_accept_good++; 663 s->ctx->internal->stats.sess_accept_good++;
664 /* s->server=1; */ 664 /* s->server=1; */
665 s->handshake_func = ssl3_accept; 665 s->internal->handshake_func = ssl3_accept;
666 666
667 if (cb != NULL) 667 if (cb != NULL)
668 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 668 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
@@ -699,7 +699,7 @@ ssl3_accept(SSL *s)
699end: 699end:
700 /* BIO_flush(s->wbio); */ 700 /* BIO_flush(s->wbio); */
701 701
702 s->in_handshake--; 702 s->internal->in_handshake--;
703 if (cb != NULL) 703 if (cb != NULL)
704 cb(s, SSL_CB_ACCEPT_EXIT, ret); 704 cb(s, SSL_CB_ACCEPT_EXIT, ret);
705 return (ret); 705 return (ret);
@@ -976,13 +976,13 @@ ssl3_get_client_hello(SSL *s)
976 */ 976 */
977 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 977 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
978 978
979 if (!s->hit && s->tls_session_secret_cb) { 979 if (!s->hit && s->internal->tls_session_secret_cb) {
980 SSL_CIPHER *pref_cipher = NULL; 980 SSL_CIPHER *pref_cipher = NULL;
981 981
982 s->session->master_key_length = sizeof(s->session->master_key); 982 s->session->master_key_length = sizeof(s->session->master_key);
983 if (s->tls_session_secret_cb(s, s->session->master_key, 983 if (s->internal->tls_session_secret_cb(s, s->session->master_key,
984 &s->session->master_key_length, ciphers, &pref_cipher, 984 &s->session->master_key_length, ciphers, &pref_cipher,
985 s->tls_session_secret_cb_arg)) { 985 s->internal->tls_session_secret_cb_arg)) {
986 s->hit = 1; 986 s->hit = 1;
987 s->session->ciphers = ciphers; 987 s->session->ciphers = ciphers;
988 s->session->verify_result = X509_V_OK; 988 s->session->verify_result = X509_V_OK;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 2d6a0e757d..4080af8999 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.110 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: ssl.h,v 1.111 2017/01/23 04:55:27 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -908,10 +908,6 @@ struct ssl_st {
908 * in SSL_accept or SSL_connect */ 908 * in SSL_accept or SSL_connect */
909 int rwstate; 909 int rwstate;
910 910
911 /* true when we are actually in SSL_accept() or SSL_connect() */
912 int in_handshake;
913 int (*handshake_func)(SSL *);
914
915 /* Imagine that here's a boolean member "init" that is 911 /* Imagine that here's a boolean member "init" that is
916 * switched as soon as SSL_set_{accept/connect}_state 912 * switched as soon as SSL_set_{accept/connect}_state
917 * is called for the first time, so that "state" and 913 * is called for the first time, so that "state" and
@@ -947,11 +943,6 @@ struct ssl_st {
947 int read_ahead; /* Read as many input bytes as possible 943 int read_ahead; /* Read as many input bytes as possible
948 * (for non-blocking reads) */ 944 * (for non-blocking reads) */
949 945
950 /* callback that allows applications to peek at protocol messages */
951 void (*msg_callback)(int write_p, int version, int content_type,
952 const void *buf, size_t len, SSL *ssl, void *arg);
953 void *msg_callback_arg;
954
955 int hit; /* reusing a previous session */ 946 int hit; /* reusing a previous session */
956 947
957 X509_VERIFY_PARAM *param; 948 X509_VERIFY_PARAM *param;
@@ -992,16 +983,9 @@ struct ssl_st {
992 /* This can also be in the session once a session is established */ 983 /* This can also be in the session once a session is established */
993 SSL_SESSION *session; 984 SSL_SESSION *session;
994 985
995 /* Default generate session ID callback. */
996 GEN_SESSION_CB generate_session_id;
997
998 /* Used in SSL2 and SSL3 */ 986 /* Used in SSL2 and SSL3 */
999 int verify_mode; /* 0 don't care about verify failure. 987 int verify_mode; /* 0 don't care about verify failure.
