diff options
-rw-r--r-- | include/openssl/ssl.h | 12 | ||||
-rw-r--r-- | ssl/s3_lib.c | 142 | ||||
-rw-r--r-- | ssl/ssl_asn1.c | 20 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 180 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 292 | ||||
-rw-r--r-- | ssl/ssl_sess.c | 117 | ||||
-rw-r--r-- | ssl/ssl_txt.c | 8 | ||||
-rw-r--r-- | ssl/statem/extensions.c | 76 | ||||
-rw-r--r-- | ssl/statem/extensions_clnt.c | 130 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 70 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 61 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 57 | ||||
-rw-r--r-- | ssl/t1_lib.c | 69 | ||||
-rw-r--r-- | test/handshake_helper.c | 8 | ||||
-rw-r--r-- | test/ossl_shim/ossl_shim.cc | 2 | ||||
-rw-r--r-- | test/ssltest_old.c | 10 |
16 files changed, 645 insertions, 609 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 05bd5ed62f..18d36922e3 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -656,19 +656,23 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, unsigned int cookie_len)); # ifndef OPENSSL_NO_NEXTPROTONEG +# define SSL_CTX_set_npn_select_cb SSL_CTX_set_next_proto_select_cb +# define SSL_CTX_set_npn_advertised_cb SSL_CTX_set_next_protos_advertised_cb +# define SSL_get0_npn_negotiated SSL_get0_next_proto_negotiated void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb) (SSL *ssl, - const unsigned char - **out, + const unsigned char **out, unsigned int *outlen, - void *arg), void *arg); + void *arg), + void *arg); void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, int (*cb) (SSL *ssl, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, - void *arg), void *arg); + void *arg), + void *arg); void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len); # endif diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 524f5308f3..0f6e94844a 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2882,9 +2882,9 @@ void ssl3_clear(SSL *s) s->version = SSL3_VERSION; #if !defined(OPENSSL_NO_NEXTPROTONEG) - OPENSSL_free(s->next_proto_negotiated); - s->next_proto_negotiated = NULL; - s->next_proto_negotiated_len = 0; + OPENSSL_free(s->ext.npn); + s->ext.npn = NULL; + s->ext.npn_len = 0; #endif } @@ -2969,8 +2969,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) nid = EC_GROUP_get_curve_name(group); if (nid == NID_undef) return 0; - return tls1_set_groups(&s->tlsext_supportedgroupslist, - &s->tlsext_supportedgroupslist_length, + return tls1_set_groups(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, &nid, 1); } break; @@ -2979,8 +2979,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) if (larg == TLSEXT_NAMETYPE_host_name) { size_t len; - OPENSSL_free(s->tlsext_hostname); - s->tlsext_hostname = NULL; + OPENSSL_free(s->ext.hostname); + s->ext.hostname = NULL; ret = 1; if (parg == NULL) @@ -2990,7 +2990,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } - if ((s->tlsext_hostname = OPENSSL_strdup((char *)parg)) == NULL) { + if ((s->ext.hostname = OPENSSL_strdup((char *)parg)) == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); return 0; } @@ -3000,50 +3000,50 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } break; case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: - s->tlsext_debug_arg = parg; + s->ext.debug_arg = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: - ret = s->tlsext_status_type; + ret = s->ext.status_type; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: - s->tlsext_status_type = larg; + s->ext.status_type = larg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: - *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts; + *(STACK_OF(X509_EXTENSION) **)parg = s->ext.ocsp.exts; ret = 1; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: - s->tlsext_ocsp_exts = parg; + s->ext.ocsp.exts = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: - *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids; + *(STACK_OF(OCSP_RESPID) **)parg = s->ext.ocsp.ids; ret = 1; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: - s->tlsext_ocsp_ids = parg; + s->ext.ocsp.ids = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: - *(unsigned char **)parg = s->tlsext_ocsp_resp; - if (s->tlsext_ocsp_resplen == 0 - || s->tlsext_ocsp_resplen > LONG_MAX) + *(unsigned char **)parg = s->ext.ocsp.resp; + if (s->ext.ocsp.resp_len == 0 + || s->ext.ocsp.resp_len > LONG_MAX) return -1; - return (long)s->tlsext_ocsp_resplen; + return (long)s->ext.ocsp.resp_len; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: - OPENSSL_free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = parg; - s->tlsext_ocsp_resplen = larg; + OPENSSL_free(s->ext.ocsp.resp); + s->ext.ocsp.resp = parg; + s->ext.ocsp.resp_len = larg; ret = 1; break; @@ -3101,10 +3101,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { unsigned char *clist; size_t clistlen; + if (!s->session) return 0; - clist = s->session->tlsext_supportedgroupslist; - clistlen = s->session->tlsext_supportedgroupslist_length / 2; + clist = s->session->ext.supportedgroups; + clistlen = s->session->ext.supportedgroups_len / 2; if (parg) { size_t i; int *cptr = parg; @@ -3123,12 +3124,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } case SSL_CTRL_SET_GROUPS: - return tls1_set_groups(&s->tlsext_supportedgroupslist, - &s->tlsext_supportedgroupslist_length, parg, larg); + return tls1_set_groups(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, parg, larg); case SSL_CTRL_SET_GROUPS_LIST: - return tls1_set_groups_list(&s->tlsext_supportedgroupslist, - &s->tlsext_supportedgroupslist_length, parg); + return tls1_set_groups_list(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, parg); case SSL_CTRL_GET_SHARED_GROUP: return tls1_shared_group(s, larg); @@ -3208,10 +3209,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { SSL_SESSION *sess = s->session; const unsigned char **pformat = parg; - if (!sess || !sess->tlsext_ecpointformatlist) + + if (sess == NULL || sess->ext.ecpointformats == NULL) return 0; - *pformat = sess->tlsext_ecpointformatlist; - return (int)sess->tlsext_ecpointformatlist_length; + *pformat = sess->ext.ecpointformats; + return (int)sess->ext.ecpointformats_len; } #endif @@ -3234,7 +3236,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) break; #endif case SSL_CTRL_SET_TLSEXT_DEBUG_CB: - s->tlsext_debug_cb = (void (*)(SSL *, int, int, + s->ext.debug_cb = (void (*)(SSL *, int, int, const unsigned char *, int, void *))fp; break; @@ -3306,69 +3308,69 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) nid = EC_GROUP_get_curve_name(group); if (nid == NID_undef) return 0; - return tls1_set_groups(&ctx->tlsext_supportedgroupslist, - &ctx->tlsext_supportedgroupslist_length, + return tls1_set_groups(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, &nid, 1); } /* break; */ #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: - ctx->tlsext_servername_arg = parg; + ctx->ext.servername_arg = parg; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: { unsigned char *keys = parg; - long tlsext_tick_keylen = (sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key) + - sizeof(ctx->tlsext_tick_aes_key)); + long tick_keylen = (sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.tick_hmac_key) + + sizeof(ctx->ext.tick_aes_key)); if (keys == NULL) - return tlsext_tick_keylen; - if (larg != tlsext_tick_keylen) { + return tick_keylen; + if (larg != tick_keylen) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); return 0; } if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { - memcpy(ctx->tlsext_tick_key_name, keys, - sizeof(ctx->tlsext_tick_key_name)); - memcpy(ctx->tlsext_tick_hmac_key, - keys + sizeof(ctx->tlsext_tick_key_name), - sizeof(ctx->tlsext_tick_hmac_key)); - memcpy(ctx->tlsext_tick_aes_key, - keys + sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key), - sizeof(ctx->tlsext_tick_aes_key)); + memcpy(ctx->ext.tick_key_name, keys, + sizeof(ctx->ext.tick_key_name)); + memcpy(ctx->ext.tick_hmac_key, + keys + sizeof(ctx->ext.tick_key_name), + sizeof(ctx->ext.tick_hmac_key)); + memcpy(ctx->ext.tick_aes_key, + keys + sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.tick_hmac_key), + sizeof(ctx->ext.tick_aes_key)); } else { - memcpy(keys, ctx->tlsext_tick_key_name, - sizeof(ctx->tlsext_tick_key_name)); - memcpy(keys + sizeof(ctx->tlsext_tick_key_name), - ctx->tlsext_tick_hmac_key, - sizeof(ctx->tlsext_tick_hmac_key)); - memcpy(keys + sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key), - ctx->tlsext_tick_aes_key, - sizeof(ctx->tlsext_tick_aes_key)); + memcpy(keys, ctx->ext.tick_key_name, + sizeof(ctx->ext.tick_key_name)); + memcpy(keys + sizeof(ctx->ext.tick_key_name), + ctx->ext.tick_hmac_key, + sizeof(ctx->ext.tick_hmac_key)); + memcpy(keys + sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.tick_hmac_key), + ctx->ext.tick_aes_key, + sizeof(ctx->ext.tick_aes_key)); } return 1; } case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: - return ctx->tlsext_status_type; + return ctx->ext.status_type; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: - ctx->tlsext_status_type = larg; + ctx->ext.status_type = larg; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: - ctx->tlsext_status_arg = parg; + ctx->ext.status_arg = parg; return 1; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: - *(void**)parg = ctx->tlsext_status_arg; + *(void**)parg = ctx->ext.status_arg; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: - *(int (**)(SSL*, void*))parg = ctx->tlsext_status_cb; + *(int (**)(SSL*, void*))parg = ctx->ext.status_cb; break; #ifndef OPENSSL_NO_SRP @@ -3404,13 +3406,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_EC case SSL_CTRL_SET_GROUPS: - return tls1_set_groups(&ctx->tlsext_supportedgroupslist, - &ctx->tlsext_supportedgroupslist_length, + return tls1_set_groups(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, parg, larg); case SSL_CTRL_SET_GROUPS_LIST: - return tls1_set_groups_list(&ctx->tlsext_supportedgroupslist, - &ctx->tlsext_supportedgroupslist_length, + return tls1_set_groups_list(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, parg); #endif case SSL_CTRL_SET_SIGALGS: @@ -3502,15 +3504,15 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) break; #endif case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: - ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; + ctx->ext.servername_cb = (int (*)(SSL *, int *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: - ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; + ctx->ext.status_cb = (int (*)(SSL *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: - ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, + ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index fd13f90c28..401aeb5eaf 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -183,13 +183,13 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) as.peer = in->peer; ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname, - in->tlsext_hostname); - if (in->tlsext_tick) { + in->ext.hostname); + if (in->ext.tick) { ssl_session_oinit(&as.tlsext_tick, &tlsext_tick, - in->tlsext_tick, in->tlsext_ticklen); + in->ext.tick, in->ext.ticklen); } - if (in->tlsext_tick_lifetime_hint > 0) - as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint; + if (in->ext.tick_lifetime_hint > 0) + as.tlsext_tick_lifetime_hint = in->ext.tick_lifetime_hint; #ifndef OPENSSL_NO_PSK ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint, in->psk_identity_hint); @@ -315,7 +315,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, /* NB: this defaults to zero which is X509_V_OK */ ret->verify_result = as->verify_result; - if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname)) + if (!ssl_session_strndup(&ret->ext.hostname, as->tlsext_hostname)) goto err; #ifndef OPENSSL_NO_PSK @@ -325,13 +325,13 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, goto err; #endif - ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint; + ret->ext.tick_lifetime_hint = as->tlsext_tick_lifetime_hint; if (as->tlsext_tick) { - ret->tlsext_tick = as->tlsext_tick->data; - ret->tlsext_ticklen = as->tlsext_tick->length; + ret->ext.tick = as->tlsext_tick->data; + ret->ext.ticklen = as->tlsext_tick->length; as->tlsext_tick->data = NULL; } else { - ret->tlsext_tick = NULL; + ret->ext.tick = NULL; } #ifndef OPENSSL_NO_COMP if (as->comp_id) { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 65e3ba1824..ddc2ff78e7 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -589,49 +589,46 @@ SSL *SSL_new(SSL_CTX *ctx) SSL_CTX_up_ref(ctx); s->ctx = ctx; - s->tlsext_debug_cb = 0; - s->tlsext_debug_arg = NULL; - s->tlsext_ticket_expected = 0; - s->tlsext_status_type = ctx->tlsext_status_type; - s->tlsext_status_expected = 0; - s->tlsext_ocsp_ids = NULL; - s->tlsext_ocsp_exts = NULL; - s->tlsext_ocsp_resp = NULL; - s->tlsext_ocsp_resplen = 0; + s->ext.debug_cb = 0; + s->ext.debug_arg = NULL; + s->ext.ticket_expected = 0; + s->ext.status_type = ctx->ext.status_type; + s->ext.status_expected = 0; + s->ext.ocsp.ids = NULL; + s->ext.ocsp.exts = NULL; + s->ext.ocsp.resp = NULL; + s->ext.ocsp.resp_len = 0; SSL_CTX_up_ref(ctx); s->initial_ctx = ctx; #ifndef OPENSSL_NO_EC - if (ctx->tlsext_ecpointformatlist) { - s->tlsext_ecpointformatlist = - OPENSSL_memdup(ctx->tlsext_ecpointformatlist, - ctx->tlsext_ecpointformatlist_length); - if (!s->tlsext_ecpointformatlist) + if (ctx->ext.ecpointformats) { + s->ext.ecpointformats = + OPENSSL_memdup(ctx->ext.ecpointformats, + ctx->ext.ecpointformats_len); + if (!s->ext.ecpointformats) goto err; - s->tlsext_ecpointformatlist_length = - ctx->tlsext_ecpointformatlist_length; - } - if (ctx->tlsext_supportedgroupslist) { - s->tlsext_supportedgroupslist = - OPENSSL_memdup(ctx->tlsext_supportedgroupslist, - ctx->tlsext_supportedgroupslist_length); - if (!s->tlsext_supportedgroupslist) + s->ext.ecpointformats_len = + ctx->ext.ecpointformats_len; + } + if (ctx->ext.supportedgroups) { + s->ext.supportedgroups = + OPENSSL_memdup(ctx->ext.supportedgroups, + ctx->ext.supportedgroups_len); + if (!s->ext.supportedgroups) goto err; - s->tlsext_supportedgroupslist_length = - ctx->tlsext_supportedgroupslist_length; + s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; } #endif #ifndef OPENSSL_NO_NEXTPROTONEG - s->next_proto_negotiated = NULL; + s->ext.npn = NULL; #endif - if (s->ctx->alpn_client_proto_list) { - s->alpn_client_proto_list = - OPENSSL_malloc(s->ctx->alpn_client_proto_list_len); - if (s->alpn_client_proto_list == NULL) + if (s->ctx->ext.alpn) { + s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len); + if (s->ext.alpn == NULL) goto err; - memcpy(s->alpn_client_proto_list, s->ctx->alpn_client_proto_list, - s->ctx->alpn_client_proto_list_len); - s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len; + memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len); + s->ext.alpn_len = s->ctx->ext.alpn_len; } s->verified_chain = NULL; @@ -838,7 +835,7 @@ int SSL_dane_enable(SSL *s, const char *basedomain) * accepts them and disables host name checks. To avoid side-effects with * invalid input, set the SNI name first. */ - if (s->tlsext_hostname == NULL) { + if (s->ext.hostname == NULL) { if (!SSL_set_tlsext_host_name(s, basedomain)) { SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); return -1; @@ -997,22 +994,22 @@ void SSL_free(SSL *s) ssl_cert_free(s->cert); /* Free up if allocated */ - OPENSSL_free(s->tlsext_hostname); + OPENSSL_free(s->ext.hostname); SSL_CTX_free(s->initial_ctx); #ifndef OPENSSL_NO_EC - OPENSSL_free(s->tlsext_ecpointformatlist); - OPENSSL_free(s->tlsext_supportedgroupslist); + OPENSSL_free(s->ext.ecpointformats); + OPENSSL_free(s->ext.supportedgroups); #endif /* OPENSSL_NO_EC */ - sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); + sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); #ifndef OPENSSL_NO_OCSP - sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); + sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); #endif #ifndef OPENSSL_NO_CT SCT_LIST_free(s->scts); - OPENSSL_free(s->tlsext_scts); + OPENSSL_free(s->ext.scts); #endif - OPENSSL_free(s->tlsext_ocsp_resp); - OPENSSL_free(s->alpn_client_proto_list); + OPENSSL_free(s->ext.ocsp.resp); + OPENSSL_free(s->ext.alpn); sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); @@ -1028,7 +1025,7 @@ void SSL_free(SSL *s) ASYNC_WAIT_CTX_free(s->waitctx); #if !defined(OPENSSL_NO_NEXTPROTONEG) - OPENSSL_free(s->next_proto_negotiated); + OPENSSL_free(s->ext.npn); #endif #ifndef OPENSSL_NO_SRTP @@ -2168,15 +2165,15 @@ const char *SSL_get_servername(const SSL *s, const int type) if (type != TLSEXT_NAMETYPE_host_name) return NULL; - return s->session && !s->tlsext_hostname ? - s->session->tlsext_hostname : s->tlsext_hostname; + return s->session && !s->ext.hostname ? + s->session->ext.hostname : s->ext.hostname; } int SSL_get_servername_type(const SSL *s) { if (s->session - && (!s->tlsext_hostname ? s->session-> - tlsext_hostname : s->tlsext_hostname)) + && (!s->ext.hostname ? s->session-> + ext.hostname : s->ext.hostname)) return TLSEXT_NAMETYPE_host_name; return -1; } @@ -2251,16 +2248,16 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len) { - *data = s->next_proto_negotiated; + *data = s->ext.npn; if (!