authorJoel Sing <jsing@cvs.openbsd.org>2017-01-22 06:36:50 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2017-01-22 06:36:50 +0000
commitab7cc6bb8cd62f27d4f9747df0102deb2a2cd5a6 (patch)
tree5221ba0784dc3f5dbc757563dbbb491e7f4d264e /lib
parent6f3279bfef9fb95045c11998ffe661171c1725bc (diff)
Move ALPN and NPN fields from SSL/SSL_CTX to internal.
ok beck@
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/s3_clnt.c6
-rw-r--r--lib/libssl/s3_lib.c8
-rw-r--r--lib/libssl/s3_srvr.c10
-rw-r--r--lib/libssl/ssl.h58
-rw-r--r--lib/libssl/ssl_lib.c64
-rw-r--r--lib/libssl/ssl_locl.h56
-rw-r--r--lib/libssl/t1_lib.c52
7 files changed, 129 insertions, 125 deletions
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 874e4d398ab..74f44dd930a 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.159 2016/12/26 16:33:51 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.160 2017/01/22 06:36:49 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2702,10 +2702,10 @@ ssl3_send_next_proto(SSL *s)
if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
d = p = ssl3_handshake_msg_start(s, SSL3_MT_NEXT_PROTO);
- len = s->next_proto_negotiated_len;
+ len = s->internal->next_proto_negotiated_len;
padding_len = 32 - ((len + 2) % 32);
*(p++) = len;
- memcpy(p, s->next_proto_negotiated, len);
+ memcpy(p, s->internal->next_proto_negotiated, len);
p += len;
*(p++) = padding_len;
memset(p, 0, padding_len);
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 6f5ee4fa50d..ef7a368d8f5 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.118 2017/01/22 03:50:45 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.119 2017/01/22 06:36:49 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1902,9 +1902,9 @@ ssl3_clear(SSL *s)
s->packet_length = 0;
s->version = TLS1_VERSION;
- free(s->next_proto_negotiated);
- s->next_proto_negotiated = NULL;
- s->next_proto_negotiated_len = 0;
+ free(s->internal->next_proto_negotiated);
+ s->internal->next_proto_negotiated = NULL;
+ s->internal->next_proto_negotiated_len = 0;
}
static long
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 8e3dc11fc1d..72d90a85c47 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.138 2016/12/21 16:44:31 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.139 2017/01/22 06:36:49 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2905,15 +2905,15 @@ ssl3_get_next_proto(SSL *s)
* XXX We should not NULL it, but this matches old behavior of not
* freeing before malloc.
*/
- s->next_proto_negotiated = NULL;
- s->next_proto_negotiated_len = 0;
+ s->internal->next_proto_negotiated = NULL;
+ s->internal->next_proto_negotiated_len = 0;
- if (!CBS_stow(&proto, &s->next_proto_negotiated, &len)) {
+ if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) {
SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
ERR_R_MALLOC_FAILURE);
return (0);
}
- s->next_proto_negotiated_len = (uint8_t)len;
+ s->internal->next_proto_negotiated_len = (uint8_t)len;
return (1);
}
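Review bot: The cast in `s->internal->next_proto_negotiated_len = (uint8_t)len;` silently truncates if CBS_stow ever reports more than 255 bytes. The parsing that bounds `proto` is outside this hunk, so either a short comment stating that invariant or an explicit `if (len > UINT8_MAX)` rejection would make the assumption checkable. Separately, the pointer is still set to NULL without a free(), as the XXX comment admits, so a second NextProtocol message on the same SSL would lose the earlier buffer; `free(s->internal->next_proto_negotiated);` ahead of the NULL assignment would close that. ssl3_get_next_proto begins above the hunk.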
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index b0f54100e2c..fa1027fa281 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.105 2017/01/22 05:14:42 beck Exp $ */
+/* $OpenBSD: ssl.h,v 1.106 2017/01/22 06:36:49 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -841,48 +841,6 @@ struct ssl_ctx_st {
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
-
-
-
- /* Next protocol negotiation information */
- /* (for experimental NPN extension). */
-
- /* For a server, this contains a callback function by which the set of
- * advertised protocols can be provided. */
- int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
- unsigned int *len, void *arg);
- void *next_protos_advertised_cb_arg;
- /* For a client, this contains a callback function that selects the
- * next protocol from the list provided by the server. */
- int (*next_proto_select_cb)(SSL *s, unsigned char **out,
- unsigned char *outlen, const unsigned char *in,
- unsigned int inlen, void *arg);
- void *next_proto_select_cb_arg;
-
- /*
- * ALPN information
- * (we are in the process of transitioning from NPN to ALPN).
- */
-
- /*
- * Server callback function that allows the server to select the
- * protocol for the connection.
- * out: on successful return, this must point to the raw protocol
- * name (without the length prefix).
- * outlen: on successful return, this contains the length of out.
- * in: points to the client's list of supported protocols in
- * wire-format.
- * inlen: the length of in.
- */
- int (*alpn_select_cb)(SSL *s, const unsigned char **out,
- unsigned char *outlen, const unsigned char *in, unsigned int inlen,
- void *arg);
- void *alpn_select_cb_arg;
-
- /* Client list of supported protocols in wire format. */
- unsigned char *alpn_client_proto_list;
- unsigned int alpn_client_proto_list_len;
-
/* SRTP profiles we are willing to do from RFC 5764 */
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
@@ -1194,16 +1152,6 @@ struct ssl_st {
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
#define session_ctx initial_ctx
- /* Next protocol negotiation. For the client, this is the protocol that
- * we sent in NextProtocol and is set when handling ServerHello
- * extensions.
- *
- * For a server, this is the client's selected_protocol from
- * NextProtocol and is set when handling the NextProtocol message,
- * before the Finished message. */
- unsigned char *next_proto_negotiated;
- unsigned char next_proto_negotiated_len;
-
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */
SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */
@@ -1215,10 +1163,6 @@ struct ssl_st {
unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */
- /* Client list of supported protocols in wire format. */
- unsigned char *alpn_client_proto_list;
- unsigned int alpn_client_proto_list_len;
-
int renegotiate;/* 1 if we are renegotiating.
* 2 if we are a server and are inside a handshake
* (i.e. not just sending a HelloRequest) */
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index d9e5166cdd2..7031c91e1c3 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.126 2017/01/22 03:50:45 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.127 2017/01/22 06:36:49 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -336,18 +336,18 @@ SSL_new(SSL_CTX *ctx)
s->tlsext_ocsp_resplen = -1;
CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
s->initial_ctx = ctx;
- s->next_proto_negotiated = NULL;
+ s->internal->next_proto_negotiated = NULL;
- if (s->ctx->alpn_client_proto_list != NULL) {
- s->alpn_client_proto_list =
- malloc(s->ctx->alpn_client_proto_list_len);
- if (s->alpn_client_proto_list == NULL)
+ if (s->ctx->internal->alpn_client_proto_list != NULL) {
+ s->internal->alpn_client_proto_list =
+ malloc(s->ctx->internal->alpn_client_proto_list_len);
+ if (s->internal->alpn_client_proto_list == NULL)
goto err;
- memcpy(s->alpn_client_proto_list,
- s->ctx->alpn_client_proto_list,
- s->ctx->alpn_client_proto_list_len);
- s->alpn_client_proto_list_len =
- s->ctx->alpn_client_proto_list_len;
+ memcpy(s->internal->alpn_client_proto_list,
+ s->ctx->internal->alpn_client_proto_list,
+ s->ctx->internal->alpn_client_proto_list_len);
+ s->internal->alpn_client_proto_list_len =
+ s->ctx->internal->alpn_client_proto_list_len;
}
s->verify_result = X509_V_OK;
@@ -554,8 +554,8 @@ SSL_free(SSL *s)
SSL_CTX_free(s->ctx);
- free(s->next_proto_negotiated);
- free(s->alpn_client_proto_list);
+ free(s->internal->next_proto_negotiated);
+ free(s->internal->alpn_client_proto_list);
#ifndef OPENSSL_NO_SRTP
if (s->srtp_profiles)
@@ -1614,11 +1614,11 @@ void
SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
unsigned *len)
{
- *data = s->next_proto_negotiated;
+ *data = s->internal->next_proto_negotiated;
if (!*data) {
*len = 0;
} else {
- *len = s->next_proto_negotiated_len;
+ *len = s->internal->next_proto_negotiated_len;
}
}
@@ -1637,8 +1637,8 @@ void
SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl,
const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
{
- ctx->next_protos_advertised_cb = cb;
- ctx->next_protos_advertised_cb_arg = arg;
+ ctx->internal->next_protos_advertised_cb = cb;
+ ctx->internal->next_protos_advertised_cb_arg = arg;
}
/*
@@ -1657,8 +1657,8 @@ SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
unsigned char **out, unsigned char *outlen, const unsigned char *in,
unsigned int inlen, void *arg), void *arg)
{
- ctx->next_proto_select_cb = cb;
- ctx->next_proto_select_cb_arg = arg;
+ ctx->internal->next_proto_select_cb = cb;
+ ctx->internal->next_proto_select_cb_arg = arg;
}
/*
@@ -1670,11 +1670,11 @@ int
SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
unsigned int protos_len)
{
- free(ctx->alpn_client_proto_list);
- if ((ctx->alpn_client_proto_list = malloc(protos_len)) == NULL)
+ free(ctx->internal->alpn_client_proto_list);
+ if ((ctx->internal->alpn_client_proto_list = malloc(protos_len)) == NULL)
return (1);
- memcpy(ctx->alpn_client_proto_list, protos, protos_len);
- ctx->alpn_client_proto_list_len = protos_len;
+ memcpy(ctx->internal->alpn_client_proto_list, protos, protos_len);
+ ctx->internal->alpn_client_proto_list_len = protos_len;
return (0);
}
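Review bot: On the malloc failure path of SSL_CTX_set_alpn_protos the old list has already been freed and the pointer is NULL, but `alpn_client_proto_list_len` keeps its previous value, so pointer and length disagree after the function returns 1. Resetting it right after the free(), `ctx->internal->alpn_client_proto_list_len = 0;`, keeps the pair consistent. SSL_set_alpn_protos in the next hunk has the same shape and needs the same line. A `protos_len` of 0 also reaches malloc(0), whose result is implementation-defined, so an explicit early return for an empty or NULL list would make clearing the list well-defined. Neither setter validates that `protos` is a well-formed length-prefixed list before it is stored for later use in the ClientHello.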
@@ -1688,11 +1688,11 @@ int
SSL_set_alpn_protos(SSL *ssl, const unsigned char* protos,
unsigned int protos_len)
{
- free(ssl->alpn_client_proto_list);
- if ((ssl->alpn_client_proto_list = malloc(protos_len)) == NULL)
+ free(ssl->internal->alpn_client_proto_list);
+ if ((ssl->internal->alpn_client_proto_list = malloc(protos_len)) == NULL)
return (1);
- memcpy(ssl->alpn_client_proto_list, protos, protos_len);
- ssl->alpn_client_proto_list_len = protos_len;
+ memcpy(ssl->internal->alpn_client_proto_list, protos, protos_len);
+ ssl->internal->alpn_client_proto_list_len = protos_len;
return (0);
}
@@ -1707,8 +1707,8 @@ SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx,
int (*cb) (SSL *ssl, const unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen, void *arg), void *arg)
{
- ctx->alpn_select_cb = cb;
- ctx->alpn_select_cb_arg = arg;
+ ctx->internal->alpn_select_cb = cb;
+ ctx->internal->alpn_select_cb_arg = arg;
}
/*
@@ -1912,8 +1912,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
ret->tlsext_status_cb = 0;
ret->tlsext_status_arg = NULL;
- ret->next_protos_advertised_cb = 0;
- ret->next_proto_select_cb = 0;
+ ret->internal->next_protos_advertised_cb = 0;
+ ret->internal->next_proto_select_cb = 0;
#ifndef OPENSSL_NO_ENGINE
ret->client_cert_engine = NULL;
#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
@@ -2003,7 +2003,7 @@ SSL_CTX_free(SSL_CTX *a)
ENGINE_finish(a->client_cert_engine);
#endif
- free(a->alpn_client_proto_list);
+ free(a->internal->alpn_client_proto_list);
free(a->internal);
free(a);
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index b8b5dd0b1b6..805d68906a5 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.148 2017/01/22 05:14:42 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.149 2017/01/22 06:36:49 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -383,11 +383,65 @@ typedef struct ssl_session_internal_st {
typedef struct ssl_ctx_internal_st {
uint16_t min_version;
uint16_t max_version;
+
+ /* Next protocol negotiation information */
+ /* (for experimental NPN extension). */
+
+ /* For a server, this contains a callback function by which the set of
+ * advertised protocols can be provided. */
+ int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
+ unsigned int *len, void *arg);
+ void *next_protos_advertised_cb_arg;
+ /* For a client, this contains a callback function that selects the
+ * next protocol from the list provided by the server. */
+ int (*next_proto_select_cb)(SSL *s, unsigned char **out,
+ unsigned char *outlen, const unsigned char *in,
+ unsigned int inlen, void *arg);
+ void *next_proto_select_cb_arg;
+
+ /*
+ * ALPN information
+ * (we are in the process of transitioning from NPN to ALPN).
+ */
+
+ /*
+ * Server callback function that allows the server to select the
+ * protocol for the connection.
+ * out: on successful return, this must point to the raw protocol
+ * name (without the length prefix).
+ * outlen: on successful return, this contains the length of out.
+ * in: points to the client's list of supported protocols in
+ * wire-format.
+ * inlen: the length of in.
+ */
+ int (*alpn_select_cb)(SSL *s, const unsigned char **out,
+ unsigned char *outlen, const unsigned char *in, unsigned int inlen,
+ void *arg);
+ void *alpn_select_cb_arg;
+
+ /* Client list of supported protocols in wire format. */
+ unsigned char *alpn_client_proto_list;
+ unsigned int alpn_client_proto_list_len;
+
} SSL_CTX_INTERNAL;
typedef struct ssl_internal_st {
uint16_t min_version;
uint16_t max_version;
+
+ /* Next protocol negotiation. For the client, this is the protocol that
+ * we sent in NextProtocol and is set when handling ServerHello
+ * extensions.
+ *
+ * For a server, this is the client's selected_protocol from
+ * NextProtocol and is set when handling the NextProtocol message,
+ * before the Finished message. */
+ unsigned char *next_proto_negotiated;
+ unsigned char next_proto_negotiated_len;
+
+ /* Client list of supported protocols in wire format. */
+ unsigned char *alpn_client_proto_list;
+ unsigned int alpn_client_proto_list_len;
} SSL_INTERNAL;
typedef struct ssl3_state_internal_st {
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 958c105dd99..55624a2d24e 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.97 2017/01/22 05:14:42 beck Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.98 2017/01/22 06:36:49 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -862,7 +862,8 @@ skip_ext:
i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
}
- if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
+ if (s->ctx->internal->next_proto_select_cb &&
+ !s->s3->tmp.finish_md_len) {
/* The client advertises an emtpy extension to indicate its
* support for Next Protocol Negotiation */
if ((size_t)(limit - ret) < 4)
@@ -871,16 +872,17 @@ skip_ext:
s2n(0, ret);
}
- if (s->alpn_client_proto_list != NULL &&
+ if (s->internal->alpn_client_proto_list != NULL &&
s->s3->tmp.finish_md_len == 0) {
- if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
+ if ((size_t)(limit - ret) <
+ 6 + s->internal->alpn_client_proto_list_len)
return (NULL);
s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
- s2n(2 + s->alpn_client_proto_list_len, ret);
- s2n(s->alpn_client_proto_list_len, ret);
- memcpy(ret, s->alpn_client_proto_list,
- s->alpn_client_proto_list_len);
- ret += s->alpn_client_proto_list_len;
+ s2n(2 + s->internal->alpn_client_proto_list_len, ret);
+ s2n(s->internal->alpn_client_proto_list_len, ret);
+ memcpy(ret, s->internal->alpn_client_proto_list,
+ s->internal->alpn_client_proto_list_len);
+ ret += s->internal->alpn_client_proto_list_len;
}
#ifndef OPENSSL_NO_SRTP
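Review bot: The space check `(size_t)(limit - ret) < 6 + s->internal->alpn_client_proto_list_len` does its addition in `unsigned int`, so a length close to UINT_MAX wraps to a small value before the comparison and the memcpy below would then run with the full length. The setters in ssl_lib.c accept any `unsigned int protos_len`, so nothing visible on this page bounds it. Widening first, `(size_t)6 + s->internal->alpn_client_proto_list_len`, removes the wrap. The setters should also cap the list at what the 16-bit `s2n` length fields can carry, since `s2n(2 + len, ret)` otherwise writes a truncated length. The `4 + npalen` check in the ServerHello hunk further down has the same form. The enclosing function starts and ends outside the hunk.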
@@ -1085,13 +1087,13 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
next_proto_neg_seen = s->s3->next_proto_neg_seen;
s->s3->next_proto_neg_seen = 0;
- if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
+ if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) {
const unsigned char *npa;
unsigned int npalen;
int r;
- r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
- s->ctx->next_protos_advertised_cb_arg);
+ r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen,
+ s->ctx->internal->next_protos_advertised_cb_arg);
if (r == SSL_TLSEXT_ERR_OK) {
if ((size_t)(limit - ret) < 4 + npalen)
return NULL;
@@ -1142,7 +1144,7 @@ tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
unsigned char selected_len;
int r;
- if (s->ctx->alpn_select_cb == NULL)
+ if (s->ctx->internal->alpn_select_cb == NULL)
return (1);
if (data_len < 2)
@@ -1169,8 +1171,9 @@ tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
goto parse_error;
}
- r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
- CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
+ r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
+ CBS_data(&alpn), CBS_len(&alpn),
+ s->ctx->internal->alpn_select_cb_arg);
if (r == SSL_TLSEXT_ERR_OK) {
free(s->s3->alpn_selected);
if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
@@ -1547,7 +1550,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
}
else if (type ==
TLSEXT_TYPE_application_layer_protocol_negotiation &&
- s->ctx->alpn_select_cb != NULL &&
+ s->ctx->internal->alpn_select_cb != NULL &&
s->s3->tmp.finish_md_len == 0) {
if (tls1_alpn_handle_client_hello(s, data,
size, al) != 1)
@@ -1716,7 +1719,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
unsigned char selected_len;
/* We must have requested it. */
- if (s->ctx->next_proto_select_cb == NULL) {
+ if (s->ctx->internal->next_proto_select_cb == NULL) {
*al = TLS1_AD_UNSUPPORTED_EXTENSION;
return 0;
}
@@ -1725,17 +1728,20 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
- if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
+ if (s->ctx->internal->next_proto_select_cb(s, &selected,
+ &selected_len, data, size,
+ s->ctx->internal->next_proto_select_cb_arg) !=
+ SSL_TLSEXT_ERR_OK) {
*al = TLS1_AD_INTERNAL_ERROR;
return 0;
}
- s->next_proto_negotiated = malloc(selected_len);
- if (!s->next_proto_negotiated) {
+ s->internal->next_proto_negotiated = malloc(selected_len);
+ if (!s->internal->next_proto_negotiated) {
*al = TLS1_AD_INTERNAL_ERROR;
return 0;
}
- memcpy(s->next_proto_negotiated, selected, selected_len);
- s->next_proto_negotiated_len = selected_len;
+ memcpy(s->internal->next_proto_negotiated, selected, selected_len);
+ s->internal->next_proto_negotiated_len = selected_len;
s->s3->next_proto_neg_seen = 1;
}
else if (type ==
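Review bot: `s->internal->next_proto_negotiated = malloc(selected_len);` overwrites the field without freeing what it held, so the earlier buffer leaks if this branch runs more than once for the same SSL. Whether duplicate extensions or a renegotiation without ssl3_clear are excluded is not visible in this hunk. Adding `free(s->internal->next_proto_negotiated);` immediately before the malloc is cheap and makes the branch safe regardless. A `selected_len` of 0 from the callback also lets malloc(0) return NULL on some platforms, which this code then reports as TLS1_AD_INTERNAL_ERROR. ssl_parse_serverhello_tlsext starts and ends outside the hunk.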
@@ -1743,7 +1749,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
unsigned int len;
/* We must have requested it. */
- if (s->alpn_client_proto_list == NULL) {
+ if (s->internal->alpn_client_proto_list == NULL) {
*al = TLS1_AD_UNSUPPORTED_EXTENSION;
return 0;
}