[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Tue Jan 10 03:32:55 UTC 2017
The branch master has been updated
via 1ed327f7dfe02a062e50cd844a925c970c645c7c (commit)
via 8cbfcc70bf37886064ef852dda9e1bf40e904756 (commit)
via aff8c126fd8db84fa4ef623997a8c4200a14a44f (commit)
from 18e3ab7bc4fd5711014d60ddf40cda25988e4e18 (commit)
- Log -----------------------------------------------------------------
commit 1ed327f7dfe02a062e50cd844a925c970c645c7c
Author: Rich Salz <rsalz at openssl.org>
Date: Mon Jan 9 12:42:15 2017 -0500
Review comments
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
commit 8cbfcc70bf37886064ef852dda9e1bf40e904756
Author: Rich Salz <rsalz at openssl.org>
Date: Sun Dec 11 15:01:28 2016 -0500
Use typedefs for PSK, NPN, ALPN callback functions
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
commit aff8c126fd8db84fa4ef623997a8c4200a14a44f
Author: Rich Salz <rsalz at openssl.org>
Date: Thu Dec 8 14:18:40 2016 -0500
Move extension data into sub-structs
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
-----------------------------------------------------------------------
Summary of changes:
include/openssl/ssl.h | 113 ++++++-----------
ssl/s3_lib.c | 144 ++++++++++-----------
ssl/ssl_asn1.c | 20 +--
ssl/ssl_lib.c | 213 +++++++++++++------------------
ssl/ssl_locl.h | 292 +++++++++++++++++++++----------------------
ssl/ssl_sess.c | 119 +++++++++---------
ssl/ssl_txt.c | 8 +-
ssl/statem/extensions.c | 60 ++++-----
ssl/statem/extensions_clnt.c | 130 ++++++++++---------
ssl/statem/extensions_srvr.c | 70 +++++------
ssl/statem/statem_clnt.c | 63 +++++-----
ssl/statem/statem_srvr.c | 56 ++++-----
ssl/t1_lib.c | 69 +++++-----
test/handshake_helper.c | 8 +-
test/ossl_shim/ossl_shim.cc | 2 +-
test/ssltest_old.c | 10 +-
16 files changed, 651 insertions(+), 726 deletions(-)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 05bd5ed..9dc4a3f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -656,21 +656,30 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
unsigned int
cookie_len));
# ifndef OPENSSL_NO_NEXTPROTONEG
+
+typedef int (*SSL_CTX_npn_advertised_cb_func)(SSL *ssl,
+ const unsigned char **out,
+ unsigned int *outlen,
+ void *arg);
void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
- int (*cb) (SSL *ssl,
- const unsigned char
- **out,
- unsigned int *outlen,
- void *arg), void *arg);
+ SSL_CTX_npn_advertised_cb_func cb,
+ void *arg);
+# define SSL_CTX_set_npn_advertised_cb SSL_CTX_set_next_protos_advertised_cb
+
+typedef int (*SSL_CTX_npn_select_cb_func)(SSL *s,
+ unsigned char **out,
+ unsigned char *outlen,
+ const unsigned char *in,
+ unsigned int inlen,
+ void *arg);
void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
- int (*cb) (SSL *ssl,
- unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen,
- void *arg), void *arg);
+ SSL_CTX_npn_select_cb_func cb,
+ void *arg);
+# define SSL_CTX_set_npn_select_cb SSL_CTX_set_next_proto_select_cb
+
void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
unsigned *len);
+# define SSL_get0_npn_negotiated SSL_get0_next_proto_negotiated
# endif
__owur int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
@@ -686,13 +695,15 @@ __owur int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
unsigned int protos_len);
__owur int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
unsigned int protos_len);
-void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
- int (*cb) (SSL *ssl,
+typedef int (*SSL_CTX_alpn_select_cb_func)(SSL *ssl,
const unsigned char **out,
unsigned char *outlen,
const unsigned char *in,
unsigned int inlen,
- void *arg), void *arg);
+ void *arg);
+void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
+ SSL_CTX_alpn_select_cb_func cb,
+ void *arg);
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
unsigned int *len);
@@ -703,64 +714,22 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
*/
# define PSK_MAX_IDENTITY_LEN 128
# define PSK_MAX_PSK_LEN 256
-void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
- unsigned int (*psk_client_callback) (SSL
- *ssl,
- const
- char
- *hint,
- char
- *identity,
- unsigned
- int
- max_identity_len,
- unsigned
- char
- *psk,
- unsigned
- int
- max_psk_len));
-void SSL_set_psk_client_callback(SSL *ssl,
- unsigned int (*psk_client_callback) (SSL
- *ssl,
- const
- char
- *hint,
- char
- *identity,
- unsigned
- int
- max_identity_len,
- unsigned
- char
- *psk,
- unsigned
- int
- max_psk_len));
-void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
- unsigned int (*psk_server_callback) (SSL
- *ssl,
- const
- char
- *identity,
- unsigned
- char
- *psk,
- unsigned
- int
- max_psk_len));
-void SSL_set_psk_server_callback(SSL *ssl,
- unsigned int (*psk_server_callback) (SSL
- *ssl,
- const
- char
- *identity,
- unsigned
- char
- *psk,
- unsigned
- int
- max_psk_len));
+typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl,
+ const char *hint,
+ char *identity,
+ unsigned int max_identity_len,
+ unsigned char *psk,
+ unsigned int max_psk_len);
+void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb);
+void SSL_set_psk_client_callback(SSL *ssl, SSL_psk_client_cb_func cb);
+
+typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl,
+ const char *identity,
+ unsigned char *psk,
+ unsigned int max_psk_len);
+void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb);
+void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb);
+
__owur int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint);
__owur int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
const char *SSL_get_psk_identity_hint(const SSL *s);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 524f530..4010985 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2882,9 +2882,9 @@ void ssl3_clear(SSL *s)
s->version = SSL3_VERSION;
#if !defined(OPENSSL_NO_NEXTPROTONEG)
- OPENSSL_free(s->next_proto_negotiated);
- s->next_proto_negotiated = NULL;
- s->next_proto_negotiated_len = 0;
+ OPENSSL_free(s->ext.npn);
+ s->ext.npn = NULL;
+ s->ext.npn_len = 0;
#endif
}
@@ -2969,8 +2969,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
nid = EC_GROUP_get_curve_name(group);
if (nid == NID_undef)
return 0;
- return tls1_set_groups(&s->tlsext_supportedgroupslist,
- &s->tlsext_supportedgroupslist_length,
+ return tls1_set_groups(&s->ext.supportedgroups,
+ &s->ext.supportedgroups_len,
&nid, 1);
}
break;
@@ -2979,8 +2979,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
if (larg == TLSEXT_NAMETYPE_host_name) {
size_t len;
- OPENSSL_free(s->tlsext_hostname);
- s->tlsext_hostname = NULL;
+ OPENSSL_free(s->ext.hostname);
+ s->ext.hostname = NULL;
ret = 1;
if (parg == NULL)
@@ -2990,7 +2990,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
return 0;
}
- if ((s->tlsext_hostname = OPENSSL_strdup((char *)parg)) == NULL) {
+ if ((s->ext.hostname = OPENSSL_strdup((char *)parg)) == NULL) {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -3000,50 +3000,50 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
}
break;
case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
- s->tlsext_debug_arg = parg;
+ s->ext.debug_arg = parg;
ret = 1;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
- ret = s->tlsext_status_type;
+ ret = s->ext.status_type;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
- s->tlsext_status_type = larg;
+ s->ext.status_type = larg;
ret = 1;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
- *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts;
+ *(STACK_OF(X509_EXTENSION) **)parg = s->ext.ocsp.exts;
ret = 1;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
- s->tlsext_ocsp_exts = parg;
+ s->ext.ocsp.exts = parg;
ret = 1;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
- *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids;
+ *(STACK_OF(OCSP_RESPID) **)parg = s->ext.ocsp.ids;
ret = 1;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
- s->tlsext_ocsp_ids = parg;
+ s->ext.ocsp.ids = parg;
ret = 1;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
- *(unsigned char **)parg = s->tlsext_ocsp_resp;
- if (s->tlsext_ocsp_resplen == 0
- || s->tlsext_ocsp_resplen > LONG_MAX)
