summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2017-01-23 13:36:13 +0000
committerjsing <>2017-01-23 13:36:13 +0000
commit4ae6fa4e9b3c20e6347b1b4ad62b1051ed5d7630 (patch)
tree84ee9c4c985fe1078df40f818b7697846dba1c18 /src
parentd997e8b2da4774b32b9a1e6368bb19aca5bf82c2 (diff)
downloadopenbsd-4ae6fa4e9b3c20e6347b1b4ad62b1051ed5d7630.tar.gz
openbsd-4ae6fa4e9b3c20e6347b1b4ad62b1051ed5d7630.tar.bz2
openbsd-4ae6fa4e9b3c20e6347b1b4ad62b1051ed5d7630.zip
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/bio_ssl.c6
-rw-r--r--src/lib/libssl/d1_both.c14
-rw-r--r--src/lib/libssl/d1_clnt.c32
-rw-r--r--src/lib/libssl/d1_lib.c4
-rw-r--r--src/lib/libssl/d1_meth.c22
-rw-r--r--src/lib/libssl/d1_pkt.c10
-rw-r--r--src/lib/libssl/d1_srvr.c34
-rw-r--r--src/lib/libssl/s23_clnt.c4
-rw-r--r--src/lib/libssl/s23_srvr.c4
-rw-r--r--src/lib/libssl/s3_both.c24
-rw-r--r--src/lib/libssl/s3_clnt.c40
-rw-r--r--src/lib/libssl/s3_lib.c16
-rw-r--r--src/lib/libssl/s3_pkt.c26
-rw-r--r--src/lib/libssl/s3_srvr.c32
-rw-r--r--src/lib/libssl/ssl.h34
-rw-r--r--src/lib/libssl/ssl_lib.c70
-rw-r--r--src/lib/libssl/ssl_locl.h46
-rw-r--r--src/lib/libssl/ssl_sess.c7
-rw-r--r--src/lib/libssl/t1_clnt.c82
-rw-r--r--src/lib/libssl/t1_enc.c4
-rw-r--r--src/lib/libssl/t1_lib.c6
-rw-r--r--src/lib/libssl/t1_meth.c82
-rw-r--r--src/lib/libssl/t1_srvr.c82
23 files changed, 378 insertions, 303 deletions
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 42f637a78f..81b42b1a4f 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bio_ssl.c,v 1.23 2017/01/23 04:55:26 beck Exp $ */ 1/* $OpenBSD: bio_ssl.c,v 1.24 2017/01/23 13:36:12 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -293,9 +293,9 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
293 case BIO_CTRL_RESET: 293 case BIO_CTRL_RESET:
294 SSL_shutdown(ssl); 294 SSL_shutdown(ssl);
295 295
296 if (ssl->internal->handshake_func == ssl->method->ssl_connect) 296 if (ssl->internal->handshake_func == ssl->method->internal->ssl_connect)
297 SSL_set_connect_state(ssl); 297 SSL_set_connect_state(ssl);
298 else if (ssl->internal->handshake_func == ssl->method->ssl_accept) 298 else if (ssl->internal->handshake_func == ssl->method->internal->ssl_accept)
299 SSL_set_accept_state(ssl); 299 SSL_set_accept_state(ssl);
300 300
301 SSL_clear(ssl); 301 SSL_clear(ssl);
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index e709caa604..a9a4c1a13b 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_both.c,v 1.45 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: d1_both.c,v 1.46 2017/01/23 13:36:12 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -634,7 +634,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
634 unsigned char devnull [256]; 634 unsigned char devnull [256];
635 635
636 while (frag_len) { 636 while (frag_len) {
637 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 637 i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
638 devnull, frag_len > sizeof(devnull) ? 638 devnull, frag_len > sizeof(devnull) ?
639 sizeof(devnull) : frag_len, 0); 639 sizeof(devnull) : frag_len, 0);
640 if (i <= 0) 640 if (i <= 0)
@@ -646,7 +646,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
646 } 646 }
647 647
648 /* read the body of the fragment (header has already been read */ 648 /* read the body of the fragment (header has already been read */
649 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 649 i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
650 frag->fragment + msg_hdr->frag_off, frag_len, 0); 650 frag->fragment + msg_hdr->frag_off, frag_len, 0);
651 if (i <= 0 || (unsigned long)i != frag_len) 651 if (i <= 0 || (unsigned long)i != frag_len)
652 goto err; 652 goto err;
@@ -724,7 +724,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
724 unsigned char devnull [256]; 724 unsigned char devnull [256];
725 725
726 while (frag_len) { 726 while (frag_len) {
727 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 727 i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
728 devnull, frag_len > sizeof(devnull) ? 728 devnull, frag_len > sizeof(devnull) ?
729 sizeof(devnull) : frag_len, 0); 729 sizeof(devnull) : frag_len, 0);
730 if (i <= 0) 730 if (i <= 0)
@@ -746,7 +746,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
746 746
747 if (frag_len) { 747 if (frag_len) {
748 /* read the body of the fragment (header has already been read */ 748 /* read the body of the fragment (header has already been read */
749 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 749 i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
750 frag->fragment, frag_len, 0); 750 frag->fragment, frag_len, 0);
751 if (i <= 0 || (unsigned long)i != frag_len) 751 if (i <= 0 || (unsigned long)i != frag_len)
752 goto err; 752 goto err;
@@ -790,7 +790,7 @@ again:
790 } 790 }
791 791
792 /* read handshake message header */ 792 /* read handshake message header */
793 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire, 793 i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,
794 DTLS1_HM_HEADER_LENGTH, 0); 794 DTLS1_HM_HEADER_LENGTH, 0);
795 if (i <= 0) /* nbio, or an error */ 795 if (i <= 0) /* nbio, or an error */
796 { 796 {
@@ -861,7 +861,7 @@ again:
861 if (frag_len > 0) { 861 if (frag_len > 0) {
862 unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; 862 unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH;
863 863
864 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 864 i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
865 &p[frag_off], frag_len, 0); 865 &p[frag_off], frag_len, 0);
866 /* XDTLS: fix this--message fragments cannot span multiple packets */ 866 /* XDTLS: fix this--message fragments cannot span multiple packets */
867 if (i <= 0) { 867 if (i <= 0) {
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 503a1f7fc6..6b5510c1e3 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.68 2017/01/23 10:22:06 jsing Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.69 2017/01/23 13:36:13 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -130,7 +130,7 @@
130static const SSL_METHOD *dtls1_get_client_method(int ver); 130static const SSL_METHOD *dtls1_get_client_method(int ver);
131static int dtls1_get_hello_verify(SSL *s); 131static int dtls1_get_hello_verify(SSL *s);
132 132
133static const SSL_METHOD DTLSv1_client_method_data = { 133static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = {
134 .version = DTLS1_VERSION, 134 .version = DTLS1_VERSION,
135 .min_version = DTLS1_VERSION, 135 .min_version = DTLS1_VERSION,
136 .max_version = DTLS1_VERSION, 136 .max_version = DTLS1_VERSION,
@@ -143,21 +143,25 @@ static const SSL_METHOD DTLSv1_client_method_data = {
143 .ssl_peek = ssl3_peek, 143 .ssl_peek = ssl3_peek,
144 .ssl_write = ssl3_write, 144 .ssl_write = ssl3_write,
145 .ssl_shutdown = dtls1_shutdown, 145 .ssl_shutdown = dtls1_shutdown,
146 .ssl_pending = ssl3_pending,
147 .get_ssl_method = dtls1_get_client_method,
148 .get_timeout = dtls1_default_timeout,
149 .ssl_version = ssl_undefined_void_function,
146 .ssl_renegotiate = ssl3_renegotiate, 150 .ssl_renegotiate = ssl3_renegotiate,
147 .ssl_renegotiate_check = ssl3_renegotiate_check, 151 .ssl_renegotiate_check = ssl3_renegotiate_check,
148 .ssl_get_message = dtls1_get_message, 152 .ssl_get_message = dtls1_get_message,
149 .ssl_read_bytes = dtls1_read_bytes, 153 .ssl_read_bytes = dtls1_read_bytes,
150 .ssl_write_bytes = dtls1_write_app_data_bytes, 154 .ssl_write_bytes = dtls1_write_app_data_bytes,
155 .ssl3_enc = &DTLSv1_enc_data,
156};
157
158static const SSL_METHOD DTLSv1_client_method_data = {
151 .ssl_dispatch_alert = dtls1_dispatch_alert, 159 .ssl_dispatch_alert = dtls1_dispatch_alert,
152 .get_cipher_by_char = ssl3_get_cipher_by_char,
153 .put_cipher_by_char = ssl3_put_cipher_by_char,
154 .ssl_pending = ssl3_pending,
155 .num_ciphers = ssl3_num_ciphers, 160 .num_ciphers = ssl3_num_ciphers,
156 .get_cipher = dtls1_get_cipher, 161 .get_cipher = dtls1_get_cipher,
157 .get_ssl_method = dtls1_get_client_method, 162 .get_cipher_by_char = ssl3_get_cipher_by_char,
158 .get_timeout = dtls1_default_timeout, 163 .put_cipher_by_char = ssl3_put_cipher_by_char,
159 .ssl3_enc = &DTLSv1_enc_data, 164 .internal = &DTLSv1_client_method_internal_data,
160 .ssl_version = ssl_undefined_void_function,
161}; 165};
162 166
163const SSL_METHOD * 167const SSL_METHOD *
@@ -434,12 +438,12 @@ dtls1_connect(SSL *s)
434 s->internal->init_num = 0; 438 s->internal->init_num = 0;
435 439
436 s->session->cipher = S3I(s)->tmp.new_cipher; 440 s->session->cipher = S3I(s)->tmp.new_cipher;
437 if (!s->method->ssl3_enc->setup_key_block(s)) { 441 if (!s->method->internal->ssl3_enc->setup_key_block(s)) {
438 ret = -1; 442 ret = -1;
439 goto end; 443 goto end;
440 } 444 }
441 445
442 if (!s->method->ssl3_enc->change_cipher_state(s, 446 if (!s->method->internal->ssl3_enc->change_cipher_state(s,
443 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 447 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
444 ret = -1; 448 ret = -1;
445 goto end; 449 goto end;
@@ -455,8 +459,8 @@ dtls1_connect(SSL *s)
455 dtls1_start_timer(s); 459 dtls1_start_timer(s);
456 ret = ssl3_send_finished(s, 460 ret = ssl3_send_finished(s,
457 SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B, 461 SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
458 s->method->ssl3_enc->client_finished_label, 462 s->method->internal->ssl3_enc->client_finished_label,
459 s->method->ssl3_enc->client_finished_label_len); 463 s->method->internal->ssl3_enc->client_finished_label_len);
460 if (ret <= 0) 464 if (ret <= 0)
461 goto end; 465 goto end;
462 s->internal->state = SSL3_ST_CW_FLUSH; 466 s->internal->state = SSL3_ST_CW_FLUSH;
@@ -608,7 +612,7 @@ dtls1_get_hello_verify(SSL *s)
608 uint16_t ssl_version; 612 uint16_t ssl_version;
609 CBS hello_verify_request, cookie; 613 CBS hello_verify_request, cookie;
610 614
611 n = s->method->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, 615 n = s->method->internal->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
612 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok); 616 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok);
613 617
614 if (!ok) 618 if (!ok)
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index 697cb434f7..e8c3b10761 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_lib.c,v 1.36 2017/01/22 07:16:38 beck Exp $ */ 1/* $OpenBSD: d1_lib.c,v 1.37 2017/01/23 13:36:13 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -141,7 +141,7 @@ dtls1_new(SSL *s)
141 } 141 }
142 142
143 s->d1 = d1; 143 s->d1 = d1;
144 s->method->ssl_clear(s); 144 s->method->internal->ssl_clear(s);
145 return (1); 145 return (1);
146} 146}
147 147
diff --git a/src/lib/libssl/d1_meth.c b/src/lib/libssl/d1_meth.c
index 4493aa180b..fcd8906c45 100644
--- a/src/lib/libssl/d1_meth.c
+++ b/src/lib/libssl/d1_meth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_meth.c,v 1.12 2017/01/23 10:22:06 jsing Exp $ */ 1/* $OpenBSD: d1_meth.c,v 1.13 2017/01/23 13:36:13 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -65,7 +65,7 @@
65 65
66static const SSL_METHOD *dtls1_get_method(int ver); 66static const SSL_METHOD *dtls1_get_method(int ver);
67 67
68static const SSL_METHOD DTLSv1_method_data = { 68static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = {
69 .version = DTLS1_VERSION, 69 .version = DTLS1_VERSION,
70 .min_version = DTLS1_VERSION, 70 .min_version = DTLS1_VERSION,
71 .max_version = DTLS1_VERSION, 71 .max_version = DTLS1_VERSION,
@@ -78,21 +78,25 @@ static const SSL_METHOD DTLSv1_method_data = {
78 .ssl_peek = ssl3_peek, 78 .ssl_peek = ssl3_peek,
79 .ssl_write = ssl3_write, 79 .ssl_write = ssl3_write,
80 .ssl_shutdown = dtls1_shutdown, 80 .ssl_shutdown = dtls1_shutdown,
81 .ssl_pending = ssl3_pending,
82 .get_ssl_method = dtls1_get_method,
83 .get_timeout = dtls1_default_timeout,
84 .ssl_version = ssl_undefined_void_function,
81 .ssl_renegotiate = ssl3_renegotiate, 85 .ssl_renegotiate = ssl3_renegotiate,
82 .ssl_renegotiate_check = ssl3_renegotiate_check, 86 .ssl_renegotiate_check = ssl3_renegotiate_check,
83 .ssl_get_message = dtls1_get_message, 87 .ssl_get_message = dtls1_get_message,
84 .ssl_read_bytes = dtls1_read_bytes, 88 .ssl_read_bytes = dtls1_read_bytes,
85 .ssl_write_bytes = dtls1_write_app_data_bytes, 89 .ssl_write_bytes = dtls1_write_app_data_bytes,
90 .ssl3_enc = &DTLSv1_enc_data,
91};
92
93static const SSL_METHOD DTLSv1_method_data = {
86 .ssl_dispatch_alert = dtls1_dispatch_alert, 94 .ssl_dispatch_alert = dtls1_dispatch_alert,
87 .get_cipher_by_char = ssl3_get_cipher_by_char,
88 .put_cipher_by_char = ssl3_put_cipher_by_char,
89 .ssl_pending = ssl3_pending,
90 .num_ciphers = ssl3_num_ciphers, 95 .num_ciphers = ssl3_num_ciphers,
91 .get_cipher = dtls1_get_cipher, 96 .get_cipher = dtls1_get_cipher,
92 .get_ssl_method = dtls1_get_method, 97 .get_cipher_by_char = ssl3_get_cipher_by_char,
93 .get_timeout = dtls1_default_timeout, 98 .put_cipher_by_char = ssl3_put_cipher_by_char,
94 .ssl3_enc = &DTLSv1_enc_data, 99 .internal = &DTLSv1_method_internal_data,
95 .ssl_version = ssl_undefined_void_function,
96}; 100};
97 101
98const SSL_METHOD * 102const SSL_METHOD *
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 1dba3d0c4d..c64aa8f106 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.56 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.57 2017/01/23 13:36:13 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -361,7 +361,7 @@ dtls1_process_record(SSL *s)
361 /* decrypt in place in 'rr->input' */ 361 /* decrypt in place in 'rr->input' */
362 rr->data = rr->input; 362 rr->data = rr->input;
363 363
364 enc_err = s->method->ssl3_enc->enc(s, 0); 364 enc_err = s->method->internal->ssl3_enc->enc(s, 0);
365 /* enc_err is: 365 /* enc_err is:
366 * 0: (in non-constant time) if the record is publically invalid. 366 * 0: (in non-constant time) if the record is publically invalid.
