8 files changed, 111 insertions, 29 deletions
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index 56c79f30aa..3bc1b42583 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.34 2016/11/04 18:33:11 guenther Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.35 2017/01/22 03:50:45 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -105,7 +105,12 @@ dtls1_new(SSL *s)
        if (!ssl3_new(s))
                return (0);
-        if ((d1 = calloc(1, sizeof *d1)) == NULL) {
+        if ((d1 = calloc(1, sizeof(*d1))) == NULL) {
+                ssl3_free(s);
+                return (0);
+        }
+        if ((d1->internal = calloc(1, sizeof(*d1->internal))) == NULL) {
+                free(d1);
                ssl3_free(s);
                return (0);
        }
@@ -199,14 +204,19 @@ dtls1_free(SSL *s)
        pqueue_free(s->d1->sent_messages);
        pqueue_free(s->d1->buffered_app_data.q);
-        explicit_bzero(s->d1, sizeof *s->d1);
+        explicit_bzero(s->d1->internal, sizeof(*s->d1->internal));
+        free(s->d1->internal);
+        explicit_bzero(s->d1, sizeof(*s->d1));
        free(s->d1);
        s->d1 = NULL;
 }
 void
 dtls1_clear(SSL *s)
 {
+        struct dtls1_state_internal_st *internal;
        pqueue unprocessed_rcds;
        pqueue processed_rcds;
        pqueue buffered_messages;
@@ -224,7 +234,10 @@ dtls1_clear(SSL *s)
                dtls1_clear_queues(s);
-                memset(s->d1, 0, sizeof(*(s->d1)));
+                memset(s->d1->internal, 0, sizeof(*s->d1->internal));
+                internal = s->d1->internal;
+                memset(s->d1, 0, sizeof(*s->d1));
+                s->d1->internal = internal;
                if (s->server) {
                        s->d1->cookie_len = sizeof(s->d1->cookie);
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h
index 8ec0bb8421..812b90592d 100644
--- a/src/lib/libssl/dtls1.h
+++ b/src/lib/libssl/dtls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.19 2016/12/30 15:10:57 jsing Exp $ */
+/* $OpenBSD: dtls1.h,v 1.20 2017/01/22 03:50:45 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -150,6 +150,8 @@ typedef struct hm_fragment_st {
        unsigned char *reassembly;
 } hm_fragment;
+struct dtls1_state_internal_st;
 typedef struct dtls1_state_st {
        unsigned int send_cookie;
        unsigned char cookie[DTLS1_COOKIE_LENGTH];
@@ -222,7 +224,7 @@ typedef struct dtls1_state_st {
        unsigned int retransmitting;
        unsigned int change_cipher_spec_ok;
+        struct dtls1_state_internal_st *internal;
 } DTLS1_STATE;
 typedef struct dtls1_record_data_st {
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 0dda987d4c..6f5ee4fa50 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.117 2017/01/22 00:09:13 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.118 2017/01/22 03:50:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1811,6 +1811,10 @@ ssl3_new(SSL *s)
 {
        if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
                return (0);
+        if ((s->s3->internal = calloc(1, sizeof(*s->s3->internal))) == NULL) {
+                free(s->s3);
+                return (0);
+        }
        s->method->ssl_clear(s);
@@ -1840,14 +1844,19 @@ ssl3_free(SSL *s)
        tls1_free_digest_list(s);
        free(s->s3->alpn_selected);
-        explicit_bzero(s->s3, sizeof *s->s3);
+        explicit_bzero(s->s3->internal, sizeof(*s->s3->internal));
+        free(s->s3->internal);
+        explicit_bzero(s->s3, sizeof(*s->s3));
        free(s->s3);
        s->s3 = NULL;
 }
 void
 ssl3_clear(SSL *s)
 {
+        struct ssl3_state_internal_st *internal;
        unsigned char   *rp, *wp;
        size_t           rlen, wlen;
@@ -1878,7 +1887,10 @@ ssl3_clear(SSL *s)
        free(s->s3->alpn_selected);
        s->s3->alpn_selected = NULL;
-        memset(s->s3, 0, sizeof *s->s3);
+        memset(s->s3->internal, 0, sizeof(*s->s3->internal));
+        internal = s->s3->internal;
+        memset(s->s3, 0, sizeof(*s->s3));
+        s->s3->internal = internal;
        s->s3->rbuf.buf = rp;
