From c35f51566045be89c49b0a47e153fdb27ec20f8e Mon Sep 17 00:00:00 2001 From: beck <> Date: Mon, 23 Jan 2017 04:55:27 +0000 Subject: move the callbacks from ssl_st to internal ok jsing@ --- src/lib/libssl/bio_ssl.c | 8 +++--- src/lib/libssl/d1_both.c | 20 +++++++------- src/lib/libssl/d1_clnt.c | 12 ++++----- src/lib/libssl/d1_pkt.c | 52 ++++++++++++++++++------------------ src/lib/libssl/d1_srvr.c | 12 ++++----- src/lib/libssl/s23_clnt.c | 28 +++++++++---------- src/lib/libssl/s23_lib.c | 14 +++++----- src/lib/libssl/s23_srvr.c | 18 ++++++------- src/lib/libssl/s3_both.c | 20 +++++++------- src/lib/libssl/s3_clnt.c | 18 ++++++------- src/lib/libssl/s3_lib.c | 14 +++++----- src/lib/libssl/s3_pkt.c | 50 +++++++++++++++++----------------- src/lib/libssl/s3_srvr.c | 18 ++++++------- src/lib/libssl/ssl.h | 32 +++------------------- src/lib/libssl/ssl_cert.c | 6 ++--- src/lib/libssl/ssl_lib.c | 68 +++++++++++++++++++++++------------------------ src/lib/libssl/ssl_locl.h | 33 ++++++++++++++++++++++- src/lib/libssl/ssl_sess.c | 14 +++++----- src/lib/libssl/t1_lib.c | 30 ++++++++++----------- 19 files changed, 237 insertions(+), 230 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c index 6ddbb008e6..42f637a78f 100644 --- a/src/lib/libssl/bio_ssl.c +++ b/src/lib/libssl/bio_ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_ssl.c,v 1.22 2015/09/29 18:08:57 deraadt Exp $ */ +/* $OpenBSD: bio_ssl.c,v 1.23 2017/01/23 04:55:26 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,8 @@ #include #include +#include "ssl_locl.h" + static int ssl_write(BIO *h, const char *buf, int num); static int ssl_read(BIO *h, char *buf, int size); static int ssl_puts(BIO *h, const char *str); @@ -291,9 +293,9 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_RESET: SSL_shutdown(ssl); - if (ssl->handshake_func == ssl->method->ssl_connect) + if (ssl->internal->handshake_func == ssl->method->ssl_connect) SSL_set_connect_state(ssl); - else if (ssl->handshake_func == ssl->method->ssl_accept) + else if (ssl->internal->handshake_func == ssl->method->ssl_accept) SSL_set_accept_state(ssl); SSL_clear(ssl); diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c index 2ee4a7ffcf..962b73ed6c 100644 --- a/src/lib/libssl/d1_both.c +++ b/src/lib/libssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.42 2017/01/22 09:02:07 jsing Exp $ */ +/* $OpenBSD: d1_both.c,v 1.43 2017/01/23 04:55:26 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -367,11 +367,11 @@ dtls1_do_write(SSL *s, int type) } if (ret == s->init_num) { - if (s->msg_callback) - s->msg_callback(1, s->version, type, + if (s->internal->msg_callback) + s->internal->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), - s, s->msg_callback_arg); + s, s->internal->msg_callback_arg); s->init_off = 0; /* done writing this message */ @@ -445,9 +445,9 @@ again: msg_len += DTLS1_HM_HEADER_LENGTH; tls1_finish_mac(s, p, msg_len); - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, - s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, + s, s->internal->msg_callback_arg); memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); @@ -834,11 +834,11 @@ again: * 'Finished' MAC. */ if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { - if (s->msg_callback) - s->msg_callback(0, s->version, + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, wire, DTLS1_HM_HEADER_LENGTH, s, - s->msg_callback_arg); + s->internal->msg_callback_arg); s->init_num = 0; goto again; diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 127cda155c..67b874ef6b 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.64 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.65 2017/01/23 04:55:26 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -188,12 +188,12 @@ dtls1_connect(SSL *s) ERR_clear_error(); errno = 0; - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; - s->in_handshake++; + s->internal->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -559,7 +559,7 @@ dtls1_connect(SSL *s) ret = 1; /* s->server=0; */ - s->handshake_func = dtls1_connect; + s->internal->handshake_func = dtls1_connect; s->ctx->internal->stats.sess_connect_good++; if (cb != NULL) @@ -596,7 +596,7 @@ dtls1_connect(SSL *s) } end: - s->in_handshake--; + s->internal->in_handshake--; if (cb != NULL) cb(s, SSL_CB_CONNECT_EXIT, ret); diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index ef9bcaa786..88c2fa9adf 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.52 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.53 2017/01/23 04:55:26 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -596,7 +596,7 @@ again: * anything while listening. */ if (is_next_epoch) { - if ((SSL_in_init(s) || s->in_handshake) && !D1I(s)->listen) { + if ((SSL_in_init(s) || s->internal->in_handshake) && !D1I(s)->listen) { if (dtls1_buffer_record(s, &(D1I(s)->unprocessed_rcds), rr->seq_num) < 0) return (-1); @@ -667,10 +667,10 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) /* Now