367 * 1: if the padding is valid 367 * 1: if the padding is valid
@@ -417,7 +417,7 @@ dtls1_process_record(SSL *s)
417 mac = &rr->data[rr->length]; 417 mac = &rr->data[rr->length];
418 } 418 }
419 419
420 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */); 420 i = s->method->internal->ssl3_enc->mac(s, md, 0 /* not send */);
421 if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) 421 if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
422 enc_err = -1; 422 enc_err = -1;
423 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) 423 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
@@ -1279,7 +1279,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
1279 * wr->data still points in the wb->buf */ 1279 * wr->data still points in the wb->buf */
1280 1280
1281 if (mac_size != 0) { 1281 if (mac_size != 0) {
1282 if (s->method->ssl3_enc->mac(s, &(p[wr->length + bs]), 1) < 0) 1282 if (s->method->internal->ssl3_enc->mac(s, &(p[wr->length + bs]), 1) < 0)
1283 goto err; 1283 goto err;
1284 wr->length += mac_size; 1284 wr->length += mac_size;
1285 } 1285 }
@@ -1298,7 +1298,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
1298 wr->length += bs; 1298 wr->length += bs;
1299 } 1299 }
1300 1300
1301 s->method->ssl3_enc->enc(s, 1); 1301 s->method->internal->ssl3_enc->enc(s, 1);
1302 1302
1303 /* record length after mac and block padding */ 1303 /* record length after mac and block padding */
1304/* if (type == SSL3_RT_APPLICATION_DATA || 1304/* if (type == SSL3_RT_APPLICATION_DATA ||
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 2a68483169..1787412bf5 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.78 2017/01/23 10:22:06 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.79 2017/01/23 13:36:13 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -128,7 +128,7 @@
128static const SSL_METHOD *dtls1_get_server_method(int ver); 128static const SSL_METHOD *dtls1_get_server_method(int ver);
129static int dtls1_send_hello_verify_request(SSL *s); 129static int dtls1_send_hello_verify_request(SSL *s);
130 130
131static const SSL_METHOD DTLSv1_server_method_data = { 131static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
132 .version = DTLS1_VERSION, 132 .version = DTLS1_VERSION,
133 .min_version = DTLS1_VERSION, 133 .min_version = DTLS1_VERSION,
134 .max_version = DTLS1_VERSION, 134 .max_version = DTLS1_VERSION,
@@ -141,21 +141,25 @@ static const SSL_METHOD DTLSv1_server_method_data = {
141 .ssl_peek = ssl3_peek, 141 .ssl_peek = ssl3_peek,
142 .ssl_write = ssl3_write, 142 .ssl_write = ssl3_write,
143 .ssl_shutdown = dtls1_shutdown, 143 .ssl_shutdown = dtls1_shutdown,
144 .ssl_pending = ssl3_pending,
145 .get_ssl_method = dtls1_get_server_method,
146 .get_timeout = dtls1_default_timeout,
147 .ssl_version = ssl_undefined_void_function,
144 .ssl_renegotiate = ssl3_renegotiate, 148 .ssl_renegotiate = ssl3_renegotiate,
145 .ssl_renegotiate_check = ssl3_renegotiate_check, 149 .ssl_renegotiate_check = ssl3_renegotiate_check,
146 .ssl_get_message = dtls1_get_message, 150 .ssl_get_message = dtls1_get_message,
147 .ssl_read_bytes = dtls1_read_bytes, 151 .ssl_read_bytes = dtls1_read_bytes,
148 .ssl_write_bytes = dtls1_write_app_data_bytes, 152 .ssl_write_bytes = dtls1_write_app_data_bytes,
153 .ssl3_enc = &DTLSv1_enc_data,
154};
155
156static const SSL_METHOD DTLSv1_server_method_data = {
149 .ssl_dispatch_alert = dtls1_dispatch_alert, 157 .ssl_dispatch_alert = dtls1_dispatch_alert,
150 .get_cipher_by_char = ssl3_get_cipher_by_char,
151 .put_cipher_by_char = ssl3_put_cipher_by_char,
152 .ssl_pending = ssl3_pending,
153 .num_ciphers = ssl3_num_ciphers, 158 .num_ciphers = ssl3_num_ciphers,
154 .get_cipher = dtls1_get_cipher, 159 .get_cipher = dtls1_get_cipher,
155 .get_ssl_method = dtls1_get_server_method, 160 .get_cipher_by_char = ssl3_get_cipher_by_char,
156 .get_timeout = dtls1_default_timeout, 161 .put_cipher_by_char = ssl3_put_cipher_by_char,
157 .ssl3_enc = &DTLSv1_enc_data, 162 .internal = &DTLSv1_server_method_internal_data,
158 .ssl_version = ssl_undefined_void_function,
159}; 163};
160 164
161const SSL_METHOD * 165const SSL_METHOD *
@@ -519,9 +523,9 @@ dtls1_accept(SSL *s)
519 523
520 /* We need to get hashes here so if there is 524 /* We need to get hashes here so if there is
521 * a client cert, it can be verified */ 525 * a client cert, it can be verified */
522 s->method->ssl3_enc->cert_verify_mac(s, 526 s->method->internal->ssl3_enc->cert_verify_mac(s,
523 NID_md5, &(S3I(s)->tmp.cert_verify_md[0])); 527 NID_md5, &(S3I(s)->tmp.cert_verify_md[0]));
524 s->method->ssl3_enc->cert_verify_mac(s, 528 s->method->internal->ssl3_enc->cert_verify_mac(s,
525 NID_sha1, 529 NID_sha1,
526 &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 530 &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
527 } 531 }
@@ -579,7 +583,7 @@ dtls1_accept(SSL *s)
579 case SSL3_ST_SW_CHANGE_B: 583 case SSL3_ST_SW_CHANGE_B:
580 584
581 s->session->cipher = S3I(s)->tmp.new_cipher; 585 s->session->cipher = S3I(s)->tmp.new_cipher;
582 if (!s->method->ssl3_enc->setup_key_block(s)) { 586 if (!s->method->internal->ssl3_enc->setup_key_block(s)) {
583 ret = -1; 587 ret = -1;
584 goto end; 588 goto end;
585 } 589 }
@@ -594,7 +598,7 @@ dtls1_accept(SSL *s)
594 s->internal->state = SSL3_ST_SW_FINISHED_A; 598 s->internal->state = SSL3_ST_SW_FINISHED_A;
595 s->internal->init_num = 0; 599 s->internal->init_num = 0;
596 600
597 if (!s->method->ssl3_enc->change_cipher_state(s, 601 if (!s->method->internal->ssl3_enc->change_cipher_state(s,
598 SSL3_CHANGE_CIPHER_SERVER_WRITE)) { 602 SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
599 ret = -1; 603 ret = -1;
600 goto end; 604 goto end;
@@ -607,8 +611,8 @@ dtls1_accept(SSL *s)
607 case SSL3_ST_SW_FINISHED_B: 611 case SSL3_ST_SW_FINISHED_B:
608 ret = ssl3_send_finished(s, 612 ret = ssl3_send_finished(s,
609 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B, 613 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
610 s->method->ssl3_enc->server_finished_label, 614 s->method->internal->ssl3_enc->server_finished_label,
611 s->method->ssl3_enc->server_finished_label_len); 615 s->method->internal->ssl3_enc->server_finished_label_len);
612 if (ret <= 0) 616 if (ret <= 0)
613 goto end; 617 goto end;
614 s->internal->state = SSL3_ST_SW_FLUSH; 618 s->internal->state = SSL3_ST_SW_FLUSH;
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index ccaee02564..282e0bd3c7 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_clnt.c,v 1.54 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: s23_clnt.c,v 1.55 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -433,7 +433,7 @@ ssl23_get_server_hello(SSL *s)
433 s->s3->rbuf.left = n; 433 s->s3->rbuf.left = n;
434 s->s3->rbuf.offset = 0; 434 s->s3->rbuf.offset = 0;
435 435
436 s->internal->handshake_func = s->method->ssl_connect; 436 s->internal->handshake_func = s->method->internal->ssl_connect;
437 } else { 437 } else {
438 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL); 438 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL);
439 goto err; 439 goto err;
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 4dd94eb7b8..f85b50994e 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_srvr.c,v 1.55 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: s23_srvr.c,v 1.56 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -450,7 +450,7 @@ ssl23_get_client_hello(SSL *s)
450 s->method = TLSv1_server_method(); 450 s->method = TLSv1_server_method();
451 else 451 else
452 goto unsupported; 452 goto unsupported;
453 s->internal->handshake_func = s->method->ssl_accept; 453 s->internal->handshake_func = s->method->internal->ssl_accept;
454 } else { 454 } else {
455 /* bad, very bad */ 455 /* bad, very bad */
456 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); 456 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 23fdcd2065..7490a183fb 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_both.c,v 1.54 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: s3_both.c,v 1.55 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -170,10 +170,10 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
170 int md_len; 170 int md_len;
171 171
172 if (s->internal->state == a) { 172 if (s->internal->state == a) {
173 md_len = s->method->ssl3_enc->finish_mac_length; 173 md_len = s->method->internal->ssl3_enc->finish_mac_length;
174 OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); 174 OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
175 175
176 if (s->method->ssl3_enc->final_finish_mac(s, sender, slen, 176 if (s->method->internal->ssl3_enc->final_finish_mac(s, sender, slen,
177 S3I(s)->tmp.finish_md) != md_len) 177 S3I(s)->tmp.finish_md) != md_len)
178 return (0); 178 return (0);
179 S3I(s)->tmp.finish_md_len = md_len; 179 S3I(s)->tmp.finish_md_len = md_len;
@@ -217,15 +217,15 @@ ssl3_take_mac(SSL *s)
217 return; 217 return;
218 218
219 if (s->internal->state & SSL_ST_CONNECT) { 219 if (s->internal->state & SSL_ST_CONNECT) {
220 sender = s->method->ssl3_enc->server_finished_label; 220 sender = s->method->internal->ssl3_enc->server_finished_label;
221 slen = s->method->ssl3_enc->server_finished_label_len; 221 slen = s->method->internal->ssl3_enc->server_finished_label_len;
222 } else { 222 } else {
223 sender = s->method->ssl3_enc->client_finished_label; 223 sender = s->method->internal->ssl3_enc->client_finished_label;
224 slen = s->method->ssl3_enc->client_finished_label_len; 224 slen = s->method->internal->ssl3_enc->client_finished_label_len;
225 } 225 }
226 226
227 S3I(s)->tmp.peer_finish_md_len = 227 S3I(s)->tmp.peer_finish_md_len =
228 s->method->ssl3_enc->final_finish_mac(s, sender, slen, 228 s->method->internal->ssl3_enc->final_finish_mac(s, sender, slen,
229 S3I(s)->tmp.peer_finish_md); 229 S3I(s)->tmp.peer_finish_md);
230} 230}
231 231
@@ -237,7 +237,7 @@ ssl3_get_finished(SSL *s, int a, int b)
237 CBS cbs; 237 CBS cbs;
238 238
239 /* should actually be 36+4 :-) */ 239 /* should actually be 36+4 :-) */
240 n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); 240 n = s->method->internal->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok);
241 if (!ok) 241 if (!ok)
242 return ((int)n); 242 return ((int)n);
243 243
@@ -249,7 +249,7 @@ ssl3_get_finished(SSL *s, int a, int b)
249 } 249 }
250 S3I(s)->change_cipher_spec = 0; 250 S3I(s)->change_cipher_spec = 0;
251 251
252 md_len = s->method->ssl3_enc->finish_mac_length; 252 md_len = s->method->internal->ssl3_enc->finish_mac_length;
253 253
254 if (n < 0) { 254 if (n < 0) {
255 al = SSL_AD_DECODE_ERROR; 255 al = SSL_AD_DECODE_ERROR;
@@ -438,7 +438,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
438 438
439 do { 439 do {
440 while (s->internal->init_num < 4) { 440 while (s->internal->init_num < 4) {
441 i = s->method->ssl_read_bytes(s, 441 i = s->method->internal->ssl_read_bytes(s,
442 SSL3_RT_HANDSHAKE, &p[s->internal->init_num], 442 SSL3_RT_HANDSHAKE, &p[s->internal->init_num],
443 4 - s->internal->init_num, 0); 443 4 - s->internal->init_num, 0);
444 if (i <= 0) { 444 if (i <= 0) {
@@ -507,7 +507,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
507 p = s->internal->init_msg; 507 p = s->internal->init_msg;
508 n = S3I(s)->tmp.message_size - s->internal->init_num; 508 n = S3I(s)->tmp.message_size - s->internal->init_num;
509 while (n > 0) { 509 while (n > 0) {
510 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 510 i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
511 &p[s->internal->init_num], n, 0); 511 &p[s->internal->init_num], n, 0);
512 if (i <= 0) { 512 if (i <= 0) {
513 s->internal->rwstate = SSL_READING; 513 s->internal->rwstate = SSL_READING;
