From f38881420fba9a207cd725b6a35181faeecf26b9 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 23 Jan 2017 05:13:02 +0000 Subject: Move most of the fields in SSL_CTX to internal - the ones that remain are known to be in use. ok beck@ --- src/lib/libssl/d1_srtp.c | 8 +-- src/lib/libssl/s3_clnt.c | 14 ++--- src/lib/libssl/s3_lib.c | 22 +++---- src/lib/libssl/s3_srvr.c | 16 ++--- src/lib/libssl/ssl.h | 55 +---------------- src/lib/libssl/ssl_cert.c | 10 ++-- src/lib/libssl/ssl_lib.c | 147 +++++++++++++++++++++++----------------------- src/lib/libssl/ssl_locl.h | 58 +++++++++++++++++- src/lib/libssl/ssl_rsa.c | 14 ++--- src/lib/libssl/ssl_sess.c | 56 +++++++++--------- src/lib/libssl/t1_lib.c | 11 ++-- 11 files changed, 209 insertions(+), 202 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c index 45ce5b8d3e..7b80d73d14 100644 --- a/src/lib/libssl/d1_srtp.c +++ b/src/lib/libssl/d1_srtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srtp.c,v 1.15 2015/07/31 00:35:06 doug Exp $ */ +/* $OpenBSD: d1_srtp.c,v 1.16 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -217,7 +217,7 @@ ssl_ctx_make_profiles(const char *profiles_string, int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) { - return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles); + return ssl_ctx_make_profiles(profiles, &ctx->internal->srtp_profiles); } int @@ -234,8 +234,8 @@ SSL_get_srtp_profiles(SSL *s) if (s->srtp_profiles != NULL) { return s->srtp_profiles; } else if ((s->ctx != NULL) && - (s->ctx->srtp_profiles != NULL)) { - return s->ctx->srtp_profiles; + (s->ctx->internal->srtp_profiles != NULL)) { + return s->ctx->internal->srtp_profiles; } } diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index c606091e10..8c1a87f38e 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.166 2017/01/23 04:55:26 beck Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.167 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1484,8 +1484,8 @@ ssl3_get_server_key_exchange(SSL *s) q = md_buf; for (num = 2; num > 0; num--) { if (!EVP_DigestInit_ex(&md_ctx, - (num == 2) ? s->ctx->md5 : s->ctx->sha1, - NULL)) { + (num == 2) ? s->ctx->internal->md5 : + s->ctx->internal->sha1, NULL)) { al = SSL_AD_INTERNAL_ERROR; goto f_err; } @@ -2755,10 +2755,10 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) int i = 0; #ifndef OPENSSL_NO_ENGINE - if (s->ctx->client_cert_engine) { - i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, - SSL_get_client_CA_list(s), - px509, ppkey, NULL, NULL, NULL); + if (s->ctx->internal->client_cert_engine) { + i = ENGINE_load_ssl_client_cert( + s->ctx->internal->client_cert_engine, s, + SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL); if (i != 0) return (i); } diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 8e52c8bb4a..3e44d5e4c1 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.123 2017/01/23 04:55:26 beck Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.124 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2195,7 +2195,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { CERT *cert; - cert = ctx->cert; + cert = ctx->internal->cert; switch (cmd) { case SSL_CTRL_NEED_TMP_RSA: @@ -2225,7 +2225,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (0); case SSL_CTRL_SET_DH_AUTO: - ctx->cert->dh_tmp_auto = larg; + ctx->internal->cert->dh_tmp_auto = larg; return (1); case SSL_CTRL_SET_TMP_ECDH: @@ -2279,16 +2279,16 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return 0; } if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { - memcpy(ctx->tlsext_tick_key_name, keys, 16); - memcpy(ctx->tlsext_tick_hmac_key, + memcpy(ctx->internal->tlsext_tick_key_name, keys, 16); + memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16); - memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); + memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16); } else { - memcpy(keys, ctx->tlsext_tick_key_name, 16); + memcpy(keys, ctx->internal->tlsext_tick_key_name, 16); memcpy(keys + 16, - ctx->tlsext_tick_hmac_key, 16); + ctx->internal->tlsext_tick_hmac_key, 16); memcpy(keys + 32, - ctx->tlsext_tick_aes_key, 16); + ctx->internal->tlsext_tick_aes_key, 16); } return 1; } @@ -2299,7 +2299,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; case SSL_CTRL_SET_ECDH_AUTO: - ctx->cert->ecdh_tmp_auto = larg; + ctx->internal->cert->ecdh_tmp_auto = larg; return 1; /* A Thawte special :-) */ @@ -2333,7 +2333,7 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) { CERT *cert; - cert = ctx->cert; + cert = ctx->internal->cert; switch (cmd) { case SSL_CTRL_SET_TMP_RSA_CB: diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 21849487ea..5717d5edda 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.145 2017/01/23 04:55:27 beck Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.146 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1129,7 +1129,7 @@ ssl3_send_server_hello(SSL *s) * so the following won't overwrite an ID that we're supposed * to send back. */ - if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) + if (!