D1I(s)->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ - if (!s->in_handshake && SSL_in_init(s)) + if (!s->internal->in_handshake && SSL_in_init(s)) { /* type == SSL3_RT_APPLICATION_DATA */ - i = s->handshake_func(s); + i = s->internal->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -875,9 +875,9 @@ start: /* no need to check sequence number on HELLO REQUEST messages */ - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - D1I(s)->handshake_fragment, 4, s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, + D1I(s)->handshake_fragment, 4, s, s->internal->msg_callback_arg); if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && @@ -886,7 +886,7 @@ start: s->new_session = 1; ssl3_renegotiate(s); if (ssl3_renegotiate_check(s)) { - i = s->handshake_func(s); + i = s->internal->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -922,12 +922,12 @@ start: D1I(s)->alert_fragment_len = 0; - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_ALERT, - D1I(s)->alert_fragment, 2, s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_ALERT, + D1I(s)->alert_fragment, 2, s, s->internal->msg_callback_arg); - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; @@ -987,9 +987,9 @@ start: rr->length = 0; - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, - rr->data, 1, s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, + rr->data, 1, s, s->internal->msg_callback_arg); /* We can't process a CCS now, because previous handshake * messages are still missing, so just drop it. @@ -1012,7 +1012,7 @@ start: /* Unexpected handshake message (Client Hello, or protocol violation) */ if ((D1I(s)->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && - !s->in_handshake) { + !s->internal->in_handshake) { struct hm_header_st msg_hdr; /* this may just be a stale retransmit */ @@ -1041,7 +1041,7 @@ start: s->renegotiate = 1; s->new_session = 1; } - i = s->handshake_func(s); + i = s->internal->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -1081,7 +1081,7 @@ start: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: /* we already handled all of these, with the possible exception - * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that + * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that * should not happen when type != rr->type */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); @@ -1123,9 +1123,9 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) { int i; - if (SSL_in_init(s) && !s->in_handshake) + if (SSL_in_init(s) && !s->internal->in_handshake) { - i = s->handshake_func(s); + i = s->internal->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -1422,12 +1422,12 @@ dtls1_dispatch_alert(SSL *s) ) (void)BIO_flush(s->wbio); - if (s->msg_callback) - s->msg_callback(1, s->version, SSL3_RT_ALERT, - s->s3->send_alert, 2, s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(1, s->version, SSL3_RT_ALERT, + s->s3->send_alert, 2, s, s->internal->msg_callback_arg); - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 28a4442445..80af8eb930 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.74 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.75 2017/01/23 04:55:26 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -188,15 +188,15 @@ dtls1_accept(SSL *s) ERR_clear_error(); errno = 0; - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; listen = D1I(s)->listen; /* init things to blank */ - s->in_handshake++; + s->internal->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -643,7 +643,7 @@ dtls1_accept(SSL *s) s->ctx->internal->stats.sess_accept_good++; /* s->server=1; */ - s->handshake_func = dtls1_accept; + s->internal->handshake_func = dtls1_accept; if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_DONE, 1); @@ -684,7 +684,7 @@ dtls1_accept(SSL *s) end: /* BIO_flush(s->wbio); */ - s->in_handshake--; + s->internal->in_handshake--; if (cb != NULL) cb(s, SSL_CB_ACCEPT_EXIT, ret); diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index 56c1d53707..aec215d29a 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_clnt.c,v 1.51 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: s23_clnt.c,v 1.52 2017/01/23 04:55:26 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -130,12 +130,12 @@ ssl23_connect(SSL *s) ERR_clear_error(); errno = 0; - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; - s->in_handshake++; + s->internal->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -218,7 +218,7 @@ ssl23_connect(SSL *s) } end: - s->in_handshake--; + s->internal->in_handshake--; if (cb != NULL) cb(s, SSL_CB_CONNECT_EXIT, ret); @@ -332,10 +332,10 @@ ssl23_client_hello(SSL *s) /* SSL3_ST_CW_CLNT_HELLO_B */ ret = ssl23_write_bytes(s); - if ((ret >= 2) && s->msg_callback) { + if ((ret >= 2) && s->internal->msg_callback) { /* Client Hello has been sent; tell msg_callback */ - s->msg_callback(1, s->client_version, SSL3_RT_HANDSHAKE, - s->init_buf->data + 5, ret - 5, s, s->msg_callback_arg); + s->internal->msg_callback(1, s->client_version, SSL3_RT_HANDSHAKE, + s->init_buf->data + 5, ret - 5, s, s->internal->msg_callback_arg); } return ret; @@ -394,8 +394,8 @@ ssl23_get_server_hello(SSL *s) void (*cb)(const SSL *ssl, int type, int val) = NULL; int j; - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; @@ -405,9 +405,9 @@ ssl23_get_server_hello(SSL *s) cb(s, SSL_CB_READ_ALERT, j); } - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_ALERT, - p + 5, 2, s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_ALERT, + p + 5, 2, s, s->internal->msg_callback_arg); s->rwstate = SSL_NOTHING; SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, @@ -433,7 +433,7 @@ ssl23_get_server_hello(SSL *s) s->s3->rbuf.left = n; s->s3->rbuf.offset = 0; - s->handshake_func = s->method->ssl_connect; + s->internal->handshake_func = s->method->ssl_connect; } else { SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL); goto err; diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c index cd594aa3c9..5de30c69e6 100644 --- a/src/lib/libssl/s23_lib.c +++ b/src/lib/libssl/s23_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_lib.c,v 1.18 2014/11/16 14:12:47 jsing Exp $ */ +/* $OpenBSD: s23_lib.c,v 1.19 2017/01/23 04:55:26 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,8 +74,8 @@ ssl23_read(SSL *s, void *buf, int len) int n; errno = 0; - if (SSL_in_init(s) && (!s->in_handshake)) { - n = s->handshake_func(s); + if (SSL_in_init(s) && (!s->internal->in_handshake)) { + n = s->internal->handshake_func(s); if (n < 0) return (n); if (n == 0) { @@ -95,8 +95,8 @@ ssl23_peek(SSL *s, void *buf, int len) int n; errno = 0; - if (SSL_in_init(s) && (!s->in_handshake)) { - n = s->handshake_func(s); + if (SSL_in_init(s) && (!s->internal->in_handshake)) { + n = s->internal->handshake_func(s); if (n < 0) return (n); if (n == 0) { @@ -116,8 +116,8 @@ ssl23_write(SSL *s, const void *buf, int len) int n; errno = 0; - if (SSL_in_init(s) && (!s->in_handshake)) { - n = s->handshake_func(s); + if (SSL_in_init(s) && (!s->internal->in_handshake)) { + n = s->internal->handshake_func(s); if (n < 0) return (n); if (n == 0) { diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index 88ff9bb9a8..79c2eee521 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_srvr.c,v 1.52 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: s23_srvr.c,v 1.53 2017/01/23 04:55:26 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -129,12 +129,12 @@ ssl23_accept(SSL *s) ERR_clear_error(); errno = 0; - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; - s->in_handshake++; + s->internal->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -194,7 +194,7 @@ ssl23_accept(SSL *s) } end: - s->in_handshake--; + s->internal->in_handshake--; if (cb != NULL) cb(s, SSL_CB_ACCEPT_EXIT, ret); @@ -345,9 +345,9 @@ ssl23_get_client_hello(SSL *s) return -1; tls1_finish_mac(s, s->packet + 2, s->packet_length - 2); - if (s->msg_callback) - s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, - s->packet_length - 2, s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, + s->packet_length - 2, s, s->internal->msg_callback_arg); p = s->packet; p += 5; @@ -450,7 +450,7 @@ ssl23_get_client_hello(SSL *s) s->method = TLSv1_server_method(); else goto unsupported; - s->handshake_func = s->method->ssl_accept; + s->internal->handshake_func = s->method->ssl_accept; } else { /* bad, very bad */ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c index 7381286326..4dddcd232a 100644 --- a/src/lib/libssl/s3_both.c +++ b/src/lib/libssl/s3_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_both.c,v 1.51 2017/01/22 09:02:07 jsing Exp $ */ +/* $OpenBSD: s3_both.c,v 1.52 2017/01/23 04:55:26 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -150,10 +150,10 @@ ssl3_do_write(SSL *s, int type) (unsigned char *)&s->init_buf->data[s->init_off], ret); if (ret == s->init_num) { - if (s->msg_callback) - s->msg_callback(1, s->version, type, s->init_buf->data, + if (s->internal->msg_callback) + s->internal->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, - s->msg_callback_arg); + s->internal->msg_callback_arg); return (1); } @@ -461,10 +461,10 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) s->init_num = 0; skip_message = 1; - if (s->msg_callback) - s->msg_callback(0, s->version, + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, 4, s, - s->msg_callback_arg); + s->internal->msg_callback_arg); } } } while (skip_message); @@ -525,10 +525,10 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) /* Feed this message into MAC computation. */ tls1_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, - s->msg_callback_arg); + s->internal->msg_callback_arg); *ok = 1; return (s->init_num); diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 54833ded27..c606091e10 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.165 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.166 2017/01/23 04:55:26 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -183,12 +183,12 @@ ssl3_connect(SSL *s) ERR_clear_error(); errno = 0; - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; - s->in_handshake++; + s->internal->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -543,7 +543,7 @@ ssl3_connect(SSL *s) ret = 1; /* s->server=0; */ - s->handshake_func = ssl3_connect; + s->internal->handshake_func = ssl3_connect; s->ctx->internal->stats.sess_connect_good++; if (cb != NULL) @@ -578,7 +578,7 @@ ssl3_connect(SSL *s) } end: - s->in_handshake--; + s->internal->in_handshake--; if (cb != NULL) cb(s, SSL_CB_CONNECT_EXIT, ret); @@ -800,12 +800,12 @@ ssl3_get_server_hello(SSL *s) * Check if we want to resume the session based on external * pre-shared secret. */ - if (s->tls_session_secret_cb) { + if (s->internal->tls_session_secret_cb) { SSL_CIPHER *pref_cipher = NULL; s->session->master_key_length = sizeof(s->session->master_key); - if (s->tls_session_secret_cb(s, s->session->master_key, + if (s->internal->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, NULL, &pref_cipher, - s->tls_session_secret_cb_arg)) { + s->internal->tls_session_secret_cb_arg)) { s->session->cipher = pref_cipher ? pref_cipher : ssl3_get_cipher_by_value(cipher_suite); s->s3->flags |= SSL3_FLAGS_CCS_OK; diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 92f4c49aa8..8e52c8bb4a 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.122 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.123 2017/01/23 04:55:26 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2102,7 +2102,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } break; case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: - s->tlsext_debug_arg = parg; + s->internal->tlsext_debug_arg = parg; ret = 1; break; @@ -2181,7 +2181,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; break; case SSL_CTRL_SET_TLSEXT_DEBUG_CB: - s->tlsext_debug_cb = (void (*)(SSL *, int , int, + s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int, unsigned char *, int, void *))fp; break; default: @@ -2614,16 +2614,16 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek) SSL3_RT_APPLICATION_DATA, buf, len, peek); if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { /* - * ssl3_read_bytes decided to call s->handshake_func, which + * ssl3_read_bytes decided to call s->internal->handshake_func, which * called ssl3_read_bytes to read handshake data. * However, ssl3_read_bytes actually found application data * and thinks that application data makes sense here; so disable * handshake processing and try to read application data again. */ - s->in_handshake++; + s->internal->in_handshake++; ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek); - s->in_handshake--; + s->internal->in_handshake--; } else S3I(s)->in_read_app_data = 0; @@ -2645,7 +2645,7 @@ ssl3_peek(SSL *s, void *buf, int len) int ssl3_renegotiate(SSL *s) { - if (s->handshake_func == NULL) + if (s->internal->handshake_func == NULL) return (1); if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index a1d0ef9299..004ede2ef0 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_pkt.c,v 1.62 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: s3_pkt.c,v 1.63 2017/01/23 04:55:26 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -513,8 +513,8 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) tot = S3I(s)->wnum; S3I(s)->wnum = 0; - if (SSL_in_init(s) && !s->in_handshake) { - i = s->handshake_func(s); + if (SSL_in_init(s) && !s->internal->in_handshake) { + i = s->internal->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -886,9 +886,9 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * Now S3I(s)->handshake_fragment_len == 0 if * type == SSL3_RT_HANDSHAKE. */ - if (!s->in_handshake && SSL_in_init(s)) { + if (!s->internal->in_handshake && SSL_in_init(s)) { /* type == SSL3_RT_APPLICATION_DATA */ - i = s->handshake_func(s); + i = s->internal->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -1049,17 +1049,17 @@ start: goto f_err; } - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, S3I(s)->handshake_fragment, 4, s, - s->msg_callback_arg); + s->internal->msg_callback_arg); if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && !S3I(s)->renegotiate) { ssl3_renegotiate(s); if (ssl3_renegotiate_check(s)) { - i = s->handshake_func(s); + i = s->internal->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -1109,12 +1109,12 @@ start: S3I(s)->alert_fragment_len = 0; - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_ALERT, - S3I(s)->alert_fragment, 2, s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(0, s->version, SSL3_RT_ALERT, + S3I(s)->alert_fragment, 2, s, s->internal->msg_callback_arg); - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; @@ -1200,10 +1200,10 @@ start: rr->length = 0; - if (s->msg_callback) { - s->msg_callback(0, s->version, + if (s->internal->msg_callback) { + s->internal->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, - s->msg_callback_arg); + s->internal->msg_callback_arg); } S3I(s)->change_cipher_spec = 1; @@ -1214,14 +1214,14 @@ start: } /* Unexpected handshake message (Client Hello, or protocol violation) */ - if ((S3I(s)->handshake_fragment_len >= 4) && !s->in_handshake) { + if ((S3I(s)->handshake_fragment_len >= 4) && !s->internal->in_handshake) { if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; s->renegotiate = 1; s->new_session = 1; } - i = s->handshake_func(s); + i = s->internal->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -1265,7 +1265,7 @@ start: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: /* we already handled all of these, with the possible exception - * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that + * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that * should not happen when type != rr->type */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); @@ -1391,12 +1391,12 @@ ssl3_dispatch_alert(SSL *s) if (s->s3->send_alert[0] == SSL3_AL_FATAL) (void)BIO_flush(s->wbio); - if (s->msg_callback) - s->msg_callback(1, s->version, SSL3_RT_ALERT, - s->s3->send_alert, 2, s, s->msg_callback_arg); + if (s->internal->msg_callback) + s->internal->msg_callback(1, s->version, SSL3_RT_ALERT, + s->s3->send_alert, 2, s, s->internal->msg_callback_arg); - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 3f53f27924..21849487ea 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.144 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.145 2017/01/23 04:55:27 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -178,13 +178,13 @@ ssl3_accept(SSL *s) ERR_clear_error(); errno = 0; - if (s->info_callback != NULL) - cb = s->info_callback; + if (s->internal->info_callback != NULL) + cb = s->internal->info_callback; else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; /* init things to blank */ - s->in_handshake++; + s->internal->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -662,7 +662,7 @@ ssl3_accept(SSL *s) s->ctx->internal->stats.sess_accept_good++; /* s->server=1; */ - s->handshake_func = ssl3_accept; + s->internal->handshake_func = ssl3_accept; if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_DONE, 1); @@ -699,7 +699,7 @@ ssl3_accept(SSL *s) end: /* BIO_flush(s->wbio); */ - s->in_handshake--; + s->internal->in_handshake--; if (cb != NULL) cb(s, SSL_CB_ACCEPT_EXIT, ret); return (ret); @@ -976,13 +976,13 @@ ssl3_get_client_hello(SSL *s) */ arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); - if (!s->hit && s->tls_session_secret_cb) { + if (!s->hit && s->internal->tls_session_secret_cb) { SSL_CIPHER *pref_cipher = NULL; s->session->master_key_length = sizeof(s->session->master_key); - if (s->tls_session_secret_cb(s, s->session->master_key, + if (s->internal->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, ciphers, &pref_cipher, - s->tls_session_secret_cb_arg)) { + s->internal->tls_session_secret_cb_arg)) { s->hit = 1; s->session->ciphers = ciphers; s->session->verify_result = X509_V_OK; diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 2d6a0e757d..4080af8999 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.110 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.111 2017/01/23 04:55:27 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -908,10 +908,6 @@ struct ssl_st { * in SSL_accept or SSL_connect */ int rwstate; - /* true when we are actually in SSL_accept() or SSL_connect() */ - int in_handshake; - int (*handshake_func)(SSL *); - /* Imagine that here's a boolean member "init" that is * switched as soon as SSL_set_{accept/connect}_state * is called for the first time, so that "state" and @@ -947,11 +943,6 @@ struct ssl_st { int read_ahead; /* Read as many input bytes as possible * (for non-blocking reads) */ - /* callback that allows applications to peek at protocol messages */ - void (*msg_callback)(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg); - void *msg_callback_arg; - int hit; /* reusing a previous session */ X509_VERIFY_PARAM *param; @@ -992,16 +983,9 @@ struct ssl_st { /* This can also be in the session once a session is established */ SSL_SESSION *session; - /* Default generate session ID callback. */ - GEN_SESSION_CB generate_session_id; - /* Used in SSL2 and SSL3 */ int verify_mode; /* 0 don't care about verify failure. * 1 fail if verify fails */ - int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ - - void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ - int error; /* error bytes to be written */ int error_code; /* actual code */ @@ -1028,11 +1012,9 @@ struct ssl_st { int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ unsigned int max_send_fragment; - /* TLS extension debug callback */ - void (*tlsext_debug_cb)(SSL *s, int client_server, int type, - unsigned char *data, int len, void *arg); - void *tlsext_debug_arg; + char *tlsext_hostname; + int servername_done; /* no further mod of servername 0 : call the servername extension callback. 