From d43892e9652017c33ea2cf69639dc9a01090be5f Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 23 Jan 2017 14:35:42 +0000 Subject: Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions. --- src/lib/libssl/d1_pkt.c | 8 ++++---- src/lib/libssl/s23_clnt.c | 8 ++++---- src/lib/libssl/s23_srvr.c | 6 +++--- src/lib/libssl/s3_both.c | 6 +++--- src/lib/libssl/s3_lib.c | 8 ++++---- src/lib/libssl/s3_pkt.c | 16 ++++++++-------- src/lib/libssl/s3_srvr.c | 8 ++++---- src/lib/libssl/ssl.h | 9 +++------ src/lib/libssl/ssl_lib.c | 46 +++++++++++++++++++++++----------------------- src/lib/libssl/ssl_locl.h | 8 +++++++- src/lib/libssl/t1_enc.c | 4 ++-- src/lib/libssl/t1_lib.c | 9 +++++---- 12 files changed, 70 insertions(+), 66 deletions(-) (limited to 'src') diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index c64aa8f106..f15b64364e 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.57 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.58 2017/01/23 14:35:42 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -894,7 +894,7 @@ start: return (-1); } - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { + if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { if (s->s3->rbuf.left == 0) /* no read-ahead left? */ { BIO *bio; @@ -1049,7 +1049,7 @@ start: return (-1); } - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { + if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { if (s->s3->rbuf.left == 0) /* no read-ahead left? */ { BIO *bio; @@ -1258,7 +1258,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) * (this is a bit of a boundary violation, but what the heck). */ if (s->internal->enc_write_ctx && - (EVP_CIPHER_mode( s->internal->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE)) + (EVP_CIPHER_mode(s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) bs = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher); else bs = 0; diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index 282e0bd3c7..b2dc912a9c 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_clnt.c,v 1.55 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: s23_clnt.c,v 1.56 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -372,15 +372,15 @@ ssl23_get_server_hello(SSL *s) /* we have sslv3 or tls1 (server hello or alert) */ if ((p[2] == TLS1_VERSION_MINOR) && - !(s->options & SSL_OP_NO_TLSv1)) { + !(s->internal->options & SSL_OP_NO_TLSv1)) { s->version = TLS1_VERSION; s->method = TLSv1_client_method(); } else if ((p[2] == TLS1_1_VERSION_MINOR) && - !(s->options & SSL_OP_NO_TLSv1_1)) { + !(s->internal->options & SSL_OP_NO_TLSv1_1)) { s->version = TLS1_1_VERSION; s->method = TLSv1_1_client_method(); } else if ((p[2] == TLS1_2_VERSION_MINOR) && - !(s->options & SSL_OP_NO_TLSv1_2)) { + !(s->internal->options & SSL_OP_NO_TLSv1_2)) { s->version = TLS1_2_VERSION; s->method = TLSv1_2_client_method(); } else { diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index f85b50994e..1cd6721d1f 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_srvr.c,v 1.56 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: s23_srvr.c,v 1.57 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -279,7 +279,7 @@ ssl23_get_client_hello(SSL *s) if (!ssl_max_shared_version(s, client_version, &shared_version)) { - if (s->options & SSL_OP_NO_TLSv1) + if (s->internal->options & SSL_OP_NO_TLSv1) goto unsupported; /* * We won't be able to use TLS of course, @@ -310,7 +310,7 @@ ssl23_get_client_hello(SSL *s) * only to "backward" versions of TLS. If we have moved * on to modernity, just say no. */ - if (s->options & SSL_OP_NO_TLSv1) + if (s->internal->options & SSL_OP_NO_TLSv1) goto unsupported; type = 2; diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c index 7490a183fb..033831e23d 100644 --- a/src/lib/libssl/s3_both.c +++ b/src/lib/libssl/s3_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_both.c,v 1.55 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: s3_both.c,v 1.56 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -352,7 +352,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x) if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) goto err; - if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) + if ((s->internal->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) no_chain = 1; /* TLSv1 sends a chain with nothing in it, instead of an alert. */ @@ -698,7 +698,7 @@ ssl3_setup_write_buffer(SSL *s) if (s->s3->wbuf.buf == NULL) { len = s->max_send_fragment + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; - if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index a42ac73335..18a4cb64e8 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.127 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.128 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2056,7 +2056,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (ret); } ecdh = (EC_KEY *)parg; - if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) { + if (!(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) { if (!EC_KEY_generate_key(ecdh)) { EC_KEY_free(ecdh); SSLerr(SSL_F_SSL3_CTRL, @@ -2243,7 +2243,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ERR_R_EC_LIB); return 0; } - if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) { + if (!