        s->s3->wbuf.buf = wp;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 37844bdeaa..e8ad9fb470 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.102 2016/12/30 17:20:51 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.103 2017/01/22 03:50:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -353,6 +353,7 @@ extern "C" {
 * 'struct ssl_st *' function parameters used to prototype callbacks
 * in SSL_CTX. */
 typedef struct ssl_st *ssl_crock_st;
 typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
 typedef struct ssl_method_st SSL_METHOD;
 typedef struct ssl_cipher_st SSL_CIPHER;
@@ -455,6 +456,8 @@ struct ssl_method_st {
 * Look in ssl/ssl_asn1.c for more details
 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
 */
+struct ssl_session_internal_st;
 struct ssl_session_st {
        int ssl_version;        /* what ssl version session info is
                                 * being kept in here? */
@@ -513,6 +516,8 @@ struct ssl_session_st {
        unsigned char *tlsext_tick;     /* Session ticket */
        size_t tlsext_ticklen;          /* Session ticket length */
        long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
+        struct ssl_session_internal_st *internal;
 };
 #endif
@@ -687,6 +692,8 @@ struct lhash_st_SSL_SESSION {
        int dummy;
 };
+struct ssl_ctx_internal_st;
 struct ssl_ctx_st {
        const SSL_METHOD *method;
@@ -885,6 +892,8 @@ struct ssl_ctx_st {
        /* SRTP profiles we are willing to do from RFC 5764 */
        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+        struct ssl_ctx_internal_st *internal;
 };
 #endif
@@ -997,6 +1006,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
 #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
 #ifndef OPENSSL_NO_SSL_INTERN
+struct ssl_internal_st;
 struct ssl_st {
        /* protocol version
@@ -1192,6 +1202,7 @@ struct ssl_st {
        void *tls_session_secret_cb_arg;
        SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
+#define session_ctx initial_ctx
        /* Next protocol negotiation. For the client, this is the protocol that
         * we sent in NextProtocol and is set when handling ServerHello
@@ -1203,8 +1214,6 @@ struct ssl_st {
        unsigned char *next_proto_negotiated;
        unsigned char next_proto_negotiated_len;
-#define session_ctx initial_ctx
        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;       /* What we'll do */
        SRTP_PROTECTION_PROFILE *srtp_profile;                  /* What's been chosen */
@@ -1224,6 +1233,7 @@ struct ssl_st {
                         * 2 if we are a server and are inside a handshake
                         * (i.e. not just sending a HelloRequest) */
+        struct ssl_internal_st *internal;
 };
 #endif
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index c52c0a780e..6344176105 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.43 2016/12/30 15:10:57 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.44 2017/01/22 03:50:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -359,6 +359,8 @@ typedef struct ssl3_buffer_st {
 #ifndef OPENSSL_NO_SSL_INTERN
+struct ssl3_state_internal_st;
 typedef struct ssl3_state_st {
        long flags;
        int delay_buf_pop_ret;
@@ -489,6 +491,8 @@ typedef struct ssl3_state_st {
         */
        unsigned char *alpn_selected;
        unsigned int alpn_selected_len;
+        struct ssl3_state_internal_st *internal;
 } SSL3_STATE;
 #endif
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 7eb192eb2c..d9e5166cdd 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.125 2017/01/21 04:16:49 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.126 2017/01/22 03:50:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -274,10 +274,15 @@ SSL_new(SSL_CTX *ctx)
                return (NULL);
        }
-        s = calloc(1, sizeof(SSL));
+        if ((s = calloc(1, sizeof(*s))) == NULL) {
-        if (s == NULL)
+                SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
-                goto err;
+                return (NULL);
+        }
