summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
authorjsing <>2017-01-23 05:13:02 +0000
committerjsing <>2017-01-23 05:13:02 +0000
commitf38881420fba9a207cd725b6a35181faeecf26b9 (patch)
tree50ca3784f76b348ba017005a955c6a288b176b57 /src/lib
parentc35f51566045be89c49b0a47e153fdb27ec20f8e (diff)
downloadopenbsd-f38881420fba9a207cd725b6a35181faeecf26b9.tar.gz
openbsd-f38881420fba9a207cd725b6a35181faeecf26b9.tar.bz2
openbsd-f38881420fba9a207cd725b6a35181faeecf26b9.zip
Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use. ok beck@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/d1_srtp.c8
-rw-r--r--src/lib/libssl/s3_clnt.c14
-rw-r--r--src/lib/libssl/s3_lib.c22
-rw-r--r--src/lib/libssl/s3_srvr.c16
-rw-r--r--src/lib/libssl/ssl.h55
-rw-r--r--src/lib/libssl/ssl_cert.c10
-rw-r--r--src/lib/libssl/ssl_lib.c147
-rw-r--r--src/lib/libssl/ssl_locl.h58
-rw-r--r--src/lib/libssl/ssl_rsa.c14
-rw-r--r--src/lib/libssl/ssl_sess.c56
-rw-r--r--src/lib/libssl/t1_lib.c11
11 files changed, 209 insertions, 202 deletions
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index 45ce5b8d3e..7b80d73d14 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srtp.c,v 1.15 2015/07/31 00:35:06 doug Exp $ */ 1/* $OpenBSD: d1_srtp.c,v 1.16 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -217,7 +217,7 @@ ssl_ctx_make_profiles(const char *profiles_string,
217int 217int
218SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) 218SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles)
219{ 219{
220 return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles); 220 return ssl_ctx_make_profiles(profiles, &ctx->internal->srtp_profiles);
221} 221}
222 222
223int 223int
@@ -234,8 +234,8 @@ SSL_get_srtp_profiles(SSL *s)
234 if (s->srtp_profiles != NULL) { 234 if (s->srtp_profiles != NULL) {
235 return s->srtp_profiles; 235 return s->srtp_profiles;
236 } else if ((s->ctx != NULL) && 236 } else if ((s->ctx != NULL) &&
237 (s->ctx->srtp_profiles != NULL)) { 237 (s->ctx->internal->srtp_profiles != NULL)) {
238 return s->ctx->srtp_profiles; 238 return s->ctx->internal->srtp_profiles;
239 } 239 }
240 } 240 }
241 241
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index c606091e10..8c1a87f38e 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.166 2017/01/23 04:55:26 beck Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.167 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1484,8 +1484,8 @@ ssl3_get_server_key_exchange(SSL *s)
1484 q = md_buf; 1484 q = md_buf;
1485 for (num = 2; num > 0; num--) { 1485 for (num = 2; num > 0; num--) {
1486 if (!EVP_DigestInit_ex(&md_ctx, 1486 if (!EVP_DigestInit_ex(&md_ctx,
1487 (num == 2) ? s->ctx->md5 : s->ctx->sha1, 1487 (num == 2) ? s->ctx->internal->md5 :
1488 NULL)) { 1488 s->ctx->internal->sha1, NULL)) {
1489 al = SSL_AD_INTERNAL_ERROR; 1489 al = SSL_AD_INTERNAL_ERROR;
1490 goto f_err; 1490 goto f_err;
1491 } 1491 }
@@ -2755,10 +2755,10 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2755 int i = 0; 2755 int i = 0;
2756 2756
2757#ifndef OPENSSL_NO_ENGINE 2757#ifndef OPENSSL_NO_ENGINE
2758 if (s->ctx->client_cert_engine) { 2758 if (s->ctx->internal->client_cert_engine) {
2759 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 2759 i = ENGINE_load_ssl_client_cert(
2760 SSL_get_client_CA_list(s), 2760 s->ctx->internal->client_cert_engine, s,
2761 px509, ppkey, NULL, NULL, NULL); 2761 SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL);
2762 if (i != 0) 2762 if (i != 0)
2763 return (i); 2763 return (i);
2764 } 2764 }
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 8e52c8bb4a..3e44d5e4c1 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.123 2017/01/23 04:55:26 beck Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.124 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2195,7 +2195,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2195{ 2195{
2196 CERT *cert; 2196 CERT *cert;
2197 2197
2198 cert = ctx->cert; 2198 cert = ctx->internal->cert;
2199 2199
2200 switch (cmd) { 2200 switch (cmd) {
2201 case SSL_CTRL_NEED_TMP_RSA: 2201 case SSL_CTRL_NEED_TMP_RSA:
@@ -2225,7 +2225,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2225 return (0); 2225 return (0);
2226 2226
2227 case SSL_CTRL_SET_DH_AUTO: 2227 case SSL_CTRL_SET_DH_AUTO:
2228 ctx->cert->dh_tmp_auto = larg; 2228 ctx->internal->cert->dh_tmp_auto = larg;
2229 return (1); 2229 return (1);
2230 2230
2231 case SSL_CTRL_SET_TMP_ECDH: 2231 case SSL_CTRL_SET_TMP_ECDH:
@@ -2279,16 +2279,16 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2279 return 0; 2279 return 0;
2280 } 2280 }
2281 if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { 2281 if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
2282 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2282 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2283 memcpy(ctx->tlsext_tick_hmac_key, 2283 memcpy(ctx->internal->tlsext_tick_hmac_key,
2284 keys + 16, 16); 2284 keys + 16, 16);
2285 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2285 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2286 } else { 2286 } else {
2287 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2287 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2288 memcpy(keys + 16, 2288 memcpy(keys + 16,
2289 ctx->tlsext_tick_hmac_key, 16); 2289 ctx->internal->tlsext_tick_hmac_key, 16);
2290 memcpy(keys + 32, 2290 memcpy(keys + 32,
2291 ctx->tlsext_tick_aes_key, 16); 2291 ctx->internal->tlsext_tick_aes_key, 16);
2292 } 2292 }
2293 return 1; 2293 return 1;
2294 } 2294 }
@@ -2299,7 +2299,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2299 break; 2299 break;
2300 2300
2301 case SSL_CTRL_SET_ECDH_AUTO: 2301 case SSL_CTRL_SET_ECDH_AUTO:
2302 ctx->cert->ecdh_tmp_auto = larg; 2302 ctx->internal->cert->ecdh_tmp_auto = larg;
2303 return 1; 2303 return 1;
2304 2304
2305 /* A Thawte special :-) */ 2305 /* A Thawte special :-) */
@@ -2333,7 +2333,7 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2333{ 2333{
2334 CERT *cert; 2334 CERT *cert;
2335 2335
2336 cert = ctx->cert; 2336 cert = ctx->internal->cert;
2337 2337
2338 switch (cmd) { 2338 switch (cmd) {
2339 case SSL_CTRL_SET_TMP_RSA_CB: 2339 case SSL_CTRL_SET_TMP_RSA_CB:
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 21849487ea..5717d5edda 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.145 2017/01/23 04:55:27 beck Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.146 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1129,7 +1129,7 @@ ssl3_send_server_hello(SSL *s)
1129 * so the following won't overwrite an ID that we're supposed 1129 * so the following won't overwrite an ID that we're supposed
1130 * to send back. 1130 * to send back.