*data) { *len = 0; } else { - *len = (unsigned int)s->next_proto_negotiated_len; + *len = (unsigned int)s->ext.npn_len; } } /* - * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when + * SSL_CTX_set_npn_advertised_cb sets a callback that is called when * a TLS server needs a list of supported protocols for Next Protocol * Negotiation. The returned list must be in wire format. The list is * returned by setting |out| to point to it and |outlen| to its length. This @@ -2269,15 +2266,15 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, * wishes to advertise. Otherwise, no such extension will be included in the * ServerHello. */ -void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, - int (*cb) (SSL *ssl, - const unsigned char - **out, - unsigned int *outlen, - void *arg), void *arg) +void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx, + int (*cb) (SSL *ssl, + const unsigned char **out, + unsigned int *outlen, + void *arg), + void *arg) { - ctx->next_protos_advertised_cb = cb; - ctx->next_protos_advertised_cb_arg = arg; + ctx->ext.npn_advertised_cb = cb; + ctx->ext.npn_advertised_cb_arg = arg; } /* @@ -2290,15 +2287,16 @@ void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, * select a protocol. It is fatal to the connection if this callback returns * a value other than SSL_TLSEXT_ERR_OK. */ -void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, - int (*cb) (SSL *s, unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, - void *arg), void *arg) +void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx, + int (*cb) (SSL *s, unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *arg), + void *arg) { - ctx->next_proto_select_cb = cb; - ctx->next_proto_select_cb_arg = arg; + ctx->ext.npn_select_cb = cb; + ctx->ext.npn_select_cb_arg = arg; } #endif @@ -2310,13 +2308,13 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned int protos_len) { - OPENSSL_free(ctx->alpn_client_proto_list); - ctx->alpn_client_proto_list = OPENSSL_memdup(protos, protos_len); - if (ctx->alpn_client_proto_list == NULL) { + OPENSSL_free(ctx->ext.alpn); + ctx->ext.alpn = OPENSSL_memdup(protos, protos_len); + if (ctx->ext.alpn == NULL) { SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } - ctx->alpn_client_proto_list_len = protos_len; + ctx->ext.alpn_len = protos_len; return 0; } @@ -2329,13 +2327,13 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, unsigned int protos_len) { - OPENSSL_free(ssl->alpn_client_proto_list); - ssl->alpn_client_proto_list = OPENSSL_memdup(protos, protos_len); - if (ssl->alpn_client_proto_list == NULL) { + OPENSSL_free(ssl->ext.alpn); + ssl->ext.alpn = OPENSSL_memdup(protos, protos_len); + if (ssl->ext.alpn == NULL) { SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } - ssl->alpn_client_proto_list_len = protos_len; + ssl->ext.alpn_len = protos_len; return 0; } @@ -2353,8 +2351,8 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, unsigned int inlen, void *arg), void *arg) { - ctx->alpn_select_cb = cb; - ctx->alpn_select_cb_arg = arg; + ctx->ext.alpn_select_cb = cb; + ctx->ext.alpn_select_cb_arg = arg; } /* @@ -2513,12 +2511,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; /* Setup RFC5077 ticket keys */ - if ((RAND_bytes(ret->tlsext_tick_key_name, - sizeof(ret->tlsext_tick_key_name)) <= 0) - || (RAND_bytes(ret->tlsext_tick_hmac_key, - sizeof(ret->tlsext_tick_hmac_key)) <= 0) - || (RAND_bytes(ret->tlsext_tick_aes_key, - sizeof(ret->tlsext_tick_aes_key)) <= 0)) + if ((RAND_bytes(ret->ext.tick_key_name, + sizeof(ret->ext.tick_key_name)) <= 