From: jsing Date: Sun, 2 Oct 2022 16:36:41 +0000 (+0000) Subject: Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=6f7f653bdce12c3bf7154538acc2a490fa5fbf65;p=openbsd Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL. These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL. Prompted by tb@ --- diff --git a/lib/libssl/bio_ssl.c b/lib/libssl/bio_ssl.c index e86b9d83f2c..e78bbc18511 100644 --- a/lib/libssl/bio_ssl.c +++ b/lib/libssl/bio_ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_ssl.c,v 1.33 2022/01/14 09:12:53 tb Exp $ */ +/* $OpenBSD: bio_ssl.c,v 1.34 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -294,10 +294,10 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_RESET: SSL_shutdown(ssl); - if (ssl->internal->handshake_func == + if (ssl->handshake_func == ssl->method->ssl_connect) SSL_set_connect_state(ssl); - else if (ssl->internal->handshake_func == + else if (ssl->handshake_func == ssl->method->ssl_accept) SSL_set_accept_state(ssl); diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c index fd7c07a4d5c..4f7f8be6cef 100644 --- a/lib/libssl/d1_both.c +++ b/lib/libssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.81 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: d1_both.c,v 1.82 2022/10/02 16:36:41 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -206,7 +206,7 @@ dtls1_hm_fragment_free(hm_fragment *frag) free(frag); } -/* send s->internal->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ +/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ int dtls1_do_write(SSL *s, int type) { @@ -237,15 +237,15 @@ dtls1_do_write(SSL *s, int type) OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */ - if (s->internal->init_off == 0 && type == SSL3_RT_HANDSHAKE) - OPENSSL_assert(s->internal->init_num == + if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) + OPENSSL_assert(s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); - if (!tls12_record_layer_write_overhead(s->internal->rl, &overhead)) + if (!tls12_record_layer_write_overhead(s->rl, &overhead)) return -1; frag_off = 0; - while (s->internal->init_num) { + while (s->init_num) { curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - DTLS1_RT_HEADER_LENGTH - overhead; @@ -258,22 +258,22 @@ dtls1_do_write(SSL *s, int type) overhead; } - if (s->internal->init_num > curr_mtu) + if (s->init_num > curr_mtu) len = curr_mtu; else - len = s->internal->init_num; + len = s->init_num; /* XDTLS: this function is too long. split out the CCS part */ if (type == SSL3_RT_HANDSHAKE) { - if (s->internal->init_off != 0) { - OPENSSL_assert(s->internal->init_off > DTLS1_HM_HEADER_LENGTH); - s->internal->init_off -= DTLS1_HM_HEADER_LENGTH; - s->internal->init_num += DTLS1_HM_HEADER_LENGTH; + if (s->init_off != 0) { + OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH); + s->init_off -= DTLS1_HM_HEADER_LENGTH; + s->init_num += DTLS1_HM_HEADER_LENGTH; - if (s->internal->init_num > curr_mtu) + if (s->init_num > curr_mtu) len = curr_mtu; else - len = s->internal->init_num; + len = s->init_num; } dtls1_fix_message_header(s, frag_off, @@ -281,14 +281,14 @@ dtls1_do_write(SSL *s, int type) if (!dtls1_write_message_header(&s->d1->w_msg_hdr, s->d1->w_msg_hdr.frag_off, s->d1->w_msg_hdr.frag_len, - (unsigned char *)&s->internal->init_buf->data[s->internal->init_off])) + (unsigned char *)&s->init_buf->data[s->init_off])) return -1; OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH); } ret = dtls1_write_bytes(s, type, - &s->internal->init_buf->data[s->internal->init_off], len); + &s->init_buf->data[s->init_off], len); if (ret < 0) { /* * Might need to update MTU here, but we don't know @@ -319,7 +319,7 @@ dtls1_do_write(SSL *s, int type) * but in that case we'll ignore the result * anyway */ - unsigned char *p = (unsigned char *)&s->internal->init_buf->data[s->internal->init_off]; + unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; int xlen; @@ -340,21 +340,21 @@ dtls1_do_write(SSL *s, int type) tls1_transcript_record(s, p, xlen); } - if (ret == s->internal->init_num) { - if (s->internal->msg_callback) - s->internal->msg_callback(1, s->version, type, - s->internal->init_buf->data, - (size_t)(s->internal->init_off + s->internal->init_num), - s, s->internal->msg_callback_arg); + if (ret == s->init_num) { + if (s->msg_callback) + s->msg_callback(1, s->version, type, + s->init_buf->data, + (size_t)(s->init_off + s->init_num), + s, s->msg_callback_arg); - s->internal->init_off = 0; + s->init_off = 0; /* done writing this message */ - s->internal->init_num = 0; + s->init_num = 0; return (1); } - s->internal->init_off += ret; - s->internal->init_num -= ret; + s->init_off += ret; + s->init_num -= ret; frag_off += (ret -= DTLS1_HM_HEADER_LENGTH); } } @@ -377,7 +377,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) int i, al, ok; /* - * s3->internal->tmp is used to store messages that are unexpected, caused + * s3->tmp is used to store messages that are unexpected, caused * by the absence of an optional handshake message */ if (s->s3->hs.tls12.reuse_message) { @@ -387,8 +387,8 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto fatal_err; } - s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; - s->internal->init_num = (int)s->s3->hs.tls12.message_size; + s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; + s->init_num = (int)s->s3->hs.tls12.message_size; return 1; } @@ -403,7 +403,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) else if (i <= 0 && !ok) return i; - p = (unsigned char *)s->internal->init_buf->data; + p = (unsigned char *)s->init_buf->data; msg_len = msg_hdr->msg_len; /* reconstruct message header */ @@ -413,9 +413,9 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) msg_len += DTLS1_HM_HEADER_LENGTH; tls1_transcript_record(s, p, msg_len); - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, - s, s->internal->msg_callback_arg); + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, + s, s->msg_callback_arg); memset(msg_hdr, 0, sizeof(struct hm_header_st)); @@ -423,7 +423,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) if (!s->d1->listen) s->d1->handshake_read_seq++; - s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; + s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; return 1; fatal_err: @@ -457,7 +457,7 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) * msg_len is limited to 2^24, but is effectively checked * against max above */ - if (!BUF_MEM_grow_clean(s->internal->init_buf, + if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { SSLerror(s, ERR_R_BUF_LIB); return SSL_AD_INTERNAL_ERROR; @@ -486,8 +486,8 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) /* * (0) check whether the desired fragment is available * if so: - * (1) copy over the fragment to s->internal->init_buf->data[] - * (2) update s->internal->init_num + * (1) copy over the fragment to s->init_buf->data[] + * (2) update s->init_num */ pitem *item; hm_fragment *frag; @@ -512,7 +512,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) if (al == 0) /* no alert */ { - unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; + unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment, frag->msg_header.frag_len); } @@ -526,7 +526,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) } ssl3_send_alert(s, SSL3_AL_FATAL, al); - s->internal->init_num = 0; + s->init_num = 0; *ok = 0; return -1; } else @@ -544,8 +544,8 @@ dtls1_max_handshake_message_len(const SSL *s) unsigned long max_len; max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; - if (max_len < (unsigned long)s->internal->max_cert_list) - return s->internal->max_cert_list; + if (max_len < (unsigned long)s->max_cert_list) + return s->max_cert_list; return max_len; } @@ -749,7 +749,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) { if (*ok) - s->internal->init_num = frag_len; + s->init_num = frag_len; return frag_len; } @@ -758,7 +758,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) DTLS1_HM_HEADER_LENGTH, 0); if (i <= 0) { /* nbio, or an error */ - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; *ok = 0; return i; } @@ -797,13 +797,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) * 'Finished' MAC. */ if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, wire, DTLS1_HM_HEADER_LENGTH, s, - s->internal->msg_callback_arg); + s->msg_callback_arg); - s->internal->init_num = 0; + s->init_num = 0; goto again; } else /* Incorrectly formated Hello request */ @@ -821,13 +821,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) s->s3->hs.state = stn; if (frag_len > 0) { - unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; + unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[frag_off], frag_len, 0); /* XDTLS: fix this--message fragments cannot span multiple packets */ if (i <= 0) { - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; *ok = 0; return i; } @@ -845,18 +845,18 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) } /* - * Note that s->internal->init_num is *not* used as current offset in - * s->internal->init_buf->data, but as a counter summing up fragments' + * Note that s->init_num is *not* used as current offset in + * s->init_buf->data, but as a counter summing up fragments' * lengths: as soon as they sum up to handshake packet * length, we assume we have got all the fragments. */ - s->internal->init_num = frag_len; + s->init_num = frag_len; *ok = 1; return frag_len; fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); - s->internal->init_num = 0; + s->init_num = 0; *ok = 0; return (-1); @@ -948,17 +948,17 @@ dtls1_buffer_message(SSL *s, int is_ccs) * This function is called immediately after a message has * been serialized */ - OPENSSL_assert(s->internal->init_off == 0); + OPENSSL_assert(s->init_off == 0); - frag = dtls1_hm_fragment_new(s->internal->init_num, 0); + frag = dtls1_hm_fragment_new(s->init_num, 0); if (frag == NULL) return 0; - memcpy(frag->fragment, s->internal->init_buf->data, s->internal->init_num); + memcpy(frag->fragment, s->init_buf->data, s->init_num); OPENSSL_assert(s->d1->w_msg_hdr.msg_len + (is_ccs ? DTLS1_CCS_HEADER_LENGTH : DTLS1_HM_HEADER_LENGTH) == - (unsigned int)s->internal->init_num); + (unsigned int)s->init_num); frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; frag->msg_header.seq = s->d1->w_msg_hdr.seq; @@ -970,7 +970,7 @@ dtls1_buffer_message(SSL *s, int is_ccs) /* save current state*/ frag->msg_header.saved_retransmit_state.session = s->session; frag->msg_header.saved_retransmit_state.epoch = - tls12_record_layer_write_epoch(s->internal->rl); + tls12_record_layer_write_epoch(s->rl); memset(seq64be, 0, sizeof(seq64be)); seq64be[6] = (unsigned char)(dtls1_get_queue_priority( @@ -1001,8 +1001,8 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, struct dtls1_retransmit_state saved_state; /* - OPENSSL_assert(s->internal->init_num == 0); - OPENSSL_assert(s->internal->init_off == 0); + OPENSSL_assert(s->init_num == 0); + OPENSSL_assert(s->init_off == 0); */ /* XDTLS: the requested message ought to be found, otherwise error */ @@ -1027,9 +1027,9 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, else header_length = DTLS1_HM_HEADER_LENGTH; - memcpy(s->internal->init_buf->data, frag->fragment, + memcpy(s->init_buf->data, frag->fragment, frag->msg_header.msg_len + header_length); - s->internal->init_num = frag->msg_header.msg_len + header_length; + s->init_num = frag->msg_header.msg_len + header_length; dtls1_set_message_header_int(s, frag->msg_header.type, frag->msg_header.msg_len, frag->msg_header.seq, 0, @@ -1037,13 +1037,13 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, /* save current state */ saved_state.session = s->session; - saved_state.epoch = tls12_record_layer_write_epoch(s->internal->rl); + saved_state.epoch = tls12_record_layer_write_epoch(s->rl); s->d1->retransmitting = 1; /* restore state in which the message was originally sent */ s->session = frag->msg_header.saved_retransmit_state.session; - if (!tls12_record_layer_use_write_epoch(s->internal->rl, + if (!tls12_record_layer_use_write_epoch(s->rl, frag->msg_header.saved_retransmit_state.epoch)) return 0; @@ -1052,7 +1052,7 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, /* restore current state */ s->session = saved_state.session; - if (!tls12_record_layer_use_write_epoch(s->internal->rl, + if (!tls12_record_layer_use_write_epoch(s->rl, saved_state.epoch)) return 0; @@ -1073,7 +1073,7 @@ dtls1_clear_record_buffer(SSL *s) item = pqueue_pop(s->d1->sent_messages)) { frag = item->data; if (frag->msg_header.is_ccs) - tls12_record_layer_write_epoch_done(s->internal->rl, + tls12_record_layer_write_epoch_done(s->rl, frag->msg_header.saved_retransmit_state.epoch); dtls1_hm_fragment_free(frag); pitem_free(item); diff --git a/lib/libssl/d1_lib.c b/lib/libssl/d1_lib.c index 770734e6ffb..cf4c5100d5e 100644 --- a/lib/libssl/d1_lib.c +++ b/lib/libssl/d1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_lib.c,v 1.61 2021/10/23 13:36:03 jsing Exp $ */ +/* $OpenBSD: d1_lib.c,v 1.62 2022/10/02 16:36:41 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -187,7 +187,7 @@ dtls1_clear(SSL *s) memset(s->d1, 0, sizeof(*s->d1)); s->d1->unprocessed_rcds.epoch = - tls12_record_layer_read_epoch(s->internal->rl) + 1; + tls12_record_layer_read_epoch(s->rl) + 1; if (s->server) { s->d1->cookie_len = sizeof(s->d1->cookie); diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c index 456f871a436..1431434ba86 100644 --- a/lib/libssl/d1_pkt.c +++ b/lib/libssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.123 2022/03/26 15:05:53 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.124 2022/10/02 16:36:41 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -193,8 +193,8 @@ dtls1_copy_record(SSL *s, DTLS1_RECORD_DATA_INTERNAL *rdata) { ssl3_release_buffer(&s->s3->rbuf); - s->internal->packet = rdata->packet; - s->internal->packet_length = rdata->packet_length; + s->packet = rdata->packet; + s->packet_length = rdata->packet_length; memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD_INTERNAL)); @@ -216,15 +216,15 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) if (rdata == NULL || item == NULL) goto init_err; - rdata->packet = s->internal->packet; - rdata->packet_length = s->internal->packet_length; + rdata->packet = s->packet; + rdata->packet_length = s->packet_length; memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD_INTERNAL)); item->data = rdata; - s->internal->packet = NULL; - s->internal->packet_length = 0; + s->packet = NULL; + s->packet_length = 0; memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER_INTERNAL)); memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD_INTERNAL)); @@ -271,13 +271,13 @@ dtls1_process_buffered_record(SSL *s) { /* Check if epoch is current. */ if (s->d1->unprocessed_rcds.epoch != - tls12_record_layer_read_epoch(s->internal->rl)) + tls12_record_layer_read_epoch(s->rl)) return (0); /* Update epoch once all unprocessed records have been processed. */ if (pqueue_peek(s->d1->unprocessed_rcds.q) == NULL) { s->d1->unprocessed_rcds.epoch = - tls12_record_layer_read_epoch(s->internal->rl) + 1; + tls12_record_layer_read_epoch(s->rl) + 1; return (0); } @@ -298,11 +298,11 @@ dtls1_process_record(SSL *s) uint8_t *out; size_t out_len; - tls12_record_layer_set_version(s->internal->rl, s->version); + tls12_record_layer_set_version(s->rl, s->version); - if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, - s->internal->packet_length, &out, &out_len)) { - tls12_record_layer_alert(s->internal->rl, &alert_desc); + if (!tls12_record_layer_open_record(s->rl, s->packet, + s->packet_length, &out, &out_len)) { + tls12_record_layer_alert(s->rl, &alert_desc); if (alert_desc == 0) goto err; @@ -327,7 +327,7 @@ dtls1_process_record(SSL *s) rr->length = out_len; rr->off = 0; - s->internal->packet_length = 0; + s->packet_length = 0; return (1); @@ -341,9 +341,9 @@ dtls1_process_record(SSL *s) * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. * When it finishes, one packet has been decoded and can be found in - * ssl->s3->internal->rrec.type - is the type of record - * ssl->s3->internal->rrec.data, - data - * ssl->s3->internal->rrec.length, - number of bytes + * ssl->s3->rrec.type - is the type of record + * ssl->s3->rrec.data, - data + * ssl->s3->rrec.length, - number of bytes */ /* used only by dtls1_read_bytes */ int @@ -364,12 +364,12 @@ dtls1_get_record(SSL *s) again: /* dump this record on all retries */ rr->length = 0; - s->internal->packet_length = 0; + s->packet_length = 0; } /* check if we have the header */ - if ((s->internal->rstate != SSL_ST_READ_BODY) || - (s->internal->packet_length < DTLS1_RT_HEADER_LENGTH)) { + if ((s->rstate != SSL_ST_READ_BODY) || + (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { CBS header, seq_no; uint16_t epoch, len, ssl_version; uint8_t type; @@ -382,9 +382,9 @@ dtls1_get_record(SSL *s) if (n != DTLS1_RT_HEADER_LENGTH) goto again; - s->internal->rstate = SSL_ST_READ_BODY; + s->rstate = SSL_ST_READ_BODY; - CBS_init(&header, s->internal->packet, s->internal->packet_length); + CBS_init(&header, s->packet, s->packet_length); /* Pull apart the header into the DTLS1_RECORD */ if (!CBS_get_u8(&header, &type)) @@ -409,7 +409,7 @@ dtls1_get_record(SSL *s) rr->length = len; /* unexpected version, silently discard */ - if (!s->internal->first_packet && ssl_version != s->version) + if (!s->first_packet && ssl_version != s->version) goto again; /* wrong version, silently discard record */ @@ -420,11 +420,11 @@ dtls1_get_record(SSL *s) if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) goto again; - /* now s->internal->rstate == SSL_ST_READ_BODY */ + /* now s->rstate == SSL_ST_READ_BODY */ p = (unsigned char *)CBS_data(&header); } - /* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */ + /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ n = ssl3_packet_extend(s, DTLS1_RT_HEADER_LENGTH + rr->length); if (n <= 0) @@ -434,7 +434,7 @@ dtls1_get_record(SSL *s) if (n != DTLS1_RT_HEADER_LENGTH + rr->length) goto again; - s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ + s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ /* match epochs. NULL means the packet is dropped on the floor */ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); @@ -463,7 +463,7 @@ dtls1_get_record(SSL *s) * anything while listening. */ if (is_next_epoch) { - if ((SSL_in_init(s) || s->internal->in_handshake) && !s->d1->listen) { + if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { if (dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) return (-1); @@ -490,7 +490,7 @@ dtls1_read_handshake_unexpected(SSL *s) CBS cbs; int ret; - if (s->internal->in_handshake) { + if (s->in_handshake) { SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } @@ -506,7 +506,7 @@ dtls1_read_handshake_unexpected(SSL *s) return -1; /* XXX - probably should drop/continue. */ /* This may just be a stale retransmit. */ - if (rr->epoch != tls12_record_layer_read_epoch(s->internal->rl)) { + if (rr->epoch != tls12_record_layer_read_epoch(s->rl)) { rr->length = 0; return 1; } @@ -556,7 +556,7 @@ dtls1_read_handshake_unexpected(SSL *s) s->d1->handshake_read_seq++; /* XXX - why is this set here but not in ssl3? */ - s->internal->new_session = 1; + s->new_session = 1; if (!ssl3_renegotiate(s)) return 1; @@ -589,7 +589,7 @@ dtls1_read_handshake_unexpected(SSL *s) return -1; } - if ((s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { + if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); return -1; @@ -609,8 +609,8 @@ dtls1_read_handshake_unexpected(SSL *s) } s->s3->hs.state = SSL_ST_ACCEPT; - s->internal->renegotiate = 1; - s->internal->new_session = 1; + s->renegotiate = 1; + s->new_session = 1; } else if (hs_msg_hdr.type == SSL3_MT_FINISHED && s->server) { /* @@ -634,14 +634,14 @@ dtls1_read_handshake_unexpected(SSL *s) return -1; } - if ((ret = s->internal->handshake_func(s)) < 0) + if ((ret = s->handshake_func(s)) < 0) return ret; if (ret == 0) { SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } - if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { if (s->s3->rbuf.left == 0) { ssl_force_want_read(s); return -1; @@ -710,8 +710,8 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - if (SSL_in_init(s) && !s->internal->in_handshake) { - if ((ret = s->internal->handshake_func(s)) < 0) + if (SSL_in_init(s) && !s->in_handshake) { + if ((ret = s->handshake_func(s)) < 0) return ret; if (ret == 0) { SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); @@ -733,7 +733,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; rr = &s->s3->rrec; @@ -747,7 +747,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (dtls1_handle_timeout(s) > 0) goto start; - if (rr->length == 0 || s->internal->rstate == SSL_ST_READ_BODY) { + if (rr->length == 0 || s->rstate == SSL_ST_READ_BODY) { if ((ret = dtls1_get_record(s)) <= 0) { /* Anything other than a timeout is an error. */ if ((ret = dtls1_read_failed(s, ret)) <= 0) @@ -783,8 +783,8 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * If the other end has shut down, throw anything we read away (even in * 'peek' mode). */ - if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { + s->rwstate = SSL_NOTHING; rr->length = 0; return 0; } @@ -796,7 +796,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * are doing a handshake for the first time. */ if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA && - !tls12_record_layer_read_protected(s->internal->rl)) { + !tls12_record_layer_read_protected(s->rl)) { SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); @@ -817,7 +817,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) rr->length -= n; rr->off += n; if (rr->length == 0) { - s->internal->rstate = SSL_ST_READ_HEADER; + s->rstate = SSL_ST_READ_HEADER; rr->off = 0; } } @@ -836,8 +836,8 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) goto start; } - if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; + if (s->shutdown & SSL_SENT_SHUTDOWN) { + s->rwstate = SSL_NOTHING; rr->length = 0; return (0); } @@ -891,9 +891,9 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) { int i; - if (SSL_in_init(s) && !s->internal->in_handshake) + if (SSL_in_init(s) && !s->in_handshake) { - i = s->internal->handshake_func(s); + i = s->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -920,7 +920,7 @@ dtls1_write_bytes(SSL *s, int type, const void *buf, int len) int i; OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; i = do_dtls1_write(s, type, buf, len); return i; } @@ -959,9 +959,9 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) if (!CBB_init_fixed(&cbb, wb->buf, wb->len)) goto err; - tls12_record_layer_set_version(s->internal->rl, s->version); + tls12_record_layer_set_version(s->rl, s->version); - if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) + if (!tls12_record_layer_seal_record(s->rl, type, buf, len, &cbb)) goto err; if (!CBB_finish(&cbb, NULL, &out_len)) @@ -1035,7 +1035,7 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) *is_next_epoch = 0; - read_epoch = tls12_record_layer_read_epoch(s->internal->rl); + read_epoch = tls12_record_layer_read_epoch(s->rl); read_epoch_next = read_epoch + 1; /* In current epoch, accept HM, CCS, DATA, & ALERT */ diff --git a/lib/libssl/d1_srtp.c b/lib/libssl/d1_srtp.c index 793fa868d77..1c23409736d 100644 --- a/lib/libssl/d1_srtp.c +++ b/lib/libssl/d1_srtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srtp.c,v 1.30 2022/01/28 13:11:56 inoguchi Exp $ */ +/* $OpenBSD: d1_srtp.c,v 1.31 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -227,13 +227,13 @@ ssl_ctx_make_profiles(const char *profiles_string, int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) { - return ssl_ctx_make_profiles(profiles, &ctx->internal->srtp_profiles); + return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles); } int SSL_set_tlsext_use_srtp(SSL *s, const char *profiles) { - return ssl_ctx_make_profiles(profiles, &s->internal->srtp_profiles); + return ssl_ctx_make_profiles(profiles, &s->srtp_profiles); } @@ -241,11 +241,11 @@ STACK_OF(SRTP_PROTECTION_PROFILE) * SSL_get_srtp_profiles(SSL *s) { if (s != NULL) { - if (s->internal->srtp_profiles != NULL) { - return s->internal->srtp_profiles; + if (s->srtp_profiles != NULL) { + return s->srtp_profiles; } else if ((s->ctx != NULL) && - (s->ctx->internal->srtp_profiles != NULL)) { - return s->ctx->internal->srtp_profiles; + (s->ctx->srtp_profiles != NULL)) { + return s->ctx->srtp_profiles; } } @@ -256,7 +256,7 @@ SRTP_PROTECTION_PROFILE * SSL_get_selected_srtp_profile(SSL *s) { /* XXX cast away the const */ - return (SRTP_PROTECTION_PROFILE *)s->internal->srtp_profile; + return (SRTP_PROTECTION_PROFILE *)s->srtp_profile; } #endif diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 989165b2078..52ad16a697a 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.238 2022/08/21 19:39:44 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.239 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1441,7 +1441,7 @@ ssl3_cipher_get_value(const SSL_CIPHER *c) int ssl3_pending(const SSL *s) { - if (s->internal->rstate == SSL_ST_READ_BODY) + if (s->rstate == SSL_ST_READ_BODY) return 0; return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? @@ -1493,13 +1493,13 @@ ssl3_handshake_msg_finish(SSL *s, CBB *handshake) if (outlen > INT_MAX) goto err; - if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen)) + if (!BUF_MEM_grow_clean(s->init_buf, outlen)) goto err; - memcpy(s->internal->init_buf->data, data, outlen); + memcpy(s->init_buf->data, data, outlen); - s->internal->init_num = (int)outlen; - s->internal->init_off = 0; + s->init_num = (int)outlen; + s->init_off = 0; if (SSL_is_dtls(s)) { unsigned long len; @@ -1572,7 +1572,7 @@ ssl3_free(SSL *s) tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); - sk_X509_pop_free(s->internal->verified_chain, X509_free); + sk_X509_pop_free(s->verified_chain, X509_free); tls1_transcript_free(s); tls1_transcript_hash_free(s); @@ -1595,8 +1595,8 @@ ssl3_clear(SSL *s) tls1_cleanup_key_block(s); sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); - sk_X509_pop_free(s->internal->verified_chain, X509_free); - s->internal->verified_chain = NULL; + sk_X509_pop_free(s->verified_chain, X509_free); + s->verified_chain = NULL; freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); s->s3->hs.sigalgs = NULL; @@ -1656,7 +1656,7 @@ ssl3_clear(SSL *s) s->s3->num_renegotiations = 0; s->s3->in_read_app_data = 0; - s->internal->packet_length = 0; + s->packet_length = 0; s->version = TLS1_VERSION; s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); @@ -1725,7 +1725,7 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) static int _SSL_session_reused(SSL *s) { - return s->internal->hit; + return s->hit; } static int @@ -1834,7 +1834,7 @@ _SSL_set_tlsext_host_name(SSL *s, const char *name) static int _SSL_set_tlsext_debug_arg(SSL *s, void *arg) { - s->internal->tlsext_debug_arg = arg; + s->tlsext_debug_arg = arg; return 1; } @@ -1854,7 +1854,7 @@ _SSL_set_tlsext_status_type(SSL *s, int type) static int _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) { - *exts = s->internal->tlsext_ocsp_exts; + *exts = s->tlsext_ocsp_exts; return 1; } @@ -1862,14 +1862,14 @@ static int _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) { /* XXX - leak... */ - s->internal->tlsext_ocsp_exts = exts; + s->tlsext_ocsp_exts = exts; return 1; } static int _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) { - *ids = s->internal->tlsext_ocsp_ids; + *ids = s->tlsext_ocsp_ids; return 1; } @@ -1877,17 +1877,17 @@ static int _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) { /* XXX - leak... */ - s->internal->tlsext_ocsp_ids = ids; + s->tlsext_ocsp_ids = ids; return 1; } static int _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) { - if (s->internal->tlsext_ocsp_resp != NULL && - s->internal->tlsext_ocsp_resp_len < INT_MAX) { - *resp = s->internal->tlsext_ocsp_resp; - return (int)s->internal->tlsext_ocsp_resp_len; + if (s->tlsext_ocsp_resp != NULL && + s->tlsext_ocsp_resp_len < INT_MAX) { + *resp = s->tlsext_ocsp_resp; + return (int)s->tlsext_ocsp_resp_len; } *resp = NULL; @@ -1898,15 +1898,15 @@ _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) static int _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) { - free(s->internal->tlsext_ocsp_resp); - s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resp_len = 0; + free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resp_len = 0; if (resp_len < 0) return 0; - s->internal->tlsext_ocsp_resp = resp; - s->internal->tlsext_ocsp_resp_len = (size_t)resp_len; + s->tlsext_ocsp_resp = resp; + s->tlsext_ocsp_resp_len = (size_t)resp_len; return 1; } @@ -1955,15 +1955,15 @@ SSL_clear_chain_certs(SSL *ssl) int SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) { - return tls1_set_groups(&s->internal->tlsext_supportedgroups, - &s->internal->tlsext_supportedgroups_length, groups, groups_len); + return tls1_set_groups(&s->tlsext_supportedgroups, + &s->tlsext_supportedgroups_length, groups, groups_len); } int SSL_set1_groups_list(SSL *s, const char *groups) { - return tls1_set_group_list(&s->internal->tlsext_supportedgroups, - &s->internal->tlsext_supportedgroups_length, groups); + return tls1_set_group_list(&s->tlsext_supportedgroups, + &s->tlsext_supportedgroups_length, groups); } static int @@ -2183,7 +2183,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) return 1; case SSL_CTRL_SET_TLSEXT_DEBUG_CB: - s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int, + s->tlsext_debug_cb = (void (*)(SSL *, int , int, unsigned char *, int, void *))fp; return 1; } @@ -2211,8 +2211,8 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) return 0; } - DH_free(ctx->internal->cert->dhe_params); - ctx->internal->cert->dhe_params = dhe_params; + DH_free(ctx->cert->dhe_params); + ctx->cert->dhe_params = dhe_params; return 1; } @@ -2220,7 +2220,7 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) static int _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) { - ctx->internal->cert->dhe_params_auto = state; + ctx->cert->dhe_params_auto = state; return 1; } @@ -2248,7 +2248,7 @@ _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) static int _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) { - ctx->internal->tlsext_servername_arg = arg; + ctx->tlsext_servername_arg = arg; return 1; } @@ -2263,9 +2263,9 @@ _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) return 0; } - memcpy(keys, ctx->internal->tlsext_tick_key_name, 16); - memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16); - memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16); + memcpy(keys, ctx->tlsext_tick_key_name, 16); + memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); + memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); return 1; } @@ -2281,9 +2281,9 @@ _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) return 0; } - memcpy(ctx->internal->tlsext_tick_key_name, keys, 16); - memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16); - memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16); + memcpy(ctx->tlsext_tick_key_name, keys, 16); + memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); + memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); return 1; } @@ -2291,14 +2291,14 @@ _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) static int _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) { - *arg = ctx->internal->tlsext_status_arg; + *arg = ctx->tlsext_status_arg; return 1; } static int _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) { - ctx->internal->tlsext_status_arg = arg; + ctx->tlsext_status_arg = arg; return 1; } @@ -2331,8 +2331,8 @@ SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) { *out_chain = NULL; - if (ctx->internal->cert->key != NULL) - *out_chain = ctx->internal->cert->key->chain; + if (ctx->cert->key != NULL) + *out_chain = ctx->cert->key->chain; return 1; } @@ -2361,7 +2361,7 @@ _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) { *certs = ctx->extra_certs; if (*certs == NULL) - *certs = ctx->internal->cert->key->chain; + *certs = ctx->cert->key->chain; return 1; } @@ -2384,15 +2384,15 @@ _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) { - return tls1_set_groups(&ctx->internal->tlsext_supportedgroups, - &ctx->internal->tlsext_supportedgroups_length, groups, groups_len); + return tls1_set_groups(&ctx->tlsext_supportedgroups, + &ctx->tlsext_supportedgroups_length, groups, groups_len); } int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) { - return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups, - &ctx->internal->tlsext_supportedgroups_length, groups); + return tls1_set_group_list(&ctx->tlsext_supportedgroups, + &ctx->tlsext_supportedgroups_length, groups); } long @@ -2507,7 +2507,7 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) return 0; case SSL_CTRL_SET_TMP_DH_CB: - ctx->internal->cert->dhe_params_cb = + ctx->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; return 1; @@ -2515,20 +2515,20 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) return 1; case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: - ctx->internal->tlsext_servername_callback = + ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; return 1; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: - *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb; + *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb; return 1; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: - ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp; + ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; return 1; case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: - ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, + ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; return 1; } @@ -2559,7 +2559,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * but would have to pay with the price of sk_SSL_CIPHER_dup(). */ - if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio = srvr; allow = clnt; } else { @@ -2670,13 +2670,13 @@ ssl3_shutdown(SSL *s) * Don't do anything much if we have not done the handshake or * we don't want to send messages :-) */ - if ((s->internal->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { - s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); + if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { + s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); return (1); } - if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) { - s->internal->shutdown|=SSL_SENT_SHUTDOWN; + if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { + s->shutdown|=SSL_SENT_SHUTDOWN; ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); /* * Our shutdown alert has been sent now, and if it still needs @@ -2696,15 +2696,15 @@ ssl3_shutdown(SSL *s) */ return (ret); } - } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { + } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ s->method->ssl_read_bytes(s, 0, NULL, 0, 0); - if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { + if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { return (-1); /* return WANT_READ */ } } - if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && + if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && !s->s3->alert_dispatch) return (1); else @@ -2737,16 +2737,16 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek) peek); if ((ret == -1) && (s->s3->in_read_app_data == 2)) { /* - * ssl3_read_bytes decided to call s->internal->handshake_func, + * ssl3_read_bytes decided to call s->handshake_func, * which called ssl3_read_bytes to read handshake data. * However, ssl3_read_bytes actually found application data * and thinks that application data makes sense here; so disable * handshake processing and try to read application data again. */ - s->internal->in_handshake++; + s->in_handshake++; ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek); - s->internal->in_handshake--; + s->in_handshake--; } else s->s3->in_read_app_data = 0; @@ -2768,7 +2768,7 @@ ssl3_peek(SSL *s, void *buf, int len) int ssl3_renegotiate(SSL *s) { - if (s->internal->handshake_func == NULL) + if (s->handshake_func == NULL) return 1; if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c index 801b5bea296..93f7384762f 100644 --- a/lib/libssl/ssl_both.c +++ b/lib/libssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.43 2022/10/01 16:23:15 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.44 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -128,7 +128,7 @@ #include "ssl_locl.h" /* - * Send s->internal->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or + * Send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or * SSL3_RT_CHANGE_CIPHER_SPEC). */ int @@ -136,8 +136,8 @@ ssl3_do_write(SSL *s, int type) { int ret; - ret = ssl3_write_bytes(s, type, &s->internal->init_buf->data[s->internal->init_off], - s->internal->init_num); + ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], + s->init_num); if (ret < 0) return (-1); @@ -147,16 +147,16 @@ ssl3_do_write(SSL *s, int type) * we'll ignore the result anyway. */ tls1_transcript_record(s, - (unsigned char *)&s->internal->init_buf->data[s->internal->init_off], ret); + (unsigned char *)&s->init_buf->data[s->init_off], ret); - if (ret == s->internal->init_num) { - ssl_msg_callback(s, 1, type, s->internal->init_buf->data, - (size_t)(s->internal->init_off + s->internal->init_num)); + if (ret == s->init_num) { + ssl_msg_callback(s, 1, type, s->init_buf->data, + (size_t)(s->init_off + s->init_num)); return (1); } - s->internal->init_off += ret; - s->internal->init_num -= ret; + s->init_off += ret; + s->init_num -= ret; return (0); } @@ -207,7 +207,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, SSL_CERT_PKEY *cpk) if ((chain = cpk->chain) == NULL) chain = s->ctx->extra_certs; - if (chain != NULL || (s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { + if (chain != NULL || (s->mode & SSL_MODE_NO_AUTO_CHAIN)) { if (!ssl3_add_cert(&cert_list, cpk->x509)) goto err; } else { @@ -269,27 +269,27 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max) SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto fatal_err; } - s->internal->init_msg = s->internal->init_buf->data + + s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; - s->internal->init_num = (int)s->s3->hs.tls12.message_size; + s->init_num = (int)s->s3->hs.tls12.message_size; return 1; } - p = (unsigned char *)s->internal->init_buf->data; + p = (unsigned char *)s->init_buf->data; if (s->s3->hs.state == st1) { int skip_message; do { - while (s->internal->init_num < SSL3_HM_HEADER_LENGTH) { + while (s->init_num < SSL3_HM_HEADER_LENGTH) { i = s->method->ssl_read_bytes(s, - SSL3_RT_HANDSHAKE, &p[s->internal->init_num], - SSL3_HM_HEADER_LENGTH - s->internal->init_num, 0); + SSL3_RT_HANDSHAKE, &p[s->init_num], + SSL3_HM_HEADER_LENGTH - s->init_num, 0); if (i <= 0) { - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; return i; } - s->internal->init_num += i; + s->init_num += i; } skip_message = 0; @@ -301,7 +301,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max) * correct. Does not count for 'Finished' MAC. */ if (p[1] == 0 && p[2] == 0 &&p[3] == 0) { - s->internal->init_num = 0; + s->init_num = 0; skip_message = 1; ssl_msg_callback(s, 0, @@ -330,7 +330,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max) SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE); goto fatal_err; } - if (l && !BUF_MEM_grow_clean(s->internal->init_buf, + if (l && !BUF_MEM_grow_clean(s->init_buf, l + SSL3_HM_HEADER_LENGTH)) { SSLerror(s, ERR_R_BUF_LIB); goto err; @@ -338,33 +338,33 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max) s->s3->hs.tls12.message_size = l; s->s3->hs.state = stn; - s->internal->init_msg = s->internal->init_buf->data + + s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; - s->internal->init_num = 0; + s->init_num = 0; } /* next state (stn) */ - p = s->internal->init_msg; - n = s->s3->hs.tls12.message_size - s->internal->init_num; + p = s->init_msg; + n = s->s3->hs.tls12.message_size - s->init_num; while (n > 0) { i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, - &p[s->internal->init_num], n, 0); + &p[s->init_num], n, 0); if (i <= 0) { - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; return i; } - s->internal->init_num += i; + s->init_num += i; n -= i; } /* Feed this message into MAC computation. */ - if (s->internal->mac_packet) { - tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data, - s->internal->init_num + SSL3_HM_HEADER_LENGTH); + if (s->mac_packet) { + tls1_transcript_record(s, (unsigned char *)s->init_buf->data, + s->init_num + SSL3_HM_HEADER_LENGTH); ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, - s->internal->init_buf->data, - (size_t)s->internal->init_num + SSL3_HM_HEADER_LENGTH); + s->init_buf->data, + (size_t)s->init_num + SSL3_HM_HEADER_LENGTH); } return 1; @@ -459,7 +459,7 @@ ssl3_setup_init_buffer(SSL *s) { BUF_MEM *buf = NULL; - if (s->internal->init_buf != NULL) + if (s->init_buf != NULL) return (1); if ((buf = BUF_MEM_new()) == NULL) @@ -467,7 +467,7 @@ ssl3_setup_init_buffer(SSL *s) if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) goto err; - s->internal->init_buf = buf; + s->init_buf = buf; return (1); err: @@ -478,11 +478,11 @@ ssl3_setup_init_buffer(SSL *s) void ssl3_release_init_buffer(SSL *s) { - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; - s->internal->init_msg = NULL; - s->internal->init_num = 0; - s->internal->init_off = 0; + BUF_MEM_free(s->init_buf); + s->init_buf = NULL; + s->init_msg = NULL; + s->init_num = 0; + s->init_off = 0; } int @@ -507,7 +507,7 @@ ssl3_setup_read_buffer(SSL *s) s->s3->rbuf.len = len; } - s->internal->packet = s->s3->rbuf.buf; + s->packet = s->s3->rbuf.buf; return 1; err: @@ -531,7 +531,7 @@ ssl3_setup_write_buffer(SSL *s) if (s->s3->wbuf.buf == NULL) { len = s->max_send_fragment + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; - if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index 453d75771d3..d102e2e29d3 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.103 2022/07/07 13:04:39 tb Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.104 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -304,7 +304,7 @@ ssl_get0_cert(SSL_CTX *ctx, SSL *ssl) if (ssl != NULL) return ssl->cert; - return ctx->internal->cert; + return ctx->cert; } int @@ -430,21 +430,21 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs) */ X509_VERIFY_PARAM_set1(param, s->param); - if (s->internal->verify_callback) - X509_STORE_CTX_set_verify_cb(ctx, s->internal->verify_callback); + if (s->verify_callback) + X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback); - if (s->ctx->internal->app_verify_callback != NULL) - ret = s->ctx->internal->app_verify_callback(ctx, - s->ctx->internal->app_verify_arg); + if (s->ctx->app_verify_callback != NULL) + ret = s->ctx->app_verify_callback(ctx, + s->ctx->app_verify_arg); else ret = X509_verify_cert(ctx); s->verify_result = X509_STORE_CTX_get_error(ctx); - sk_X509_pop_free(s->internal->verified_chain, X509_free); - s->internal->verified_chain = NULL; + sk_X509_pop_free(s->verified_chain, X509_free); + s->verified_chain = NULL; if (X509_STORE_CTX_get0_chain(ctx) != NULL) { - s->internal->verified_chain = X509_STORE_CTX_get1_chain(ctx); - if (s->internal->verified_chain == NULL) { + s->verified_chain = X509_STORE_CTX_get1_chain(ctx); + if (s->verified_chain == NULL) { SSLerrorx(ERR_R_MALLOC_FAILURE); ret = 0; } @@ -491,19 +491,19 @@ SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk) void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(s->internal->client_CA), name_list); + set_client_CA_list(&(s->client_CA), name_list); } void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(ctx->internal->client_CA), name_list); + set_client_CA_list(&(ctx->client_CA), name_list); } STACK_OF(X509_NAME) * SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { - return (ctx->internal->client_CA); + return (ctx->client_CA); } STACK_OF(X509_NAME) * @@ -516,10 +516,10 @@ SSL_get_client_CA_list(const SSL *s) else return (NULL); } else { - if (s->internal->client_CA != NULL) - return (s->internal->client_CA); + if (s->client_CA != NULL) + return (s->client_CA); else - return (s->ctx->internal->client_CA); + return (s->ctx->client_CA); } } @@ -546,13 +546,13 @@ add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x) int SSL_add_client_CA(SSL *ssl, X509 *x) { - return (add_client_CA(&(ssl->internal->client_CA), x)); + return (add_client_CA(&(ssl->client_CA), x)); } int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) { - return (add_client_CA(&(ctx->internal->client_CA), x)); + return (add_client_CA(&(ctx->client_CA), x)); } static int diff --git a/lib/libssl/ssl_ciphers.c b/lib/libssl/ssl_ciphers.c index f77f32ab7f9..09b48058206 100644 --- a/lib/libssl/ssl_ciphers.c +++ b/lib/libssl/ssl_ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciphers.c,v 1.15 2022/07/02 16:31:04 tb Exp $ */ +/* $OpenBSD: ssl_ciphers.c,v 1.16 2022/10/02 16:36:41 jsing Exp $ */ /* * Copyright (c) 2015-2017 Doug Hogan * Copyright (c) 2015-2018, 2020 Joel Sing @@ -79,7 +79,7 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) } /* Add SCSV if there are other ciphers and we're not renegotiating. */ - if (num_ciphers > 0 && !s->internal->renegotiate) { + if (num_ciphers > 0 && !s->renegotiate) { if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK)) return 0; } @@ -118,7 +118,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if * renegotiating. */ - if (s->internal->renegotiate) { + if (s->renegotiate) { SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 8b2f209a795..d5791e3ffca 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.154 2022/10/01 16:23:15 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.155 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -204,7 +204,7 @@ ssl3_connect(SSL *s) ERR_clear_error(); errno = 0; - s->internal->in_handshake++; + s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -213,9 +213,9 @@ ssl3_connect(SSL *s) switch (s->s3->hs.state) { case SSL_ST_RENEGOTIATE: - s->internal->renegotiate = 1; + s->renegotiate = 1; s->s3->hs.state = SSL_ST_CONNECT; - s->ctx->internal->stats.sess_connect_renegotiate++; + s->ctx->stats.sess_connect_renegotiate++; /* break */ case SSL_ST_BEFORE: case SSL_ST_CONNECT: @@ -268,21 +268,21 @@ ssl3_connect(SSL *s) } s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A; - s->ctx->internal->stats.sess_connect++; - s->internal->init_num = 0; + s->ctx->stats.sess_connect++; + s->init_num = 0; if (SSL_is_dtls(s)) { /* mark client_random uninitialized */ memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); s->d1->send_cookie = 0; - s->internal->hit = 0; + s->hit = 0; } break; case SSL3_ST_CW_CLNT_HELLO_A: case SSL3_ST_CW_CLNT_HELLO_B: - s->internal->shutdown = 0; + s->shutdown = 0; if (SSL_is_dtls(s)) { /* every DTLS ClientHello resets Finished MAC */ @@ -301,7 +301,7 @@ ssl3_connect(SSL *s) } else s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A; - s->internal->init_num = 0; + s->init_num = 0; /* turn on buffering for the next lot of output */ if (s->bbio != s->wbio) @@ -315,10 +315,10 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; - if (s->internal->hit) { + if (s->hit) { s->s3->hs.state = SSL3_ST_CR_FINISHED_A; if (!SSL_is_dtls(s)) { - if (s->internal->tlsext_ticket_expected) { + if (s->tlsext_ticket_expected) { /* receive renewed session ticket */ s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A; } @@ -331,7 +331,7 @@ ssl3_connect(SSL *s) } else { s->s3->hs.state = SSL3_ST_CR_CERT_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: @@ -344,7 +344,7 @@ ssl3_connect(SSL *s) s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A; else s->s3->hs.state = SSL3_ST_CR_CERT_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_CERT_A: @@ -353,12 +353,12 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; if (ret == 2) { - s->internal->hit = 1; - if (s->internal->tlsext_ticket_expected) + s->hit = 1; + if (s->tlsext_ticket_expected) s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A; else s->s3->hs.state = SSL3_ST_CR_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; break; } /* Check if it is anon DH/ECDH. */ @@ -367,7 +367,7 @@ ssl3_connect(SSL *s) ret = ssl3_get_server_certificate(s); if (ret <= 0) goto end; - if (s->internal->tlsext_status_expected) + if (s->tlsext_status_expected) s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A; else s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; @@ -375,7 +375,7 @@ ssl3_connect(SSL *s) skip = 1; s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_KEY_EXCH_A: @@ -384,7 +384,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A; - s->internal->init_num = 0; + s->init_num = 0; /* * At this point we check that we have the @@ -402,7 +402,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_SRVR_DONE_A: @@ -416,7 +416,7 @@ ssl3_connect(SSL *s) s->s3->hs.state = SSL3_ST_CW_CERT_A; else s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A; - s->internal->init_num = 0; + s->init_num = 0; break; @@ -430,7 +430,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CW_KEY_EXCH_A: @@ -469,7 +469,7 @@ ssl3_connect(SSL *s) } } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CW_CERT_VRFY_A: @@ -480,20 +480,20 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CW_CHANGE_A; - s->internal->init_num = 0; + s->init_num = 0; s->s3->change_cipher_spec = 0; break; case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: - if (SSL_is_dtls(s) && !s->internal->hit) + if (SSL_is_dtls(s) && !s->hit) dtls1_start_timer(s); ret = ssl3_send_client_change_cipher_spec(s); if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CW_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; s->session->cipher = s->s3->hs.cipher; if (!tls1_setup_key_block(s)) { @@ -508,7 +508,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: - if (SSL_is_dtls(s) && !s->internal->hit) + if (SSL_is_dtls(s) && !s->hit) dtls1_start_timer(s); ret = ssl3_send_client_finished(s); if (ret <= 0) @@ -518,18 +518,18 @@ ssl3_connect(SSL *s) s->s3->hs.state = SSL3_ST_CW_FLUSH; /* clear flags */ - if (s->internal->hit) { + if (s->hit) { s->s3->hs.tls12.next_state = SSL_ST_OK; } else { /* Allow NewSessionTicket if ticket expected */ - if (s->internal->tlsext_ticket_expected) + if (s->tlsext_ticket_expected) s->s3->hs.tls12.next_state = SSL3_ST_CR_SESSION_TICKET_A; else s->s3->hs.tls12.next_state = SSL3_ST_CR_FINISHED_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_SESSION_TICKET_A: @@ -538,7 +538,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CR_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_CERT_STATUS_A: @@ -547,7 +547,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_FINISHED_A: @@ -562,27 +562,27 @@ ssl3_connect(SSL *s) if (SSL_is_dtls(s)) dtls1_stop_timer(s); - if (s->internal->hit) + if (s->hit) s->s3->hs.state = SSL3_ST_CW_CHANGE_A; else s->s3->hs.state = SSL_ST_OK; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CW_FLUSH: - s->internal->rwstate = SSL_WRITING; + s->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { if (SSL_is_dtls(s)) { /* If the write error was fatal, stop trying */ if (!BIO_should_retry(s->wbio)) { - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->hs.state = s->s3->hs.tls12.next_state; } } ret = -1; goto end; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->hs.state = s->s3->hs.tls12.next_state; break; @@ -601,18 +601,18 @@ ssl3_connect(SSL *s) ssl_free_wbio_buffer(s); - s->internal->init_num = 0; - s->internal->renegotiate = 0; - s->internal->new_session = 0; + s->init_num = 0; + s->renegotiate = 0; + s->new_session = 0; ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); - if (s->internal->hit) - s->ctx->internal->stats.sess_hit++; + if (s->hit) + s->ctx->stats.sess_hit++; ret = 1; /* s->server=0; */ - s->internal->handshake_func = ssl3_connect; - s->ctx->internal->stats.sess_connect_good++; + s->handshake_func = ssl3_connect; + s->ctx->stats.sess_connect_good++; ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1); @@ -634,7 +634,7 @@ ssl3_connect(SSL *s) /* did we do anything */ if (!s->s3->hs.tls12.reuse_message && !skip) { - if (s->internal->debug) { + if (s->debug) { if ((ret = BIO_flush(s->wbio)) <= 0) goto end; } @@ -650,7 +650,7 @@ ssl3_connect(SSL *s) } end: - s->internal->in_handshake--; + s->in_handshake--; ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret); return (ret); @@ -706,7 +706,7 @@ ssl3_send_client_hello(SSL *s) /* Session ID */ if (!CBB_add_u8_length_prefixed(&client_hello, &session_id)) goto err; - if (!s->internal->new_session && + if (!s->new_session && s->session->session_id_length > 0) { sl = s->session->session_id_length; if (sl > sizeof(s->session->session_id)) { @@ -777,7 +777,7 @@ ssl3_get_dtls_hello_verify(SSL *s) int al, ret; if ((ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, - DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list)) <= 0) + DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list)) <= 0) return ret; if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { @@ -786,11 +786,11 @@ ssl3_get_dtls_hello_verify(SSL *s) return (1); } - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&hello_verify_request, s->internal->init_msg, - s->internal->init_num); + CBS_init(&hello_verify_request, s->init_msg, + s->init_num); if (!CBS_get_u16(&hello_verify_request, &ssl_version)) goto decode_err; @@ -840,16 +840,16 @@ ssl3_get_server_hello(SSL *s) unsigned long alg_k; int al, ret; - s->internal->first_packet = 1; + s->first_packet = 1; if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, SSL3_ST_CR_SRVR_HELLO_B, -1, 20000 /* ?? */)) <= 0) return ret; - s->internal->first_packet = 0; + s->first_packet = 0; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (SSL_is_dtls(s)) { if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { @@ -944,13 +944,13 @@ ssl3_get_server_hello(SSL *s) * Check if we want to resume the session based on external * pre-shared secret. */ - if (s->internal->tls_session_secret_cb != NULL) { + if (s->tls_session_secret_cb != NULL) { SSL_CIPHER *pref_cipher = NULL; int master_key_length = sizeof(s->session->master_key); - if (!s->internal->tls_session_secret_cb(s, + if (!s->tls_session_secret_cb(s, s->session->master_key, &master_key_length, NULL, - &pref_cipher, s->internal->tls_session_secret_cb_arg)) { + &pref_cipher, s->tls_session_secret_cb_arg)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -978,13 +978,13 @@ ssl3_get_server_hello(SSL *s) goto fatal_err; } s->s3->flags |= SSL3_FLAGS_CCS_OK; - s->internal->hit = 1; + s->hit = 1; } else { /* a miss or crap from the other end */ /* If we were trying for session-id reuse, make a new * SSL_SESSION so we don't stuff up other people */ - s->internal->hit = 0; + s->hit = 0; if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { al = SSL_AD_INTERNAL_ERROR; @@ -1032,7 +1032,7 @@ ssl3_get_server_hello(SSL *s) */ if (s->session->cipher) s->session->cipher_id = s->session->cipher->id; - if (s->internal->hit && (s->session->cipher_id != cipher->id)) { + if (s->hit && (s->session->cipher_id != cipher->id)) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); goto fatal_err; @@ -1076,7 +1076,7 @@ ssl3_get_server_hello(SSL *s) * absence on initial connect only. */ if (!s->s3->renegotiate_seen && - !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { + !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); goto fatal_err; @@ -1109,7 +1109,7 @@ ssl3_get_server_certificate(SSL *s) int al, ret; if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, - SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0) + SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0) return ret; ret = -1; @@ -1130,10 +1130,10 @@ ssl3_get_server_certificate(SSL *s) goto err; } - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (!CBS_get_u24_length_prefixed(&cbs, &cert_list)) goto decode_err; @@ -1314,16 +1314,16 @@ ssl3_get_server_key_exchange(SSL *s) * as ServerKeyExchange message may be skipped. */ if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A, - SSL3_ST_CR_KEY_EXCH_B, -1, s->internal->max_cert_list)) <= 0) + SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list)) <= 0) return ret; if ((md_ctx = EVP_MD_CTX_new()) == NULL) goto err; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { /* @@ -1454,7 +1454,7 @@ ssl3_get_certificate_request(SSL *s) int ret; if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A, - SSL3_ST_CR_CERT_REQ_B, -1, s->internal->max_cert_list)) <= 0) + SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list)) <= 0) return ret; ret = 0; @@ -1484,9 +1484,9 @@ ssl3_get_certificate_request(SSL *s) goto err; } - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&cert_request, s->internal->init_msg, s->internal->init_num); + CBS_init(&cert_request, s->init_msg, s->init_num); if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); @@ -1610,13 +1610,13 @@ ssl3_get_new_session_ticket(SSL *s) goto fatal_err; } - if (s->internal->init_num < 0) { + if (s->init_num < 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); goto fatal_err; } - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (!CBS_get_u32(&cbs, &lifetime_hint) || !CBS_get_u16_length_prefixed(&cbs, &session_ticket) || CBS_len(&cbs) != 0) { @@ -1679,13 +1679,13 @@ ssl3_get_cert_status(SSL *s) * Tell the callback the server did not send us an OSCP * response, and has decided to head directly to key exchange. */ - if (s->ctx->internal->tlsext_status_cb) { - free(s->internal->tlsext_ocsp_resp); - s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resp_len = 0; + if (s->ctx->tlsext_status_cb) { + free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resp_len = 0; - ret = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + ret = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); if (ret == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); @@ -1708,14 +1708,14 @@ ssl3_get_cert_status(SSL *s) goto fatal_err; } - if (s->internal->init_num < 0) { + if (s->init_num < 0) { /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); goto fatal_err; } - CBS_init(&cert_status, s->internal->init_msg, s->internal->init_num); + CBS_init(&cert_status, s->init_msg, s->init_num); if (!CBS_get_u8(&cert_status, &status_type) || CBS_len(&cert_status) < 3) { /* need at least status type + length */ @@ -1737,16 +1737,16 @@ ssl3_get_cert_status(SSL *s) goto fatal_err; } - if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, - &s->internal->tlsext_ocsp_resp_len)) { + if (!CBS_stow(&response, &s->tlsext_ocsp_resp, + &s->tlsext_ocsp_resp_len)) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_MALLOC_FAILURE); goto fatal_err; } - if (s->ctx->internal->tlsext_status_cb) { - ret = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + if (s->ctx->tlsext_status_cb) { + ret = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); if (ret == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); @@ -1774,7 +1774,7 @@ ssl3_get_server_done(SSL *s) 30 /* should be very small, like 0 :-) */)) <= 0) return ret; - if (s->internal->init_num != 0) { + if (s->init_num != 0) { /* should contain no data */ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerror(s, SSL_R_LENGTH_MISMATCH); @@ -2383,15 +2383,15 @@ ssl3_send_client_certificate(SSL *s) if (s->s3->hs.state == SSL3_ST_CW_CERT_B) { /* * If we get an error, we need to - * ssl->internal->rwstate = SSL_X509_LOOKUP; return(-1); + * ssl->rwstate = SSL_X509_LOOKUP; return(-1); * We then get retried later. */ i = ssl_do_client_cert_cb(s, &x509, &pkey); if (i < 0) { - s->internal->rwstate = SSL_X509_LOOKUP; + s->rwstate = SSL_X509_LOOKUP; return (-1); } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { s->s3->hs.state = SSL3_ST_CW_CERT_B; if (!SSL_use_certificate(s, x509) || @@ -2508,7 +2508,7 @@ ssl3_check_finished(SSL *s) /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, - SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0) + SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0) return ret; s->s3->hs.tls12.reuse_message = 1; @@ -2525,16 +2525,16 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) int i = 0; #ifndef OPENSSL_NO_ENGINE - if (s->ctx->internal->client_cert_engine) { + if (s->ctx->client_cert_engine) { i = ENGINE_load_ssl_client_cert( - s->ctx->internal->client_cert_engine, s, + s->ctx->client_cert_engine, s, SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL); if (i != 0) return (i); } #endif - if (s->ctx->internal->client_cert_cb) - i = s->ctx->internal->client_cert_cb(s, px509, ppkey); + if (s->ctx->client_cert_cb) + i = s->ctx->client_cert_cb(s, px509, ppkey); return (i); } @@ -2547,8 +2547,8 @@ ssl3_send_client_change_cipher_spec(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) { - if (!CBB_init_fixed(&cbb, s->internal->init_buf->data, - s->internal->init_buf->length)) + if (!CBB_init_fixed(&cbb, s->init_buf->data, + s->init_buf->length)) goto err; if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) goto err; @@ -2558,8 +2558,8 @@ ssl3_send_client_change_cipher_spec(SSL *s) if (outlen > INT_MAX) goto err; - s->internal->init_num = (int)outlen; - s->internal->init_off = 0; + s->init_num = (int)outlen; + s->init_off = 0; if (SSL_is_dtls(s)) { s->d1->handshake_write_seq = @@ -2639,13 +2639,13 @@ ssl3_get_server_finished(SSL *s) md_len = TLS1_FINISH_MAC_LENGTH; - if (s->internal->init_num < 0) { + if (s->init_num < 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); goto fatal_err; } - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (s->s3->hs.peer_finished_len != md_len || CBS_len(&cbs) != md_len) { diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index f5f7bf66c1c..4b5f119a88a 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.305 2022/09/10 15:29:33 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.306 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -180,33 +180,33 @@ SSL_clear(SSL *s) } s->error = 0; - s->internal->hit = 0; - s->internal->shutdown = 0; + s->hit = 0; + s->shutdown = 0; - if (s->internal->renegotiate) { + if (s->renegotiate) { SSLerror(s, ERR_R_INTERNAL_ERROR); return (0); } s->version = s->method->version; s->client_version = s->version; - s->internal->rwstate = SSL_NOTHING; - s->internal->rstate = SSL_ST_READ_HEADER; + s->rwstate = SSL_NOTHING; + s->rstate = SSL_ST_READ_HEADER; - tls13_ctx_free(s->internal->tls13); - s->internal->tls13 = NULL; + tls13_ctx_free(s->tls13); + s->tls13 = NULL; ssl3_release_init_buffer(s); ssl_clear_cipher_state(s); - s->internal->first_packet = 0; + s->first_packet = 0; /* * Check to see if we were changed into a different method, if * so, revert back if we are not doing session-id reuse. */ - if (!s->internal->in_handshake && (s->session == NULL) && + if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { s->method->ssl_free(s); s->method = s->ctx->method; @@ -227,8 +227,8 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST, - ctx->internal->cert); + ctx->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST, + ctx->cert); if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return (0); @@ -253,87 +253,85 @@ SSL_new(SSL_CTX *ctx) if ((s = calloc(1, sizeof(*s))) == NULL) goto err; - if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) - goto err; - if ((s->internal->rl = tls12_record_layer_new()) == NULL) + if ((s->rl = tls12_record_layer_new()) == NULL) goto err; - s->internal->min_tls_version = ctx->internal->min_tls_version; - s->internal->max_tls_version = ctx->internal->max_tls_version; - s->internal->min_proto_version = ctx->internal->min_proto_version; - s->internal->max_proto_version = ctx->internal->max_proto_version; + s->min_tls_version = ctx->min_tls_version; + s->max_tls_version = ctx->max_tls_version; + s->min_proto_version = ctx->min_proto_version; + s->max_proto_version = ctx->max_proto_version; - s->internal->options = ctx->internal->options; - s->internal->mode = ctx->internal->mode; - s->internal->max_cert_list = ctx->internal->max_cert_list; - s->internal->num_tickets = ctx->internal->num_tickets; + s->options = ctx->options; + s->mode = ctx->mode; + s->max_cert_list = ctx->max_cert_list; + s->num_tickets = ctx->num_tickets; - if ((s->cert = ssl_cert_dup(ctx->internal->cert)) == NULL) + if ((s->cert = ssl_cert_dup(ctx->cert)) == NULL) goto err; - s->internal->read_ahead = ctx->internal->read_ahead; - s->internal->msg_callback = ctx->internal->msg_callback; - s->internal->msg_callback_arg = ctx->internal->msg_callback_arg; + s->read_ahead = ctx->read_ahead; + s->msg_callback = ctx->msg_callback; + s->msg_callback_arg = ctx->msg_callback_arg; s->verify_mode = ctx->verify_mode; s->sid_ctx_length = ctx->sid_ctx_length; OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); - s->internal->verify_callback = ctx->internal->default_verify_callback; - s->internal->generate_session_id = ctx->internal->generate_session_id; + s->verify_callback = ctx->default_verify_callback; + s->generate_session_id = ctx->generate_session_id; s->param = X509_VERIFY_PARAM_new(); if (!s->param) goto err; X509_VERIFY_PARAM_inherit(s->param, ctx->param); - s->internal->quiet_shutdown = ctx->internal->quiet_shutdown; - s->max_send_fragment = ctx->internal->max_send_fragment; + s->quiet_shutdown = ctx->quiet_shutdown; + s->max_send_fragment = ctx->max_send_fragment; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->ctx = ctx; - s->internal->tlsext_debug_cb = 0; - s->internal->tlsext_debug_arg = NULL; - s->internal->tlsext_ticket_expected = 0; + s->tlsext_debug_cb = 0; + s->tlsext_debug_arg = NULL; + s->tlsext_ticket_expected = 0; s->tlsext_status_type = -1; - s->internal->tlsext_status_expected = 0; - s->internal->tlsext_ocsp_ids = NULL; - s->internal->tlsext_ocsp_exts = NULL; - s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resp_len = 0; + s->tlsext_status_expected = 0; + s->tlsext_ocsp_ids = NULL; + s->tlsext_ocsp_exts = NULL; + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resp_len = 0; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->initial_ctx = ctx; - if (ctx->internal->tlsext_ecpointformatlist != NULL) { - s->internal->tlsext_ecpointformatlist = - calloc(ctx->internal->tlsext_ecpointformatlist_length, - sizeof(ctx->internal->tlsext_ecpointformatlist[0])); - if (s->internal->tlsext_ecpointformatlist == NULL) + if (ctx->tlsext_ecpointformatlist != NULL) { + s->tlsext_ecpointformatlist = + calloc(ctx->tlsext_ecpointformatlist_length, + sizeof(ctx->tlsext_ecpointformatlist[0])); + if (s->tlsext_ecpointformatlist == NULL) goto err; - memcpy(s->internal->tlsext_ecpointformatlist, - ctx->internal->tlsext_ecpointformatlist, - ctx->internal->tlsext_ecpointformatlist_length * - sizeof(ctx->internal->tlsext_ecpointformatlist[0])); - s->internal->tlsext_ecpointformatlist_length = - ctx->internal->tlsext_ecpointformatlist_length; - } - if (ctx->internal->tlsext_supportedgroups != NULL) { - s->internal->tlsext_supportedgroups = - calloc(ctx->internal->tlsext_supportedgroups_length, - sizeof(ctx->internal->tlsext_supportedgroups[0])); - if (s->internal->tlsext_supportedgroups == NULL) + memcpy(s->tlsext_ecpointformatlist, + ctx->tlsext_ecpointformatlist, + ctx->tlsext_ecpointformatlist_length * + sizeof(ctx->tlsext_ecpointformatlist[0])); + s->tlsext_ecpointformatlist_length = + ctx->tlsext_ecpointformatlist_length; + } + if (ctx->tlsext_supportedgroups != NULL) { + s->tlsext_supportedgroups = + calloc(ctx->tlsext_supportedgroups_length, + sizeof(ctx->tlsext_supportedgroups[0])); + if (s->tlsext_supportedgroups == NULL) goto err; - memcpy(s->internal->tlsext_supportedgroups, - ctx->internal->tlsext_supportedgroups, - ctx->internal->tlsext_supportedgroups_length * - sizeof(ctx->internal->tlsext_supportedgroups[0])); - s->internal->tlsext_supportedgroups_length = - ctx->internal->tlsext_supportedgroups_length; - } - - CBS_init(&cbs, ctx->internal->alpn_client_proto_list, - ctx->internal->alpn_client_proto_list_len); - if (!CBS_stow(&cbs, &s->internal->alpn_client_proto_list, - &s->internal->alpn_client_proto_list_len)) + memcpy(s->tlsext_supportedgroups, + ctx->tlsext_supportedgroups, + ctx->tlsext_supportedgroups_length * + sizeof(ctx->tlsext_supportedgroups[0])); + s->tlsext_supportedgroups_length = + ctx->tlsext_supportedgroups_length; + } + + CBS_init(&cbs, ctx->alpn_client_proto_list, + ctx->alpn_client_proto_list_len); + if (!CBS_stow(&cbs, &s->alpn_client_proto_list, + &s->alpn_client_proto_list_len)) goto err; s->verify_result = X509_V_OK; @@ -349,7 +347,7 @@ SSL_new(SSL_CTX *ctx) SSL_clear(s); - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->internal->ex_data); + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); return (s); @@ -391,7 +389,7 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - ctx->internal->generate_session_id = cb; + ctx->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); return (1); } @@ -400,7 +398,7 @@ int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); - ssl->internal->generate_session_id = cb; + ssl->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL); return (1); } @@ -426,7 +424,7 @@ SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, memcpy(r.session_id, id, id_len); CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - p = lh_SSL_SESSION_retrieve(ssl->ctx->internal->sessions, &r); + p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r); CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); return (p != NULL); } @@ -519,7 +517,7 @@ SSL_free(SSL *s) X509_VERIFY_PARAM_free(s->param); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->internal->ex_data); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); if (s->bbio != NULL) { /* If the buffering BIO is in place, pop it off */ @@ -534,12 +532,12 @@ SSL_free(SSL *s) BIO_free_all(s->rbio); BIO_free_all(s->wbio); - tls13_ctx_free(s->internal->tls13); + tls13_ctx_free(s->tls13); ssl3_release_init_buffer(s); sk_SSL_CIPHER_free(s->cipher_list); - sk_SSL_CIPHER_free(s->internal->cipher_list_tls13); + sk_SSL_CIPHER_free(s->cipher_list_tls13); /* Make the next call work :-) */ if (s->session != NULL) { @@ -554,32 +552,31 @@ SSL_free(SSL *s) free(s->tlsext_hostname); SSL_CTX_free(s->initial_ctx); - free(s->internal->tlsext_ecpointformatlist); - free(s->internal->tlsext_supportedgroups); + free(s->tlsext_ecpointformatlist); + free(s->tlsext_supportedgroups); - sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, + sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); - sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); - free(s->internal->tlsext_ocsp_resp); + sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); + free(s->tlsext_ocsp_resp); - sk_X509_NAME_pop_free(s->internal->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); if (s->method != NULL) s->method->ssl_free(s); SSL_CTX_free(s->ctx); - free(s->internal->alpn_client_proto_list); + free(s->alpn_client_proto_list); - free(s->internal->quic_transport_params); + free(s->quic_transport_params); #ifndef OPENSSL_NO_SRTP - sk_SRTP_PROTECTION_PROFILE_free(s->internal->srtp_profiles); + sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); #endif - tls12_record_layer_free(s->internal->rl); + tls12_record_layer_free(s->rl); - free(s->internal); free(s); } @@ -768,25 +765,25 @@ SSL_get_verify_depth(const SSL *s) int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) { - return (s->internal->verify_callback); + return (s->verify_callback); } void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) { - ctx->internal->keylog_callback = cb; + ctx->keylog_callback = cb; } SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) { - return (ctx->internal->keylog_callback); + return (ctx->keylog_callback); } int SSL_set_num_tickets(SSL *s, size_t num_tickets) { - s->internal->num_tickets = num_tickets; + s->num_tickets = num_tickets; return 1; } @@ -794,13 +791,13 @@ SSL_set_num_tickets(SSL *s, size_t num_tickets) size_t SSL_get_num_tickets(const SSL *s) { - return s->internal->num_tickets; + return s->num_tickets; } int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) { - ctx->internal->num_tickets = num_tickets; + ctx->num_tickets = num_tickets; return 1; } @@ -808,7 +805,7 @@ SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) { - return ctx->internal->num_tickets; + return ctx->num_tickets; } int @@ -826,7 +823,7 @@ SSL_CTX_get_verify_depth(const SSL_CTX *ctx) int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) { - return (ctx->internal->default_verify_callback); + return (ctx->default_verify_callback); } void @@ -835,7 +832,7 @@ SSL_set_verify(SSL *s, int mode, { s->verify_mode = mode; if (callback != NULL) - s->internal->verify_callback = callback; + s->verify_callback = callback; } void @@ -847,13 +844,13 @@ SSL_set_verify_depth(SSL *s, int depth) void SSL_set_read_ahead(SSL *s, int yes) { - s->internal->read_ahead = yes; + s->read_ahead = yes; } int SSL_get_read_ahead(const SSL *s) { - return (s->internal->read_ahead); + return (s->read_ahead); } int @@ -897,7 +894,7 @@ SSL_get_peer_cert_chain(const SSL *s) STACK_OF(X509) * SSL_get0_verified_chain(const SSL *s) { - return s->internal->verified_chain; + return s->verified_chain; } /* @@ -939,17 +936,17 @@ SSL_copy_session_id(SSL *t, const SSL *f) int SSL_CTX_check_private_key(const SSL_CTX *ctx) { - if ((ctx == NULL) || (ctx->internal->cert == NULL) || - (ctx->internal->cert->key->x509 == NULL)) { + if ((ctx == NULL) || (ctx->cert == NULL) || + (ctx->cert->key->x509 == NULL)) { SSLerrorx(SSL_R_NO_CERTIFICATE_ASSIGNED); return (0); } - if (ctx->internal->cert->key->privatekey == NULL) { + if (ctx->cert->key->privatekey == NULL) { SSLerrorx(SSL_R_NO_PRIVATE_KEY_ASSIGNED); return (0); } - return (X509_check_private_key(ctx->internal->cert->key->x509, - ctx->internal->cert->key->privatekey)); + return (X509_check_private_key(ctx->cert->key->x509, + ctx->cert->key->privatekey)); } /* Fix this function so that it takes an optional type parameter */ @@ -979,7 +976,7 @@ SSL_check_private_key(const SSL *ssl) int SSL_accept(SSL *s) { - if (s->internal->handshake_func == NULL) + if (s->handshake_func == NULL) SSL_set_accept_state(s); /* Not properly initialized yet */ return (s->method->ssl_accept(s)); @@ -988,7 +985,7 @@ SSL_accept(SSL *s) int SSL_connect(SSL *s) { - if (s->internal->handshake_func == NULL) + if (s->handshake_func == NULL) SSL_set_connect_state(s); /* Not properly initialized yet */ return (s->method->ssl_connect(s)); @@ -1035,13 +1032,13 @@ SSL_read(SSL *s, void *buf, int num) return (-1); } - if (s->internal->handshake_func == NULL) { + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } - if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { + s->rwstate = SSL_NOTHING; return (0); } return ssl3_read(s, buf, num); @@ -1079,12 +1076,12 @@ SSL_peek(SSL *s, void *buf, int num) return (-1); } - if (s->internal->handshake_func == NULL) { + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } - if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { return (0); } return ssl3_peek(s, buf, num); @@ -1122,13 +1119,13 @@ SSL_write(SSL *s, const void *buf, int num) return (-1); } - if (s->internal->handshake_func == NULL) { + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } - if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; + if (s->shutdown & SSL_SENT_SHUTDOWN) { + s->rwstate = SSL_NOTHING; SSLerror(s, SSL_R_PROTOCOL_IS_SHUTDOWN); return (-1); } @@ -1221,7 +1218,7 @@ SSL_shutdown(SSL *s) * even if blocking I/O is used (see ssl3_shutdown). */ - if (s->internal->handshake_func == NULL) { + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } @@ -1235,10 +1232,10 @@ SSL_shutdown(SSL *s) int SSL_renegotiate(SSL *s) { - if (s->internal->renegotiate == 0) - s->internal->renegotiate = 1; + if (s->renegotiate == 0) + s->renegotiate = 1; - s->internal->new_session = 1; + s->new_session = 1; return (s->method->ssl_renegotiate(s)); } @@ -1246,10 +1243,10 @@ SSL_renegotiate(SSL *s) int SSL_renegotiate_abbreviated(SSL *s) { - if (s->internal->renegotiate == 0) - s->internal->renegotiate = 1; + if (s->renegotiate == 0) + s->renegotiate = 1; - s->internal->new_session = 0; + s->new_session = 0; return (s->method->ssl_renegotiate(s)); } @@ -1261,7 +1258,7 @@ SSL_renegotiate_pending(SSL *s) * Becomes true when negotiation is requested; * false again once a handshake has finished. */ - return (s->internal->renegotiate != 0); + return (s->renegotiate != 0); } long @@ -1271,29 +1268,29 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (s->internal->read_ahead); + return (s->read_ahead); case SSL_CTRL_SET_READ_AHEAD: - l = s->internal->read_ahead; - s->internal->read_ahead = larg; + l = s->read_ahead; + s->read_ahead = larg; return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: - s->internal->msg_callback_arg = parg; + s->msg_callback_arg = parg; return (1); case SSL_CTRL_OPTIONS: - return (s->internal->options|=larg); + return (s->options|=larg); case SSL_CTRL_CLEAR_OPTIONS: - return (s->internal->options&=~larg); + return (s->options&=~larg); case SSL_CTRL_MODE: - return (s->internal->mode|=larg); + return (s->mode|=larg); case SSL_CTRL_CLEAR_MODE: - return (s->internal->mode &=~larg); + return (s->mode &=~larg); case SSL_CTRL_GET_MAX_CERT_LIST: - return (s->internal->max_cert_list); + return (s->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: - l = s->internal->max_cert_list; - s->internal->max_cert_list = larg; + l = s->max_cert_list; + s->max_cert_list = larg; return (l); case SSL_CTRL_SET_MTU: #ifndef OPENSSL_NO_DTLS1 @@ -1326,7 +1323,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - s->internal->msg_callback = (ssl_msg_callback_fn *)(fp); + s->msg_callback = (ssl_msg_callback_fn *)(fp); return (1); default: @@ -1337,7 +1334,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) struct lhash_st_SSL_SESSION * SSL_CTX_sessions(SSL_CTX *ctx) { - return (ctx->internal->sessions); + return (ctx->sessions); } long @@ -1347,72 +1344,72 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (ctx->internal->read_ahead); + return (ctx->read_ahead); case SSL_CTRL_SET_READ_AHEAD: - l = ctx->internal->read_ahead; - ctx->internal->read_ahead = larg; + l = ctx->read_ahead; + ctx->read_ahead = larg; return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: - ctx->internal->msg_callback_arg = parg; + ctx->msg_callback_arg = parg; return (1); case SSL_CTRL_GET_MAX_CERT_LIST: - return (ctx->internal->max_cert_list); + return (ctx->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: - l = ctx->internal->max_cert_list; - ctx->internal->max_cert_list = larg; + l = ctx->max_cert_list; + ctx->max_cert_list = larg; return (l); case SSL_CTRL_SET_SESS_CACHE_SIZE: - l = ctx->internal->session_cache_size; - ctx->internal->session_cache_size = larg; + l = ctx->session_cache_size; + ctx->session_cache_size = larg; return (l); case SSL_CTRL_GET_SESS_CACHE_SIZE: - return (ctx->internal->session_cache_size); + return (ctx->session_cache_size); case SSL_CTRL_SET_SESS_CACHE_MODE: - l = ctx->internal->session_cache_mode; - ctx->internal->session_cache_mode = larg; + l = ctx->session_cache_mode; + ctx->session_cache_mode = larg; return (l); case SSL_CTRL_GET_SESS_CACHE_MODE: - return (ctx->internal->session_cache_mode); + return (ctx->session_cache_mode); case SSL_CTRL_SESS_NUMBER: - return (lh_SSL_SESSION_num_items(ctx->internal->sessions)); + return (lh_SSL_SESSION_num_items(ctx->sessions)); case SSL_CTRL_SESS_CONNECT: - return (ctx->internal->stats.sess_connect); + return (ctx->stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: - return (ctx->internal->stats.sess_connect_good); + return (ctx->stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: - return (ctx->internal->stats.sess_connect_renegotiate); + return (ctx->stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: - return (ctx->internal->stats.sess_accept); + return (ctx->stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: - return (ctx->internal->stats.sess_accept_good); + return (ctx->stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: - return (ctx->internal->stats.sess_accept_renegotiate); + return (ctx->stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: - return (ctx->internal->stats.sess_hit); + return (ctx->stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: - return (ctx->internal->stats.sess_cb_hit); + return (ctx->stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: - return (ctx->internal->stats.sess_miss); + return (ctx->stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: - return (ctx->internal->stats.sess_timeout); + return (ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: - return (ctx->internal->stats.sess_cache_full); + return (ctx->stats.sess_cache_full); case SSL_CTRL_OPTIONS: - return (ctx->internal->options|=larg); + return (ctx->options|=larg); case SSL_CTRL_CLEAR_OPTIONS: - return (ctx->internal->options&=~larg); + return (ctx->options&=~larg); case SSL_CTRL_MODE: - return (ctx->internal->mode|=larg); + return (ctx->mode|=larg); case SSL_CTRL_CLEAR_MODE: - return (ctx->internal->mode&=~larg); + return (ctx->mode&=~larg); case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return (0); - ctx->internal->max_send_fragment = larg; + ctx->max_send_fragment = larg; return (1); default: return (ssl3_ctx_ctrl(ctx, cmd, larg, parg)); @@ -1424,7 +1421,7 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - ctx->internal->msg_callback = (ssl_msg_callback_fn *)fp; + ctx->msg_callback = (ssl_msg_callback_fn *)fp; return (1); default: @@ -1562,7 +1559,7 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) * ctx->cipher_list has been updated. */ ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - ctx->internal->cipher_list_tls13, str, ctx->internal->cert); + ctx->cipher_list_tls13, str, ctx->cert); if (ciphers == NULL) { return (0); } else if (sk_SSL_CIPHER_num(ciphers) == 0) { @@ -1575,12 +1572,12 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) { - if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) { + if (!ssl_parse_ciphersuites(&ctx->cipher_list_tls13, str)) { SSLerrorx(SSL_R_NO_CIPHER_MATCH); return 0; } if (!ssl_merge_cipherlists(ctx->cipher_list, - ctx->internal->cipher_list_tls13, &ctx->cipher_list)) + ctx->cipher_list_tls13, &ctx->cipher_list)) return 0; return 1; @@ -1592,8 +1589,8 @@ SSL_set_cipher_list(SSL *s, const char *str) { STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13; - if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL) - ciphers_tls13 = s->ctx->internal->cipher_list_tls13; + if ((ciphers_tls13 = s->cipher_list_tls13) == NULL) + ciphers_tls13 = s->ctx->cipher_list_tls13; /* See comment in SSL_CTX_set_cipher_list. */ ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, @@ -1615,11 +1612,11 @@ SSL_set_ciphersuites(SSL *s, const char *str) if ((ciphers = s->cipher_list) == NULL) ciphers = s->ctx->cipher_list; - if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) { + if (!ssl_parse_ciphersuites(&s->cipher_list_tls13, str)) { SSLerrorx(SSL_R_NO_CIPHER_MATCH); return (0); } - if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13, + if (!ssl_merge_cipherlists(ciphers, s->cipher_list_tls13, &s->cipher_list)) return 0; @@ -1791,8 +1788,8 @@ SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, goto err; } - if (!CBS_stow(&cbs, &ctx->internal->alpn_client_proto_list, - &ctx->internal->alpn_client_proto_list_len)) + if (!CBS_stow(&cbs, &ctx->alpn_client_proto_list, + &ctx->alpn_client_proto_list_len)) goto err; failed = 0; @@ -1824,8 +1821,8 @@ SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, goto err; } - if (!CBS_stow(&cbs, &ssl->internal->alpn_client_proto_list, - &ssl->internal->alpn_client_proto_list_len)) + if (!CBS_stow(&cbs, &ssl->alpn_client_proto_list, + &ssl->alpn_client_proto_list_len)) goto err; failed = 0; @@ -1845,8 +1842,8 @@ SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg) { - ctx->internal->alpn_select_cb = cb; - ctx->internal->alpn_select_cb_arg = arg; + ctx->alpn_select_cb = cb; + ctx->alpn_select_cb_arg = arg; } /* @@ -1874,12 +1871,12 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, const unsigned char *p, size_t plen, int use_context) { - if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) { + if (s->tls13 != NULL && s->version == TLS1_3_VERSION) { if (!use_context) { p = NULL; plen = 0; } - return tls13_exporter(s->internal->tls13, label, llen, p, plen, + return tls13_exporter(s->tls13, label, llen, p, plen, out, olen); } @@ -1961,11 +1958,6 @@ SSL_CTX_new(const SSL_METHOD *meth) SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } - if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL) { - free(ret); - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (NULL); - } if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerrorx(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); @@ -1973,62 +1965,62 @@ SSL_CTX_new(const SSL_METHOD *meth) } ret->method = meth; - ret->internal->min_tls_version = meth->min_tls_version; - ret->internal->max_tls_version = meth->max_tls_version; - ret->internal->min_proto_version = 0; - ret->internal->max_proto_version = 0; - ret->internal->mode = SSL_MODE_AUTO_RETRY; + ret->min_tls_version = meth->min_tls_version; + ret->max_tls_version = meth->max_tls_version; + ret->min_proto_version = 0; + ret->max_proto_version = 0; + ret->mode = SSL_MODE_AUTO_RETRY; ret->cert_store = NULL; - ret->internal->session_cache_mode = SSL_SESS_CACHE_SERVER; - ret->internal->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; - ret->internal->session_cache_head = NULL; - ret->internal->session_cache_tail = NULL; + ret->session_cache_mode = SSL_SESS_CACHE_SERVER; + ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; + ret->session_cache_head = NULL; + ret->session_cache_tail = NULL; /* We take the system default */ ret->session_timeout = ssl_get_default_timeout(); - ret->internal->new_session_cb = 0; - ret->internal->remove_session_cb = 0; - ret->internal->get_session_cb = 0; - ret->internal->generate_session_id = 0; + ret->new_session_cb = 0; + ret->remove_session_cb = 0; + ret->get_session_cb = 0; + ret->generate_session_id = 0; - memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats)); + memset((char *)&ret->stats, 0, sizeof(ret->stats)); ret->references = 1; - ret->internal->quiet_shutdown = 0; + ret->quiet_shutdown = 0; - ret->internal->info_callback = NULL; + ret->info_callback = NULL; - ret->internal->app_verify_callback = 0; - ret->internal->app_verify_arg = NULL; + ret->app_verify_callback = 0; + ret->app_verify_arg = NULL; - ret->internal->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; - ret->internal->read_ahead = 0; - ret->internal->msg_callback = 0; - ret->internal->msg_callback_arg = NULL; + ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; + ret->read_ahead = 0; + ret->msg_callback = 0; + ret->msg_callback_arg = NULL; ret->verify_mode = SSL_VERIFY_NONE; ret->sid_ctx_length = 0; - ret->internal->default_verify_callback = NULL; + ret->default_verify_callback = NULL; - if ((ret->internal->cert = ssl_cert_new()) == NULL) + if ((ret->cert = ssl_cert_new()) == NULL) goto err; ret->default_passwd_callback = 0; ret->default_passwd_callback_userdata = NULL; - ret->internal->client_cert_cb = 0; - ret->internal->app_gen_cookie_cb = 0; - ret->internal->app_verify_cookie_cb = 0; + ret->client_cert_cb = 0; + ret->app_gen_cookie_cb = 0; + ret->app_verify_cookie_cb = 0; - ret->internal->sessions = lh_SSL_SESSION_new(); - if (ret->internal->sessions == NULL) + ret->sessions = lh_SSL_SESSION_new(); + if (ret->sessions == NULL) goto err; ret->cert_store = X509_STORE_new(); if (ret->cert_store == NULL) goto err; ssl_create_cipher_list(ret->method, &ret->cipher_list, - NULL, SSL_DEFAULT_CIPHER_LIST, ret->internal->cert); + NULL, SSL_DEFAULT_CIPHER_LIST, ret->cert); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); @@ -2039,28 +2031,28 @@ SSL_CTX_new(const SSL_METHOD *meth) if (!ret->param) goto err; - if ((ret->internal->client_CA = sk_X509_NAME_new_null()) == NULL) + if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) goto err; - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->internal->ex_data); + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); ret->extra_certs = NULL; - ret->internal->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; + ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - ret->internal->tlsext_servername_callback = 0; - ret->internal->tlsext_servername_arg = NULL; + ret->tlsext_servername_callback = 0; + ret->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ - arc4random_buf(ret->internal->tlsext_tick_key_name, 16); - arc4random_buf(ret->internal->tlsext_tick_hmac_key, 16); - arc4random_buf(ret->internal->tlsext_tick_aes_key, 16); + arc4random_buf(ret->tlsext_tick_key_name, 16); + arc4random_buf(ret->tlsext_tick_hmac_key, 16); + arc4random_buf(ret->tlsext_tick_aes_key, 16); - ret->internal->tlsext_status_cb = 0; - ret->internal->tlsext_status_arg = NULL; + ret->tlsext_status_cb = 0; + ret->tlsext_status_arg = NULL; #ifndef OPENSSL_NO_ENGINE - ret->internal->client_cert_engine = NULL; + ret->client_cert_engine = NULL; #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO #define eng_strx(x) #x #define eng_str(x) eng_strx(x) @@ -2083,7 +2075,7 @@ SSL_CTX_new(const SSL_METHOD *meth) * Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ - ret->internal->options |= SSL_OP_LEGACY_SERVER_CONNECT; + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; return (ret); err: @@ -2116,35 +2108,34 @@ SSL_CTX_free(SSL_CTX *ctx) * free ex_data, then finally free the cache. * (See ticket [openssl.org #212].) */ - if (ctx->internal->sessions != NULL) + if (ctx->sessions != NULL) SSL_CTX_flush_sessions(ctx, 0); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ctx, &ctx->internal->ex_data); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ctx, &ctx->ex_data); - lh_SSL_SESSION_free(ctx->internal->sessions); + lh_SSL_SESSION_free(ctx->sessions); X509_STORE_free(ctx->cert_store); sk_SSL_CIPHER_free(ctx->cipher_list); - sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13); - ssl_cert_free(ctx->internal->cert); - sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); + sk_SSL_CIPHER_free(ctx->cipher_list_tls13); + ssl_cert_free(ctx->cert); + sk_X509_NAME_pop_free(ctx->client_CA, X509_NAME_free); sk_X509_pop_free(ctx->extra_certs, X509_free); #ifndef OPENSSL_NO_SRTP - if (ctx->internal->srtp_profiles) - sk_SRTP_PROTECTION_PROFILE_free(ctx->internal->srtp_profiles); + if (ctx->srtp_profiles) + sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles); #endif #ifndef OPENSSL_NO_ENGINE - ENGINE_finish(ctx->internal->client_cert_engine); + ENGINE_finish(ctx->client_cert_engine); #endif - free(ctx->internal->tlsext_ecpointformatlist); - free(ctx->internal->tlsext_supportedgroups); + free(ctx->tlsext_ecpointformatlist); + free(ctx->tlsext_supportedgroups); - free(ctx->internal->alpn_client_proto_list); + free(ctx->alpn_client_proto_list); - free(ctx->internal); free(ctx); } @@ -2183,15 +2174,15 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg) { - ctx->internal->app_verify_callback = cb; - ctx->internal->app_verify_arg = arg; + ctx->app_verify_callback = cb; + ctx->app_verify_arg = arg; } void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *)) { ctx->verify_mode = mode; - ctx->internal->default_verify_callback = cb; + ctx->default_verify_callback = cb; } void @@ -2363,14 +2354,14 @@ ssl_should_update_external_cache(SSL *s, int mode) { int cache_mode; - cache_mode = s->session_ctx->internal->session_cache_mode; + cache_mode = s->session_ctx->session_cache_mode; /* Don't cache if mode says not to */ if ((cache_mode & mode) == 0) return 0; /* if it is not already cached, cache it */ - if (!s->internal->hit) + if (!s->hit) return 1; /* If it's TLS 1.3, do it to match OpenSSL */ @@ -2385,14 +2376,14 @@ ssl_should_update_internal_cache(SSL *s, int mode) { int cache_mode; - cache_mode = s->session_ctx->internal->session_cache_mode; + cache_mode = s->session_ctx->session_cache_mode; /* Don't cache if mode says not to */ if ((cache_mode & mode) == 0) return 0; /* If it is already cached, don't cache it again */ - if (s->internal->hit) + if (s->hit) return 0; if ((cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0) @@ -2415,11 +2406,11 @@ ssl_should_update_internal_cache(SSL *s, int mode) * to know about this even if it's a stateless ticket * from 1.3 so we can know when it is removed. */ - if (s->session_ctx->internal->remove_session_cb != NULL) + if (s->session_ctx->remove_session_cb != NULL) return 1; /* If we have set OP_NO_TICKET, cache it. */ - if ((s->internal->options & SSL_OP_NO_TICKET) != 0) + if ((s->options & SSL_OP_NO_TICKET) != 0) return 1; /* Otherwise do not cache */ @@ -2434,7 +2425,7 @@ ssl_update_cache(SSL *s, int mode) if (s->session->session_id_length == 0) return; - cache_mode = s->session_ctx->internal->session_cache_mode; + cache_mode = s->session_ctx->session_cache_mode; do_callback = ssl_should_update_external_cache(s, mode); if (ssl_should_update_internal_cache(s, mode)) { @@ -2455,9 +2446,9 @@ ssl_update_cache(SSL *s, int mode) * same glorious experience they expect from OpenSSL which * does it this way. */ - if (do_callback && s->session_ctx->internal->new_session_cb != NULL) { + if (do_callback && s->session_ctx->new_session_cb != NULL) { CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (!s->session_ctx->internal->new_session_cb(s, s->session)) + if (!s->session_ctx->new_session_cb(s, s->session)) SSL_SESSION_free(s->session); } @@ -2466,9 +2457,9 @@ ssl_update_cache(SSL *s, int mode) (cache_mode & mode) != 0) { int connections; if (mode & SSL_SESS_CACHE_CLIENT) - connections = s->session_ctx->internal->stats.sess_connect_good; + connections = s->session_ctx->stats.sess_connect_good; else - connections = s->session_ctx->internal->stats.sess_accept_good; + connections = s->session_ctx->stats.sess_accept_good; if ((connections & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); } @@ -2489,9 +2480,9 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *method) if (s->method == method) return (ret); - if (s->internal->handshake_func == s->method->ssl_connect) + if (s->handshake_func == s->method->ssl_connect) handshake_func = method->ssl_connect; - else if (s->internal->handshake_func == s->method->ssl_accept) + else if (s->handshake_func == s->method->ssl_accept) handshake_func = method->ssl_accept; if (s->method->version == method->version) { @@ -2501,7 +2492,7 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *method) s->method = method; ret = s->method->ssl_new(s); } - s->internal->handshake_func = handshake_func; + s->handshake_func = handshake_func; return (ret); } @@ -2537,7 +2528,7 @@ SSL_get_error(const SSL *s, int i) * try to write to the rbio, and an application * program where rbio and wbio are separate couldn't * even know what it should wait for. However if we - * ever set s->internal->rwstate incorrectly (so that we have + * ever set s->rwstate incorrectly (so that we have * SSL_want_read(s) instead of SSL_want_write(s)) * and rbio and wbio *are* the same, this test works * around that bug; so it might be safer to keep it. @@ -2578,7 +2569,7 @@ SSL_get_error(const SSL *s, int i) if (SSL_want_x509_lookup(s)) return (SSL_ERROR_WANT_X509_LOOKUP); - if ((s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) && + if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) return (SSL_ERROR_ZERO_RETURN); @@ -2631,15 +2622,15 @@ SSL_quic_max_handshake_flight_len(const SSL *ssl, * to request client certificates. */ if ((SSL_get_verify_mode(ssl) & SSL_VERIFY_PEER) != 0 && - ssl->internal->max_cert_list > flight_len) - flight_len = ssl->internal->max_cert_list; + ssl->max_cert_list > flight_len) + flight_len = ssl->max_cert_list; } else { /* * Clients may receive both Certificate message and a * CertificateRequest message. */ - if (ssl->internal->max_cert_list * 2 > flight_len) - flight_len = ssl->internal->max_cert_list * 2; + if (ssl->max_cert_list * 2 > flight_len) + flight_len = ssl->max_cert_list * 2; } return flight_len; case ssl_encryption_application: @@ -2709,7 +2700,7 @@ SSL_process_quic_post_handshake(SSL *ssl) int SSL_do_handshake(SSL *s) { - if (s->internal->handshake_func == NULL) { + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_CONNECTION_TYPE_NOT_SET); return (-1); } @@ -2719,7 +2710,7 @@ SSL_do_handshake(SSL *s) if (!SSL_in_init(s) && !SSL_in_before(s)) return 1; - return s->internal->handshake_func(s); + return s->handshake_func(s); } /* @@ -2730,9 +2721,9 @@ void SSL_set_accept_state(SSL *s) { s->server = 1; - s->internal->shutdown = 0; + s->shutdown = 0; s->s3->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE; - s->internal->handshake_func = s->method->ssl_accept; + s->handshake_func = s->method->ssl_accept; ssl_clear_cipher_state(s); } @@ -2740,9 +2731,9 @@ void SSL_set_connect_state(SSL *s) { s->server = 0; - s->internal->shutdown = 0; + s->shutdown = 0; s->s3->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE; - s->internal->handshake_func = s->method->ssl_connect; + s->handshake_func = s->method->ssl_connect; ssl_clear_cipher_state(s); } @@ -2832,24 +2823,24 @@ SSL_dup(SSL *s) goto err; } - ret->internal->options = s->internal->options; - ret->internal->mode = s->internal->mode; + ret->options = s->options; + ret->mode = s->mode; SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); - ret->internal->msg_callback = s->internal->msg_callback; - ret->internal->msg_callback_arg = s->internal->msg_callback_arg; + ret->msg_callback = s->msg_callback; + ret->msg_callback_arg = s->msg_callback_arg; SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s)); SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); - ret->internal->generate_session_id = s->internal->generate_session_id; + ret->generate_session_id = s->generate_session_id; SSL_set_info_callback(ret, SSL_get_info_callback(s)); - ret->internal->debug = s->internal->debug; + ret->debug = s->debug; /* copy app data, a little dangerous perhaps */ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, - &ret->internal->ex_data, &s->internal->ex_data)) + &ret->ex_data, &s->ex_data)) goto err; /* setup rbio, and wbio */ @@ -2864,25 +2855,25 @@ SSL_dup(SSL *s) } else ret->wbio = ret->rbio; } - ret->internal->rwstate = s->internal->rwstate; - ret->internal->in_handshake = s->internal->in_handshake; - ret->internal->handshake_func = s->internal->handshake_func; + ret->rwstate = s->rwstate; + ret->in_handshake = s->in_handshake; + ret->handshake_func = s->handshake_func; ret->server = s->server; - ret->internal->renegotiate = s->internal->renegotiate; - ret->internal->new_session = s->internal->new_session; - ret->internal->quiet_shutdown = s->internal->quiet_shutdown; - ret->internal->shutdown = s->internal->shutdown; + ret->renegotiate = s->renegotiate; + ret->new_session = s->new_session; + ret->quiet_shutdown = s->quiet_shutdown; + ret->shutdown = s->shutdown; /* SSL_dup does not really work at any state, though */ ret->s3->hs.state = s->s3->hs.state; - ret->internal->rstate = s->internal->rstate; + ret->rstate = s->rstate; /* * Would have to copy ret->init_buf, ret->init_msg, ret->init_num, * ret->init_off */ - ret->internal->init_num = 0; + ret->init_num = 0; - ret->internal->hit = s->internal->hit; + ret->hit = s->hit; X509_VERIFY_PARAM_inherit(ret->param, s->param); @@ -2891,16 +2882,16 @@ SSL_dup(SSL *s) sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) goto err; } - if (s->internal->cipher_list_tls13 != NULL) { - if ((ret->internal->cipher_list_tls13 = - sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)) == NULL) + if (s->cipher_list_tls13 != NULL) { + if ((ret->cipher_list_tls13 = + sk_SSL_CIPHER_dup(s->cipher_list_tls13)) == NULL) goto err; } /* Dup the client_CA list */ - if (s->internal->client_CA != NULL) { - if ((sk = sk_X509_NAME_dup(s->internal->client_CA)) == NULL) goto err; - ret->internal->client_CA = sk; + if (s->client_CA != NULL) { + if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; + ret->client_CA = sk; for (i = 0; i < sk_X509_NAME_num(sk); i++) { xn = sk_X509_NAME_value(sk, i); if (sk_X509_NAME_set(sk, i, @@ -2920,8 +2911,8 @@ SSL_dup(SSL *s) void ssl_clear_cipher_state(SSL *s) { - tls12_record_layer_clear_read_state(s->internal->rl); - tls12_record_layer_clear_write_state(s->internal->rl); + tls12_record_layer_clear_read_state(s->rl); + tls12_record_layer_clear_write_state(s->rl); } void @@ -2929,8 +2920,8 @@ ssl_info_callback(const SSL *s, int type, int value) { ssl_info_callback_fn *cb; - if ((cb = s->internal->info_callback) == NULL) - cb = s->ctx->internal->info_callback; + if ((cb = s->info_callback) == NULL) + cb = s->ctx->info_callback; if (cb != NULL) cb(s, type, value); } @@ -2939,11 +2930,11 @@ void ssl_msg_callback(SSL *s, int is_write, int content_type, const void *msg_buf, size_t msg_len) { - if (s->internal->msg_callback == NULL) + if (s->msg_callback == NULL) return; - s->internal->msg_callback(is_write, s->version, content_type, - msg_buf, msg_len, s, s->internal->msg_callback_arg); + s->msg_callback(is_write, s->version, content_type, + msg_buf, msg_len, s, s->msg_callback_arg); } void @@ -3068,37 +3059,37 @@ ssl_free_wbio_buffer(SSL *s) void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { - ctx->internal->quiet_shutdown = mode; + ctx->quiet_shutdown = mode; } int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { - return (ctx->internal->quiet_shutdown); + return (ctx->quiet_shutdown); } void SSL_set_quiet_shutdown(SSL *s, int mode) { - s->internal->quiet_shutdown = mode; + s->quiet_shutdown = mode; } int SSL_get_quiet_shutdown(const SSL *s) { - return (s->internal->quiet_shutdown); + return (s->quiet_shutdown); } void SSL_set_shutdown(SSL *s, int mode) { - s->internal->shutdown = mode; + s->shutdown = mode; } int SSL_get_shutdown(const SSL *s) { - return (s->internal->shutdown); + return (s->shutdown); } int @@ -3123,7 +3114,7 @@ SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) if (ssl->ctx == ctx) return (ssl->ctx); - if ((new_cert = ssl_cert_dup(ctx->internal->cert)) == NULL) + if ((new_cert = ssl_cert_dup(ctx->cert)) == NULL) return NULL; ssl_cert_free(ssl->cert); ssl->cert = new_cert; @@ -3157,12 +3148,12 @@ SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len) void SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val)) { - ssl->internal->info_callback = cb; + ssl->info_callback = cb; } void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val) { - return (ssl->internal->info_callback); + return (ssl->info_callback); } int @@ -3218,13 +3209,13 @@ SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int SSL_set_ex_data(SSL *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg)); + return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); } void * SSL_get_ex_data(const SSL *s, int idx) { - return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); + return (CRYPTO_get_ex_data(&s->ex_data, idx)); } int @@ -3238,13 +3229,13 @@ SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg)); + return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); } void * SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) { - return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); + return (CRYPTO_get_ex_data(&s->ex_data, idx)); } int @@ -3269,25 +3260,25 @@ SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) X509 * SSL_CTX_get0_certificate(const SSL_CTX *ctx) { - if (ctx->internal->cert == NULL) + if (ctx->cert == NULL) return NULL; - return ctx->internal->cert->key->x509; + return ctx->cert->key->x509; } EVP_PKEY * SSL_CTX_get0_privatekey(const SSL_CTX *ctx) { - if (ctx->internal->cert == NULL) + if (ctx->cert == NULL) return NULL; - return ctx->internal->cert->key->privatekey; + return ctx->cert->key->privatekey; } int SSL_want(const SSL *s) { - return (s->internal->rwstate); + return (s->rwstate); } void @@ -3352,68 +3343,68 @@ SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, void SSL_set_debug(SSL *s, int debug) { - s->internal->debug = debug; + s->debug = debug; } int SSL_cache_hit(SSL *s) { - return (s->internal->hit); + return (s->hit); } int SSL_CTX_get_min_proto_version(SSL_CTX *ctx) { - return ctx->internal->min_proto_version; + return ctx->min_proto_version; } int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_min(ctx->method, version, - ctx->internal->max_tls_version, &ctx->internal->min_tls_version, - &ctx->internal->min_proto_version); + ctx->max_tls_version, &ctx->min_tls_version, + &ctx->min_proto_version); } int SSL_CTX_get_max_proto_version(SSL_CTX *ctx) { - return ctx->internal->max_proto_version; + return ctx->max_proto_version; } int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_max(ctx->method, version, - ctx->internal->min_tls_version, &ctx->internal->max_tls_version, - &ctx->internal->max_proto_version); + ctx->min_tls_version, &ctx->max_tls_version, + &ctx->max_proto_version); } int SSL_get_min_proto_version(SSL *ssl) { - return ssl->internal->min_proto_version; + return ssl->min_proto_version; } int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_min(ssl->method, version, - ssl->internal->max_tls_version, &ssl->internal->min_tls_version, - &ssl->internal->min_proto_version); + ssl->max_tls_version, &ssl->min_tls_version, + &ssl->min_proto_version); } int SSL_get_max_proto_version(SSL *ssl) { - return ssl->internal->max_proto_version; + return ssl->max_proto_version; } int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_max(ssl->method, version, - ssl->internal->min_tls_version, &ssl->internal->max_tls_version, - &ssl->internal->max_proto_version); + ssl->min_tls_version, &ssl->max_tls_version, + &ssl->max_proto_version); } const SSL_METHOD * @@ -3425,13 +3416,13 @@ SSL_CTX_get_ssl_method(const SSL_CTX *ctx) int SSL_CTX_get_security_level(const SSL_CTX *ctx) { - return ctx->internal->cert->security_level; + return ctx->cert->security_level; } void SSL_CTX_set_security_level(SSL_CTX *ctx, int level) { - ctx->internal->cert->security_level = level; + ctx->cert->security_level = level; } int @@ -3456,16 +3447,16 @@ int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, size_t params_len) { - freezero(ssl->internal->quic_transport_params, - ssl->internal->quic_transport_params_len); - ssl->internal->quic_transport_params = NULL; - ssl->internal->quic_transport_params_len = 0; + freezero(ssl->quic_transport_params, + ssl->quic_transport_params_len); + ssl->quic_transport_params = NULL; + ssl->quic_transport_params_len = 0; - if ((ssl->internal->quic_transport_params = malloc(params_len)) == NULL) + if ((ssl->quic_transport_params = malloc(params_len)) == NULL) return 0; - memcpy(ssl->internal->quic_transport_params, params, params_len); - ssl->internal->quic_transport_params_len = params_len; + memcpy(ssl->quic_transport_params, params, params_len); + ssl->quic_transport_params_len = params_len; return 1; } diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index a8d5308e8c3..8046ad8c866 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.426 2022/10/01 16:23:15 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.427 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -713,7 +713,42 @@ typedef void (ssl_info_callback_fn)(const SSL *s, int type, int val); typedef void (ssl_msg_callback_fn)(int is_write, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); -typedef struct ssl_ctx_internal_st { +struct ssl_ctx_st { + const SSL_METHOD *method; + const SSL_QUIC_METHOD *quic_method; + + STACK_OF(SSL_CIPHER) *cipher_list; + + struct x509_store_st /* X509_STORE */ *cert_store; + + /* If timeout is not 0, it is the default timeout value set + * when SSL_new() is called. This has been put in to make + * life easier to set things up */ + long session_timeout; + + int references; + + /* Default values to use in SSL structures follow (these are copied by SSL_new) */ + + STACK_OF(X509) *extra_certs; + + int verify_mode; + size_t sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; + + X509_VERIFY_PARAM *param; + + /* + * XXX + * default_passwd_cb used by python and openvpn, need to keep it until we + * add an accessor + */ + /* Default password callback. */ + pem_password_cb *default_passwd_callback; + + /* Default password callback user data. */ + void *default_passwd_callback_userdata; + uint16_t min_tls_version; uint16_t max_tls_version; @@ -879,48 +914,72 @@ typedef struct ssl_ctx_internal_st { uint16_t *tlsext_supportedgroups; /* our list */ SSL_CTX_keylog_cb_func keylog_callback; /* Unused. For OpenSSL compatibility. */ size_t num_tickets; /* Unused, for OpenSSL compatibility */ -} SSL_CTX_INTERNAL; +}; + +struct ssl_st { + /* protocol version + * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) + */ + int version; -struct ssl_ctx_st { const SSL_METHOD *method; const SSL_QUIC_METHOD *quic_method; - STACK_OF(SSL_CIPHER) *cipher_list; + /* There are 2 BIO's even though they are normally both the + * same. This is so data can be read and written to different + * handlers */ - struct x509_store_st /* X509_STORE */ *cert_store; + BIO *rbio; /* used by SSL_read */ + BIO *wbio; /* used by SSL_write */ + BIO *bbio; /* used during session-id reuse to concatenate + * messages */ + int server; /* are we the server side? - mostly used by SSL_clear*/ - /* If timeout is not 0, it is the default timeout value set - * when SSL_new() is called. This has been put in to make - * life easier to set things up */ - long session_timeout; + struct ssl3_state_st *s3; /* SSLv3 variables */ + struct dtls1_state_st *d1; /* DTLSv1 variables */ - int references; + X509_VERIFY_PARAM *param; - /* Default values to use in SSL structures follow (these are copied by SSL_new) */ + /* crypto */ + STACK_OF(SSL_CIPHER) *cipher_list; - STACK_OF(X509) *extra_certs; + /* This is used to hold the server certificate used */ + SSL_CERT *cert; - int verify_mode; + /* the session_id_context is used to ensure sessions are only reused + * in the appropriate context */ size_t sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - X509_VERIFY_PARAM *param; + /* This can also be in the session once a session is established */ + SSL_SESSION *session; - /* - * XXX - * default_passwd_cb used by python and openvpn, need to keep it until we - * add an accessor - */ - /* Default password callback. */ - pem_password_cb *default_passwd_callback; + /* Used in SSL2 and SSL3 */ + int verify_mode; /* 0 don't care about verify failure. + * 1 fail if verify fails */ + int error; /* error bytes to be written */ + int error_code; /* actual code */ - /* Default password callback user data. */ - void *default_passwd_callback_userdata; + SSL_CTX *ctx; - struct ssl_ctx_internal_st *internal; -}; + long verify_result; + + int references; + + int client_version; /* what was passed, used for + * SSLv3/TLS rollback check */ + + unsigned int max_send_fragment; + + char *tlsext_hostname; + + /* certificate status request info */ + /* Status type or -1 if no status type */ + int tlsext_status_type; + + SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ +#define session_ctx initial_ctx -typedef struct ssl_internal_st { struct tls13_ctx *tls13; uint16_t min_tls_version; @@ -1066,73 +1125,6 @@ typedef struct ssl_internal_st { size_t num_tickets; /* Unused, for OpenSSL compatibility */ STACK_OF(X509) *verified_chain; -} SSL_INTERNAL; - -struct ssl_st { - /* protocol version - * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) - */ - int version; - - const SSL_METHOD *method; - const SSL_QUIC_METHOD *quic_method; - - /* There are 2 BIO's even though they are normally both the - * same. This is so data can be read and written to different - * handlers */ - - BIO *rbio; /* used by SSL_read */ - BIO *wbio; /* used by SSL_write */ - BIO *bbio; /* used during session-id reuse to concatenate - * messages */ - int server; /* are we the server side? - mostly used by SSL_clear*/ - - struct ssl3_state_st *s3; /* SSLv3 variables */ - struct dtls1_state_st *d1; /* DTLSv1 variables */ - - X509_VERIFY_PARAM *param; - - /* crypto */ - STACK_OF(SSL_CIPHER) *cipher_list; - - /* This is used to hold the server certificate used */ - SSL_CERT *cert; - - /* the session_id_context is used to ensure sessions are only reused - * in the appropriate context */ - size_t sid_ctx_length; - unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - - /* This can also be in the session once a session is established */ - SSL_SESSION *session; - - /* Used in SSL2 and SSL3 */ - int verify_mode; /* 0 don't care about verify failure. - * 1 fail if verify fails */ - int error; /* error bytes to be written */ - int error_code; /* actual code */ - - SSL_CTX *ctx; - - long verify_result; - - int references; - - int client_version; /* what was passed, used for - * SSLv3/TLS rollback check */ - - unsigned int max_send_fragment; - - char *tlsext_hostname; - - /* certificate status request info */ - /* Status type or -1 if no status type */ - int tlsext_status_type; - - SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ -#define session_ctx initial_ctx - - struct ssl_internal_st *internal; }; typedef struct ssl3_record_internal_st { diff --git a/lib/libssl/ssl_packet.c b/lib/libssl/ssl_packet.c index 091685b2178..b2c3d0f2a02 100644 --- a/lib/libssl/ssl_packet.c +++ b/lib/libssl/ssl_packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_packet.c,v 1.13 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_packet.c,v 1.14 2022/10/02 16:36:41 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -84,7 +84,7 @@ ssl_convert_sslv2_client_hello(SSL *s) memset(&cbb, 0, sizeof(cbb)); - CBS_init(&cbs, s->internal->packet, SSL3_RT_HEADER_LENGTH); + CBS_init(&cbs, s->packet, SSL3_RT_HEADER_LENGTH); if (!CBS_get_u16(&cbs, &record_length) || !CBS_get_u8(&cbs, &message_type) || @@ -119,17 +119,17 @@ ssl_convert_sslv2_client_hello(SSL *s) if (n != record_length + 2) return n; - tls1_transcript_record(s, s->internal->packet + 2, - s->internal->packet_length - 2); - s->internal->mac_packet = 0; + tls1_transcript_record(s, s->packet + 2, + s->packet_length - 2); + s->mac_packet = 0; - if (s->internal->msg_callback) - s->internal->msg_callback(0, SSL2_VERSION, 0, - s->internal->packet + 2, s->internal->packet_length - 2, s, - s->internal->msg_callback_arg); + if (s->msg_callback) + s->msg_callback(0, SSL2_VERSION, 0, + s->packet + 2, s->packet_length - 2, s, + s->msg_callback_arg); /* Decode the SSLv2 record containing the client hello. */ - CBS_init(&cbs, s->internal->packet, s->internal->packet_length); + CBS_init(&cbs, s->packet, s->packet_length); if (!CBS_get_u16(&cbs, &record_length)) return -1; @@ -212,9 +212,9 @@ ssl_convert_sslv2_client_hello(SSL *s) if (data_len > s->s3->rbuf.len) goto err; - s->internal->packet = s->s3->rbuf.buf; - s->internal->packet_length = data_len; - memcpy(s->internal->packet, data, data_len); + s->packet = s->s3->rbuf.buf; + s->packet_length = data_len; + memcpy(s->packet, data, data_len); ret = 1; err: @@ -240,7 +240,7 @@ ssl_server_legacy_first_packet(SSL *s) if (SSL_is_dtls(s)) return 1; - CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); + CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH); if (ssl_is_sslv3_handshake(&header) == 1) return 1; diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c index d9f5a0d0577..8462d03967a 100644 --- a/lib/libssl/ssl_pkt.c +++ b/lib/libssl/ssl_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_pkt.c,v 1.60 2022/09/11 13:51:25 jsing Exp $ */ +/* $OpenBSD: ssl_pkt.c,v 1.61 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -136,16 +136,16 @@ ssl_force_want_read(SSL *s) BIO_clear_retry_flags(bio); BIO_set_retry_read(bio); - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; } /* * If extend == 0, obtain new n-byte packet; if extend == 1, increase * packet by another n bytes. * The packet will be in the sub-array of s->s3->rbuf.buf specified - * by s->internal->packet and s->internal->packet_length. - * (If s->internal->read_ahead is set, 'max' bytes may be stored in rbuf - * [plus s->internal->packet_length bytes if extend == 1].) + * by s->packet and s->packet_length. + * (If s->read_ahead is set, 'max' bytes may be stored in rbuf + * [plus s->packet_length bytes if extend == 1].) */ static int ssl3_read_n(SSL *s, int n, int max, int extend) @@ -187,8 +187,8 @@ ssl3_read_n(SSL *s, int n, int max, int extend) rb->offset = align; } } - s->internal->packet = rb->buf + rb->offset; - s->internal->packet_length = 0; + s->packet = rb->buf + rb->offset; + s->packet_length = 0; /* ... now we can act as if 'extend' was set */ } @@ -202,7 +202,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) /* if there is enough in the buffer from a previous read, take some */ if (left >= n) { - s->internal->packet_length += n; + s->packet_length += n; rb->left = left - n; rb->offset += n; return (n); @@ -210,15 +210,15 @@ ssl3_read_n(SSL *s, int n, int max, int extend) /* else we need to read more data */ - len = s->internal->packet_length; + len = s->packet_length; pkt = rb->buf + align; /* Move any available bytes to front of buffer: * 'len' bytes already pointed to by 'packet', * 'left' extra ones at the end */ - if (s->internal->packet != pkt) { + if (s->packet != pkt) { /* len > 0 */ - memmove(pkt, s->internal->packet, len + left); - s->internal->packet = pkt; + memmove(pkt, s->packet, len + left); + s->packet = pkt; rb->offset = len + align; } @@ -228,7 +228,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) return -1; } - if (s->internal->read_ahead || SSL_is_dtls(s)) { + if (s->read_ahead || SSL_is_dtls(s)) { if (max < n) max = n; if (max > (int)(rb->len - rb->offset)) @@ -245,7 +245,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) errno = 0; if (s->rbio != NULL) { - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; i = BIO_read(s->rbio, pkt + len + left, max - left); } else { SSLerror(s, SSL_R_READ_BIO_NOT_SET); @@ -254,7 +254,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) if (i <= 0) { rb->left = left; - if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && + if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_is_dtls(s)) { if (len + left == 0) ssl3_release_read_buffer(s); @@ -277,8 +277,8 @@ ssl3_read_n(SSL *s, int n, int max, int extend) /* done reading, now the book-keeping */ rb->offset += n; rb->left = left - n; - s->internal->packet_length += n; - s->internal->rwstate = SSL_NOTHING; + s->packet_length += n; + s->rwstate = SSL_NOTHING; return (n); } @@ -291,8 +291,8 @@ ssl3_packet_read(SSL *s, int plen) n = ssl3_read_n(s, plen, s->s3->rbuf.len, 0); if (n <= 0) return n; - if (s->internal->packet_length < plen) - return s->internal->packet_length; + if (s->packet_length < plen) + return s->packet_length; return plen; } @@ -302,15 +302,15 @@ ssl3_packet_extend(SSL *s, int plen) { int rlen, n; - if (s->internal->packet_length >= plen) + if (s->packet_length >= plen) return plen; - rlen = plen - s->internal->packet_length; + rlen = plen - s->packet_length; n = ssl3_read_n(s, rlen, rlen, 1); if (n <= 0) return n; - if (s->internal->packet_length < plen) - return s->internal->packet_length; + if (s->packet_length < plen) + return s->packet_length; return plen; } @@ -319,9 +319,9 @@ ssl3_packet_extend(SSL *s, int plen) * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. * When it finishes, one packet has been decoded and can be found in - * ssl->s3->internal->rrec.type - is the type of record - * ssl->s3->internal->rrec.data, - data - * ssl->s3->internal->rrec.length, - number of bytes + * ssl->s3->rrec.type - is the type of record + * ssl->s3->rrec.data, - data + * ssl->s3->rrec.length, - number of bytes */ /* used only by ssl3_read_bytes */ static int @@ -337,8 +337,8 @@ ssl3_get_record(SSL *s) again: /* check if we have the header */ - if ((s->internal->rstate != SSL_ST_READ_BODY) || - (s->internal->packet_length < SSL3_RT_HEADER_LENGTH)) { + if ((s->rstate != SSL_ST_READ_BODY) || + (s->packet_length < SSL3_RT_HEADER_LENGTH)) { CBS header; uint16_t len, ssl_version; uint8_t type; @@ -347,16 +347,16 @@ ssl3_get_record(SSL *s) if (n <= 0) return (n); - s->internal->mac_packet = 1; - s->internal->rstate = SSL_ST_READ_BODY; + s->mac_packet = 1; + s->rstate = SSL_ST_READ_BODY; - if (s->server && s->internal->first_packet) { + if (s->server && s->first_packet) { if ((ret = ssl_server_legacy_first_packet(s)) != 1) return (ret); ret = -1; } - CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); + CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH); /* Pull apart the header into the SSL3_RECORD_INTERNAL */ if (!CBS_get_u8(&header, &type) || @@ -370,9 +370,9 @@ ssl3_get_record(SSL *s) rr->length = len; /* Lets check version */ - if (!s->internal->first_packet && ssl_version != s->version) { + if (!s->first_packet && ssl_version != s->version) { if ((s->version & 0xFF00) == (ssl_version & 0xFF00) && - !tls12_record_layer_write_protected(s->internal->rl)) { + !tls12_record_layer_write_protected(s->rl)) { /* Send back error using their minor version number :-) */ s->version = ssl_version; } @@ -399,17 +399,17 @@ ssl3_get_record(SSL *s) if (n != SSL3_RT_HEADER_LENGTH + rr->length) return (n); - s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ + s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ /* * A full record has now been read from the wire, which now needs * to be processed. */ - tls12_record_layer_set_version(s->internal->rl, s->version); + tls12_record_layer_set_version(s->rl, s->version); - if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, - s->internal->packet_length, &out, &out_len)) { - tls12_record_layer_alert(s->internal->rl, &alert_desc); + if (!tls12_record_layer_open_record(s->rl, s->packet, + s->packet_length, &out, &out_len)) { + tls12_record_layer_alert(s->rl, &alert_desc); if (alert_desc == 0) goto err; @@ -428,7 +428,7 @@ ssl3_get_record(SSL *s) rr->off = 0; /* we have pulled in a full packet so zero things */ - s->internal->packet_length = 0; + s->packet_length = 0; if (rr->length == 0) { /* @@ -446,18 +446,18 @@ ssl3_get_record(SSL *s) * insert a single empty record, so we allow ourselves to read * once past a single empty record without forcing want_read. */ - if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { + if (s->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { SSLerror(s, SSL_R_PEER_BEHAVING_BADLY); return -1; } - if (s->internal->empty_record_count > 1) { + if (s->empty_record_count > 1) { ssl_force_want_read(s); return -1; } goto again; } - s->internal->empty_record_count = 0; + s->empty_record_count = 0; return (1); @@ -482,12 +482,12 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) return -1; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; tot = s->s3->wnum; s->s3->wnum = 0; - if (SSL_in_init(s) && !s->internal->in_handshake) { - i = s->internal->handshake_func(s); + if (SSL_in_init(s) && !s->in_handshake) { + i = s->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -512,7 +512,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA && - (s->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { + (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { /* * Next chunk of data should get another prepended * empty fragment in ciphersuites with known-IV @@ -573,7 +573,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) */ version = s->version; if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_B && - !s->internal->renegotiate && + !s->renegotiate && s->s3->hs.our_max_tls_version > TLS1_VERSION) version = TLS1_VERSION; @@ -582,7 +582,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this * is unnecessary for AEAD. */ - if (sess != NULL && tls12_record_layer_write_protected(s->internal->rl)) { + if (sess != NULL && tls12_record_layer_write_protected(s->rl)) { if (s->s3->need_empty_fragments && !s->s3->empty_fragment_done && type == SSL3_RT_APPLICATION_DATA) @@ -603,16 +603,16 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align)) goto err; - tls12_record_layer_set_version(s->internal->rl, version); + tls12_record_layer_set_version(s->rl, version); if (need_empty_fragment) { - if (!tls12_record_layer_seal_record(s->internal->rl, type, + if (!tls12_record_layer_seal_record(s->rl, type, buf, 0, &cbb)) goto err; s->s3->empty_fragment_done = 1; } - if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) + if (!tls12_record_layer_seal_record(s->rl, type, buf, len, &cbb)) goto err; if (!CBB_finish(&cbb, NULL, &out_len)) @@ -647,7 +647,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) /* XXXX */ if ((s->s3->wpend_tot > (int)len) || ((s->s3->wpend_buf != buf) && - !