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index a6feb68e91..055f8d1f3a 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.169 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.170 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -419,12 +419,12 @@ ssl3_connect(SSL *s)
419 s->internal->init_num = 0; 419 s->internal->init_num = 0;
420 420
421 s->session->cipher = S3I(s)->tmp.new_cipher; 421 s->session->cipher = S3I(s)->tmp.new_cipher;
422 if (!s->method->ssl3_enc->setup_key_block(s)) { 422 if (!s->method->internal->ssl3_enc->setup_key_block(s)) {
423 ret = -1; 423 ret = -1;
424 goto end; 424 goto end;
425 } 425 }
426 426
427 if (!s->method->ssl3_enc->change_cipher_state(s, 427 if (!s->method->internal->ssl3_enc->change_cipher_state(s,
428 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 428 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
429 ret = -1; 429 ret = -1;
430 goto end; 430 goto end;
@@ -444,8 +444,8 @@ ssl3_connect(SSL *s)
444 case SSL3_ST_CW_FINISHED_B: 444 case SSL3_ST_CW_FINISHED_B:
445 ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, 445 ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
446 SSL3_ST_CW_FINISHED_B, 446 SSL3_ST_CW_FINISHED_B,
447 s->method->ssl3_enc->client_finished_label, 447 s->method->internal->ssl3_enc->client_finished_label,
448 s->method->ssl3_enc->client_finished_label_len); 448 s->method->internal->ssl3_enc->client_finished_label_len);
449 if (ret <= 0) 449 if (ret <= 0)
450 goto end; 450 goto end;
451 s->s3->flags |= SSL3_FLAGS_CCS_OK; 451 s->s3->flags |= SSL3_FLAGS_CCS_OK;
@@ -730,7 +730,7 @@ ssl3_get_server_hello(SSL *s)
730 int i, al, ok; 730 int i, al, ok;
731 long n; 731 long n;
732 732
733 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, 733 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
734 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok); 734 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
735 735
736 if (!ok) 736 if (!ok)
@@ -950,7 +950,7 @@ ssl3_get_server_certificate(SSL *s)
950 SESS_CERT *sc; 950 SESS_CERT *sc;
951 EVP_PKEY *pkey = NULL; 951 EVP_PKEY *pkey = NULL;
952 952
953 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 953 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_A,
954 SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list, &ok); 954 SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list, &ok);
955 955
956 if (!ok) 956 if (!ok)
@@ -1373,7 +1373,7 @@ ssl3_get_server_key_exchange(SSL *s)
1373 * Use same message size as in ssl3_get_certificate_request() 1373 * Use same message size as in ssl3_get_certificate_request()
1374 * as ServerKeyExchange message may be skipped. 1374 * as ServerKeyExchange message may be skipped.
1375 */ 1375 */
1376 n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, 1376 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1377 SSL3_ST_CR_KEY_EXCH_B, -1, s->internal->max_cert_list, &ok); 1377 SSL3_ST_CR_KEY_EXCH_B, -1, s->internal->max_cert_list, &ok);
1378 if (!ok) 1378 if (!ok)
1379 return ((int)n); 1379 return ((int)n);
@@ -1579,7 +1579,7 @@ ssl3_get_certificate_request(SSL *s)
1579 const unsigned char *q; 1579 const unsigned char *q;
1580 STACK_OF(X509_NAME) *ca_sk = NULL; 1580 STACK_OF(X509_NAME) *ca_sk = NULL;
1581 1581
1582 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A, 1582 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A,
1583 SSL3_ST_CR_CERT_REQ_B, -1, s->internal->max_cert_list, &ok); 1583 SSL3_ST_CR_CERT_REQ_B, -1, s->internal->max_cert_list, &ok);
1584 1584
1585 if (!ok) 1585 if (!ok)
@@ -1756,7 +1756,7 @@ ssl3_get_new_session_ticket(SSL *s)
1756 long n; 1756 long n;
1757 CBS cbs, session_ticket; 1757 CBS cbs, session_ticket;
1758 1758
1759 n = s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, 1759 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
1760 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok); 1760 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok);
1761 if (!ok) 1761 if (!ok)
1762 return ((int)n); 1762 return ((int)n);
@@ -1836,7 +1836,7 @@ ssl3_get_cert_status(SSL *s)
1836 long n; 1836 long n;
1837 uint8_t status_type; 1837 uint8_t status_type;
1838 1838
1839 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A, 1839 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
1840 SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS, 1840 SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,
1841 16384, &ok); 1841 16384, &ok);
1842 1842
@@ -1915,7 +1915,7 @@ ssl3_get_server_done(SSL *s)
1915 int ok, ret = 0; 1915 int ok, ret = 0;
1916 long n; 1916 long n;
1917 1917
1918 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A, 1918 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
1919 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE, 1919 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
1920 30, /* should be very small, like 0 :-) */ &ok); 1920 30, /* should be very small, like 0 :-) */ &ok);
1921 1921
@@ -1979,7 +1979,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
1979 goto err; 1979 goto err;
1980 1980
1981 s->session->master_key_length = 1981 s->session->master_key_length =
1982 s->method->ssl3_enc->generate_master_secret(s, 1982 s->method->internal->ssl3_enc->generate_master_secret(s,
1983 s->session->master_key, pms, sizeof(pms)); 1983 s->session->master_key, pms, sizeof(pms));
1984 1984
1985 ret = 1; 1985 ret = 1;
@@ -2034,7 +2034,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
2034 2034
2035 /* Generate master key from the result. */ 2035 /* Generate master key from the result. */
2036 s->session->master_key_length = 2036 s->session->master_key_length =
2037 s->method->ssl3_enc->generate_master_secret(s, 2037 s->method->internal->ssl3_enc->generate_master_secret(s,
2038 s->session->master_key, key, key_len); 2038 s->session->master_key, key, key_len);
2039 2039
2040 if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc)) 2040 if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc))
@@ -2109,7 +2109,7 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
2109 2109
2110 /* Generate master key from the result. */ 2110 /* Generate master key from the result. */
2111 s->session->master_key_length = 2111 s->session->master_key_length =
2112 s->method->ssl3_enc->generate_master_secret(s, 2112 s->method->internal->ssl3_enc->generate_master_secret(s,
2113 s->session->master_key, key, key_len); 2113 s->session->master_key, key, key_len);
2114 2114
2115 encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh), 2115 encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
@@ -2178,7 +2178,7 @@ ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb)
2178 2178
2179 /* Generate master key from the result. */ 2179 /* Generate master key from the result. */
2180 s->session->master_key_length = 2180 s->session->master_key_length =
2181 s->method->ssl3_enc->generate_master_secret(s, 2181 s->method->internal->ssl3_enc->generate_master_secret(s,
2182 s->session->master_key, shared_key, X25519_KEY_LENGTH); 2182 s->session->master_key, shared_key, X25519_KEY_LENGTH);
2183 2183
2184 ret = 1; 2184 ret = 1;
@@ -2318,7 +2318,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
2318 } 2318 }
2319 EVP_PKEY_CTX_free(pkey_ctx); 2319 EVP_PKEY_CTX_free(pkey_ctx);
2320 s->session->master_key_length = 2320 s->session->master_key_length =
2321 s->method->ssl3_enc->generate_master_secret(s, 2321 s->method->internal->ssl3_enc->generate_master_secret(s,
2322 s->session->master_key, premaster_secret, 32); 2322 s->session->master_key, premaster_secret, 32);
2323 2323
2324 ret = 1; 2324 ret = 1;
@@ -2415,7 +2415,7 @@ ssl3_send_client_verify(SSL *s)
2415 EVP_PKEY_sign_init(pctx); 2415 EVP_PKEY_sign_init(pctx);
2416 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) { 2416 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
2417 if (!SSL_USE_SIGALGS(s)) 2417 if (!SSL_USE_SIGALGS(s))
2418 s->method->ssl3_enc->cert_verify_mac(s, 2418 s->method->internal->ssl3_enc->cert_verify_mac(s,
2419 NID_sha1, &(data[MD5_DIGEST_LENGTH])); 2419 NID_sha1, &(data[MD5_DIGEST_LENGTH]));
2420 } else { 2420 } else {
2421 ERR_clear_error(); 2421 ERR_clear_error();
@@ -2449,7 +2449,7 @@ ssl3_send_client_verify(SSL *s)
2449 if (!tls1_digest_cached_records(s)) 2449 if (!tls1_digest_cached_records(s))
2450 goto err; 2450 goto err;
2451 } else if (pkey->type == EVP_PKEY_RSA) { 2451 } else if (pkey->type == EVP_PKEY_RSA) {
2452 s->method->ssl3_enc->cert_verify_mac( 2452 s->method->internal->ssl3_enc->cert_verify_mac(
2453 s, NID_md5, &(data[0])); 2453 s, NID_md5, &(data[0]));
2454 if (RSA_sign(NID_md5_sha1, data, 2454 if (RSA_sign(NID_md5_sha1, data,
2455 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]), 2455 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
@@ -2737,7 +2737,7 @@ ssl3_check_finished(SSL *s)
2737 return (1); 2737 return (1);
2738 /* this function is called when we really expect a Certificate 2738 /* this function is called when we really expect a Certificate
2739 * message, so permit appropriate message length */ 2739 * message, so permit appropriate message length */
2740 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 2740 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_A,
2741 SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list, &ok); 2741 SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list, &ok);
2742 if (!ok) 2742 if (!ok)
2743 return ((int)n); 2743 return ((int)n);
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 09af18ea95..a42ac73335 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.126 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.127 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1816,7 +1816,7 @@ ssl3_new(SSL *s)
1816 return (0); 1816 return (0);
1817 } 1817 }
1818 1818
1819 s->method->ssl_clear(s); 1819 s->method->internal->ssl_clear(s);
1820 1820
1821 return (1); 1821 return (1);
1822} 1822}
@@ -2533,7 +2533,7 @@ ssl3_shutdown(SSL *s)
2533 } 2533 }
2534 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2534 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2535 /* If we are waiting for a close from our peer, we are closed */ 2535 /* If we are waiting for a close from our peer, we are closed */
2536 s->method->ssl_read_bytes(s, 0, NULL, 0, 0); 2536 s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0);
2537 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2537 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2538 return(-1); /* return WANT_READ */ 2538 return(-1); /* return WANT_READ */
2539 } 2539 }
@@ -2592,8 +2592,8 @@ ssl3_write(SSL *s, const void *buf, int len)
2592 ret = S3I(s)->delay_buf_pop_ret; 2592 ret = S3I(s)->delay_buf_pop_ret;
2593 S3I(s)->delay_buf_pop_ret = 0; 2593 S3I(s)->delay_buf_pop_ret = 0;
2594 } else { 2594 } else {
2595 ret = s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2595 ret = s->method->internal->ssl_write_bytes(s,
2596 buf, len); 2596 SSL3_RT_APPLICATION_DATA, buf, len);
2597 if (ret <= 0) 2597 if (ret <= 0)
2598 return (ret); 2598 return (ret);
2599 } 2599 }
@@ -2610,7 +2610,7 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2610 if (S3I(s)->renegotiate) 2610 if (S3I(s)->renegotiate)
2611 ssl3_renegotiate_check(s); 2611 ssl3_renegotiate_check(s);
2612 S3I(s)->in_read_app_data = 1; 2612 S3I(s)->in_read_app_data = 1;
2613 ret = s->method->ssl_read_bytes(s, 2613 ret = s->method->internal->ssl_read_bytes(s,
2614 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2614 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2615 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { 2615 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
2616 /* 2616 /*
@@ -2621,7 +2621,7 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2621 * handshake processing and try to read application data again. 2621 * handshake processing and try to read application data again.