+        if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) {
+                free(s);
+                SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
+                return (NULL);
+        }
        s->options = ctx->options;
        s->mode = ctx->mode;
@@ -361,7 +366,7 @@ SSL_new(SSL_CTX *ctx)
        return (s);
-err:
+ err:
        SSL_free(s);
        SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
        return (NULL);
@@ -549,7 +554,6 @@ SSL_free(SSL *s)
        SSL_CTX_free(s->ctx);
        free(s->next_proto_negotiated);
        free(s->alpn_client_proto_list);
@@ -558,6 +562,7 @@ SSL_free(SSL *s)
                sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
 #endif
+        free(s->internal);
        free(s);
 }
@@ -1792,21 +1797,28 @@ ssl_session_LHASH_COMP(const void *arg1, const void *arg2)
 SSL_CTX *
 SSL_CTX_new(const SSL_METHOD *meth)
 {
-        SSL_CTX *ret = NULL;
+        SSL_CTX *ret;
        if (meth == NULL) {
                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED);
                return (NULL);
        }
+        if ((ret = calloc(1, sizeof(*ret))) == NULL) {
+                SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+                return (NULL);
+        }
+        if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL) {
+                free(ret);
+                SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+                return (NULL);
+        }
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
                SSLerr(SSL_F_SSL_CTX_NEW,
                    SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
                goto err;
        }
-        ret = calloc(1, sizeof(SSL_CTX));
-        if (ret == NULL)
-                goto err;
        ret->method = meth;
@@ -1993,6 +2005,7 @@ SSL_CTX_free(SSL_CTX *a)
        free(a->alpn_client_proto_list);
+        free(a->internal);
        free(a);
 }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 5748875092..50f527aad5 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.145 2017/01/21 04:18:18 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.146 2017/01/22 03:50:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -372,6 +372,26 @@ __BEGIN_HIDDEN_DECLS
 #define EXPLICIT_CHAR2_CURVE_TYPE  2
 #define NAMED_CURVE_TYPE           3
+typedef struct ssl_session_internal_st {
+} SSL_SESSION_INTERNAL;
+typedef struct ssl_ctx_internal_st {
+} SSL_CTX_INTERNAL;
+typedef struct ssl_internal_st {
+} SSL_INTERNAL;
+typedef struct ssl3_state_internal_st {
+} SSL3_STATE_INTERNAL;
+typedef struct dtls1_state_internal_st {
+} DTLS1_STATE_INTERNAL;
 typedef struct cert_pkey_st {
        X509 *x509;
        EVP_PKEY *privatekey;
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index f6e2642aeb..0970633a86 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.53 2016/11/02 11:21:05 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.54 2017/01/22 03:50:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -199,10 +199,14 @@ SSL_SESSION_new(void)
 {
        SSL_SESSION *ss;
-        ss = calloc(1, sizeof(SSL_SESSION));
+        if ((ss = calloc(1, sizeof(*ss))) == NULL) {
-        if (ss == NULL) {
                SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
-                return (0);
+                return (NULL);
+        }
+        if ((ss->internal = calloc(1, sizeof(*ss->internal))) == NULL) {
+                free(ss);
+                SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
+                return (NULL);
        }
        ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
@@ -706,6 +710,10 @@ SSL_SESSION_free(SSL_SESSION *ss)
        free(ss->tlsext_ecpointformatlist);
        ss->tlsext_ellipticcurvelist_length = 0;
        free(ss->tlsext_ellipticcurvelist);
+        explicit_bzero(ss->internal, sizeof(*ss->internal));
+        free(ss->internal);
        explicit_bzero(ss, sizeof(*ss));
        free(ss);
 }

diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c index 56c79f30aa..3bc1b42583 100644 --- a/src/lib/libssl/d1_lib.c +++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_lib.c,v 1.34 2016/11/04 18:33:11 guenther Exp $ */	1	/* $OpenBSD: d1_lib.c,v 1.35 2017/01/22 03:50:45 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -105,7 +105,12 @@ dtls1_new(SSL *s)
105		105
106	if (!ssl3_new(s))	106	if (!ssl3_new(s))
107	return (0);	107	return (0);
108	if ((d1 = calloc(1, sizeof *d1)) == NULL) {	108	if ((d1 = calloc(1, sizeof(*d1))) == NULL) {
		109	ssl3_free(s);
		110	return (0);
		111	}
		112	if ((d1->internal = calloc(1, sizeof(*d1->internal))) == NULL) {
		113	free(d1);
109	ssl3_free(s);	114	ssl3_free(s);
110	return (0);	115	return (0);
111	}	116	}
@@ -199,14 +204,19 @@ dtls1_free(SSL *s)
199	pqueue_free(s->d1->sent_messages);	204	pqueue_free(s->d1->sent_messages);
200	pqueue_free(s->d1->buffered_app_data.q);	205	pqueue_free(s->d1->buffered_app_data.q);
201		206
202	explicit_bzero(s->d1, sizeof *s->d1);	207	explicit_bzero(s->d1->internal, sizeof(*s->d1->internal));
		208	free(s->d1->internal);
		209
		210	explicit_bzero(s->d1, sizeof(*s->d1));
203	free(s->d1);	211	free(s->d1);
		212
204	s->d1 = NULL;	213	s->d1 = NULL;
205	}	214	}
206		215
207	void	216	void
208	dtls1_clear(SSL *s)	217	dtls1_clear(SSL *s)
209	{	218	{
		219	struct dtls1_state_internal_st *internal;
210	pqueue unprocessed_rcds;	220	pqueue unprocessed_rcds;
211	pqueue processed_rcds;	221	pqueue processed_rcds;
212	pqueue buffered_messages;	222	pqueue buffered_messages;
@@ -224,7 +234,10 @@ dtls1_clear(SSL *s)
224		234
225	dtls1_clear_queues(s);	235	dtls1_clear_queues(s);
226		236
227	memset(s->d1, 0, sizeof(*(s->d1)));	237	memset(s->d1->internal, 0, sizeof(*s->d1->internal));
		238	internal = s->d1->internal;
		239	memset(s->d1, 0, sizeof(*s->d1));
		240	s->d1->internal = internal;
228		241
229	if (s->server) {	242	if (s->server) {
230	s->d1->cookie_len = sizeof(s->d1->cookie);	243	s->d1->cookie_len = sizeof(s->d1->cookie);


diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h index 8ec0bb8421..812b90592d 100644 --- a/src/lib/libssl/dtls1.h +++ b/src/lib/libssl/dtls1.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: dtls1.h,v 1.19 2016/12/30 15:10:57 jsing Exp $ */	1	/* $OpenBSD: dtls1.h,v 1.20 2017/01/22 03:50:45 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -150,6 +150,8 @@ typedef struct hm_fragment_st {
150	unsigned char *reassembly;	150	unsigned char *reassembly;
151	} hm_fragment;	151	} hm_fragment;
152		152
		153	struct dtls1_state_internal_st;
		154
153	typedef struct dtls1_state_st {	155	typedef struct dtls1_state_st {
154	unsigned int send_cookie;	156	unsigned int send_cookie;
155	unsigned char cookie[DTLS1_COOKIE_LENGTH];	157	unsigned char cookie[DTLS1_COOKIE_LENGTH];
@@ -222,7 +224,7 @@ typedef struct dtls1_state_st {
222	unsigned int retransmitting;	224	unsigned int retransmitting;
223	unsigned int change_cipher_spec_ok;	225	unsigned int change_cipher_spec_ok;
224		226
225		227	struct dtls1_state_internal_st *internal;
226	} DTLS1_STATE;	228	} DTLS1_STATE;
227		229
228	typedef struct dtls1_record_data_st {	230	typedef struct dtls1_record_data_st {


diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 0dda987d4c..6f5ee4fa50 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.117 2017/01/22 00:09:13 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.118 2017/01/22 03:50:45 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1811,6 +1811,10 @@ ssl3_new(SSL *s)
1811	{	1811	{
1812	if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)	1812	if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1813	return (0);	1813	return (0);
		1814	if ((s->s3->internal = calloc(1, sizeof(*s->s3->internal))) == NULL) {
		1815	free(s->s3);
		1816	return (0);
		1817	}
1814		1818
1815	s->method->ssl_clear(s);	1819	s->method->ssl_clear(s);
1816		1820
@@ -1840,14 +1844,19 @@ ssl3_free(SSL *s)
1840	tls1_free_digest_list(s);	1844	tls1_free_digest_list(s);
1841	free(s->s3->alpn_selected);	1845	free(s->s3->alpn_selected);
1842		1846
1843	explicit_bzero(s->s3, sizeof *s->s3);	1847	explicit_bzero(s->s3->internal, sizeof(*s->s3->internal));
