diff options
| author | jsing <> | 2021-06-30 18:04:06 +0000 |
|---|---|---|
| committer | jsing <> | 2021-06-30 18:04:06 +0000 |
| commit | f10208a76db206460e96c8cf49a915d09538ab21 (patch) | |
| tree | faa7cc470a3bd4e999d41af306237c63acea368c /src | |
| parent | 3cdac1818a4ed4bf937ad8d44b26bdf7ab8fd4e4 (diff) | |
| download | openbsd-f10208a76db206460e96c8cf49a915d09538ab21.tar.gz openbsd-f10208a76db206460e96c8cf49a915d09538ab21.tar.bz2 openbsd-f10208a76db206460e96c8cf49a915d09538ab21.zip | |
Move some structs from public to private headers.
Move struct ssl_cipher_st, struct ssl_method_st, struct ssl_session_st and
struct ssl3_state_st from public to private headers. These are already
under #ifdef LIBRESSL_INTERNAL and are no longer publicly visible.
ok inoguchi@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl.h | 109 | ||||
| -rw-r--r-- | src/lib/libssl/ssl3.h | 17 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 107 |
3 files changed, 108 insertions, 125 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 4719a50c7e..4158d62cd8 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.194 2021/06/13 15:51:10 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.195 2021/06/30 18:04:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -377,113 +377,6 @@ typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, | |||
| 377 | typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, | 377 | typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, |
| 378 | STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); | 378 | STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); |
| 379 | 379 | ||
| 380 | #ifdef LIBRESSL_INTERNAL | ||
| 381 | |||
| 382 | /* used to hold info on the particular ciphers used */ | ||
| 383 | struct ssl_cipher_st { | ||
| 384 | int valid; | ||
| 385 | const char *name; /* text name */ | ||
| 386 | unsigned long id; /* id, 4 bytes, first is version */ | ||
| 387 | |||
| 388 | unsigned long algorithm_mkey; /* key exchange algorithm */ | ||
| 389 | unsigned long algorithm_auth; /* server authentication */ | ||
| 390 | unsigned long algorithm_enc; /* symmetric encryption */ | ||
| 391 | unsigned long algorithm_mac; /* symmetric authentication */ | ||
| 392 | unsigned long algorithm_ssl; /* (major) protocol version */ | ||
| 393 | |||
| 394 | unsigned long algo_strength; /* strength and export flags */ | ||
| 395 | unsigned long algorithm2; /* Extra flags */ | ||
| 396 | int strength_bits; /* Number of bits really used */ | ||
| 397 | int alg_bits; /* Number of bits for algorithm */ | ||
| 398 | }; | ||
| 399 | |||
| 400 | |||
| 401 | /* Used to hold functions for SSLv3/TLSv1 functions */ | ||
| 402 | struct ssl_method_internal_st; | ||
| 403 | |||
| 404 | struct ssl_method_st { | ||
| 405 | int (*ssl_dispatch_alert)(SSL *s); | ||
| 406 | int (*num_ciphers)(void); | ||
| 407 | const SSL_CIPHER *(*get_cipher)(unsigned int ncipher); | ||
| 408 | const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); | ||
| 409 | int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr); | ||
| 410 | |||
| 411 | const struct ssl_method_internal_st *internal; | ||
| 412 | }; | ||
| 413 | |||
| 414 | /* Lets make this into an ASN.1 type structure as follows | ||
| 415 | * SSL_SESSION_ID ::= SEQUENCE { | ||
| 416 | * version INTEGER, -- structure version number | ||
| 417 | * SSLversion INTEGER, -- SSL version number | ||
| 418 | * Cipher OCTET STRING, -- the 3 byte cipher ID | ||
| 419 | * Session_ID OCTET STRING, -- the Session ID | ||
| 420 | * Master_key OCTET STRING, -- the master key | ||
| 421 | * KRB5_principal OCTET STRING -- optional Kerberos principal | ||
| 422 | * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time | ||
| 423 | * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds | ||