1000 * 1 fail if verify fails */ 988 * 1 fail if verify fails */
1001 int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
1002
1003 void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
1004
1005 int error; /* error bytes to be written */ 989 int error; /* error bytes to be written */
1006 int error_code; /* actual code */ 990 int error_code; /* actual code */
1007 991
@@ -1028,11 +1012,9 @@ struct ssl_st {
1028 int client_version; /* what was passed, used for 1012 int client_version; /* what was passed, used for
1029 * SSLv3/TLS rollback check */ 1013 * SSLv3/TLS rollback check */
1030 unsigned int max_send_fragment; 1014 unsigned int max_send_fragment;
1031 /* TLS extension debug callback */ 1015
1032 void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
1033 unsigned char *data, int len, void *arg);
1034 void *tlsext_debug_arg;
1035 char *tlsext_hostname; 1016 char *tlsext_hostname;
1017
1036 int servername_done; /* no further mod of servername 1018 int servername_done; /* no further mod of servername
1037 0 : call the servername extension callback. 1019 0 : call the servername extension callback.
1038 1 : prepare 2, allow last ack just after in server callback. 1020 1 : prepare 2, allow last ack just after in server callback.
@@ -1060,14 +1042,6 @@ struct ssl_st {
1060 /* TLS Session Ticket extension override */ 1042 /* TLS Session Ticket extension override */
1061 TLS_SESSION_TICKET_EXT *tlsext_session_ticket; 1043 TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
1062 1044
1063 /* TLS Session Ticket extension callback */
1064 tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
1065 void *tls_session_ticket_ext_cb_arg;
1066
1067 /* TLS pre-shared secret session resumption */
1068 tls_session_secret_cb_fn tls_session_secret_cb;
1069 void *tls_session_secret_cb_arg;
1070
1071 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ 1045 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
1072#define session_ctx initial_ctx 1046#define session_ctx initial_ctx
1073 1047
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 603deb4218..13591aec9c 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.55 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.56 2017/01/23 04:55:27 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -440,8 +440,8 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
440 */ 440 */
441 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param); 441 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
442 442
443 if (s->verify_callback) 443 if (s->internal->verify_callback)
444 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); 444 X509_STORE_CTX_set_verify_cb(&ctx, s->internal->verify_callback);
445 445
446 if (s->ctx->internal->app_verify_callback != NULL) 446 if (s->ctx->internal->app_verify_callback != NULL)
447 ret = s->ctx->internal->app_verify_callback(&ctx, 447 ret = s->ctx->internal->app_verify_callback(&ctx,
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 6e3e042fe6..c9af96e48e 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.132 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.133 2017/01/23 04:55:27 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -230,7 +230,7 @@ SSL_clear(SSL *s)
230 * Check to see if we were changed into a different method, if 230 * Check to see if we were changed into a different method, if
231 * so, revert back if we are not doing session-id reuse. 231 * so, revert back if we are not doing session-id reuse.
