summaryrefslogtreecommitdiff
path: root/src/lib/libssl/t1_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c140
1 files changed, 70 insertions, 70 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 0dbd83fecf..f0a9ed5dc1 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.102 2017/01/23 05:13:02 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.103 2017/01/23 06:45:30 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -201,7 +201,7 @@ tls1_free(SSL *s)
201 if (s == NULL) 201 if (s == NULL)
202 return; 202 return;
203 203
204 free(s->tlsext_session_ticket); 204 free(s->internal->tlsext_session_ticket);
205 ssl3_free(s); 205 ssl3_free(s);
206} 206}
207 207
@@ -376,8 +376,8 @@ tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
376 return; 376 return;
377 } 377 }
378 378
379 *pformats = s->tlsext_ecpointformatlist; 379 *pformats = s->internal->tlsext_ecpointformatlist;
380 *pformatslen = s->tlsext_ecpointformatlist_length; 380 *pformatslen = s->internal->tlsext_ecpointformatlist_length;
381 if (*pformats == NULL) { 381 if (*pformats == NULL) {
382 *pformats = ecformats_default; 382 *pformats = ecformats_default;
383 *pformatslen = sizeof(ecformats_default); 383 *pformatslen = sizeof(ecformats_default);
@@ -399,8 +399,8 @@ tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
399 return; 399 return;
400 } 400 }
401 401
402 *pcurves = s->tlsext_ellipticcurvelist; 402 *pcurves = s->internal->tlsext_ellipticcurvelist;
403 *pcurveslen = s->tlsext_ellipticcurvelist_length; 403 *pcurveslen = s->internal->tlsext_ellipticcurvelist_length;
404 if (*pcurves == NULL) { 404 if (*pcurves == NULL) {
405 *pcurves = eccurves_default; 405 *pcurves = eccurves_default;
406 *pcurveslen = sizeof(eccurves_default) / 2; 406 *pcurveslen = sizeof(eccurves_default) / 2;
@@ -690,7 +690,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
690 } 690 }
691 691
692 /* Add RI if renegotiating */ 692 /* Add RI if renegotiating */
693 if (s->renegotiate) { 693 if (s->internal->renegotiate) {
694 int el; 694 int el;
695 695
696 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 696 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
@@ -775,21 +775,21 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
775 775
776 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 776 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
777 int ticklen; 777 int ticklen;
778 if (!s->new_session && s->session && s->session->tlsext_tick) 778 if (!s->internal->new_session && s->session && s->session->tlsext_tick)
779 ticklen = s->session->tlsext_ticklen; 779 ticklen = s->session->tlsext_ticklen;
780 else if (s->session && s->tlsext_session_ticket && 780 else if (s->session && s->internal->tlsext_session_ticket &&
781 s->tlsext_session_ticket->data) { 781 s->internal->tlsext_session_ticket->data) {
782 ticklen = s->tlsext_session_ticket->length; 782 ticklen = s->internal->tlsext_session_ticket->length;
783 s->session->tlsext_tick = malloc(ticklen); 783 s->session->tlsext_tick = malloc(ticklen);
784 if (!s->session->tlsext_tick) 784 if (!s->session->tlsext_tick)
785 return NULL; 785 return NULL;
786 memcpy(s->session->tlsext_tick, 786 memcpy(s->session->tlsext_tick,
787 s->tlsext_session_ticket->data, ticklen); 787 s->internal->tlsext_session_ticket->data, ticklen);
788 s->session->tlsext_ticklen = ticklen; 788 s->session->tlsext_ticklen = ticklen;
789 } else 789 } else
790 ticklen = 0; 790 ticklen = 0;
791 if (ticklen == 0 && s->tlsext_session_ticket && 791 if (ticklen == 0 && s->internal->tlsext_session_ticket &&
