diff options
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/s3_clnt.c | 6 | ||||
-rw-r--r-- | lib/libssl/s3_lib.c | 8 | ||||
-rw-r--r-- | lib/libssl/s3_srvr.c | 10 | ||||
-rw-r--r-- | lib/libssl/ssl.h | 58 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 64 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 56 | ||||
-rw-r--r-- | lib/libssl/t1_lib.c | 52 |
7 files changed, 129 insertions, 125 deletions
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index 874e4d398ab..74f44dd930a 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.159 2016/12/26 16:33:51 jsing Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.160 2017/01/22 06:36:49 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2702,10 +2702,10 @@ ssl3_send_next_proto(SSL *s) if (s->state == SSL3_ST_CW_NEXT_PROTO_A) { d = p = ssl3_handshake_msg_start(s, SSL3_MT_NEXT_PROTO); - len = s->next_proto_negotiated_len; + len = s->internal->next_proto_negotiated_len; padding_len = 32 - ((len + 2) % 32); *(p++) = len; - memcpy(p, s->next_proto_negotiated, len); + memcpy(p, s->internal->next_proto_negotiated, len); p += len; *(p++) = padding_len; memset(p, 0, padding_len); diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 6f5ee4fa50d..ef7a368d8f5 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.118 2017/01/22 03:50:45 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.119 2017/01/22 06:36:49 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1902,9 +1902,9 @@ ssl3_clear(SSL *s) s->packet_length = 0; s->version = TLS1_VERSION; - free(s->next_proto_negotiated); - s->next_proto_negotiated = NULL; - s->next_proto_negotiated_len = 0; + free(s->internal->next_proto_negotiated); + s->internal->next_proto_negotiated = NULL; + s->internal->next_proto_negotiated_len = 0; } static long diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 8e3dc11fc1d..72d90a85c47 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.138 2016/12/21 16:44:31 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.139 2017/01/22 06:36:49 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2905,15 +2905,15 @@ ssl3_get_next_proto(SSL *s) * XXX We should not NULL it, but this matches old behavior of not * freeing before malloc. */ - s->next_proto_negotiated = NULL; - s->next_proto_negotiated_len = 0; + s->internal->next_proto_negotiated = NULL; + s->internal->next_proto_negotiated_len = 0; - if (!CBS_stow(&proto, &s->next_proto_negotiated, &len)) { + if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) { SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE); return (0); } - s->next_proto_negotiated_len = (uint8_t)len; + s->internal->next_proto_negotiated_len = (uint8_t)len; return (1); } diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index b0f54100e2c..fa1027fa281 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.105 2017/01/22 05:14:42 beck Exp $ */ +/* $OpenBSD: ssl.h,v 1.106 2017/01/22 06:36:49 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -841,48 +841,6 @@ struct ssl_ctx_st { int (*tlsext_status_cb)(SSL *ssl, void *arg); void *tlsext_status_arg; - - - - /* Next protocol negotiation information */ - /* (for experimental NPN extension). */ - - /* For a server, this contains a callback function by which the set of - * advertised protocols can be provided. */ - int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf, - unsigned int *len, void *arg); - void *next_protos_advertised_cb_arg; - /* For a client, this contains a callback function that selects the - * next protocol from the list provided by the server. */ - int (*next_proto_select_cb)(SSL *s, unsigned char **out, - unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg); - void *next_proto_select_cb_arg; - - /* - * ALPN information - * (we are in the process of transitioning from NPN to ALPN). - */ - - /* - * Server callback function that allows the server to select the - * protocol for the connection. - * out: on successful return, this must point to the raw protocol - * name (without the length prefix). - * outlen: on successful return, this contains the length of out. - * in: points to the client's list of supported protocols in - * wire-format. - * inlen: the length of in. - */ - int (*alpn_select_cb)(SSL *s, const unsigned char **out, - unsigned char *outlen, const unsigned char *in, unsigned int inlen, - void *arg); - void *alpn_select_cb_arg; - - /* Client list of supported protocols in wire format. */ - unsigned char *alpn_client_proto_list; - unsigned int alpn_client_proto_list_len; - /* SRTP profiles we are willing to do from RFC 5764 */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; @@ -1194,16 +1152,6 @@ struct ssl_st { SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ #define session_ctx initial_ctx - /* Next protocol negotiation. For the client, this is the protocol that - * we sent in NextProtocol and is set when handling ServerHello - * extensions. - * - * For a server, this is the client's selected_protocol from - * NextProtocol and is set when handling the NextProtocol message, - * before the Finished message. */ - unsigned char *next_proto_negotiated; - unsigned char next_proto_negotiated_len; - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */ SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ @@ -1215,10 +1163,6 @@ struct ssl_st { unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */ unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */ - /* Client list of supported protocols in wire format. */ - unsigned char *alpn_client_proto_list; - unsigned int alpn_client_proto_list_len; - int renegotiate;/* 1 if we are renegotiating. * 2 if we are a server and are inside a handshake * (i.e. not just sending a HelloRequest) */ diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index d9e5166cdd2..7031c91e1c3 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.126 2017/01/22 03:50:45 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.127 2017/01/22 06:36:49 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -336,18 +336,18 @@ SSL_new(SSL_CTX *ctx) s->tlsext_ocsp_resplen = -1; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->initial_ctx = ctx; - s->next_proto_negotiated = NULL; + s->internal->next_proto_negotiated = NULL; - if (s->ctx->alpn_client_proto_list != NULL) { - s->alpn_client_proto_list = - malloc(s->ctx->alpn_client_proto_list_len); - if (s->alpn_client_proto_list == NULL) + if (s->ctx->internal->alpn_client_proto_list != NULL) { + s->internal->alpn_client_proto_list = + malloc(s->ctx->internal->alpn_client_proto_list_len); + if (s->internal->alpn_client_proto_list == NULL) goto err; - memcpy(s->alpn_client_proto_list, - s->ctx->alpn_client_proto_list, - s->ctx->alpn_client_proto_list_len); - s->alpn_client_proto_list_len = - s->ctx->alpn_client_proto_list_len; + memcpy(s->internal->alpn_client_proto_list, + s->ctx->internal->alpn_client_proto_list, + s->ctx->internal->alpn_client_proto_list_len); + s->internal->alpn_client_proto_list_len = + s->ctx->internal->alpn_client_proto_list_len; } s->verify_result = X509_V_OK; @@ -554,8 +554,8 @@ SSL_free(SSL *s) SSL_CTX_free(s->ctx); - free(s->next_proto_negotiated); - free(s->alpn_client_proto_list); + free(s->internal->next_proto_negotiated); + free(s->internal->alpn_client_proto_list); #ifndef OPENSSL_NO_SRTP if (s->srtp_profiles) @@ -1614,11 +1614,11 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len) { - *data = s->next_proto_negotiated; + *data = s->internal->next_proto_negotiated; if (!*data) { *len = 0; } else { - *len = s->next_proto_negotiated_len; + *len = s->internal->next_proto_negotiated_len; } } @@ -1637,8 +1637,8 @@ void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg) { - ctx->next_protos_advertised_cb = cb; - ctx->next_protos_advertised_cb_arg = arg; + ctx->internal->next_protos_advertised_cb = cb; + ctx->internal->next_protos_advertised_cb_arg = arg; } /* @@ -1657,8 +1657,8 @@ SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg) { - ctx->next_proto_select_cb = cb; - ctx->next_proto_select_cb_arg = arg; + ctx->internal->next_proto_select_cb = cb; + ctx->internal->next_proto_select_cb_arg = arg; } /* @@ -1670,11 +1670,11 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned int protos_len) { - free(ctx->alpn_client_proto_list); - if ((ctx->alpn_client_proto_list = malloc(protos_len)) == NULL) + free(ctx->internal->alpn_client_proto_list); + if ((ctx->internal->alpn_client_proto_list = malloc(protos_len)) == NULL) return (1); - memcpy(ctx->alpn_client_proto_list, protos, protos_len); - ctx->alpn_client_proto_list_len = protos_len; + memcpy(ctx->internal->alpn_client_proto_list, protos, protos_len); + ctx->internal->alpn_client_proto_list_len = protos_len; return (0); } @@ -1688,11 +1688,11 @@ int SSL_set_alpn_protos(SSL *ssl, const unsigned char* protos, unsigned int protos_len) { - free(ssl->alpn_client_proto_list); - if ((ssl->alpn_client_proto_list = malloc(protos_len)) == NULL) + free(ssl->internal->alpn_client_proto_list); + if ((ssl->internal->alpn_client_proto_list = malloc(protos_len)) == NULL) return (1); - memcpy(ssl->alpn_client_proto_list, protos, protos_len); - ssl->alpn_client_proto_list_len = protos_len; + memcpy(ssl->internal->alpn_client_proto_list, protos, protos_len); + ssl->internal->alpn_client_proto_list_len = protos_len; return (0); } @@ -1707,8 +1707,8 @@ SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg) { - ctx->alpn_select_cb = cb; - ctx->alpn_select_cb_arg = arg; + ctx->internal->alpn_select_cb = cb; + ctx->internal->alpn_select_cb_arg = arg; } /* @@ -1912,8 +1912,8 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->tlsext_status_cb = 0; ret->tlsext_status_arg = NULL; - ret->next_protos_advertised_cb = 0; - ret->next_proto_select_cb = 0; + ret->internal->next_protos_advertised_cb = 0; + ret->internal->next_proto_select_cb = 0; #ifndef OPENSSL_NO_ENGINE ret->client_cert_engine = NULL; #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO @@ -2003,7 +2003,7 @@ SSL_CTX_free(SSL_CTX *a) ENGINE_finish(a->client_cert_engine); #endif - free(a->alpn_client_proto_list); + free(a->internal->alpn_client_proto_list); free(a->internal); free(a); diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index b8b5dd0b1b6..805d68906a5 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.148 2017/01/22 05:14:42 beck Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.149 2017/01/22 06:36:49 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -383,11 +383,65 @@ typedef struct ssl_session_internal_st { typedef struct ssl_ctx_internal_st { uint16_t min_version; uint16_t max_version; + + /* Next protocol negotiation information */ + /* (for experimental NPN extension). */ + + /* For a server, this contains a callback function by which the set of + * advertised protocols can be provided. */ + int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf, + unsigned int *len, void *arg); + void *next_protos_advertised_cb_arg; + /* For a client, this contains a callback function that selects the + * next protocol from the list provided by the server. */ + int (*next_proto_select_cb)(SSL *s, unsigned char **out, + unsigned char *outlen, const unsigned char *in, + unsigned int inlen, void *arg); + void *next_proto_select_cb_arg; + + /* + * ALPN information + * (we are in the process of transitioning from NPN to ALPN). + */ + + /* + * Server callback function that allows the server to select the + * protocol for the connection. + * out: on successful return, this must point to the raw protocol + * name (without the length prefix). + * outlen: on successful return, this contains the length of out. + * in: points to the client's list of supported protocols in + * wire-format. + * inlen: the length of in. + */ + int (*alpn_select_cb)(SSL *s, const unsigned char **out, + unsigned char *outlen, const unsigned char *in, unsigned int inlen, + void *arg); + void *alpn_select_cb_arg; + + /* Client list of supported protocols in wire format. */ + unsigned char *alpn_client_proto_list; + unsigned int alpn_client_proto_list_len; + } SSL_CTX_INTERNAL; typedef struct ssl_internal_st { uint16_t min_version; uint16_t max_version; + + /* Next protocol negotiation. For the client, this is the protocol that + * we sent in NextProtocol and is set when handling ServerHello + * extensions. + * + * For a server, this is the client's selected_protocol from + * NextProtocol and is set when handling the NextProtocol message, + * before the Finished message. */ + unsigned char *next_proto_negotiated; + unsigned char next_proto_negotiated_len; + + /* Client list of supported protocols in wire format. */ + unsigned char *alpn_client_proto_list; + unsigned int alpn_client_proto_list_len; } SSL_INTERNAL; typedef struct ssl3_state_internal_st { diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 958c105dd99..55624a2d24e 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.97 2017/01/22 05:14:42 beck Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.98 2017/01/22 06:36:49 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -862,7 +862,8 @@ skip_ext: i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); } - if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { + if (s->ctx->internal->next_proto_select_cb && + !s->s3->tmp.finish_md_len) { /* The client advertises an emtpy extension to indicate its * support for Next Protocol Negotiation */ if ((size_t)(limit - ret) < 4) @@ -871,16 +872,17 @@ skip_ext: s2n(0, ret); } - if (s->alpn_client_proto_list != NULL && + if (s->internal->alpn_client_proto_list != NULL && s->s3->tmp.finish_md_len == 0) { - if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) + if ((size_t)(limit - ret) < + 6 + s->internal->alpn_client_proto_list_len) return (NULL); s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); - s2n(2 + s->alpn_client_proto_list_len, ret); - s2n(s->alpn_client_proto_list_len, ret); - memcpy(ret, s->alpn_client_proto_list, - s->alpn_client_proto_list_len); - ret += s->alpn_client_proto_list_len; + s2n(2 + s->internal->alpn_client_proto_list_len, ret); + s2n(s->internal->alpn_client_proto_list_len, ret); + memcpy(ret, s->internal->alpn_client_proto_list, + s->internal->alpn_client_proto_list_len); + ret += s->internal->alpn_client_proto_list_len; } #ifndef OPENSSL_NO_SRTP @@ -1085,13 +1087,13 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) next_proto_neg_seen = s->s3->next_proto_neg_seen; s->s3->next_proto_neg_seen = 0; - if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { + if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) { const unsigned char *npa; unsigned int npalen; int r; - r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, - s->ctx->next_protos_advertised_cb_arg); + r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen, + s->ctx->internal->next_protos_advertised_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { if ((size_t)(limit - ret) < 4 + npalen) return NULL; @@ -1142,7 +1144,7 @@ tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, unsigned char selected_len; int r; - if (s->ctx->alpn_select_cb == NULL) + if (s->ctx->internal->alpn_select_cb == NULL) return (1); if (data_len < 2) @@ -1169,8 +1171,9 @@ tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, goto parse_error; } - r = s->ctx->alpn_select_cb(s, &selected, &selected_len, - CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); + r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, + CBS_data(&alpn), CBS_len(&alpn), + s->ctx->internal->alpn_select_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { free(s->s3->alpn_selected); if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { @@ -1547,7 +1550,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, } else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && - s->ctx->alpn_select_cb != NULL && + s->ctx->internal->alpn_select_cb != NULL && s->s3->tmp.finish_md_len == 0) { if (tls1_alpn_handle_client_hello(s, data, size, al) != 1) @@ -1716,7 +1719,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) unsigned char selected_len; /* We must have requested it. */ - if (s->ctx->next_proto_select_cb == NULL) { + if (s->ctx->internal->next_proto_select_cb == NULL) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; } @@ -1725,17 +1728,20 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) *al = TLS1_AD_DECODE_ERROR; return 0; } - if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { + if (s->ctx->internal->next_proto_select_cb(s, &selected, + &selected_len, data, size, + s->ctx->internal->next_proto_select_cb_arg) != + SSL_TLSEXT_ERR_OK) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } - s->next_proto_negotiated = malloc(selected_len); - if (!s->next_proto_negotiated) { + s->internal->next_proto_negotiated = malloc(selected_len); + if (!s->internal->next_proto_negotiated) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } - memcpy(s->next_proto_negotiated, selected, selected_len); - s->next_proto_negotiated_len = selected_len; + memcpy(s->internal->next_proto_negotiated, selected, selected_len); + s->internal->next_proto_negotiated_len = selected_len; s->s3->next_proto_neg_seen = 1; } else if (type == @@ -1743,7 +1749,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) unsigned int len; /* We must have requested it. */ - if (s->alpn_client_proto_list == NULL) { + if (s->internal->alpn_client_proto_list == NULL) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; } |