From 0f157a9ac8d269cb234cff4f5cd07800027490ff Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 23 Jan 2017 04:15:28 +0000 Subject: Move callback function pointers and argument pointers from SSL_CTX to internal. ok beck@ --- src/lib/libssl/d1_clnt.c | 6 ++-- src/lib/libssl/d1_pkt.c | 10 +++---- src/lib/libssl/d1_srvr.c | 12 ++++---- src/lib/libssl/s23_clnt.c | 10 +++---- src/lib/libssl/s23_srvr.c | 6 ++-- src/lib/libssl/s3_clnt.c | 15 +++++----- src/lib/libssl/s3_lib.c | 12 ++++---- src/lib/libssl/s3_pkt.c | 10 +++---- src/lib/libssl/s3_srvr.c | 16 +++++------ src/lib/libssl/ssl.h | 59 +-------------------------------------- src/lib/libssl/ssl_cert.c | 7 +++-- src/lib/libssl/ssl_lib.c | 70 +++++++++++++++++++++++------------------------ src/lib/libssl/ssl_locl.h | 61 ++++++++++++++++++++++++++++++++++++++++- src/lib/libssl/ssl_rsa.c | 34 +++++++++++------------ src/lib/libssl/ssl_sess.c | 44 ++++++++++++++--------------- src/lib/libssl/t1_lib.c | 38 ++++++++++++++----------- 16 files changed, 210 insertions(+), 200 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 71cd845ac6..127cda155c 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.63 2017/01/23 00:12:54 jsing Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.64 2017/01/23 04:15:28 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -190,8 +190,8 @@ dtls1_connect(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 315960b587..ef9bcaa786 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.51 2017/01/22 09:02:07 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.52 2017/01/23 04:15:28 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -928,8 +928,8 @@ start: if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; if (cb != NULL) { j = (alert_level << 8) | alert_descr; @@ -1428,8 +1428,8 @@ dtls1_dispatch_alert(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; if (cb != NULL) { j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 7cb1fdf3de..28a4442445 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.73 2017/01/23 00:12:54 jsing Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.74 2017/01/23 04:15:28 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -190,8 +190,8 @@ dtls1_accept(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; listen = D1I(s)->listen; 
@@ -704,9 +704,9 @@ dtls1_send_hello_verify_request(SSL *s) *(p++) = s->version >> 8; *(p++) = s->version & 0xFF; - if (s->ctx->app_gen_cookie_cb == NULL || - s->ctx->app_gen_cookie_cb(s, D1I(s)->cookie, - &(D1I(s)->cookie_len)) == 0) { + if (s->ctx->internal->app_gen_cookie_cb == NULL || + s->ctx->internal->app_gen_cookie_cb(s, + D1I(s)->cookie, &(D1I(s)->cookie_len)) == 0) { SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR); return 0; diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index a7ad53fd98..56c1d53707 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_clnt.c,v 1.50 2017/01/23 00:12:54 jsing Exp $ */ +/* $OpenBSD: s23_clnt.c,v 1.51 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -132,8 +132,8 @@ ssl23_connect(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) @@ -396,8 +396,8 @@ ssl23_get_server_hello(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; i = p[5]; if (cb != NULL) { diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index e4cb633d06..88ff9bb9a8 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_srvr.c,v 1.51 2017/01/23 00:12:54 jsing Exp $ */ +/* $OpenBSD: s23_srvr.c,v 1.52 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
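Review bot: The failure path in dtls1_send_hello_verify_request raises ERR_R_INTERNAL_ERROR for two different conditions — no cookie-generation callback configured at all, and a configured callback returning 0 — so a server misconfiguration is indistinguishable from a callback failure in the error stack. The callback is also handed `D1I(s)->cookie` and `&(D1I(s)->cookie_len)` but not the capacity of the cookie array, so nothing in this hunk stops a callback from writing past it; any bound is enforced by the callback alone. A comment on the call, `/* app_gen_cookie_cb gets no capacity: it must not write more than sizeof(D1I(s)->cookie) bytes */`, would make that contract visible where the pointer is handed out. dtls1_send_hello_verify_request starts before and continues after this hunk.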
@@ -131,8 +131,8 @@ ssl23_accept(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 2c272032b5..54833ded27 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.164 2017/01/23 01:22:08 jsing Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.165 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -185,8 +185,8 @@ ssl3_connect(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) @@ -1886,9 +1886,10 @@ ssl3_get_cert_status(SSL *s) } s->tlsext_ocsp_resplen = (int)stow_len; - if (s->ctx->tlsext_status_cb) { + if (s->ctx->internal->tlsext_status_cb) { int ret; - ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); + ret = s->ctx->internal->tlsext_status_cb(s, + s->ctx->internal->tlsext_status_arg); if (ret == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; SSLerr(SSL_F_SSL3_GET_CERT_STATUS, @@ -2762,7 +2763,7 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) return (i); } #endif - if (s->ctx->client_cert_cb) - i = s->ctx->client_cert_cb(s, px509, ppkey); + if (s->ctx->internal->client_cert_cb) + i = s->ctx->internal->client_cert_cb(s, px509, ppkey); return (i); } diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index ae2586912c..92f4c49aa8 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.121 2017/01/23 01:22:08 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.122 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2265,7 +2265,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) } break; case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: - ctx->tlsext_servername_arg = parg; + ctx->internal->tlsext_servername_arg = parg; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: @@ -2294,7 +2294,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) } case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: - ctx->tlsext_status_arg = parg; + ctx->internal->tlsext_status_arg = parg; return 1; break; @@ -2346,16 +2346,16 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; break; case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: - ctx->tlsext_servername_callback = + ctx->internal->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: - ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; + ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: - ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, + ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; break; diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 857d35b5a8..a1d0ef9299 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_pkt.c,v 1.61 2017/01/22 09:02:07 jsing Exp $ */ +/* $OpenBSD: s3_pkt.c,v 1.62 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -1115,8 +1115,8 @@ start: if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; if (cb != NULL) { j = (alert_level << 8) | alert_descr; @@ -1397,8 +1397,8 @@ ssl3_dispatch_alert(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; if (cb != NULL) { j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index ebdb10cb91..3f53f27924 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.143 2017/01/23 01:22:08 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.144 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -180,8 +180,8 @@ ssl3_accept(SSL *s) if (s->info_callback != NULL) cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->internal->info_callback != NULL) + cb = s->ctx->internal->info_callback; /* init things to blank */ s->in_handshake++; @@ -870,8 +870,8 @@ ssl3_get_client_hello(SSL *s) cookie_len > 0) { memcpy(D1I(s)->rcvd_cookie, p, cookie_len); - if (s->ctx->app_verify_cookie_cb != NULL) { - if (s->ctx->app_verify_cookie_cb(s, + if (s->ctx->internal->app_verify_cookie_cb != NULL) { + if (s->ctx->internal->app_verify_cookie_cb(s, D1I(s)->rcvd_cookie, cookie_len) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 
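Review bot: `memcpy(D1I(s)->rcvd_cookie, p, cookie_len)` copies a peer-supplied length into a fixed-size array and the only guard visible in this hunk is `cookie_len > 0`; the comparison against sizeof(D1I(s)->rcvd_cookie) is presumably above the hunk, but it is worth confirming since this memcpy and the verify callback both depend on it. When no app_verify_cookie_cb is configured the hunk shows no alternative check, so whether an unverified cookie is accepted is decided by code after the hunk (an `else` comparing against the cookie this server generated, if present). A short comment above the memcpy, `/* cookie_len was bounded against sizeof(rcvd_cookie) above */`, would tie the two checks together for the next reader. ssl3_get_client_hello starts before and continues after this hunk.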
@@ -2742,9 +2742,9 @@ ssl3_send_newsession_ticket(SSL *s) * it does all the work otherwise use generated values * from parent ctx. */ - if (tctx->tlsext_ticket_key_cb) { - if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, - &hctx, 1) < 0) { + if (tctx->internal->tlsext_ticket_key_cb) { + if (tctx->internal->tlsext_ticket_key_cb(s, + key_name, iv, &ctx, &hctx, 1) < 0) { EVP_CIPHER_CTX_cleanup(&ctx); goto err; } diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index dce72d8c25..2d6a0e757d 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.109 2017/01/23 01:22:08 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.110 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
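Review bot: Only a negative return from `tctx->internal->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx, 1)` is treated as failure, so a callback that returns 0 without having set up `ctx` and `hctx` falls through to whatever follows the hunk with those contexts in an unknown state; neither this hunk nor the new ssl_locl.h comment for tlsext_ticket_key_cb says what 0 means on the encrypt (enc == 1) side. Either the contract should be written next to the field ("negative aborts; any other value means name, iv and both contexts are initialised") or the test tightened to `<= 0` if 0 is meant as a failure here too — I cannot tell which from the visible code. ssl3_send_newsession_ticket starts before and continues after this hunk.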
@@ -712,42 +712,8 @@ struct ssl_ctx_st { * life easier to set things up */ long session_timeout; - /* If this callback is not null, it will be called each - * time a session id is added to the cache. If this function - * returns 1, it means that the callback will do a - * SSL_SESSION_free() when it has finished using it. Otherwise, - * on 0, it means the callback has finished with it. - * If remove_session_cb is not null, it will be called when - * a session-id is removed from the cache. After the call, - * OpenSSL will SSL_SESSION_free() it. */ - int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); - void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); - SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, - unsigned char *data, int len, int *copy); - int references; - /* if defined, these override the X509_verify_cert() calls */ - int (*app_verify_callback)(X509_STORE_CTX *, void *); - void *app_verify_arg; - - /* Default password callback. */ - pem_password_cb *default_passwd_callback; - - /* Default password callback user data. */ - void *default_passwd_callback_userdata; - - /* get client cert callback */ - int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); - - /* cookie generate callback */ - int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, - unsigned int *cookie_len); - - /* verify cookie callback */ - int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, - unsigned int cookie_len); - CRYPTO_EX_DATA ex_data; const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ @@ -757,12 +723,9 @@ struct ssl_ctx_st { /* Default values used when no per-SSL value is defined follow */ - void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */ - /* what we put in client cert requests */ STACK_OF(X509_NAME) *client_CA; - /* Default values to use in SSL structures follow (these are copied by SSL_new) */ unsigned long options; 
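Review bot: Deleting these members from the public `struct ssl_ctx_st` changes the offset of every field that follows (ex_data, md5, client_CA, options, cert, ...), so a consumer built against the previous ssl.h that touches the struct directly keeps compiling but reads the wrong fields at runtime; that is only safe if the shared-library major version is bumped with this series, which the commit message does not mention. The ownership rule for new_session_cb (a return of 1 means the callback will SSL_SESSION_free the session itself) leaves the public header with this hunk and now lives only in ssl_locl.h, so the SSL_CTX_sess_set_new_cb man page has to carry it for application authors. The struct definition starts before and continues after this hunk.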
@@ -772,18 +735,9 @@ struct ssl_ctx_st { struct cert_st /* CERT */ *cert; int read_ahead; - /* callback that allows applications to peek at protocol messages */ - void (*msg_callback)(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg); - void *msg_callback_arg; - int verify_mode; unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ - - /* Default generate session ID callback. */ - GEN_SESSION_CB generate_session_id; X509_VERIFY_PARAM *param; @@ -801,21 +755,10 @@ struct ssl_ctx_st { ENGINE *client_cert_engine; #endif - /* TLS extensions servername callback */ - int (*tlsext_servername_callback)(SSL*, int *, void *); - void *tlsext_servername_arg; /* RFC 4507 session ticket keys */ unsigned char tlsext_tick_key_name[16]; unsigned char tlsext_tick_hmac_key[16]; unsigned char tlsext_tick_aes_key[16]; - /* Callback to support customisation of ticket key setting */ - int (*tlsext_ticket_key_cb)(SSL *ssl, unsigned char *name, - unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); - - /* certificate status request info */ - /* Callback for status request */ - int (*tlsext_status_cb)(SSL *ssl, void *arg); - void *tlsext_status_arg; /* SRTP profiles we are willing to do from RFC 5764 */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index d520a6d249..603deb4218 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.54 2017/01/22 09:02:07 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.55 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -443,8 +443,9 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) if (s->verify_callback) X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); - if (s->ctx->app_verify_callback != NULL) - ret = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); + if (s->ctx->internal->app_verify_callback != NULL) + ret = s->ctx->internal->app_verify_callback(&ctx, + s->ctx->internal->app_verify_arg); else ret = X509_verify_cert(&ctx); diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 1e529e85de..6e3e042fe6 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.131 2017/01/23 01:22:08 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.132 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -307,14 +307,14 @@ SSL_new(SSL_CTX *ctx) s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ s->read_ahead = ctx->read_ahead; - s->msg_callback = ctx->msg_callback; - s->msg_callback_arg = ctx->msg_callback_arg; + s->msg_callback = ctx->internal->msg_callback; + s->msg_callback_arg = ctx->internal->msg_callback_arg; s->verify_mode = ctx->verify_mode; s->sid_ctx_length = ctx->sid_ctx_length; OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); - s->verify_callback = ctx->default_verify_callback; - s->generate_session_id = ctx->generate_session_id; + s->verify_callback = ctx->internal->default_verify_callback; + s->generate_session_id = ctx->internal->generate_session_id; s->param = X509_VERIFY_PARAM_new(); if (!s->param) @@ -406,7 +406,7 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - ctx->generate_session_id = cb; + ctx->internal->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); return (1); } 
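Review bot: When `app_verify_callback` is set, `X509_verify_cert(&ctx)` is skipped entirely, which also means the per-SSL `verify_callback` installed on the preceding line via X509_STORE_CTX_set_verify_cb only runs if the application callback itself calls X509_verify_cert; a callback that simply returns 1 accepts any chain. That is the existing contract, but nothing in the hunk says so; I would add above the `if`: `/* An application verify callback replaces X509_verify_cert() entirely and must perform (or delegate) chain validation itself. */`. ssl_verify_cert_chain starts before and continues after this hunk.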
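Review bot: `s->generate_session_id = ctx->internal->generate_session_id;` in SSL_new reads the callback without CRYPTO_LOCK_SSL_CTX, while SSL_CTX_set_generate_session_id in the next hunk writes it under CRYPTO_w_lock and ssl_get_new_session (ssl_sess.c, later in this diff) reads it under CRYPTO_r_lock; the move into `internal` carries that asymmetry over unchanged. If the lock is meant to protect the field, the copy should be `CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); s->generate_session_id = ctx->internal->generate_session_id; CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);`; if it is not, the lock in the setter is misleading and a comment there should say what it actually guards. SSL_new starts before and continues after this hunk.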
@@ -758,7 +758,7 @@ SSL_CTX_get_verify_depth(const SSL_CTX *ctx) int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) { - return (ctx->default_verify_callback); + return (ctx->internal->default_verify_callback); } void @@ -1131,7 +1131,7 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: - ctx->msg_callback_arg = parg; + ctx->internal->msg_callback_arg = parg; return (1); case SSL_CTRL_GET_MAX_CERT_LIST: @@ -1201,7 +1201,7 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - ctx->msg_callback = (void (*)(int write_p, int version, + ctx->internal->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); return (1); 
@@ -1831,36 +1831,36 @@ SSL_CTX_new(const SSL_METHOD *meth) /* We take the system default */ ret->session_timeout = meth->get_timeout(); - ret->new_session_cb = 0; - ret->remove_session_cb = 0; - ret->get_session_cb = 0; - ret->generate_session_id = 0; + ret->internal->new_session_cb = 0; + ret->internal->remove_session_cb = 0; + ret->internal->get_session_cb = 0; + ret->internal->generate_session_id = 0; memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats)); ret->references = 1; ret->quiet_shutdown = 0; - ret->info_callback = NULL; + ret->internal->info_callback = NULL; - ret->app_verify_callback = 0; - ret->app_verify_arg = NULL; + ret->internal->app_verify_callback = 0; + ret->internal->app_verify_arg = NULL; ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; ret->read_ahead = 0; - ret->msg_callback = 0; - ret->msg_callback_arg = NULL; + ret->internal->msg_callback = 0; + ret->internal->msg_callback_arg = NULL; ret->verify_mode = SSL_VERIFY_NONE; ret->sid_ctx_length = 0; - ret->default_verify_callback = NULL; + ret->internal->default_verify_callback = NULL; if ((ret->cert = ssl_cert_new()) == NULL) goto err; - ret->default_passwd_callback = 0; - ret->default_passwd_callback_userdata = NULL; - ret->client_cert_cb = 0; - ret->app_gen_cookie_cb = 0; - ret->app_verify_cookie_cb = 0; + ret->internal->default_passwd_callback = 0; + ret->internal->default_passwd_callback_userdata = NULL; + ret->internal->client_cert_cb = 0; + ret->internal->app_gen_cookie_cb = 0; + ret->internal->app_verify_cookie_cb = 0; ret->sessions = lh_SSL_SESSION_new(); if (ret->sessions == NULL) 
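Review bot: The rewritten initialisers mix `0` and `NULL` for the same kind of field — `ret->internal->new_session_cb = 0;` and `ret->internal->app_verify_callback = 0;` sit next to `ret->internal->info_callback = NULL;` and `ret->internal->app_verify_arg = NULL;` — and a function pointer set to 0 reads as an integer to anyone scanning the function. Since every one of these lines is being touched anyway, use `NULL` throughout, e.g. `ret->internal->new_session_cb = NULL;`. If `ret->internal` is obtained with calloc (its allocation is not visible here), all of these assignments are redundant and could be dropped as a group. SSL_CTX_new starts before and continues after this hunk.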
@@ -1901,16 +1901,16 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - ret->tlsext_servername_callback = 0; - ret->tlsext_servername_arg = NULL; + ret->internal->tlsext_servername_callback = 0; + ret->internal->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ arc4random_buf(ret->tlsext_tick_key_name, 16); arc4random_buf(ret->tlsext_tick_hmac_key, 16); arc4random_buf(ret->tlsext_tick_aes_key, 16); - ret->tlsext_status_cb = 0; - ret->tlsext_status_arg = NULL; + ret->internal->tlsext_status_cb = 0; + ret->internal->tlsext_status_arg = NULL; ret->internal->next_protos_advertised_cb = 0; ret->internal->next_proto_select_cb = 0; @@ -2012,28 +2012,28 @@ SSL_CTX_free(SSL_CTX *a) void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) { - ctx->default_passwd_callback = cb; + ctx->internal->default_passwd_callback = cb; } void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) { - ctx->default_passwd_callback_userdata = u; + ctx->internal->default_passwd_callback_userdata = u; } void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg) { - ctx->app_verify_callback = cb; - ctx->app_verify_arg = arg; + ctx->internal->app_verify_callback = cb; + ctx->internal->app_verify_arg = arg; } void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *)) { ctx->verify_mode = mode; - ctx->default_verify_callback = cb; + ctx->internal->default_verify_callback = cb; } void 
@@ -2275,9 +2275,9 @@ ssl_update_cache(SSL *s, int mode) i = s->session_ctx->session_cache_mode; if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) || SSL_CTX_add_session(s->session_ctx, s->session)) - && (s->session_ctx->new_session_cb != NULL)) { + && (s->session_ctx->internal->new_session_cb != NULL)) { CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (!s->session_ctx->new_session_cb(s, s->session)) + if (!s->session_ctx->internal->new_session_cb(s, s->session)) SSL_SESSION_free(s->session); } diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 2eace2567d..4d8659a493 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.153 2017/01/23 01:22:08 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.154 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -392,6 +392,65 @@ typedef struct ssl_ctx_internal_st { uint16_t min_version; uint16_t max_version; + /* If this callback is not null, it will be called each + * time a session id is added to the cache. If this function + * returns 1, it means that the callback will do a + * SSL_SESSION_free() when it has finished using it. Otherwise, + * on 0, it means the callback has finished with it. + * If remove_session_cb is not null, it will be called when + * a session-id is removed from the cache. After the call, + * OpenSSL will SSL_SESSION_free() it. */ + int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); + void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); + SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, + unsigned char *data, int len, int *copy); + + /* if defined, these override the X509_verify_cert() calls */ + int (*app_verify_callback)(X509_STORE_CTX *, void *); + void *app_verify_arg; + + /* Default password callback. */ + pem_password_cb *default_passwd_callback; + + /* Default password callback user data. */ + void *default_passwd_callback_userdata; + + /* get client cert callback */ + int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); + + /* cookie generate callback */ + int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, + unsigned int *cookie_len); + + /* verify cookie callback */ + int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, + unsigned int cookie_len); + + void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */ + + /* callback that allows applications to peek at protocol messages */ + void (*msg_callback)(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, void *arg); + void *msg_callback_arg; + + int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ + + /* Default generate session ID callback. 
*/ + GEN_SESSION_CB generate_session_id; + + /* TLS extensions servername callback */ + int (*tlsext_servername_callback)(SSL*, int *, void *); + void *tlsext_servername_arg; + + /* Callback to support customisation of ticket key setting */ + int (*tlsext_ticket_key_cb)(SSL *ssl, unsigned char *name, + unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); + + /* certificate status request info */ + /* Callback for status request */ + int (*tlsext_status_cb)(SSL *ssl, void *arg); + void *tlsext_status_arg; + struct { int sess_connect; /* SSL new conn - started */ int sess_connect_renegotiate;/* SSL reneg - requested */ diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 7481524942..647cc4bfd8 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_rsa.c,v 1.21 2016/03/11 07:08:45 mmcc Exp $ */ +/* $OpenBSD: ssl_rsa.c,v 1.22 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -108,8 +108,8 @@ SSL_use_certificate_file(SSL *ssl, const char *file, int type) } else if (type == SSL_FILETYPE_PEM) { j = ERR_R_PEM_LIB; x = PEM_read_bio_X509(in, NULL, - ssl->ctx->default_passwd_callback, - ssl->ctx->default_passwd_callback_userdata); + ssl->ctx->internal->default_passwd_callback, + ssl->ctx->internal->default_passwd_callback_userdata); } else { SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); goto end; @@ -236,8 +236,8 @@ SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) } else if (type == SSL_FILETYPE_PEM) { j = ERR_R_PEM_LIB; rsa = PEM_read_bio_RSAPrivateKey(in, NULL, - ssl->ctx->default_passwd_callback, - ssl->ctx->default_passwd_callback_userdata); + ssl->ctx->internal->default_passwd_callback, + ssl->ctx->internal->default_passwd_callback_userdata); } else { SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); goto end; 
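Review bot: The comment on `tlsext_ticket_key_cb` only says it supports customisation of ticket key setting and gives no return-value contract, yet the caller in ssl3_send_newsession_ticket (earlier in this diff) treats only `< 0` as failure and the `enc` parameter selects between creating and loading a ticket. I would expand that comment to describe the `enc` flag and state that a negative return aborts the handshake while any other value means name, iv and the two contexts have been initialised. The trailing comments on `info_callback` and `default_verify_callback` push those declarations past 80 columns; moving each comment onto its own line above the declaration would match the rest of the struct. This hunk ends inside struct ssl_ctx_internal_st, which continues after it.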
@@ -308,8 +308,8 @@ SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) if (type == SSL_FILETYPE_PEM) { j = ERR_R_PEM_LIB; pkey = PEM_read_bio_PrivateKey(in, NULL, - ssl->ctx->default_passwd_callback, - ssl->ctx->default_passwd_callback_userdata); + ssl->ctx->internal->default_passwd_callback, + ssl->ctx->internal->default_passwd_callback_userdata); } else if (type == SSL_FILETYPE_ASN1) { j = ERR_R_ASN1_LIB; pkey = d2i_PrivateKey_bio(in, NULL); @@ -440,8 +440,8 @@ SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) x = d2i_X509_bio(in, NULL); } else if (type == SSL_FILETYPE_PEM) { j = ERR_R_PEM_LIB; - x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); + x = PEM_read_bio_X509(in, NULL, ctx->internal->default_passwd_callback, + ctx->internal->default_passwd_callback_userdata); } else { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); goto end; @@ -526,8 +526,8 @@ SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) } else if (type == SSL_FILETYPE_PEM) { j = ERR_R_PEM_LIB; rsa = PEM_read_bio_RSAPrivateKey(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); + ctx->internal->default_passwd_callback, + ctx->internal->default_passwd_callback_userdata); } else { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); goto end; @@ -596,8 +596,8 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) if (type == SSL_FILETYPE_PEM) { j = ERR_R_PEM_LIB; pkey = PEM_read_bio_PrivateKey(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); + ctx->internal->default_passwd_callback, + ctx->internal->default_passwd_callback_userdata); } else if (type == SSL_FILETYPE_ASN1) { j = ERR_R_ASN1_LIB; pkey = d2i_PrivateKey_bio(in, NULL); 
@@ -650,8 +650,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ - x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); + x = PEM_read_bio_X509_AUX(in, NULL, ctx->internal->default_passwd_callback, + ctx->internal->default_passwd_callback_userdata); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); goto end; @@ -677,8 +677,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) } while ((ca = PEM_read_bio_X509(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata)) != NULL) { + ctx->internal->default_passwd_callback, + ctx->internal->default_passwd_callback_userdata)) != NULL) { r = SSL_CTX_add_extra_chain_cert(ctx, ca); if (!r) { X509_free(ca); diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 2520843cc0..8700e851c6 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.57 2017/01/23 01:22:08 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.58 2017/01/23 04:15:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -328,8 +328,8 @@ ssl_get_new_session(SSL *s, int session) CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); if (s->generate_session_id) cb = s->generate_session_id; - else if (s->session_ctx->generate_session_id) - cb = s->session_ctx->generate_session_id; + else if (s->session_ctx->internal->generate_session_id) + cb = s->session_ctx->internal->generate_session_id; CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); /* Choose a session ID. */ 
@@ -470,11 +470,11 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, } if (try_session_cache && ret == NULL && - s->session_ctx->get_session_cb != NULL) { + s->session_ctx->internal->get_session_cb != NULL) { int copy = 1; - if ((ret = s->session_ctx->get_session_cb(s, session_id, - len, ©))) { + if ((ret = s->session_ctx->internal->get_session_cb(s, + session_id, len, ©))) { s->session_ctx->internal->stats.sess_cb_hit++; /* @@ -674,8 +674,8 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if (ret) { r->internal->not_resumable = 1; - if (ctx->remove_session_cb != NULL) - ctx->remove_session_cb(ctx, r); + if (ctx->internal->remove_session_cb != NULL) + ctx->internal->remove_session_cb(ctx, r); SSL_SESSION_free(r); } } else @@ -911,8 +911,8 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) (void)lh_SSL_SESSION_delete(p->cache, s); SSL_SESSION_list_remove(p->ctx, s); s->internal->not_resumable = 1; - if (p->ctx->remove_session_cb != NULL) - p->ctx->remove_session_cb(p->ctx, s); + if (p->ctx->internal->remove_session_cb != NULL) + p->ctx->internal->remove_session_cb(p->ctx, s); SSL_SESSION_free(s); } } 
@@ -1013,67 +1013,67 @@ SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess)) { - ctx->new_session_cb = cb; + ctx->internal->new_session_cb = cb; } int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess) { - return ctx->new_session_cb; + return ctx->internal->new_session_cb; } void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess)) { - ctx->remove_session_cb = cb; + ctx->internal->remove_session_cb = cb; } void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess) { - return ctx->remove_session_cb; + return ctx->internal->remove_session_cb; } void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl, unsigned char *data, int len, int *copy)) { - ctx->get_session_cb = cb; + ctx->internal->get_session_cb = cb; } SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy) { - return ctx->get_session_cb; + return ctx->internal->get_session_cb; } void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int val)) { - ctx->info_callback = cb; + ctx->internal->info_callback = cb; } void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val) { - return ctx->info_callback; + return ctx->internal->info_callback; } void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)) { - ctx->client_cert_cb = cb; + ctx->internal->client_cert_cb = cb; } int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509, EVP_PKEY **pkey) { - return ctx->client_cert_cb; + return ctx->internal->client_cert_cb; } #ifndef OPENSSL_NO_ENGINE 
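Review bot: SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_set_info_callback and SSL_CTX_set_client_cert_cb all store into `ctx->internal` with no locking, whereas SSL_CTX_set_generate_session_id (ssl_lib.c in this diff) takes CRYPTO_LOCK_SSL_CTX for the same kind of store; the commit preserves both conventions without saying which is intended. Either is defensible, but the expectation should be written down once, e.g. above this group of setters: `/* Callback setters are not locked: they must be called before the SSL_CTX is shared between threads. */`.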
@@ -1100,14 +1100,14 @@ void
 SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) {
- ctx->app_gen_cookie_cb = cb;
+ ctx->internal->app_gen_cookie_cb = cb;
 }
 void
 SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) {
- ctx->app_verify_cookie_cb = cb;
+ ctx->internal->app_verify_cookie_cb = cb;
 }
 int
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index d1d20b6bda..08818f4870 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.99 2017/01/22 09:02:07 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.100 2017/01/23 04:15:28 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1859,10 +1859,12 @@ ssl_check_clienthello_tlsext_early(SSL *s)
 * ssl3_choose_cipher in s3_lib.c.
 */
- if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
- ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
- else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
- ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
+ if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
+ ret = s->ctx->internal->tlsext_servername_callback(s, &al,
+ s->ctx->internal->tlsext_servername_arg);
+ else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
+ ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
+ s->initial_ctx->internal->tlsext_servername_arg);
 switch (ret) {
 case SSL_TLSEXT_ERR_ALERT_FATAL:
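Review bot: The rewritten conditions in ssl_check_clienthello_tlsext_early compare a function pointer with `0` while the rest of this commit uses `!= NULL` (for example `get_session_cb != NULL` in ssl_sess.c), and the new `else if` line runs well past 80 columns even though the call right under it was wrapped to fit. Since both lines are being rewritten anyway, I would write `if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != NULL)` and split the second test as `else if (s->initial_ctx != NULL &&` / `    s->initial_ctx->internal->tlsext_servername_callback != NULL)`. The identical pair of lines in the ssl_check_serverhello_tlsext hunk (@@ -1973) has the same two issues. The enclosing function starts and ends outside the hunk.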
@@ -1890,7 +1892,7 @@ ssl_check_clienthello_tlsext_late(SSL *s)
 * has been chosen because this may influence which certificate is sent
 */
 if ((s->tlsext_status_type != -1) &&
- s->ctx && s->ctx->tlsext_status_cb) {
+ s->ctx && s->ctx->internal->tlsext_status_cb) {
 int r;
 CERT_PKEY *certpkey;
 certpkey = ssl_get_server_send_pkey(s);
@@ -1903,7 +1905,8 @@ ssl_check_clienthello_tlsext_late(SSL *s)
 * SSL_get_certificate et al can pick it up.
 */
 s->cert->key = certpkey;
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+ r = s->ctx->internal->tlsext_status_cb(s,
+ s->ctx->internal->tlsext_status_arg);
 switch (r) {
 /* We don't want to send a status request response */
 case SSL_TLSEXT_ERR_NOACK:
@@ -1973,16 +1976,18 @@ ssl_check_serverhello_tlsext(SSL *s)
 }
 ret = SSL_TLSEXT_ERR_OK;
- if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
- ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
- else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
- ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
+ if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
+ ret = s->ctx->internal->tlsext_servername_callback(s, &al,
+ s->ctx->internal->tlsext_servername_arg);
+ else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
+ ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
+ s->initial_ctx->internal->tlsext_servername_arg);
 /* If we've requested certificate status and we wont get one
 * tell the callback */
 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
- s->ctx && s->ctx->tlsext_status_cb) {
+ s->ctx && s->ctx->internal->tlsext_status_cb) {
 int r;
 /* Set resp to NULL, resplen to -1 so callback knows
 * there is no response.
@@ -1990,7 +1995,8 @@ ssl_check_serverhello_tlsext(SSL *s)
 free(s->tlsext_ocsp_resp);
 s->tlsext_ocsp_resp = NULL;
 s->tlsext_ocsp_resplen = -1;
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+ r = s->ctx->internal->tlsext_status_cb(s,
+ s->ctx->internal->tlsext_status_arg);
 if (r == 0) {
 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -2182,10 +2188,10 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 /* Initialize session ticket encryption and HMAC contexts */
 HMAC_CTX_init(&hctx);
 EVP_CIPHER_CTX_init(&ctx);
- if (tctx->tlsext_ticket_key_cb) {
+ if (tctx->internal->tlsext_ticket_key_cb) {
 unsigned char *nctick = (unsigned char *)etick;
- int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
- &ctx, &hctx, 0);
+ int rv = tctx->internal->tlsext_ticket_key_cb(s,
+ nctick, nctick + 16, &ctx, &hctx, 0);
 if (rv < 0) {
 HMAC_CTX_cleanup(&hctx);
 EVP_CIPHER_CTX_cleanup(&ctx);
-- 
cgit v1.2.3-55-g6feb
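Review bot: In tls_decrypt_ticket the rewritten call hands the callback `nctick`, a const-cast view of the received ticket (`(unsigned char *)etick`), plus `nctick + 16` as the IV and a trailing `0`, and nothing at the call site says the callback must treat those buffers as read-only on this path. A comment above the call, `/* Decrypt path (last arg 0): cb reads the key name and IV out of the peer's ticket; the cast presumably only satisfies its prototype and it must not write through nctick. */`, would make the contract explicit, since a callback written with the encrypt path in mind, where it apparently fills in the key name, would otherwise scribble over peer-supplied data here. The literal `16` is presumably the key-name length that fixes the IV offset; a named constant, or at least a comment, would tie it to the ticket layout that `eticklen` was checked against. The enclosing function begins before the hunk and the `rv == 0` and success paths continue after it.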