		1848	free(s->s3->internal);
		1849
		1850	explicit_bzero(s->s3, sizeof(*s->s3));
1844	free(s->s3);	1851	free(s->s3);
		1852
1845	s->s3 = NULL;	1853	s->s3 = NULL;
1846	}	1854	}
1847		1855
1848	void	1856	void
1849	ssl3_clear(SSL *s)	1857	ssl3_clear(SSL *s)
1850	{	1858	{
		1859	struct ssl3_state_internal_st *internal;
1851	unsigned char rp, wp;	1860	unsigned char rp, wp;
1852	size_t rlen, wlen;	1861	size_t rlen, wlen;
1853		1862
@@ -1878,7 +1887,10 @@ ssl3_clear(SSL *s)
1878	free(s->s3->alpn_selected);	1887	free(s->s3->alpn_selected);
1879	s->s3->alpn_selected = NULL;	1888	s->s3->alpn_selected = NULL;
1880		1889
1881	memset(s->s3, 0, sizeof *s->s3);	1890	memset(s->s3->internal, 0, sizeof(*s->s3->internal));
		1891	internal = s->s3->internal;
		1892	memset(s->s3, 0, sizeof(*s->s3));
		1893	s->s3->internal = internal;
1882		1894
1883	s->s3->rbuf.buf = rp;	1895	s->s3->rbuf.buf = rp;
1884	s->s3->wbuf.buf = wp;	1896	s->s3->wbuf.buf = wp;


diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 37844bdeaa..e8ad9fb470 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.102 2016/12/30 17:20:51 jsing Exp $ */	1	/* $OpenBSD: ssl.h,v 1.103 2017/01/22 03:50:45 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -353,6 +353,7 @@ extern "C" {
353	* 'struct ssl_st *' function parameters used to prototype callbacks	353	* 'struct ssl_st *' function parameters used to prototype callbacks
354	* in SSL_CTX. */	354	* in SSL_CTX. */
355	typedef struct ssl_st *ssl_crock_st;	355	typedef struct ssl_st *ssl_crock_st;
		356
356	typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;	357	typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
357	typedef struct ssl_method_st SSL_METHOD;	358	typedef struct ssl_method_st SSL_METHOD;
358	typedef struct ssl_cipher_st SSL_CIPHER;	359	typedef struct ssl_cipher_st SSL_CIPHER;
@@ -455,6 +456,8 @@ struct ssl_method_st {
455	* Look in ssl/ssl_asn1.c for more details	456	* Look in ssl/ssl_asn1.c for more details
456	* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).	457	* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
457	*/	458	*/
		459	struct ssl_session_internal_st;
		460
458	struct ssl_session_st {	461	struct ssl_session_st {
459	int ssl_version; /* what ssl version session info is	462	int ssl_version; /* what ssl version session info is
460	* being kept in here? */	463	* being kept in here? */
@@ -513,6 +516,8 @@ struct ssl_session_st {
513	unsigned char tlsext_tick; / Session ticket */	516	unsigned char tlsext_tick; / Session ticket */
514	size_t tlsext_ticklen; /* Session ticket length */	517	size_t tlsext_ticklen; /* Session ticket length */
515	long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */	518	long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
		519
		520	struct ssl_session_internal_st *internal;
516	};	521	};
517		522
518	#endif	523	#endif
@@ -687,6 +692,8 @@ struct lhash_st_SSL_SESSION {
687	int dummy;	692	int dummy;
688	};	693	};
689		694
		695	struct ssl_ctx_internal_st;
		696
690	struct ssl_ctx_st {	697	struct ssl_ctx_st {
691	const SSL_METHOD *method;	698	const SSL_METHOD *method;
692		699
@@ -885,6 +892,8 @@ struct ssl_ctx_st {
885		892
886	/* SRTP profiles we are willing to do from RFC 5764 */	893	/* SRTP profiles we are willing to do from RFC 5764 */
887	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;	894	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
		895
		896	struct ssl_ctx_internal_st *internal;
888	};	897	};
889		898
890	#endif	899	#endif
@@ -997,6 +1006,7 @@ void SSL_get0_alpn_selected(const SSL ssl, const unsigned char *data,
997	#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2	1006	#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
998		1007
999	#ifndef OPENSSL_NO_SSL_INTERN	1008	#ifndef OPENSSL_NO_SSL_INTERN
		1009	struct ssl_internal_st;
1000		1010
1001	struct ssl_st {	1011	struct ssl_st {
1002	/* protocol version	1012	/* protocol version
@@ -1192,6 +1202,7 @@ struct ssl_st {
1192	void *tls_session_secret_cb_arg;	1202	void *tls_session_secret_cb_arg;
1193		1203