2622 */ 2622 */
2623 s->internal->in_handshake++; 2623 s->internal->in_handshake++;
2624 ret = s->method->ssl_read_bytes(s, 2624 ret = s->method->internal->ssl_read_bytes(s,
2625 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2625 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2626 s->internal->in_handshake--; 2626 s->internal->in_handshake--;
2627 } else 2627 } else
@@ -2687,7 +2687,7 @@ ssl_get_algorithm2(SSL *s)
2687{ 2687{
2688 long alg2 = S3I(s)->tmp.new_cipher->algorithm2; 2688 long alg2 = S3I(s)->tmp.new_cipher->algorithm2;
2689 2689
2690 if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF && 2690 if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
2691 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) 2691 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
2692 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; 2692 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
2693 return alg2; 2693 return alg2;
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 228c5f536c..40ab55b6ee 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_pkt.c,v 1.66 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: s3_pkt.c,v 1.67 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -382,7 +382,7 @@ again:
382 /* decrypt in place in 'rr->input' */ 382 /* decrypt in place in 'rr->input' */
383 rr->data = rr->input; 383 rr->data = rr->input;
384 384
385 enc_err = s->method->ssl3_enc->enc(s, 0); 385 enc_err = s->method->internal->ssl3_enc->enc(s, 0);
386 /* enc_err is: 386 /* enc_err is:
387 * 0: (in non-constant time) if the record is publically invalid. 387 * 0: (in non-constant time) if the record is publically invalid.
388 * 1: if the padding is valid 388 * 1: if the padding is valid
@@ -438,7 +438,7 @@ again:
438 mac = &rr->data[rr->length]; 438 mac = &rr->data[rr->length];
439 } 439 }
440 440
441 i = s->method->ssl3_enc->mac(s,md,0 /* not send */); 441 i = s->method->internal->ssl3_enc->mac(s,md,0 /* not send */);
442 if (i < 0 || mac == NULL || 442 if (i < 0 || mac == NULL ||
443 timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) 443 timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
444 enc_err = -1; 444 enc_err = -1;
@@ -710,7 +710,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
710 * wr->data still points in the wb->buf */ 710 * wr->data still points in the wb->buf */
711 711
712 if (mac_size != 0) { 712 if (mac_size != 0) {
713 if (s->method->ssl3_enc->mac(s, 713 if (s->method->internal->ssl3_enc->mac(s,
714 &(p[wr->length + eivlen]), 1) < 0) 714 &(p[wr->length + eivlen]), 1) < 0)
715 goto err; 715 goto err;
716 wr->length += mac_size; 716 wr->length += mac_size;
@@ -727,7 +727,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
727 } 727 }
728 728
729 /* ssl3_enc can only have an error on read */ 729 /* ssl3_enc can only have an error on read */
730 s->method->ssl3_enc->enc(s, 1); 730 s->method->internal->ssl3_enc->enc(s, 1);
731 731
732 /* record length after mac and block padding */ 732 /* record length after mac and block padding */
733 s2n(wr->length, plen); 733 s2n(wr->length, plen);
@@ -1323,25 +1323,25 @@ ssl3_do_change_cipher_spec(SSL *s)
1323 } 1323 }
1324 1324
1325 s->session->cipher = S3I(s)->tmp.new_cipher; 1325 s->session->cipher = S3I(s)->tmp.new_cipher;
1326 if (!s->method->ssl3_enc->setup_key_block(s)) 1326 if (!s->method->internal->ssl3_enc->setup_key_block(s))
1327 return (0); 1327 return (0);
1328 } 1328 }
1329 1329
1330 if (!s->method->ssl3_enc->change_cipher_state(s, i)) 1330 if (!s->method->internal->ssl3_enc->change_cipher_state(s, i))
1331 return (0); 1331 return (0);
1332 1332
1333 /* we have to record the message digest at 1333 /* we have to record the message digest at
1334 * this point so we can get it before we read 1334 * this point so we can get it before we read
1335 * the finished message */ 1335 * the finished message */
1336 if (s->internal->state & SSL_ST_CONNECT) { 1336 if (s->internal->state & SSL_ST_CONNECT) {
1337 sender = s->method->ssl3_enc->server_finished_label; 1337 sender = s->method->internal->ssl3_enc->server_finished_label;
1338 slen = s->method->ssl3_enc->server_finished_label_len; 1338 slen = s->method->internal->ssl3_enc->server_finished_label_len;
1339 } else { 1339 } else {
1340 sender = s->method->ssl3_enc->client_finished_label; 1340 sender = s->method->internal->ssl3_enc->client_finished_label;
1341 slen = s->method->ssl3_enc->client_finished_label_len; 1341 slen = s->method->internal->ssl3_enc->client_finished_label_len;
1342 } 1342 }
1343 1343
1344 i = s->method->ssl3_enc->final_finish_mac(s, sender, slen, 1344 i = s->method->internal->ssl3_enc->final_finish_mac(s, sender, slen,
1345 S3I(s)->tmp.peer_finish_md); 1345 S3I(s)->tmp.peer_finish_md);
1346 if (i == 0) { 1346 if (i == 0) {
1347 SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); 1347 SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
@@ -1356,7 +1356,7 @@ int
1356ssl3_send_alert(SSL *s, int level, int desc) 1356ssl3_send_alert(SSL *s, int level, int desc)
1357{ 1357{
1358 /* Map tls/ssl alert value to correct one */ 1358 /* Map tls/ssl alert value to correct one */
1359 desc = s->method->ssl3_enc->alert_value(desc); 1359 desc = s->method->internal->ssl3_enc->alert_value(desc);
1360 if (desc < 0) 1360 if (desc < 0)
1361 return -1; 1361 return -1;
1362 /* If a fatal one, remove from cache */ 1362 /* If a fatal one, remove from cache */
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index fa958d96f8..59320ea0f6 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.148 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.149 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -519,7 +519,7 @@ ssl3_accept(SSL *s)
519 if (S3I(s)->handshake_dgst[dgst_num]) { 519 if (S3I(s)->handshake_dgst[dgst_num]) {
520 int dgst_size; 520 int dgst_size;
521 521
522 s->method->ssl3_enc->cert_verify_mac(s, 522 s->method->internal->ssl3_enc->cert_verify_mac(s,
523 EVP_MD_CTX_type( 523 EVP_MD_CTX_type(
524 S3I(s)->handshake_dgst[dgst_num]), 524 S3I(s)->handshake_dgst[dgst_num]),
525 &(S3I(s)->tmp.cert_verify_md[offset])); 525 &(S3I(s)->tmp.cert_verify_md[offset]));
@@ -598,7 +598,7 @@ ssl3_accept(SSL *s)
598 case SSL3_ST_SW_CHANGE_B: 598 case SSL3_ST_SW_CHANGE_B:
599 599
600 s->session->cipher = S3I(s)->tmp.new_cipher; 600 s->session->cipher = S3I(s)->tmp.new_cipher;
601 if (!s->method->ssl3_enc->setup_key_block(s)) { 601 if (!s->method->internal->ssl3_enc->setup_key_block(s)) {
602 ret = -1; 602 ret = -1;
603 goto end; 603 goto end;
604 } 604 }
@@ -611,7 +611,7 @@ ssl3_accept(SSL *s)
611 s->internal->state = SSL3_ST_SW_FINISHED_A; 611 s->internal->state = SSL3_ST_SW_FINISHED_A;
612 s->internal->init_num = 0; 612 s->internal->init_num = 0;
613 613
614 if (!s->method->ssl3_enc->change_cipher_state( 614 if (!s->method->internal->ssl3_enc->change_cipher_state(
615 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) { 615 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
616 ret = -1; 616 ret = -1;
617 goto end; 617 goto end;
@@ -623,8 +623,8 @@ ssl3_accept(SSL *s)
623 case SSL3_ST_SW_FINISHED_B: 623 case SSL3_ST_SW_FINISHED_B:
624 ret = ssl3_send_finished(s, 624 ret = ssl3_send_finished(s,
625 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B, 625 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
626 s->method->ssl3_enc->server_finished_label, 626 s->method->internal->ssl3_enc->server_finished_label,
627 s->method->ssl3_enc->server_finished_label_len); 627 s->method->internal->ssl3_enc->server_finished_label_len);
628 if (ret <= 0) 628 if (ret <= 0)
629 goto end; 629 goto end;
630 s->internal->state = SSL3_ST_SW_FLUSH; 630 s->internal->state = SSL3_ST_SW_FLUSH;
@@ -742,7 +742,7 @@ ssl3_get_client_hello(SSL *s)
742 s->internal->state = SSL3_ST_SR_CLNT_HELLO_B; 742 s->internal->state = SSL3_ST_SR_CLNT_HELLO_B;
743 } 743 }
744 s->internal->first_packet = 1; 744 s->internal->first_packet = 1;
745 n = s->method->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, 745 n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
746 SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, 746 SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO,
747 SSL3_RT_MAX_PLAIN_LENGTH, &ok); 747 SSL3_RT_MAX_PLAIN_LENGTH, &ok);
748 748
@@ -1803,7 +1803,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
1803 } 1803 }
1804 1804
1805 s->session->master_key_length = 1805 s->session->master_key_length =
1806 s->method->ssl3_enc->generate_master_secret(s, 1806 s->method->internal->ssl3_enc->generate_master_secret(s,
1807 s->session->master_key, p, i); 1807 s->session->master_key, p, i);
1808 1808
1809 explicit_bzero(p, i); 1809 explicit_bzero(p, i);
@@ -1859,7 +1859,7 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
1859 } 1859 }
1860 1860
1861 s->session->master_key_length = 1861 s->session->master_key_length =
1862 s->method->ssl3_enc->generate_master_secret( 1862 s->method->internal->ssl3_enc->generate_master_secret(
1863 s, s->session->master_key, p, key_size); 1863 s, s->session->master_key, p, key_size);
1864 1864
1865 explicit_bzero(p, key_size); 1865 explicit_bzero(p, key_size);
@@ -2013,7 +2013,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
2013 2013
2014 /* Compute the master secret */ 2014 /* Compute the master secret */
2015 s->session->master_key_length = 2015 s->session->master_key_length =
2016 s->method->ssl3_enc->generate_master_secret( 2016 s->method->internal->ssl3_enc->generate_master_secret(
2017 s, s->session->master_key, p, i); 2017 s, s->session->master_key, p, i);
2018 2018
2019 explicit_bzero(p, i); 2019 explicit_bzero(p, i);
@@ -2055,7 +2055,7 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, unsigned char *p, long n)
2055 S3I(s)->tmp.x25519 = NULL; 2055 S3I(s)->tmp.x25519 = NULL;
2056 2056
2057 s->session->master_key_length = 2057 s->session->master_key_length =
2058 s->method->ssl3_enc->generate_master_secret( 2058 s->method->internal->ssl3_enc->generate_master_secret(
2059 s, s->session->master_key, shared_key, X25519_KEY_LENGTH); 2059 s, s->session->master_key, shared_key, X25519_KEY_LENGTH);
2060 2060
2061 ret = 1; 2061 ret = 1;
@@ -2131,7 +2131,7 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
2131 } 2131 }
2132 /* Generate master secret */ 2132 /* Generate master secret */
2133 s->session->master_key_length = 2133 s->session->master_key_length =
2134 s->method->ssl3_enc->generate_master_secret( 2134 s->method->internal->ssl3_enc->generate_master_secret(
2135 s, s->session->master_key, premaster_secret, 32); 2135 s, s->session->master_key, premaster_secret, 32);
2136 /* Check if pubkey from client certificate was used */ 2136 /* Check if pubkey from client certificate was used */
2137 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, 2137 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1,
@@ -2164,7 +2164,7 @@ ssl3_get_client_key_exchange(SSL *s)
2164 long n; 2164 long n;
2165 2165
2166 /* 2048 maxlen is a guess. How long a key does that permit? */ 2166 /* 2048 maxlen is a guess. How long a key does that permit? */
2167 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A, 2167 n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
2168 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok); 2168 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
2169 if (!ok) 2169 if (!ok)
2170 return ((int)n); 2170 return ((int)n);
@@ -2213,7 +2213,7 @@ ssl3_get_cert_verify(SSL *s)
2213 EVP_MD_CTX mctx; 2213 EVP_MD_CTX mctx;
2214 EVP_MD_CTX_init(&mctx); 2214 EVP_MD_CTX_init(&mctx);
2215 2215
2216 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A, 2216 n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2217 SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok); 2217 SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok);
2218 if (!ok) 2218 if (!ok)
2219 return ((int)n); 2219 return ((int)n);
@@ -2476,7 +2476,7 @@ ssl3_get_client_certificate(SSL *s)
2476 const unsigned char *q; 2476 const unsigned char *q;
2477 STACK_OF(X509) *sk = NULL; 2477 STACK_OF(X509) *sk = NULL;
2478 2478
2479 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, 2479 n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
2480 -1, s->internal->max_cert_list, &ok); 2480 -1, s->internal->max_cert_list, &ok);
2481 2481
2482 if (!ok) 2482 if (!ok)
@@ -2867,7 +2867,7 @@ ssl3_get_next_proto(SSL *s)
2867 } 2867 }
2868 2868
2869 /* 514 maxlen is enough for the payload format below */ 2869 /* 514 maxlen is enough for the payload format below */
2870 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A, 2870 n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