+ *(unsigned char **)parg = s->ext.ocsp.resp;
+ if (s->ext.ocsp.resp_len == 0
+ || s->ext.ocsp.resp_len > LONG_MAX)
return -1;
- return (long)s->tlsext_ocsp_resplen;
+ return (long)s->ext.ocsp.resp_len;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
- OPENSSL_free(s->tlsext_ocsp_resp);
- s->tlsext_ocsp_resp = parg;
- s->tlsext_ocsp_resplen = larg;
+ OPENSSL_free(s->ext.ocsp.resp);
+ s->ext.ocsp.resp = parg;
+ s->ext.ocsp.resp_len = larg;
ret = 1;
break;
@@ -3101,10 +3101,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
{
unsigned char *clist;
size_t clistlen;
+
if (!s->session)
return 0;
- clist = s->session->tlsext_supportedgroupslist;
- clistlen = s->session->tlsext_supportedgroupslist_length / 2;
+ clist = s->session->ext.supportedgroups;
+ clistlen = s->session->ext.supportedgroups_len / 2;
if (parg) {
size_t i;
int *cptr = parg;
@@ -3123,12 +3124,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
}
case SSL_CTRL_SET_GROUPS:
- return tls1_set_groups(&s->tlsext_supportedgroupslist,
- &s->tlsext_supportedgroupslist_length, parg, larg);
+ return tls1_set_groups(&s->ext.supportedgroups,
+ &s->ext.supportedgroups_len, parg, larg);
case SSL_CTRL_SET_GROUPS_LIST:
- return tls1_set_groups_list(&s->tlsext_supportedgroupslist,
- &s->tlsext_supportedgroupslist_length, parg);
+ return tls1_set_groups_list(&s->ext.supportedgroups,
+ &s->ext.supportedgroups_len, parg);
case SSL_CTRL_GET_SHARED_GROUP:
return tls1_shared_group(s, larg);
@@ -3208,10 +3209,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
{
SSL_SESSION *sess = s->session;
const unsigned char **pformat = parg;
- if (!sess || !sess->tlsext_ecpointformatlist)
+
+ if (sess == NULL || sess->ext.ecpointformats == NULL)
return 0;
- *pformat = sess->tlsext_ecpointformatlist;
- return (int)sess->tlsext_ecpointformatlist_length;
+ *pformat = sess->ext.ecpointformats;
+ return (int)sess->ext.ecpointformats_len;
}
#endif
@@ -3234,8 +3236,8 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
break;
#endif
case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
- s->tlsext_debug_cb = (void (*)(SSL *, int, int,
- const unsigned char *, int, void *))fp;
+ s->ext.debug_cb = (void (*)(SSL *, int, int,
+ const unsigned char *, int, void *))fp;
break;
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
@@ -3306,69 +3308,69 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
nid = EC_GROUP_get_curve_name(group);
if (nid == NID_undef)
return 0;
- return tls1_set_groups(&ctx->tlsext_supportedgroupslist,
- &ctx->tlsext_supportedgroupslist_length,
+ return tls1_set_groups(&ctx->ext.supportedgroups,
+ &ctx->ext.supportedgroups_len,
&nid, 1);
}
/* break; */
#endif /* !OPENSSL_NO_EC */
case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
- ctx->tlsext_servername_arg = parg;
+ ctx->ext.servername_arg = parg;
break;
case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
{
unsigned char *keys = parg;
- long tlsext_tick_keylen = (sizeof(ctx->tlsext_tick_key_name) +
- sizeof(ctx->tlsext_tick_hmac_key) +
- sizeof(ctx->tlsext_tick_aes_key));
+ long tick_keylen = (sizeof(ctx->ext.tick_key_name) +
+ sizeof(ctx->ext.tick_hmac_key) +
+ sizeof(ctx->ext.tick_aes_key));
if (keys == NULL)
- return tlsext_tick_keylen;
- if (larg != tlsext_tick_keylen) {
+ return tick_keylen;
+ if (larg != tick_keylen) {
SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
return 0;
}
if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
- memcpy(ctx->tlsext_tick_key_name, keys,
- sizeof(ctx->tlsext_tick_key_name));
- memcpy(ctx->tlsext_tick_hmac_key,
- keys + sizeof(ctx->tlsext_tick_key_name),
- sizeof(ctx->tlsext_tick_hmac_key));
- memcpy(ctx->tlsext_tick_aes_key,
- keys + sizeof(ctx->tlsext_tick_key_name) +
- sizeof(ctx->tlsext_tick_hmac_key),
- sizeof(ctx->tlsext_tick_aes_key));
+ memcpy(ctx->ext.tick_key_name, keys,
+ sizeof(ctx->ext.tick_key_name));
+ memcpy(ctx->ext.tick_hmac_key,
+ keys + sizeof(ctx->ext.tick_key_name),
+ sizeof(ctx->ext.tick_hmac_key));
+ memcpy(ctx->ext.tick_aes_key,
+ keys + sizeof(ctx->ext.tick_key_name) +
+ sizeof(ctx->ext.tick_hmac_key),
+ sizeof(ctx->ext.tick_aes_key));
} else {
- memcpy(keys, ctx->tlsext_tick_key_name,
- sizeof(ctx->tlsext_tick_key_name));
- memcpy(keys + sizeof(ctx->tlsext_tick_key_name),
- ctx->tlsext_tick_hmac_key,
- sizeof(ctx->tlsext_tick_hmac_key));
- memcpy(keys + sizeof(ctx->tlsext_tick_key_name) +
- sizeof(ctx->tlsext_tick_hmac_key),
- ctx->tlsext_tick_aes_key,
- sizeof(ctx->tlsext_tick_aes_key));
+ memcpy(keys, ctx->ext.tick_key_name,
+ sizeof(ctx->ext.tick_key_name));
+ memcpy(keys + sizeof(ctx->ext.tick_key_name),
+ ctx->ext.tick_hmac_key,
+ sizeof(ctx->ext.tick_hmac_key));
+ memcpy(keys + sizeof(ctx->ext.tick_key_name) +
+ sizeof(ctx->ext.tick_hmac_key),
+ ctx->ext.tick_aes_key,
+ sizeof(ctx->ext.tick_aes_key));
}
return 1;
}
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
- return ctx->tlsext_status_type;
+ return ctx->ext.status_type;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
- ctx->tlsext_status_type = larg;
+ ctx->ext.status_type = larg;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
- ctx->tlsext_status_arg = parg;
+ ctx->ext.status_arg = parg;
return 1;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
- *(void**)parg = ctx->tlsext_status_arg;
+ *(void**)parg = ctx->ext.status_arg;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
- *(int (**)(SSL*, void*))parg = ctx->tlsext_status_cb;
+ *(int (**)(SSL*, void*))parg = ctx->ext.status_cb;
break;
#ifndef OPENSSL_NO_SRP
@@ -3404,13 +3406,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_GROUPS:
- return tls1_set_groups(&ctx->tlsext_supportedgroupslist,
- &ctx->tlsext_supportedgroupslist_length,
+ return tls1_set_groups(&ctx->ext.supportedgroups,
+ &ctx->ext.supportedgroups_len,
parg, larg);
case SSL_CTRL_SET_GROUPS_LIST:
- return tls1_set_groups_list(&ctx->tlsext_supportedgroupslist,
- &ctx->tlsext_supportedgroupslist_length,
+ return tls1_set_groups_list(&ctx->ext.supportedgroups,
+ &ctx->ext.supportedgroups_len,
parg);
#endif
case SSL_CTRL_SET_SIGALGS:
@@ -3502,15 +3504,15 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
break;
#endif
case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
- ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;
+ ctx->ext.servername_cb = (int (*)(SSL *, int *, void *))fp;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
- ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
+ ctx->ext.status_cb = (int (*)(SSL *, void *))fp;
break;
case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
- ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
+ ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *,
unsigned char *,
EVP_CIPHER_CTX *,
HMAC_CTX *, int))fp;
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index fd13f90..401aeb5 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -183,13 +183,13 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
as.peer = in->peer;
ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname,
- in->tlsext_hostname);
- if (in->tlsext_tick) {
+ in->ext.hostname);
+ if (in->ext.tick) {
ssl_session_oinit(&as.tlsext_tick, &tlsext_tick,
- in->tlsext_tick, in->tlsext_ticklen);
+ in->ext.tick, in->ext.ticklen);
}
- if (in->tlsext_tick_lifetime_hint > 0)
- as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint;
+ if (in->ext.tick_lifetime_hint > 0)
+ as.tlsext_tick_lifetime_hint = in->ext.tick_lifetime_hint;
#ifndef OPENSSL_NO_PSK
ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint,
in->psk_identity_hint);
@@ -315,7 +315,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
/* NB: this defaults to zero which is X509_V_OK */
ret->verify_result = as->verify_result;
- if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname))
+ if (!ssl_session_strndup(&ret->ext.hostname, as->tlsext_hostname))
goto err;
#ifndef OPENSSL_NO_PSK
@@ -325,13 +325,13 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
goto err;
#endif
- ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint;
+ ret->ext.tick_lifetime_hint = as->tlsext_tick_lifetime_hint;
if (as->tlsext_tick) {