232 */ 232 */
233 if (!s->in_handshake && (s->session == NULL) && 233 if (!s->internal->in_handshake && (s->session == NULL) &&
234 (s->method != s->ctx->method)) { 234 (s->method != s->ctx->method)) {
235 s->method->ssl_free(s); 235 s->method->ssl_free(s);
236 s->method = s->ctx->method; 236 s->method = s->ctx->method;
@@ -307,14 +307,14 @@ SSL_new(SSL_CTX *ctx)
307 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ 307 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
308 308
309 s->read_ahead = ctx->read_ahead; 309 s->read_ahead = ctx->read_ahead;
310 s->msg_callback = ctx->internal->msg_callback; 310 s->internal->msg_callback = ctx->internal->msg_callback;
311 s->msg_callback_arg = ctx->internal->msg_callback_arg; 311 s->internal->msg_callback_arg = ctx->internal->msg_callback_arg;
312 s->verify_mode = ctx->verify_mode; 312 s->verify_mode = ctx->verify_mode;
313 s->sid_ctx_length = ctx->sid_ctx_length; 313 s->sid_ctx_length = ctx->sid_ctx_length;
314 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); 314 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
315 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); 315 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
316 s->verify_callback = ctx->internal->default_verify_callback; 316 s->internal->verify_callback = ctx->internal->default_verify_callback;
317 s->generate_session_id = ctx->internal->generate_session_id; 317 s->internal->generate_session_id = ctx->internal->generate_session_id;
318 318
319 s->param = X509_VERIFY_PARAM_new(); 319 s->param = X509_VERIFY_PARAM_new();
320 if (!s->param) 320 if (!s->param)
@@ -325,8 +325,8 @@ SSL_new(SSL_CTX *ctx)
325 325
326 CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); 326 CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
327 s->ctx = ctx; 327 s->ctx = ctx;
328 s->tlsext_debug_cb = 0; 328 s->internal->tlsext_debug_cb = 0;
329 s->tlsext_debug_arg = NULL; 329 s->internal->tlsext_debug_arg = NULL;
330 s->tlsext_ticket_expected = 0; 330 s->tlsext_ticket_expected = 0;
331 s->tlsext_status_type = -1; 331 s->tlsext_status_type = -1;
332 s->tlsext_status_expected = 0; 332 s->tlsext_status_expected = 0;
@@ -415,7 +415,7 @@ int
415SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) 415SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
416{ 416{
417 CRYPTO_w_lock(CRYPTO_LOCK_SSL); 417 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
418 ssl->generate_session_id = cb; 418 ssl->internal->generate_session_id = cb;
419 CRYPTO_w_unlock(CRYPTO_LOCK_SSL); 419 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
420 return (1); 420 return (1);
421} 421}
@@ -741,7 +741,7 @@ SSL_get_verify_depth(const SSL *s)
741int 741int
742(*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) 742(*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *)
743{ 743{
744 return (s->verify_callback); 744 return (s->internal->verify_callback);
745} 745}
746 746
747int 747int
@@ -767,7 +767,7 @@ SSL_set_verify(SSL *s, int mode,
767{ 767{
768 s->verify_mode = mode; 768 s->verify_mode = mode;
769 if (callback != NULL) 769 if (callback != NULL)
770 s->verify_callback = callback; 770 s->internal->verify_callback = callback;
771} 771}
772 772
773void 773void
@@ -922,7 +922,7 @@ SSL_check_private_key(const SSL *ssl)
922int 922int
923SSL_accept(SSL *s) 923SSL_accept(SSL *s)
924{ 924{
925 if (s->handshake_func == NULL) 925 if (s->internal->handshake_func == NULL)
926 SSL_set_accept_state(s); /* Not properly initialized yet */ 926 SSL_set_accept_state(s); /* Not properly initialized yet */
927 927
928 return (s->method->ssl_accept(s)); 928 return (s->method->ssl_accept(s));
@@ -931,7 +931,7 @@ SSL_accept(SSL *s)
931int 931int
932SSL_connect(SSL *s) 932SSL_connect(SSL *s)
933{ 933{
934 if (s->handshake_func == NULL) 934 if (s->internal->handshake_func == NULL)
935 SSL_set_connect_state(s); /* Not properly initialized yet */ 935 SSL_set_connect_state(s); /* Not properly initialized yet */
936 936
937 return (s->method->ssl_connect(s)); 937 return (s->method->ssl_connect(s));
@@ -946,7 +946,7 @@ SSL_get_default_timeout(const SSL *s)
946int 946int
947SSL_read(SSL *s, void *buf, int num) 947SSL_read(SSL *s, void *buf, int num)
948{ 948{
949 if (s->handshake_func == NULL) { 949 if (s->internal->handshake_func == NULL) {
950 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 950 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
951 return (-1); 951 return (-1);
952 } 952 }
@@ -961,7 +961,7 @@ SSL_read(SSL *s, void *buf, int num)
961int 961int
962SSL_peek(SSL *s, void *buf, int num) 962SSL_peek(SSL *s, void *buf, int num)
963{ 963{
964 if (s->handshake_func == NULL) { 964 if (s->internal->handshake_func == NULL) {
965 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); 965 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
966 return (-1); 966 return (-1);
967 } 967 }
@@ -975,7 +975,7 @@ SSL_peek(SSL *s, void *buf, int num)
975int 975int
976SSL_write(SSL *s, const void *buf, int num) 976SSL_write(SSL *s, const void *buf, int num)
977{ 977{
978 if (s->handshake_func == NULL) { 978 if (s->internal->handshake_func == NULL) {
979 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); 979 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
980 return (-1); 980 return (-1);
981 } 981 }
@@ -998,7 +998,7 @@ SSL_shutdown(SSL *s)
998 * even if blocking I/O is used (see ssl3_shutdown). 998 * even if blocking I/O is used (see ssl3_shutdown).