2871 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok); 2871 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
2872 if (!ok) 2872 if (!ok)
2873 return ((int)n); 2873 return ((int)n);
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 87237fcc9b..037f46c400 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.117 2017/01/23 10:22:06 jsing Exp $ */ 1/* $OpenBSD: ssl.h,v 1.118 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -396,36 +396,16 @@ struct ssl_cipher_st {
396 396
397 397
398/* Used to hold functions for SSLv3/TLSv1 functions */ 398/* Used to hold functions for SSLv3/TLSv1 functions */
399struct ssl_method_internal_st;
400
399struct ssl_method_st { 401struct ssl_method_st {
400 int version;
401 uint16_t min_version;
402 uint16_t max_version;
403 int (*ssl_new)(SSL *s);
404 void (*ssl_clear)(SSL *s);
405 void (*ssl_free)(SSL *s);
406 int (*ssl_accept)(SSL *s);
407 int (*ssl_connect)(SSL *s);
408 int (*ssl_read)(SSL *s, void *buf, int len);
409 int (*ssl_peek)(SSL *s, void *buf, int len);
410 int (*ssl_write)(SSL *s, const void *buf, int len);
411 int (*ssl_shutdown)(SSL *s);
412 int (*ssl_renegotiate)(SSL *s);
413 int (*ssl_renegotiate_check)(SSL *s);
414 long (*ssl_get_message)(SSL *s, int st1, int stn, int mt,
415 long max, int *ok);
416 int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf,
417 int len, int peek);
418 int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
419 int (*ssl_dispatch_alert)(SSL *s); 402 int (*ssl_dispatch_alert)(SSL *s);
420 const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
421 int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr);
422 int (*ssl_pending)(const SSL *s);
423 int (*num_ciphers)(void); 403 int (*num_ciphers)(void);
424 const SSL_CIPHER *(*get_cipher)(unsigned ncipher); 404 const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
425 const struct ssl_method_st *(*get_ssl_method)(int version); 405 const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
426 long (*get_timeout)(void); 406 int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr);
427 struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ 407
428 int (*ssl_version)(void); 408 const struct ssl_method_internal_st *internal;
429}; 409};
430 410
431/* Lets make this into an ASN.1 type structure as follows 411/* Lets make this into an ASN.1 type structure as follows
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 7592249dcb..edcbe9d20a 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.138 2017/01/23 10:22:06 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.139 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -212,7 +212,7 @@ SSL_clear(SSL *s)
212 212
213 s->internal->state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 213 s->internal->state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
214 214
215 s->version = s->method->version; 215 s->version = s->method->internal->version;
216 s->client_version = s->version; 216 s->client_version = s->version;
217 s->internal->rwstate = SSL_NOTHING; 217 s->internal->rwstate = SSL_NOTHING;
218 s->internal->rstate = SSL_ST_READ_HEADER; 218 s->internal->rstate = SSL_ST_READ_HEADER;
@@ -232,12 +232,12 @@ SSL_clear(SSL *s)
232 */ 232 */
233 if (!s->internal->in_handshake && (s->session == NULL) && 233 if (!s->internal->in_handshake && (s->session == NULL) &&
234 (s->method != s->ctx->method)) { 234 (s->method != s->ctx->method)) {
235 s->method->ssl_free(s); 235 s->method->internal->ssl_free(s);
236 s->method = s->ctx->method; 236 s->method = s->ctx->method;
237 if (!s->method->ssl_new(s)) 237 if (!s->method->internal->ssl_new(s))
238 return (0); 238 return (0);
239 } else 239 } else
240 s->method->ssl_clear(s); 240 s->method->internal->ssl_clear(s);
241 241
242 return (1); 242 return (1);
243} 243}
@@ -354,11 +354,11 @@ SSL_new(SSL_CTX *ctx)
354 354
355 s->method = ctx->method; 355 s->method = ctx->method;
356 356
357 if (!s->method->ssl_new(s)) 357 if (!s->method->internal->ssl_new(s))
358 goto err; 358 goto err;
359 359
360 s->references = 1; 360 s->references = 1;
361 s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1; 361 s->server = (ctx->method->internal->ssl_accept == ssl_undefined_function) ? 0 : 1;
362 362
363 SSL_clear(s); 363 SSL_clear(s);
364 364
@@ -550,7 +550,7 @@ SSL_free(SSL *s)
550 sk_X509_NAME_pop_free(s->internal->client_CA, X509_NAME_free); 550 sk_X509_NAME_pop_free(s->internal->client_CA, X509_NAME_free);
551 551
552 if (s->method != NULL) 552 if (s->method != NULL)
553 s->method->ssl_free(s); 553 s->method->internal->ssl_free(s);
554 554
555 SSL_CTX_free(s->ctx); 555 SSL_CTX_free(s->ctx);
556 556
@@ -799,7 +799,7 @@ SSL_pending(const SSL *s)
799 * (Note that SSL_pending() is often used as a boolean value, 799 * (Note that SSL_pending() is often used as a boolean value,
800 * so we'd better not return -1.) 800 * so we'd better not return -1.)
801 */ 801 */
802 return (s->method->ssl_pending(s)); 802 return (s->method->internal->ssl_pending(s));
803} 803}
804 804
805X509 * 805X509 *
@@ -856,9 +856,9 @@ SSL_copy_session_id(SSL *t, const SSL *f)
856 * vice-versa. 856 * vice-versa.
857 */ 857 */
858 if (t->method != f->method) { 858 if (t->method != f->method) {
859 t->method->ssl_free(t); /* cleanup current */ 859 t->method->internal->ssl_free(t); /* cleanup current */
860 t->method=f->method; /* change method */ 860 t->method = f->method; /* change method */
861 t->method->ssl_new(t); /* setup new */ 861 t->method->internal->ssl_new(t); /* setup new */
862 } 862 }
863 863
864 tmp = t->cert; 864 tmp = t->cert;
@@ -925,7 +925,7 @@ SSL_accept(SSL *s)
925 if (s->internal->handshake_func == NULL) 925 if (s->internal->handshake_func == NULL)
926 SSL_set_accept_state(s); /* Not properly initialized yet */ 926 SSL_set_accept_state(s); /* Not properly initialized yet */
927 927
928 return (s->method->ssl_accept(s)); 928 return (s->method->internal->ssl_accept(s));
929} 929}
930 930
931int 931int
@@ -934,13 +934,13 @@ SSL_connect(SSL *s)
934 if (s->internal->handshake_func == NULL) 934 if (s->internal->handshake_func == NULL)
935 SSL_set_connect_state(s); /* Not properly initialized yet */ 935 SSL_set_connect_state(s); /* Not properly initialized yet */
936 936
937 return (s->method->ssl_connect(s)); 937 return (s->method->internal->ssl_connect(s));
938} 938}
939 939
940long 940long
941SSL_get_default_timeout(const SSL *s) 941SSL_get_default_timeout(const SSL *s)
942{ 942{
943 return (s->method->get_timeout()); 943 return (s->method->internal->get_timeout());
944} 944}
945 945
946int 946int
@@ -955,7 +955,7 @@ SSL_read(SSL *s, void *buf, int num)
955 s->internal->rwstate = SSL_NOTHING; 955 s->internal->rwstate = SSL_NOTHING;
956 return (0); 956 return (0);
957 } 957 }
958 return (s->method->ssl_read(s, buf, num)); 958 return (s->method->internal->ssl_read(s, buf, num));
959} 959}
960 960
961int 961int
@@ -969,7 +969,7 @@ SSL_peek(SSL *s, void *buf, int num)
969 if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { 969 if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) {
970 return (0); 970 return (0);
971 } 971 }
972 return (s->method->ssl_peek(s, buf, num)); 972 return (s->method->internal->ssl_peek(s, buf, num));
973} 973}
974 974
975int 975int
@@ -985,7 +985,7 @@ SSL_write(SSL *s, const void *buf, int num)
985 SSLerr(SSL_F_SSL_WRITE, SSL_R_PROTOCOL_IS_SHUTDOWN); 985 SSLerr(SSL_F_SSL_WRITE, SSL_R_PROTOCOL_IS_SHUTDOWN);
986 return (-1); 986 return (-1);
987 } 987 }
988 return (s->method->ssl_write(s, buf, num)); 988 return (s->method->internal->ssl_write(s, buf, num));
989} 989}
990 990
991int 991int
@@ -1004,7 +1004,7 @@ SSL_shutdown(SSL *s)
1004 } 1004 }
1005 1005
1006 if ((s != NULL) && !SSL_in_init(s)) 1006 if ((s != NULL) && !SSL_in_init(s))
1007 return (s->method->ssl_shutdown(s)); 1007 return (s->method->internal->ssl_shutdown(s));
1008 else 1008 else
1009 return (1); 1009 return (1);
1010} 1010}
@@ -1017,7 +1017,7 @@ SSL_renegotiate(SSL *s)
1017 1017
1018 s->internal->new_session = 1; 1018 s->internal->new_session = 1;
1019 1019
1020 return (s->method->ssl_renegotiate(s)); 1020 return (s->method->internal->ssl_renegotiate(s));
1021} 1021}
1022 1022
1023int 1023int
@@ -1028,7 +1028,7 @@ SSL_renegotiate_abbreviated(SSL *s)
1028 1028
1029 s->internal->new_session = 0; 1029 s->internal->new_session = 0;
1030 1030
1031 return (s->method->ssl_renegotiate(s)); 1031 return (s->method->internal->ssl_renegotiate(s));
1032} 1032}
1033 1033
1034int 1034int
@@ -1737,7 +1737,7 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1737 const char *label, size_t llen, const unsigned char *p, size_t plen, 1737 const char *label, size_t llen, const unsigned char *p, size_t plen,
1738 int use_context) 1738 int use_context)
1739{ 1739{
1740 return (s->method->ssl3_enc->export_keying_material(s, out, olen, 1740 return (s->method->internal->ssl3_enc->export_keying_material(s, out, olen,
1741 label, llen, p, plen, use_context)); 1741 label, llen, p, plen, use_context));
1742} 1742}
1743 1743
@@ -1831,7 +1831,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
1831 ret->internal->session_cache_tail = NULL; 1831 ret->internal->session_cache_tail = NULL;
1832 1832
1833 /* We take the system default */ 1833 /* We take the system default */
1834 ret->session_timeout = meth->get_timeout(); 1834 ret->session_timeout = meth->internal->get_timeout();
1835 1835
1836 ret->internal->new_session_cb = 0; 1836 ret->internal->new_session_cb = 0;
1837 ret->internal->remove_session_cb = 0; 1837 ret->internal->remove_session_cb = 0;
@@ -2309,20 +2309,20 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
2309 2309
2310 if (s->method != meth) { 2310 if (s->method != meth) {
2311 if (s->internal->handshake_func != NULL) 2311 if (s->internal->handshake_func != NULL)
2312 conn = (s->internal->handshake_func == s->method->ssl_connect); 2312 conn = (s->internal->handshake_func == s->method->internal->ssl_connect);
2313 2313
2314 if (s->method->version == meth->version) 2314 if (s->method->internal->version == meth->internal->version)
2315 s->method = meth; 2315 s->method = meth;
2316 else { 2316 else {
2317 s->method->ssl_free(s); 2317 s->method->internal->ssl_free(s);
2318 s->method = meth; 2318 s->method = meth;
2319 ret = s->method->ssl_new(s); 2319 ret = s->method->internal->ssl_new(s);
2320 } 2320 }
2321 2321
2322 if (conn == 1) 2322 if (conn == 1)
2323 s->internal->handshake_func = meth->ssl_connect; 2323 s->internal->handshake_func = meth->internal->ssl_connect;
2324 else if (conn == 0) 2324 else if (conn == 0)
2325 s->internal->handshake_func = meth->ssl_accept; 2325 s->internal->handshake_func = meth->internal->ssl_accept;
2326 } 2326 }
2327 return (ret); 2327 return (ret);
2328} 2328}
@@ -2415,7 +2415,7 @@ SSL_do_handshake(SSL *s)
2415 return (-1); 2415 return (-1);
2416 } 2416 }
2417 2417
2418 s->method->ssl_renegotiate_check(s); 2418 s->method->internal->ssl_renegotiate_check(s);
2419 2419
2420 if (SSL_in_init(s) || SSL_in_before(s)) { 2420 if (SSL_in_init(s) || SSL_in_before(s)) {
2421 ret = s->internal->handshake_func(s); 2421 ret = s->internal->handshake_func(s);
@@ -2433,7 +2433,7 @@ SSL_set_accept_state(SSL *s)
2433 s->server = 1; 2433 s->server = 1;
2434 s->internal->shutdown = 0; 2434 s->internal->shutdown = 0;
2435 s->internal->state = SSL_ST_ACCEPT|SSL_ST_BEFORE; 2435 s->internal->state = SSL_ST_ACCEPT|SSL_ST_BEFORE;
2436 s->internal->handshake_func = s->method->ssl_accept; 2436 s->internal->handshake_func = s->method->internal->ssl_accept;
2437 /* clear the current cipher */ 2437 /* clear the current cipher */
2438 ssl_clear_cipher_ctx(s); 2438 ssl_clear_cipher_ctx(s);
2439 ssl_clear_hash_ctx(&s->read_hash); 2439 ssl_clear_hash_ctx(&s->read_hash);
@@ -2446,7 +2446,7 @@ SSL_set_connect_state(SSL *s)
2446 s->server = 0; 2446 s->server = 0;
2447 s->internal->shutdown = 0; 2447 s->internal->shutdown = 0;
2448 s->internal->state = SSL_ST_CONNECT|SSL_ST_BEFORE; 2448 s->internal->state = SSL_ST_CONNECT|SSL_ST_BEFORE;
2449 s->internal->handshake_func = s->method->ssl_connect; 2449 s->internal->handshake_func = s->method->internal->ssl_connect;
2450 /* clear the current cipher */ 2450 /* clear the current cipher */
2451 ssl_clear_cipher_ctx(s); 2451 ssl_clear_cipher_ctx(s);
2452 ssl_clear_hash_ctx(&s->read_hash); 2452 ssl_clear_hash_ctx(&s->read_hash);
@@ -2581,7 +2581,7 @@ ssl_max_server_version(SSL *s)
2581 * The SSL method will be changed during version negotiation, as such 2581 * The SSL method will be changed during version negotiation, as such
2582 * we want to use the SSL method from the context. 2582 * we want to use the SSL method from the context.
