Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@

7 files changed, 50 insertions, 47 deletions

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 18e34f7b7b..2c272032b5 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.163 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.164 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -600,7 +600,7 @@ ssl3_client_hello(SSL *s)
                 if ((sess == NULL) ||
                     (sess->ssl_version != s->version) ||
                     (!sess->session_id_length && !sess->tlsext_tick) ||
-                    (sess->not_resumable)) {
+                    (sess->internal->not_resumable)) {
                         if (!ssl_get_new_session(s, 0))
                                 goto err;
                 }
@@ -1037,9 +1037,9 @@ ssl3_get_server_certificate(SSL *s)
         sc = ssl_sess_cert_new();
         if (sc == NULL)
                 goto err;
-        if (s->session->sess_cert)
-                ssl_sess_cert_free(s->session->sess_cert);
-        s->session->sess_cert = sc;
+        if (SSI(s)->sess_cert)
+                ssl_sess_cert_free(SSI(s)->sess_cert);
+        SSI(s)->sess_cert = sc;
 
         sc->cert_chain = sk;
         /*
@@ -1114,7 +1114,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
         int al;
 
         alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
-        sc = s->session->sess_cert;
+        sc = SSI(s)->sess_cert;
 
         if (*nn < 0)
                 goto err;
@@ -1281,7 +1281,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
         int al;
 
         alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
-        sc = s->session->sess_cert;
+        sc = SSI(s)->sess_cert;
 
         if (*nn < 0)
                 goto err;
@@ -1397,18 +1397,18 @@ ssl3_get_server_key_exchange(SSL *s)
                 return (1);
         }
 
-        if (s->session->sess_cert != NULL) {
-                DH_free(s->session->sess_cert->peer_dh_tmp);
-                s->session->sess_cert->peer_dh_tmp = NULL;
+        if (SSI(s)->sess_cert != NULL) {
+                DH_free(SSI(s)->sess_cert->peer_dh_tmp);
+                SSI(s)->sess_cert->peer_dh_tmp = NULL;
 
-                EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
-                s->session->sess_cert->peer_ecdh_tmp = NULL;
+                EC_KEY_free(SSI(s)->sess_cert->peer_ecdh_tmp);
+                SSI(s)->sess_cert->peer_ecdh_tmp = NULL;
 
-                free(s->session->sess_cert->peer_x25519_tmp);
-                s->session->sess_cert->peer_x25519_tmp = NULL;
+                free(SSI(s)->sess_cert->peer_x25519_tmp);
+                SSI(s)->sess_cert->peer_x25519_tmp = NULL;
         } else {
-                s->session->sess_cert = ssl_sess_cert_new();
-                if (s->session->sess_cert == NULL)
+                SSI(s)->sess_cert = ssl_sess_cert_new();
+                if (SSI(s)->sess_cert == NULL)
                         goto err;
         }
 
@@ -2341,7 +2341,7 @@ ssl3_send_client_key_exchange(SSL *s)
         if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
                 alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
 
-                if ((sess_cert = s->session->sess_cert) == NULL) {
+                if ((sess_cert = SSI(s)->sess_cert) == NULL) {
                         ssl3_send_alert(s, SSL3_AL_FATAL,
                             SSL_AD_UNEXPECTED_MESSAGE);
                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
@@ -2636,13 +2636,13 @@ ssl3_check_cert_and_algorithm(SSL *s)
         if (alg_a & SSL_aNULL)
                 return (1);
 
-        sc = s->session->sess_cert;
+        sc = SSI(s)->sess_cert;
         if (sc == NULL) {
                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
                     ERR_R_INTERNAL_ERROR);
                 goto err;
         }
-        dh = s->session->sess_cert->peer_dh_tmp;
+        dh = SSI(s)->sess_cert->peer_dh_tmp;
 
         /* This is the passed certificate. */
 
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 990ce2153d..ae2586912c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.120 2017/01/22 09:02:07 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.121 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1928,10 +1928,10 @@ ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp)
 
         if (s->server != 0)
                 return 0;
-        if (s->session == NULL || s->session->sess_cert == NULL)
+        if (s->session == NULL || SSI(s)->sess_cert == NULL)
                 return 0;
 