(ctx->internal->options & SSL_OP_SINGLE_ECDH_USE)) { if (!EC_KEY_generate_key(ecdh)) { EC_KEY_free(ecdh); SSLerr(SSL_F_SSL3_CTX_CTRL, @@ -2413,7 +2413,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * but would have to pay with the price of sk_SSL_CIPHER_dup(). */ - if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { + if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio = srvr; allow = clnt; } else { diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 40ab55b6ee..a9737a7f40 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_pkt.c,v 1.67 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: s3_pkt.c,v 1.68 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -238,7 +238,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) if (i <= 0) { rb->left = left; - if (s->mode & SSL_MODE_RELEASE_BUFFERS && + if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s)) { if (len + left == 0) ssl3_release_read_buffer(s); @@ -540,7 +540,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA && - (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { + (s->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { /* * Next chunk of data should get another prepended * empty fragment in ciphersuites with known-IV @@ -770,7 +770,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) /* XXXX */ if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) && - !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || + !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || (S3I(s)->wpend_type != type)) { SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY); return (-1); @@ -790,7 +790,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) if (i == wb->left) { wb->left = 0; wb->offset += i; - if (s->mode & SSL_MODE_RELEASE_BUFFERS && + if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s)) ssl3_release_write_buffer(s); s->internal->rwstate = SSL_NOTHING; @@ -983,7 +983,7 @@ start: if (rr->length == 0) { s->internal->rstate = SSL_ST_READ_HEADER; rr->off = 0; - if (s->mode & SSL_MODE_RELEASE_BUFFERS && + if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) ssl3_release_read_buffer(s); } @@ -1068,7 +1068,7 @@ start: return (-1); } - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { + if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ /* In the case where we try to read application data, @@ -1230,7 +1230,7 @@ start: return (-1); } - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { + if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ BIO *bio; /* In the case where we try to read application data, diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 59320ea0f6..4c6caf0eed 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.149 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.150 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -824,7 +824,7 @@ ssl3_get_client_hello(SSL *s) * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * ignored. */ - if ((s->internal->new_session && (s->options & + if ((s->internal->new_session && (s->internal->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s, 1)) goto err; @@ -1315,7 +1315,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) if ((EC_KEY_get0_public_key(ecdh) == NULL) || (EC_KEY_get0_private_key(ecdh) == NULL) || - (s->options & SSL_OP_SINGLE_ECDH_USE)) { + (s->internal->options & SSL_OP_SINGLE_ECDH_USE)) { if (!EC_KEY_generate_key(ecdh)) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); @@ -1769,7 +1769,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such * clients. */ - if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && + if (!((s->internal->options & SSL_OP_TLS_ROLLBACK_BUG) && (p[0] == (s->version >> 8)) && (p[1] == (s->version & 0xff)))) { al = SSL_AD_DECODE_ERROR; diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 037f46c400..28b7de6667 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.118 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.119 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -672,9 +672,6 @@ struct ssl_ctx_st { /* Default values to use in SSL structures follow (these are copied by SSL_new) */ - unsigned long options; - unsigned long mode; - STACK_OF(X509) *extra_certs; int verify_mode; @@ -852,10 +849,10 @@ struct ssl_st { long verify_result; int references; - unsigned long options; /* protocol behaviour */ - unsigned long mode; /* API behaviour */ + int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ + unsigned int max_send_fragment; char *tlsext_hostname; diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index edcbe9d20a..20b671022d 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.139 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.140 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -284,8 +284,8 @@ SSL_new(SSL_CTX *ctx) return (NULL); } - s->options = ctx->options; - s->mode = ctx->mode; + s->internal->options = ctx->internal->options; + s->internal->mode = ctx->internal->mode; s->internal->max_cert_list = ctx->internal->max_cert_list; if (ctx->internal->cert != NULL) { @@ -1059,13 +1059,13 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg) return (1); case SSL_CTRL_OPTIONS: - return (s->options|=larg); + return (s->internal->options|=larg); case SSL_CTRL_CLEAR_OPTIONS: - return (s->options&=~larg); + return (s->internal->options&=~larg); case SSL_CTRL_MODE: - return (s->mode|=larg); + return (s->internal->mode|=larg); case SSL_CTRL_CLEAR_MODE: - return (s->mode &=~larg); + return (s->internal->mode &=~larg); case SSL_CTRL_GET_MAX_CERT_LIST: return (s->internal->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: @@ -1181,13 +1181,13 