1194	SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */	1204	SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
		1205	#define session_ctx initial_ctx
1195		1206
1196	/* Next protocol negotiation. For the client, this is the protocol that	1207	/* Next protocol negotiation. For the client, this is the protocol that
1197	* we sent in NextProtocol and is set when handling ServerHello	1208	* we sent in NextProtocol and is set when handling ServerHello
@@ -1203,8 +1214,6 @@ struct ssl_st {
1203	unsigned char *next_proto_negotiated;	1214	unsigned char *next_proto_negotiated;
1204	unsigned char next_proto_negotiated_len;	1215	unsigned char next_proto_negotiated_len;
1205		1216
1206	#define session_ctx initial_ctx
1207
1208	STACK_OF(SRTP_PROTECTION_PROFILE) srtp_profiles; / What we'll do */	1217	STACK_OF(SRTP_PROTECTION_PROFILE) srtp_profiles; / What we'll do */
1209	SRTP_PROTECTION_PROFILE srtp_profile; / What's been chosen */	1218	SRTP_PROTECTION_PROFILE srtp_profile; / What's been chosen */
1210		1219
@@ -1224,6 +1233,7 @@ struct ssl_st {
1224	* 2 if we are a server and are inside a handshake	1233	* 2 if we are a server and are inside a handshake
1225	* (i.e. not just sending a HelloRequest) */	1234	* (i.e. not just sending a HelloRequest) */
1226		1235
		1236	struct ssl_internal_st *internal;
1227	};	1237	};
1228		1238
1229	#endif	1239	#endif


diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h index c52c0a780e..6344176105 100644 --- a/src/lib/libssl/ssl3.h +++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl3.h,v 1.43 2016/12/30 15:10:57 jsing Exp $ */	1	/* $OpenBSD: ssl3.h,v 1.44 2017/01/22 03:50:45 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -359,6 +359,8 @@ typedef struct ssl3_buffer_st {
359		359
360	#ifndef OPENSSL_NO_SSL_INTERN	360	#ifndef OPENSSL_NO_SSL_INTERN
361		361
		362	struct ssl3_state_internal_st;
		363
362	typedef struct ssl3_state_st {	364	typedef struct ssl3_state_st {
363	long flags;	365	long flags;
364	int delay_buf_pop_ret;	366	int delay_buf_pop_ret;
@@ -489,6 +491,8 @@ typedef struct ssl3_state_st {
489	*/	491	*/
490	unsigned char *alpn_selected;	492	unsigned char *alpn_selected;
491	unsigned int alpn_selected_len;	493	unsigned int alpn_selected_len;
		494
		495	struct ssl3_state_internal_st *internal;
492	} SSL3_STATE;	496	} SSL3_STATE;
493		497
494	#endif	498	#endif


diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 7eb192eb2c..d9e5166cdd 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.125 2017/01/21 04:16:49 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.126 2017/01/22 03:50:45 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -274,10 +274,15 @@ SSL_new(SSL_CTX *ctx)
274	return (NULL);	274	return (NULL);
275	}	275	}
276		276
277	s = calloc(1, sizeof(SSL));	277	if ((s = calloc(1, sizeof(*s))) == NULL) {
278	if (s == NULL)	278	SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
279	goto err;	279	return (NULL);
280		280	}
		281	if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) {
		282	free(s);
		283	SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
		284	return (NULL);
		285	}
281		286
282	s->options = ctx->options;	287	s->options = ctx->options;
283	s->mode = ctx->mode;	288	s->mode = ctx->mode;
@@ -361,7 +366,7 @@ SSL_new(SSL_CTX *ctx)
361		366
362	return (s);	367	return (s);
363		368
364	err:	369	err:
365	SSL_free(s);	370	SSL_free(s);
366	SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);	371	SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
367	return (NULL);	372	return (NULL);
@@ -549,7 +554,6 @@ SSL_free(SSL *s)
549		554
550	SSL_CTX_free(s->ctx);	555	SSL_CTX_free(s->ctx);
551		556
552
553	free(s->next_proto_negotiated);	557	free(s->next_proto_negotiated);
554	free(s->alpn_client_proto_list);	558	free(s->alpn_client_proto_list);
555		559
@@ -558,6 +562,7 @@ SSL_free(SSL *s)
558	sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);	562	sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
559	#endif	563	#endif
560		564
		565	free(s->internal);
561	free(s);	566	free(s);
562	}	567	}
563		568