1131 */ 1131 */
1132 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1132 if (!(s->ctx->internal->session_cache_mode & SSL_SESS_CACHE_SERVER)
1133 && !s->hit) 1133 && !s->hit)
1134 s->session->session_id_length = 0; 1134 s->session->session_id_length = 0;
1135 1135
@@ -1553,8 +1553,8 @@ ssl3_send_server_key_exchange(SSL *s)
1553 j = 0; 1553 j = 0;
1554 for (num = 2; num > 0; num--) { 1554 for (num = 2; num > 0; num--) {
1555 if (!EVP_DigestInit_ex(&md_ctx, 1555 if (!EVP_DigestInit_ex(&md_ctx,
1556 (num == 2) ? s->ctx->md5 : 1556 (num == 2) ? s->ctx->internal->md5 :
1557 s->ctx->sha1, NULL)) 1557 s->ctx->internal->sha1, NULL))
1558 goto err; 1558 goto err;
1559 EVP_DigestUpdate(&md_ctx, 1559 EVP_DigestUpdate(&md_ctx,
1560 s->s3->client_random, 1560 s->s3->client_random,
@@ -2751,10 +2751,10 @@ ssl3_send_newsession_ticket(SSL *s)
2751 } else { 2751 } else {
2752 arc4random_buf(iv, 16); 2752 arc4random_buf(iv, 16);
2753 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2753 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2754 tctx->tlsext_tick_aes_key, iv); 2754 tctx->internal->tlsext_tick_aes_key, iv);
2755 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2755 HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key,
2756 tlsext_tick_md(), NULL); 2756 16, tlsext_tick_md(), NULL);
2757 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 2757 memcpy(key_name, tctx->internal->tlsext_tick_key_name, 16);
2758 } 2758 }
2759 2759
2760 /* 2760 /*
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 4080af8999..9fc6c5e976 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.111 2017/01/23 04:55:27 beck Exp $ */ 1/* $OpenBSD: ssl.h,v 1.112 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -689,23 +689,8 @@ struct ssl_ctx_st {
689 const SSL_METHOD *method; 689 const SSL_METHOD *method;
690 690
691 STACK_OF(SSL_CIPHER) *cipher_list; 691 STACK_OF(SSL_CIPHER) *cipher_list;
692 /* same as above but sorted for lookup */
693 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
694 692
695 struct x509_store_st /* X509_STORE */ *cert_store; 693 struct x509_store_st /* X509_STORE */ *cert_store;
696 struct lhash_st_SSL_SESSION *sessions;
697 /* Most session-ids that will be cached, default is
698 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
699 unsigned long session_cache_size;
700 struct ssl_session_st *session_cache_head;
701 struct ssl_session_st *session_cache_tail;
702
703 /* This can have one of 2 values, ored together,
704 * SSL_SESS_CACHE_CLIENT,
705 * SSL_SESS_CACHE_SERVER,
706 * Default is SSL_SESSION_CACHE_SERVER, which means only
707 * SSL_accept which cache SSL_SESSIONS. */
708 int session_cache_mode;
709 694
710 /* If timeout is not 0, it is the default timeout value set 695 /* If timeout is not 0, it is the default timeout value set
711 * when SSL_new() is called. This has been put in to make 696 * when SSL_new() is called. This has been put in to make
@@ -714,26 +699,12 @@ struct ssl_ctx_st {
714 699
715 int references; 700 int references;
716 701
717 CRYPTO_EX_DATA ex_data;
718
719 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
720 const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */
721
722 STACK_OF(X509) *extra_certs;
723
724 /* Default values used when no per-SSL value is defined follow */
725
726 /* what we put in client cert requests */
727 STACK_OF(X509_NAME) *client_CA;
728
729 /* Default values to use in SSL structures follow (these are copied by SSL_new) */ 702 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
730 703
731 unsigned long options; 704 unsigned long options;
732 unsigned long mode; 705 unsigned long mode;
733 long max_cert_list;
734 706
735 struct cert_st /* CERT */ *cert; 707 STACK_OF(X509) *extra_certs;
736 int read_ahead;
737 708
738 int verify_mode; 709 int verify_mode;
739 unsigned int sid_ctx_length; 710 unsigned int sid_ctx_length;
@@ -741,28 +712,6 @@ struct ssl_ctx_st {
741 712
742 X509_VERIFY_PARAM *param; 713 X509_VERIFY_PARAM *param;
743 714
744 int quiet_shutdown;
745
746 /* Maximum amount of data to send in one fragment.
747 * actual record size can be more than this due to
748 * padding and MAC overheads.