999 */ 999 */
1000 1000
1001 if (s->handshake_func == NULL) { 1001 if (s->internal->handshake_func == NULL) {
1002 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); 1002 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
1003 return (-1); 1003 return (-1);
1004 } 1004 }
@@ -1055,7 +1055,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1055 return (l); 1055 return (l);
1056 1056
1057 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 1057 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1058 s->msg_callback_arg = parg; 1058 s->internal->msg_callback_arg = parg;
1059 return (1); 1059 return (1);
1060 1060
1061 case SSL_CTRL_OPTIONS: 1061 case SSL_CTRL_OPTIONS:
@@ -1101,7 +1101,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1101{ 1101{
1102 switch (cmd) { 1102 switch (cmd) {
1103 case SSL_CTRL_SET_MSG_CALLBACK: 1103 case SSL_CTRL_SET_MSG_CALLBACK:
1104 s->msg_callback = (void (*)(int write_p, int version, 1104 s->internal->msg_callback = (void (*)(int write_p, int version,
1105 int content_type, const void *buf, size_t len, 1105 int content_type, const void *buf, size_t len,
1106 SSL *ssl, void *arg))(fp); 1106 SSL *ssl, void *arg))(fp);
1107 return (1); 1107 return (1);
@@ -2305,8 +2305,8 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
2305 int ret = 1; 2305 int ret = 1;
2306 2306
2307 if (s->method != meth) { 2307 if (s->method != meth) {
2308 if (s->handshake_func != NULL) 2308 if (s->internal->handshake_func != NULL)
2309 conn = (s->handshake_func == s->method->ssl_connect); 2309 conn = (s->internal->handshake_func == s->method->ssl_connect);
2310 2310
2311 if (s->method->version == meth->version) 2311 if (s->method->version == meth->version)
2312 s->method = meth; 2312 s->method = meth;
@@ -2317,9 +2317,9 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
2317 } 2317 }
2318 2318
2319 if (conn == 1) 2319 if (conn == 1)
2320 s->handshake_func = meth->ssl_connect; 2320 s->internal->handshake_func = meth->ssl_connect;
2321 else if (conn == 0) 2321 else if (conn == 0)
2322 s->handshake_func = meth->ssl_accept; 2322 s->internal->handshake_func = meth->ssl_accept;
2323 } 2323 }
2324 return (ret); 2324 return (ret);
2325} 2325}
@@ -2407,7 +2407,7 @@ SSL_do_handshake(SSL *s)
2407{ 2407{
2408 int ret = 1; 2408 int ret = 1;
2409 2409
2410 if (s->handshake_func == NULL) { 2410 if (s->internal->handshake_func == NULL) {
2411 SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET); 2411 SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET);
2412 return (-1); 2412 return (-1);
2413 } 2413 }
@@ -2415,7 +2415,7 @@ SSL_do_handshake(SSL *s)
2415 s->method->ssl_renegotiate_check(s); 2415 s->method->ssl_renegotiate_check(s);
2416 2416
2417 if (SSL_in_init(s) || SSL_in_before(s)) { 2417 if (SSL_in_init(s) || SSL_in_before(s)) {
2418 ret = s->handshake_func(s); 2418 ret = s->internal->handshake_func(s);
2419 } 2419 }
2420 return (ret); 2420 return (ret);
2421} 2421}
@@ -2430,7 +2430,7 @@ SSL_set_accept_state(SSL *s)
2430 s->server = 1; 2430 s->server = 1;
2431 s->shutdown = 0; 2431 s->shutdown = 0;
2432 s->state = SSL_ST_ACCEPT|SSL_ST_BEFORE; 2432 s->state = SSL_ST_ACCEPT|SSL_ST_BEFORE;
2433 s->handshake_func = s->method->ssl_accept; 2433 s->internal->handshake_func = s->method->ssl_accept;
2434 /* clear the current cipher */ 2434 /* clear the current cipher */
2435 ssl_clear_cipher_ctx(s); 2435 ssl_clear_cipher_ctx(s);
2436 ssl_clear_hash_ctx(&s->read_hash); 2436 ssl_clear_hash_ctx(&s->read_hash);
@@ -2443,7 +2443,7 @@ SSL_set_connect_state(SSL *s)
2443 s->server = 0; 2443 s->server = 0;
2444 s->shutdown = 0; 2444 s->shutdown = 0;
2445 s->state = SSL_ST_CONNECT|SSL_ST_BEFORE; 2445 s->state = SSL_ST_CONNECT|SSL_ST_BEFORE;