792 s->tlsext_session_ticket->data == NULL) 792 s->internal->tlsext_session_ticket->data == NULL)
793 goto skip_ext; 793 goto skip_ext;
794 /* Check for enough room 2 for extension type, 2 for len 794 /* Check for enough room 2 for extension type, 2 for len
795 * rest for ticket 795 * rest for ticket
@@ -824,16 +824,16 @@ skip_ext:
824 OCSP_RESPID *id; 824 OCSP_RESPID *id;
825 825
826 idlen = 0; 826 idlen = 0;
827 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 827 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
828 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 828 id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, i);
829 itmp = i2d_OCSP_RESPID(id, NULL); 829 itmp = i2d_OCSP_RESPID(id, NULL);
830 if (itmp <= 0) 830 if (itmp <= 0)
831 return NULL; 831 return NULL;
832 idlen += itmp + 2; 832 idlen += itmp + 2;
833 } 833 }
834 834
835 if (s->tlsext_ocsp_exts) { 835 if (s->internal->tlsext_ocsp_exts) {
836 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 836 extlen = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, NULL);
837 if (extlen < 0) 837 if (extlen < 0)
838 return NULL; 838 return NULL;
839 } else 839 } else
@@ -847,10 +847,10 @@ skip_ext:
847 s2n(extlen + idlen + 5, ret); 847 s2n(extlen + idlen + 5, ret);
848 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 848 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
849 s2n(idlen, ret); 849 s2n(idlen, ret);
850 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 850 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
851 /* save position of id len */ 851 /* save position of id len */
852 unsigned char *q = ret; 852 unsigned char *q = ret;
853 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 853 id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, i);
854 /* skip over id len */ 854 /* skip over id len */
855 ret += 2; 855 ret += 2;
856 itmp = i2d_OCSP_RESPID(id, &ret); 856 itmp = i2d_OCSP_RESPID(id, &ret);
@@ -859,7 +859,7 @@ skip_ext:
859 } 859 }
860 s2n(extlen, ret); 860 s2n(extlen, ret);
861 if (extlen > 0) 861 if (extlen > 0)
862 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 862 i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);
863 } 863 }
864 864
865 if (s->ctx->internal->next_proto_select_cb && 865 if (s->ctx->internal->next_proto_select_cb &&
@@ -917,7 +917,7 @@ skip_ext:
917 * extensions it MUST always appear last. 917 * extensions it MUST always appear last.
918 */ 918 */
919 if (s->options & SSL_OP_TLSEXT_PADDING) { 919 if (s->options & SSL_OP_TLSEXT_PADDING) {
920 int hlen = ret - (unsigned char *)s->init_buf->data; 920 int hlen = ret - (unsigned char *)s->internal->init_buf->data;
921 921
922 /* 922 /*
923 * The code in s23_clnt.c to build ClientHello messages 923 * The code in s23_clnt.c to build ClientHello messages
@@ -964,7 +964,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
964 if (ret >= limit) 964 if (ret >= limit)
965 return NULL; /* this really never occurs, but ... */ 965 return NULL; /* this really never occurs, but ... */
966 966
967 if (!s->hit && s->servername_done == 1 && 967 if (!s->internal->hit && s->internal->servername_done == 1 &&
968 s->session->tlsext_hostname != NULL) { 968 s->session->tlsext_hostname != NULL) {
969 if ((size_t)(limit - ret) < 4) 969 if ((size_t)(limit - ret) < 4)
970 return NULL; 970 return NULL;
@@ -1030,7 +1030,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1030 * extension. 1030 * extension.