- ret->tlsext_tick = as->tlsext_tick->data;
- ret->tlsext_ticklen = as->tlsext_tick->length;
+ ret->ext.tick = as->tlsext_tick->data;
+ ret->ext.ticklen = as->tlsext_tick->length;
as->tlsext_tick->data = NULL;
} else {
- ret->tlsext_tick = NULL;
+ ret->ext.tick = NULL;
}
#ifndef OPENSSL_NO_COMP
if (as->comp_id) {
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 65e3ba1..5887345 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -589,49 +589,46 @@ SSL *SSL_new(SSL_CTX *ctx)
SSL_CTX_up_ref(ctx);
s->ctx = ctx;
- s->tlsext_debug_cb = 0;
- s->tlsext_debug_arg = NULL;
- s->tlsext_ticket_expected = 0;
- s->tlsext_status_type = ctx->tlsext_status_type;
- s->tlsext_status_expected = 0;
- s->tlsext_ocsp_ids = NULL;
- s->tlsext_ocsp_exts = NULL;
- s->tlsext_ocsp_resp = NULL;
- s->tlsext_ocsp_resplen = 0;
+ s->ext.debug_cb = 0;
+ s->ext.debug_arg = NULL;
+ s->ext.ticket_expected = 0;
+ s->ext.status_type = ctx->ext.status_type;
+ s->ext.status_expected = 0;
+ s->ext.ocsp.ids = NULL;
+ s->ext.ocsp.exts = NULL;
+ s->ext.ocsp.resp = NULL;
+ s->ext.ocsp.resp_len = 0;
SSL_CTX_up_ref(ctx);
s->initial_ctx = ctx;
#ifndef OPENSSL_NO_EC
- if (ctx->tlsext_ecpointformatlist) {
- s->tlsext_ecpointformatlist =
- OPENSSL_memdup(ctx->tlsext_ecpointformatlist,
- ctx->tlsext_ecpointformatlist_length);
- if (!s->tlsext_ecpointformatlist)
+ if (ctx->ext.ecpointformats) {
+ s->ext.ecpointformats =
+ OPENSSL_memdup(ctx->ext.ecpointformats,
+ ctx->ext.ecpointformats_len);
+ if (!s->ext.ecpointformats)
goto err;
- s->tlsext_ecpointformatlist_length =
- ctx->tlsext_ecpointformatlist_length;
- }
- if (ctx->tlsext_supportedgroupslist) {
- s->tlsext_supportedgroupslist =
- OPENSSL_memdup(ctx->tlsext_supportedgroupslist,
- ctx->tlsext_supportedgroupslist_length);
- if (!s->tlsext_supportedgroupslist)
+ s->ext.ecpointformats_len =
+ ctx->ext.ecpointformats_len;
+ }
+ if (ctx->ext.supportedgroups) {
+ s->ext.supportedgroups =
+ OPENSSL_memdup(ctx->ext.supportedgroups,
+ ctx->ext.supportedgroups_len);
+ if (!s->ext.supportedgroups)
goto err;
- s->tlsext_supportedgroupslist_length =
- ctx->tlsext_supportedgroupslist_length;
+ s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
}
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
- s->next_proto_negotiated = NULL;
+ s->ext.npn = NULL;
#endif
- if (s->ctx->alpn_client_proto_list) {
- s->alpn_client_proto_list =
- OPENSSL_malloc(s->ctx->alpn_client_proto_list_len);
- if (s->alpn_client_proto_list == NULL)
+ if (s->ctx->ext.alpn) {
+ s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);
+ if (s->ext.alpn == NULL)
goto err;
- memcpy(s->alpn_client_proto_list, s->ctx->alpn_client_proto_list,
- s->ctx->alpn_client_proto_list_len);
- s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
+ memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);
+ s->ext.alpn_len = s->ctx->ext.alpn_len;
}
s->verified_chain = NULL;
@@ -838,7 +835,7 @@ int SSL_dane_enable(SSL *s, const char *basedomain)
* accepts them and disables host name checks. To avoid side-effects with
* invalid input, set the SNI name first.
*/
- if (s->tlsext_hostname == NULL) {
+ if (s->ext.hostname == NULL) {
if (!SSL_set_tlsext_host_name(s, basedomain)) {
SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
return -1;
@@ -997,22 +994,22 @@ void SSL_free(SSL *s)
ssl_cert_free(s->cert);
/* Free up if allocated */
- OPENSSL_free(s->tlsext_hostname);
+ OPENSSL_free(s->ext.hostname);
SSL_CTX_free(s->initial_ctx);
#ifndef OPENSSL_NO_EC
- OPENSSL_free(s->tlsext_ecpointformatlist);
- OPENSSL_free(s->tlsext_supportedgroupslist);
+ OPENSSL_free(s->ext.ecpointformats);
+ OPENSSL_free(s->ext.supportedgroups);
#endif /* OPENSSL_NO_EC */
- sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);
+ sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
#ifndef OPENSSL_NO_OCSP
- sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
+ sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
#endif
#ifndef OPENSSL_NO_CT
SCT_LIST_free(s->scts);
- OPENSSL_free(s->tlsext_scts);
+ OPENSSL_free(s->ext.scts);
#endif
- OPENSSL_free(s->tlsext_ocsp_resp);
- OPENSSL_free(s->alpn_client_proto_list);
+ OPENSSL_free(s->ext.ocsp.resp);
+ OPENSSL_free(s->ext.alpn);
sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
@@ -1028,7 +1025,7 @@ void SSL_free(SSL *s)
ASYNC_WAIT_CTX_free(s->waitctx);
#if !defined(OPENSSL_NO_NEXTPROTONEG)
- OPENSSL_free(s->next_proto_negotiated);
+ OPENSSL_free(s->ext.npn);
#endif
#ifndef OPENSSL_NO_SRTP
@@ -2168,15 +2165,15 @@ const char *SSL_get_servername(const SSL *s, const int type)
if (type != TLSEXT_NAMETYPE_host_name)
return NULL;
- return s->session && !s->tlsext_hostname ?
- s->session->tlsext_hostname : s->tlsext_hostname;
+ return s->session && !s->ext.hostname ?
+ s->session->ext.hostname : s->ext.hostname;
}
int SSL_get_servername_type(const SSL *s)
{
if (s->session
- && (!s->tlsext_hostname ? s->session->
- tlsext_hostname : s->tlsext_hostname))
+ && (!s->ext.hostname ? s->session->
+ ext.hostname : s->ext.hostname))
return TLSEXT_NAMETYPE_host_name;
return -1;
}
@@ -2251,16 +2248,16 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
unsigned *len)
{
- *data = s->next_proto_negotiated;
+ *data = s->ext.npn;
if (!*data) {
*len = 0;
} else {
- *len = (unsigned int)s->next_proto_negotiated_len;
+ *len = (unsigned int)s->ext.npn_len;
}
}
/*
- * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when
+ * SSL_CTX_set_npn_advertised_cb sets a callback that is called when
* a TLS server needs a list of supported protocols for Next Protocol
* Negotiation. The returned list must be in wire format. The list is
* returned by setting |out| to point to it and |outlen| to its length. This
@@ -2269,15 +2266,12 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
* wishes to advertise. Otherwise, no such extension will be included in the
* ServerHello.
*/
-void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx,
- int (*cb) (SSL *ssl,
- const unsigned char
- **out,
- unsigned int *outlen,
- void *arg), void *arg)
+void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
+ SSL_CTX_npn_advertised_cb_func cb,
+ void *arg)
{
- ctx->next_protos_advertised_cb = cb;
- ctx->next_protos_advertised_cb_arg = arg;
+ ctx->ext.npn_advertised_cb = cb;
+ ctx->ext.npn_advertised_cb_arg = arg;
}
/*
@@ -2290,15 +2284,12 @@ void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx,
* select a protocol. It is fatal to the connection if this callback returns
* a value other than SSL_TLSEXT_ERR_OK.
*/
-void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
- int (*cb) (SSL *s, unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen,
- void *arg), void *arg)
+void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
+ SSL_CTX_npn_select_cb_func cb,
+ void *arg)
{
- ctx->next_proto_select_cb = cb;
- ctx->next_proto_select_cb_arg = arg;
+ ctx->ext.npn_select_cb = cb;
+ ctx->ext.npn_select_cb_arg = arg;
}
#endif
@@ -2310,13 +2301,13 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
unsigned int protos_len)
{
- OPENSSL_free(ctx->alpn_client_proto_list);
- ctx->alpn_client_proto_list = OPENSSL_memdup(protos, protos_len);
- if (ctx->alpn_client_proto_list == NULL) {
+ OPENSSL_free(ctx->ext.alpn);
+ ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);
+ if (ctx->ext.alpn == NULL) {
SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
return 1;
}
- ctx->alpn_client_proto_list_len = protos_len;
+ ctx->ext.alpn_len = protos_len;
return 0;
}
@@ -2329,13 +2320,13 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
unsigned int protos_len)
{
- OPENSSL_free(ssl->alpn_client_proto_list);
- ssl->alpn_client_proto_list = OPENSSL_memdup(protos, protos_len);
- if (ssl->alpn_client_proto_list == NULL) {
+ OPENSSL_free(ssl->ext.alpn);
+ ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);
+ if (ssl->ext.alpn == NULL) {
SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
return 1;
}
- ssl->alpn_client_proto_list_len = protos_len;
+ ssl->ext.alpn_len = protos_len;
return 0;
}
@@ -2346,15 +2337,11 @@ int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
* from the client's list of offered protocols.