2446 s->handshake_func = s->method->ssl_connect; 2446 s->internal->handshake_func = s->method->ssl_connect;
2447 /* clear the current cipher */ 2447 /* clear the current cipher */
2448 ssl_clear_cipher_ctx(s); 2448 ssl_clear_cipher_ctx(s);
2449 ssl_clear_hash_ctx(&s->read_hash); 2449 ssl_clear_hash_ctx(&s->read_hash);
@@ -2643,12 +2643,12 @@ SSL_dup(SSL *s)
2643 ret->mode = s->mode; 2643 ret->mode = s->mode;
2644 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); 2644 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
2645 SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); 2645 SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
2646 ret->msg_callback = s->msg_callback; 2646 ret->internal->msg_callback = s->internal->msg_callback;
2647 ret->msg_callback_arg = s->msg_callback_arg; 2647 ret->internal->msg_callback_arg = s->internal->msg_callback_arg;
2648 SSL_set_verify(ret, SSL_get_verify_mode(s), 2648 SSL_set_verify(ret, SSL_get_verify_mode(s),
2649 SSL_get_verify_callback(s)); 2649 SSL_get_verify_callback(s));
2650 SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); 2650 SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
2651 ret->generate_session_id = s->generate_session_id; 2651 ret->internal->generate_session_id = s->internal->generate_session_id;
2652 2652
2653 SSL_set_info_callback(ret, SSL_get_info_callback(s)); 2653 SSL_set_info_callback(ret, SSL_get_info_callback(s));
2654 2654
@@ -2672,8 +2672,8 @@ SSL_dup(SSL *s)
2672 ret->wbio = ret->rbio; 2672 ret->wbio = ret->rbio;
2673 } 2673 }
2674 ret->rwstate = s->rwstate; 2674 ret->rwstate = s->rwstate;
2675 ret->in_handshake = s->in_handshake; 2675 ret->internal->in_handshake = s->internal->in_handshake;
2676 ret->handshake_func = s->handshake_func; 2676 ret->internal->handshake_func = s->internal->handshake_func;
2677 ret->server = s->server; 2677 ret->server = s->server;
2678 ret->renegotiate = s->renegotiate; 2678 ret->renegotiate = s->renegotiate;
2679 ret->new_session = s->new_session; 2679 ret->new_session = s->new_session;
@@ -2929,12 +2929,12 @@ SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
2929void 2929void
2930SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val)) 2930SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
2931{ 2931{
2932 ssl->info_callback = cb; 2932 ssl->internal->info_callback = cb;
2933} 2933}
2934 2934
2935void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val) 2935void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val)
2936{ 2936{
2937 return (ssl->info_callback); 2937 return (ssl->internal->info_callback);
2938} 2938}
2939 2939
2940int 2940int
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 4d8659a493..60bb5597e8 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.154 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.155 2017/01/23 04:55:27 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -527,6 +527,37 @@ typedef struct ssl_internal_st {
527 /* Client list of supported protocols in wire format. */ 527 /* Client list of supported protocols in wire format. */
528 unsigned char *alpn_client_proto_list; 528 unsigned char *alpn_client_proto_list;
529 unsigned int alpn_client_proto_list_len; 529 unsigned int alpn_client_proto_list_len;
530
531 /* XXX Callbacks */
532
533 /* true when we are actually in SSL_accept() or SSL_connect() */
534 int in_handshake;
535 int (*handshake_func)(SSL *);
536 /* callback that allows applications to peek at protocol messages */
537 void (*msg_callback)(int write_p, int version, int content_type,
538 const void *buf, size_t len, SSL *ssl, void *arg);
539 void *msg_callback_arg;