| 424 | * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate | ||
| 425 | * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context | ||
| 426 | * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer' | ||
| 427 | * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension | ||
| 428 | * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint | ||
| 429 | * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity | ||
| 430 | * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket | ||
| 431 | * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only) | ||
| 432 | * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method | ||
| 433 | * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username | ||
| 434 | * } | ||
| 435 | * Look in ssl/ssl_asn1.c for more details | ||
| 436 | * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). | ||
| 437 | */ | ||
| 438 | struct ssl_session_internal_st; | ||
| 439 | |||
| 440 | struct ssl_session_st { | ||
| 441 | int ssl_version; /* what ssl version session info is | ||
| 442 | * being kept in here? */ | ||
| 443 | |||
| 444 | int master_key_length; | ||
| 445 | unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; | ||
| 446 | |||
| 447 | /* session_id - valid? */ | ||
| 448 | unsigned int session_id_length; | ||
| 449 | unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; | ||
| 450 | |||
| 451 | /* this is used to determine whether the session is being reused in | ||
| 452 | * the appropriate context. It is up to the application to set this, | ||
| 453 | * via SSL_new */ | ||
| 454 | unsigned int sid_ctx_length; | ||
| 455 | unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; | ||
| 456 | |||
| 457 | /* This is the cert for the other end. */ | ||
| 458 | X509 *peer; | ||
| 459 | |||
| 460 | /* when app_verify_callback accepts a session where the peer's certificate | ||
| 461 | * is not ok, we must remember the error for session reuse: */ | ||
| 462 | long verify_result; /* only for servers */ | ||
| 463 | |||
| 464 | long timeout; | ||
| 465 | time_t time; | ||
| 466 | int references; | ||
| 467 | |||
| 468 | const SSL_CIPHER *cipher; | ||
| 469 | unsigned long cipher_id; /* when ASN.1 loaded, this | ||
| 470 | * needs to be used to load | ||
| 471 | * the 'cipher' structure */ | ||
| 472 | |||
| 473 | STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ | ||
| 474 | |||
| 475 | char *tlsext_hostname; | ||
| 476 | |||
| 477 | /* RFC4507 info */ | ||
| 478 | unsigned char *tlsext_tick; /* Session ticket */ | ||
| 479 | size_t tlsext_ticklen; /* Session ticket length */ | ||
| 480 | long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ | ||
| 481 | |||
| 482 | struct ssl_session_internal_st *internal; | ||
| 483 | }; | ||
| 484 | |||
| 485 | #endif | ||
| 486 | |||
| 487 | /* Allow initial connection to servers that don't support RI */ | 380 | /* Allow initial connection to servers that don't support RI */ |
| 488 | #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L | 381 | #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L |
| 489 | 382 | ||
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h index 04c12bca9c..48ca208264 100644 --- a/src/lib/libssl/ssl3.h +++ b/src/lib/libssl/ssl3.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl3.h,v 1.54 2021/06/13 15:47:11 jsing Exp $ */ | 1 | /* $OpenBSD: ssl3.h,v 1.55 2021/06/30 18:04:06 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -357,21 +357,6 @@ typedef struct ssl3_buffer_st { | |||
| 357 | #define TLS1_FLAGS_FREEZE_TRANSCRIPT 0x0020 | 357 | #define TLS1_FLAGS_FREEZE_TRANSCRIPT 0x0020 |
| 358 | #define SSL3_FLAGS_CCS_OK 0x0080 | 358 | #define SSL3_FLAGS_CCS_OK 0x0080 |
| 359 | 359 | ||
| 360 | #ifdef LIBRESSL_INTERNAL | ||
| 361 | |||
| 362 | struct ssl3_state_internal_st; | ||
