7 files changed, 50 insertions, 47 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 18e34f7b7b..2c272032b5 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.163 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.164 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -600,7 +600,7 @@ ssl3_client_hello(SSL *s)
                if ((sess == NULL) ||
                    (sess->ssl_version != s->version) ||
                    (!sess->session_id_length && !sess->tlsext_tick) ||
-                    (sess->not_resumable)) {
+                    (sess->internal->not_resumable)) {
                        if (!ssl_get_new_session(s, 0))
                                goto err;
                }
@@ -1037,9 +1037,9 @@ ssl3_get_server_certificate(SSL *s)
        sc = ssl_sess_cert_new();
        if (sc == NULL)
                goto err;
-        if (s->session->sess_cert)
+        if (SSI(s)->sess_cert)
-                ssl_sess_cert_free(s->session->sess_cert);
+                ssl_sess_cert_free(SSI(s)->sess_cert);
-        s->session->sess_cert = sc;
+        SSI(s)->sess_cert = sc;
        sc->cert_chain = sk;
        /*
@@ -1114,7 +1114,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
        int al;
        alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
-        sc = s->session->sess_cert;
+        sc = SSI(s)->sess_cert;
        if (*nn < 0)
                goto err;
@@ -1281,7 +1281,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
        int al;
        alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
-        sc = s->session->sess_cert;
+        sc = SSI(s)->sess_cert;
        if (*nn < 0)
                goto err;
@@ -1397,18 +1397,18 @@ ssl3_get_server_key_exchange(SSL *s)
                return (1);
        }
-        if (s->session->sess_cert != NULL) {
+        if (SSI(s)->sess_cert != NULL) {
-                DH_free(s->session->sess_cert->peer_dh_tmp);
+                DH_free(SSI(s)->sess_cert->peer_dh_tmp);
-                s->session->sess_cert->peer_dh_tmp = NULL;
+                SSI(s)->sess_cert->peer_dh_tmp = NULL;
-                EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
+                EC_KEY_free(SSI(s)->sess_cert->peer_ecdh_tmp);
-                s->session->sess_cert->peer_ecdh_tmp = NULL;
+                SSI(s)->sess_cert->peer_ecdh_tmp = NULL;
-                free(s->session->sess_cert->peer_x25519_tmp);
+                free(SSI(s)->sess_cert->peer_x25519_tmp);
-                s->session->sess_cert->peer_x25519_tmp = NULL;
+                SSI(s)->sess_cert->peer_x25519_tmp = NULL;
        } else {
-                s->session->sess_cert = ssl_sess_cert_new();
+                SSI(s)->sess_cert = ssl_sess_cert_new();
-                if (s->session->sess_cert == NULL)
+                if (SSI(s)->sess_cert == NULL)
                        goto err;
        }
@@ -2341,7 +2341,7 @@ ssl3_send_client_key_exchange(SSL *s)
        if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
                alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
-                if ((sess_cert = s->session->sess_cert) == NULL) {
+                if ((sess_cert = SSI(s)->sess_cert) == NULL) {
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                            SSL_AD_UNEXPECTED_MESSAGE);
                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
@@ -2636,13 +2636,13 @@ ssl3_check_cert_and_algorithm(SSL *s)
        if (alg_a & SSL_aNULL)
                return (1);
-        sc = s->session->sess_cert;
+        sc = SSI(s)->sess_cert;
        if (sc == NULL) {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
                    ERR_R_INTERNAL_ERROR);
                goto err;
        }
-        dh = s->session->sess_cert->peer_dh_tmp;
+        dh = SSI(s)->sess_cert->peer_dh_tmp;
        /* This is the passed certificate. */
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 990ce2153d..ae2586912c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.120 2017/01/22 09:02:07 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.121 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1928,10 +1928,10 @@ ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp)
        if (s->server != 0)
                return 0;
-        if (s->session == NULL || s->session->sess_cert == NULL)
+        if (s->session == NULL || SSI(s)->sess_cert == NULL)
                return 0;
-        sc = s->session->sess_cert;
+        sc = SSI(s)->sess_cert;
        if ((pkey = EVP_PKEY_new()) == NULL)
                return 0;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index a18b218207..ebdb10cb91 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.142 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.143 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2593,17 +2593,17 @@ ssl3_get_client_certificate(SSL *s)
         * With the current implementation, sess_cert will always be NULL
         * when we arrive here
         */
-        if (s->session->sess_cert == NULL) {
+        if (SSI(s)->sess_cert == NULL) {
-                s->session->sess_cert = ssl_sess_cert_new();
+                SSI(s)->sess_cert = ssl_sess_cert_new();
-                if (s->session->sess_cert == NULL) {
+                if (SSI(s)->sess_cert == NULL) {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                            ERR_R_MALLOC_FAILURE);
                        goto err;
                }
        }
-        if (s->session->sess_cert->cert_chain != NULL)
+        if (SSI(s)->sess_cert->cert_chain != NULL)
-                sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
+                sk_X509_pop_free(SSI(s)->sess_cert->cert_chain, X509_free);
-        s->session->sess_cert->cert_chain = sk;
+        SSI(s)->sess_cert->cert_chain = sk;
        /*
         * Inconsistency alert: cert_chain does *not* include the
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 5904872c92..dce72d8c25 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.108 2017/01/23 01:04:23 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.109 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -464,28 +464,23 @@ struct ssl_session_st {
        int master_key_length;
        unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
        /* session_id - valid? */
        unsigned int session_id_length;
        unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
        /* this is used to determine whether the session is being reused in
         * the appropriate context. It is up to the application to set this,
         * via SSL_new */
        unsigned int sid_ctx_length;
        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-        /* Used to indicate that session resumption is not allowed.
