summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/d1_clnt.c6
-rw-r--r--src/lib/libssl/d1_pkt.c10
-rw-r--r--src/lib/libssl/d1_srvr.c12
-rw-r--r--src/lib/libssl/s23_clnt.c10
-rw-r--r--src/lib/libssl/s23_srvr.c6
-rw-r--r--src/lib/libssl/s3_clnt.c15
-rw-r--r--src/lib/libssl/s3_lib.c12
-rw-r--r--src/lib/libssl/s3_pkt.c10
-rw-r--r--src/lib/libssl/s3_srvr.c16
-rw-r--r--src/lib/libssl/ssl.h59
-rw-r--r--src/lib/libssl/ssl_cert.c7
-rw-r--r--src/lib/libssl/ssl_lib.c70
-rw-r--r--src/lib/libssl/ssl_locl.h61
-rw-r--r--src/lib/libssl/ssl_rsa.c34
-rw-r--r--src/lib/libssl/ssl_sess.c44
-rw-r--r--src/lib/libssl/t1_lib.c38
16 files changed, 210 insertions, 200 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 71cd845ac6..127cda155c 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.63 2017/01/23 00:12:54 jsing Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.64 2017/01/23 04:15:28 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -190,8 +190,8 @@ dtls1_connect(SSL *s)
190 190
191 if (s->info_callback != NULL) 191 if (s->info_callback != NULL)
192 cb = s->info_callback; 192 cb = s->info_callback;
193 else if (s->ctx->info_callback != NULL) 193 else if (s->ctx->internal->info_callback != NULL)
194 cb = s->ctx->info_callback; 194 cb = s->ctx->internal->info_callback;
195 195
196 s->in_handshake++; 196 s->in_handshake++;
197 if (!SSL_in_init(s) || SSL_in_before(s)) 197 if (!SSL_in_init(s) || SSL_in_before(s))
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 315960b587..ef9bcaa786 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.51 2017/01/22 09:02:07 jsing Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.52 2017/01/23 04:15:28 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -928,8 +928,8 @@ start:
928 928
929 if (s->info_callback != NULL) 929 if (s->info_callback != NULL)
930 cb = s->info_callback; 930 cb = s->info_callback;
931 else if (s->ctx->info_callback != NULL) 931 else if (s->ctx->internal->info_callback != NULL)
932 cb = s->ctx->info_callback; 932 cb = s->ctx->internal->info_callback;
933 933
934 if (cb != NULL) { 934 if (cb != NULL) {
935 j = (alert_level << 8) | alert_descr; 935 j = (alert_level << 8) | alert_descr;
@@ -1428,8 +1428,8 @@ dtls1_dispatch_alert(SSL *s)
1428 1428
1429 if (s->info_callback != NULL) 1429 if (s->info_callback != NULL)
1430 cb = s->info_callback; 1430 cb = s->info_callback;
1431 else if (s->ctx->info_callback != NULL) 1431 else if (s->ctx->internal->info_callback != NULL)
1432 cb = s->ctx->info_callback; 1432 cb = s->ctx->internal->info_callback;
1433 1433
1434 if (cb != NULL) { 1434 if (cb != NULL) {
1435 j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; 1435 j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 7cb1fdf3de..28a4442445 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.73 2017/01/23 00:12:54 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.74 2017/01/23 04:15:28 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -190,8 +190,8 @@ dtls1_accept(SSL *s)
190 190
191 if (s->info_callback != NULL) 191 if (s->info_callback != NULL)
192 cb = s->info_callback; 192 cb = s->info_callback;
193 else if (s->ctx->info_callback != NULL) 193 else if (s->ctx->internal->info_callback != NULL)
194 cb = s->ctx->info_callback; 194 cb = s->ctx->internal->info_callback;
195 195
196 listen = D1I(s)->listen; 196 listen = D1I(s)->listen;
197 197
@@ -704,9 +704,9 @@ dtls1_send_hello_verify_request(SSL *s)
704 *(p++) = s->version >> 8; 704 *(p++) = s->version >> 8;
705 *(p++) = s->version & 0xFF; 705 *(p++) = s->version & 0xFF;
706 706
707 if (s->ctx->app_gen_cookie_cb == NULL || 707 if (s->ctx->internal->app_gen_cookie_cb == NULL ||
708 s->ctx->app_gen_cookie_cb(s, D1I(s)->cookie, 708 s->ctx->internal->app_gen_cookie_cb(s,
709 &(D1I(s)->cookie_len)) == 0) { 709 D1I(s)->cookie, &(D1I(s)->cookie_len)) == 0) {
710 SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, 710 SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
711 ERR_R_INTERNAL_ERROR); 711 ERR_R_INTERNAL_ERROR);
712 return 0; 712 return 0;
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index a7ad53fd98..56c1d53707 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_clnt.c,v 1.50 2017/01/23 00:12:54 jsing Exp $ */ 1/* $OpenBSD: s23_clnt.c,v 1.51 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -132,8 +132,8 @@ ssl23_connect(SSL *s)
132 132
133 if (s->info_callback != NULL) 133 if (s->info_callback != NULL)
134 cb = s->info_callback; 134 cb = s->info_callback;
135 else if (s->ctx->info_callback != NULL) 135 else if (s->ctx->internal->info_callback != NULL)
136 cb = s->ctx->info_callback; 136 cb = s->ctx->internal->info_callback;
137 137
138 s->in_handshake++; 138 s->in_handshake++;
139 if (!SSL_in_init(s) || SSL_in_before(s)) 139 if (!SSL_in_init(s) || SSL_in_before(s))
@@ -396,8 +396,8 @@ ssl23_get_server_hello(SSL *s)
396 396
397 if (s->info_callback != NULL) 397 if (s->info_callback != NULL)
398 cb = s->info_callback; 398 cb = s->info_callback;
399 else if (s->ctx->info_callback != NULL) 399 else if (s->ctx->internal->info_callback != NULL)
400 cb = s->ctx->info_callback; 400 cb = s->ctx->internal->info_callback;
401 401
402 i = p[5]; 402 i = p[5];
403 if (cb != NULL) { 403 if (cb != NULL) {
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index e4cb633d06..88ff9bb9a8 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s23_srvr.c,v 1.51 2017/01/23 00:12:54 jsing Exp $ */ 1/* $OpenBSD: s23_srvr.c,v 1.52 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -131,8 +131,8 @@ ssl23_accept(SSL *s)
131 131
132 if (s->info_callback != NULL) 132 if (s->info_callback != NULL)
133 cb = s->info_callback; 133 cb = s->info_callback;
134 else if (s->ctx->info_callback != NULL) 134 else if (s->ctx->internal->info_callback != NULL)
135 cb = s->ctx->info_callback; 135 cb = s->ctx->internal->info_callback;
136 136
137 s->in_handshake++; 137 s->in_handshake++;
138 if (!SSL_in_init(s) || SSL_in_before(s)) 138 if (!SSL_in_init(s) || SSL_in_before(s))
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 2c272032b5..54833ded27 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.164 2017/01/23 01:22:08 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.165 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -185,8 +185,8 @@ ssl3_connect(SSL *s)
185 185
186 if (s->info_callback != NULL) 186 if (s->info_callback != NULL)
187 cb = s->info_callback; 187 cb = s->info_callback;
188 else if (s->ctx->info_callback != NULL) 188 else if (s->ctx->internal->info_callback != NULL)