540
541 /* Default generate session ID callback. */
542 GEN_SESSION_CB generate_session_id;
543
544 int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
545
546 void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
547
548 /* TLS extension debug callback */
549 void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
550 unsigned char *data, int len, void *arg);
551 void *tlsext_debug_arg;
552
553 /* TLS Session Ticket extension callback */
554 tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
555 void *tls_session_ticket_ext_cb_arg;
556
557 /* TLS pre-shared secret session resumption */
558 tls_session_secret_cb_fn tls_session_secret_cb;
559 void *tls_session_secret_cb_arg;
560
530} SSL_INTERNAL; 561} SSL_INTERNAL;
531 562
532typedef struct ssl3_state_internal_st { 563typedef struct ssl3_state_internal_st {
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 8700e851c6..541b143384 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sess.c,v 1.58 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: ssl_sess.c,v 1.59 2017/01/23 04:55:27 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -326,8 +326,8 @@ ssl_get_new_session(SSL *s, int session)
326 326
327 /* Choose which callback will set the session ID. */ 327 /* Choose which callback will set the session ID. */
328 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 328 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
329 if (s->generate_session_id) 329 if (s->internal->generate_session_id)
330 cb = s->generate_session_id; 330 cb = s->internal->generate_session_id;
331 else if (s->session_ctx->internal->generate_session_id) 331 else if (s->session_ctx->internal->generate_session_id)
332 cb = s->session_ctx->internal->generate_session_id; 332 cb = s->session_ctx->internal->generate_session_id;
333 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 333 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
@@ -849,8 +849,8 @@ SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s,
849{ 849{
850 if (s == NULL) 850 if (s == NULL)
851 return (0); 851 return (0);
852 s->tls_session_secret_cb = tls_session_secret_cb; 852 s->internal->tls_session_secret_cb = tls_session_secret_cb;
853 s->tls_session_secret_cb_arg = arg; 853 s->internal->tls_session_secret_cb_arg = arg;
854 return (1); 854 return (1);
855} 855}
856 856
@@ -860,8 +860,8 @@ SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
860{ 860{
861 if (s == NULL) 861 if (s == NULL)
862 return (0); 862 return (0);
863 s->tls_session_ticket_ext_cb = cb; 863 s->internal->tls_session_ticket_ext_cb = cb;
864 s->tls_session_ticket_ext_cb_arg = arg; 864 s->internal->tls_session_ticket_ext_cb_arg = arg;
865 return (1); 865 return (1);
866} 866}
867 867
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 08818f4870..b2d9883900 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.100 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.101 2017/01/23 04:55:27 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1227,9 +1227,9 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1227 if (end - data < size) 1227 if (end - data < size)
1228 goto err; 1228 goto err;
1229 1229
1230 if (s->tlsext_debug_cb) 1230 if (s->internal->tlsext_debug_cb)
1231 s->tlsext_debug_cb(s, 0, type, data, size, 1231 s->internal->tlsext_debug_cb(s, 0, type, data, size,
1232 s->tlsext_debug_arg); 1232 s->internal->tlsext_debug_arg);
1233/* The servername extension is treated as follows: 1233/* The servername extension is treated as follows:
1234 1234
1235 - Only the hostname type is supported with a maximum length of 255. 1235 - Only the hostname type is supported with a maximum length of 255.