749 */
750 unsigned int max_send_fragment;
751
752#ifndef OPENSSL_NO_ENGINE
753 /* Engine to pass requests for client certs to
754 */
755 ENGINE *client_cert_engine;
756#endif
757
758 /* RFC 4507 session ticket keys */
759 unsigned char tlsext_tick_key_name[16];
760 unsigned char tlsext_tick_hmac_key[16];
761 unsigned char tlsext_tick_aes_key[16];
762
763 /* SRTP profiles we are willing to do from RFC 5764 */
764 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
765
766 struct ssl_ctx_internal_st *internal; 715 struct ssl_ctx_internal_st *internal;
767}; 716};
768 717
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 13591aec9c..496fcf85bc 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.56 2017/01/23 04:55:27 beck Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.57 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -492,13 +492,13 @@ SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
492void 492void
493SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) 493SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
494{ 494{
495 set_client_CA_list(&(ctx->client_CA), name_list); 495 set_client_CA_list(&(ctx->internal->client_CA), name_list);
496} 496}
497 497
498STACK_OF(X509_NAME) * 498STACK_OF(X509_NAME) *
499SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) 499SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
500{ 500{
501 return (ctx->client_CA); 501 return (ctx->internal->client_CA);
502} 502}
503 503
504STACK_OF(X509_NAME) * 504STACK_OF(X509_NAME) *
@@ -515,7 +515,7 @@ SSL_get_client_CA_list(const SSL *s)
515 if (s->client_CA != NULL) 515 if (s->client_CA != NULL)
516 return (s->client_CA); 516 return (s->client_CA);
517 else 517 else
518 return (s->ctx->client_CA); 518 return (s->ctx->internal->client_CA);
519 } 519 }
520} 520}
521 521
@@ -548,7 +548,7 @@ SSL_add_client_CA(SSL *ssl, X509 *x)
548int 548int
549SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) 549SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
550{ 550{
551 return (add_client_CA(&(ctx->client_CA), x)); 551 return (add_client_CA(&(ctx->internal->client_CA), x));
552} 552}
553 553
554static int 554static int
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index c9af96e48e..036a13b36a 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.133 2017/01/23 04:55:27 beck Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.134 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -251,7 +251,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
251 ctx->method = meth; 251 ctx->method = meth;
252 252
253 sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), 253 sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
254 &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); 254 &(ctx->internal->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST);
255 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { 255 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
256 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, 256 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,
257 SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 257 SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
@@ -286,9 +286,9 @@ SSL_new(SSL_CTX *ctx)
286 286
287 s->options = ctx->options; 287 s->options = ctx->options;
288 s->mode = ctx->mode; 288 s->mode = ctx->mode;
289 s->max_cert_list = ctx->max_cert_list; 289 s->max_cert_list = ctx->internal->max_cert_list;
290 290
291 if (ctx->cert != NULL) { 291 if (ctx->internal->cert != NULL) {
292 /* 292 /*
293 * Earlier library versions used to copy the pointer to 293 * Earlier library versions used to copy the pointer to
294 * the CERT, not its contents; only when setting new 294 * the CERT, not its contents; only when setting new
@@ -300,13 +300,13 @@ SSL_new(SSL_CTX *ctx)
300 * Now we don't look at the SSL_CTX's CERT after having 300 * Now we don't look at the SSL_CTX's CERT after having
301 * duplicated it once. 301 * duplicated it once.
302 */ 302 */
303 s->cert = ssl_cert_dup(ctx->cert); 303 s->cert = ssl_cert_dup(ctx->internal->cert);
304 if (s->cert == NULL) 304 if (s->cert == NULL)
305 goto err; 305 goto err;
306 } else 306 } else
307 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ 307 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
308 308
309 s->read_ahead = ctx->read_ahead; 309 s->read_ahead = ctx->internal->read_ahead;
310 s->internal->msg_callback = ctx->internal->msg_callback; 310 s->internal->msg_callback = ctx->internal->msg_callback;
311 s->internal->msg_callback_arg = ctx->internal->msg_callback_arg; 311 s->internal->msg_callback_arg = ctx->internal->msg_callback_arg;
312 s->verify_mode = ctx->verify_mode; 312 s->verify_mode = ctx->verify_mode;
@@ -320,8 +320,8 @@ SSL_new(SSL_CTX *ctx)
320 if (!s->param) 320 if (!s->param)
321 goto err; 321 goto err;
322 X509_VERIFY_PARAM_inherit(s->param, ctx->param); 322 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
323 s->quiet_shutdown = ctx->quiet_shutdown; 323 s->quiet_shutdown = ctx->internal->quiet_shutdown;
324 s->max_send_fragment = ctx->max_send_fragment; 324 s->max_send_fragment = ctx->internal->max_send_fragment;
325 325
326 CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); 326 CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
327 s->ctx = ctx; 327 s->ctx = ctx;
@@ -441,7 +441,7 @@ SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
441 memcpy(r.session_id, id, id_len); 441 memcpy(r.session_id, id, id_len);
442 442
443 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 443 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
444 p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r); 444 p = lh_SSL_SESSION_retrieve(ssl->ctx->internal->sessions, &r);
445 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 445 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
446 return (p != NULL); 446 return (p != NULL);
447} 447}
@@ -876,19 +876,19 @@ SSL_copy_session_id(SSL *t, const SSL *f)
876int 876int
877SSL_CTX_check_private_key(const SSL_CTX *ctx) 877SSL_CTX_check_private_key(const SSL_CTX *ctx)
878{ 878{
879 if ((ctx == NULL) || (ctx->cert == NULL) || 879 if ((ctx == NULL) || (ctx->internal->cert == NULL) ||