189 cb = s->ctx->info_callback; 189 cb = s->ctx->internal->info_callback;
190 190
191 s->in_handshake++; 191 s->in_handshake++;
192 if (!SSL_in_init(s) || SSL_in_before(s)) 192 if (!SSL_in_init(s) || SSL_in_before(s))
@@ -1886,9 +1886,10 @@ ssl3_get_cert_status(SSL *s)
1886 } 1886 }
1887 s->tlsext_ocsp_resplen = (int)stow_len; 1887 s->tlsext_ocsp_resplen = (int)stow_len;
1888 1888
1889 if (s->ctx->tlsext_status_cb) { 1889 if (s->ctx->internal->tlsext_status_cb) {
1890 int ret; 1890 int ret;
1891 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1891 ret = s->ctx->internal->tlsext_status_cb(s,
1892 s->ctx->internal->tlsext_status_arg);
1892 if (ret == 0) { 1893 if (ret == 0) {
1893 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1894 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1894 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, 1895 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
@@ -2762,7 +2763,7 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2762 return (i); 2763 return (i);
2763 } 2764 }
2764#endif 2765#endif
2765 if (s->ctx->client_cert_cb) 2766 if (s->ctx->internal->client_cert_cb)
2766 i = s->ctx->client_cert_cb(s, px509, ppkey); 2767 i = s->ctx->internal->client_cert_cb(s, px509, ppkey);
2767 return (i); 2768 return (i);
2768} 2769}
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index ae2586912c..92f4c49aa8 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.121 2017/01/23 01:22:08 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.122 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2265,7 +2265,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2265 } 2265 }
2266 break; 2266 break;
2267 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2267 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2268 ctx->tlsext_servername_arg = parg; 2268 ctx->internal->tlsext_servername_arg = parg;
2269 break; 2269 break;
2270 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2270 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2271 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2271 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
@@ -2294,7 +2294,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2294 } 2294 }
2295 2295
2296 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2296 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2297 ctx->tlsext_status_arg = parg; 2297 ctx->internal->tlsext_status_arg = parg;
2298 return 1; 2298 return 1;
2299 break; 2299 break;
2300 2300
@@ -2346,16 +2346,16 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2346 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2346 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
2347 break; 2347 break;
2348 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2348 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2349 ctx->tlsext_servername_callback = 2349 ctx->internal->tlsext_servername_callback =
2350 (int (*)(SSL *, int *, void *))fp; 2350 (int (*)(SSL *, int *, void *))fp;
2351 break; 2351 break;
2352 2352
2353 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2353 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2354 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2354 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2355 break; 2355 break;
2356 2356
2357 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2357 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2358 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2358 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2359 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2359 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2360 break; 2360 break;
2361 2361
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 857d35b5a8..a1d0ef9299 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_pkt.c,v 1.61 2017/01/22 09:02:07 jsing Exp $ */ 1/* $OpenBSD: s3_pkt.c,v 1.62 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1115,8 +1115,8 @@ start:
1115 1115
1116 if (s->info_callback != NULL) 1116 if (s->info_callback != NULL)
1117 cb = s->info_callback; 1117 cb = s->info_callback;
1118 else if (s->ctx->info_callback != NULL) 1118 else if (s->ctx->internal->info_callback != NULL)
1119 cb = s->ctx->info_callback; 1119 cb = s->ctx->internal->info_callback;
1120 1120
1121 if (cb != NULL) { 1121 if (cb != NULL) {
1122 j = (alert_level << 8) | alert_descr; 1122 j = (alert_level << 8) | alert_descr;
@@ -1397,8 +1397,8 @@ ssl3_dispatch_alert(SSL *s)
1397 1397
1398 if (s->info_callback != NULL) 1398 if (s->info_callback != NULL)
1399 cb = s->info_callback; 1399 cb = s->info_callback;
1400 else if (s->ctx->info_callback != NULL) 1400 else if (s->ctx->internal->info_callback != NULL)
1401 cb = s->ctx->info_callback; 1401 cb = s->ctx->internal->info_callback;
1402 1402
1403 if (cb != NULL) { 1403 if (cb != NULL) {
1404 j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; 1404 j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index ebdb10cb91..3f53f27924 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.143 2017/01/23 01:22:08 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.144 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -180,8 +180,8 @@ ssl3_accept(SSL *s)
180 180
181 if (s->info_callback != NULL) 181 if (s->info_callback != NULL)
182 cb = s->info_callback; 182 cb = s->info_callback;
183 else if (s->ctx->info_callback != NULL) 183 else if (s->ctx->internal->info_callback != NULL)
184 cb = s->ctx->info_callback; 184 cb = s->ctx->internal->info_callback;
185 185
186 /* init things to blank */ 186 /* init things to blank */
187 s->in_handshake++; 187 s->in_handshake++;
@@ -870,8 +870,8 @@ ssl3_get_client_hello(SSL *s)
870 cookie_len > 0) { 870 cookie_len > 0) {
871 memcpy(D1I(s)->rcvd_cookie, p, cookie_len); 871 memcpy(D1I(s)->rcvd_cookie, p, cookie_len);
872 872
873 if (s->ctx->app_verify_cookie_cb != NULL) { 873 if (s->ctx->internal->app_verify_cookie_cb != NULL) {
874 if (s->ctx->app_verify_cookie_cb(s, 874 if (s->ctx->internal->app_verify_cookie_cb(s,
875 D1I(s)->rcvd_cookie, cookie_len) == 0) { 875 D1I(s)->rcvd_cookie, cookie_len) == 0) {
876 al = SSL_AD_HANDSHAKE_FAILURE; 876 al = SSL_AD_HANDSHAKE_FAILURE;
877 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 877 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
@@ -2742,9 +2742,9 @@ ssl3_send_newsession_ticket(SSL *s)
2742 * it does all the work otherwise use generated values 2742 * it does all the work otherwise use generated values
2743 * from parent ctx. 2743 * from parent ctx.