*/
void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
- int (*cb) (SSL *ssl,
- const unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen,
- void *arg), void *arg)
+ SSL_CTX_alpn_select_cb_func cb,
+ void *arg)
{
- ctx->alpn_select_cb = cb;
- ctx->alpn_select_cb_arg = arg;
+ ctx->ext.alpn_select_cb = cb;
+ ctx->ext.alpn_select_cb_arg = arg;
}
/*
@@ -2513,12 +2500,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
/* Setup RFC5077 ticket keys */
- if ((RAND_bytes(ret->tlsext_tick_key_name,
- sizeof(ret->tlsext_tick_key_name)) <= 0)
- || (RAND_bytes(ret->tlsext_tick_hmac_key,
- sizeof(ret->tlsext_tick_hmac_key)) <= 0)
- || (RAND_bytes(ret->tlsext_tick_aes_key,
- sizeof(ret->tlsext_tick_aes_key)) <= 0))
+ if ((RAND_bytes(ret->ext.tick_key_name,
+ sizeof(ret->ext.tick_key_name)) <= 0)
+ || (RAND_bytes(ret->ext.tick_hmac_key,
+ sizeof(ret->ext.tick_hmac_key)) <= 0)
+ || (RAND_bytes(ret->ext.tick_aes_key,
+ sizeof(ret->ext.tick_aes_key)) <= 0))
ret->options |= SSL_OP_NO_TICKET;
#ifndef OPENSSL_NO_SRP
@@ -2556,7 +2543,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
*/
ret->options |= SSL_OP_NO_COMPRESSION;
- ret->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
+ ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
return ret;
err:
@@ -2629,10 +2616,10 @@ void SSL_CTX_free(SSL_CTX *a)
#endif
#ifndef OPENSSL_NO_EC
- OPENSSL_free(a->tlsext_ecpointformatlist);
- OPENSSL_free(a->tlsext_supportedgroupslist);
+ OPENSSL_free(a->ext.ecpointformats);
+ OPENSSL_free(a->ext.supportedgroups);
#endif
- OPENSSL_free(a->alpn_client_proto_list);
+ OPENSSL_free(a->ext.alpn);
CRYPTO_THREAD_lock_free(a->lock);
@@ -3728,46 +3715,22 @@ const char *SSL_get_psk_identity(const SSL *s)
return (s->session->psk_identity);
}
-void SSL_set_psk_client_callback(SSL *s,
- unsigned int (*cb) (SSL *ssl,
- const char *hint,
- char *identity,
- unsigned int
- max_identity_len,
- unsigned char *psk,
- unsigned int max_psk_len))
+void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb)
{
s->psk_client_callback = cb;
}
-void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
- unsigned int (*cb) (SSL *ssl,
- const char *hint,
- char *identity,
- unsigned int
- max_identity_len,
- unsigned char *psk,
- unsigned int
- max_psk_len))
+void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb)
{
ctx->psk_client_callback = cb;
}
-void SSL_set_psk_server_callback(SSL *s,
- unsigned int (*cb) (SSL *ssl,
- const char *identity,
- unsigned char *psk,
- unsigned int max_psk_len))
+void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb)
{
s->psk_server_callback = cb;
}
-void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
- unsigned int (*cb) (SSL *ssl,
- const char *identity,
- unsigned char *psk,
- unsigned int
- max_psk_len))
+void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb)
{
ctx->psk_server_callback = cb;
}
@@ -4040,9 +4003,9 @@ static int ct_extract_tls_extension_scts(SSL *s)
{
int scts_extracted = 0;
- if (s->tlsext_scts != NULL) {
- const unsigned char *p = s->tlsext_scts;
- STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->tlsext_scts_len);
+ if (s->ext.scts != NULL) {
+ const unsigned char *p = s->ext.scts;
+ STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len);
scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION);
@@ -4070,11 +4033,11 @@ static int ct_extract_ocsp_response_scts(SSL *s)
STACK_OF(SCT) *scts = NULL;
int i;
- if (s->tlsext_ocsp_resp == NULL || s->tlsext_ocsp_resplen == 0)
+ if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0)
goto err;
- p = s->tlsext_ocsp_resp;
- rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->tlsext_ocsp_resplen);
+ p = s->ext.ocsp.resp;
+ rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len);
if (rsp == NULL)
goto err;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c1b331a..641438d 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -553,18 +553,21 @@ struct ssl_session_st {
* implement a maximum cache size.
*/
struct ssl_session_st *prev, *next;
- char *tlsext_hostname;
+
+ struct {
+ char *hostname;
# ifndef OPENSSL_NO_EC
- size_t tlsext_ecpointformatlist_length;
- unsigned char *tlsext_ecpointformatlist; /* peer's list */
- size_t tlsext_supportedgroupslist_length;
- unsigned char *tlsext_supportedgroupslist; /* peer's list */
+ size_t ecpointformats_len;
+ unsigned char *ecpointformats; /* peer's list */
+ size_t supportedgroups_len;
+ unsigned char *supportedgroups; /* peer's list */
# endif /* OPENSSL_NO_EC */
/* RFC4507 info */
- unsigned char *tlsext_tick; /* Session ticket */
- size_t tlsext_ticklen; /* Session ticket length */
- unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in
- * seconds */
+ unsigned char *tick; /* Session ticket */
+ size_t ticklen; /* Session ticket length */
+ /* Session lifetime hint in seconds */
+ unsigned long tick_lifetime_hint;
+ } ext;
# ifndef OPENSSL_NO_SRP
char *srp_username;
# endif
@@ -775,63 +778,40 @@ struct ssl_ctx_st {
ENGINE *client_cert_engine;
# endif
- /* TLS extensions servername callback */
- int (*tlsext_servername_callback) (SSL *, int *, void *);
- void *tlsext_servername_arg;
- /* RFC 4507 session ticket keys */
- unsigned char tlsext_tick_key_name[TLSEXT_KEYNAME_LENGTH];
- unsigned char tlsext_tick_hmac_key[32];
- unsigned char tlsext_tick_aes_key[32];
- /* Callback to support customisation of ticket key setting */
- int (*tlsext_ticket_key_cb) (SSL *ssl,
- unsigned char *name, unsigned char *iv,
- EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
-
- /* certificate status request info */
- /* Callback for status request */
- int (*tlsext_status_cb) (SSL *ssl, void *arg);
- void *tlsext_status_arg;
-
-# ifndef OPENSSL_NO_PSK
- unsigned int (*psk_client_callback) (SSL *ssl, const char *hint,
- char *identity,
- unsigned int max_identity_len,
- unsigned char *psk,
- unsigned int max_psk_len);
- unsigned int (*psk_server_callback) (SSL *ssl, const char *identity,
- unsigned char *psk,
- unsigned int max_psk_len);
-# endif
+ /* TLS extensions. */
+ struct {
+ /* TLS extensions servername callback */
+ int (*servername_cb) (SSL *, int *, void *);
+ void *servername_arg;
+ /* RFC 4507 session ticket keys */
+ unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];
+ unsigned char tick_hmac_key[32];
+ unsigned char tick_aes_key[32];
+ /* Callback to support customisation of ticket key setting */
+ int (*ticket_key_cb) (SSL *ssl,
+ unsigned char *name, unsigned char *iv,
+ EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
+
+ /* certificate status request info */
+ /* Callback for status request */
+ int (*status_cb) (SSL *ssl, void *arg);
+ void *status_arg;
+ /* ext status type used for CSR extension (OCSP Stapling) */
+ int status_type;
-# ifndef OPENSSL_NO_SRP
- SRP_CTX srp_ctx; /* ctx for SRP authentication */
-# endif
+# ifndef OPENSSL_NO_EC
+ /* EC extension values inherited by SSL structure */
+ size_t ecpointformats_len;
+ unsigned char *ecpointformats;
+ size_t supportedgroups_len;
+ unsigned char *supportedgroups;
+# endif /* OPENSSL_NO_EC */
# ifndef OPENSSL_NO_NEXTPROTONEG
- /* Next protocol negotiation information */
-
- /*
- * For a server, this contains a callback function by which the set of
- * advertised protocols can be provided.
- */
- int (*next_protos_advertised_cb) (SSL *s, const unsigned char **buf,
- unsigned int *len, void *arg);
- void *next_protos_advertised_cb_arg;
- /*
- * For a client, this contains a callback function that selects the next
- * protocol from the list provided by the server.
- */
- int (*next_proto_select_cb) (SSL *s, unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen, void *arg);
- void *next_proto_select_cb_arg;
-# endif
-
- /*
- * ALPN information (we are in the process of transitioning from NPN to
- * ALPN.)
- */
+ /*
+ * ALPN information (we are in the process of transitioning from NPN to
+ * ALPN.)
+ */
/*-
* For a server, this contains a callback function that allows the
@@ -843,19 +823,45 @@ struct ssl_ctx_st {
* wire-format.
* inlen: the length of |in|.
*/
- int (*alpn_select_cb) (SSL *s,
- const unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen, void *arg);
- void *alpn_select_cb_arg;
+ int (*alpn_select_cb) (SSL *s,
+ const unsigned char **out,
+ unsigned char *outlen,
+ const unsigned char *in,
+ unsigned int inlen, void *arg);
+ void *alpn_select_cb_arg;
- /*
- * For a client, this contains the list of supported protocols in wire
- * format.
- */
- unsigned char *alpn_client_proto_list;
- size_t alpn_client_proto_list_len;
+ /*
+ * For a client, this contains the list of supported protocols in wire
+ * format.
+ */
+ unsigned char *alpn;
+ size_t alpn_len;
+
+ /* Next protocol negotiation information */
+
+ /*
+ * For a server, this contains a callback function by which the set of
+ * advertised protocols can be provided.