880 (ctx->cert->key->x509 == NULL)) { 880 (ctx->internal->cert->key->x509 == NULL)) {
881 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, 881 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
882 SSL_R_NO_CERTIFICATE_ASSIGNED); 882 SSL_R_NO_CERTIFICATE_ASSIGNED);
883 return (0); 883 return (0);
884 } 884 }
885 if (ctx->cert->key->privatekey == NULL) { 885 if (ctx->internal->cert->key->privatekey == NULL) {
886 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, 886 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
887 SSL_R_NO_PRIVATE_KEY_ASSIGNED); 887 SSL_R_NO_PRIVATE_KEY_ASSIGNED);
888 return (0); 888 return (0);
889 } 889 }
890 return (X509_check_private_key(ctx->cert->key->x509, 890 return (X509_check_private_key(ctx->internal->cert->key->x509,
891 ctx->cert->key->privatekey)); 891 ctx->internal->cert->key->privatekey));
892} 892}
893 893
894/* Fix this function so that it takes an optional type parameter */ 894/* Fix this function so that it takes an optional type parameter */
@@ -1114,7 +1114,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1114struct lhash_st_SSL_SESSION * 1114struct lhash_st_SSL_SESSION *
1115SSL_CTX_sessions(SSL_CTX *ctx) 1115SSL_CTX_sessions(SSL_CTX *ctx)
1116{ 1116{
1117 return (ctx->sessions); 1117 return (ctx->internal->sessions);
1118} 1118}
1119 1119
1120long 1120long
@@ -1124,10 +1124,10 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1124 1124
1125 switch (cmd) { 1125 switch (cmd) {
1126 case SSL_CTRL_GET_READ_AHEAD: 1126 case SSL_CTRL_GET_READ_AHEAD:
1127 return (ctx->read_ahead); 1127 return (ctx->internal->read_ahead);
1128 case SSL_CTRL_SET_READ_AHEAD: 1128 case SSL_CTRL_SET_READ_AHEAD:
1129 l = ctx->read_ahead; 1129 l = ctx->internal->read_ahead;
1130 ctx->read_ahead = larg; 1130 ctx->internal->read_ahead = larg;
1131 return (l); 1131 return (l);
1132 1132
1133 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 1133 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
@@ -1135,27 +1135,27 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1135 return (1); 1135 return (1);
1136 1136
1137 case SSL_CTRL_GET_MAX_CERT_LIST: 1137 case SSL_CTRL_GET_MAX_CERT_LIST:
1138 return (ctx->max_cert_list); 1138 return (ctx->internal->max_cert_list);
1139 case SSL_CTRL_SET_MAX_CERT_LIST: 1139 case SSL_CTRL_SET_MAX_CERT_LIST:
1140 l = ctx->max_cert_list; 1140 l = ctx->internal->max_cert_list;
1141 ctx->max_cert_list = larg; 1141 ctx->internal->max_cert_list = larg;
1142 return (l); 1142 return (l);
1143 1143
1144 case SSL_CTRL_SET_SESS_CACHE_SIZE: 1144 case SSL_CTRL_SET_SESS_CACHE_SIZE:
1145 l = ctx->session_cache_size; 1145 l = ctx->internal->session_cache_size;
1146 ctx->session_cache_size = larg; 1146 ctx->internal->session_cache_size = larg;
1147 return (l); 1147 return (l);
1148 case SSL_CTRL_GET_SESS_CACHE_SIZE: 1148 case SSL_CTRL_GET_SESS_CACHE_SIZE:
1149 return (ctx->session_cache_size); 1149 return (ctx->internal->session_cache_size);
1150 case SSL_CTRL_SET_SESS_CACHE_MODE: 1150 case SSL_CTRL_SET_SESS_CACHE_MODE:
1151 l = ctx->session_cache_mode; 1151 l = ctx->internal->session_cache_mode;
1152 ctx->session_cache_mode = larg; 1152 ctx->internal->session_cache_mode = larg;
1153 return (l); 1153 return (l);
1154 case SSL_CTRL_GET_SESS_CACHE_MODE: 1154 case SSL_CTRL_GET_SESS_CACHE_MODE:
1155 return (ctx->session_cache_mode); 1155 return (ctx->internal->session_cache_mode);
1156 1156
1157 case SSL_CTRL_SESS_NUMBER: 1157 case SSL_CTRL_SESS_NUMBER:
1158 return (lh_SSL_SESSION_num_items(ctx->sessions)); 1158 return (lh_SSL_SESSION_num_items(ctx->internal->sessions));
1159 case SSL_CTRL_SESS_CONNECT: 1159 case SSL_CTRL_SESS_CONNECT:
1160 return (ctx->internal->stats.sess_connect); 1160 return (ctx->internal->stats.sess_connect);
1161 case SSL_CTRL_SESS_CONNECT_GOOD: 1161 case SSL_CTRL_SESS_CONNECT_GOOD:
@@ -1189,7 +1189,7 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1189 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 1189 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1190 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 1190 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1191 return (0); 1191 return (0);
1192 ctx->max_send_fragment = larg; 1192 ctx->internal->max_send_fragment = larg;
1193 return (1); 1193 return (1);
1194 default: 1194 default:
1195 return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); 1195 return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg));
@@ -1264,8 +1264,8 @@ ssl_get_ciphers_by_id(SSL *s)
1264 if (s->cipher_list_by_id != NULL) { 1264 if (s->cipher_list_by_id != NULL) {
1265 return (s->cipher_list_by_id); 1265 return (s->cipher_list_by_id);
1266 } else if ((s->ctx != NULL) && 1266 } else if ((s->ctx != NULL) &&
1267 (s->ctx->cipher_list_by_id != NULL)) { 1267 (s->ctx->internal->cipher_list_by_id != NULL)) {
1268 return (s->ctx->cipher_list_by_id); 1268 return (s->ctx->internal->cipher_list_by_id);
1269 } 1269 }
1270 } 1270 }
1271 return (NULL); 1271 return (NULL);
@@ -1296,14 +1296,14 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1296 STACK_OF(SSL_CIPHER) *sk; 1296 STACK_OF(SSL_CIPHER) *sk;
1297 1297
1298 sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, 1298 sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
1299 &ctx->cipher_list_by_id, str); 1299 &ctx->internal->cipher_list_by_id, str);
1300 /* 1300 /*
1301 * ssl_create_cipher_list may return an empty stack if it 1301 * ssl_create_cipher_list may return an empty stack if it
1302 * was unable to find a cipher matching the given rule string 1302 * was unable to find a cipher matching the given rule string
1303 * (for example if the rule string specifies a cipher which 1303 * (for example if the rule string specifies a cipher which
1304 * has been disabled). This is not an error as far as 1304 * has been disabled). This is not an error as far as
1305 * ssl_create_cipher_list is concerned, and hence 1305 * ssl_create_cipher_list is concerned, and hence
1306 * ctx->cipher_list and ctx->cipher_list_by_id has been 1306 * ctx->cipher_list and ctx->internal->cipher_list_by_id has been
1307 * updated. 1307 * updated.