| 363 | |||
| 364 | typedef struct ssl3_state_st { | ||
| 365 | long flags; | ||
| 366 | |||
| 367 | unsigned char server_random[SSL3_RANDOM_SIZE]; | ||
| 368 | unsigned char client_random[SSL3_RANDOM_SIZE]; | ||
| 369 | |||
| 370 | struct ssl3_state_internal_st *internal; | ||
| 371 | } SSL3_STATE; | ||
| 372 | |||
| 373 | #endif | ||
| 374 | |||
| 375 | /* SSLv3 */ | 360 | /* SSLv3 */ |
| 376 | /*client */ | 361 | /*client */ |
| 377 | /* extra state */ | 362 | /* extra state */ |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 200219c141..10fa9b6c17 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.352 2021/06/27 19:23:51 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.353 2021/06/30 18:04:06 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -361,6 +361,23 @@ __BEGIN_HIDDEN_DECLS | |||
| 361 | #define EXPLICIT_CHAR2_CURVE_TYPE 2 | 361 | #define EXPLICIT_CHAR2_CURVE_TYPE 2 |
| 362 | #define NAMED_CURVE_TYPE 3 | 362 | #define NAMED_CURVE_TYPE 3 |
| 363 | 363 | ||
| 364 | struct ssl_cipher_st { | ||
| 365 | int valid; | ||
| 366 | const char *name; /* text name */ | ||
| 367 | unsigned long id; /* id, 4 bytes, first is version */ | ||
| 368 | |||
| 369 | unsigned long algorithm_mkey; /* key exchange algorithm */ | ||
| 370 | unsigned long algorithm_auth; /* server authentication */ | ||
| 371 | unsigned long algorithm_enc; /* symmetric encryption */ | ||
| 372 | unsigned long algorithm_mac; /* symmetric authentication */ | ||
| 373 | unsigned long algorithm_ssl; /* (major) protocol version */ | ||
| 374 | |||
| 375 | unsigned long algo_strength; /* strength and export flags */ | ||
| 376 | unsigned long algorithm2; /* Extra flags */ | ||
| 377 | int strength_bits; /* Number of bits really used */ | ||
| 378 | int alg_bits; /* Number of bits for algorithm */ | ||
| 379 | }; | ||
| 380 | |||
| 364 | typedef struct ssl_method_internal_st { | 381 | typedef struct ssl_method_internal_st { |
| 365 | int dtls; | 382 | int dtls; |
| 366 | int server; | 383 | int server; |
| @@ -388,6 +405,16 @@ typedef struct ssl_method_internal_st { | |||
| 388 | unsigned int enc_flags; /* SSL_ENC_FLAG_* */ | 405 | unsigned int enc_flags; /* SSL_ENC_FLAG_* */ |
| 389 | } SSL_METHOD_INTERNAL; | 406 | } SSL_METHOD_INTERNAL; |
| 390 | 407 | ||
| 408 | struct ssl_method_st { | ||
| 409 | int (*ssl_dispatch_alert)(SSL *s); | ||
| 410 | int (*num_ciphers)(void); | ||
| 411 | const SSL_CIPHER *(*get_cipher)(unsigned int ncipher); | ||
| 412 | const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); | ||
| 413 | int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr); | ||
| 414 | |||
| 415 | const struct ssl_method_internal_st *internal; | ||
| 416 | }; | ||
| 417 | |||
| 391 | typedef struct ssl_session_internal_st { | 418 | typedef struct ssl_session_internal_st { |
| 392 | CRYPTO_EX_DATA ex_data; /* application specific data */ | 419 | CRYPTO_EX_DATA ex_data; /* application specific data */ |
| 393 | 420 | ||
| @@ -410,6 +437,75 @@ typedef struct ssl_session_internal_st { | |||
| 410 | } SSL_SESSION_INTERNAL; | 437 | } SSL_SESSION_INTERNAL; |
| 411 | #define SSI(s) (s->session->internal) | 438 | #define SSI(s) (s->session->internal) |
| 412 | 439 | ||
| 440 | /* Lets make this into an ASN.1 type structure as follows | ||
| 441 | * SSL_SESSION_ID ::= SEQUENCE { | ||
| 442 | * version INTEGER, -- structure version number | ||
| 443 | * SSLversion INTEGER, -- SSL version number | ||
| 444 | * Cipher OCTET STRING, -- the 3 byte cipher ID | ||
| 445 | * Session_ID OCTET STRING, -- the Session ID | ||
| 446 | * Master_key OCTET STRING, -- the master key | ||
| 447 | * KRB5_principal OCTET STRING -- optional Kerberos principal | ||
| 448 | * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time | ||