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || + !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || (s->s3->wpend_type != type)) { SSLerror(s, SSL_R_BAD_WRITE_RETRY); return (-1); @@ -656,7 +656,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) for (;;) { errno = 0; if (s->wbio != NULL) { - s->internal->rwstate = SSL_WRITING; + s->rwstate = SSL_WRITING; i = BIO_write(s->wbio, (char *)&(wb->buf[wb->offset]), (unsigned int)wb->left); } else { @@ -666,10 +666,10 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) if (i == wb->left) { wb->left = 0; wb->offset += i; - if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && + if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_is_dtls(s)) ssl3_release_write_buffer(s); - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; return (s->s3->wpend_ret); } else if (i <= 0) { /* @@ -731,7 +731,7 @@ ssl3_read_alert(SSL *s) if (alert_level == SSL3_AL_WARNING) { s->s3->warn_alert = alert_descr; if (alert_descr == SSL_AD_CLOSE_NOTIFY) { - s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; + s->shutdown |= SSL_RECEIVED_SHUTDOWN; return 0; } /* We requested renegotiation and the peer rejected it. */ @@ -742,11 +742,11 @@ ssl3_read_alert(SSL *s) return -1; } } else if (alert_level == SSL3_AL_FATAL) { - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->fatal_alert = alert_descr; SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); ERR_asprintf_error_data("SSL alert number %d", alert_descr); - s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; + s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL_CTX_remove_session(s->ctx, s->session); return 0; } else { @@ -847,7 +847,7 @@ ssl3_read_handshake_unexpected(SSL *s) if (s->s3->handshake_fragment_len < sizeof(s->s3->handshake_fragment)) return 1; - if (s->internal->in_handshake) { + if (s->in_handshake) { SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } @@ -937,7 +937,7 @@ ssl3_read_handshake_unexpected(SSL *s) return -1; } - if ((s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { + if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); return -1; @@ -957,8 +957,8 @@ ssl3_read_handshake_unexpected(SSL *s) } s->s3->hs.state = SSL_ST_ACCEPT; - s->internal->renegotiate = 1; - s->internal->new_session = 1; + s->renegotiate = 1; + s->new_session = 1; } else { SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); @@ -966,14 +966,14 @@ ssl3_read_handshake_unexpected(SSL *s) return -1; } - if ((ret = s->internal->handshake_func(s)) < 0) + if ((ret = s->handshake_func(s)) < 0) return ret; if (ret == 0) { SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } - if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { if (s->s3->rbuf.left == 0) { ssl_force_want_read(s); return -1; @@ -1062,8 +1062,8 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return n; } - if (SSL_in_init(s) && !s->internal->in_handshake) { - if ((ret = s->internal->handshake_func(s)) < 0) + if (SSL_in_init(s) && !s->in_handshake) { + if ((ret = s->handshake_func(s)) < 0) return ret; if (ret == 0) { SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); @@ -1085,11 +1085,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; rr = &s->s3->rrec; - if (rr->length == 0 || s->internal->rstate == SSL_ST_READ_BODY) { + if (rr->length == 0 || s->rstate == SSL_ST_READ_BODY) { if ((ret = ssl3_get_record(s)) <= 0) return ret; } @@ -1106,8 +1106,8 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * If the other end has shut down, throw anything we read away (even in * 'peek' mode). */ - if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { + s->rwstate = SSL_NOTHING; rr->length = 0; return 0; } @@ -1119,7 +1119,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * are doing a handshake for the first time. */ if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA && - !tls12_record_layer_read_protected(s->internal->rl)) { + !tls12_record_layer_read_protected(s->rl)) { SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); @@ -1140,9 +1140,9 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) rr->length -= n; rr->off += n; if (rr->length == 0) { - s->internal->rstate = SSL_ST_READ_HEADER; + s->rstate = SSL_ST_READ_HEADER; rr->off = 0; - if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && + if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) ssl3_release_read_buffer(s); } @@ -1162,8 +1162,8 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) goto start; } - if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; + if (s->shutdown & SSL_SENT_SHUTDOWN) { + s->rwstate = SSL_NOTHING; rr->length = 0; return 0; } diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c index b691b9bc4bc..7026b330cf5 100644 --- a/lib/libssl/ssl_seclevel.c +++ b/lib/libssl/ssl_seclevel.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_seclevel.c,v 1.25 2022/08/17 18:41:17 tb Exp $ */ +/* $OpenBSD: ssl_seclevel.c,v 1.26 2022/10/02 16:36:41 jsing Exp $ */ /* * Copyright (c) 2020-2022 Theo Buehler * @@ -224,8 +224,8 @@ ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits, static int ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other) { - return ctx->internal->cert->security_cb(NULL, ctx, secop, bits, nid, - other, ctx->internal->cert->security_ex_data); + return ctx->cert->security_cb(NULL, ctx, secop, bits, nid, + other, ctx->cert->security_ex_data); } static int diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index 7cf36f8984f..45c6ddb6827 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.117 2022/08/17 07:39:19 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.118 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -354,17 +354,17 @@ ssl_get_new_session(SSL *s, int session) } /* If RFC4507 ticket use empty session ID. */ - if (s->internal->tlsext_ticket_expected) { + if (s->tlsext_ticket_expected) { ss->session_id_length = 0; goto sess_id_done; } /* Choose which callback will set the session ID. */ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - if (s->internal->generate_session_id) - cb = s->internal->generate_session_id; - else if (s->session_ctx->internal->generate_session_id) - cb = s->session_ctx->internal->generate_session_id; + if (s->generate_session_id) + cb = s->generate_session_id; + else if (s->session_ctx->generate_session_id) + cb = s->session_ctx->generate_session_id; CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); /* Choose a session ID. */ @@ -430,7 +430,7 @@ ssl_session_from_cache(SSL *s, CBS *session_id) SSL_SESSION *sess; SSL_SESSION data; - if ((s->session_ctx->internal->session_cache_mode & + if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) return NULL; @@ -443,13 +443,13 @@ ssl_session_from_cache(SSL *s, CBS *session_id) return NULL; CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - sess = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data); + sess = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data); if (sess != NULL) CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION); CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); if (sess == NULL) - s->session_ctx->internal->stats.sess_miss++; + s->session_ctx->stats.sess_miss++; return sess; } @@ -460,11 +460,11 @@ ssl_session_from_callback(SSL *s, CBS *session_id) SSL_SESSION *sess; int copy; - if (s->session_ctx->internal->get_session_cb == NULL) + if (s->session_ctx->get_session_cb == NULL) return NULL; copy = 1; - if ((sess = s->session_ctx->internal->get_session_cb(s, + if ((sess = s->session_ctx->get_session_cb(s, CBS_data(session_id), CBS_len(session_id), ©)) == NULL) return NULL; /* @@ -476,10 +476,10 @@ ssl_session_from_callback(SSL *s, CBS *session_id) if (copy) CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION); - s->session_ctx->internal->stats.sess_cb_hit++; + s->session_ctx->stats.sess_cb_hit++; /* Add the externally cached session to the internal cache as well. */ - if (!(s->session_ctx->internal->session_cache_mode & + if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) { /* * The following should not return 1, @@ -523,7 +523,7 @@ ssl_session_by_id(SSL *s, CBS *session_id) * - If a session is found then s->session is pointed at it (after freeing * an existing session if need be) and s->verify_result is set from the * session. - * - For both new and resumed sessions, s->internal->tlsext_ticket_expected + * - For both new and resumed sessions, s->tlsext_ticket_expected * indicates whether the server should issue a new session ticket or not. */ int @@ -538,7 +538,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) if (CBS_len(session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; - /* Sets s->internal->tlsext_ticket_expected. */ + /* Sets s->tlsext_ticket_expected. */ switch (tls1_process_ticket(s, ext_block, &alert_desc, &sess)) { case TLS1_TICKET_FATAL_ERROR: fatal = 1; @@ -605,7 +605,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) } if (sess->timeout < (time(NULL) - sess->time)) { - s->session_ctx->internal->stats.sess_timeout++; + s->session_ctx->stats.sess_timeout++; if (!ticket_decrypted) { /* The session was from the cache, so remove it. */ SSL_CTX_remove_session(s->session_ctx, sess); @@ -613,7 +613,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) goto err; } - s->session_ctx->internal->stats.sess_hit++; + s->session_ctx->stats.sess_hit++; SSL_SESSION_free(s->session); s->session = sess; @@ -628,7 +628,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) * The session was from a ticket. Issue a ticket for the new * session. */ - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; } if (fatal) { *alert = alert_desc; @@ -655,12 +655,12 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) * later. */ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - s = lh_SSL_SESSION_insert(ctx->internal->sessions, c); + s = lh_SSL_SESSION_insert(ctx->sessions, c); /* * s != NULL iff we already had a session with the given PID. * In this case, s == c should hold (then we did not really modify - * ctx->internal->sessions), or we're in trouble. + * ctx->sessions), or we're in trouble. */ if (s != NULL && s != c) { /* We *are* in trouble ... */ @@ -700,10 +700,10 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) { if (!remove_session_lock(ctx, - ctx->internal->session_cache_tail, 0)) + ctx->session_cache_tail, 0)) break; else - ctx->internal->stats.sess_cache_full++; + ctx->stats.sess_cache_full++; } } } @@ -728,9 +728,9 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if (lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - if ((r = lh_SSL_SESSION_retrieve(ctx->internal->sessions, c)) == c) { + if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) { ret = 1; - r = lh_SSL_SESSION_delete(ctx->internal->sessions, c); + r = lh_SSL_SESSION_delete(ctx->sessions, c); SSL_SESSION_list_remove(ctx, c); } if (lck) @@ -738,8 +738,8 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if (ret) { r->not_resumable = 1; - if (ctx->internal->remove_session_cb != NULL) - ctx->internal->remove_session_cb(ctx, r); + if (ctx->remove_session_cb != NULL) + ctx->remove_session_cb(ctx, r); SSL_SESSION_free(r); } @@ -942,8 +942,8 @@ SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, { if (s == NULL) return (0); - s->internal->tls_session_secret_cb = tls_session_secret_cb; - s->internal->tls_session_secret_cb_arg = arg; + s->tls_session_secret_cb = tls_session_secret_cb; + s->tls_session_secret_cb_arg = arg; return (1); } @@ -953,8 +953,8 @@ SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, { if (s == NULL) return (0); - s->internal->tls_session_ticket_ext_cb = cb; - s->internal->tls_session_ticket_ext_cb_arg = arg; + s->tls_session_ticket_ext_cb = cb; + s->tls_session_ticket_ext_cb_arg = arg; return (1); } @@ -962,23 +962,23 @@ int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) { if (s->version >= TLS1_VERSION) { - free(s->internal->tlsext_session_ticket); - s->internal->tlsext_session_ticket = + free(s->tlsext_session_ticket); + s->tlsext_session_ticket = malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); - if (!s->internal->tlsext_session_ticket) { + if (!s->tlsext_session_ticket) { SSLerror(s, ERR_R_MALLOC_FAILURE); return 0; } if (ext_data) { - s->internal->tlsext_session_ticket->length = ext_len; - s->internal->tlsext_session_ticket->data = - s->internal->tlsext_session_ticket + 1; - memcpy(s->internal->tlsext_session_ticket->data, + s->tlsext_session_ticket->length = ext_len; + s->tlsext_session_ticket->data = + s->tlsext_session_ticket + 1; + memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); } else { - s->internal->tlsext_session_ticket->length = 0; - s->internal->tlsext_session_ticket->data = NULL; + s->tlsext_session_ticket->length = 0; + s->tlsext_session_ticket->data = NULL; } return 1; @@ -1003,8 +1003,8 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) (void)lh_SSL_SESSION_delete(p->cache, s); SSL_SESSION_list_remove(p->ctx, s); s->not_resumable = 1; - if (p->ctx->internal->remove_session_cb != NULL) - p->ctx->internal->remove_session_cb(p->ctx, s); + if (p->ctx->remove_session_cb != NULL) + p->ctx->remove_session_cb(p->ctx, s); SSL_SESSION_free(s); } } @@ -1026,7 +1026,7 @@ SSL_CTX_flush_sessions(SSL_CTX *s, long t) TIMEOUT_PARAM tp; tp.ctx = s; - tp.cache = s->internal->sessions; + tp.cache = s->sessions; if (tp.cache == NULL) return; tp.time = t; @@ -1042,7 +1042,7 @@ SSL_CTX_flush_sessions(SSL_CTX *s, long t) int ssl_clear_bad_session(SSL *s) { - if ((s->session != NULL) && !(s->internal->shutdown & SSL_SENT_SHUTDOWN) && + if ((s->session != NULL) && !(s->shutdown & SSL_SENT_SHUTDOWN) && !(SSL_in_init(s) || SSL_in_before(s))) { SSL_CTX_remove_session(s->ctx, s->session); return (1); @@ -1057,23 +1057,23 @@ SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) if (s->next == NULL || s->prev == NULL) return; - if (s->next == (SSL_SESSION *)&(ctx->internal->session_cache_tail)) { + if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) { /* last element in list */ - if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) { + if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { /* only one element in list */ - ctx->internal->session_cache_head = NULL; - ctx->internal->session_cache_tail = NULL; + ctx->session_cache_head = NULL; + ctx->session_cache_tail = NULL; } else { - ctx->internal->session_cache_tail = s->prev; + ctx->session_cache_tail = s->prev; s->prev->next = - (SSL_SESSION *)&(ctx->internal->session_cache_tail); + (SSL_SESSION *)&(ctx->session_cache_tail); } } else { - if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) { + if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { /* first element in list */ - ctx->internal->session_cache_head = s->next; + ctx->session_cache_head = s->next; s->next->prev = - (SSL_SESSION *)&(ctx->internal->session_cache_head); + (SSL_SESSION *)&(ctx->session_cache_head); } else { /* middle of list */ s->next->prev = s->prev; @@ -1089,83 +1089,83 @@ SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) if (s->next != NULL && s->prev != NULL) SSL_SESSION_list_remove(ctx, s); - if (ctx->internal->session_cache_head == NULL) { - ctx->internal->session_cache_head = s; - ctx->internal->session_cache_tail = s; - s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head); - s->next = (SSL_SESSION *)&(ctx->internal->session_cache_tail); + if (ctx->session_cache_head == NULL) { + ctx->session_cache_head = s; + ctx->session_cache_tail = s; + s->prev = (SSL_SESSION *)&(ctx->session_cache_head); + s->next = (SSL_SESSION *)&(ctx->session_cache_tail); } else { - s->next = ctx->internal->session_cache_head; + s->next = ctx->session_cache_head; s->next->prev = s; - s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head); - ctx->internal->session_cache_head = s; + s->prev = (SSL_SESSION *)&(ctx->session_cache_head); + ctx->session_cache_head = s; } } void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess)) { - ctx->internal->new_session_cb = cb; + ctx->new_session_cb = cb; } int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess) { - return ctx->internal->new_session_cb; + return ctx->new_session_cb; } void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess)) { - ctx->internal->remove_session_cb = cb; + ctx->remove_session_cb = cb; } void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess) { - return ctx->internal->remove_session_cb; + return ctx->remove_session_cb; } void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl, const unsigned char *data, int len, int *copy)) { - ctx->internal->get_session_cb = cb; + ctx->get_session_cb = cb; } SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, const unsigned char *data, int len, int *copy) { - return ctx->internal->get_session_cb; + return ctx->get_session_cb; } void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int val)) { - ctx->internal->info_callback = cb; + ctx->info_callback = cb; } void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val) { - return ctx->internal->info_callback; + return ctx->info_callback; } void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)) { - ctx->internal->client_cert_cb = cb; + ctx->client_cert_cb = cb; } int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509, EVP_PKEY **pkey) { - return ctx->internal->client_cert_cb; + return ctx->client_cert_cb; } #ifndef OPENSSL_NO_ENGINE @@ -1181,7 +1181,7 @@ SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) ENGINE_finish(e); return 0; } - ctx->internal->client_cert_engine = e; + ctx->client_cert_engine = e; return 1; } #endif @@ -1190,14 +1190,14 @@ void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) { - ctx->internal->app_gen_cookie_cb = cb; + ctx->app_gen_cookie_cb = cb; } void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len)) { - ctx->internal->app_verify_cookie_cb = cb; + ctx->app_verify_cookie_cb = cb; } int diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index 821006af811..098e82e339d 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.150 2022/10/01 16:23:15 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.151 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -204,7 +204,7 @@ ssl3_accept(SSL *s) listen = s->d1->listen; /* init things to blank */ - s->internal->in_handshake++; + s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -216,7 +216,7 @@ ssl3_accept(SSL *s) switch (s->s3->hs.state) { case SSL_ST_RENEGOTIATE: - s->internal->renegotiate = 1; + s->renegotiate = 1; /* s->s3->hs.state=SSL_ST_ACCEPT; */ case SSL_ST_BEFORE: @@ -257,7 +257,7 @@ ssl3_accept(SSL *s) goto end; } - s->internal->init_num = 0; + s->init_num = 0; if (s->s3->hs.state != SSL_ST_RENEGOTIATE) { /* @@ -276,7 +276,7 @@ ssl3_accept(SSL *s) } s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_A; - s->ctx->internal->stats.sess_accept++; + s->ctx->stats.sess_accept++; } else if (!SSL_is_dtls(s) && !s->s3->send_connection_binding) { /* * Server attempting to renegotiate with @@ -293,14 +293,14 @@ ssl3_accept(SSL *s) * s->s3->hs.state == SSL_ST_RENEGOTIATE, * we will just send a HelloRequest. */ - s->ctx->internal->stats.sess_accept_renegotiate++; + s->ctx->stats.sess_accept_renegotiate++; s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_A; } break; case SSL3_ST_SW_HELLO_REQ_A: case SSL3_ST_SW_HELLO_REQ_B: - s->internal->shutdown = 0; + s->shutdown = 0; if (SSL_is_dtls(s)) { dtls1_clear_record_buffer(s); dtls1_start_timer(s); @@ -313,7 +313,7 @@ ssl3_accept(SSL *s) else s->s3->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C; s->s3->hs.state = SSL3_ST_SW_FLUSH; - s->internal->init_num = 0; + s->init_num = 0; if (SSL_is_dtls(s)) { if (!tls1_transcript_init(s)) { @@ -330,7 +330,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_CLNT_HELLO_A: case SSL3_ST_SR_CLNT_HELLO_B: case SSL3_ST_SR_CLNT_HELLO_C: - s->internal->shutdown = 0; + s->shutdown = 0; if (SSL_is_dtls(s)) { ret = ssl3_get_client_hello(s); if (ret <= 0) @@ -343,7 +343,7 @@ ssl3_accept(SSL *s) else s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A; - s->internal->init_num = 0; + s->init_num = 0; /* * Reflect ClientHello sequence to remain @@ -351,7 +351,7 @@ ssl3_accept(SSL *s) */ if (listen) { tls12_record_layer_reflect_seq_num( - s->internal->rl); + s->rl); } /* If we're just listening, stop here */ @@ -368,15 +368,15 @@ ssl3_accept(SSL *s) goto end; } } else { - if (s->internal->rwstate != SSL_X509_LOOKUP) { + if (s->rwstate != SSL_X509_LOOKUP) { ret = ssl3_get_client_hello(s); if (ret <= 0) goto end; } - s->internal->renegotiate = 2; + s->renegotiate = 2; s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A; - s->internal->init_num = 0; + s->init_num = 0; } break; @@ -395,21 +395,21 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_SRVR_HELLO_A: case SSL3_ST_SW_SRVR_HELLO_B: if (SSL_is_dtls(s)) { - s->internal->renegotiate = 2; + s->renegotiate = 2; dtls1_start_timer(s); } ret = ssl3_send_server_hello(s); if (ret <= 0) goto end; - if (s->internal->hit) { - if (s->internal->tlsext_ticket_expected) + if (s->hit) { + if (s->tlsext_ticket_expected) s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A; else