+ */
+ SSL_CTX_npn_advertised_cb_func npn_advertised_cb;
+ void *npn_advertised_cb_arg;
+ /*
+ * For a client, this contains a callback function that selects the next
+ * protocol from the list provided by the server.
+ */
+ SSL_CTX_npn_select_cb_func npn_select_cb;
+ void *npn_select_cb_arg;
+# endif
+ } ext;
+
+# ifndef OPENSSL_NO_PSK
+ SSL_psk_client_cb_func psk_client_callback;
+ SSL_psk_server_cb_func psk_server_callback;
+# endif
+
+# ifndef OPENSSL_NO_SRP
+ SRP_CTX srp_ctx; /* ctx for SRP authentication */
+# endif
/* Shared DANE context */
struct dane_ctx_st dane;
@@ -867,16 +873,6 @@ struct ssl_ctx_st {
* basis, depending on the chosen cipher.
*/
int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
-# ifndef OPENSSL_NO_EC
- /* EC extension values inherited by SSL structure */
- size_t tlsext_ecpointformatlist_length;
- unsigned char *tlsext_ecpointformatlist;
- size_t tlsext_supportedgroupslist_length;
- unsigned char *tlsext_supportedgroupslist;
-# endif /* OPENSSL_NO_EC */
-
- /* ext status type used for CSR extension (OCSP Stapling) */
- int tlsext_status_type;
CRYPTO_RWLOCK *lock;
};
@@ -996,14 +992,8 @@ struct ssl_st {
/* actual code */
int error_code;
# ifndef OPENSSL_NO_PSK
- unsigned int (*psk_client_callback) (SSL *ssl, const char *hint,
- char *identity,
- unsigned int max_identity_len,
- unsigned char *psk,
- unsigned int max_psk_len);
- unsigned int (*psk_server_callback) (SSL *ssl, const char *identity,
- unsigned char *psk,
- unsigned int max_psk_len);
+ SSL_psk_client_cb_func psk_client_callback;
+ SSL_psk_server_cb_func psk_server_callback;
# endif
SSL_CTX *ctx;
/* Verified chain of peer */
@@ -1039,11 +1029,67 @@ struct ssl_st {
size_t max_send_fragment;
/* Up to how many pipelines should we use? If 0 then 1 is assumed */
size_t max_pipelines;
- /* TLS extension debug callback */
- void (*tlsext_debug_cb) (SSL *s, int client_server, int type,
- const unsigned char *data, int len, void *arg);
- void *tlsext_debug_arg;
- char *tlsext_hostname;
+
+ struct {
+ /* TLS extension debug callback */
+ void (*debug_cb)(SSL *s, int client_server, int type,
+ const unsigned char *data, int len, void *arg);
+ void *debug_arg;
+ char *hostname;
+ /* certificate status request info */
+ /* Status type or -1 if no status type */
+ int status_type;
+ /* Raw extension data, if seen */
+ unsigned char *scts;
+ /* Length of raw extension data, if seen */
+ uint16_t scts_len;
+ /* Expect OCSP CertificateStatus message */
+ int status_expected;
+
+ struct {
+ /* OCSP status request only */
+ STACK_OF(OCSP_RESPID) *ids;
+ X509_EXTENSIONS *exts;
+ /* OCSP response received or to be sent */
+ unsigned char *resp;
+ size_t resp_len;
+ } ocsp;
+
+ /* RFC4507 session ticket expected to be received or sent */
+ int ticket_expected;
+# ifndef OPENSSL_NO_EC
+ size_t ecpointformats_len;
+ /* our list */
+ unsigned char *ecpointformats;
+ size_t supportedgroups_len;
+ /* our list */
+ unsigned char *supportedgroups;
+# endif /* OPENSSL_NO_EC */
+ /* TLS Session Ticket extension override */
+ TLS_SESSION_TICKET_EXT *session_ticket;
+ /* TLS Session Ticket extension callback */
+ tls_session_ticket_ext_cb_fn session_ticket_cb;
+ void *session_ticket_cb_arg;
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn session_secret_cb;
+ void *session_secret_cb_arg;
+ /*
+ * For a client, this contains the list of supported protocols in wire
+ * format.
+ */
+ unsigned char *alpn;
+ size_t alpn_len;
+ /*
+ * Next protocol negotiation. For the client, this is the protocol that
+ * we sent in NextProtocol and is set when handling ServerHello
+ * extensions. For a server, this is the client's selected_protocol from
+ * NextProtocol and is set when handling the NextProtocol message, before
+ * the Finished message.
+ */
+ unsigned char *npn;
+ size_t npn_len;
+ } ext;
+
/*-
* no further mod of servername
* 0 : call the servername extension callback.
@@ -1051,9 +1097,6 @@ struct ssl_st {
* 2 : don't call servername callback, no ack in server hello
*/
int servername_done;
- /* certificate status request info */
- /* Status type or -1 if no status type */
- int tlsext_status_type;
# ifndef OPENSSL_NO_CT
/*
* Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
@@ -1067,62 +1110,17 @@ struct ssl_st {
* Lazily populated by CT_get_peer_scts(SSL*)
*/
STACK_OF(SCT) *scts;
- /* Raw extension data, if seen */
- unsigned char *tlsext_scts;
- /* Length of raw extension data, if seen */
- uint16_t tlsext_scts_len;
/* Have we attempted to find/parse SCTs yet? */
int scts_parsed;
# endif
- /* Expect OCSP CertificateStatus message */
- int tlsext_status_expected;
- /* OCSP status request only */
- STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
- X509_EXTENSIONS *tlsext_ocsp_exts;
- /* OCSP response received or to be sent */
- unsigned char *tlsext_ocsp_resp;
- size_t tlsext_ocsp_resplen;
- /* RFC4507 session ticket expected to be received or sent */
- int tlsext_ticket_expected;
-# ifndef OPENSSL_NO_EC
- size_t tlsext_ecpointformatlist_length;
- /* our list */
- unsigned char *tlsext_ecpointformatlist;
- size_t tlsext_supportedgroupslist_length;
- /* our list */
- unsigned char *tlsext_supportedgroupslist;
-# endif /* OPENSSL_NO_EC */
- /* TLS Session Ticket extension override */
- TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
- /* TLS Session Ticket extension callback */
- tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
- void *tls_session_ticket_ext_cb_arg;
- /* TLS pre-shared secret session resumption */
- tls_session_secret_cb_fn tls_session_secret_cb;
- void *tls_session_secret_cb_arg;
SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */
# ifndef OPENSSL_NO_NEXTPROTONEG
- /*
- * Next protocol negotiation. For the client, this is the protocol that
- * we sent in NextProtocol and is set when handling ServerHello
- * extensions. For a server, this is the client's selected_protocol from
- * NextProtocol and is set when handling the NextProtocol message, before
- * the Finished message.
- */
- unsigned char *next_proto_negotiated;
- size_t next_proto_negotiated_len;
# endif
# define session_ctx initial_ctx
/* What we'll do */
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
/* What's been chosen */
SRTP_PROTECTION_PROFILE *srtp_profile;
- /*
- * For a client, this contains the list of supported protocols in wire
- * format.
- */
- unsigned char *alpn_client_proto_list;
- size_t alpn_client_proto_list_len;
/*-
* 1 if we are renegotiating.
* 2 if we are a server and are inside a handshake
@@ -1277,7 +1275,7 @@ typedef struct ssl3_state_st {
/*
* Set if we saw the Next Protocol Negotiation extension from our peer.
*/
- int next_proto_neg_seen;
+ int npn_seen;
# endif
/*
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index c9a9e23..0ea7438 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -129,12 +129,12 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
dest->psk_identity = NULL;
#endif
dest->ciphers = NULL;
- dest->tlsext_hostname = NULL;
+ dest->ext.hostname = NULL;
#ifndef OPENSSL_NO_EC
- dest->tlsext_ecpointformatlist = NULL;
- dest->tlsext_supportedgroupslist = NULL;
+ dest->ext.ecpointformats = NULL;
+ dest->ext.supportedgroups = NULL;
#endif
- dest->tlsext_tick = NULL;
+ dest->ext.tick = NULL;
#ifndef OPENSSL_NO_SRP
dest->srp_username = NULL;
#endif
@@ -184,37 +184,37 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
goto err;
}
- if (src->tlsext_hostname) {
- dest->tlsext_hostname = OPENSSL_strdup(src->tlsext_hostname);
- if (dest->tlsext_hostname == NULL) {
+ if (src->ext.hostname) {
+ dest->ext.hostname = OPENSSL_strdup(src->ext.hostname);
+ if (dest->ext.hostname == NULL) {
goto err;
}
}
#ifndef OPENSSL_NO_EC
- if (src->tlsext_ecpointformatlist) {
- dest->tlsext_ecpointformatlist =
- OPENSSL_memdup(src->tlsext_ecpointformatlist,
- src->tlsext_ecpointformatlist_length);
- if (dest->tlsext_ecpointformatlist == NULL)
+ if (src->ext.ecpointformats) {
+ dest->ext.ecpointformats =
+ OPENSSL_memdup(src->ext.ecpointformats,
+ src->ext.ecpointformats_len);
+ if (dest->ext.ecpointformats == NULL)
goto err;
}
- if (src->tlsext_supportedgroupslist) {
- dest->tlsext_supportedgroupslist =
- OPENSSL_memdup(src->tlsext_supportedgroupslist,
- src->tlsext_supportedgroupslist_length);
- if (dest->tlsext_supportedgroupslist == NULL)
+ if (src->ext.supportedgroups) {
+ dest->ext.supportedgroups =
+ OPENSSL_memdup(src->ext.supportedgroups,
+ src->ext.supportedgroups_len);
+ if (dest->ext.supportedgroups == NULL)
goto err;
}
#endif
if (ticket != 0) {
- dest->tlsext_tick =
- OPENSSL_memdup(src->tlsext_tick, src->tlsext_ticklen);
- if (dest->tlsext_tick == NULL)
+ dest->ext.tick =
+ OPENSSL_memdup(src->ext.tick, src->ext.ticklen);
+ if (dest->ext.tick == NULL)
goto err;
} else {
- dest->tlsext_tick_lifetime_hint = 0;
- dest->tlsext_ticklen = 0;
+ dest->ext.tick_lifetime_hint = 0;
+ dest->ext.ticklen = 0;
}
#ifndef OPENSSL_NO_SRP
@@ -353,7 +353,7 @@ int ssl_get_new_session(SSL *s, int session)
* ServerHello extensions, and before recording the session
* ID received from the server, so this block is a noop.
