From fdee32bae021d93d570e88a1dbbea0b3bad2c1e0 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 23 Jan 2017 01:22:08 +0000 Subject: Move not_resumable and sess_cert from SSL_SESSION to internal. ok beck@ --- src/lib/libssl/s3_clnt.c | 38 +++++++++++++++++++------------------- src/lib/libssl/s3_lib.c | 6 +++--- src/lib/libssl/s3_srvr.c | 14 +++++++------- src/lib/libssl/ssl.h | 13 ++++--------- src/lib/libssl/ssl_lib.c | 6 +++--- src/lib/libssl/ssl_locl.h | 10 +++++++++- src/lib/libssl/ssl_sess.c | 10 +++++----- 7 files changed, 50 insertions(+), 47 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 18e34f7b7b..2c272032b5 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.163 2017/01/23 00:12:54 jsing Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.164 2017/01/23 01:22:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -600,7 +600,7 @@ ssl3_client_hello(SSL *s) if ((sess == NULL) || (sess->ssl_version != s->version) || (!sess->session_id_length && !sess->tlsext_tick) || - (sess->not_resumable)) { + (sess->internal->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; } @@ -1037,9 +1037,9 @@ ssl3_get_server_certificate(SSL *s) sc = ssl_sess_cert_new(); if (sc == NULL) goto err; - if (s->session->sess_cert) - ssl_sess_cert_free(s->session->sess_cert); - s->session->sess_cert = sc; + if (SSI(s)->sess_cert) + ssl_sess_cert_free(SSI(s)->sess_cert); + SSI(s)->sess_cert = sc; sc->cert_chain = sk; /* @@ -1114,7 +1114,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) int al; alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; - sc = s->session->sess_cert; + sc = SSI(s)->sess_cert; if (*nn < 0) goto err; @@ -1281,7 +1281,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) int al; alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; - sc = s->session->sess_cert; + sc = SSI(s)->sess_cert; if (*nn < 0) goto err; @@ -1397,18 +1397,18 @@ ssl3_get_server_key_exchange(SSL *s) return (1); } - if (s->session->sess_cert != NULL) { - DH_free(s->session->sess_cert->peer_dh_tmp); - s->session->sess_cert->peer_dh_tmp = NULL; + if (SSI(s)->sess_cert != NULL) { + DH_free(SSI(s)->sess_cert->peer_dh_tmp); + SSI(s)->sess_cert->peer_dh_tmp = NULL; - EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); - s->session->sess_cert->peer_ecdh_tmp = NULL; + EC_KEY_free(SSI(s)->sess_cert->peer_ecdh_tmp); + SSI(s)->sess_cert->peer_ecdh_tmp = NULL; - free(s->session->sess_cert->peer_x25519_tmp); - s->session->sess_cert->peer_x25519_tmp = NULL; + free(SSI(s)->sess_cert->peer_x25519_tmp); + SSI(s)->sess_cert->peer_x25519_tmp = NULL; } else { - s->session->sess_cert = ssl_sess_cert_new(); - if (s->session->sess_cert == NULL) + SSI(s)->sess_cert = ssl_sess_cert_new(); + if (SSI(s)->sess_cert == NULL) goto err; } @@ -2341,7 +2341,7 @@ ssl3_send_client_key_exchange(SSL *s) if (s->state == SSL3_ST_CW_KEY_EXCH_A) { alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; - if ((sess_cert = s->session->sess_cert) == NULL) { + if ((sess_cert = SSI(s)->sess_cert) == NULL) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, @@ -2636,13 +2636,13 @@ ssl3_check_cert_and_algorithm(SSL *s) if (alg_a & SSL_aNULL) return (1); - sc = s->session->sess_cert; + sc = SSI(s)->sess_cert; if (sc == NULL) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR); goto err; } - dh = s->session->sess_cert->peer_dh_tmp; + dh = SSI(s)->sess_cert->peer_dh_tmp; /* This is the passed certificate. */ diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 990ce2153d..ae2586912c 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.120 2017/01/22 09:02:07 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.121 2017/01/23 01:22:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1928,10 +1928,10 @@ ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp) if (s->server != 0) return 0; - if (s->session == NULL || s->session->sess_cert == NULL) + if (s->session == NULL || SSI(s)->sess_cert == NULL) return 0; - sc = s->session->sess_cert; + sc = SSI(s)->sess_cert; if ((pkey = EVP_PKEY_new()) == NULL) return 0; diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index a18b218207..ebdb10cb91 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.142 2017/01/23 00:12:54 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.143 2017/01/23 01:22:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2593,17 +2593,17 @@ ssl3_get_client_certificate(SSL *s) * With the current implementation, sess_cert will always be NULL * when we arrive here */ - if (s->session->sess_cert == NULL) { - s->session->sess_cert = ssl_sess_cert_new(); - if (s->session->sess_cert == NULL) { + if (SSI(s)->sess_cert == NULL) { + SSI(s)->sess_cert = ssl_sess_cert_new(); + if (SSI(s)->sess_cert == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); goto err; } } - if (s->session->sess_cert->cert_chain != NULL) - sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); - s->session->sess_cert->cert_chain = sk; + if (SSI(s)->sess_cert->cert_chain != NULL) + sk_X509_pop_free(SSI(s)->sess_cert->cert_chain, X509_free); + SSI(s)->sess_cert->cert_chain = sk; /* * Inconsistency alert: cert_chain does *not* include the diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 5904872c92..dce72d8c25 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.108 2017/01/23 01:04:23 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.109 2017/01/23 01:22:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -464,28 +464,23 @@ struct ssl_session_st { int master_key_length; unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; + /* session_id - valid? */ unsigned int session_id_length; unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + /* this is used to determine whether the session is being reused in * the appropriate context. It is up to the application to set this, * via SSL_new */ unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - /* Used to indicate that session resumption is not allowed. - * Applications can also set this bit for a new session via - * not_resumable_session_cb to disable session caching and tickets. */ - int not_resumable; - - /* The cert is the certificate used to establish this connection */ - struct sess_cert_st /* SESS_CERT */ *sess_cert; - /* This is the cert for the other end. * On clients, it will be the same as sess_cert->peer_key->x509 * (the latter is not enough as sess_cert is not retained * in the external representation of sessions, see ssl_asn1.c). */ X509 *peer; + /* when app_verify_callback accepts a session where the peer's certificate * is not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index f4bb212865..1e529e85de 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.130 2017/01/23 00:12:54 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.131 2017/01/23 01:22:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -826,10 +826,10 @@ SSL_get_peer_cert_chain(const SSL *s) STACK_OF(X509) *r; if ((s == NULL) || (s->session == NULL) || - (s->session->sess_cert == NULL)) + (SSI(s)->sess_cert == NULL)) r = NULL; else - r = s->session->sess_cert->cert_chain; + r = SSI(s)->sess_cert->cert_chain; /* * If we are a client, cert_chain includes the peer's own diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 3f63b1de2f..2eace2567d 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.152 2017/01/23 00:12:55 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.153 2017/01/23 01:22:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -373,6 +373,14 @@ __BEGIN_HIDDEN_DECLS #define NAMED_CURVE_TYPE 3 typedef struct ssl_session_internal_st { + /* Used to indicate that session resumption is not allowed. + * Applications can also set this bit for a new session via + * not_resumable_session_cb to disable session caching and tickets. */ + int not_resumable; + + /* The cert is the certificate used to establish this connection */ + struct sess_cert_st /* SESS_CERT */ *sess_cert; + size_t tlsext_ecpointformatlist_length; uint8_t *tlsext_ecpointformatlist; /* peer's list */ size_t tlsext_ellipticcurvelist_length; diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 7f03d12d35..2520843cc0 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.56 2017/01/23 00:12:55 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.57 2017/01/23 01:22:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -673,7 +673,7 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); if (ret) { - r->not_resumable = 1; + r->internal->not_resumable = 1; if (ctx->remove_session_cb != NULL) ctx->remove_session_cb(ctx, r); SSL_SESSION_free(r); @@ -699,8 +699,8 @@ SSL_SESSION_free(SSL_SESSION *ss) explicit_bzero(ss->master_key, sizeof ss->master_key); explicit_bzero(ss->session_id, sizeof ss->session_id); - if (ss->sess_cert != NULL) - ssl_sess_cert_free(ss->sess_cert); + if (ss->internal->sess_cert != NULL) + ssl_sess_cert_free(ss->internal->sess_cert); X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); @@ -910,7 +910,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) * save on locking overhead */ (void)lh_SSL_SESSION_delete(p->cache, s); SSL_SESSION_list_remove(p->ctx, s); - s->not_resumable = 1; + s->internal->not_resumable = 1; if (p->ctx->remove_session_cb != NULL) p->ctx->remove_session_cb(p->ctx, s); SSL_SESSION_free(s); -- cgit v1.2.3-55-g6feb