1031 */ 1031 */
1032 1032
1033 if (s->tlsext_ticket_expected && 1033 if (s->internal->tlsext_ticket_expected &&
1034 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1034 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1035 if ((size_t)(limit - ret) < 4) 1035 if ((size_t)(limit - ret) < 4)
1036 return NULL; 1036 return NULL;
@@ -1039,7 +1039,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1039 s2n(0, ret); 1039 s2n(0, ret);
1040 } 1040 }
1041 1041
1042 if (s->tlsext_status_expected) { 1042 if (s->internal->tlsext_status_expected) {
1043 if ((size_t)(limit - ret) < 4) 1043 if ((size_t)(limit - ret) < 4)
1044 return NULL; 1044 return NULL;
1045 1045
@@ -1048,7 +1048,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1048 } 1048 }
1049 1049
1050#ifndef OPENSSL_NO_SRTP 1050#ifndef OPENSSL_NO_SRTP
1051 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1051 if (SSL_IS_DTLS(s) && s->internal->srtp_profile) {
1052 int el; 1052 int el;
1053 1053
1054 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1054 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
@@ -1203,12 +1203,12 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1203 int renegotiate_seen = 0; 1203 int renegotiate_seen = 0;
1204 int sigalg_seen = 0; 1204 int sigalg_seen = 0;
1205 1205
1206 s->servername_done = 0; 1206 s->internal->servername_done = 0;
1207 s->tlsext_status_type = -1; 1207 s->tlsext_status_type = -1;
1208 S3I(s)->next_proto_neg_seen = 0; 1208 S3I(s)->next_proto_neg_seen = 0;
1209 free(S3I(s)->alpn_selected); 1209 free(S3I(s)->alpn_selected);
1210 S3I(s)->alpn_selected = NULL; 1210 S3I(s)->alpn_selected = NULL;
1211 s->srtp_profile = NULL; 1211 s->internal->srtp_profile = NULL;
1212 1212
1213 if (data == end) 1213 if (data == end)
1214 goto ri_check; 1214 goto ri_check;
@@ -1281,10 +1281,10 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1281 *al = SSL_AD_DECODE_ERROR; 1281 *al = SSL_AD_DECODE_ERROR;
1282 return 0; 1282 return 0;
1283 } 1283 }
1284 if (s->servername_done == 0) 1284 if (s->internal->servername_done == 0)
1285 switch (servname_type) { 1285 switch (servname_type) {
1286 case TLSEXT_NAMETYPE_host_name: 1286 case TLSEXT_NAMETYPE_host_name:
1287 if (!s->hit) { 1287 if (!s->internal->hit) {
1288 if (s->session->tlsext_hostname) { 1288 if (s->session->tlsext_hostname) {
1289 *al = SSL_AD_DECODE_ERROR; 1289 *al = SSL_AD_DECODE_ERROR;
1290 return 0; 1290 return 0;
@@ -1306,11 +1306,11 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1306 *al = TLS1_AD_UNRECOGNIZED_NAME; 1306 *al = TLS1_AD_UNRECOGNIZED_NAME;
1307 return 0; 1307 return 0;
1308 } 1308 }
1309 s->servername_done = 1; 1309 s->internal->servername_done = 1;
1310 1310
1311 1311
1312 } else { 1312 } else {
1313 s->servername_done = s->session->tlsext_hostname && 1313 s->internal->servername_done = s->session->tlsext_hostname &&
1314 strlen(s->session->tlsext_hostname) == len && 1314 strlen(s->session->tlsext_hostname) == len &&
1315 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1315 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1316 } 1316 }
@@ -1345,7 +1345,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1345 return 0; 1345 return 0;
1346 } 1346 }
1347 1347
1348 if (!s->hit) { 1348 if (!s->internal->hit) {
1349 free(SSI(s)->tlsext_ecpointformatlist); 1349 free(SSI(s)->tlsext_ecpointformatlist);
1350 SSI(s)->tlsext_ecpointformatlist = NULL; 1350 SSI(s)->tlsext_ecpointformatlist = NULL;
1351 SSI(s)->tlsext_ecpointformatlist_length = 0; 1351 SSI(s)->tlsext_ecpointformatlist_length = 0;
@@ -1377,7 +1377,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1377 } 1377 }
1378 curveslen /= 2; 1378 curveslen /= 2;
1379 1379
1380 if (!s->hit) { 1380 if (!s->internal->hit) {
1381 if (SSI(s)->tlsext_ellipticcurvelist) { 1381 if (SSI(s)->tlsext_ellipticcurvelist) {
1382 *al = TLS1_AD_DECODE_ERROR; 1382 *al = TLS1_AD_DECODE_ERROR;
1383 return 0; 1383 return 0;
@@ -1447,13 +1447,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1447 * previous handshake to prevent 1447 * previous handshake to prevent
1448 * unbounded memory growth. 1448 * unbounded memory growth.