2583 */ 2583 */
2584 max_version = s->ctx->method->version; 2584 max_version = s->ctx->method->internal->version;
2585 2585
2586 if (SSL_IS_DTLS(s)) 2586 if (SSL_IS_DTLS(s))
2587 return (DTLS1_VERSION); 2587 return (DTLS1_VERSION);
@@ -2625,9 +2625,9 @@ SSL_dup(SSL *s)
2625 * and thus we can't use SSL_copy_session_id. 2625 * and thus we can't use SSL_copy_session_id.
2626 */ 2626 */
2627 2627
2628 ret->method->ssl_free(ret); 2628 ret->method->internal->ssl_free(ret);
2629 ret->method = s->method; 2629 ret->method = s->method;
2630 ret->method->ssl_new(ret); 2630 ret->method->internal->ssl_new(ret);
2631 2631
2632 if (s->cert != NULL) { 2632 if (s->cert != NULL) {
2633 if (ret->cert != NULL) { 2633 if (ret->cert != NULL) {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 1aac55f101..df1e12bf39 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.160 2017/01/23 08:48:44 beck Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.161 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -327,19 +327,20 @@ __BEGIN_HIDDEN_DECLS
327#define SSL_C_PKEYLENGTH(c) 1024 327#define SSL_C_PKEYLENGTH(c) 1024
328 328
329/* Check if an SSL structure is using DTLS. */ 329/* Check if an SSL structure is using DTLS. */
330#define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) 330#define SSL_IS_DTLS(s) \
331 (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
331 332
332/* See if we need explicit IV. */ 333/* See if we need explicit IV. */
333#define SSL_USE_EXPLICIT_IV(s) \ 334#define SSL_USE_EXPLICIT_IV(s) \
334 (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) 335 (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV)
335 336
336/* See if we use signature algorithms extension. */ 337/* See if we use signature algorithms extension. */
337#define SSL_USE_SIGALGS(s) \ 338#define SSL_USE_SIGALGS(s) \
338 (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS) 339 (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS)
339 340
340/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ 341/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
341#define SSL_USE_TLS1_2_CIPHERS(s) \ 342#define SSL_USE_TLS1_2_CIPHERS(s) \
342 (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) 343 (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
343 344
344/* Mostly for SSLv3 */ 345/* Mostly for SSLv3 */
345#define SSL_PKEY_RSA_ENC 0 346#define SSL_PKEY_RSA_ENC 0
@@ -372,6 +373,41 @@ __BEGIN_HIDDEN_DECLS
372#define EXPLICIT_CHAR2_CURVE_TYPE 2 373#define EXPLICIT_CHAR2_CURVE_TYPE 2
373#define NAMED_CURVE_TYPE 3 374#define NAMED_CURVE_TYPE 3
374 375
376typedef struct ssl_method_internal_st {
377 int version;
378
379 uint16_t min_version;
380 uint16_t max_version;
381
382 int (*ssl_new)(SSL *s);
383 void (*ssl_clear)(SSL *s);
384 void (*ssl_free)(SSL *s);
385
386 int (*ssl_accept)(SSL *s);
387 int (*ssl_connect)(SSL *s);
388 int (*ssl_read)(SSL *s, void *buf, int len);
389 int (*ssl_peek)(SSL *s, void *buf, int len);
390 int (*ssl_write)(SSL *s, const void *buf, int len);
391 int (*ssl_shutdown)(SSL *s);
392
393 int (*ssl_renegotiate)(SSL *s);
394 int (*ssl_renegotiate_check)(SSL *s);
395
396 long (*ssl_get_message)(SSL *s, int st1, int stn, int mt,
397 long max, int *ok);
398 int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf,
399 int len, int peek);
400 int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
401
402 int (*ssl_pending)(const SSL *s);
403 const struct ssl_method_st *(*get_ssl_method)(int version);
404
405 long (*get_timeout)(void);
406 int (*ssl_version)(void);
407
408 struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
409} SSL_METHOD_INTERNAL;
410
375typedef struct ssl_session_internal_st { 411typedef struct ssl_session_internal_st {
376 CRYPTO_EX_DATA ex_data; /* application specific data */ 412 CRYPTO_EX_DATA ex_data; /* application specific data */
377 413
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 52a04d3094..f44fdcc419 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sess.c,v 1.62 2017/01/23 06:45:30 beck Exp $ */ 1/* $OpenBSD: ssl_sess.c,v 1.63 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -725,9 +725,9 @@ SSL_set_session(SSL *s, SSL_SESSION *session)
725 const SSL_METHOD *meth; 725 const SSL_METHOD *meth;
726 726
727 if (session != NULL) { 727 if (session != NULL) {
728 meth = s->ctx->method->get_ssl_method(session->ssl_version); 728 meth = s->ctx->method->internal->get_ssl_method(session->ssl_version);
729 if (meth == NULL) 729 if (meth == NULL)
730 meth = s->method->get_ssl_method(session->ssl_version); 730 meth = s->method->internal->get_ssl_method(session->ssl_version);
731 if (meth == NULL) { 731 if (meth == NULL) {
732 SSLerr(SSL_F_SSL_SET_SESSION, 732 SSLerr(SSL_F_SSL_SET_SESSION,
733 SSL_R_UNABLE_TO_FIND_SSL_METHOD); 733 SSL_R_UNABLE_TO_FIND_SSL_METHOD);
@@ -739,7 +739,6 @@ SSL_set_session(SSL *s, SSL_SESSION *session)
739 return (0); 739 return (0);
740 } 740 }
741 741
742
743 /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ 742 /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
744 CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION); 743 CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
745 if (s->session != NULL) 744 if (s->session != NULL)
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
index d07e54d9f7..5b8f7cd412 100644
--- a/src/lib/libssl/t1_clnt.c
+++ b/src/lib/libssl/t1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_clnt.c,v 1.21 2017/01/23 10:22:06 jsing Exp $ */ 1/* $OpenBSD: t1_clnt.c,v 1.22 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -66,7 +66,7 @@
66 66
67static const SSL_METHOD *tls1_get_client_method(int ver); 67static const SSL_METHOD *tls1_get_client_method(int ver);
68 68
69static const SSL_METHOD TLS_client_method_data = { 69static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = {
70 .version = TLS1_2_VERSION, 70 .version = TLS1_2_VERSION,
71 .min_version = TLS1_VERSION, 71 .min_version = TLS1_VERSION,
72 .max_version = TLS1_2_VERSION, 72 .max_version = TLS1_2_VERSION,
@@ -79,24 +79,28 @@ static const SSL_METHOD TLS_client_method_data = {
79 .ssl_peek = ssl23_peek, 79 .ssl_peek = ssl23_peek,
80 .ssl_write = ssl23_write, 80 .ssl_write = ssl23_write,
81 .ssl_shutdown = ssl_undefined_function, 81 .ssl_shutdown = ssl_undefined_function,
82 .ssl_pending = ssl_undefined_const_function,
83 .get_ssl_method = tls1_get_client_method,
84 .get_timeout = ssl23_default_timeout,
85 .ssl_version = ssl_undefined_void_function,
82 .ssl_renegotiate = ssl_undefined_function, 86 .ssl_renegotiate = ssl_undefined_function,
83 .ssl_renegotiate_check = ssl_ok, 87 .ssl_renegotiate_check = ssl_ok,
84 .ssl_get_message = ssl3_get_message, 88 .ssl_get_message = ssl3_get_message,
85 .ssl_read_bytes = ssl3_read_bytes, 89 .ssl_read_bytes = ssl3_read_bytes,
86 .ssl_write_bytes = ssl3_write_bytes, 90 .ssl_write_bytes = ssl3_write_bytes,
91 .ssl3_enc = &ssl3_undef_enc_method,
92};
93
94static const SSL_METHOD TLS_client_method_data = {
87 .ssl_dispatch_alert = ssl3_dispatch_alert, 95 .ssl_dispatch_alert = ssl3_dispatch_alert,
88 .get_cipher_by_char = ssl3_get_cipher_by_char,
89 .put_cipher_by_char = ssl3_put_cipher_by_char,
90 .ssl_pending = ssl_undefined_const_function,
91 .num_ciphers = ssl3_num_ciphers, 96 .num_ciphers = ssl3_num_ciphers,
92 .get_cipher = ssl3_get_cipher, 97 .get_cipher = ssl3_get_cipher,
93 .get_ssl_method = tls1_get_client_method, 98 .get_cipher_by_char = ssl3_get_cipher_by_char,
94 .get_timeout = ssl23_default_timeout, 99 .put_cipher_by_char = ssl3_put_cipher_by_char,
95 .ssl3_enc = &ssl3_undef_enc_method, 100 .internal = &TLS_client_method_internal_data,
96 .ssl_version = ssl_undefined_void_function,
97}; 101};
98 102
99static const SSL_METHOD TLSv1_client_method_data = { 103static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = {
100 .version = TLS1_VERSION, 104 .version = TLS1_VERSION,
101 .min_version = TLS1_VERSION, 105 .min_version = TLS1_VERSION,
102 .max_version = TLS1_VERSION, 106 .max_version = TLS1_VERSION,
@@ -109,24 +113,28 @@ static const SSL_METHOD TLSv1_client_method_data = {
109 .ssl_peek = ssl3_peek, 113 .ssl_peek = ssl3_peek,
110 .ssl_write = ssl3_write, 114 .ssl_write = ssl3_write,
111 .ssl_shutdown = ssl3_shutdown, 115 .ssl_shutdown = ssl3_shutdown,
116 .ssl_pending = ssl3_pending,
117 .get_ssl_method = tls1_get_client_method,
118 .get_timeout = tls1_default_timeout,
119 .ssl_version = ssl_undefined_void_function,
112 .ssl_renegotiate = ssl3_renegotiate, 120 .ssl_renegotiate = ssl3_renegotiate,
113 .ssl_renegotiate_check = ssl3_renegotiate_check, 121 .ssl_renegotiate_check = ssl3_renegotiate_check,
114 .ssl_get_message = ssl3_get_message, 122 .ssl_get_message = ssl3_get_message,
115 .ssl_read_bytes = ssl3_read_bytes, 123 .ssl_read_bytes = ssl3_read_bytes,
116 .ssl_write_bytes = ssl3_write_bytes, 124 .ssl_write_bytes = ssl3_write_bytes,
125 .ssl3_enc = &TLSv1_enc_data,
126};
127
128static const SSL_METHOD TLSv1_client_method_data = {
117 .ssl_dispatch_alert = ssl3_dispatch_alert, 129 .ssl_dispatch_alert = ssl3_dispatch_alert,
118 .get_cipher_by_char = ssl3_get_cipher_by_char,
119 .put_cipher_by_char = ssl3_put_cipher_by_char,
120 .ssl_pending = ssl3_pending,
121 .num_ciphers = ssl3_num_ciphers, 130 .num_ciphers = ssl3_num_ciphers,
122 .get_cipher = ssl3_get_cipher, 131 .get_cipher = ssl3_get_cipher,
123 .get_ssl_method = tls1_get_client_method, 132 .get_cipher_by_char = ssl3_get_cipher_by_char,
124 .get_timeout = tls1_default_timeout, 133 .put_cipher_by_char = ssl3_put_cipher_by_char,
125 .ssl3_enc = &TLSv1_enc_data, 134 .internal = &TLSv1_client_method_internal_data,
126 .ssl_version = ssl_undefined_void_function,
127}; 135};
128 136
129static const SSL_METHOD TLSv1_1_client_method_data = { 137static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = {
130 .version = TLS1_1_VERSION, 138 .version = TLS1_1_VERSION,
131 .min_version = TLS1_1_VERSION, 139 .min_version = TLS1_1_VERSION,
132 .max_version = TLS1_1_VERSION, 140 .max_version = TLS1_1_VERSION,
@@ -139,24 +147,28 @@ static const SSL_METHOD TLSv1_1_client_method_data = {
139 .ssl_peek = ssl3_peek, 147 .ssl_peek = ssl3_peek,
140 .ssl_write = ssl3_write, 148 .ssl_write = ssl3_write,
141 .ssl_shutdown = ssl3_shutdown, 149 .ssl_shutdown = ssl3_shutdown,
150 .ssl_pending = ssl3_pending,
151 .get_ssl_method = tls1_get_client_method,
152 .get_timeout = tls1_default_timeout,
153 .ssl_version = ssl_undefined_void_function,
142 .ssl_renegotiate = ssl3_renegotiate, 154 .ssl_renegotiate = ssl3_renegotiate,
143 .ssl_renegotiate_check = ssl3_renegotiate_check, 155 .ssl_renegotiate_check = ssl3_renegotiate_check,
144 .ssl_get_message = ssl3_get_message, 156 .ssl_get_message = ssl3_get_message,
145 .ssl_read_bytes = ssl3_read_bytes, 157 .ssl_read_bytes = ssl3_read_bytes,