-        sc = s->session->sess_cert;
+        sc = SSI(s)->sess_cert;
 
         if ((pkey = EVP_PKEY_new()) == NULL)
                 return 0;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index a18b218207..ebdb10cb91 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.142 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.143 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2593,17 +2593,17 @@ ssl3_get_client_certificate(SSL *s)
          * With the current implementation, sess_cert will always be NULL
          * when we arrive here
          */
-        if (s->session->sess_cert == NULL) {
-                s->session->sess_cert = ssl_sess_cert_new();
-                if (s->session->sess_cert == NULL) {
+        if (SSI(s)->sess_cert == NULL) {
+                SSI(s)->sess_cert = ssl_sess_cert_new();
+                if (SSI(s)->sess_cert == NULL) {
                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
         }
-        if (s->session->sess_cert->cert_chain != NULL)
-                sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-        s->session->sess_cert->cert_chain = sk;
+        if (SSI(s)->sess_cert->cert_chain != NULL)
+                sk_X509_pop_free(SSI(s)->sess_cert->cert_chain, X509_free);
+        SSI(s)->sess_cert->cert_chain = sk;
 
         /*
          * Inconsistency alert: cert_chain does *not* include the
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 5904872c92..dce72d8c25 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.108 2017/01/23 01:04:23 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.109 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -464,28 +464,23 @@ struct ssl_session_st {
 
         int master_key_length;
         unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
+
         /* session_id - valid? */
         unsigned int session_id_length;
         unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+
         /* this is used to determine whether the session is being reused in
          * the appropriate context. It is up to the application to set this,
          * via SSL_new */
         unsigned int sid_ctx_length;
         unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 
-        /* Used to indicate that session resumption is not allowed.
-         * Applications can also set this bit for a new session via
-         * not_resumable_session_cb to disable session caching and tickets. */
-        int not_resumable;
-
-        /* The cert is the certificate used to establish this connection */
-        struct sess_cert_st /* SESS_CERT */ *sess_cert;
-
         /* This is the cert for the other end.
          * On clients, it will be the same as sess_cert->peer_key->x509
          * (the latter is not enough as sess_cert is not retained
          * in the external representation of sessions, see ssl_asn1.c). */
         X509 *peer;
+
         /* when app_verify_callback accepts a session where the peer's certificate
          * is not ok, we must remember the error for session reuse: */
         long verify_result; /* only for servers */
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f4bb212865..1e529e85de 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.130 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.131 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -826,10 +826,10 @@ SSL_get_peer_cert_chain(const SSL *s)
         STACK_OF(X509)  *r;
 
         if ((s == NULL) || (s->session == NULL) ||
-            (s->session->sess_cert == NULL))
+            (SSI(s)->sess_cert == NULL))
                 r = NULL;
         else
-                r = s->session->sess_cert->cert_chain;
+                r = SSI(s)->sess_cert->cert_chain;
 
         /*
          * If we are a client, cert_chain includes the peer's own
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3f63b1de2f..2eace2567d 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.152 2017/01/23 00:12:55 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.153 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -373,6 +373,14 @@ __BEGIN_HIDDEN_DECLS
 #define NAMED_CURVE_TYPE           3
 
 typedef struct ssl_session_internal_st {
+        /* Used to indicate that session resumption is not allowed.
+         * Applications can also set this bit for a new session via
+         * not_resumable_session_cb to disable session caching and tickets. */
+        int not_resumable;
+
+        /* The cert is the certificate used to establish this connection */
+        struct sess_cert_st /* SESS_CERT */ *sess_cert;
+
         size_t tlsext_ecpointformatlist_length;
         uint8_t *tlsext_ecpointformatlist; /* peer's list */
         size_t tlsext_ellipticcurvelist_length;
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 7f03d12d35..2520843cc0 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.56 2017/01/23 00:12:55 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.57 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -673,7 +673,7 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
                         CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
 
                 if (ret) {
-                        r->not_resumable = 1;
+                        r->internal->not_resumable = 1;
                         if (ctx->remove_session_cb != NULL)
                                 ctx->remove_session_cb(ctx, r);
                         SSL_SESSION_free(r);
@@ -699,8 +699,8 @@ SSL_SESSION_free(SSL_SESSION *ss)
 
         explicit_bzero(ss->master_key, sizeof ss->master_key);
         explicit_bzero(ss->session_id, sizeof ss->session_id);
-        if (ss->sess_cert != NULL)
-                ssl_sess_cert_free(ss->sess_cert);
+        if (ss->internal->sess_cert != NULL)
+                ssl_sess_cert_free(ss->internal->sess_cert);
         X509_free(ss->peer);
         if (ss->ciphers != NULL)
                 sk_SSL_CIPHER_free(ss->ciphers);
@@ -910,7 +910,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
                  * save on locking overhead */
                 (void)lh_SSL_SESSION_delete(p->cache, s);
                 SSL_SESSION_list_remove(p->ctx, s);
-                s->not_resumable = 1;
+                s->internal->not_resumable = 1;
                 if (p->ctx->remove_session_cb != NULL)
                         p->ctx->remove_session_cb(p->ctx, s);
                 SSL_SESSION_free(s);