1449 */ 1449 */
1450 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 1450 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids,
1451 OCSP_RESPID_free); 1451 OCSP_RESPID_free);
1452 s->tlsext_ocsp_ids = NULL; 1452 s->internal->tlsext_ocsp_ids = NULL;
1453 if (dsize > 0) { 1453 if (dsize > 0) {
1454 s->tlsext_ocsp_ids = 1454 s->internal->tlsext_ocsp_ids =
1455 sk_OCSP_RESPID_new_null(); 1455 sk_OCSP_RESPID_new_null();
1456 if (s->tlsext_ocsp_ids == NULL) { 1456 if (s->internal->tlsext_ocsp_ids == NULL) {
1457 *al = SSL_AD_INTERNAL_ERROR; 1457 *al = SSL_AD_INTERNAL_ERROR;
1458 return 0; 1458 return 0;
1459 } 1459 }
@@ -1487,7 +1487,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1487 return 0; 1487 return 0;
1488 } 1488 }
1489 if (!sk_OCSP_RESPID_push( 1489 if (!sk_OCSP_RESPID_push(
1490 s->tlsext_ocsp_ids, id)) { 1490 s->internal->tlsext_ocsp_ids, id)) {
1491 OCSP_RESPID_free(id); 1491 OCSP_RESPID_free(id);
1492 *al = SSL_AD_INTERNAL_ERROR; 1492 *al = SSL_AD_INTERNAL_ERROR;
1493 return 0; 1493 return 0;
@@ -1507,15 +1507,15 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1507 } 1507 }
1508 sdata = data; 1508 sdata = data;
1509 if (dsize > 0) { 1509 if (dsize > 0) {
1510 if (s->tlsext_ocsp_exts) { 1510 if (s->internal->tlsext_ocsp_exts) {
1511 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1511 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
1512 X509_EXTENSION_free); 1512 X509_EXTENSION_free);
1513 } 1513 }
1514 1514
1515 s->tlsext_ocsp_exts = 1515 s->internal->tlsext_ocsp_exts =
1516 d2i_X509_EXTENSIONS(NULL, 1516 d2i_X509_EXTENSIONS(NULL,
1517 &sdata, dsize); 1517 &sdata, dsize);
1518 if (!s->tlsext_ocsp_exts || 1518 if (!s->internal->tlsext_ocsp_exts ||
1519 (data + dsize != sdata)) { 1519 (data + dsize != sdata)) {
1520 *al = SSL_AD_DECODE_ERROR; 1520 *al = SSL_AD_DECODE_ERROR;
1521 return 0; 1521 return 0;
@@ -1534,7 +1534,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1534 /* We shouldn't accept this extension on a 1534 /* We shouldn't accept this extension on a
1535 * renegotiation. 1535 * renegotiation.