@@ -1792,21 +1797,28 @@ ssl_session_LHASH_COMP(const void arg1, const void arg2)
1792	SSL_CTX *	1797	SSL_CTX *
1793	SSL_CTX_new(const SSL_METHOD *meth)	1798	SSL_CTX_new(const SSL_METHOD *meth)
1794	{	1799	{
1795	SSL_CTX *ret = NULL;	1800	SSL_CTX *ret;
1796		1801
1797	if (meth == NULL) {	1802	if (meth == NULL) {
1798	SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED);	1803	SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED);
1799	return (NULL);	1804	return (NULL);
1800	}	1805	}
1801		1806
		1807	if ((ret = calloc(1, sizeof(*ret))) == NULL) {
		1808	SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
		1809	return (NULL);
		1810	}
		1811	if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL) {
		1812	free(ret);
		1813	SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
		1814	return (NULL);
		1815	}
		1816
1802	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {	1817	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
1803	SSLerr(SSL_F_SSL_CTX_NEW,	1818	SSLerr(SSL_F_SSL_CTX_NEW,
1804	SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);	1819	SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1805	goto err;	1820	goto err;
1806	}	1821	}
1807	ret = calloc(1, sizeof(SSL_CTX));
1808	if (ret == NULL)
1809	goto err;
1810		1822
1811	ret->method = meth;	1823	ret->method = meth;
1812		1824
@@ -1993,6 +2005,7 @@ SSL_CTX_free(SSL_CTX *a)
1993		2005
1994	free(a->alpn_client_proto_list);	2006	free(a->alpn_client_proto_list);
1995		2007
		2008	free(a->internal);
1996	free(a);	2009	free(a);
1997	}	2010	}
1998		2011


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 5748875092..50f527aad5 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.145 2017/01/21 04:18:18 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.146 2017/01/22 03:50:45 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -372,6 +372,26 @@ __BEGIN_HIDDEN_DECLS
372	#define EXPLICIT_CHAR2_CURVE_TYPE 2	372	#define EXPLICIT_CHAR2_CURVE_TYPE 2
373	#define NAMED_CURVE_TYPE 3	373	#define NAMED_CURVE_TYPE 3
374		374
		375	typedef struct ssl_session_internal_st {
		376
		377	} SSL_SESSION_INTERNAL;
		378
		379	typedef struct ssl_ctx_internal_st {
		380
		381	} SSL_CTX_INTERNAL;
		382
		383	typedef struct ssl_internal_st {
		384
		385	} SSL_INTERNAL;
		386
		387	typedef struct ssl3_state_internal_st {
		388
		389	} SSL3_STATE_INTERNAL;
		390
		391	typedef struct dtls1_state_internal_st {
		392
		393	} DTLS1_STATE_INTERNAL;
		394
375	typedef struct cert_pkey_st {	395	typedef struct cert_pkey_st {
376	X509 *x509;	396	X509 *x509;
377	EVP_PKEY *privatekey;	397	EVP_PKEY *privatekey;


diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index f6e2642aeb..0970633a86 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_sess.c,v 1.53 2016/11/02 11:21:05 jsing Exp $ */	1	/* $OpenBSD: ssl_sess.c,v 1.54 2017/01/22 03:50:45 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -199,10 +199,14 @@ SSL_SESSION_new(void)
199	{	199	{
200	SSL_SESSION *ss;	200	SSL_SESSION *ss;
201		201
202	ss = calloc(1, sizeof(SSL_SESSION));	202	if ((ss = calloc(1, sizeof(*ss))) == NULL) {
203	if (ss == NULL) {
204	SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);	203	SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
205	return (0);	204	return (NULL);
		205	}
		206	if ((ss->internal = calloc(1, sizeof(*ss->internal))) == NULL) {
		207	free(ss);
		208	SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
		209	return (NULL);
206	}	210	}
207		211
208	ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */	212	ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
@@ -706,6 +710,10 @@ SSL_SESSION_free(SSL_SESSION *ss)
706	free(ss->tlsext_ecpointformatlist);	710	free(ss->tlsext_ecpointformatlist);
707	ss->tlsext_ellipticcurvelist_length = 0;	711	ss->tlsext_ellipticcurvelist_length = 0;
708	free(ss->tlsext_ellipticcurvelist);	712	free(ss->tlsext_ellipticcurvelist);
		713
		714	explicit_bzero(ss->internal, sizeof(*ss->internal));
		715	free(ss->internal);
		716
709	explicit_bzero(ss, sizeof(*ss));	717	explicit_bzero(ss, sizeof(*ss));
710	free(ss);	718	free(ss);
711	}	719	}