@@ -1395,8 +1395,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1395 } 1395 }
1396 } 1396 }
1397 else if (type == TLSEXT_TYPE_session_ticket) { 1397 else if (type == TLSEXT_TYPE_session_ticket) {
1398 if (s->tls_session_ticket_ext_cb && 1398 if (s->internal->tls_session_ticket_ext_cb &&
1399 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1399 !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) {
1400 *al = TLS1_AD_INTERNAL_ERROR; 1400 *al = TLS1_AD_INTERNAL_ERROR;
1401 return 0; 1401 return 0;
1402 } 1402 }
@@ -1645,9 +1645,9 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1645 if (end - data < size) 1645 if (end - data < size)
1646 goto err; 1646 goto err;
1647 1647
1648 if (s->tlsext_debug_cb) 1648 if (s->internal->tlsext_debug_cb)
1649 s->tlsext_debug_cb(s, 1, type, data, size, 1649 s->internal->tlsext_debug_cb(s, 1, type, data, size,
1650 s->tlsext_debug_arg); 1650 s->internal->tlsext_debug_arg);
1651 1651
1652 if (type == TLSEXT_TYPE_server_name) { 1652 if (type == TLSEXT_TYPE_server_name) {
1653 if (s->tlsext_hostname == NULL || size > 0) { 1653 if (s->tlsext_hostname == NULL || size > 0) {
@@ -1690,8 +1690,8 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1690 } 1690 }
1691 } 1691 }
1692 else if (type == TLSEXT_TYPE_session_ticket) { 1692 else if (type == TLSEXT_TYPE_session_ticket) {
1693 if (s->tls_session_ticket_ext_cb && 1693 if (s->internal->tls_session_ticket_ext_cb &&
1694 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1694 !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) {
1695 *al = TLS1_AD_INTERNAL_ERROR; 1695 *al = TLS1_AD_INTERNAL_ERROR;
1696 return 0; 1696 return 0;
1697 } 1697 }
@@ -2035,7 +2035,7 @@ ssl_check_serverhello_tlsext(SSL *s)
2035 * ret: (output) on return, if a ticket was decrypted, then this is set to 2035 * ret: (output) on return, if a ticket was decrypted, then this is set to
2036 * point to the resulting session. 2036 * point to the resulting session.
2037 * 2037 *
2038 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2038 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
2039 * ciphersuite, in which case we have no use for session tickets and one will 2039 * ciphersuite, in which case we have no use for session tickets and one will
2040 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2040 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2041 * 2041 *
@@ -2044,14 +2044,14 @@ ssl_check_serverhello_tlsext(SSL *s)
2044 * 0: no ticket was found (or was ignored, based on settings). 2044 * 0: no ticket was found (or was ignored, based on settings).
2045 * 1: a zero length extension was found, indicating that the client supports 2045 * 1: a zero length extension was found, indicating that the client supports
2046 * session tickets but doesn't currently have one to offer. 2046 * session tickets but doesn't currently have one to offer.
2047 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2047 * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but
2048 * couldn't be decrypted because of a non-fatal error. 2048 * couldn't be decrypted because of a non-fatal error.
2049 * 3: a ticket was successfully decrypted and *ret was set. 2049 * 3: a ticket was successfully decrypted and *ret was set.
2050 * 2050 *
2051 * Side effects: 2051 * Side effects:
2052 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2052 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2053 * a new session ticket to the client because the client indicated support 2053 * a new session ticket to the client because the client indicated support
2054 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2054 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
2055 * a session ticket or we couldn't use the one it gave us, or if 2055 * a session ticket or we couldn't use the one it gave us, or if
2056 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2056 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2057 * Otherwise, s->tlsext_ticket_expected is set to 0. 2057 * Otherwise, s->tlsext_ticket_expected is set to 0.
@@ -2119,7 +2119,7 @@ tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2119 s->tlsext_ticket_expected = 1; 2119 s->tlsext_ticket_expected = 1;
2120 return 1; 2120 return 1;
2121 } 2121 }
2122 if (s->tls_session_secret_cb) { 2122 if (s->internal->tls_session_secret_cb) {
2123 /* Indicate that the ticket couldn't be 2123 /* Indicate that the ticket couldn't be
2124 * decrypted rather than generating the session 2124 * decrypted rather than generating the session
2125 * from ticket now, trigger abbreviated 2125 * from ticket now, trigger abbreviated
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-25 05:16:42 +0000