-         * Applications can also set this bit for a new session via
-         * not_resumable_session_cb to disable session caching and tickets. */
-        int not_resumable;
-        /* The cert is the certificate used to establish this connection */
-        struct sess_cert_st /* SESS_CERT */ *sess_cert;
        /* This is the cert for the other end.
         * On clients, it will be the same as sess_cert->peer_key->x509
         * (the latter is not enough as sess_cert is not retained
         * in the external representation of sessions, see ssl_asn1.c). */
        X509 *peer;
        /* when app_verify_callback accepts a session where the peer's certificate
         * is not ok, we must remember the error for session reuse: */
        long verify_result; /* only for servers */
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f4bb212865..1e529e85de 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.130 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.131 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -826,10 +826,10 @@ SSL_get_peer_cert_chain(const SSL *s)
        STACK_OF(X509)  *r;
        if ((s == NULL) || (s->session == NULL) ||
-            (s->session->sess_cert == NULL))
+            (SSI(s)->sess_cert == NULL))
                r = NULL;
        else
-                r = s->session->sess_cert->cert_chain;
+                r = SSI(s)->sess_cert->cert_chain;
        /*
         * If we are a client, cert_chain includes the peer's own
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3f63b1de2f..2eace2567d 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.152 2017/01/23 00:12:55 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.153 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -373,6 +373,14 @@ __BEGIN_HIDDEN_DECLS
 #define NAMED_CURVE_TYPE           3
 typedef struct ssl_session_internal_st {
+        /* Used to indicate that session resumption is not allowed.
+         * Applications can also set this bit for a new session via
+         * not_resumable_session_cb to disable session caching and tickets. */
+        int not_resumable;
+        /* The cert is the certificate used to establish this connection */
+        struct sess_cert_st /* SESS_CERT */ *sess_cert;
        size_t tlsext_ecpointformatlist_length;
        uint8_t *tlsext_ecpointformatlist; /* peer's list */
        size_t tlsext_ellipticcurvelist_length;
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 7f03d12d35..2520843cc0 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.56 2017/01/23 00:12:55 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.57 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -673,7 +673,7 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
                        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
                if (ret) {
-                        r->not_resumable = 1;
+                        r->internal->not_resumable = 1;
                        if (ctx->remove_session_cb != NULL)
                                ctx->remove_session_cb(ctx, r);
                        SSL_SESSION_free(r);
@@ -699,8 +699,8 @@ SSL_SESSION_free(SSL_SESSION *ss)
        explicit_bzero(ss->master_key, sizeof ss->master_key);
        explicit_bzero(ss->session_id, sizeof ss->session_id);
-        if (ss->sess_cert != NULL)
+        if (ss->internal->sess_cert != NULL)
-                ssl_sess_cert_free(ss->sess_cert);
+                ssl_sess_cert_free(ss->internal->sess_cert);
        X509_free(ss->peer);
        if (ss->ciphers != NULL)
                sk_SSL_CIPHER_free(ss->ciphers);
@@ -910,7 +910,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
                 * save on locking overhead */
                (void)lh_SSL_SESSION_delete(p->cache, s);
                SSL_SESSION_list_remove(p->ctx, s);
-                s->not_resumable = 1;
+                s->internal->not_resumable = 1;
                if (p->ctx->remove_session_cb != NULL)
                        p->ctx->remove_session_cb(p->ctx, s);
                SSL_SESSION_free(s);