146 .ssl_write_bytes = ssl3_write_bytes, 158 .ssl_write_bytes = ssl3_write_bytes,
159 .ssl3_enc = &TLSv1_1_enc_data,
160};
161
162static const SSL_METHOD TLSv1_1_client_method_data = {
147 .ssl_dispatch_alert = ssl3_dispatch_alert, 163 .ssl_dispatch_alert = ssl3_dispatch_alert,
148 .get_cipher_by_char = ssl3_get_cipher_by_char,
149 .put_cipher_by_char = ssl3_put_cipher_by_char,
150 .ssl_pending = ssl3_pending,
151 .num_ciphers = ssl3_num_ciphers, 164 .num_ciphers = ssl3_num_ciphers,
152 .get_cipher = ssl3_get_cipher, 165 .get_cipher = ssl3_get_cipher,
153 .get_ssl_method = tls1_get_client_method, 166 .get_cipher_by_char = ssl3_get_cipher_by_char,
154 .get_timeout = tls1_default_timeout, 167 .put_cipher_by_char = ssl3_put_cipher_by_char,
155 .ssl3_enc = &TLSv1_1_enc_data, 168 .internal = &TLSv1_1_client_method_internal_data,
156 .ssl_version = ssl_undefined_void_function,
157}; 169};
158 170
159static const SSL_METHOD TLSv1_2_client_method_data = { 171static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = {
160 .version = TLS1_2_VERSION, 172 .version = TLS1_2_VERSION,
161 .min_version = TLS1_2_VERSION, 173 .min_version = TLS1_2_VERSION,
162 .max_version = TLS1_2_VERSION, 174 .max_version = TLS1_2_VERSION,
@@ -169,21 +181,25 @@ static const SSL_METHOD TLSv1_2_client_method_data = {
169 .ssl_peek = ssl3_peek, 181 .ssl_peek = ssl3_peek,
170 .ssl_write = ssl3_write, 182 .ssl_write = ssl3_write,
171 .ssl_shutdown = ssl3_shutdown, 183 .ssl_shutdown = ssl3_shutdown,
184 .ssl_pending = ssl3_pending,
185 .get_ssl_method = tls1_get_client_method,
186 .get_timeout = tls1_default_timeout,
187 .ssl_version = ssl_undefined_void_function,
172 .ssl_renegotiate = ssl3_renegotiate, 188 .ssl_renegotiate = ssl3_renegotiate,
173 .ssl_renegotiate_check = ssl3_renegotiate_check, 189 .ssl_renegotiate_check = ssl3_renegotiate_check,
174 .ssl_get_message = ssl3_get_message, 190 .ssl_get_message = ssl3_get_message,
175 .ssl_read_bytes = ssl3_read_bytes, 191 .ssl_read_bytes = ssl3_read_bytes,
176 .ssl_write_bytes = ssl3_write_bytes, 192 .ssl_write_bytes = ssl3_write_bytes,
193 .ssl3_enc = &TLSv1_2_enc_data,
194};
195
196static const SSL_METHOD TLSv1_2_client_method_data = {
177 .ssl_dispatch_alert = ssl3_dispatch_alert, 197 .ssl_dispatch_alert = ssl3_dispatch_alert,
178 .get_cipher_by_char = ssl3_get_cipher_by_char,
179 .put_cipher_by_char = ssl3_put_cipher_by_char,
180 .ssl_pending = ssl3_pending,
181 .num_ciphers = ssl3_num_ciphers, 198 .num_ciphers = ssl3_num_ciphers,
182 .get_cipher = ssl3_get_cipher, 199 .get_cipher = ssl3_get_cipher,
183 .get_ssl_method = tls1_get_client_method, 200 .get_cipher_by_char = ssl3_get_cipher_by_char,
184 .get_timeout = tls1_default_timeout, 201 .put_cipher_by_char = ssl3_put_cipher_by_char,
185 .ssl3_enc = &TLSv1_2_enc_data, 202 .internal = &TLSv1_2_client_method_internal_data,
186 .ssl_version = ssl_undefined_void_function,
187}; 203};
188 204
189static const SSL_METHOD * 205static const SSL_METHOD *
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 2100faac22..c0abe762e6 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.91 2017/01/23 08:08:06 beck Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.92 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -784,7 +784,7 @@ tls1_setup_key_block(SSL *s)
784 goto err; 784 goto err;
785 785
786 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && 786 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
787 s->method->version <= TLS1_VERSION) { 787 s->method->internal->version <= TLS1_VERSION) {
788 /* 788 /*
789 * Enable vulnerability countermeasure for CBC ciphers with 789 * Enable vulnerability countermeasure for CBC ciphers with
790 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 790 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index fb01bfcfac..8e7b1b5167 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.104 2017/01/23 08:48:45 beck Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.105 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -191,7 +191,7 @@ tls1_new(SSL *s)
191{ 191{
192 if (!ssl3_new(s)) 192 if (!ssl3_new(s))
193 return (0); 193 return (0);
194 s->method->ssl_clear(s); 194 s->method->internal->ssl_clear(s);
195 return (1); 195 return (1);
196} 196}
197 197
@@ -209,7 +209,7 @@ void
209tls1_clear(SSL *s) 209tls1_clear(SSL *s)
210{ 210{
211 ssl3_clear(s); 211 ssl3_clear(s);
212 s->version = s->method->version; 212 s->version = s->method->internal->version;
213} 213}
214 214
215 215
diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c
index 521839184c..51c129b2c9 100644
--- a/src/lib/libssl/t1_meth.c
+++ b/src/lib/libssl/t1_meth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_meth.c,v 1.20 2017/01/23 10:22:06 jsing Exp $ */ 1/* $OpenBSD: t1_meth.c,v 1.21 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -64,7 +64,7 @@
64 64
65static const SSL_METHOD *tls1_get_method(int ver); 65static const SSL_METHOD *tls1_get_method(int ver);
66 66
67static const SSL_METHOD TLS_method_data = { 67static const SSL_METHOD_INTERNAL TLS_method_internal_data = {
68 .version = TLS1_2_VERSION, 68 .version = TLS1_2_VERSION,
69 .min_version = TLS1_VERSION, 69 .min_version = TLS1_VERSION,
70 .max_version = TLS1_2_VERSION, 70 .max_version = TLS1_2_VERSION,
@@ -77,24 +77,28 @@ static const SSL_METHOD TLS_method_data = {
77 .ssl_peek = ssl23_peek, 77 .ssl_peek = ssl23_peek,
78 .ssl_write = ssl23_write, 78 .ssl_write = ssl23_write,
79 .ssl_shutdown = ssl_undefined_function, 79 .ssl_shutdown = ssl_undefined_function,
80 .ssl_pending = ssl_undefined_const_function,
81 .get_ssl_method = tls1_get_method,
82 .get_timeout = ssl23_default_timeout,
83 .ssl_version = ssl_undefined_void_function,
80 .ssl_renegotiate = ssl_undefined_function, 84 .ssl_renegotiate = ssl_undefined_function,
81 .ssl_renegotiate_check = ssl_ok, 85 .ssl_renegotiate_check = ssl_ok,
82 .ssl_get_message = ssl3_get_message, 86 .ssl_get_message = ssl3_get_message,
83 .ssl_read_bytes = ssl3_read_bytes, 87 .ssl_read_bytes = ssl3_read_bytes,
84 .ssl_write_bytes = ssl3_write_bytes, 88 .ssl_write_bytes = ssl3_write_bytes,
89 .ssl3_enc = &ssl3_undef_enc_method,
90};
91
92static const SSL_METHOD TLS_method_data = {
85 .ssl_dispatch_alert = ssl3_dispatch_alert, 93 .ssl_dispatch_alert = ssl3_dispatch_alert,
86 .get_cipher_by_char = ssl3_get_cipher_by_char,
87 .put_cipher_by_char = ssl3_put_cipher_by_char,
88 .ssl_pending = ssl_undefined_const_function,
89 .num_ciphers = ssl3_num_ciphers, 94 .num_ciphers = ssl3_num_ciphers,
90 .get_cipher = ssl3_get_cipher, 95 .get_cipher = ssl3_get_cipher,
91 .get_ssl_method = tls1_get_method, 96 .get_cipher_by_char = ssl3_get_cipher_by_char,
92 .get_timeout = ssl23_default_timeout, 97 .put_cipher_by_char = ssl3_put_cipher_by_char,
93 .ssl3_enc = &ssl3_undef_enc_method, 98 .internal = &TLS_method_internal_data,
94 .ssl_version = ssl_undefined_void_function,
95}; 99};
96 100
97static const SSL_METHOD TLSv1_method_data = { 101static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = {
98 .version = TLS1_VERSION, 102 .version = TLS1_VERSION,
99 .min_version = TLS1_VERSION, 103 .min_version = TLS1_VERSION,
100 .max_version = TLS1_VERSION, 104 .max_version = TLS1_VERSION,
@@ -107,24 +111,28 @@ static const SSL_METHOD TLSv1_method_data = {
107 .ssl_peek = ssl3_peek, 111 .ssl_peek = ssl3_peek,
108 .ssl_write = ssl3_write, 112 .ssl_write = ssl3_write,
109 .ssl_shutdown = ssl3_shutdown, 113 .ssl_shutdown = ssl3_shutdown,
114 .ssl_pending = ssl3_pending,
115 .get_ssl_method = tls1_get_method,
116 .get_timeout = tls1_default_timeout,
117 .ssl_version = ssl_undefined_void_function,
110 .ssl_renegotiate = ssl3_renegotiate, 118 .ssl_renegotiate = ssl3_renegotiate,
111 .ssl_renegotiate_check = ssl3_renegotiate_check, 119 .ssl_renegotiate_check = ssl3_renegotiate_check,
112 .ssl_get_message = ssl3_get_message, 120 .ssl_get_message = ssl3_get_message,
113 .ssl_read_bytes = ssl3_read_bytes, 121 .ssl_read_bytes = ssl3_read_bytes,
114 .ssl_write_bytes = ssl3_write_bytes, 122 .ssl_write_bytes = ssl3_write_bytes,
123 .ssl3_enc = &TLSv1_enc_data,
124};
125
126static const SSL_METHOD TLSv1_method_data = {
115 .ssl_dispatch_alert = ssl3_dispatch_alert, 127 .ssl_dispatch_alert = ssl3_dispatch_alert,
116 .get_cipher_by_char = ssl3_get_cipher_by_char,
117 .put_cipher_by_char = ssl3_put_cipher_by_char,
118 .ssl_pending = ssl3_pending,
119 .num_ciphers = ssl3_num_ciphers, 128 .num_ciphers = ssl3_num_ciphers,
120 .get_cipher = ssl3_get_cipher, 129 .get_cipher = ssl3_get_cipher,
121 .get_ssl_method = tls1_get_method, 130 .get_cipher_by_char = ssl3_get_cipher_by_char,
122 .get_timeout = tls1_default_timeout, 131 .put_cipher_by_char = ssl3_put_cipher_by_char,
123 .ssl3_enc = &TLSv1_enc_data, 132 .internal = &TLSv1_method_internal_data,
124 .ssl_version = ssl_undefined_void_function,
125}; 133};
126 134
127static const SSL_METHOD TLSv1_1_method_data = { 135static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = {
128 .version = TLS1_1_VERSION, 136 .version = TLS1_1_VERSION,
129 .min_version = TLS1_1_VERSION, 137 .min_version = TLS1_1_VERSION,
130 .max_version = TLS1_1_VERSION, 138 .max_version = TLS1_1_VERSION,
@@ -137,24 +145,28 @@ static const SSL_METHOD TLSv1_1_method_data = {
137 .ssl_peek = ssl3_peek, 145 .ssl_peek = ssl3_peek,
138 .ssl_write = ssl3_write, 146 .ssl_write = ssl3_write,
139 .ssl_shutdown = ssl3_shutdown, 147 .ssl_shutdown = ssl3_shutdown,
148 .ssl_pending = ssl3_pending,
149 .get_ssl_method = tls1_get_method,
150 .get_timeout = tls1_default_timeout,
151 .ssl_version = ssl_undefined_void_function,
140 .ssl_renegotiate = ssl3_renegotiate, 152 .ssl_renegotiate = ssl3_renegotiate,
141 .ssl_renegotiate_check = ssl3_renegotiate_check, 153 .ssl_renegotiate_check = ssl3_renegotiate_check,
142 .ssl_get_message = ssl3_get_message, 154 .ssl_get_message = ssl3_get_message,
143 .ssl_read_bytes = ssl3_read_bytes, 155 .ssl_read_bytes = ssl3_read_bytes,
144 .ssl_write_bytes = ssl3_write_bytes, 156 .ssl_write_bytes = ssl3_write_bytes,
157 .ssl3_enc = &TLSv1_1_enc_data,
158};
159
160static const SSL_METHOD TLSv1_1_method_data = {
145 .ssl_dispatch_alert = ssl3_dispatch_alert, 161 .ssl_dispatch_alert = ssl3_dispatch_alert,
146 .get_cipher_by_char = ssl3_get_cipher_by_char,
147 .put_cipher_by_char = ssl3_put_cipher_by_char,
148 .ssl_pending = ssl3_pending,
149 .num_ciphers = ssl3_num_ciphers, 162 .num_ciphers = ssl3_num_ciphers,
150 .get_cipher = ssl3_get_cipher, 163 .get_cipher = ssl3_get_cipher,
151 .get_ssl_method = tls1_get_method, 164 .get_cipher_by_char = ssl3_get_cipher_by_char,
152 .get_timeout = tls1_default_timeout, 165 .put_cipher_by_char = ssl3_put_cipher_by_char,
153 .ssl3_enc = &TLSv1_1_enc_data, 166 .internal = &TLSv1_1_method_internal_data,