| 449 | * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds | ||
| 450 | * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate | ||
| 451 | * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context | ||
| 452 | * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer' | ||
| 453 | * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension | ||
| 454 | * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint | ||
| 455 | * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity | ||
| 456 | * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket | ||
| 457 | * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only) | ||
| 458 | * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method | ||
| 459 | * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username | ||
| 460 | * } | ||
| 461 | * Look in ssl/ssl_asn1.c for more details | ||
| 462 | * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). | ||
| 463 | */ | ||
| 464 | struct ssl_session_st { | ||
| 465 | int ssl_version; /* what ssl version session info is | ||
| 466 | * being kept in here? */ | ||
| 467 | |||
| 468 | int master_key_length; | ||
| 469 | unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; | ||
| 470 | |||
| 471 | /* session_id - valid? */ | ||
| 472 | unsigned int session_id_length; | ||
| 473 | unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; | ||
| 474 | |||
| 475 | /* this is used to determine whether the session is being reused in | ||
| 476 | * the appropriate context. It is up to the application to set this, | ||
| 477 | * via SSL_new */ | ||
| 478 | unsigned int sid_ctx_length; | ||
| 479 | unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; | ||
| 480 | |||
| 481 | /* This is the cert for the other end. */ | ||
| 482 | X509 *peer; | ||
| 483 | |||
| 484 | /* when app_verify_callback accepts a session where the peer's certificate | ||
| 485 | * is not ok, we must remember the error for session reuse: */ | ||
| 486 | long verify_result; /* only for servers */ | ||
| 487 | |||
| 488 | long timeout; | ||
| 489 | time_t time; | ||
| 490 | int references; | ||
| 491 | |||
| 492 | const SSL_CIPHER *cipher; | ||
| 493 | unsigned long cipher_id; /* when ASN.1 loaded, this | ||
| 494 | * needs to be used to load | ||
| 495 | * the 'cipher' structure */ | ||
| 496 | |||
| 497 | STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ | ||
| 498 | |||
| 499 | char *tlsext_hostname; | ||
| 500 | |||
| 501 | /* RFC4507 info */ | ||
| 502 | unsigned char *tlsext_tick; /* Session ticket */ | ||
| 503 | size_t tlsext_ticklen; /* Session ticket length */ | ||
| 504 | long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ | ||
| 505 | |||
| 506 | struct ssl_session_internal_st *internal; | ||
| 507 | }; | ||
| 508 | |||
| 413 | typedef struct cert_pkey_st { | 509 | typedef struct cert_pkey_st { |
| 414 | X509 *x509; | 510 | X509 *x509; |
| 415 | EVP_PKEY *privatekey; | 511 | EVP_PKEY *privatekey; |
| @@ -985,6 +1081,15 @@ typedef struct ssl3_state_internal_st { | |||
| 985 | } SSL3_STATE_INTERNAL; | 1081 | } SSL3_STATE_INTERNAL; |
| 986 | #define S3I(s) (s->s3->internal) | 1082 | #define S3I(s) (s->s3->internal) |
| 987 | 1083 | ||
| 1084 | typedef struct ssl3_state_st { | ||
| 1085 | long flags; | ||
| 1086 | |||
| 1087 | unsigned char server_random[SSL3_RANDOM_SIZE]; | ||
| 1088 | unsigned char client_random[SSL3_RANDOM_SIZE]; | ||
| 1089 | |||
| 1090 | struct ssl3_state_internal_st *internal; | ||
| 1091 | } SSL3_STATE; | ||
| 1092 | |||
| 988 | typedef struct cert_st { | 1093 | typedef struct cert_st { |
| 989 | /* Current active set */ | 1094 | /* Current active set */ |
| 990 | CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array | 1095 | CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array |