1308 */ 1308 */
1309 if (sk == NULL) 1309 if (sk == NULL)
@@ -1823,10 +1823,10 @@ SSL_CTX_new(const SSL_METHOD *meth)
1823 ret->method = meth; 1823 ret->method = meth;
1824 1824
1825 ret->cert_store = NULL; 1825 ret->cert_store = NULL;
1826 ret->session_cache_mode = SSL_SESS_CACHE_SERVER; 1826 ret->internal->session_cache_mode = SSL_SESS_CACHE_SERVER;
1827 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 1827 ret->internal->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
1828 ret->session_cache_head = NULL; 1828 ret->internal->session_cache_head = NULL;
1829 ret->session_cache_tail = NULL; 1829 ret->internal->session_cache_tail = NULL;
1830 1830
1831 /* We take the system default */ 1831 /* We take the system default */
1832 ret->session_timeout = meth->get_timeout(); 1832 ret->session_timeout = meth->get_timeout();
@@ -1839,21 +1839,21 @@ SSL_CTX_new(const SSL_METHOD *meth)
1839 memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats)); 1839 memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats));
1840 1840
1841 ret->references = 1; 1841 ret->references = 1;
1842 ret->quiet_shutdown = 0; 1842 ret->internal->quiet_shutdown = 0;
1843 1843
1844 ret->internal->info_callback = NULL; 1844 ret->internal->info_callback = NULL;
1845 1845
1846 ret->internal->app_verify_callback = 0; 1846 ret->internal->app_verify_callback = 0;
1847 ret->internal->app_verify_arg = NULL; 1847 ret->internal->app_verify_arg = NULL;
1848 1848
1849 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; 1849 ret->internal->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
1850 ret->read_ahead = 0; 1850 ret->internal->read_ahead = 0;
1851 ret->internal->msg_callback = 0; 1851 ret->internal->msg_callback = 0;
1852 ret->internal->msg_callback_arg = NULL; 1852 ret->internal->msg_callback_arg = NULL;
1853 ret->verify_mode = SSL_VERIFY_NONE; 1853 ret->verify_mode = SSL_VERIFY_NONE;
1854 ret->sid_ctx_length = 0; 1854 ret->sid_ctx_length = 0;
1855 ret->internal->default_verify_callback = NULL; 1855 ret->internal->default_verify_callback = NULL;
1856 if ((ret->cert = ssl_cert_new()) == NULL) 1856 if ((ret->internal->cert = ssl_cert_new()) == NULL)
1857 goto err; 1857 goto err;
1858 1858
1859 ret->internal->default_passwd_callback = 0; 1859 ret->internal->default_passwd_callback = 0;
@@ -1862,15 +1862,15 @@ SSL_CTX_new(const SSL_METHOD *meth)
1862 ret->internal->app_gen_cookie_cb = 0; 1862 ret->internal->app_gen_cookie_cb = 0;
1863 ret->internal->app_verify_cookie_cb = 0; 1863 ret->internal->app_verify_cookie_cb = 0;
1864 1864
1865 ret->sessions = lh_SSL_SESSION_new(); 1865 ret->internal->sessions = lh_SSL_SESSION_new();
1866 if (ret->sessions == NULL) 1866 if (ret->internal->sessions == NULL)
1867 goto err; 1867 goto err;
1868 ret->cert_store = X509_STORE_new(); 1868 ret->cert_store = X509_STORE_new();
1869 if (ret->cert_store == NULL) 1869 if (ret->cert_store == NULL)
1870 goto err; 1870 goto err;
1871 1871
1872 ssl_create_cipher_list(ret->method, &ret->cipher_list, 1872 ssl_create_cipher_list(ret->method, &ret->cipher_list,
1873 &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); 1873 &ret->internal->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST);
1874 if (ret->cipher_list == NULL || 1874 if (ret->cipher_list == NULL ||
1875 sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { 1875 sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
1876 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); 1876 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
@@ -1881,41 +1881,42 @@ SSL_CTX_new(const SSL_METHOD *meth)
1881 if (!ret->param) 1881 if (!ret->param)
1882 goto err; 1882 goto err;
1883 1883
1884 if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { 1884 if ((ret->internal->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
1885 SSLerr(SSL_F_SSL_CTX_NEW, 1885 SSLerr(SSL_F_SSL_CTX_NEW,
1886 SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); 1886 SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
1887 goto err2; 1887 goto err2;
1888 } 1888 }
1889 if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { 1889 if ((ret->internal->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
1890 SSLerr(SSL_F_SSL_CTX_NEW, 1890 SSLerr(SSL_F_SSL_CTX_NEW,
1891 SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); 1891 SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
1892 goto err2; 1892 goto err2;
1893 } 1893 }
1894 1894
1895 if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) 1895 if ((ret->internal->client_CA = sk_X509_NAME_new_null()) == NULL)
1896 goto err; 1896 goto err;
1897 1897
1898 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); 1898 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->internal->ex_data);
1899 1899
1900 ret->extra_certs = NULL; 1900 ret->extra_certs = NULL;
1901 1901
1902 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1902 ret->internal->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1903 1903
1904 ret->internal->tlsext_servername_callback = 0; 1904 ret->internal->tlsext_servername_callback = 0;
1905 ret->internal->tlsext_servername_arg = NULL; 1905 ret->internal->tlsext_servername_arg = NULL;
1906 1906
1907 /* Setup RFC4507 ticket keys */ 1907 /* Setup RFC4507 ticket keys */
1908 arc4random_buf(ret->tlsext_tick_key_name, 16); 1908 arc4random_buf(ret->internal->tlsext_tick_key_name, 16);
1909 arc4random_buf(ret->tlsext_tick_hmac_key, 16); 1909 arc4random_buf(ret->internal->tlsext_tick_hmac_key, 16);
1910 arc4random_buf(ret->tlsext_tick_aes_key, 16); 1910 arc4random_buf(ret->internal->tlsext_tick_aes_key, 16);
1911 1911
1912 ret->internal->tlsext_status_cb = 0; 1912 ret->internal->tlsext_status_cb = 0;
1913 ret->internal->tlsext_status_arg = NULL; 1913 ret->internal->tlsext_status_arg = NULL;
1914 1914
1915 ret->internal->next_protos_advertised_cb = 0; 1915 ret->internal->next_protos_advertised_cb = 0;
1916 ret->internal->next_proto_select_cb = 0; 1916 ret->internal->next_proto_select_cb = 0;
1917
1917#ifndef OPENSSL_NO_ENGINE 1918#ifndef OPENSSL_NO_ENGINE
1918 ret->client_cert_engine = NULL; 1919 ret->internal->client_cert_engine = NULL;
1919#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO 1920#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
1920#define eng_strx(x) #x 1921#define eng_strx(x) #x
1921#define eng_str(x) eng_strx(x) 1922#define eng_str(x) eng_strx(x)
@@ -1972,35 +1973,35 @@ SSL_CTX_free(SSL_CTX *a)
1972 * free ex_data, then finally free the cache. 1973 * free ex_data, then finally free the cache.