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SESS_CACHE_FULL: return (ctx->internal->stats.sess_cache_full); case SSL_CTRL_OPTIONS: - return (ctx->options|=larg); + return (ctx->internal->options|=larg); case SSL_CTRL_CLEAR_OPTIONS: - return (ctx->options&=~larg); + return (ctx->internal->options&=~larg); case SSL_CTRL_MODE: - return (ctx->mode|=larg); + return (ctx->internal->mode|=larg); case SSL_CTRL_CLEAR_MODE: - return (ctx->mode&=~larg); + return (ctx->internal->mode&=~larg); case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return (0); @@ -1941,7 +1941,7 @@ SSL_CTX_new(const SSL_METHOD *meth) * Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ - ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + ret->internal->options |= SSL_OP_LEGACY_SERVER_CONNECT; return (ret); err: @@ -2516,18 +2516,18 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) min_version = 0; max_version = TLS1_2_VERSION; - if ((s->options & SSL_OP_NO_TLSv1) == 0) + if ((s->internal->options & SSL_OP_NO_TLSv1) == 0) min_version = TLS1_VERSION; - else if ((s->options & SSL_OP_NO_TLSv1_1) == 0) + else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0) min_version = TLS1_1_VERSION; - else if ((s->options & SSL_OP_NO_TLSv1_2) == 0) + else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0) min_version = TLS1_2_VERSION; - if ((s->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) + if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) max_version = TLS1_1_VERSION; - if ((s->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) + if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) max_version = TLS1_VERSION; - if ((s->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) + if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) max_version = 0; /* Everything has been disabled... */ @@ -2586,13 +2586,13 @@ ssl_max_server_version(SSL *s) if (SSL_IS_DTLS(s)) return (DTLS1_VERSION); - if ((s->options & SSL_OP_NO_TLSv1_2) == 0 && + if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0 && max_version >= TLS1_2_VERSION) return (TLS1_2_VERSION); - if ((s->options & SSL_OP_NO_TLSv1_1) == 0 && + if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0 && max_version >= TLS1_1_VERSION) return (TLS1_1_VERSION); - if ((s->options & SSL_OP_NO_TLSv1) == 0 && + if ((s->internal->options & SSL_OP_NO_TLSv1) == 0 && max_version >= TLS1_VERSION) return (TLS1_VERSION); @@ -2642,8 +2642,8 @@ SSL_dup(SSL *s) s->sid_ctx, s->sid_ctx_length); } - ret->options = s->options; - ret->mode = s->mode; + ret->internal->options = s->internal->options; + ret->internal->mode = s->internal->mode; SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); ret->internal->msg_callback = s->internal->msg_callback; diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index df1e12bf39..d0d72cbfdf 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.161 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.162 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -434,6 +434,9 @@ typedef struct ssl_ctx_internal_st { uint16_t min_version; uint16_t max_version; + unsigned long options; + unsigned long mode; + /* If this callback is not null, it will be called each * time a session id is added to the cache. If this function * returns 1, it means that the callback will do a @@ -612,6 +615,9 @@ typedef struct ssl_internal_st { uint16_t min_version; uint16_t max_version; + unsigned long options; /* protocol behaviour */ + unsigned long mode; /* API behaviour */ + /* Next protocol negotiation. For the client, this is the protocol that * we sent in NextProtocol and is set when handling ServerHello * extensions. diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index c0abe762e6..3181b63e39 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.92 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.93 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -783,7 +783,7 @@ tls1_setup_key_block(SSL *s) if (!tls1_generate_key_block(s, key_block, tmp_block, key_block_len)) goto err; - if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && + if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && s->method->internal->version <= TLS1_VERSION) { /* * Enable vulnerability countermeasure for CBC ciphers with diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 8e7b1b5167..00af9778ad 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.105 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.106 2017/01/23 14:35:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -435,7 +435,7 @@ tls1_get_shared_curve(SSL *s) return (NID_undef); /* Return first preference shared curve. */ - server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); + server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE); tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); @@ -916,7 +916,7 @@ skip_ext: * NB: because this code works out the length of all existing * extensions it MUST always appear last. */ - if (s->options & SSL_OP_TLSEXT_PADDING) { + if (s->internal->options & SSL_OP_TLSEXT_PADDING) { int hlen = ret - (unsigned char *)s->internal->init_buf->data; /* @@ -1832,7 +1832,8 @@ ri_check: * which doesn't support RI so for the immediate future tolerate RI * absence on initial connect only. */ - if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { + if (!renegotiate_seen && + !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -- cgit v1.2.3-55-g6feb