2744 */ 2744 */
2745 if (tctx->tlsext_ticket_key_cb) { 2745 if (tctx->internal->tlsext_ticket_key_cb) {
2746 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 2746 if (tctx->internal->tlsext_ticket_key_cb(s,
2747 &hctx, 1) < 0) { 2747 key_name, iv, &ctx, &hctx, 1) < 0) {
2748 EVP_CIPHER_CTX_cleanup(&ctx); 2748 EVP_CIPHER_CTX_cleanup(&ctx);
2749 goto err; 2749 goto err;
2750 } 2750 }
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index dce72d8c25..2d6a0e757d 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.109 2017/01/23 01:22:08 jsing Exp $ */ 1/* $OpenBSD: ssl.h,v 1.110 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -712,42 +712,8 @@ struct ssl_ctx_st {
712 * life easier to set things up */ 712 * life easier to set things up */
713 long session_timeout; 713 long session_timeout;
714 714
715 /* If this callback is not null, it will be called each
716 * time a session id is added to the cache. If this function
717 * returns 1, it means that the callback will do a
718 * SSL_SESSION_free() when it has finished using it. Otherwise,
719 * on 0, it means the callback has finished with it.
720 * If remove_session_cb is not null, it will be called when
721 * a session-id is removed from the cache. After the call,
722 * OpenSSL will SSL_SESSION_free() it. */
723 int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess);
724 void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
725 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
726 unsigned char *data, int len, int *copy);
727
728 int references; 715 int references;
729 716
730 /* if defined, these override the X509_verify_cert() calls */
731 int (*app_verify_callback)(X509_STORE_CTX *, void *);
732 void *app_verify_arg;
733
734 /* Default password callback. */
735 pem_password_cb *default_passwd_callback;
736
737 /* Default password callback user data. */
738 void *default_passwd_callback_userdata;
739
740 /* get client cert callback */
741 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
742
743 /* cookie generate callback */
744 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
745 unsigned int *cookie_len);
746
747 /* verify cookie callback */
748 int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
749 unsigned int cookie_len);
750
751 CRYPTO_EX_DATA ex_data; 717 CRYPTO_EX_DATA ex_data;
752 718
753 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ 719 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
@@ -757,12 +723,9 @@ struct ssl_ctx_st {
757 723
758 /* Default values used when no per-SSL value is defined follow */ 724 /* Default values used when no per-SSL value is defined follow */
759 725
760 void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
761
762 /* what we put in client cert requests */ 726 /* what we put in client cert requests */
763 STACK_OF(X509_NAME) *client_CA; 727 STACK_OF(X509_NAME) *client_CA;
764 728
765
766 /* Default values to use in SSL structures follow (these are copied by SSL_new) */ 729 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
767 730
768 unsigned long options; 731 unsigned long options;
@@ -772,18 +735,9 @@ struct ssl_ctx_st {
772 struct cert_st /* CERT */ *cert; 735 struct cert_st /* CERT */ *cert;
773 int read_ahead; 736 int read_ahead;
774 737
775 /* callback that allows applications to peek at protocol messages */
776 void (*msg_callback)(int write_p, int version, int content_type,
777 const void *buf, size_t len, SSL *ssl, void *arg);
778 void *msg_callback_arg;
779
780 int verify_mode; 738 int verify_mode;
781 unsigned int sid_ctx_length; 739 unsigned int sid_ctx_length;
782 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 740 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
783 int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
784
785 /* Default generate session ID callback. */
786 GEN_SESSION_CB generate_session_id;
787 741
788 X509_VERIFY_PARAM *param; 742 X509_VERIFY_PARAM *param;
789 743
@@ -801,21 +755,10 @@ struct ssl_ctx_st {
801 ENGINE *client_cert_engine; 755 ENGINE *client_cert_engine;
802#endif 756#endif
803 757
804 /* TLS extensions servername callback */
805 int (*tlsext_servername_callback)(SSL*, int *, void *);
806 void *tlsext_servername_arg;
807 /* RFC 4507 session ticket keys */ 758 /* RFC 4507 session ticket keys */
808 unsigned char tlsext_tick_key_name[16]; 759 unsigned char tlsext_tick_key_name[16];
809 unsigned char tlsext_tick_hmac_key[16]; 760 unsigned char tlsext_tick_hmac_key[16];
810 unsigned char tlsext_tick_aes_key[16]; 761 unsigned char tlsext_tick_aes_key[16];
811 /* Callback to support customisation of ticket key setting */
812 int (*tlsext_ticket_key_cb)(SSL *ssl, unsigned char *name,
813 unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
814
815 /* certificate status request info */
816 /* Callback for status request */
817 int (*tlsext_status_cb)(SSL *ssl, void *arg);
818 void *tlsext_status_arg;
819 762
820 /* SRTP profiles we are willing to do from RFC 5764 */ 763 /* SRTP profiles we are willing to do from RFC 5764 */