1536 * 1536 *
1537 * s->new_session will be set on renegotiation, but we 1537 * s->internal->new_session will be set on renegotiation, but we
1538 * probably shouldn't rely that it couldn't be set on 1538 * probably shouldn't rely that it couldn't be set on
1539 * the initial renegotation too in certain cases (when 1539 * the initial renegotation too in certain cases (when
1540 * there's some other reason to disallow resuming an 1540 * there's some other reason to disallow resuming an
@@ -1580,7 +1580,7 @@ ri_check:
1580 1580
1581 /* Need RI if renegotiating */ 1581 /* Need RI if renegotiating */
1582 1582
1583 if (!renegotiate_seen && s->renegotiate) { 1583 if (!renegotiate_seen && s->internal->renegotiate) {
1584 *al = SSL_AD_HANDSHAKE_FAILURE; 1584 *al = SSL_AD_HANDSHAKE_FAILURE;
1585 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1585 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1586 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1586 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
@@ -1673,7 +1673,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1673 return 0; 1673 return 0;
1674 } 1674 }
1675 1675
1676 if (!s->hit) { 1676 if (!s->internal->hit) {
1677 free(SSI(s)->tlsext_ecpointformatlist); 1677 free(SSI(s)->tlsext_ecpointformatlist);
1678 SSI(s)->tlsext_ecpointformatlist = NULL; 1678 SSI(s)->tlsext_ecpointformatlist = NULL;
1679 SSI(s)->tlsext_ecpointformatlist_length = 0; 1679 SSI(s)->tlsext_ecpointformatlist_length = 0;
@@ -1699,7 +1699,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1699 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1699 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1700 return 0; 1700 return 0;
1701 } 1701 }
1702 s->tlsext_ticket_expected = 1; 1702 s->internal->tlsext_ticket_expected = 1;
1703 } 1703 }
1704 else if (type == TLSEXT_TYPE_status_request && 1704 else if (type == TLSEXT_TYPE_status_request &&
1705 s->version != DTLS1_VERSION) { 1705 s->version != DTLS1_VERSION) {
@@ -1711,7 +1711,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1711 return 0; 1711 return 0;
1712 } 1712 }
1713 /* Set flag to expect CertificateStatus message */ 1713 /* Set flag to expect CertificateStatus message */
1714 s->tlsext_status_expected = 1; 1714 s->internal->tlsext_status_expected = 1;
1715 } 1715 }
1716 else if (type == TLSEXT_TYPE_next_proto_neg && 1716 else if (type == TLSEXT_TYPE_next_proto_neg &&
1717 S3I(s)->tmp.finish_md_len == 0) { 1717 S3I(s)->tmp.finish_md_len == 0) {
@@ -1804,7 +1804,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1804 return 0; 1804 return 0;
1805 } 1805 }
1806 1806
1807 if (!s->hit && tlsext_servername == 1) { 1807 if (!s->internal->hit && tlsext_servername == 1) {
1808 if (s->tlsext_hostname) { 1808 if (s->tlsext_hostname) {
1809 if (s->session->tlsext_hostname == NULL) { 1809 if (s->session->tlsext_hostname == NULL) {
1810 s->session->tlsext_hostname = 1810 s->session->tlsext_hostname =
@@ -1874,7 +1874,7 @@ ssl_check_clienthello_tlsext_early(SSL *s)
1874 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1874 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1875 return 1; 1875 return 1;
1876 case SSL_TLSEXT_ERR_NOACK: 1876 case SSL_TLSEXT_ERR_NOACK:
1877 s->servername_done = 0; 1877 s->internal->servername_done = 0;
1878 default: 1878 default:
1879 return 1; 1879 return 1;
1880 } 1880 }
@@ -1898,7 +1898,7 @@ ssl_check_clienthello_tlsext_late(SSL *s)