1 : prepare 2, allow last ack just after in server callback. @@ -1060,14 +1042,6 @@ struct ssl_st { /* TLS Session Ticket extension override */ TLS_SESSION_TICKET_EXT *tlsext_session_ticket; - /* TLS Session Ticket extension callback */ - tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; - void *tls_session_ticket_ext_cb_arg; - - /* TLS pre-shared secret session resumption */ - tls_session_secret_cb_fn tls_session_secret_cb; - void *tls_session_secret_cb_arg; - SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ #define session_ctx initial_ctx diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 603deb4218..13591aec9c 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.55 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.56 2017/01/23 04:55:27 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -440,8 +440,8 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) */ X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param); - if (s->verify_callback) - X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); + if (s->internal->verify_callback) + X509_STORE_CTX_set_verify_cb(&ctx, s->internal->verify_callback); if (s->ctx->internal->app_verify_callback != NULL) ret = s->ctx->internal->app_verify_callback(&ctx, diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 6e3e042fe6..c9af96e48e 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.132 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.133 2017/01/23 04:55:27 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -230,7 +230,7 @@ SSL_clear(SSL *s) * Check to see if we were changed into a different method, if * so, revert back if we are not doing session-id reuse. */ - if (!s->in_handshake && (s->session == NULL) && + if (!s->internal->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { s->method->ssl_free(s); s->method = s->ctx->method; @@ -307,14 +307,14 @@ SSL_new(SSL_CTX *ctx) s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ s->read_ahead = ctx->read_ahead; - s->msg_callback = ctx->internal->msg_callback; - s->msg_callback_arg = ctx->internal->msg_callback_arg; + s->internal->msg_callback = ctx->internal->msg_callback; + s->internal->msg_callback_arg = ctx->internal->msg_callback_arg; s->verify_mode = ctx->verify_mode; s->sid_ctx_length = ctx->sid_ctx_length; OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); - s->verify_callback = ctx->internal->default_verify_callback; - s->generate_session_id = ctx->internal->generate_session_id; + s->internal->verify_callback = ctx->internal->default_verify_callback; + s->internal->generate_session_id = ctx->internal->generate_session_id; s->param = X509_VERIFY_PARAM_new(); if (!s->param) @@ -325,8 +325,8 @@ SSL_new(SSL_CTX *ctx) CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->ctx = ctx; - s->tlsext_debug_cb = 0; - s->tlsext_debug_arg = NULL; + s->internal->tlsext_debug_cb = 0; + s->internal->tlsext_debug_arg = NULL; s->tlsext_ticket_expected = 0; s->tlsext_status_type = -1; s->tlsext_status_expected = 0; @@ -415,7 +415,7 @@ int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); - ssl->generate_session_id = cb; + ssl->internal->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL); return (1); } @@ -741,7 +741,7 @@ SSL_get_verify_depth(const SSL *s) int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) { - return (s->verify_callback); + return (s->internal->verify_callback); } int @@ -767,7 +767,7 @@ SSL_set_verify(SSL *s, int mode, { s->verify_mode = mode; if (callback != NULL) - s->verify_callback = callback; + s->internal->verify_callback = callback; } void @@ -922,7 +922,7 @@ SSL_check_private_key(const SSL *ssl) int SSL_accept(SSL *s) { - if (s->handshake_func == NULL) + if (s->internal->handshake_func == NULL) SSL_set_accept_state(s); /* Not properly initialized yet */ return (s->method->ssl_accept(s)); @@ -931,7 +931,7 @@ SSL_accept(SSL *s) int SSL_connect(SSL *s) { - if (s->handshake_func == NULL) + if (s->internal->handshake_func == NULL) SSL_set_connect_state(s); /* Not properly initialized yet */ return (s->method->ssl_connect(s)); @@ -946,7 +946,7 @@ SSL_get_default_timeout(const SSL *s) int SSL_read(SSL *s, void *buf, int num) { - if (s->handshake_func == NULL) { + if (s->internal->handshake_func == NULL) { SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); return (-1); } @@ -961,7 +961,7 @@ SSL_read(SSL *s, void *buf, int num) int SSL_peek(SSL *s, void *buf, int num) { - if (s->handshake_func == NULL) { + if (s->internal->handshake_func == NULL) { SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); return (-1); } @@ -975,7 +975,7 @@ SSL_peek(SSL *s, void *buf, int num) int SSL_write(SSL *s, const void *buf, int num) { - if (s->handshake_func == NULL) { + if (s->internal->handshake_func == NULL) { SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); return (-1); } @@ -998,7 +998,7 @@ SSL_shutdown(SSL *s) * even if blocking I/O is used (see ssl3_shutdown). */ - if (s->handshake_func == NULL) { + if (s->internal->handshake_func == NULL) { SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); return (-1); } @@ -1055,7 +1055,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg) return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: - s->msg_callback_arg = parg; + s->internal->msg_callback_arg = parg; return (1); case SSL_CTRL_OPTIONS: @@ -1101,7 +1101,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - s->msg_callback = (void (*)(int write_p, int version, + s->internal->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); return (1); @@ -2305,8 +2305,8 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) int ret = 1; if (s->method != meth) { - if (s->handshake_func != NULL) - conn = (s->handshake_func == s->method->ssl_connect); + if (s->internal->handshake_func != NULL) + conn = (s->internal->handshake_func == s->method->ssl_connect); if (s->method->version == meth->version) s->method = meth; @@ -2317,9 +2317,9 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) } if (conn == 1) - s->handshake_func = meth->ssl_connect; + s->internal->handshake_func = meth->ssl_connect; else if (conn == 0) - s->handshake_func = meth->ssl_accept; + s->internal->handshake_func = meth->ssl_accept; } return (ret); } @@ -2407,7 +2407,7 @@ SSL_do_handshake(SSL *s) { int ret = 1; - if (s->handshake_func == NULL) { + if (s->internal->handshake_func == NULL) { SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET); return (-1); } @@ -2415,7 +2415,7 @@ SSL_do_handshake(SSL *s) s->method->ssl_renegotiate_check(s); if (SSL_in_init(s) || SSL_in_before(s)) { - ret = s->handshake_func(s); + ret = s->internal->handshake_func(s); } return (ret); } @@ -2430,7 +2430,7 @@ SSL_set_accept_state(SSL *s) s->server = 1; s->shutdown = 0; s->state = SSL_ST_ACCEPT|SSL_ST_BEFORE; - s->handshake_func = s->method->ssl_accept; + s->internal->handshake_func = s->method->ssl_accept; /* clear the current cipher */ ssl_clear_cipher_ctx(s); ssl_clear_hash_ctx(&s->read_hash); @@ -2443,7 +2443,7 @@ SSL_set_connect_state(SSL *s) s->server = 0; s->shutdown = 0; s->state = SSL_ST_CONNECT|SSL_ST_BEFORE; - s->handshake_func = s->method->ssl_connect; + s->internal->handshake_func = s->method->ssl_connect; /* clear the current cipher */ ssl_clear_cipher_ctx(s); ssl_clear_hash_ctx(&s->read_hash); @@ -2643,12 +2643,12 @@ SSL_dup(SSL *s) ret->mode = s->mode; SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); - ret->msg_callback = s->msg_callback; - ret->msg_callback_arg = s->msg_callback_arg; + ret->internal->msg_callback = s->internal->msg_callback; + ret->internal->msg_callback_arg = s->internal->msg_callback_arg; SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s)); SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); - ret->generate_session_id = s->generate_session_id; + ret->internal->generate_session_id = s->internal->generate_session_id; SSL_set_info_callback(ret, SSL_get_info_callback(s)); @@ -2672,8 +2672,8 @@ SSL_dup(SSL *s) ret->wbio = ret->rbio; } ret->rwstate = s->rwstate; - ret->in_handshake = s->in_handshake; - ret->handshake_func = s->handshake_func; + ret->internal->in_handshake = s->internal->in_handshake; + ret->internal->handshake_func = s->internal->handshake_func; ret->server = s->server; ret->renegotiate = s->renegotiate; ret->new_session = s->new_session; @@ -2929,12 +2929,12 @@ SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len) void SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val)) { - ssl->info_callback = cb; + ssl->internal->info_callback = cb; } void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val) { - return (ssl->info_callback); + return (ssl->internal->info_callback); } int diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 4d8659a493..60bb5597e8 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.154 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.155 2017/01/23 04:55:27 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -527,6 +527,37 @@ typedef struct ssl_internal_st { /* Client list of supported protocols in wire format. */ unsigned char *alpn_client_proto_list; unsigned int alpn_client_proto_list_len; + + /* XXX Callbacks */ + + /* true when we are actually in SSL_accept() or SSL_connect() */ + int in_handshake; + int (*handshake_func)(SSL *); + /* callback that allows applications to peek at protocol messages */ + void (*msg_callback)(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, void *arg); + void *msg_callback_arg; + + /* Default generate session ID callback. */ + GEN_SESSION_CB generate_session_id; + + int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ + + void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ + + /* TLS extension debug callback */ + void (*tlsext_debug_cb)(SSL *s, int client_server, int type, + unsigned char *data, int len, void *arg); + void *tlsext_debug_arg; + + /* TLS Session Ticket extension callback */ + tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; + void *tls_session_ticket_ext_cb_arg; + + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn tls_session_secret_cb; + void *tls_session_secret_cb_arg; + } SSL_INTERNAL; typedef struct ssl3_state_internal_st { diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 8700e851c6..541b143384 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.58 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.59 2017/01/23 04:55:27 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -326,8 +326,8 @@ ssl_get_new_session(SSL *s, int session) /* Choose which callback will set the session ID. */ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - if (s->generate_session_id) - cb = s->generate_session_id; + if (s->internal->generate_session_id) + cb = s->internal->generate_session_id; else if (s->session_ctx->internal->generate_session_id) cb = s->session_ctx->internal->generate_session_id; CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); @@ -849,8 +849,8 @@ SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, { if (s == NULL) return (0); - s->tls_session_secret_cb = tls_session_secret_cb; - s->tls_session_secret_cb_arg = arg; + s->internal->tls_session_secret_cb = tls_session_secret_cb; + s->internal->tls_session_secret_cb_arg = arg; return (1); } @@ -860,8 +860,8 @@ SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, { if (s == NULL) return (0); - s->tls_session_ticket_ext_cb = cb; - s->tls_session_ticket_ext_cb_arg = arg; + s->internal->tls_session_ticket_ext_cb = cb; + s->internal->tls_session_ticket_ext_cb_arg = arg; return (1); } diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 08818f4870..b2d9883900 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.100 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.101 2017/01/23 04:55:27 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1227,9 +1227,9 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, if (end - data < size) goto err; - if (s->tlsext_debug_cb) - s->tlsext_debug_cb(s, 0, type, data, size, - s->tlsext_debug_arg); + if (s->internal->tlsext_debug_cb) + s->internal->tlsext_debug_cb(s, 0, type, data, size, + s->internal->tlsext_debug_arg); /* The servername extension is treated as follows: - Only the hostname type is supported with a maximum length of 255. @@ -1395,8 +1395,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, } } else if (type == TLSEXT_TYPE_session_ticket) { - if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { + if (s->internal->tls_session_ticket_ext_cb && + !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } @@ -1645,9 +1645,9 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) if (end - data < size) goto err; - if (s->tlsext_debug_cb) - s->tlsext_debug_cb(s, 1, type, data, size, - s->tlsext_debug_arg); + if (s->internal->tlsext_debug_cb) + s->internal->tlsext_debug_cb(s, 1, type, data, size, + s->internal->tlsext_debug_arg); if (type == TLSEXT_TYPE_server_name) { if (s->tlsext_hostname == NULL || size > 0) { @@ -1690,8 +1690,8 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) } } else if (type == TLSEXT_TYPE_session_ticket) { - if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { + if (s->internal->tls_session_ticket_ext_cb && + !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } @@ -2035,7 +2035,7 @@ ssl_check_serverhello_tlsext(SSL *s) * ret: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. * - * If s->tls_session_secret_cb is set then we are expecting a pre-shared key + * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key * ciphersuite, in which case we have no use for session tickets and one will * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. * @@ -2044,14 +2044,14 @@ ssl_check_serverhello_tlsext(SSL *s) * 0: no ticket was found (or was ignored, based on settings). * 1: a zero length extension was found, indicating that the client supports * session tickets but doesn't currently have one to offer. - * 2: either s->tls_session_secret_cb was set, or a ticket was offered but + * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but * couldn't be decrypted because of a non-fatal error. * 3: a ticket was successfully decrypted and *ret was set. * * Side effects: * Sets s->tlsext_ticket_expected to 1 if the server will have to issue * a new session ticket to the client because the client indicated support - * (and s->tls_session_secret_cb is NULL) but the client either doesn't have + * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have * a session ticket or we couldn't use the one it gave us, or if * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. * Otherwise, s->tlsext_ticket_expected is set to 0. @@ -2119,7 +2119,7 @@ tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, s->tlsext_ticket_expected = 1; return 1; } - if (s->tls_session_secret_cb) { + if (s->internal->tls_session_secret_cb) { /* Indicate that the ticket couldn't be * decrypted rather than generating the session * from ticket now, trigger abbreviated -- cgit v1.2.3-55-g6feb