0) + || (RAND_bytes(ret->ext.tick_hmac_key, + sizeof(ret->ext.tick_hmac_key)) <= 0) + || (RAND_bytes(ret->ext.tick_aes_key, + sizeof(ret->ext.tick_aes_key)) <= 0)) ret->options |= SSL_OP_NO_TICKET; #ifndef OPENSSL_NO_SRP @@ -2556,7 +2554,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) */ ret->options |= SSL_OP_NO_COMPRESSION; - ret->tlsext_status_type = TLSEXT_STATUSTYPE_nothing; + ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; return ret; err: @@ -2629,10 +2627,10 @@ void SSL_CTX_free(SSL_CTX *a) #endif #ifndef OPENSSL_NO_EC - OPENSSL_free(a->tlsext_ecpointformatlist); - OPENSSL_free(a->tlsext_supportedgroupslist); + OPENSSL_free(a->ext.ecpointformats); + OPENSSL_free(a->ext.supportedgroups); #endif - OPENSSL_free(a->alpn_client_proto_list); + OPENSSL_free(a->ext.alpn); CRYPTO_THREAD_lock_free(a->lock); @@ -4040,9 +4038,9 @@ static int ct_extract_tls_extension_scts(SSL *s) { int scts_extracted = 0; - if (s->tlsext_scts != NULL) { - const unsigned char *p = s->tlsext_scts; - STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->tlsext_scts_len); + if (s->ext.scts != NULL) { + const unsigned char *p = s->ext.scts; + STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len); scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION); @@ -4070,11 +4068,11 @@ static int ct_extract_ocsp_response_scts(SSL *s) STACK_OF(SCT) *scts = NULL; int i; - if (s->tlsext_ocsp_resp == NULL || s->tlsext_ocsp_resplen == 0) + if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0) goto err; - p = s->tlsext_ocsp_resp; - rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->tlsext_ocsp_resplen); + p = s->ext.ocsp.resp; + rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len); if (rsp == NULL) goto err; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index c1b331a1a7..06557bb4b2 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -553,18 +553,21 @@ struct ssl_session_st { * implement a maximum cache size. */ struct ssl_session_st *prev, *next; - char *tlsext_hostname; + + struct { + char *hostname; # ifndef OPENSSL_NO_EC - size_t tlsext_ecpointformatlist_length; - unsigned char *tlsext_ecpointformatlist; /* peer's list */ - size_t tlsext_supportedgroupslist_length; - unsigned char *tlsext_supportedgroupslist; /* peer's list */ + size_t ecpointformats_len; + unsigned char *ecpointformats; /* peer's list */ + size_t supportedgroups_len; + unsigned char *supportedgroups; /* peer's list */ # endif /* OPENSSL_NO_EC */ /* RFC4507 info */ - unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ - unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in - * seconds */ + unsigned char *tick; /* Session ticket */ + size_t ticklen; /* Session ticket length */ + /* Session lifetime hint in seconds */ + unsigned long tick_lifetime_hint; + } ext; # ifndef OPENSSL_NO_SRP char *srp_username; # endif @@ -775,63 +778,40 @@ struct ssl_ctx_st { ENGINE *client_cert_engine; # endif - /* TLS extensions servername callback */ - int (*tlsext_servername_callback) (SSL *, int *, void *); - void *tlsext_servername_arg; - /* RFC 4507 session ticket keys */ - unsigned char tlsext_tick_key_name[TLSEXT_KEYNAME_LENGTH]; - unsigned char tlsext_tick_hmac_key[32]; - unsigned char tlsext_tick_aes_key[32]; - /* Callback to support customisation of ticket key setting */ - int (*tlsext_ticket_key_cb) (SSL *ssl, - unsigned char *name, unsigned char *iv, - EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); - - /* certificate status request info */ - /* Callback for status request */ - int (*tlsext_status_cb) (SSL *ssl, void *arg); - void *tlsext_status_arg; - -# ifndef OPENSSL_NO_PSK - unsigned int (*psk_client_callback) (SSL *ssl, const char *hint, - char *identity, - unsigned int max_identity_len, - unsigned char *psk, - unsigned int max_psk_len); - unsigned int (*psk_server_callback) (SSL *ssl, const char *identity, - unsigned char *psk, - unsigned int max_psk_len); -# endif + /* TLS extensions. */ + struct { + /* TLS extensions servername callback */ + int (*servername_cb) (SSL *, int *, void *); + void *servername_arg; + /* RFC 4507 session ticket keys */ + unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH]; |