1898 certpkey = ssl_get_server_send_pkey(s); 1898 certpkey = ssl_get_server_send_pkey(s);
1899 /* If no certificate can't return certificate status */ 1899 /* If no certificate can't return certificate status */
1900 if (certpkey == NULL) { 1900 if (certpkey == NULL) {
1901 s->tlsext_status_expected = 0; 1901 s->internal->tlsext_status_expected = 0;
1902 return 1; 1902 return 1;
1903 } 1903 }
1904 /* Set current certificate to one we will use so 1904 /* Set current certificate to one we will use so
@@ -1910,14 +1910,14 @@ ssl_check_clienthello_tlsext_late(SSL *s)
1910 switch (r) { 1910 switch (r) {
1911 /* We don't want to send a status request response */ 1911 /* We don't want to send a status request response */
1912 case SSL_TLSEXT_ERR_NOACK: 1912 case SSL_TLSEXT_ERR_NOACK:
1913 s->tlsext_status_expected = 0; 1913 s->internal->tlsext_status_expected = 0;
1914 break; 1914 break;
1915 /* status request response should be sent */ 1915 /* status request response should be sent */
1916 case SSL_TLSEXT_ERR_OK: 1916 case SSL_TLSEXT_ERR_OK:
1917 if (s->tlsext_ocsp_resp) 1917 if (s->internal->tlsext_ocsp_resp)
1918 s->tlsext_status_expected = 1; 1918 s->internal->tlsext_status_expected = 1;
1919 else 1919 else
1920 s->tlsext_status_expected = 0; 1920 s->internal->tlsext_status_expected = 0;
1921 break; 1921 break;
1922 /* something bad happened */ 1922 /* something bad happened */
1923 case SSL_TLSEXT_ERR_ALERT_FATAL: 1923 case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1926,7 +1926,7 @@ ssl_check_clienthello_tlsext_late(SSL *s)
1926 goto err; 1926 goto err;
1927 } 1927 }
1928 } else 1928 } else
1929 s->tlsext_status_expected = 0; 1929 s->internal->tlsext_status_expected = 0;
1930 1930
1931err: 1931err:
1932 switch (ret) { 1932 switch (ret) {
@@ -1953,8 +1953,8 @@ ssl_check_serverhello_tlsext(SSL *s)
1953 */ 1953 */
1954 unsigned long alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; 1954 unsigned long alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
1955 unsigned long alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; 1955 unsigned long alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
1956 if ((s->tlsext_ecpointformatlist != NULL) && 1956 if ((s->internal->tlsext_ecpointformatlist != NULL) &&
1957 (s->tlsext_ecpointformatlist_length > 0) && 1957 (s->internal->tlsext_ecpointformatlist_length > 0) &&
1958 (SSI(s)->tlsext_ecpointformatlist != NULL) && 1958 (SSI(s)->tlsext_ecpointformatlist != NULL) &&
1959 (SSI(s)->tlsext_ecpointformatlist_length > 0) && 1959 (SSI(s)->tlsext_ecpointformatlist_length > 0) &&
1960 ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { 1960 ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
@@ -1986,15 +1986,15 @@ ssl_check_serverhello_tlsext(SSL *s)
1986 /* If we've requested certificate status and we wont get one 1986 /* If we've requested certificate status and we wont get one
1987 * tell the callback 1987 * tell the callback
1988 */ 1988 */
1989 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1989 if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) &&
1990 s->ctx && s->ctx->internal->tlsext_status_cb) { 1990 s->ctx && s->ctx->internal->tlsext_status_cb) {
1991 int r; 1991 int r;
1992 /* Set resp to NULL, resplen to -1 so callback knows 1992 /* Set resp to NULL, resplen to -1 so callback knows
1993 * there is no response. 1993 * there is no response.