1973 * (See ticket [openssl.org #212].) 1974 * (See ticket [openssl.org #212].)
1974 */ 1975 */
1975 if (a->sessions != NULL) 1976 if (a->internal->sessions != NULL)
1976 SSL_CTX_flush_sessions(a, 0); 1977 SSL_CTX_flush_sessions(a, 0);
1977 1978
1978 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); 1979 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->internal->ex_data);
1979 1980
1980 if (a->sessions != NULL) 1981 if (a->internal->sessions != NULL)
1981 lh_SSL_SESSION_free(a->sessions); 1982 lh_SSL_SESSION_free(a->internal->sessions);
1982 1983
1983 if (a->cert_store != NULL) 1984 if (a->cert_store != NULL)
1984 X509_STORE_free(a->cert_store); 1985 X509_STORE_free(a->cert_store);
1985 if (a->cipher_list != NULL) 1986 if (a->cipher_list != NULL)
1986 sk_SSL_CIPHER_free(a->cipher_list); 1987 sk_SSL_CIPHER_free(a->cipher_list);
1987 if (a->cipher_list_by_id != NULL) 1988 if (a->internal->cipher_list_by_id != NULL)
1988 sk_SSL_CIPHER_free(a->cipher_list_by_id); 1989 sk_SSL_CIPHER_free(a->internal->cipher_list_by_id);
1989 if (a->cert != NULL) 1990 if (a->internal->cert != NULL)
1990 ssl_cert_free(a->cert); 1991 ssl_cert_free(a->internal->cert);
1991 if (a->client_CA != NULL) 1992 if (a->internal->client_CA != NULL)
1992 sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); 1993 sk_X509_NAME_pop_free(a->internal->client_CA, X509_NAME_free);
1993 if (a->extra_certs != NULL) 1994 if (a->extra_certs != NULL)
1994 sk_X509_pop_free(a->extra_certs, X509_free); 1995 sk_X509_pop_free(a->extra_certs, X509_free);
1995 1996
1996#ifndef OPENSSL_NO_SRTP 1997#ifndef OPENSSL_NO_SRTP
1997 if (a->srtp_profiles) 1998 if (a->internal->srtp_profiles)
1998 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); 1999 sk_SRTP_PROTECTION_PROFILE_free(a->internal->srtp_profiles);
1999#endif 2000#endif
2000 2001
2001#ifndef OPENSSL_NO_ENGINE 2002#ifndef OPENSSL_NO_ENGINE
2002 if (a->client_cert_engine) 2003 if (a->internal->client_cert_engine)
2003 ENGINE_finish(a->client_cert_engine); 2004 ENGINE_finish(a->internal->client_cert_engine);
2004#endif 2005#endif
2005 2006
2006 free(a->internal->alpn_client_proto_list); 2007 free(a->internal->alpn_client_proto_list);
@@ -2272,7 +2273,7 @@ ssl_update_cache(SSL *s, int mode)
2272 if (s->session->session_id_length == 0) 2273 if (s->session->session_id_length == 0)
2273 return; 2274 return;
2274 2275
2275 i = s->session_ctx->session_cache_mode; 2276 i = s->session_ctx->internal->session_cache_mode;
2276 if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) 2277 if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
2277 || SSL_CTX_add_session(s->session_ctx, s->session)) 2278 || SSL_CTX_add_session(s->session_ctx, s->session))
2278 && (s->session_ctx->internal->new_session_cb != NULL)) { 2279 && (s->session_ctx->internal->new_session_cb != NULL)) {
@@ -2839,13 +2840,13 @@ ssl_free_wbio_buffer(SSL *s)
2839void 2840void
2840SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) 2841SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
2841{ 2842{
2842 ctx->quiet_shutdown = mode; 2843 ctx->internal->quiet_shutdown = mode;
2843} 2844}
2844 2845
2845int 2846int
2846SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) 2847SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
2847{ 2848{
2848 return (ctx->quiet_shutdown); 2849 return (ctx->internal->quiet_shutdown);
2849} 2850}
2850 2851
2851void 2852void
@@ -2893,7 +2894,7 @@ SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
2893 return (ssl->ctx); 2894 return (ssl->ctx);
2894 if (ctx == NULL) 2895 if (ctx == NULL)
2895 ctx = ssl->initial_ctx; 2896 ctx = ssl->initial_ctx;
2896 ssl->cert = ssl_cert_dup(ctx->cert); 2897 ssl->cert = ssl_cert_dup(ctx->internal->cert);
2897 if (ocert != NULL) { 2898 if (ocert != NULL) {
2898 int i; 2899 int i;
2899 /* Copy negotiated digests from original certificate. */ 2900 /* Copy negotiated digests from original certificate. */
@@ -2992,13 +2993,13 @@ SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
2992int 2993int
2993SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) 2994SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
2994{ 2995{
2995 return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); 2996 return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg));
2996} 2997}
2997 2998
2998void * 2999void *
2999SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) 3000SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
3000{ 3001{
3001 return (CRYPTO_get_ex_data(&s->ex_data, idx)); 3002 return (CRYPTO_get_ex_data(&s->internal->ex_data, idx));
3002} 3003}
3003 3004
3004int 3005int
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 60bb5597e8..83ffb1103f 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.155 2017/01/23 04:55:27 beck Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.156 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -451,6 +451,21 @@ typedef struct ssl_ctx_internal_st {
451 int (*tlsext_status_cb)(SSL *ssl, void *arg); 451 int (*tlsext_status_cb)(SSL *ssl, void *arg);
452 void *tlsext_status_arg; 452 void *tlsext_status_arg;
453 453
454 struct lhash_st_SSL_SESSION *sessions;
455
456 /* Most session-ids that will be cached, default is
457 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
458 unsigned long session_cache_size;
459 struct ssl_session_st *session_cache_head;
460 struct ssl_session_st *session_cache_tail;
461
462 /* This can have one of 2 values, ored together,
463 * SSL_SESS_CACHE_CLIENT,
464 * SSL_SESS_CACHE_SERVER,
465 * Default is SSL_SESSION_CACHE_SERVER, which means only
466 * SSL_accept which cache SSL_SESSIONS. */
467 int session_cache_mode;
468
454 struct { 469 struct {
455 int sess_connect; /* SSL new conn - started */ 470 int sess_connect; /* SSL new conn - started */
456 int sess_connect_renegotiate;/* SSL reneg - requested */ 471 int sess_connect_renegotiate;/* SSL reneg - requested */
@@ -470,6 +485,47 @@ typedef struct ssl_ctx_internal_st {
470 * processes - spooky :-) */ 485 * processes - spooky :-) */
471 } stats; 486 } stats;
472 487
488 CRYPTO_EX_DATA ex_data;
489
490 /* same cipher_list but sorted for lookup */
491 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
492
493 struct cert_st /* CERT */ *cert;
494
495 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
496 const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */
497
498 /* Default values used when no per-SSL value is defined follow */
499
500 /* what we put in client cert requests */
501 STACK_OF(X509_NAME) *client_CA;
502
503 long max_cert_list;
504
505 int read_ahead;
506
507 int quiet_shutdown;
508
509 /* Maximum amount of data to send in one fragment.