821 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 764 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index d520a6d249..603deb4218 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.54 2017/01/22 09:02:07 jsing Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.55 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -443,8 +443,9 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
443 if (s->verify_callback) 443 if (s->verify_callback)
444 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); 444 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
445 445
446 if (s->ctx->app_verify_callback != NULL) 446 if (s->ctx->internal->app_verify_callback != NULL)
447 ret = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); 447 ret = s->ctx->internal->app_verify_callback(&ctx,
448 s->ctx->internal->app_verify_arg);
448 else 449 else
449 ret = X509_verify_cert(&ctx); 450 ret = X509_verify_cert(&ctx);
450 451
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 1e529e85de..6e3e042fe6 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.131 2017/01/23 01:22:08 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.132 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -307,14 +307,14 @@ SSL_new(SSL_CTX *ctx)
307 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ 307 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
308 308
309 s->read_ahead = ctx->read_ahead; 309 s->read_ahead = ctx->read_ahead;
310 s->msg_callback = ctx->msg_callback; 310 s->msg_callback = ctx->internal->msg_callback;
311 s->msg_callback_arg = ctx->msg_callback_arg; 311 s->msg_callback_arg = ctx->internal->msg_callback_arg;
312 s->verify_mode = ctx->verify_mode; 312 s->verify_mode = ctx->verify_mode;
313 s->sid_ctx_length = ctx->sid_ctx_length; 313 s->sid_ctx_length = ctx->sid_ctx_length;
314 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); 314 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
315 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); 315 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
316 s->verify_callback = ctx->default_verify_callback; 316 s->verify_callback = ctx->internal->default_verify_callback;
317 s->generate_session_id = ctx->generate_session_id; 317 s->generate_session_id = ctx->internal->generate_session_id;
318 318
319 s->param = X509_VERIFY_PARAM_new(); 319 s->param = X509_VERIFY_PARAM_new();
320 if (!s->param) 320 if (!s->param)
@@ -406,7 +406,7 @@ int
406SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) 406SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
407{ 407{
408 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 408 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
409 ctx->generate_session_id = cb; 409 ctx->internal->generate_session_id = cb;
410 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 410 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
411 return (1); 411 return (1);
412} 412}
@@ -758,7 +758,7 @@ SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
758 758
759int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) 759int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *)
760{ 760{
761 return (ctx->default_verify_callback); 761 return (ctx->internal->default_verify_callback);
762} 762}
763 763
764void 764void
@@ -1131,7 +1131,7 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1131 return (l); 1131 return (l);
1132 1132
1133 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 1133 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1134 ctx->msg_callback_arg = parg; 1134 ctx->internal->msg_callback_arg = parg;
1135 return (1); 1135 return (1);
1136 1136
1137 case SSL_CTRL_GET_MAX_CERT_LIST: 1137 case SSL_CTRL_GET_MAX_CERT_LIST:
@@ -1201,7 +1201,7 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1201{ 1201{
1202 switch (cmd) { 1202 switch (cmd) {
1203 case SSL_CTRL_SET_MSG_CALLBACK: 1203 case SSL_CTRL_SET_MSG_CALLBACK:
1204 ctx->msg_callback = (void (*)(int write_p, int version, 1204 ctx->internal->msg_callback = (void (*)(int write_p, int version,
1205 int content_type, const void *buf, size_t len, SSL *ssl, 1205 int content_type, const void *buf, size_t len, SSL *ssl,
1206 void *arg))(fp); 1206 void *arg))(fp);
1207 return (1); 1207 return (1);
@@ -1831,36 +1831,36 @@ SSL_CTX_new(const SSL_METHOD *meth)
1831 /* We take the system default */ 1831 /* We take the system default */
1832 ret->session_timeout = meth->get_timeout(); 1832 ret->session_timeout = meth->get_timeout();
1833 1833
1834 ret->new_session_cb = 0; 1834 ret->internal->new_session_cb = 0;
1835 ret->remove_session_cb = 0; 1835 ret->internal->remove_session_cb = 0;
1836 ret->get_session_cb = 0; 1836 ret->internal->get_session_cb = 0;
1837 ret->generate_session_id = 0; 1837 ret->internal->generate_session_id = 0;
1838 1838
1839 memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats)); 1839 memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats));
1840 1840
1841 ret->references = 1; 1841 ret->references = 1;
1842 ret->quiet_shutdown = 0; 1842 ret->quiet_shutdown = 0;
1843 1843
1844 ret->info_callback = NULL; 1844 ret->internal->info_callback = NULL;
1845 1845
1846 ret->app_verify_callback = 0; 1846 ret->internal->app_verify_callback = 0;
1847 ret->app_verify_arg = NULL; 1847 ret->internal->app_verify_arg = NULL;
1848 1848
1849 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; 1849 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