(s->ctx->internal->session_cache_mode & SSL_SESS_CACHE_SERVER) && !s->hit) s->session->session_id_length = 0; @@ -1553,8 +1553,8 @@ ssl3_send_server_key_exchange(SSL *s) j = 0; for (num = 2; num > 0; num--) { if (!EVP_DigestInit_ex(&md_ctx, - (num == 2) ? s->ctx->md5 : - s->ctx->sha1, NULL)) + (num == 2) ? s->ctx->internal->md5 : + s->ctx->internal->sha1, NULL)) goto err; EVP_DigestUpdate(&md_ctx, s->s3->client_random, @@ -2751,10 +2751,10 @@ ssl3_send_newsession_ticket(SSL *s) } else { arc4random_buf(iv, 16); EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, - tctx->tlsext_tick_aes_key, iv); - HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, - tlsext_tick_md(), NULL); - memcpy(key_name, tctx->tlsext_tick_key_name, 16); + tctx->internal->tlsext_tick_aes_key, iv); + HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key, + 16, tlsext_tick_md(), NULL); + memcpy(key_name, tctx->internal->tlsext_tick_key_name, 16); } /* diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 4080af8999..9fc6c5e976 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.111 2017/01/23 04:55:27 beck Exp $ */ +/* $OpenBSD: ssl.h,v 1.112 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -689,23 +689,8 @@ struct ssl_ctx_st { const SSL_METHOD *method; STACK_OF(SSL_CIPHER) *cipher_list; - /* same as above but sorted for lookup */ - STACK_OF(SSL_CIPHER) *cipher_list_by_id; struct x509_store_st /* X509_STORE */ *cert_store; - struct lhash_st_SSL_SESSION *sessions; - /* Most session-ids that will be cached, default is - * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ - unsigned long session_cache_size; - struct ssl_session_st *session_cache_head; - struct ssl_session_st *session_cache_tail; - - /* This can have one of 2 values, ored together, - * SSL_SESS_CACHE_CLIENT, - * SSL_SESS_CACHE_SERVER, - * Default is SSL_SESSION_CACHE_SERVER, which means only - * SSL_accept which cache SSL_SESSIONS. */ - int session_cache_mode; /* If timeout is not 0, it is the default timeout value set * when SSL_new() is called. This has been put in to make @@ -714,26 +699,12 @@ struct ssl_ctx_st { int references; - CRYPTO_EX_DATA ex_data; - - const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ - const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ - - STACK_OF(X509) *extra_certs; - - /* Default values used when no per-SSL value is defined follow */ - - /* what we put in client cert requests */ - STACK_OF(X509_NAME) *client_CA; - /* Default values to use in SSL structures follow (these are copied by SSL_new) */ unsigned long options; unsigned long mode; - long max_cert_list; - struct cert_st /* CERT */ *cert; - int read_ahead; + STACK_OF(X509) *extra_certs; int verify_mode; unsigned int sid_ctx_length; @@ -741,28 +712,6 @@ struct ssl_ctx_st { X509_VERIFY_PARAM *param; - int quiet_shutdown; - - /* Maximum amount of data to send in one fragment. - * actual record size can be more than this due to - * padding and MAC overheads. - */ - unsigned int max_send_fragment; - -#ifndef OPENSSL_NO_ENGINE - /* Engine to pass requests for client certs to - */ - ENGINE *client_cert_engine; -#endif - - /* RFC 4507 session ticket keys */ - unsigned char tlsext_tick_key_name[16]; - unsigned char tlsext_tick_hmac_key[16]; - unsigned char tlsext_tick_aes_key[16]; - - /* SRTP profiles we are willing to do from RFC 5764 */ - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; - struct ssl_ctx_internal_st *internal; }; diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 13591aec9c..496fcf85bc 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.56 2017/01/23 04:55:27 beck Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.57 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -492,13 +492,13 @@ SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(ctx->client_CA), name_list); + set_client_CA_list(&(ctx->internal->client_CA), name_list); } STACK_OF(X509_NAME) * SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { - return (ctx->client_CA); + return (ctx->internal->client_CA); } STACK_OF(X509_NAME) * @@ -515,7 +515,7 @@ SSL_get_client_CA_list(const SSL *s) if (s->client_CA != NULL) return (s->client_CA); else - return (s->ctx->client_CA); + return (s->ctx->internal->client_CA); } } @@ -548,7 +548,7 @@ SSL_add_client_CA(SSL *ssl, X509 *x) int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) { - return (add_client_CA(&(ctx->client_CA), x)); + return (add_client_CA(&(ctx->internal->client_CA), x)); } static int diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index c9af96e48e..036a13b36a 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.133 2017/01/23 04:55:27 beck Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.134 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -251,7 +251,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), - &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); + &(ctx->internal->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); @@ -286,9 +286,9 @@ SSL_new(SSL_CTX *ctx) s->options = ctx->options; s->mode = ctx->mode; - s->max_cert_list = ctx->max_cert_list; + s->max_cert_list = ctx->internal->max_cert_list; - if (ctx->cert != NULL) { + if (ctx->internal->cert != NULL) { /* * Earlier library versions used to copy the pointer to * the CERT, not its contents; only when setting new @@ -300,13 +300,13 @@ SSL_new(SSL_CTX *ctx) * Now we don't look at the SSL_CTX's CERT after having * duplicated it once. */ - s->cert = ssl_cert_dup(ctx->cert); + s->cert = ssl_cert_dup(ctx->internal->cert); if (s->cert == NULL) goto err; } else s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ - s->read_ahead = ctx->read_ahead; + s->read_ahead = ctx->internal->read_ahead; s->internal->msg_callback = ctx->internal->msg_callback; s->internal->msg_callback_arg = ctx->internal->msg_callback_arg; s->verify_mode = ctx->verify_mode; @@ -320,8 +320,8 @@ SSL_new(SSL_CTX *ctx) if (!s->param) goto err; X509_VERIFY_PARAM_inherit(s->param, ctx->param); - s->quiet_shutdown = ctx->quiet_shutdown; - s->max_send_fragment = ctx->max_send_fragment; + s->quiet_shutdown = ctx->internal->quiet_shutdown; + s->max_send_fragment = ctx->internal->max_send_fragment; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->ctx = ctx; @@ -441,7 +441,7 @@ SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, memcpy(r.session_id, id, id_len); CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r); + p = lh_SSL_SESSION_retrieve(ssl->ctx->internal->sessions, &r); CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); return (p != NULL); } @@ -876,19 +876,19 @@ SSL_copy_session_id(SSL *t, const SSL *f) int SSL_CTX_check_private_key(const SSL_CTX *ctx) { - if ((ctx == NULL) || (ctx->cert == NULL) || - (ctx->cert->key->x509 == NULL)) { + if ((ctx == NULL) || (ctx->internal->cert == NULL) || + (ctx->internal->cert->key->x509 == NULL)) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); return (0); } - if (ctx->cert->key->privatekey == NULL) { + if (ctx->internal->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return (0); } - return (X509_check_private_key(ctx->cert->key->x509, - ctx->cert->key->privatekey)); + return (X509_check_private_key(ctx->internal->cert->key->x509, + ctx->internal->cert->key->privatekey)); } /* Fix this function so that it takes an optional type parameter */ @@ -1114,7 +1114,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) struct lhash_st_SSL_SESSION * SSL_CTX_sessions(SSL_CTX *ctx) { - return (ctx->sessions); + return (ctx->internal->sessions); } long @@ -1124,10 +1124,10 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (ctx->read_ahead); + return (ctx->internal->read_ahead); case SSL_CTRL_SET_READ_AHEAD: - l = ctx->read_ahead; - ctx->read_ahead = larg; + l = ctx->internal->read_ahead; + ctx->internal->read_ahead = larg; return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: @@ -1135,27 +1135,27 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (1); case SSL_CTRL_GET_MAX_CERT_LIST: - return (ctx->max_cert_list); + return (ctx->internal->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: - l = ctx->max_cert_list; - ctx->max_cert_list = larg; + l = ctx->internal->max_cert_list; + ctx->internal->max_cert_list = larg; return (l); case SSL_CTRL_SET_SESS_CACHE_SIZE: - l = ctx->session_cache_size; - ctx->session_cache_size = larg; + l = ctx->internal->session_cache_size; + ctx->internal->session_cache_size = larg; return (l); case SSL_CTRL_GET_SESS_CACHE_SIZE: - return (ctx->session_cache_size); + return (ctx->internal->session_cache_size); case SSL_CTRL_SET_SESS_CACHE_MODE: - l = ctx->session_cache_mode; - ctx->session_cache_mode = larg; + l = ctx->internal->session_cache_mode; + ctx->internal->session_cache_mode = larg; return (l); case SSL_CTRL_GET_SESS_CACHE_MODE: - return (ctx->session_cache_mode); + return (ctx->internal->session_cache_mode); case SSL_CTRL_SESS_NUMBER: - return (lh_SSL_SESSION_num_items(ctx->sessions)); + return (lh_SSL_SESSION_num_items(ctx->internal->sessions)); case SSL_CTRL_SESS_CONNECT: return (ctx->internal->stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: @@ -1189,7 +1189,7 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return (0); - ctx->max_send_fragment = larg; + ctx->internal->max_send_fragment = larg; return (1); default: return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); @@ -1264,8 +1264,8 @@ ssl_get_ciphers_by_id(SSL *s) if (s->cipher_list_by_id != NULL) { return (s->cipher_list_by_id); } else if ((s->ctx != NULL) && - (s->ctx->cipher_list_by_id != NULL)) { - return (s->ctx->cipher_list_by_id); + (s->ctx->internal->cipher_list_by_id != NULL)) { + return (s->ctx->internal->cipher_list_by_id); } } return (NULL); @@ -1296,14 +1296,14 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) STACK_OF(SSL_CIPHER) *sk; sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - &ctx->cipher_list_by_id, str); + &ctx->internal->cipher_list_by_id, str); /* * ssl_create_cipher_list may return an empty stack if it * was unable to find a cipher matching the given rule string * (for example if the rule string specifies a cipher which * has been disabled). This is not an error as far as * ssl_create_cipher_list is concerned, and hence - * ctx->cipher_list and ctx->cipher_list_by_id has been + * ctx->cipher_list and ctx->internal->cipher_list_by_id has been * updated. */ if (sk == NULL) @@ -1823,10 +1823,10 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->method = meth; ret->cert_store = NULL; - ret->session_cache_mode = SSL_SESS_CACHE_SERVER; - ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; - ret->session_cache_head = NULL; - ret->session_cache_tail = NULL; + ret->internal->session_cache_mode = SSL_SESS_CACHE_SERVER; + ret->internal->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; + ret->internal->session_cache_head = NULL; + ret->internal->session_cache_tail = NULL; /* We take the system default */ ret->session_timeout = meth->get_timeout(); @@ -1839,21 +1839,21 @@ SSL_CTX_new(const SSL_METHOD *meth) memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats)); ret->references = 1; - ret->quiet_shutdown = 0; + ret->internal->quiet_shutdown = 0; ret->internal->info_callback = NULL; ret->internal->app_verify_callback = 0; ret->internal->app_verify_arg = NULL; - ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; - ret->read_ahead = 0; + ret->internal->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; + ret->internal->read_ahead = 0; ret->internal->msg_callback = 0; ret->internal->msg_callback_arg = NULL; ret->verify_mode = SSL_VERIFY_NONE; ret->sid_ctx_length = 0; ret->internal->default_verify_callback = NULL; - if ((ret->cert = ssl_cert_new()) == NULL) + if ((ret->internal->cert = ssl_cert_new()) == NULL) goto err; ret->internal->default_passwd_callback = 0; @@ -1862,15 +1862,15 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->internal->app_gen_cookie_cb = 0; ret->internal->app_verify_cookie_cb = 0; - ret->sessions = lh_SSL_SESSION_new(); - if (ret->sessions == NULL) + ret->internal->sessions = lh_SSL_SESSION_new(); + if (ret->internal->sessions == NULL) goto err; ret->cert_store = X509_STORE_new(); if (ret->cert_store == NULL) goto err; ssl_create_cipher_list(ret->method, &ret->cipher_list, - &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); + &ret->internal->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); @@ -1881,41 +1881,42 @@ SSL_CTX_new(const SSL_METHOD *meth) if (!ret->param) goto err; - if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { + if ((ret->internal->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); goto err2; } - if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { + if ((ret->internal->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); goto err2; } - if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) + if ((ret->internal->client_CA = sk_X509_NAME_new_null()) == NULL) goto err; - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->internal->ex_data); ret->extra_certs = NULL; - ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; + ret->internal->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; ret->internal->tlsext_servername_callback = 0; ret->internal->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ - arc4random_buf(ret->tlsext_tick_key_name, 16); - arc4random_buf(ret->tlsext_tick_hmac_key, 16); - arc4random_buf(ret->tlsext_tick_aes_key, 16); + arc4random_buf(ret->internal->tlsext_tick_key_name, 16); + arc4random_buf(ret->internal->tlsext_tick_hmac_key, 16); + arc4random_buf(ret->internal->tlsext_tick_aes_key, 16); ret->internal->tlsext_status_cb = 0; ret->internal->tlsext_status_arg = NULL; ret->internal->next_protos_advertised_cb = 0; ret->internal->next_proto_select_cb = 0; + #ifndef OPENSSL_NO_ENGINE - ret->client_cert_engine = NULL; + ret->internal->client_cert_engine = NULL; #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO #define eng_strx(x) #x #define eng_str(x) eng_strx(x) @@ -1972,35 +1973,35 @@ SSL_CTX_free(SSL_CTX *a) * free ex_data, then finally free the cache. * (See ticket [openssl.org #212].) */ - if (a->sessions != NULL) + if (a->internal->sessions != NULL) SSL_CTX_flush_sessions(a, 0); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->internal->ex_data); - if (a->sessions != NULL) - lh_SSL_SESSION_free(a->sessions); + if (a->internal->sessions != NULL) + lh_SSL_SESSION_free(a->internal->sessions); if (a->cert_store != NULL) X509_STORE_free(a->cert_store); if (a->cipher_list != NULL) sk_SSL_CIPHER_free(a->cipher_list); - if (a->cipher_list_by_id != NULL) - sk_SSL_CIPHER_free(a->cipher_list_by_id); - if (a->cert != NULL) - ssl_cert_free(a->cert); - if (a->client_CA != NULL) - sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); + if (a->internal->cipher_list_by_id != NULL) + sk_SSL_CIPHER_free(a->internal->cipher_list_by_id); + if (a->internal->cert != NULL) + ssl_cert_free(a->internal->cert); + if (a->internal->client_CA != NULL) + sk_X509_NAME_pop_free(a->internal->client_CA, X509_NAME_free); if (a->extra_certs != NULL) sk_X509_pop_free(a->extra_certs, X509_free); #ifndef OPENSSL_NO_SRTP - if (a->srtp_profiles) - sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); + if (a->internal->srtp_profiles) + sk_SRTP_PROTECTION_PROFILE_free(a->internal->srtp_profiles); #endif #ifndef OPENSSL_NO_ENGINE - if (a->client_cert_engine) - ENGINE_finish(a->client_cert_engine); + if (a->internal->client_cert_engine) + ENGINE_finish(a->internal->client_cert_engine); #endif free(a->internal->alpn_client_proto_list); @@ -2272,7 +2273,7 @@ ssl_update_cache(SSL *s, int mode) if (s->session->session_id_length == 0) return; - i = s->session_ctx->session_cache_mode; + i = s->session_ctx->internal->session_cache_mode; if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) || SSL_CTX_add_session(s->session_ctx, s->session)) && (s->session_ctx->internal->new_session_cb != NULL)) { @@ -2839,13 +2840,13 @@ ssl_free_wbio_buffer(SSL *s) void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { - ctx->quiet_shutdown = mode; + ctx->internal->quiet_shutdown = mode; } int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { - return (ctx->quiet_shutdown); + return (ctx->internal->quiet_shutdown); } void @@ -2893,7 +2894,7 @@ SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) return (ssl->ctx); if (ctx == NULL) ctx = ssl->initial_ctx; - ssl->cert = ssl_cert_dup(ctx->cert); + ssl->cert = ssl_cert_dup(ctx->internal->cert); if (ocert != NULL) { int i; /* Copy negotiated digests from original certificate. */ @@ -2992,13 +2993,13 @@ SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); + return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg)); } void * SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) { - return (CRYPTO_get_ex_data(&s->ex_data, idx)); + return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); } int diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 60bb5597e8..83ffb1103f 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.155 2017/01/23 04:55:27 beck Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.156 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -451,6 +451,21 @@ typedef struct ssl_ctx_internal_st { int (*tlsext_status_cb)(SSL *ssl, void *arg); void *tlsext_status_arg; + struct lhash_st_SSL_SESSION *sessions; + + /* Most session-ids that will be cached, default is + * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ + unsigned long session_cache_size; + struct ssl_session_st *session_cache_head; + struct ssl_session_st *session_cache_tail; + + /* This can have one of 2 values, ored together, + * SSL_SESS_CACHE_CLIENT, + * SSL_SESS_CACHE_SERVER, + * Default is SSL_SESSION_CACHE_SERVER, which means only + * SSL_accept which cache SSL_SESSIONS. */ + int session_cache_mode; + struct { int sess_connect; /* SSL new conn - started */ int sess_connect_renegotiate;/* SSL reneg - requested */ @@ -470,6 +485,47 @@ typedef struct ssl_ctx_internal_st { * processes - spooky :-) */ } stats; + CRYPTO_EX_DATA ex_data; + + /* same cipher_list but sorted for lookup */ + STACK_OF(SSL_CIPHER) *cipher_list_by_id; + + struct cert_st /* CERT */ *cert; + + const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ + const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ + + /* Default values used when no per-SSL value is defined follow */ + + /* what we put in client cert requests */ + STACK_OF(X509_NAME) *client_CA; + + long max_cert_list; + + int read_ahead; + + int quiet_shutdown; + + /* Maximum amount of data to send in one fragment. + * actual record size can be more than this due to + * padding and MAC overheads. + */ + unsigned int max_send_fragment; + +#ifndef OPENSSL_NO_ENGINE + /* Engine to pass requests for client certs to + */ + ENGINE *client_cert_engine; +#endif + + /* RFC 4507 session ticket keys */ + unsigned char tlsext_tick_key_name[16]; + unsigned char tlsext_tick_hmac_key[16]; + unsigned char tlsext_tick_aes_key[16]; + + /* SRTP profiles we are willing to do from RFC 5764 */ + STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; + /* Next protocol negotiation information */ /* (for experimental NPN extension). */ diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 647cc4bfd8..cbb1c0b562 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_rsa.c,v 1.22 2017/01/23 04:15:28 jsing Exp $ */ +/* $OpenBSD: ssl_rsa.c,v 1.23 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -353,11 +353,11 @@ SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ctx->cert)) { + if (!ssl_cert_inst(&ctx->internal->cert)) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); return (0); } - return (ssl_set_cert(ctx->cert, x)); + return (ssl_set_cert(ctx->internal->cert, x)); } static int @@ -486,7 +486,7 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ctx->cert)) { + if (!ssl_cert_inst(&ctx->internal->cert)) { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); return (0); } @@ -498,7 +498,7 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey, rsa); - ret = ssl_set_pkey(ctx->cert, pkey); + ret = ssl_set_pkey(ctx->internal->cert, pkey); EVP_PKEY_free(pkey); return (ret); } @@ -569,11 +569,11 @@ SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ctx->cert)) { + if (!ssl_cert_inst(&ctx->internal->cert)) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); return (0); } - return (ssl_set_pkey(ctx->cert, pkey)); + return (ssl_set_pkey(ctx->internal->cert, pkey)); } int diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 541b143384..c114e6ec07 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.59 2017/01/23 04:55:27 beck Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.60 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -449,7 +449,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, } if (try_session_cache && ret == NULL && - !(s->session_ctx->session_cache_mode & + !(s->session_ctx->internal->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { SSL_SESSION data; data.ssl_version = s->version; @@ -457,7 +457,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, memcpy(data.session_id, session_id, len); CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data); + ret = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data); if (ret != NULL) { /* Don't allow other threads to steal it. */ CRYPTO_add(&ret->references, 1, @@ -493,7 +493,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, * Add the externally cached session to the internal * cache as well if and only if we are supposed to. */ - if (!(s->session_ctx->session_cache_mode & + if (!