510 * actual record size can be more than this due to
511 * padding and MAC overheads.
512 */
513 unsigned int max_send_fragment;
514
515#ifndef OPENSSL_NO_ENGINE
516 /* Engine to pass requests for client certs to
517 */
518 ENGINE *client_cert_engine;
519#endif
520
521 /* RFC 4507 session ticket keys */
522 unsigned char tlsext_tick_key_name[16];
523 unsigned char tlsext_tick_hmac_key[16];
524 unsigned char tlsext_tick_aes_key[16];
525
526 /* SRTP profiles we are willing to do from RFC 5764 */
527 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
528
473 /* Next protocol negotiation information */ 529 /* Next protocol negotiation information */
474 /* (for experimental NPN extension). */ 530 /* (for experimental NPN extension). */
475 531
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 647cc4bfd8..cbb1c0b562 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_rsa.c,v 1.22 2017/01/23 04:15:28 jsing Exp $ */ 1/* $OpenBSD: ssl_rsa.c,v 1.23 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -353,11 +353,11 @@ SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
353 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 353 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
354 return (0); 354 return (0);
355 } 355 }
356 if (!ssl_cert_inst(&ctx->cert)) { 356 if (!ssl_cert_inst(&ctx->internal->cert)) {
357 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); 357 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
358 return (0); 358 return (0);
359 } 359 }
360 return (ssl_set_cert(ctx->cert, x)); 360 return (ssl_set_cert(ctx->internal->cert, x));
361} 361}
362 362
363static int 363static int
@@ -486,7 +486,7 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
486 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 486 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
487 return (0); 487 return (0);
488 } 488 }
489 if (!ssl_cert_inst(&ctx->cert)) { 489 if (!ssl_cert_inst(&ctx->internal->cert)) {
490 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); 490 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
491 return (0); 491 return (0);
492 } 492 }
@@ -498,7 +498,7 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
498 RSA_up_ref(rsa); 498 RSA_up_ref(rsa);
499 EVP_PKEY_assign_RSA(pkey, rsa); 499 EVP_PKEY_assign_RSA(pkey, rsa);
500 500
501 ret = ssl_set_pkey(ctx->cert, pkey); 501 ret = ssl_set_pkey(ctx->internal->cert, pkey);
502 EVP_PKEY_free(pkey); 502 EVP_PKEY_free(pkey);
503 return (ret); 503 return (ret);
504} 504}
@@ -569,11 +569,11 @@ SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
569 ERR_R_PASSED_NULL_PARAMETER); 569 ERR_R_PASSED_NULL_PARAMETER);
570 return (0); 570 return (0);
571 } 571 }
572 if (!ssl_cert_inst(&ctx->cert)) { 572 if (!ssl_cert_inst(&ctx->internal->cert)) {
573 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); 573 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
574 return (0); 574 return (0);
575 } 575 }
576 return (ssl_set_pkey(ctx->cert, pkey)); 576 return (ssl_set_pkey(ctx->internal->cert, pkey));
577} 577}
578 578
579int 579int
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 541b143384..c114e6ec07 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sess.c,v 1.59 2017/01/23 04:55:27 beck Exp $ */ 1/* $OpenBSD: ssl_sess.c,v 1.60 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -449,7 +449,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
449 } 449 }
450 450
451 if (try_session_cache && ret == NULL && 451 if (try_session_cache && ret == NULL &&
452 !(s->session_ctx->session_cache_mode & 452 !(s->session_ctx->internal->session_cache_mode &
453 SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { 453 SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
454 SSL_SESSION data; 454 SSL_SESSION data;
455 data.ssl_version = s->version; 455 data.ssl_version = s->version;
@@ -457,7 +457,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
457 memcpy(data.session_id, session_id, len); 457 memcpy(data.session_id, session_id, len);
458 458
459 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 459 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
460 ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data); 460 ret = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data);
461 if (ret != NULL) { 461 if (ret != NULL) {
462 /* Don't allow other threads to steal it. */ 462 /* Don't allow other threads to steal it. */
463 CRYPTO_add(&ret->references, 1, 463 CRYPTO_add(&ret->references, 1,
@@ -493,7 +493,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
493 * Add the externally cached session to the internal 493 * Add the externally cached session to the internal
494 * cache as well if and only if we are supposed to. 494 * cache as well if and only if we are supposed to.
495 */ 495 */
496 if (!(s->session_ctx->session_cache_mode & 496 if (!(s->session_ctx->internal->session_cache_mode &
497 SSL_SESS_CACHE_NO_INTERNAL_STORE)) 497 SSL_SESS_CACHE_NO_INTERNAL_STORE))
498 /* 498 /*
499 * The following should not return 1, 499 * The following should not return 1,
@@ -593,12 +593,12 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
593 * later. 593 * later.
594 */ 594 */
595 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 595 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
596 s = lh_SSL_SESSION_insert(ctx->sessions, c); 596 s = lh_SSL_SESSION_insert(ctx->internal->sessions, c);
597 597
598 /* 598 /*
599 * s != NULL iff we already had a session with the given PID. 599 * s != NULL iff we already had a session with the given PID.
600 * In this case, s == c should hold (then we did not really modify 600 * In this case, s == c should hold (then we did not really modify
601 * ctx->sessions), or we're in trouble. 601 * ctx->internal->sessions), or we're in trouble.