1850 ret->read_ahead = 0; 1850 ret->read_ahead = 0;
1851 ret->msg_callback = 0; 1851 ret->internal->msg_callback = 0;
1852 ret->msg_callback_arg = NULL; 1852 ret->internal->msg_callback_arg = NULL;
1853 ret->verify_mode = SSL_VERIFY_NONE; 1853 ret->verify_mode = SSL_VERIFY_NONE;
1854 ret->sid_ctx_length = 0; 1854 ret->sid_ctx_length = 0;
1855 ret->default_verify_callback = NULL; 1855 ret->internal->default_verify_callback = NULL;
1856 if ((ret->cert = ssl_cert_new()) == NULL) 1856 if ((ret->cert = ssl_cert_new()) == NULL)
1857 goto err; 1857 goto err;
1858 1858
1859 ret->default_passwd_callback = 0; 1859 ret->internal->default_passwd_callback = 0;
1860 ret->default_passwd_callback_userdata = NULL; 1860 ret->internal->default_passwd_callback_userdata = NULL;
1861 ret->client_cert_cb = 0; 1861 ret->internal->client_cert_cb = 0;
1862 ret->app_gen_cookie_cb = 0; 1862 ret->internal->app_gen_cookie_cb = 0;
1863 ret->app_verify_cookie_cb = 0; 1863 ret->internal->app_verify_cookie_cb = 0;
1864 1864
1865 ret->sessions = lh_SSL_SESSION_new(); 1865 ret->sessions = lh_SSL_SESSION_new();
1866 if (ret->sessions == NULL) 1866 if (ret->sessions == NULL)
@@ -1901,16 +1901,16 @@ SSL_CTX_new(const SSL_METHOD *meth)
1901 1901
1902 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1902 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1903 1903
1904 ret->tlsext_servername_callback = 0; 1904 ret->internal->tlsext_servername_callback = 0;
1905 ret->tlsext_servername_arg = NULL; 1905 ret->internal->tlsext_servername_arg = NULL;
1906 1906
1907 /* Setup RFC4507 ticket keys */ 1907 /* Setup RFC4507 ticket keys */
1908 arc4random_buf(ret->tlsext_tick_key_name, 16); 1908 arc4random_buf(ret->tlsext_tick_key_name, 16);
1909 arc4random_buf(ret->tlsext_tick_hmac_key, 16); 1909 arc4random_buf(ret->tlsext_tick_hmac_key, 16);
1910 arc4random_buf(ret->tlsext_tick_aes_key, 16); 1910 arc4random_buf(ret->tlsext_tick_aes_key, 16);
1911 1911
1912 ret->tlsext_status_cb = 0; 1912 ret->internal->tlsext_status_cb = 0;
1913 ret->tlsext_status_arg = NULL; 1913 ret->internal->tlsext_status_arg = NULL;
1914 1914
1915 ret->internal->next_protos_advertised_cb = 0; 1915 ret->internal->next_protos_advertised_cb = 0;
1916 ret->internal->next_proto_select_cb = 0; 1916 ret->internal->next_proto_select_cb = 0;
@@ -2012,28 +2012,28 @@ SSL_CTX_free(SSL_CTX *a)
2012void 2012void
2013SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) 2013SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
2014{ 2014{
2015 ctx->default_passwd_callback = cb; 2015 ctx->internal->default_passwd_callback = cb;
2016} 2016}
2017 2017
2018void 2018void
2019SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) 2019SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
2020{ 2020{
2021 ctx->default_passwd_callback_userdata = u; 2021 ctx->internal->default_passwd_callback_userdata = u;
2022} 2022}
2023 2023
2024void 2024void
2025SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, 2025SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,
2026 void *), void *arg) 2026 void *), void *arg)
2027{ 2027{
2028 ctx->app_verify_callback = cb; 2028 ctx->internal->app_verify_callback = cb;
2029 ctx->app_verify_arg = arg; 2029 ctx->internal->app_verify_arg = arg;
2030} 2030}
2031 2031
2032void 2032void
2033SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *)) 2033SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *))
2034{ 2034{
2035 ctx->verify_mode = mode; 2035 ctx->verify_mode = mode;
2036 ctx->default_verify_callback = cb; 2036 ctx->internal->default_verify_callback = cb;
2037} 2037}
2038 2038
2039void 2039void
@@ -2275,9 +2275,9 @@ ssl_update_cache(SSL *s, int mode)
2275 i = s->session_ctx->session_cache_mode; 2275 i = s->session_ctx->session_cache_mode;
2276 if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) 2276 if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
2277 || SSL_CTX_add_session(s->session_ctx, s->session)) 2277 || SSL_CTX_add_session(s->session_ctx, s->session))
2278 && (s->session_ctx->new_session_cb != NULL)) { 2278 && (s->session_ctx->internal->new_session_cb != NULL)) {
2279 CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); 2279 CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION);
2280 if (!s->session_ctx->new_session_cb(s, s->session)) 2280 if (!s->session_ctx->internal->new_session_cb(s, s->session))
2281 SSL_SESSION_free(s->session); 2281 SSL_SESSION_free(s->session);
2282 } 2282 }
2283 2283
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 2eace2567d..4d8659a493 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.153 2017/01/23 01:22:08 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.154 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -392,6 +392,65 @@ typedef struct ssl_ctx_internal_st {
392 uint16_t min_version; 392 uint16_t min_version;
393 uint16_t max_version; 393 uint16_t max_version;
394 394
395 /* If this callback is not null, it will be called each
396 * time a session id is added to the cache. If this function
397 * returns 1, it means that the callback will do a
398 * SSL_SESSION_free() when it has finished using it. Otherwise,
399 * on 0, it means the callback has finished with it.