154 .ssl_version = ssl_undefined_void_function,
155}; 167};
156 168
157static const SSL_METHOD TLSv1_2_method_data = { 169static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = {
158 .version = TLS1_2_VERSION, 170 .version = TLS1_2_VERSION,
159 .min_version = TLS1_2_VERSION, 171 .min_version = TLS1_2_VERSION,
160 .max_version = TLS1_2_VERSION, 172 .max_version = TLS1_2_VERSION,
@@ -167,21 +179,25 @@ static const SSL_METHOD TLSv1_2_method_data = {
167 .ssl_peek = ssl3_peek, 179 .ssl_peek = ssl3_peek,
168 .ssl_write = ssl3_write, 180 .ssl_write = ssl3_write,
169 .ssl_shutdown = ssl3_shutdown, 181 .ssl_shutdown = ssl3_shutdown,
182 .ssl_pending = ssl3_pending,
183 .get_ssl_method = tls1_get_method,
184 .get_timeout = tls1_default_timeout,
185 .ssl_version = ssl_undefined_void_function,
170 .ssl_renegotiate = ssl3_renegotiate, 186 .ssl_renegotiate = ssl3_renegotiate,
171 .ssl_renegotiate_check = ssl3_renegotiate_check, 187 .ssl_renegotiate_check = ssl3_renegotiate_check,
172 .ssl_get_message = ssl3_get_message, 188 .ssl_get_message = ssl3_get_message,
173 .ssl_read_bytes = ssl3_read_bytes, 189 .ssl_read_bytes = ssl3_read_bytes,
174 .ssl_write_bytes = ssl3_write_bytes, 190 .ssl_write_bytes = ssl3_write_bytes,
191 .ssl3_enc = &TLSv1_2_enc_data,
192};
193
194static const SSL_METHOD TLSv1_2_method_data = {
175 .ssl_dispatch_alert = ssl3_dispatch_alert, 195 .ssl_dispatch_alert = ssl3_dispatch_alert,
176 .get_cipher_by_char = ssl3_get_cipher_by_char,
177 .put_cipher_by_char = ssl3_put_cipher_by_char,
178 .ssl_pending = ssl3_pending,
179 .num_ciphers = ssl3_num_ciphers, 196 .num_ciphers = ssl3_num_ciphers,
180 .get_cipher = ssl3_get_cipher, 197 .get_cipher = ssl3_get_cipher,
181 .get_ssl_method = tls1_get_method, 198 .get_cipher_by_char = ssl3_get_cipher_by_char,
182 .get_timeout = tls1_default_timeout, 199 .put_cipher_by_char = ssl3_put_cipher_by_char,
183 .ssl3_enc = &TLSv1_2_enc_data, 200 .internal = &TLSv1_2_method_internal_data,
184 .ssl_version = ssl_undefined_void_function,
185}; 201};
186 202
187static const SSL_METHOD * 203static const SSL_METHOD *
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
index e0b247441a..3083ed65a4 100644
--- a/src/lib/libssl/t1_srvr.c
+++ b/src/lib/libssl/t1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_srvr.c,v 1.22 2017/01/23 10:22:06 jsing Exp $ */ 1/* $OpenBSD: t1_srvr.c,v 1.23 2017/01/23 13:36:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -67,7 +67,7 @@
67 67
68static const SSL_METHOD *tls1_get_server_method(int ver); 68static const SSL_METHOD *tls1_get_server_method(int ver);
69 69
70static const SSL_METHOD TLS_server_method_data = { 70static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = {
71 .version = TLS1_2_VERSION, 71 .version = TLS1_2_VERSION,
72 .min_version = TLS1_VERSION, 72 .min_version = TLS1_VERSION,
73 .max_version = TLS1_2_VERSION, 73 .max_version = TLS1_2_VERSION,
@@ -80,24 +80,28 @@ static const SSL_METHOD TLS_server_method_data = {
80 .ssl_peek = ssl23_peek, 80 .ssl_peek = ssl23_peek,
81 .ssl_write = ssl23_write, 81 .ssl_write = ssl23_write,
82 .ssl_shutdown = ssl_undefined_function, 82 .ssl_shutdown = ssl_undefined_function,
83 .ssl_pending = ssl_undefined_const_function,
84 .get_ssl_method = tls1_get_server_method,
85 .get_timeout = ssl23_default_timeout,
86 .ssl_version = ssl_undefined_void_function,
83 .ssl_renegotiate = ssl_undefined_function, 87 .ssl_renegotiate = ssl_undefined_function,
84 .ssl_renegotiate_check = ssl_ok, 88 .ssl_renegotiate_check = ssl_ok,
85 .ssl_get_message = ssl3_get_message, 89 .ssl_get_message = ssl3_get_message,
86 .ssl_read_bytes = ssl3_read_bytes, 90 .ssl_read_bytes = ssl3_read_bytes,
87 .ssl_write_bytes = ssl3_write_bytes, 91 .ssl_write_bytes = ssl3_write_bytes,
92 .ssl3_enc = &ssl3_undef_enc_method,
93};
94
95static const SSL_METHOD TLS_server_method_data = {
88 .ssl_dispatch_alert = ssl3_dispatch_alert, 96 .ssl_dispatch_alert = ssl3_dispatch_alert,
89 .get_cipher_by_char = ssl3_get_cipher_by_char,
90 .put_cipher_by_char = ssl3_put_cipher_by_char,
91 .ssl_pending = ssl_undefined_const_function,
92 .num_ciphers = ssl3_num_ciphers, 97 .num_ciphers = ssl3_num_ciphers,
93 .get_cipher = ssl3_get_cipher, 98 .get_cipher = ssl3_get_cipher,
94 .get_ssl_method = tls1_get_server_method, 99 .get_cipher_by_char = ssl3_get_cipher_by_char,
95 .get_timeout = ssl23_default_timeout, 100 .put_cipher_by_char = ssl3_put_cipher_by_char,
96 .ssl3_enc = &ssl3_undef_enc_method, 101 .internal = &TLS_server_method_internal_data,
97 .ssl_version = ssl_undefined_void_function,
98}; 102};
99 103
100static const SSL_METHOD TLSv1_server_method_data = { 104static const SSL_METHOD_INTERNAL TLSv1_server_method_internal_data = {
101 .version = TLS1_VERSION, 105 .version = TLS1_VERSION,
102 .min_version = TLS1_VERSION, 106 .min_version = TLS1_VERSION,
103 .max_version = TLS1_VERSION, 107 .max_version = TLS1_VERSION,
@@ -110,24 +114,28 @@ static const SSL_METHOD TLSv1_server_method_data = {
110 .ssl_peek = ssl3_peek, 114 .ssl_peek = ssl3_peek,
111 .ssl_write = ssl3_write, 115 .ssl_write = ssl3_write,
112 .ssl_shutdown = ssl3_shutdown, 116 .ssl_shutdown = ssl3_shutdown,
117 .ssl_pending = ssl3_pending,
118 .get_ssl_method = tls1_get_server_method,
119 .get_timeout = tls1_default_timeout,
120 .ssl_version = ssl_undefined_void_function,
113 .ssl_renegotiate = ssl3_renegotiate, 121 .ssl_renegotiate = ssl3_renegotiate,
114 .ssl_renegotiate_check = ssl3_renegotiate_check, 122 .ssl_renegotiate_check = ssl3_renegotiate_check,
115 .ssl_get_message = ssl3_get_message, 123 .ssl_get_message = ssl3_get_message,
116 .ssl_read_bytes = ssl3_read_bytes, 124 .ssl_read_bytes = ssl3_read_bytes,
117 .ssl_write_bytes = ssl3_write_bytes, 125 .ssl_write_bytes = ssl3_write_bytes,
126 .ssl3_enc = &TLSv1_enc_data,
127};
128
129static const SSL_METHOD TLSv1_server_method_data = {
118 .ssl_dispatch_alert = ssl3_dispatch_alert, 130 .ssl_dispatch_alert = ssl3_dispatch_alert,
119 .get_cipher_by_char = ssl3_get_cipher_by_char,
120 .put_cipher_by_char = ssl3_put_cipher_by_char,
121 .ssl_pending = ssl3_pending,
122 .num_ciphers = ssl3_num_ciphers, 131 .num_ciphers = ssl3_num_ciphers,
123 .get_cipher = ssl3_get_cipher, 132 .get_cipher = ssl3_get_cipher,
124 .get_ssl_method = tls1_get_server_method, 133 .get_cipher_by_char = ssl3_get_cipher_by_char,
125 .get_timeout = tls1_default_timeout, 134 .put_cipher_by_char = ssl3_put_cipher_by_char,
126 .ssl3_enc = &TLSv1_enc_data, 135 .internal = &TLSv1_server_method_internal_data,
127 .ssl_version = ssl_undefined_void_function,
128}; 136};
129 137
130static const SSL_METHOD TLSv1_1_server_method_data = { 138static const SSL_METHOD_INTERNAL TLSv1_1_server_method_internal_data = {
131 .version = TLS1_1_VERSION, 139 .version = TLS1_1_VERSION,
132 .min_version = TLS1_1_VERSION, 140 .min_version = TLS1_1_VERSION,
133 .max_version = TLS1_1_VERSION, 141 .max_version = TLS1_1_VERSION,
@@ -140,24 +148,28 @@ static const SSL_METHOD TLSv1_1_server_method_data = {
140 .ssl_peek = ssl3_peek, 148 .ssl_peek = ssl3_peek,
141 .ssl_write = ssl3_write, 149 .ssl_write = ssl3_write,
142 .ssl_shutdown = ssl3_shutdown, 150 .ssl_shutdown = ssl3_shutdown,
151 .ssl_pending = ssl3_pending,
152 .get_ssl_method = tls1_get_server_method,
153 .get_timeout = tls1_default_timeout,
154 .ssl_version = ssl_undefined_void_function,
143 .ssl_renegotiate = ssl3_renegotiate, 155 .ssl_renegotiate = ssl3_renegotiate,
144 .ssl_renegotiate_check = ssl3_renegotiate_check, 156 .ssl_renegotiate_check = ssl3_renegotiate_check,
145 .ssl_get_message = ssl3_get_message, 157 .ssl_get_message = ssl3_get_message,
146 .ssl_read_bytes = ssl3_read_bytes, 158 .ssl_read_bytes = ssl3_read_bytes,
147 .ssl_write_bytes = ssl3_write_bytes, 159 .ssl_write_bytes = ssl3_write_bytes,
160 .ssl3_enc = &TLSv1_1_enc_data,
161};
162
163static const SSL_METHOD TLSv1_1_server_method_data = {
148 .ssl_dispatch_alert = ssl3_dispatch_alert, 164 .ssl_dispatch_alert = ssl3_dispatch_alert,
149 .get_cipher_by_char = ssl3_get_cipher_by_char,
150 .put_cipher_by_char = ssl3_put_cipher_by_char,
151 .ssl_pending = ssl3_pending,
152 .num_ciphers = ssl3_num_ciphers, 165 .num_ciphers = ssl3_num_ciphers,
153 .get_cipher = ssl3_get_cipher, 166 .get_cipher = ssl3_get_cipher,
154 .get_ssl_method = tls1_get_server_method, 167 .get_cipher_by_char = ssl3_get_cipher_by_char,
155 .get_timeout = tls1_default_timeout, 168 .put_cipher_by_char = ssl3_put_cipher_by_char,
156 .ssl3_enc = &TLSv1_1_enc_data, 169 .internal = &TLSv1_1_server_method_internal_data,
157 .ssl_version = ssl_undefined_void_function,
158}; 170};
159 171
160static const SSL_METHOD TLSv1_2_server_method_data = { 172static const SSL_METHOD_INTERNAL TLSv1_2_server_method_internal_data = {
161 .version = TLS1_2_VERSION, 173 .version = TLS1_2_VERSION,
162 .min_version = TLS1_2_VERSION, 174 .min_version = TLS1_2_VERSION,
163 .max_version = TLS1_2_VERSION, 175 .max_version = TLS1_2_VERSION,
@@ -170,21 +182,25 @@ static const SSL_METHOD TLSv1_2_server_method_data = {
170 .ssl_peek = ssl3_peek, 182 .ssl_peek = ssl3_peek,
171 .ssl_write = ssl3_write, 183 .ssl_write = ssl3_write,
172 .ssl_shutdown = ssl3_shutdown, 184 .ssl_shutdown = ssl3_shutdown,
185 .ssl_pending = ssl3_pending,
186 .get_ssl_method = tls1_get_server_method,
187 .get_timeout = tls1_default_timeout,
188 .ssl_version = ssl_undefined_void_function,
173 .ssl_renegotiate = ssl3_renegotiate, 189 .ssl_renegotiate = ssl3_renegotiate,
174 .ssl_renegotiate_check = ssl3_renegotiate_check, 190 .ssl_renegotiate_check = ssl3_renegotiate_check,
175 .ssl_get_message = ssl3_get_message, 191 .ssl_get_message = ssl3_get_message,
176 .ssl_read_bytes = ssl3_read_bytes, 192 .ssl_read_bytes = ssl3_read_bytes,
177 .ssl_write_bytes = ssl3_write_bytes, 193 .ssl_write_bytes = ssl3_write_bytes,
194 .ssl3_enc = &TLSv1_2_enc_data,
195};
196
197static const SSL_METHOD TLSv1_2_server_method_data = {
178 .ssl_dispatch_alert = ssl3_dispatch_alert, 198 .ssl_dispatch_alert = ssl3_dispatch_alert,
179 .get_cipher_by_char = ssl3_get_cipher_by_char,
180 .put_cipher_by_char = ssl3_put_cipher_by_char,
181 .ssl_pending = ssl3_pending,
182 .num_ciphers = ssl3_num_ciphers, 199 .num_ciphers = ssl3_num_ciphers,
183 .get_cipher = ssl3_get_cipher, 200 .get_cipher = ssl3_get_cipher,
184 .get_ssl_method = tls1_get_server_method, 201 .get_cipher_by_char = ssl3_get_cipher_by_char,
185 .get_timeout = tls1_default_timeout, 202 .put_cipher_by_char = ssl3_put_cipher_by_char,
186 .ssl3_enc = &TLSv1_2_enc_data, 203 .internal = &TLSv1_2_server_method_internal_data,
187 .ssl_version = ssl_undefined_void_function,
188}; 204};
189 205
190static const SSL_METHOD * 206static const SSL_METHOD *
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-25 05:07:05 +0000