602 */ 602 */
603 if (s != NULL && s != c) { 603 if (s != NULL && s != c) {
604 /* We *are* in trouble ... */ 604 /* We *are* in trouble ... */
@@ -638,7 +638,7 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
638 while (SSL_CTX_sess_number(ctx) > 638 while (SSL_CTX_sess_number(ctx) >
639 SSL_CTX_sess_get_cache_size(ctx)) { 639 SSL_CTX_sess_get_cache_size(ctx)) {
640 if (!remove_session_lock(ctx, 640 if (!remove_session_lock(ctx,
641 ctx->session_cache_tail, 0)) 641 ctx->internal->session_cache_tail, 0))
642 break; 642 break;
643 else 643 else
644 ctx->internal->stats.sess_cache_full++; 644 ctx->internal->stats.sess_cache_full++;
@@ -664,9 +664,9 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
664 if ((c != NULL) && (c->session_id_length != 0)) { 664 if ((c != NULL) && (c->session_id_length != 0)) {
665 if (lck) 665 if (lck)
666 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 666 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
667 if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) { 667 if ((r = lh_SSL_SESSION_retrieve(ctx->internal->sessions, c)) == c) {
668 ret = 1; 668 ret = 1;
669 r = lh_SSL_SESSION_delete(ctx->sessions, c); 669 r = lh_SSL_SESSION_delete(ctx->internal->sessions, c);
670 SSL_SESSION_list_remove(ctx, c); 670 SSL_SESSION_list_remove(ctx, c);
671 } 671 }
672 if (lck) 672 if (lck)
@@ -934,7 +934,7 @@ SSL_CTX_flush_sessions(SSL_CTX *s, long t)
934 TIMEOUT_PARAM tp; 934 TIMEOUT_PARAM tp;
935 935
936 tp.ctx = s; 936 tp.ctx = s;
937 tp.cache = s->sessions; 937 tp.cache = s->internal->sessions;
938 if (tp.cache == NULL) 938 if (tp.cache == NULL)
939 return; 939 return;
940 tp.time = t; 940 tp.time = t;
@@ -965,23 +965,23 @@ SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
965 if ((s->next == NULL) || (s->prev == NULL)) 965 if ((s->next == NULL) || (s->prev == NULL))
966 return; 966 return;
967 967
968 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) { 968 if (s->next == (SSL_SESSION *)&(ctx->internal->session_cache_tail)) {
969 /* last element in list */ 969 /* last element in list */
970 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { 970 if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) {
971 /* only one element in list */ 971 /* only one element in list */
972 ctx->session_cache_head = NULL; 972 ctx->internal->session_cache_head = NULL;
973 ctx->session_cache_tail = NULL; 973 ctx->internal->session_cache_tail = NULL;
974 } else { 974 } else {
975 ctx->session_cache_tail = s->prev; 975 ctx->internal->session_cache_tail = s->prev;
976 s->prev->next = 976 s->prev->next =
977 (SSL_SESSION *)&(ctx->session_cache_tail); 977 (SSL_SESSION *)&(ctx->internal->session_cache_tail);
978 } 978 }
979 } else { 979 } else {
980 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { 980 if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) {
981 /* first element in list */ 981 /* first element in list */
982 ctx->session_cache_head = s->next; 982 ctx->internal->session_cache_head = s->next;
983 s->next->prev = 983 s->next->prev =
984 (SSL_SESSION *)&(ctx->session_cache_head); 984 (SSL_SESSION *)&(ctx->internal->session_cache_head);
985 } else { 985 } else {
986 /* middle of list */ 986 /* middle of list */
987 s->next->prev = s->prev; 987 s->next->prev = s->prev;
@@ -997,16 +997,16 @@ SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
997 if ((s->next != NULL) && (s->prev != NULL)) 997 if ((s->next != NULL) && (s->prev != NULL))
998 SSL_SESSION_list_remove(ctx, s); 998 SSL_SESSION_list_remove(ctx, s);
999 999
1000 if (ctx->session_cache_head == NULL) { 1000 if (ctx->internal->session_cache_head == NULL) {
1001 ctx->session_cache_head = s; 1001 ctx->internal->session_cache_head = s;
1002 ctx->session_cache_tail = s; 1002 ctx->internal->session_cache_tail = s;
1003 s->prev = (SSL_SESSION *)&(ctx->session_cache_head); 1003 s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head);
1004 s->next = (SSL_SESSION *)&(ctx->session_cache_tail); 1004 s->next = (SSL_SESSION *)&(ctx->internal->session_cache_tail);
1005 } else { 1005 } else {
1006 s->next = ctx->session_cache_head; 1006 s->next = ctx->internal->session_cache_head;
1007 s->next->prev = s; 1007 s->next->prev = s;
1008 s->prev = (SSL_SESSION *)&(ctx->session_cache_head); 1008 s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head);
1009 ctx->session_cache_head = s; 1009 ctx->internal->session_cache_head = s;
1010 } 1010 }
1011} 1011}
1012 1012
@@ -1091,7 +1091,7 @@ SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
1091 ENGINE_finish(e); 1091 ENGINE_finish(e);
1092 return 0; 1092 return 0;
1093 } 1093 }
1094 ctx->client_cert_engine = e; 1094 ctx->internal->client_cert_engine = e;
1095 return 1; 1095 return 1;
1096} 1096}
1097#endif 1097#endif
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b2d9883900..0dbd83fecf 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.101 2017/01/23 04:55:27 beck Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.102 2017/01/23 05:13:02 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2206,12 +2206,13 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2206 renew_ticket = 1; 2206 renew_ticket = 1;
2207 } else { 2207 } else {
2208 /* Check key name matches */ 2208 /* Check key name matches */
2209 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2209 if (timingsafe_memcmp(etick,
2210 tctx->internal->tlsext_tick_key_name, 16))
2210 return 2; 2211 return 2;
2211 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2212 HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key,
2212 tlsext_tick_md(), NULL); 2213 16, tlsext_tick_md(), NULL);
2213 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2214 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2214 tctx->tlsext_tick_aes_key, etick + 16); 2215 tctx->internal->tlsext_tick_aes_key, etick + 16);
2215 } 2216 }
2216 2217
2217 /* 2218 /*
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 08:29:51 +0000