400 * If remove_session_cb is not null, it will be called when
401 * a session-id is removed from the cache. After the call,
402 * OpenSSL will SSL_SESSION_free() it. */
403 int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess);
404 void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
405 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
406 unsigned char *data, int len, int *copy);
407
408 /* if defined, these override the X509_verify_cert() calls */
409 int (*app_verify_callback)(X509_STORE_CTX *, void *);
410 void *app_verify_arg;
411
412 /* Default password callback. */
413 pem_password_cb *default_passwd_callback;
414
415 /* Default password callback user data. */
416 void *default_passwd_callback_userdata;
417
418 /* get client cert callback */
419 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
420
421 /* cookie generate callback */
422 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
423 unsigned int *cookie_len);
424
425 /* verify cookie callback */
426 int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
427 unsigned int cookie_len);
428
429 void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
430
431 /* callback that allows applications to peek at protocol messages */
432 void (*msg_callback)(int write_p, int version, int content_type,
433 const void *buf, size_t len, SSL *ssl, void *arg);
434 void *msg_callback_arg;
435
436 int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
437
438 /* Default generate session ID callback. */
439 GEN_SESSION_CB generate_session_id;
440
441 /* TLS extensions servername callback */
442 int (*tlsext_servername_callback)(SSL*, int *, void *);
443 void *tlsext_servername_arg;
444
445 /* Callback to support customisation of ticket key setting */
446 int (*tlsext_ticket_key_cb)(SSL *ssl, unsigned char *name,
447 unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
448
449 /* certificate status request info */
450 /* Callback for status request */
451 int (*tlsext_status_cb)(SSL *ssl, void *arg);
452 void *tlsext_status_arg;
453
395 struct { 454 struct {
396 int sess_connect; /* SSL new conn - started */ 455 int sess_connect; /* SSL new conn - started */
397 int sess_connect_renegotiate;/* SSL reneg - requested */ 456 int sess_connect_renegotiate;/* SSL reneg - requested */
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 7481524942..647cc4bfd8 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_rsa.c,v 1.21 2016/03/11 07:08:45 mmcc Exp $ */ 1/* $OpenBSD: ssl_rsa.c,v 1.22 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -108,8 +108,8 @@ SSL_use_certificate_file(SSL *ssl, const char *file, int type)
108 } else if (type == SSL_FILETYPE_PEM) { 108 } else if (type == SSL_FILETYPE_PEM) {
109 j = ERR_R_PEM_LIB; 109 j = ERR_R_PEM_LIB;
110 x = PEM_read_bio_X509(in, NULL, 110 x = PEM_read_bio_X509(in, NULL,
111 ssl->ctx->default_passwd_callback, 111 ssl->ctx->internal->default_passwd_callback,
112 ssl->ctx->default_passwd_callback_userdata); 112 ssl->ctx->internal->default_passwd_callback_userdata);
113 } else { 113 } else {
114 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 114 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
115 goto end; 115 goto end;
@@ -236,8 +236,8 @@ SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
236 } else if (type == SSL_FILETYPE_PEM) { 236 } else if (type == SSL_FILETYPE_PEM) {
237 j = ERR_R_PEM_LIB; 237 j = ERR_R_PEM_LIB;
238 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 238 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
239 ssl->ctx->default_passwd_callback, 239 ssl->ctx->internal->default_passwd_callback,
240 ssl->ctx->default_passwd_callback_userdata); 240 ssl->ctx->internal->default_passwd_callback_userdata);
241 } else { 241 } else {
242 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 242 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
243 goto end; 243 goto end;
@@ -308,8 +308,8 @@ SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
308 if (type == SSL_FILETYPE_PEM) { 308 if (type == SSL_FILETYPE_PEM) {
309 j = ERR_R_PEM_LIB; 309 j = ERR_R_PEM_LIB;
310 pkey = PEM_read_bio_PrivateKey(in, NULL, 310 pkey = PEM_read_bio_PrivateKey(in, NULL,
311 ssl->ctx->default_passwd_callback, 311 ssl->ctx->internal->default_passwd_callback,
312 ssl->ctx->default_passwd_callback_userdata); 312 ssl->ctx->internal->default_passwd_callback_userdata);
313 } else if (type == SSL_FILETYPE_ASN1) { 313 } else if (type == SSL_FILETYPE_ASN1) {
314 j = ERR_R_ASN1_LIB; 314 j = ERR_R_ASN1_LIB;
315 pkey = d2i_PrivateKey_bio(in, NULL); 315 pkey = d2i_PrivateKey_bio(in, NULL);
@@ -440,8 +440,8 @@ SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
440 x = d2i_X509_bio(in, NULL); 440 x = d2i_X509_bio(in, NULL);
441 } else if (type == SSL_FILETYPE_PEM) { 441 } else if (type == SSL_FILETYPE_PEM) {
442 j = ERR_R_PEM_LIB; 442 j = ERR_R_PEM_LIB;
443 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, 443 x = PEM_read_bio_X509(in, NULL, ctx->internal->default_passwd_callback,
444 ctx->default_passwd_callback_userdata); 444 ctx->internal->default_passwd_callback_userdata);
445 } else { 445 } else {
446 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 446 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
447 goto end; 447 goto end;
@@ -526,8 +526,8 @@ SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
526 } else if (type == SSL_FILETYPE_PEM) { 526 } else if (type == SSL_FILETYPE_PEM) {
527 j = ERR_R_PEM_LIB; 527 j = ERR_R_PEM_LIB;
528 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 528 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
529 ctx->default_passwd_callback, 529 ctx->internal->default_passwd_callback,
530 ctx->default_passwd_callback_userdata); 530 ctx->internal->default_passwd_callback_userdata);
531 } else { 531 } else {
532 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 532 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
533 goto end; 533 goto end;
@@ -596,8 +596,8 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
596 if (type == SSL_FILETYPE_PEM) { 596 if (type == SSL_FILETYPE_PEM) {
597 j = ERR_R_PEM_LIB; 597 j = ERR_R_PEM_LIB;
598 pkey = PEM_read_bio_PrivateKey(in, NULL, 598 pkey = PEM_read_bio_PrivateKey(in, NULL,
599 ctx->default_passwd_callback, 599 ctx->internal->default_passwd_callback,
600 ctx->default_passwd_callback_userdata); 600 ctx->internal->default_passwd_callback_userdata);
601 } else if (type == SSL_FILETYPE_ASN1) { 601 } else if (type == SSL_FILETYPE_ASN1) {
602 j = ERR_R_ASN1_LIB; 602 j = ERR_R_ASN1_LIB;
603 pkey = d2i_PrivateKey_bio(in, NULL); 603 pkey = d2i_PrivateKey_bio(in, NULL);
@@ -650,8 +650,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
650 650
651 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ 651 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
652 652
653 x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, 653 x = PEM_read_bio_X509_AUX(in, NULL, ctx->internal->default_passwd_callback,
654 ctx->default_passwd_callback_userdata); 654 ctx->internal->default_passwd_callback_userdata);
655 if (x == NULL) { 655 if (x == NULL) {
656 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); 656 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
657 goto end; 657 goto end;
@@ -677,8 +677,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
677 } 677 }
678 678
679 while ((ca = PEM_read_bio_X509(in, NULL, 679 while ((ca = PEM_read_bio_X509(in, NULL,