s->s3->hs.state = SSL3_ST_SW_CHANGE_A; } else { s->s3->hs.state = SSL3_ST_SW_CERT_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_CERT_A: @@ -422,7 +422,7 @@ ssl3_accept(SSL *s) ret = ssl3_send_server_certificate(s); if (ret <= 0) goto end; - if (s->internal->tlsext_status_expected) + if (s->tlsext_status_expected) s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_A; else s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A; @@ -430,7 +430,7 @@ ssl3_accept(SSL *s) skip = 1; s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_KEY_EXCH_A: @@ -455,7 +455,7 @@ ssl3_accept(SSL *s) skip = 1; s->s3->hs.state = SSL3_ST_SW_CERT_REQ_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_CERT_REQ_A: @@ -498,7 +498,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A; - s->internal->init_num = 0; + s->init_num = 0; } break; @@ -511,7 +511,7 @@ ssl3_accept(SSL *s) goto end; s->s3->hs.tls12.next_state = SSL3_ST_SR_CERT_A; s->s3->hs.state = SSL3_ST_SW_FLUSH; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_FLUSH: @@ -525,19 +525,19 @@ ssl3_accept(SSL *s) * still exist. So instead we just flush * unconditionally. */ - s->internal->rwstate = SSL_WRITING; + s->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { if (SSL_is_dtls(s)) { /* If the write error was fatal, stop trying. */ if (!BIO_should_retry(s->wbio)) { - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->hs.state = s->s3->hs.tls12.next_state; } } ret = -1; goto end; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->hs.state = s->s3->hs.tls12.next_state; break; @@ -548,7 +548,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; } - s->internal->init_num = 0; + s->init_num = 0; s->s3->hs.state = SSL3_ST_SR_KEY_EXCH_A; break; @@ -560,7 +560,7 @@ ssl3_accept(SSL *s) if (SSL_is_dtls(s)) { s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A; - s->internal->init_num = 0; + s->init_num = 0; } alg_k = s->s3->hs.cipher->algorithm_mkey; @@ -571,10 +571,10 @@ ssl3_accept(SSL *s) * the CertificateVerify message is not sent. */ s->s3->hs.state = SSL3_ST_SR_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A; - s->internal->init_num = 0; + s->init_num = 0; if (!s->session->peer_cert) break; /* @@ -584,7 +584,7 @@ ssl3_accept(SSL *s) tls1_transcript_freeze(s); } else { s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A; - s->internal->init_num = 0; + s->init_num = 0; tls1_transcript_free(s); @@ -614,7 +614,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SR_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SR_FINISHED_A: @@ -628,13 +628,13 @@ ssl3_accept(SSL *s) goto end; if (SSL_is_dtls(s)) dtls1_stop_timer(s); - if (s->internal->hit) + if (s->hit) s->s3->hs.state = SSL_ST_OK; - else if (s->internal->tlsext_ticket_expected) + else if (s->tlsext_ticket_expected) s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A; else s->s3->hs.state = SSL3_ST_SW_CHANGE_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_SESSION_TICKET_A: @@ -643,7 +643,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_CHANGE_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_CERT_STATUS_A: @@ -652,7 +652,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_CHANGE_A: @@ -661,7 +661,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; s->session->cipher = s->s3->hs.cipher; if (!tls1_setup_key_block(s)) { @@ -680,12 +680,12 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_FLUSH; - if (s->internal->hit) { + if (s->hit) { s->s3->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A; tls1_transcript_free(s); } else s->s3->hs.tls12.next_state = SSL_ST_OK; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL_ST_OK: @@ -704,18 +704,18 @@ ssl3_accept(SSL *s) /* remove buffering on output */ ssl_free_wbio_buffer(s); - s->internal->init_num = 0; + s->init_num = 0; /* Skipped if we just sent a HelloRequest. */ - if (s->internal->renegotiate == 2) { - s->internal->renegotiate = 0; - s->internal->new_session = 0; + if (s->renegotiate == 2) { + s->renegotiate = 0; + s->new_session = 0; ssl_update_cache(s, SSL_SESS_CACHE_SERVER); - s->ctx->internal->stats.sess_accept_good++; + s->ctx->stats.sess_accept_good++; /* s->server=1; */ - s->internal->handshake_func = ssl3_accept; + s->handshake_func = ssl3_accept; ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1); } @@ -740,7 +740,7 @@ ssl3_accept(SSL *s) } if (!s->s3->hs.tls12.reuse_message && !skip) { - if (s->internal->debug) { + if (s->debug) { if ((ret = BIO_flush(s->wbio)) <= 0) goto end; } @@ -757,7 +757,7 @@ ssl3_accept(SSL *s) } end: /* BIO_flush(s->wbio); */ - s->internal->in_handshake--; + s->in_handshake--; ssl_info_callback(s, SSL_CB_ACCEPT_EXIT, ret); return (ret); @@ -815,19 +815,19 @@ ssl3_get_client_hello(SSL *s) if (s->s3->hs.state == SSL3_ST_SR_CLNT_HELLO_A) s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_B; - s->internal->first_packet = 1; + s->first_packet = 1; if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH)) <= 0) return ret; - s->internal->first_packet = 0; + s->first_packet = 0; ret = -1; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); /* Parse client hello up until the extensions (if any). */ if (!CBS_get_u16(&cbs, &client_version)) @@ -856,7 +856,7 @@ ssl3_get_client_hello(SSL *s) */ if (!ssl_max_shared_version(s, client_version, &shared_version)) { if ((client_version >> 8) == SSL3_VERSION_MAJOR && - !tls12_record_layer_write_protected(s->internal->rl)) { + !tls12_record_layer_write_protected(s->rl)) { /* * Similar to ssl3_get_record, send alert using remote * version number. @@ -898,7 +898,7 @@ ssl3_get_client_hello(SSL *s) sizeof(s->s3->client_random), NULL)) goto err; - s->internal->hit = 0; + s->hit = 0; /* * Versions before 0.9.7 always allow clients to resume sessions in @@ -910,12 +910,12 @@ ssl3_get_client_hello(SSL *s) * library versions). * * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() - * to request renegotiation but not a new session (s->internal->new_session + * to request renegotiation but not a new session (s->new_session * remains unset): for servers, this essentially just means that the * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * ignored. */ - if ((s->internal->new_session && (s->internal->options & + if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s, 1)) goto err; @@ -926,7 +926,7 @@ ssl3_get_client_hello(SSL *s) i = ssl_get_prev_session(s, &session_id, &ext_block, &al); if (i == 1) { /* previous session */ - s->internal->hit = 1; + s->hit = 1; } else if (i == -1) goto fatal_err; else { @@ -958,8 +958,8 @@ ssl3_get_client_hello(SSL *s) sizeof(s->d1->rcvd_cookie), &cookie_len)) goto err; - if (s->ctx->internal->app_verify_cookie_cb != NULL) { - if (s->ctx->internal->app_verify_cookie_cb(s, + if (s->ctx->app_verify_cookie_cb != NULL) { + if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, cookie_len) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_COOKIE_MISMATCH); @@ -994,7 +994,7 @@ ssl3_get_client_hello(SSL *s) /* If it is a hit, check that the cipher is in the list */ /* XXX - CBS_len(&cipher_suites) will always be zero here... */ - if (s->internal->hit && CBS_len(&cipher_suites) > 0) { + if (s->hit && CBS_len(&cipher_suites) > 0) { j = 0; id = s->session->cipher->id; @@ -1037,7 +1037,7 @@ ssl3_get_client_hello(SSL *s) if (CBS_len(&cbs) != 0) goto decode_err; - if (!s->s3->renegotiate_seen && s->internal->renegotiate) { + if (!s->s3->renegotiate_seen && s->renegotiate) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); goto fatal_err; @@ -1077,13 +1077,13 @@ ssl3_get_client_hello(SSL *s) } } - if (!s->internal->hit && s->internal->tls_session_secret_cb != NULL) { + if (!s->hit && s->tls_session_secret_cb != NULL) { SSL_CIPHER *pref_cipher = NULL; int master_key_length = sizeof(s->session->master_key); - if (!s->internal->tls_session_secret_cb(s, + if (!s->tls_session_secret_cb(s, s->session->master_key, &master_key_length, ciphers, - &pref_cipher, s->internal->tls_session_secret_cb_arg)) { + &pref_cipher, s->tls_session_secret_cb_arg)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -1093,7 +1093,7 @@ ssl3_get_client_hello(SSL *s) } s->session->master_key_length = master_key_length; - s->internal->hit = 1; + s->hit = 1; s->session->verify_result = X509_V_OK; sk_SSL_CIPHER_free(s->session->ciphers); @@ -1120,7 +1120,7 @@ ssl3_get_client_hello(SSL *s) * pick a cipher */ - if (!s->internal->hit) { + if (!s->hit) { if (ciphers == NULL) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_NO_CIPHERS_PASSED); @@ -1157,7 +1157,7 @@ ssl3_get_client_hello(SSL *s) * compression - basically ignored right now * ssl version is set - sslv3 * s->session - The ssl session has been setup. - * s->internal->hit - session reuse flag + * s->hit - session reuse flag * s->hs.cipher - the new cipher to use. */ @@ -1190,8 +1190,8 @@ ssl3_send_dtls_hello_verify_request(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (s->s3->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { - if (s->ctx->internal->app_gen_cookie_cb == NULL || - s->ctx->internal->app_gen_cookie_cb(s, s->d1->cookie, + if (s->ctx->app_gen_cookie_cb == NULL || + s->ctx->app_gen_cookie_cb(s, s->d1->cookie, &(s->d1->cookie_len)) == 0) { SSLerror(s, ERR_R_INTERNAL_ERROR); return 0; @@ -1259,12 +1259,12 @@ ssl3_send_server_hello(SSL *s) * - However, if we want the new session to be single-use, * we send back a 0-length session ID. * - * s->internal->hit is non-zero in either case of session reuse, + * s->hit is non-zero in either case of session reuse, * so the following won't overwrite an ID that we're supposed * to send back. */ - if (!(s->ctx->internal->session_cache_mode & SSL_SESS_CACHE_SERVER) - && !s->internal->hit) + if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) + && !s->hit) s->session->session_id_length = 0; sl = s->session->session_id_length; @@ -1895,10 +1895,10 @@ ssl3_get_client_key_exchange(SSL *s) SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048)) <= 0) return ret; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); alg_k = s->s3->hs.cipher->algorithm_mkey; @@ -1955,13 +1955,13 @@ ssl3_get_cert_verify(SSL *s) ret = 0; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto err; if ((mctx = EVP_MD_CTX_new()) == NULL) goto err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); peer_cert = s->session->peer_cert; pkey = X509_get0_pubkey(peer_cert); @@ -2178,7 +2178,7 @@ ssl3_get_client_certificate(SSL *s) int al, ret; if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, - -1, s->internal->max_cert_list)) <= 0) + -1, s->max_cert_list)) <= 0) return ret; ret = -1; @@ -2210,10 +2210,10 @@ ssl3_get_client_certificate(SSL *s) goto fatal_err; } - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (!CBS_get_u24_length_prefixed(&cbs, &cert_list)) goto decode_err; @@ -2367,17 +2367,17 @@ ssl3_send_newsession_ticket(SSL *s) * it does all the work, otherwise use generated values from * parent context. */ - if (tctx->internal->tlsext_ticket_key_cb != NULL) { - if (tctx->internal->tlsext_ticket_key_cb(s, + if (tctx->tlsext_ticket_key_cb != NULL) { + if (tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, hctx, 1) < 0) goto err; } else { arc4random_buf(iv, 16); EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, - tctx->internal->tlsext_tick_aes_key, iv); - HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key, + tctx->tlsext_tick_aes_key, iv); + HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16, EVP_sha256(), NULL); - memcpy(key_name, tctx->internal->tlsext_tick_key_name, 16); + memcpy(key_name, tctx->tlsext_tick_key_name, 16); } /* Encrypt the session state. */ @@ -2415,7 +2415,7 @@ ssl3_send_newsession_ticket(SSL *s) * sessions will live as long as their sessions. */ if (!CBB_add_u32(&session_ticket, - s->internal->hit ? 0 : s->session->timeout)) + s->hit ? 0 : s->session->timeout)) goto err; if (!CBB_add_u16_length_prefixed(&session_ticket, &ticket)) @@ -2473,8 +2473,8 @@ ssl3_send_cert_status(SSL *s) goto err; if (!CBB_add_u24_length_prefixed(&certstatus, &ocspresp)) goto err; - if (!CBB_add_bytes(&ocspresp, s->internal->tlsext_ocsp_resp, - s->internal->tlsext_ocsp_resp_len)) + if (!CBB_add_bytes(&ocspresp, s->tlsext_ocsp_resp, + s->tlsext_ocsp_resp_len)) goto err; if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; @@ -2500,8 +2500,8 @@ ssl3_send_server_change_cipher_spec(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (s->s3->hs.state == SSL3_ST_SW_CHANGE_A) { - if (!CBB_init_fixed(&cbb, s->internal->init_buf->data, - s->internal->init_buf->length)) + if (!CBB_init_fixed(&cbb, s->init_buf->data, + s->init_buf->length)) goto err; if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) goto err; @@ -2511,8 +2511,8 @@ ssl3_send_server_change_cipher_spec(SSL *s) if (outlen > INT_MAX) goto err; - s->internal->init_num = (int)outlen; - s->internal->init_off = 0; + s->init_num = (int)outlen; + s->init_off = 0; if (SSL_is_dtls(s)) { s->d1->handshake_write_seq = @@ -2555,13 +2555,13 @@ ssl3_get_client_finished(SSL *s) md_len = TLS1_FINISH_MAC_LENGTH; - if (s->internal->init_num < 0) { + if (s->init_num < 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); goto fatal_err; } - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (s->s3->hs.peer_finished_len != md_len || CBS_len(&cbs) != md_len) { diff --git a/lib/libssl/ssl_stat.c b/lib/libssl/ssl_stat.c index 5d35528acdd..e4303e171a3 100644 --- a/lib/libssl/ssl_stat.c +++ b/lib/libssl/ssl_stat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_stat.c,v 1.18 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_stat.c,v 1.19 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -325,7 +325,7 @@ SSL_rstate_string_long(const SSL *s) { const char *str; - switch (s->internal->rstate) { + switch (s->rstate) { case SSL_ST_READ_HEADER: str = "read header"; break; @@ -771,7 +771,7 @@ SSL_rstate_string(const SSL *s) { const char *str; - switch (s->internal->rstate) { + switch (s->rstate) { case SSL_ST_READ_HEADER: str = "RH"; break; diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index a42856264b3..647a95e4851 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.129 2022/08/15 10:46:53 tb Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.130 2022/10/02 16:36:41 jsing Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -40,7 +40,7 @@ static int tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) { /* ALPN protos have been specified and this is the initial handshake */ - return s->internal->alpn_client_proto_list != NULL && + return s->alpn_client_proto_list != NULL && s->s3->hs.finished_len == 0; } @@ -52,8 +52,8 @@ tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &protolist)) return 0; - if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, - s->internal->alpn_client_proto_list_len)) + if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list, + s->alpn_client_proto_list_len)) return 0; if (!CBB_flush(cbb)) @@ -97,7 +97,7 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) if (!tlsext_alpn_check_format(&alpn)) return 0; - if (s->ctx->internal->alpn_select_cb == NULL) + if (s->ctx->alpn_select_cb == NULL) return 1; /* @@ -106,9 +106,9 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) * 2. Should the callback be called even if no ALPN extension was sent? * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. */ - r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, + r = s->ctx->alpn_select_cb(s, &selected, &selected_len, CBS_data(&alpn), CBS_len(&alpn), - s->ctx->internal->alpn_select_cb_arg); + s->ctx->alpn_select_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { CBS_init(&selected_cbs, selected, selected_len); @@ -164,7 +164,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS list, proto; - if (s->internal->alpn_client_proto_list == NULL) { + if (s->alpn_client_proto_list == NULL) { *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; } @@ -243,7 +243,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, return 0; groups_len /= 2; - if (s->internal->hit) + if (s->hit) return 1; if (s->s3->hs.tls13.hrr) { @@ -365,7 +365,7 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } - if (!s->internal->hit) { + if (!s->hit) { if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), &(s->session->tlsext_ecpointformatlist_length))) { *alert = SSL_AD_INTERNAL_ERROR; @@ -418,7 +418,7 @@ tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) static int tlsext_ri_client_needs(SSL *s, uint16_t msg_type) { - return (s->internal->renegotiate); + return (s->renegotiate); } static int @@ -779,7 +779,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; } - if (s->internal->hit || s->s3->hs.tls13.hrr) { + if (s->hit || s->s3->hs.tls13.hrr) { if (s->session->tlsext_hostname == NULL) { *alert = SSL_AD_UNRECOGNIZED_NAME; goto err; @@ -817,7 +817,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) static int tlsext_sni_server_needs(SSL *s, uint16_t msg_type) { - if (s->internal->hit) + if (s->hit) return 0; return (s->session->tlsext_hostname != NULL); @@ -837,7 +837,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } - if (s->internal->hit) { + if (s->hit) { if (s->session->tlsext_hostname == NULL) { *alert = SSL_AD_UNRECOGNIZED_NAME; return 0; @@ -885,12 +885,12 @@ tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 0; if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) return 0; - for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { + for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { unsigned char *respid_data; OCSP_RESPID *id; size_t id_len; - if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, + if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i)) == NULL) return 0; if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) @@ -904,12 +904,12 @@ tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) } if (!CBB_add_u16_length_prefixed(cbb, &exts)) return 0; - if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, + if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL)) == -1) return 0; if (!CBB_add_space(&exts, &ext_data, ext_len)) return 0; - if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != + if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) != ext_len)) return 0; if (!CBB_flush(cbb)) @@ -946,11 +946,11 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; /* XXX */ - sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); - s->internal->tlsext_ocsp_ids = NULL; + sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); + s->tlsext_ocsp_ids = NULL; if (CBS_len(&respid_list) > 0) { - s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); - if (s->internal->tlsext_ocsp_ids == NULL) { + s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); + if (s->tlsext_ocsp_ids == NULL) { alert_desc = SSL_AD_INTERNAL_ERROR; goto err; } @@ -964,7 +964,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) p = CBS_data(&respid); if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) goto err; - if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { + if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { alert_desc = SSL_AD_INTERNAL_ERROR; OCSP_RESPID_free(id); goto err; @@ -975,10 +975,10 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &exts)) goto err; if (CBS_len(&exts) > 0) { - sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, + sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); p = CBS_data(&exts); - if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, + if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, &p, CBS_len(&exts))) == NULL) goto err; } @@ -995,14 +995,14 @@ tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) { if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->ctx->internal->tlsext_status_cb != NULL) { - s->internal->tlsext_status_expected = 0; - if (s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && - s->internal->tlsext_ocsp_resp_len > 0) - s->internal->tlsext_status_expected = 1; + s->ctx->tlsext_status_cb != NULL) { + s->tlsext_status_expected = 0; + if (s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && + s->tlsext_ocsp_resp_len > 0) + s->tlsext_status_expected = 1; } - return s->internal->tlsext_status_expected; + return s->tlsext_status_expected; } static int @@ -1016,8 +1016,8 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) return 0; if (!CBB_add_bytes(&ocsp_response, - s->internal->tlsext_ocsp_resp, - s->internal->tlsext_ocsp_resp_len)) + s->tlsext_ocsp_resp, + s->tlsext_ocsp_resp_len)) return 0; if (!CBB_flush(cbb)) return 0; @@ -1059,8 +1059,8 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); return 0; } - if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, - &s->internal->tlsext_ocsp_resp_len)) { + if (!CBS_stow(&response, &s->tlsext_ocsp_resp, + &s->tlsext_ocsp_resp_len)) { *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -1070,7 +1070,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } /* Set flag to expect CertificateStatus message */ - s->internal->tlsext_status_expected = 1; + s->tlsext_status_expected = 1; } return 1; } @@ -1092,11 +1092,11 @@ tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) if (!ssl_security_tickets(s)) return 0; - if (s->internal->new_session) + if (s->new_session) return 1; - if (s->internal->tlsext_session_ticket != NULL && - s->internal->tlsext_session_ticket->data == NULL) + if (s->tlsext_session_ticket != NULL && + s->tlsext_session_ticket->data == NULL) return 0; return 1; @@ -1109,7 +1109,7 @@ tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) * Signal that we support session tickets by sending an empty * extension when renegotiating or no session found. */ - if (s->internal->new_session || s->session == NULL) + if (s->new_session || s->session == NULL) return 1; if (s->session->tlsext_tick != NULL) { @@ -1118,18 +1118,18 @@ tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) s->session->tlsext_ticklen)) return 0; - } else if (s->internal->tlsext_session_ticket != NULL) { + } else if (s->tlsext_session_ticket != NULL) { /* * Attempt to resume with a custom provided session ticket set * by SSL_set_session_ticket_ext(). */ - if (s->internal->tlsext_session_ticket->length > 0) { - size_t ticklen = s->internal->tlsext_session_ticket->length; + if (s->tlsext_session_ticket->length > 0) { + size_t ticklen = s->tlsext_session_ticket->length; if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) return 0; memcpy(s->session->tlsext_tick, - s->internal->tlsext_session_ticket->data, + s->tlsext_session_ticket->data, ticklen); s->session->tlsext_ticklen = ticklen; @@ -1149,10 +1149,10 @@ static int tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - if (s->internal->tls_session_ticket_ext_cb) { - if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), + if (s->tls_session_ticket_ext_cb) { + if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), (int)CBS_len(cbs), - s->internal->tls_session_ticket_ext_cb_arg)) { + s->tls_session_ticket_ext_cb_arg)) { *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -1170,7 +1170,7 @@ tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, static int tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) { - return (s->internal->tlsext_ticket_expected && + return (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET) && ssl_security_tickets(s)); } @@ -1186,10 +1186,10 @@ static int tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - if (s->internal->tls_session_ticket_ext_cb) { - if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), + if (s->tls_session_ticket_ext_cb) { + if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), (int)CBS_len(cbs), - s->internal->tls_session_ticket_ext_cb_arg)) { + s->tls_session_ticket_ext_cb_arg)) { *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -1200,7 +1200,7 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, return 0; } - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; return 1; } @@ -1310,7 +1310,7 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; if (cprof->id == sprof->id) { - s->internal->srtp_profile = sprof; + s->srtp_profile = sprof; ret = 1; goto done; } @@ -1397,7 +1397,7 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) } if (prof->id == id) { - s->internal->srtp_profile = prof; + s->srtp_profile = prof; return 1; } } @@ -1899,15 +1899,15 @@ tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) static int tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) { - return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0; + return SSL_is_quic(s) && s->quic_transport_params_len > 0; } static int tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - if (!CBB_add_bytes(cbb, s->internal->quic_transport_params, - s->internal->quic_transport_params_len)) + if (!CBB_add_bytes(cbb, s->quic_transport_params, + s->quic_transport_params_len)) return 0; return 1; @@ -1934,15 +1934,15 @@ tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type, static int tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) { - return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0; + return SSL_is_quic(s) && s->quic_transport_params_len > 0; } static int tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - if (!CBB_add_bytes(cbb, s->internal->quic_transport_params, - s->internal->quic_transport_params_len)) + if (!CBB_add_bytes(cbb, s->quic_transport_params, + s->quic_transport_params_len)) return 0; return 1; @@ -2294,7 +2294,7 @@ tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) * RFC 8446 4.1.2. For subsequent CH, early data will be removed, * cookie may be added, padding may be removed. */ - struct tls13_ctx *ctx = s->internal->tls13; + struct tls13_ctx *ctx = s->tls13; if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || type == TLSEXT_TYPE_padding) @@ -2344,11 +2344,11 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) goto err; - if (s->internal->tlsext_debug_cb != NULL) - s->internal->tlsext_debug_cb(s, !is_server, type, + if (s->tlsext_debug_cb != NULL) + s->tlsext_debug_cb(s, !is_server, type, (unsigned char *)CBS_data(&extension_data), CBS_len(&extension_data), - s->internal->tlsext_debug_arg); + s->tlsext_debug_arg); /* Unknown extensions are ignored. */ if ((tlsext = tls_extension_find(type, &idx)) == NULL) @@ -2397,7 +2397,7 @@ tlsext_server_reset_state(SSL *s) free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; s->s3->alpn_selected_len = 0; - s->internal->srtp_profile = NULL; + s->srtp_profile = NULL; } int diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c index 4a58f14ccdb..3cd6db01caf 100644 --- a/lib/libssl/ssl_versions.c +++ b/lib/libssl/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.24 2022/09/11 18:13:30 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.25 2022/10/02 16:36:41 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -140,13 +140,13 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) min_version = 0; max_version = TLS1_3_VERSION; - options = s->internal->options; + options = s->options; if (SSL_is_dtls(s)) { options = 0; - if (s->internal->options & SSL_OP_NO_DTLSv1) + if (s->options & SSL_OP_NO_DTLSv1) options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1; - if (s->internal->options & SSL_OP_NO_DTLSv1_2) + if (s->options & SSL_OP_NO_DTLSv1_2) options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2; } @@ -174,7 +174,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) /* Limit to configured version range. */ if (!ssl_clamp_tls_version_range(&min_version, &max_version, - s->internal->min_tls_version, s->internal->max_tls_version)) + s->min_tls_version, s->max_tls_version)) return 0; /* QUIC requires a minimum of TLSv1.3. */ diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c index c996159a475..66a7aea2f50 100644 --- a/lib/libssl/t1_enc.c +++ b/lib/libssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.154 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.155 2022/10/02 16:36:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -311,13 +311,13 @@ tls1_change_cipher_state(SSL *s, int is_write) } if (!is_write) { - if (!tls12_record_layer_change_read_cipher_state(s->internal->rl, + if (!tls12_record_layer_change_read_cipher_state(s->rl, &mac_key, &key, &iv)) goto err; if (SSL_is_dtls(s)) dtls1_reset_read_seq_numbers(s); } else { - if (!tls12_record_layer_change_write_cipher_state(s->internal->rl, + if (!tls12_record_layer_change_write_cipher_state(s->rl, &mac_key, &key, &iv)) goto err; } @@ -375,8 +375,8 @@ tls1_setup_key_block(SSL *s) if (!ssl_get_handshake_evp_md(s, &handshake_hash)) return (0); - tls12_record_layer_set_aead(s->internal->rl, aead); - tls12_record_layer_set_cipher_hash(s->internal->rl, cipher, + tls12_record_layer_set_aead(s->rl, aead); + tls12_record_layer_set_cipher_hash(s->rl, cipher, handshake_hash, mac_hash); if ((key_block = tls12_key_block_new()) == NULL) @@ -387,7 +387,7 @@ tls1_setup_key_block(SSL *s) s->s3->hs.tls12.key_block = key_block; key_block = NULL; - if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && s->method->version <= TLS1_VERSION) { /* * Enable vulnerability countermeasure for CBC ciphers with diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 355c9827efb..c326575231c 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.195 2022/08/17 18:45:25 tb Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.196 2022/10/02 16:36:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -139,7 +139,7 @@ tls1_free(SSL *s) if (s == NULL) return; - free(s->internal->tlsext_session_ticket); + free(s->tlsext_session_ticket); ssl3_free(s); } @@ -404,8 +404,8 @@ tls1_get_formatlist(const SSL *s, int client_formats, const uint8_t **pformats, return; } - *pformats = s->internal->tlsext_ecpointformatlist; - *pformatslen = s->internal->tlsext_ecpointformatlist_length; + *pformats = s->tlsext_ecpointformatlist; + *pformatslen = s->tlsext_ecpointformatlist_length; if (*pformats == NULL) { *pformats = ecformats_default; *pformatslen = sizeof(ecformats_default); @@ -427,8 +427,8 @@ tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups, return; } - *pgroups = s->internal->tlsext_supportedgroups; - *pgroupslen = s->internal->tlsext_supportedgroups_length; + *pgroups = s->tlsext_supportedgroups; + *pgroupslen = s->tlsext_supportedgroups_length; if (*pgroups != NULL) return; @@ -451,7 +451,7 @@ tls1_get_group_lists(const SSL *ssl, const uint16_t **pref, size_t *preflen, if (!ssl->server) return 0; - server_pref = (ssl->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE); + server_pref = (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE); tls1_get_group_list(ssl, (server_pref == 0), pref, preflen); tls1_get_group_list(ssl, (server_pref != 0), supp, supplen); @@ -738,12 +738,12 @@ ssl_check_clienthello_tlsext_early(SSL *s) * ssl3_choose_cipher in s3_lib.c. */ - if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) - ret = s->ctx->internal->tlsext_servername_callback(s, &al, - s->ctx->internal->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) - ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, - s->initial_ctx->internal->tlsext_servername_arg); + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + ret = s->ctx->tlsext_servername_callback(s, &al, + s->ctx->tlsext_servername_arg); + else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) + ret = s->initial_ctx->tlsext_servername_callback(s, &al, + s->initial_ctx->tlsext_servername_arg); switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: @@ -770,32 +770,32 @@ ssl_check_clienthello_tlsext_late(SSL *s) * has been chosen because this may influence which certificate is sent */ if ((s->tlsext_status_type != -1) && - s->ctx && s->ctx->internal->tlsext_status_cb) { + s->ctx && s->ctx->tlsext_status_cb) { int r; SSL_CERT_PKEY *certpkey; certpkey = ssl_get_server_send_pkey(s); /* If no certificate can't return certificate status */ if (certpkey == NULL) { - s->internal->tlsext_status_expected = 0; + s->tlsext_status_expected = 0; return 1; } /* Set current certificate to one we will use so * SSL_get_certificate et al can pick it up. */ s->cert->key = certpkey; - r = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + r = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); switch (r) { /* We don't want to send a status request response */ case SSL_TLSEXT_ERR_NOACK: - s->internal->tlsext_status_expected = 0; + s->tlsext_status_expected = 0; break; /* status request response should be sent */ case SSL_TLSEXT_ERR_OK: - if (s->internal->tlsext_ocsp_resp) - s->internal->tlsext_status_expected = 1; + if (s->tlsext_ocsp_resp) + s->tlsext_status_expected = 1; else - s->internal->tlsext_status_expected = 0; + s->tlsext_status_expected = 0; break; /* something bad happened */ case SSL_TLSEXT_ERR_ALERT_FATAL: @@ -804,7 +804,7 @@ ssl_check_clienthello_tlsext_late(SSL *s) goto err; } } else - s->internal->tlsext_status_expected = 0; + s->tlsext_status_expected = 0; err: switch (ret) { @@ -827,26 +827,26 @@ ssl_check_serverhello_tlsext(SSL *s) ret = SSL_TLSEXT_ERR_OK; - if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) - ret = s->ctx->internal->tlsext_servername_callback(s, &al, - s->ctx->internal->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) - ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, - s->initial_ctx->internal->tlsext_servername_arg); + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + ret = s->ctx->tlsext_servername_callback(s, &al, + s->ctx->tlsext_servername_arg); + else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) + ret = s->initial_ctx->tlsext_servername_callback(s, &al, + s->initial_ctx->tlsext_servername_arg); /* If we've requested certificate status and we wont get one * tell the callback */ - if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) && - s->ctx && s->ctx->internal->tlsext_status_cb) { + if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && + s->ctx && s->ctx->tlsext_status_cb) { int r; - free(s->internal->tlsext_ocsp_resp); - s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resp_len = 0; + free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resp_len = 0; - r = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + r = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); if (r == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; ret = SSL_TLSEXT_ERR_ALERT_FATAL; @@ -878,27 +878,27 @@ ssl_check_serverhello_tlsext(SSL *s) * ret: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. * - * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key + * If s->tls_session_secret_cb is set then we are expecting a pre-shared key * ciphersuite, in which case we have no use for session tickets and one will - * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. + * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. * * Returns: * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings). * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the * client supports session tickets but doesn't currently have one to offer. - * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was + * TLS1_TICKET_NOT_DECRYPTED: either s->tls_session_secret_cb was * set, or a ticket was offered but couldn't be decrypted because of a * non-fatal error. * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set. * * Side effects: - * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue + * Sets s->tlsext_ticket_expected to 1 if the server will have to issue * a new session ticket to the client because the client indicated support - * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have + * (and s->tls_session_secret_cb is NULL) but the client either doesn't have * a session ticket or we couldn't use the one it gave us, or if * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. - * Otherwise, s->internal->tlsext_ticket_expected is set to 0. + * Otherwise, s->tlsext_ticket_expected is set to 0. */ int tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) @@ -906,7 +906,7 @@ tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) CBS extensions, ext_data; uint16_t ext_type = 0; - s->internal->tlsext_ticket_expected = 0; + s->tlsext_ticket_expected = 0; *ret = NULL; /* @@ -947,11 +947,11 @@ tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) * The client will accept a ticket but does not currently * have one. */ - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; return TLS1_TICKET_EMPTY; } - if (s->internal->tls_session_secret_cb != NULL) { + if (s->tls_session_secret_cb != NULL) { /* * Indicate that the ticket could not be decrypted rather than * generating the session from ticket now, trigger abbreviated @@ -1004,7 +1004,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) if ((hctx = HMAC_CTX_new()) == NULL) goto err; - if (tctx->internal->tlsext_ticket_key_cb != NULL) { + if (tctx->tlsext_ticket_key_cb != NULL) { int rv; /* @@ -1016,7 +1016,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) if (CBS_len(ticket) < EVP_MAX_IV_LENGTH) goto derr; - if ((rv = tctx->internal->tlsext_ticket_key_cb(s, + if ((rv = tctx->tlsext_ticket_key_cb(s, (unsigned char *)CBS_data(&ticket_name), (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0) goto err; @@ -1024,7 +1024,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) goto derr; if (rv == 2) { /* Renew ticket. */ - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; } /* @@ -1037,17 +1037,17 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) } else { /* Check that the key name matches. */ if (!CBS_mem_equal(&ticket_name, - tctx->internal->tlsext_tick_key_name, - sizeof(tctx->internal->tlsext_tick_key_name))) + tctx->tlsext_tick_key_name, + sizeof(tctx->tlsext_tick_key_name))) goto derr; if (!CBS_get_bytes(ticket, &ticket_iv, EVP_CIPHER_iv_length(EVP_aes_128_cbc()))) goto derr; if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL, - tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv))) + tctx->tlsext_tick_aes_key, CBS_data(&ticket_iv))) goto err; - if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key, - sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(), + if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, + sizeof(tctx->tlsext_tick_hmac_key), EVP_sha256(), NULL)) goto err; } @@ -1113,7 +1113,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) derr: ERR_clear_error(); - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; ret = TLS1_TICKET_NOT_DECRYPTED; goto done; diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c index 33ef55d2ec0..746447cc137 100644 --- a/lib/libssl/tls13_client.c +++ b/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.99 2022/09/11 14:33:07 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.100 2022/10/02 16:36:42 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -39,7 +39,7 @@ tls13_client_init(struct tls13_ctx *ctx) s->version = ctx->hs->our_max_tls_version; tls13_record_layer_set_retry_after_phh(ctx->rl, - (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + (s->mode & SSL_MODE_AUTO_RETRY) != 0); if (!ssl_get_new_session(s, 0)) /* XXX */ return 0; diff --git a/lib/libssl/tls13_legacy.c b/lib/libssl/tls13_legacy.c index 545f2cd9783..57fb84cefba 100644 --- a/lib/libssl/tls13_legacy.c +++ b/lib/libssl/tls13_legacy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_legacy.c,v 1.38 2022/07/17 15:49:20 jsing Exp $ */ +/* $OpenBSD: tls13_legacy.c,v 1.39 2022/10/02 16:36:42 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -30,7 +30,7 @@ tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) return TLS13_IO_FAILURE; } - ssl->internal->rwstate = SSL_READING; + ssl->rwstate = SSL_READING; errno = 0; if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { @@ -46,7 +46,7 @@ tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) } if (n == len) - ssl->internal->rwstate = SSL_NOTHING; + ssl->rwstate = SSL_NOTHING; return n; } @@ -69,7 +69,7 @@ tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) return TLS13_IO_FAILURE; } - ssl->internal->rwstate = SSL_WRITING; + ssl->rwstate = SSL_WRITING; errno = 0; if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { @@ -83,7 +83,7 @@ tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) } if (n == len) - ssl->internal->rwstate = SSL_NOTHING; + ssl->rwstate = SSL_NOTHING; return n; } @@ -123,7 +123,7 @@ tls13_legacy_wire_flush_cb(void *arg) static void tls13_legacy_error(SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; int reason = SSL_R_UNKNOWN; /* If we received a fatal alert we already put an error on the stack. */ @@ -171,7 +171,7 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret) if (ret > 0) return ret; - ssl->internal->rwstate = SSL_NOTHING; + ssl->rwstate = SSL_NOTHING; switch (ret) { case TLS13_IO_EOF: @@ -187,12 +187,12 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret) case TLS13_IO_WANT_POLLIN: BIO_set_retry_read(ssl->rbio); - ssl->internal->rwstate = SSL_READING; + ssl->rwstate = SSL_READING; return -1; case TLS13_IO_WANT_POLLOUT: BIO_set_retry_write(ssl->wbio); - ssl->internal->rwstate = SSL_WRITING; + ssl->rwstate = SSL_WRITING; return -1; case TLS13_IO_WANT_RETRY: @@ -207,7 +207,7 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret) int tls13_legacy_pending(const SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; ssize_t ret; if (ctx == NULL) @@ -223,11 +223,11 @@ tls13_legacy_pending(const SSL *ssl) int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; ssize_t ret; if (ctx == NULL || !ctx->handshake_completed) { - if ((ret = ssl->internal->handshake_func(ssl)) <= 0) + if ((ret = ssl->handshake_func(ssl)) <= 0) return ret; if (len == 0) return 0; @@ -235,7 +235,7 @@ tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int pee } tls13_record_layer_set_retry_after_phh(ctx->rl, - (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + (ctx->ssl->mode & SSL_MODE_AUTO_RETRY) != 0); if (type != SSL3_RT_APPLICATION_DATA) { SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); @@ -257,13 +257,13 @@ tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int pee int tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; const uint8_t *buf = vbuf; size_t n, sent; ssize_t ret; if (ctx == NULL || !ctx->handshake_completed) { - if ((ret = ssl->internal->handshake_func(ssl)) <= 0) + if ((ret = ssl->handshake_func(ssl)) <= 0) return ret; if (len == 0) return 0; @@ -283,7 +283,7 @@ tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) * The TLSv1.3 record layer write behaviour is the same as * SSL_MODE_ENABLE_PARTIAL_WRITE. */ - if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { + if (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { ret = tls13_write_application_data(ctx->rl, buf, len); return tls13_legacy_return_code(ssl, ret); } @@ -352,18 +352,18 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx) s->s3->rbuf.left = CBS_len(&cbs); s->s3->rrec.type = SSL3_RT_HANDSHAKE; s->s3->rrec.length = CBS_len(&cbs); - s->internal->rstate = SSL_ST_READ_BODY; - s->internal->packet = s->s3->rbuf.buf; - s->internal->packet_length = SSL3_RT_HEADER_LENGTH; - s->internal->mac_packet = 1; + s->rstate = SSL_ST_READ_BODY; + s->packet = s->s3->rbuf.buf; + s->packet_length = SSL3_RT_HEADER_LENGTH; + s->mac_packet = 1; } /* Stash the current handshake message. */ tls13_handshake_msg_data(ctx->hs_msg, &cbs); - if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs))) + if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs))) goto err; - if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, - s->internal->init_buf->length, NULL)) + if (!CBS_write_bytes(&cbs, s->init_buf->data, + s->init_buf->length, NULL)) goto err; s->s3->hs.tls12.reuse_message = 1; @@ -386,7 +386,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx) if (!tls13_use_legacy_stack(ctx)) return 0; - s->internal->handshake_func = s->method->ssl_connect; + s->handshake_func = s->method->ssl_connect; s->version = s->method->max_tls_version; return 1; @@ -400,7 +400,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx) if (!tls13_use_legacy_stack(ctx)) return 0; - s->internal->handshake_func = s->method->ssl_accept; + s->handshake_func = s->method->ssl_accept; s->version = s->method->max_tls_version; s->server = 1; @@ -410,7 +410,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx) int tls13_legacy_accept(SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; int ret; if (ctx == NULL) { @@ -442,7 +442,7 @@ tls13_legacy_accept(SSL *ssl) int tls13_legacy_connect(SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; int ret; if (ctx == NULL) { @@ -474,7 +474,7 @@ tls13_legacy_connect(SSL *ssl) int tls13_legacy_shutdown(SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; uint8_t buf[512]; /* XXX */ ssize_t ret; @@ -484,15 +484,15 @@ tls13_legacy_shutdown(SSL *ssl) * alerts. All other cases, including EOF, return -1 and set internal * state appropriately. */ - if (ctx == NULL || ssl->internal->quiet_shutdown) { - ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; + if (ctx == NULL || ssl->quiet_shutdown) { + ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; return 1; } if (!ctx->close_notify_sent) { /* Enqueue and send close notify. */ - if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { - ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; + if (!(ssl->shutdown & SSL_SENT_SHUTDOWN)) { + ssl->shutdown |= SSL_SENT_SHUTDOWN; if ((ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY)) < 0) return tls13_legacy_return_code(ssl, ret); @@ -533,13 +533,13 @@ tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) SSL_CTX *ssl_ctx = ctx->ssl->ctx; SSL *s = ctx->ssl; - if (ssl_ctx->internal->tlsext_servername_callback == NULL) + if (ssl_ctx->tlsext_servername_callback == NULL) ssl_ctx = s->initial_ctx; - if (ssl_ctx->internal->tlsext_servername_callback == NULL) + if (ssl_ctx->tlsext_servername_callback == NULL) return 1; - ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert, - ssl_ctx->internal->tlsext_servername_arg); + ret = ssl_ctx->tlsext_servername_callback(s, &legacy_alert, + ssl_ctx->tlsext_servername_arg); /* * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c index 651c34ca296..017cc887b80 100644 --- a/lib/libssl/tls13_lib.c +++ b/lib/libssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.71 2022/09/10 15:29:33 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.72 2022/10/02 16:36:42 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * Copyright (c) 2019 Bob Beck @@ -110,7 +110,7 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg) if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { ctx->close_notify_recv = 1; - ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; + ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN; ctx->ssl->s3->warn_alert = alert_desc; return; } @@ -158,7 +158,7 @@ tls13_legacy_handshake_message_recv_cb(void *arg) SSL *s = ctx->ssl; CBS cbs; - if (s->internal->msg_callback == NULL) + if (s->msg_callback == NULL) return; tls13_handshake_msg_data(ctx->hs_msg, &cbs); @@ -172,7 +172,7 @@ tls13_legacy_handshake_message_sent_cb(void *arg) SSL *s = ctx->ssl; CBS cbs; - if (s->internal->msg_callback == NULL) + if (s->msg_callback == NULL) return; tls13_handshake_msg_data(ctx->hs_msg, &cbs); @@ -195,11 +195,11 @@ tls13_legacy_ocsp_status_recv_cb(void *arg) SSL *s = ctx->ssl; int ret; - if (s->ctx->internal->tlsext_status_cb == NULL) + if (s->ctx->tlsext_status_cb == NULL) return 1; - ret = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + ret = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); if (ret < 0) { ctx->alert = TLS13_ALERT_INTERNAL_ERROR; SSLerror(s, ERR_R_MALLOC_FAILURE); @@ -413,7 +413,7 @@ tls13_ctx_new(int mode, SSL *ssl) ctx->middlebox_compat = 1; - ssl->internal->tls13 = ctx; + ssl->tls13 = ctx; if (SSL_is_quic(ssl)) { if (!tls13_quic_init(ctx)) diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index 82350702dc7..7bbc541c826 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.103 2022/09/17 17:14:06 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.104 2022/10/02 16:36:42 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -37,7 +37,7 @@ tls13_server_init(struct tls13_ctx *ctx) s->version = ctx->hs->our_max_tls_version; tls13_record_layer_set_retry_after_phh(ctx->rl, - (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + (s->mode & SSL_MODE_AUTO_RETRY) != 0); if (!ssl_get_new_session(s, 0)) /* XXX */ return 0; @@ -656,7 +656,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) if ((chain = cpk->chain) == NULL) chain = s->ctx->extra_certs; - if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { + if (chain == NULL && !(s->mode & SSL_MODE_NO_AUTO_CHAIN)) { if ((xsc = X509_STORE_CTX_new()) == NULL) goto err; if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))