Move most of the fields in SSL_CTX to internal - the ones that remain are

known to be in use.

ok beck@

1 files changed, 57 insertions, 1 deletions

diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 60bb5597e8..83ffb1103f 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.155 2017/01/23 04:55:27 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.156 2017/01/23 05:13:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -451,6 +451,21 @@ typedef struct ssl_ctx_internal_st {
         int (*tlsext_status_cb)(SSL *ssl, void *arg);
         void *tlsext_status_arg;
 
+        struct lhash_st_SSL_SESSION *sessions;
+
+        /* Most session-ids that will be cached, default is
+         * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
+        unsigned long session_cache_size;
+        struct ssl_session_st *session_cache_head;
+        struct ssl_session_st *session_cache_tail;
+
+        /* This can have one of 2 values, ored together,
+         * SSL_SESS_CACHE_CLIENT,
+         * SSL_SESS_CACHE_SERVER,
+         * Default is SSL_SESSION_CACHE_SERVER, which means only
+         * SSL_accept which cache SSL_SESSIONS. */
+        int session_cache_mode;
+
         struct {
                 int sess_connect;       /* SSL new conn - started */
                 int sess_connect_renegotiate;/* SSL reneg - requested */
@@ -470,6 +485,47 @@ typedef struct ssl_ctx_internal_st {
                                          * processes - spooky :-) */
         } stats;
 
+        CRYPTO_EX_DATA ex_data;
+
+        /* same cipher_list but sorted for lookup */
+        STACK_OF(SSL_CIPHER) *cipher_list_by_id;
+
+        struct cert_st /* CERT */ *cert;
+
+        const EVP_MD *md5;      /* For SSLv3/TLSv1 'ssl3-md5' */
+        const EVP_MD *sha1;     /* For SSLv3/TLSv1 'ssl3-sha1' */
+
+        /* Default values used when no per-SSL value is defined follow */
+
+        /* what we put in client cert requests */
+        STACK_OF(X509_NAME) *client_CA;
+
+        long max_cert_list;
+
+        int read_ahead;
+
+        int quiet_shutdown;
+
+        /* Maximum amount of data to send in one fragment.
+         * actual record size can be more than this due to
+         * padding and MAC overheads.
+         */
+        unsigned int max_send_fragment;
+
+#ifndef OPENSSL_NO_ENGINE
+        /* Engine to pass requests for client certs to
+         */
+        ENGINE *client_cert_engine;
+#endif
+
+        /* RFC 4507 session ticket keys */
+        unsigned char tlsext_tick_key_name[16];
+        unsigned char tlsext_tick_hmac_key[16];
+        unsigned char tlsext_tick_aes_key[16];
+
+        /* SRTP profiles we are willing to do from RFC 5764 */
+        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+
         /* Next protocol negotiation information */
         /* (for experimental NPN extension). */