680 ctx->default_passwd_callback, 680 ctx->internal->default_passwd_callback,
681 ctx->default_passwd_callback_userdata)) != NULL) { 681 ctx->internal->default_passwd_callback_userdata)) != NULL) {
682 r = SSL_CTX_add_extra_chain_cert(ctx, ca); 682 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
683 if (!r) { 683 if (!r) {
684 X509_free(ca); 684 X509_free(ca);
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 2520843cc0..8700e851c6 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sess.c,v 1.57 2017/01/23 01:22:08 jsing Exp $ */ 1/* $OpenBSD: ssl_sess.c,v 1.58 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -328,8 +328,8 @@ ssl_get_new_session(SSL *s, int session)
328 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 328 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
329 if (s->generate_session_id) 329 if (s->generate_session_id)
330 cb = s->generate_session_id; 330 cb = s->generate_session_id;
331 else if (s->session_ctx->generate_session_id) 331 else if (s->session_ctx->internal->generate_session_id)
332 cb = s->session_ctx->generate_session_id; 332 cb = s->session_ctx->internal->generate_session_id;
333 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 333 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
334 334
335 /* Choose a session ID. */ 335 /* Choose a session ID. */
@@ -470,11 +470,11 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
470 } 470 }
471 471
472 if (try_session_cache && ret == NULL && 472 if (try_session_cache && ret == NULL &&
473 s->session_ctx->get_session_cb != NULL) { 473 s->session_ctx->internal->get_session_cb != NULL) {
474 int copy = 1; 474 int copy = 1;
475 475
476 if ((ret = s->session_ctx->get_session_cb(s, session_id, 476 if ((ret = s->session_ctx->internal->get_session_cb(s,
477 len, &copy))) { 477 session_id, len, &copy))) {
478 s->session_ctx->internal->stats.sess_cb_hit++; 478 s->session_ctx->internal->stats.sess_cb_hit++;
479 479
480 /* 480 /*
@@ -674,8 +674,8 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
674 674
675 if (ret) { 675 if (ret) {
676 r->internal->not_resumable = 1; 676 r->internal->not_resumable = 1;
677 if (ctx->remove_session_cb != NULL) 677 if (ctx->internal->remove_session_cb != NULL)
678 ctx->remove_session_cb(ctx, r); 678 ctx->internal->remove_session_cb(ctx, r);
679 SSL_SESSION_free(r); 679 SSL_SESSION_free(r);
680 } 680 }
681 } else 681 } else
@@ -911,8 +911,8 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
911 (void)lh_SSL_SESSION_delete(p->cache, s); 911 (void)lh_SSL_SESSION_delete(p->cache, s);
912 SSL_SESSION_list_remove(p->ctx, s); 912 SSL_SESSION_list_remove(p->ctx, s);
913 s->internal->not_resumable = 1; 913 s->internal->not_resumable = 1;
914 if (p->ctx->remove_session_cb != NULL) 914 if (p->ctx->internal->remove_session_cb != NULL)
915 p->ctx->remove_session_cb(p->ctx, s); 915 p->ctx->internal->remove_session_cb(p->ctx, s);
916 SSL_SESSION_free(s); 916 SSL_SESSION_free(s);
917 } 917 }
918} 918}
@@ -1013,67 +1013,67 @@ SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
1013void 1013void
1014SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, 1014SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
1015 int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess)) { 1015 int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess)) {
1016 ctx->new_session_cb = cb; 1016 ctx->internal->new_session_cb = cb;
1017} 1017}
1018 1018
1019int 1019int
1020(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess) 1020(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
1021{ 1021{
1022 return ctx->new_session_cb; 1022 return ctx->internal->new_session_cb;
1023} 1023}
1024 1024
1025void 1025void
1026SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, 1026SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
1027 void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess)) 1027 void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess))
1028{ 1028{
1029 ctx->remove_session_cb = cb; 1029 ctx->internal->remove_session_cb = cb;
1030} 1030}
1031 1031
1032void 1032void
1033(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess) 1033(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess)
1034{ 1034{
1035 return ctx->remove_session_cb; 1035 return ctx->internal->remove_session_cb;
1036} 1036}
1037 1037
1038void 1038void
1039SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl, 1039SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl,
1040 unsigned char *data, int len, int *copy)) 1040 unsigned char *data, int len, int *copy))
1041{ 1041{
1042 ctx->get_session_cb = cb; 1042 ctx->internal->get_session_cb = cb;
1043} 1043}
1044 1044
1045SSL_SESSION * 1045SSL_SESSION *
1046(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, 1046(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data,
1047 int len, int *copy) 1047 int len, int *copy)
1048{ 1048{
1049 return ctx->get_session_cb; 1049 return ctx->internal->get_session_cb;
1050} 1050}
1051 1051
1052void 1052void
1053SSL_CTX_set_info_callback(SSL_CTX *ctx, 1053SSL_CTX_set_info_callback(SSL_CTX *ctx,
1054 void (*cb)(const SSL *ssl, int type, int val)) 1054 void (*cb)(const SSL *ssl, int type, int val))
1055{ 1055{
1056 ctx->info_callback = cb; 1056 ctx->internal->info_callback = cb;
1057} 1057}
1058 1058
1059void 1059void
1060(*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val) 1060(*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val)
1061{ 1061{
1062 return ctx->info_callback; 1062 return ctx->internal->info_callback;
1063} 1063}
1064 1064
1065void 1065void
1066SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, 1066SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
1067 int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)) 1067 int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
1068{ 1068{
1069 ctx->client_cert_cb = cb; 1069 ctx->internal->client_cert_cb = cb;
1070} 1070}
1071 1071
1072int 1072int
1073(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509, 1073(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509,
1074 EVP_PKEY **pkey) 1074 EVP_PKEY **pkey)
1075{ 1075{
1076 return ctx->client_cert_cb; 1076 return ctx->internal->client_cert_cb;
1077} 1077}
1078 1078
1079#ifndef OPENSSL_NO_ENGINE 1079#ifndef OPENSSL_NO_ENGINE
@@ -1100,14 +1100,14 @@ void
1100SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, 1100SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
1101 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) 1101 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
1102{ 1102{
1103 ctx->app_gen_cookie_cb = cb; 1103 ctx->internal->app_gen_cookie_cb = cb;
1104} 1104}
1105 1105
1106void 1106void
1107SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, 1107SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
1108 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) 1108 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
1109{ 1109{
1110 ctx->app_verify_cookie_cb = cb; 1110 ctx->internal->app_verify_cookie_cb = cb;
1111} 1111}
1112 1112
1113int 1113int
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index d1d20b6bda..08818f4870 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.99 2017/01/22 09:02:07 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.100 2017/01/23 04:15:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1859,10 +1859,12 @@ ssl_check_clienthello_tlsext_early(SSL *s)
1859 * ssl3_choose_cipher in s3_lib.c. 1859 * ssl3_choose_cipher in s3_lib.c.