*/
- if (s->tlsext_ticket_expected) {
+ if (s->ext.ticket_expected) {
ss->session_id_length = 0;
goto sess_id_done;
}
@@ -398,9 +398,9 @@ int ssl_get_new_session(SSL *s, int session)
}
sess_id_done:
- if (s->tlsext_hostname) {
- ss->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
- if (ss->tlsext_hostname == NULL) {
+ if (s->ext.hostname) {
+ ss->ext.hostname = OPENSSL_strdup(s->ext.hostname);
+ if (ss->ext.hostname == NULL) {
SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(ss);
return 0;
@@ -441,7 +441,7 @@ int ssl_get_new_session(SSL *s, int session)
* Side effects:
* - If a session is found then s->session is pointed at it (after freeing an
* existing session if need be) and s->verify_result is set from the session.
- * - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
+ * - Both for new and resumed sessions, s->ext.ticket_expected is set to 1
* if the server should issue a new session ticket (to 0 otherwise).
*/
int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
@@ -456,7 +456,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
if (hello->session_id_len == 0)
try_session_cache = 0;
- /* sets s->tlsext_ticket_expected */
+ /* sets s->ext.ticket_expected */
r = tls_get_ticket_from_client(s, hello, &ret);
switch (r) {
case -1: /* Error during processing */
@@ -635,7 +635,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
* The session was from a ticket, so we should issue a ticket for
* the new session
*/
- s->tlsext_ticket_expected = 1;
+ s->ext.ticket_expected = 1;
}
}
if (fatal)
@@ -765,13 +765,15 @@ void SSL_SESSION_free(SSL_SESSION *ss)
X509_free(ss->peer);
sk_X509_pop_free(ss->peer_chain, X509_free);
sk_SSL_CIPHER_free(ss->ciphers);
- OPENSSL_free(ss->tlsext_hostname);
- OPENSSL_free(ss->tlsext_tick);
+ OPENSSL_free(ss->ext.hostname);
+ OPENSSL_free(ss->ext.tick);
#ifndef OPENSSL_NO_EC
- ss->tlsext_ecpointformatlist_length = 0;
- OPENSSL_free(ss->tlsext_ecpointformatlist);
- ss->tlsext_supportedgroupslist_length = 0;
- OPENSSL_free(ss->tlsext_supportedgroupslist);
+ OPENSSL_free(ss->ext.ecpointformats);
+ ss->ext.ecpointformats = NULL;
+ ss->ext.ecpointformats_len = 0;
+ OPENSSL_free(ss->ext.supportedgroups);
+ ss->ext.supportedgroups = NULL;
+ ss->ext.supportedgroups_len = 0;
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_PSK
OPENSSL_free(ss->psk_identity_hint);
@@ -869,25 +871,25 @@ const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s)
const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s)
{
- return s->tlsext_hostname;
+ return s->ext.hostname;
}
int SSL_SESSION_has_ticket(const SSL_SESSION *s)
{
- return (s->tlsext_ticklen > 0) ? 1 : 0;
+ return (s->ext.ticklen > 0) ? 1 : 0;
}
unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
{
- return s->tlsext_tick_lifetime_hint;
+ return s->ext.tick_lifetime_hint;
}
void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick,
size_t *len)
{
- *len = s->tlsext_ticklen;
+ *len = s->ext.ticklen;
if (tick != NULL)
- *tick = s->tlsext_tick;
+ *tick = s->ext.tick;
}
X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
@@ -927,20 +929,13 @@ long SSL_CTX_get_timeout(const SSL_CTX *s)
}
int SSL_set_session_secret_cb(SSL *s,
- int (*tls_session_secret_cb) (SSL *s,
- void *secret,
- int *secret_len,
- STACK_OF(SSL_CIPHER)
- *peer_ciphers,
- const SSL_CIPHER
- **cipher,
- void *arg),
+ tls_session_secret_cb_fn tls_session_secret_cb,
void *arg)
{
if (s == NULL)
return (0);
- s->tls_session_secret_cb = tls_session_secret_cb;
- s->tls_session_secret_cb_arg = arg;
+ s->ext.session_secret_cb = tls_session_secret_cb;
+ s->ext.session_secret_cb_arg = arg;
return (1);
}
@@ -949,30 +944,30 @@ int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
{
if (s == NULL)
return (0);
- s->tls_session_ticket_ext_cb = cb;
- s->tls_session_ticket_ext_cb_arg = arg;
+ s->ext.session_ticket_cb = cb;
+ s->ext.session_ticket_cb_arg = arg;
return (1);
}
int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
{
if (s->version >= TLS1_VERSION) {
- OPENSSL_free(s->tlsext_session_ticket);
- s->tlsext_session_ticket = NULL;
- s->tlsext_session_ticket =
+ OPENSSL_free(s->ext.session_ticket);
+ s->ext.session_ticket = NULL;
+ s->ext.session_ticket =
OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
- if (s->tlsext_session_ticket == NULL) {
+ if (s->ext.session_ticket == NULL) {
SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
return 0;
}
- if (ext_data) {
- s->tlsext_session_ticket->length = ext_len;
- s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
- memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
+ if (ext_data != NULL) {
+ s->ext.session_ticket->length = ext_len;
+ s->ext.session_ticket->data = s->ext.session_ticket + 1;
+ memcpy(s->ext.session_ticket->data, ext_data, ext_len);
} else {
- s->tlsext_session_ticket->length = 0;
- s->tlsext_session_ticket->data = NULL;
+ s->ext.session_ticket->length = 0;
+ s->ext.session_ticket->data = NULL;
}
return 1;
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 06ea646..7d4a4fd 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -119,18 +119,18 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0)
goto err;
#endif
- if (x->tlsext_tick_lifetime_hint) {
+ if (x->ext.tick_lifetime_hint) {
if (BIO_printf(bp,
"\n TLS session ticket lifetime hint: %ld (seconds)",
- x->tlsext_tick_lifetime_hint) <= 0)
+ x->ext.tick_lifetime_hint) <= 0)
goto err;
}
- if (x->tlsext_tick) {
+ if (x->ext.tick) {
if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0)
goto err;
/* TODO(size_t): Convert this call */
if (BIO_dump_indent
- (bp, (const char *)x->tlsext_tick, (int)x->tlsext_ticklen, 4)
+ (bp, (const char *)x->ext.tick, (int)x->ext.ticklen, 4)
<= 0)
goto err;
}
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 0c65525..a68dd48 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -457,11 +457,11 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
if (!currext->present)
return 1;
- if (s->tlsext_debug_cb)
- s->tlsext_debug_cb(s, !s->server, currext->type,
- PACKET_data(&currext->data),
- PACKET_remaining(&currext->data),
- s->tlsext_debug_arg);
+ if (s->ext.debug_cb)
+ s->ext.debug_cb(s, !s->server, currext->type,
+ PACKET_data(&currext->data),
+ PACKET_remaining(&currext->data),
+ s->ext.debug_arg);
/* Skip if we've already parsed this extension */
if (currext->parsed)
@@ -714,13 +714,13 @@ static int final_server_name(SSL *s, unsigned int context, int sent,
int ret = SSL_TLSEXT_ERR_NOACK;
int altmp = SSL_AD_UNRECOGNIZED_NAME;
- if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
- ret = s->ctx->tlsext_servername_callback(s, &altmp,
- s->ctx->tlsext_servername_arg);
+ if (s->ctx != NULL && s->ctx->ext.servername_cb != 0)
+ ret = s->ctx->ext.servername_cb(s, &altmp,
+ s->ctx->ext.servername_arg);
else if (s->initial_ctx != NULL
- && s->initial_ctx->tlsext_servername_callback != 0)
- ret = s->initial_ctx->tlsext_servername_callback(s, &altmp,
- s->initial_ctx->tlsext_servername_arg);
+ && s->initial_ctx->ext.servername_cb != 0)
+ ret = s->initial_ctx->ext.servername_cb(s, &altmp,
+ s->initial_ctx->ext.servername_arg);
switch (ret) {
case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -757,20 +757,20 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
* suite, then if server returns an EC point formats lists extension it
* must contain uncompressed.