1994 */ 1994 */
1995 free(s->tlsext_ocsp_resp); 1995 free(s->internal->tlsext_ocsp_resp);
1996 s->tlsext_ocsp_resp = NULL; 1996 s->internal->tlsext_ocsp_resp = NULL;
1997 s->tlsext_ocsp_resplen = -1; 1997 s->internal->tlsext_ocsp_resplen = -1;
1998 r = s->ctx->internal->tlsext_status_cb(s, 1998 r = s->ctx->internal->tlsext_status_cb(s,
1999 s->ctx->internal->tlsext_status_arg); 1999 s->ctx->internal->tlsext_status_arg);
2000 if (r == 0) { 2000 if (r == 0) {
@@ -2017,7 +2017,7 @@ ssl_check_serverhello_tlsext(SSL *s)
2017 2017
2018 return 1; 2018 return 1;
2019 case SSL_TLSEXT_ERR_NOACK: 2019 case SSL_TLSEXT_ERR_NOACK:
2020 s->servername_done = 0; 2020 s->internal->servername_done = 0;
2021 default: 2021 default:
2022 return 1; 2022 return 1;
2023 } 2023 }
@@ -2037,7 +2037,7 @@ ssl_check_serverhello_tlsext(SSL *s)
2037 * 2037 *
2038 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key 2038 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
2039 * ciphersuite, in which case we have no use for session tickets and one will 2039 * ciphersuite, in which case we have no use for session tickets and one will
2040 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2040 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
2041 * 2041 *
2042 * Returns: 2042 * Returns:
2043 * -1: fatal error, either from parsing or decrypting the ticket. 2043 * -1: fatal error, either from parsing or decrypting the ticket.
@@ -2049,12 +2049,12 @@ ssl_check_serverhello_tlsext(SSL *s)
2049 * 3: a ticket was successfully decrypted and *ret was set. 2049 * 3: a ticket was successfully decrypted and *ret was set.
2050 * 2050 *
2051 * Side effects: 2051 * Side effects:
2052 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2052 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
2053 * a new session ticket to the client because the client indicated support 2053 * a new session ticket to the client because the client indicated support
2054 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have 2054 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
2055 * a session ticket or we couldn't use the one it gave us, or if 2055 * a session ticket or we couldn't use the one it gave us, or if
2056 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2056 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2057 * Otherwise, s->tlsext_ticket_expected is set to 0. 2057 * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
2058 */ 2058 */
2059int 2059int
2060tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2060tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
@@ -2064,7 +2064,7 @@ tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2064 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2064 CBS session_id, cookie, cipher_list, compress_algo, extensions;
2065 2065
2066 *ret = NULL; 2066 *ret = NULL;
2067 s->tlsext_ticket_expected = 0; 2067 s->internal->tlsext_ticket_expected = 0;
2068 2068
2069 /* If tickets disabled behave as if no ticket present 2069 /* If tickets disabled behave as if no ticket present
2070 * to permit stateful resumption. 2070 * to permit stateful resumption.
@@ -2116,7 +2116,7 @@ tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2116 if (CBS_len(&ext_data) == 0) { 2116 if (CBS_len(&ext_data) == 0) {
2117 /* The client will accept a ticket but doesn't 2117 /* The client will accept a ticket but doesn't
2118 * currently have one. */ 2118 * currently have one. */
2119 s->tlsext_ticket_expected = 1; 2119 s->internal->tlsext_ticket_expected = 1;
2120 return 1; 2120 return 1;
2121 } 2121 }
2122 if (s->internal->tls_session_secret_cb) { 2122 if (s->internal->tls_session_secret_cb) {
@@ -2133,12 +2133,12 @@ tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2133 2133
2134 switch (r) { 2134 switch (r) {
2135 case 2: /* ticket couldn't be decrypted */ 2135 case 2: /* ticket couldn't be decrypted */
2136 s->tlsext_ticket_expected = 1; 2136 s->internal->tlsext_ticket_expected = 1;
2137 return 2; 2137 return 2;
2138 case 3: /* ticket was decrypted */ 2138 case 3: /* ticket was decrypted */
2139 return r; 2139 return r;
2140 case 4: /* ticket decrypted but need to renew */ 2140 case 4: /* ticket decrypted but need to renew */
2141 s->tlsext_ticket_expected = 1; 2141 s->internal->tlsext_ticket_expected = 1;
2142 return 3; 2142 return 3;
2143 default: /* fatal error */ 2143 default: /* fatal error */
2144 return -1; 2144 return -1;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-14 22:06:29 +0000