1860 */ 1860 */
1861 1861
1862 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1862 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
1863 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1863 ret = s->ctx->internal->tlsext_servername_callback(s, &al,
1864 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1864 s->ctx->internal->tlsext_servername_arg);
1865 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1865 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
1866 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
1867 s->initial_ctx->internal->tlsext_servername_arg);
1866 1868
1867 switch (ret) { 1869 switch (ret) {
1868 case SSL_TLSEXT_ERR_ALERT_FATAL: 1870 case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1890,7 +1892,7 @@ ssl_check_clienthello_tlsext_late(SSL *s)
1890 * has been chosen because this may influence which certificate is sent 1892 * has been chosen because this may influence which certificate is sent
1891 */ 1893 */
1892 if ((s->tlsext_status_type != -1) && 1894 if ((s->tlsext_status_type != -1) &&
1893 s->ctx && s->ctx->tlsext_status_cb) { 1895 s->ctx && s->ctx->internal->tlsext_status_cb) {
1894 int r; 1896 int r;
1895 CERT_PKEY *certpkey; 1897 CERT_PKEY *certpkey;
1896 certpkey = ssl_get_server_send_pkey(s); 1898 certpkey = ssl_get_server_send_pkey(s);
@@ -1903,7 +1905,8 @@ ssl_check_clienthello_tlsext_late(SSL *s)
1903 * SSL_get_certificate et al can pick it up. 1905 * SSL_get_certificate et al can pick it up.
1904 */ 1906 */
1905 s->cert->key = certpkey; 1907 s->cert->key = certpkey;
1906 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1908 r = s->ctx->internal->tlsext_status_cb(s,
1909 s->ctx->internal->tlsext_status_arg);
1907 switch (r) { 1910 switch (r) {
1908 /* We don't want to send a status request response */ 1911 /* We don't want to send a status request response */
1909 case SSL_TLSEXT_ERR_NOACK: 1912 case SSL_TLSEXT_ERR_NOACK:
@@ -1973,16 +1976,18 @@ ssl_check_serverhello_tlsext(SSL *s)
1973 } 1976 }
1974 ret = SSL_TLSEXT_ERR_OK; 1977 ret = SSL_TLSEXT_ERR_OK;
1975 1978
1976 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1979 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
1977 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1980 ret = s->ctx->internal->tlsext_servername_callback(s, &al,
1978 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1981 s->ctx->internal->tlsext_servername_arg);
1979 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1982 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
1983 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
1984 s->initial_ctx->internal->tlsext_servername_arg);
1980 1985
1981 /* If we've requested certificate status and we wont get one 1986 /* If we've requested certificate status and we wont get one
1982 * tell the callback 1987 * tell the callback
1983 */ 1988 */
1984 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1989 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
1985 s->ctx && s->ctx->tlsext_status_cb) { 1990 s->ctx && s->ctx->internal->tlsext_status_cb) {
1986 int r; 1991 int r;
1987 /* Set resp to NULL, resplen to -1 so callback knows 1992 /* Set resp to NULL, resplen to -1 so callback knows
1988 * there is no response. 1993 * there is no response.
@@ -1990,7 +1995,8 @@ ssl_check_serverhello_tlsext(SSL *s)
1990 free(s->tlsext_ocsp_resp); 1995 free(s->tlsext_ocsp_resp);
1991 s->tlsext_ocsp_resp = NULL; 1996 s->tlsext_ocsp_resp = NULL;
1992 s->tlsext_ocsp_resplen = -1; 1997 s->tlsext_ocsp_resplen = -1;
1993 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1998 r = s->ctx->internal->tlsext_status_cb(s,
1999 s->ctx->internal->tlsext_status_arg);
1994 if (r == 0) { 2000 if (r == 0) {
1995 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2001 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1996 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2002 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -2182,10 +2188,10 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2182 /* Initialize session ticket encryption and HMAC contexts */ 2188 /* Initialize session ticket encryption and HMAC contexts */
2183 HMAC_CTX_init(&hctx); 2189 HMAC_CTX_init(&hctx);
2184 EVP_CIPHER_CTX_init(&ctx); 2190 EVP_CIPHER_CTX_init(&ctx);
2185 if (tctx->tlsext_ticket_key_cb) { 2191 if (tctx->internal->tlsext_ticket_key_cb) {
2186 unsigned char *nctick = (unsigned char *)etick; 2192 unsigned char *nctick = (unsigned char *)etick;
2187 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2193 int rv = tctx->internal->tlsext_ticket_key_cb(s,
2188 &ctx, &hctx, 0); 2194 nctick, nctick + 16, &ctx, &hctx, 0);
2189 if (rv < 0) { 2195 if (rv < 0) {
2190 HMAC_CTX_cleanup(&hctx); 2196 HMAC_CTX_cleanup(&hctx);
2191 EVP_CIPHER_CTX_cleanup(&ctx); 2197 EVP_CIPHER_CTX_cleanup(&ctx);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 03:11:29 +0000