(s->session_ctx->internal->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) /* * The following should not return 1, @@ -593,12 +593,12 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) * later. */ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - s = lh_SSL_SESSION_insert(ctx->sessions, c); + s = lh_SSL_SESSION_insert(ctx->internal->sessions, c); /* * s != NULL iff we already had a session with the given PID. * In this case, s == c should hold (then we did not really modify - * ctx->sessions), or we're in trouble. + * ctx->internal->sessions), or we're in trouble. */ if (s != NULL && s != c) { /* We *are* in trouble ... */ @@ -638,7 +638,7 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) { if (!remove_session_lock(ctx, - ctx->session_cache_tail, 0)) + ctx->internal->session_cache_tail, 0)) break; else ctx->internal->stats.sess_cache_full++; @@ -664,9 +664,9 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if ((c != NULL) && (c->session_id_length != 0)) { if (lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) { + if ((r = lh_SSL_SESSION_retrieve(ctx->internal->sessions, c)) == c) { ret = 1; - r = lh_SSL_SESSION_delete(ctx->sessions, c); + r = lh_SSL_SESSION_delete(ctx->internal->sessions, c); SSL_SESSION_list_remove(ctx, c); } if (lck) @@ -934,7 +934,7 @@ SSL_CTX_flush_sessions(SSL_CTX *s, long t) TIMEOUT_PARAM tp; tp.ctx = s; - tp.cache = s->sessions; + tp.cache = s->internal->sessions; if (tp.cache == NULL) return; tp.time = t; @@ -965,23 +965,23 @@ SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) if ((s->next == NULL) || (s->prev == NULL)) return; - if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) { + if (s->next == (SSL_SESSION *)&(ctx->internal->session_cache_tail)) { /* last element in list */ - if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { + if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) { /* only one element in list */ - ctx->session_cache_head = NULL; - ctx->session_cache_tail = NULL; + ctx->internal->session_cache_head = NULL; + ctx->internal->session_cache_tail = NULL; } else { - ctx->session_cache_tail = s->prev; + ctx->internal->session_cache_tail = s->prev; s->prev->next = - (SSL_SESSION *)&(ctx->session_cache_tail); + (SSL_SESSION *)&(ctx->internal->session_cache_tail); } } else { - if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { + if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) { /* first element in list */ - ctx->session_cache_head = s->next; + ctx->internal->session_cache_head = s->next; s->next->prev = - (SSL_SESSION *)&(ctx->session_cache_head); + (SSL_SESSION *)&(ctx->internal->session_cache_head); } else { /* middle of list */ s->next->prev = s->prev; @@ -997,16 +997,16 @@ SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) if ((s->next != NULL) && (s->prev != NULL)) SSL_SESSION_list_remove(ctx, s); - if (ctx->session_cache_head == NULL) { - ctx->session_cache_head = s; - ctx->session_cache_tail = s; - s->prev = (SSL_SESSION *)&(ctx->session_cache_head); - s->next = (SSL_SESSION *)&(ctx->session_cache_tail); + if (ctx->internal->session_cache_head == NULL) { + ctx->internal->session_cache_head = s; + ctx->internal->session_cache_tail = s; + s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head); + s->next = (SSL_SESSION *)&(ctx->internal->session_cache_tail); } else { - s->next = ctx->session_cache_head; + s->next = ctx->internal->session_cache_head; s->next->prev = s; - s->prev = (SSL_SESSION *)&(ctx->session_cache_head); - ctx->session_cache_head = s; + s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head); + ctx->internal->session_cache_head = s; } } @@ -1091,7 +1091,7 @@ SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) ENGINE_finish(e); return 0; } - ctx->client_cert_engine = e; + ctx->internal->client_cert_engine = e; return 1; } #endif diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index b2d9883900..0dbd83fecf 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.101 2017/01/23 04:55:27 beck Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.102 2017/01/23 05:13:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2206,12 +2206,13 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, renew_ticket = 1; } else { /* Check key name matches */ - if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) + if (timingsafe_memcmp(etick, + tctx->internal->tlsext_tick_key_name, 16)) return 2; - HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, - tlsext_tick_md(), NULL); + HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key, + 16, tlsext_tick_md(), NULL); EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, - tctx->tlsext_tick_aes_key, etick + 16); + tctx->internal->tlsext_tick_aes_key, etick + 16); } /* -- cgit v1.2.3-55-g6feb