*/
- if (s->tlsext_ecpointformatlist != NULL
- && s->tlsext_ecpointformatlist_length > 0
- && s->session->tlsext_ecpointformatlist != NULL
- && s->session->tlsext_ecpointformatlist_length > 0
+ if (s->ext.ecpointformats != NULL
+ && s->ext.ecpointformats_len > 0
+ && s->session->ext.ecpointformats != NULL
+ && s->session->ext.ecpointformats_len > 0
&& ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
/* we are using an ECC cipher */
size_t i;
- unsigned char *list = s->session->tlsext_ecpointformatlist;
+ unsigned char *list = s->session->ext.ecpointformats;
- for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
+ for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
break;
}
- if (i == s->session->tlsext_ecpointformatlist_length) {
+ if (i == s->session->ext.ecpointformats_len) {
SSLerr(SSL_F_FINAL_EC_PT_FORMATS,
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
return 0;
@@ -784,7 +784,7 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
static int init_session_ticket(SSL *s, unsigned int context)
{
if (!s->server)
- s->tlsext_ticket_expected = 0;
+ s->ext.ticket_expected = 0;
return 1;
}
@@ -793,15 +793,15 @@ static int init_session_ticket(SSL *s, unsigned int context)
static int init_status_request(SSL *s, unsigned int context)
{
if (s->server) {
- s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
+ s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
} else {
/*
* Ensure we get sensible values passed to tlsext_status_cb in the event
* that we don't receive a status message
*/
- OPENSSL_free(s->tlsext_ocsp_resp);
- s->tlsext_ocsp_resp = NULL;
- s->tlsext_ocsp_resplen = 0;
+ OPENSSL_free(s->ext.ocsp.resp);
+ s->ext.ocsp.resp = NULL;
+ s->ext.ocsp.resp_len = 0;
}
return 1;
@@ -811,7 +811,7 @@ static int init_status_request(SSL *s, unsigned int context)
#ifndef OPENSSL_NO_NEXTPROTONEG
static int init_npn(SSL *s, unsigned int context)
{
- s->s3->next_proto_neg_seen = 0;
+ s->s3->npn_seen = 0;
return 1;
}
@@ -838,11 +838,11 @@ static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
if (!s->server)
return 1;
- if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
- int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
- s->s3->alpn_proposed,
- (unsigned int)s->s3->alpn_proposed_len,
- s->ctx->alpn_select_cb_arg);
+ if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
+ int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
+ s->s3->alpn_proposed,
+ (unsigned int)s->s3->alpn_proposed_len,
+ s->ctx->ext.alpn_select_cb_arg);
if (r == SSL_TLSEXT_ERR_OK) {
OPENSSL_free(s->s3->alpn_selected);
@@ -854,7 +854,7 @@ static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
s->s3->alpn_selected_len = selected_len;
#ifndef OPENSSL_NO_NEXTPROTONEG
/* ALPN takes precedence over NPN. */
- s->s3->next_proto_neg_seen = 0;
+ s->s3->npn_seen = 0;
#endif
} else {
*al = SSL_AD_NO_APPLICATION_PROTOCOL;
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 277e062..be0c979 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -34,7 +34,7 @@ int tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, X509 *x,
int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, X509 *x,
size_t chainidx, int *al)
{
- if (s->tlsext_hostname == NULL)
+ if (s->ext.hostname == NULL)
return 1;
/* Add TLS extension servername to the Client Hello message */
@@ -44,8 +44,8 @@ int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, X509 *x,
/* Sub-packet for servername list (always 1 hostname)*/
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
- || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
- strlen(s->tlsext_hostname))
+ || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
+ strlen(s->ext.hostname))
|| !WPACKET_close(pkt)
|| !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR);
@@ -145,7 +145,7 @@ int tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, X509 *x,
* Add TLS extension supported_groups to the ClientHello message
*/
/* TODO(TLS1.3): Add support for DHE groups */
- pcurves = s->tlsext_supportedgroupslist;
+ pcurves = s->ext.supportedgroups;
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR);
@@ -191,30 +191,30 @@ int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
return 1;
if (!s->new_session && s->session != NULL
- && s->session->tlsext_tick != NULL) {
- ticklen = s->session->tlsext_ticklen;
- } else if (s->session && s->tlsext_session_ticket != NULL
- && s->tlsext_session_ticket->data != NULL) {
- ticklen = s->tlsext_session_ticket->length;
- s->session->tlsext_tick = OPENSSL_malloc(ticklen);
- if (s->session->tlsext_tick == NULL) {
+ && s->session->ext.tick != NULL) {
+ ticklen = s->session->ext.ticklen;
+ } else if (s->session && s->ext.session_ticket != NULL
+ && s->ext.session_ticket->data != NULL) {
+ ticklen = s->ext.session_ticket->length;
+ s->session->ext.tick = OPENSSL_malloc(ticklen);
+ if (s->session->ext.tick == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
ERR_R_INTERNAL_ERROR);
return 0;
}
- memcpy(s->session->tlsext_tick,
- s->tlsext_session_ticket->data, ticklen);
- s->session->tlsext_ticklen = ticklen;
+ memcpy(s->session->ext.tick,
+ s->ext.session_ticket->data, ticklen);
+ s->session->ext.ticklen = ticklen;
} else {
ticklen = 0;
}
- if (ticklen == 0 && s->tlsext_session_ticket != NULL &&
- s->tlsext_session_ticket->data == NULL)
+ if (ticklen == 0 && s->ext.session_ticket != NULL &&
+ s->ext.session_ticket->data == NULL)
return 1;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
- || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick, ticklen)) {
+ || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -257,7 +257,7 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
if (x != NULL)
return 1;
- if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp)
+ if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
return 1;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
@@ -269,9 +269,9 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
return 0;
}
- for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
+ for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
unsigned char *idbytes;
- OCSP_RESPID *id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
+ OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
int idlen = i2d_OCSP_RESPID(id, NULL);
if (idlen <= 0
@@ -288,9 +288,9 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
return 0;
}
- if (s->tlsext_ocsp_exts) {
+ if (s->ext.ocsp.exts) {
unsigned char *extbytes;
- int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
+ int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
if (extlen < 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
@@ -298,7 +298,7 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
return 0;
}
if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
- || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
+ || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
!= extlen) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
ERR_R_INTERNAL_ERROR);
@@ -318,7 +318,7 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
int *al)
{
- if (s->ctx->next_proto_select_cb == NULL || s->s3->tmp.finish_md_len != 0)
+ if (s->ctx->ext.npn_select_cb == NULL || s->s3->tmp.finish_md_len != 0)
return 1;
/*
@@ -344,15 +344,14 @@ int tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
* finish_md_len is non-zero during a renegotiation, so
* this avoids sending ALPN during the renegotiation
*/
- if (s->alpn_client_proto_list == NULL || s->s3->tmp.finish_md_len != 0)
+ if (s->ext.alpn == NULL || s->s3->tmp.finish_md_len != 0)
return 1;
if (!WPACKET_put_bytes_u16(pkt,
TLSEXT_TYPE_application_layer_protocol_negotiation)
/* Sub-packet ALPN extension */
|| !WPACKET_start_sub_packet_u16(pkt)
- || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
- s->alpn_client_proto_list_len)
+ || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
|| !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR);
return 0;
@@ -516,7 +515,7 @@ int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
return 0;
}
- pcurves = s->tlsext_supportedgroupslist;
+ pcurves = s->ext.supportedgroups;
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return 0;
@@ -698,18 +697,18 @@ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
int *al)
{
- if (s->tlsext_hostname == NULL || PACKET_remaining(pkt) > 0) {
+ if (s->ext.hostname == NULL || PACKET_remaining(pkt) > 0) {
*al = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
if (!s->hit) {
- if (s->session->tlsext_hostname != NULL) {
+ if (s->session->ext.hostname != NULL) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
- s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
- if (s->session->tlsext_hostname == NULL) {
+ s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
+ if (s->session->ext.hostname == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -722,7 +721,7 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
int *al)
{
- unsigned int ecpointformatlist_length;
+ unsigned int ecpointformats_len;
PACKET ecptformatlist;
if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
@@ -730,22 +729,21 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
return 0;
}
if (!s->hit) {
- ecpointformatlist_length = PACKET_remaining(&ecptformatlist);
- s->session->tlsext_ecpointformatlist_length = 0;
+ ecpointformats_len = PACKET_remaining(&ecptformatlist);
+ s->session->ext.ecpointformats_len = 0;
- OPENSSL_free(s->session->tlsext_ecpointformatlist);
- s->session->tlsext_ecpointformatlist =
- OPENSSL_malloc(ecpointformatlist_length);
- if (s->session->tlsext_ecpointformatlist == NULL) {
+ OPENSSL_free(s->session->ext.ecpointformats);
+ s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
+ if (s->session->ext.ecpointformats == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+ s->session->ext.ecpointformats_len = ecpointformats_len;
if (!PACKET_copy_bytes(&ecptformatlist,
- s->session->tlsext_ecpointformatlist,
- ecpointformatlist_length)) {
+ s->session->ext.ecpointformats,
+ ecpointformats_len)) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -758,10 +756,10 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
int *al)
{
- if (s->tls_session_ticket_ext_cb != NULL &&
- !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
- PACKET_remaining(pkt),
- s->tls_session_ticket_ext_cb_arg)) {
+ if (s->ext.session_ticket_cb != NULL &&
+ !s->ext.session_ticket_cb(s, PACKET_data(pkt),
+ PACKET_remaining(pkt),
+ s->ext.session_ticket_cb_arg)) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -771,7 +769,7 @@ int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
return 0;
}
- s->tlsext_ticket_expected = 1;
+ s->ext.ticket_expected = 1;
return 1;
}
@@ -784,7 +782,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
* MUST only be sent if we've requested a status
* request message. In TLS <= 1.2 it must also be empty.
*/
- if (s->tlsext_status_type == TLSEXT_STATUSTYPE_nothing
+ if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
|| (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
*al = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
@@ -800,7 +798,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
}
/* Set flag to expect CertificateStatus message */
- s->tlsext_status_expected = 1;
+ s->ext.status_expected = 1;
return 1;
}
@@ -819,14 +817,14 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
size_t size = PACKET_remaining(pkt);
/* Simply copy it off for later processing */
- OPENSSL_free(s->tlsext_scts);
- s->tlsext_scts = NULL;
+ OPENSSL_free(s->ext.scts);
+ s->ext.scts = NULL;
- s->tlsext_scts_len = size;
+ s->ext.scts_len = size;
if (size > 0) {
- s->tlsext_scts = OPENSSL_malloc(size);
- if (s->tlsext_scts == NULL
- || !PACKET_copy_bytes(pkt, s->tlsext_scts, size)) {
+ s->ext.scts = OPENSSL_malloc(size);
+ if (s->ext.scts == NULL
+ || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -872,7 +870,7 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
return 1;
/* We must have requested it. */
- if (s->ctx->next_proto_select_cb == NULL) {
+ if (s->ctx->ext.npn_select_cb == NULL) {
*al = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
}
@@ -883,10 +881,10 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
*al = SSL_AD_DECODE_ERROR;
return 0;
}
- if (s->ctx->next_proto_select_cb(s, &selected, &selected_len,
- PACKET_data(pkt),
- PACKET_remaining(pkt),
- s->ctx->next_proto_select_cb_arg) !=
+ if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
+ PACKET_data(pkt),
+ PACKET_remaining(pkt),
+ s->ctx->ext.npn_select_cb_arg) !=
SSL_TLSEXT_ERR_OK) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
@@ -896,16 +894,16 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
* Could be non-NULL if server has sent multiple NPN extensions in
* a single Serverhello
*/
- OPENSSL_free(s->next_proto_negotiated);
- s->next_proto_negotiated = OPENSSL_malloc(selected_len);
- if (s->next_proto_negotiated == NULL) {
+ OPENSSL_free(s->ext.npn);
+ s->ext.npn = OPENSSL_malloc(selected_len);
+ if (s->ext.npn == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
- memcpy(s->next_proto_negotiated, selected, selected_len);
- s->next_proto_negotiated_len = selected_len;
- s->s3->next_proto_neg_seen = 1;
+ memcpy(s->ext.npn, selected, selected_len);
+ s->ext.npn_len = selected_len;
+ s->s3->npn_seen = 1;
return 1;
}
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index dfe5fc5..c868bb9 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -116,7 +116,7 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
return 0;
}
- if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
+ if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
*al = TLS1_AD_INTERNAL_ERROR;
return 0;
}
@@ -127,9 +127,9 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
* TODO(openssl-team): if the SNI doesn't match, we MUST
* fall back to a full handshake.
*/
- s->servername_done = s->session->tlsext_hostname
- && PACKET_equal(&hostname, s->session->tlsext_hostname,
- strlen(s->session->tlsext_hostname));
+ s->servername_done = s->session->ext.hostname
+ && PACKET_equal(&hostname, s->session->ext.hostname,
+ strlen(s->session->ext.hostname));
}
return 1;
@@ -173,8 +173,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
if (!s->hit) {
if (!PACKET_memdup(&ec_point_format_list,
- &s->session->tlsext_ecpointformatlist,
- &s->session->tlsext_ecpointformatlist_length)) {
+ &s->session->ext.ecpointformats,
+ &s->session->ext.ecpointformats_len)) {
*al = TLS1_AD_INTERNAL_ERROR;
return 0;
}
@@ -187,10 +187,10 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
int *al)
{
- if (s->tls_session_ticket_ext_cb &&
- !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
- PACKET_remaining(pkt),
- s->tls_session_ticket_ext_cb_arg)) {
+ if (s->ext.session_ticket_cb &&
+ !s->ext.session_ticket_cb(s, PACKET_data(pkt),
+ PACKET_remaining(pkt),
+ s->ext.session_ticket_cb_arg)) {
*al = TLS1_AD_INTERNAL_ERROR;
return 0;
}
@@ -229,16 +229,16 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
if (x != NULL)
return 1;
- if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
+ if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
*al = SSL_AD_DECODE_ERROR;
return 0;
}
- if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
+ if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
/*
* We don't know what to do with any other type so ignore it.
*/
- s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
+ s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
return 1;
}
@@ -251,15 +251,15 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
* We remove any OCSP_RESPIDs from a previous handshake
* to prevent unbounded memory growth - CVE-2016-6304
*/
- sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
+ sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
if (PACKET_remaining(&responder_id_list) > 0) {
- s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
- if (s->tlsext_ocsp_ids == NULL) {
+ s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
+ if (s->ext.ocsp.ids == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
} else {
- s->tlsext_ocsp_ids = NULL;
+ s->ext.ocsp.ids = NULL;
}
while (PACKET_remaining(&responder_id_list) > 0) {
@@ -288,7 +288,7 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
return 0;
}
- if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
+ if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
OCSP_RESPID_free(id);
*al = SSL_AD_INTERNAL_ERROR;
return 0;
@@ -304,11 +304,11 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
if (PACKET_remaining(&exts) > 0) {
const unsigned char *ext_data = PACKET_data(&exts);
- sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+ sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
X509_EXTENSION_free);
- s->tlsext_ocsp_exts =
+ s->ext.ocsp.exts =
d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
- if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
+ if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
*al = SSL_AD_DECODE_ERROR;
return 0;
}
@@ -339,7 +339,7 @@ int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
* Finished message could have been computed.)
*/
if (s->s3->tmp.finish_md_len == 0)
- s->s3->next_proto_neg_seen = 1;
+ s->s3->npn_seen = 1;
return 1;
}
@@ -643,8 +643,8 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
if (!s->hit
&& !PACKET_memdup(&supported_groups_list,
- &s->session->tlsext_supportedgroupslist,
- &s->session->tlsext_supportedgroupslist_length)) {
+ &s->session->ext.supportedgroups,
+ &s->session->ext.supportedgroups_len)) {
*al = SSL_AD_DECODE_ERROR;
return 0;
}
@@ -695,7 +695,7 @@ int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
size_t chainidx, int *al)
{
if (s->hit || s->servername_done != 1
- || s->session->tlsext_hostname == NULL)
+ || s->session->ext.hostname == NULL)
return 1;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
@@ -714,7 +714,7 @@ int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
- && (s->session->tlsext_ecpointformatlist != NULL);
+ && (s->session->ext.ecpointformats != NULL);
const unsigned char *plist;
size_t plistlen;
@@ -737,8 +737,8 @@ int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
size_t chainidx, int *al)
{
- if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
- s->tlsext_ticket_expected = 0;
+ if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
+ s->ext.ticket_expected = 0;
return 1;
}
@@ -755,7 +755,7 @@ int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
size_t chainidx, int *al)
{
- if (!s->tlsext_status_expected)
+ if (!s->ext.status_expected)
return 1;
if (SSL_IS_TLS13(s) && chainidx != 0)
@@ -789,14 +789,14 @@ int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
const unsigned char *npa;
unsigned int npalen;
int ret;
- int next_proto_neg_seen = s->s3->next_proto_neg_seen;
+ int npn_seen = s->s3->npn_seen;
- s->s3->next_proto_neg_seen = 0;
- if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
+ s->s3->npn_seen = 0;
+ if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
return 1;
- ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
- s->ctx->next_protos_advertised_cb_arg);
+ ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
+ s->ctx->ext.npn_advertised_cb_arg);
if (ret == SSL_TLSEXT_ERR_OK) {
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
|| !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
@@ -804,7 +804,7 @@ int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
ERR_R_INTERNAL_ERROR);
return 0;
}
- s->s3->next_proto_neg_seen = 1;
+ s->s3->npn_seen = 1;
}
return 1;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index a3133ad..9fa16b1 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -225,7 +225,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
case TLS_ST_CR_SRVR_HELLO:
if (s->hit) {
- if (s->tlsext_ticket_expected) {
+ if (s->ext.ticket_expected) {
if (mt == SSL3_MT_NEWSESSION_TICKET) {
st->hand_state = TLS_ST_CR_SESSION_TICKET;
return 1;
@@ -239,8 +239,8 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
return 1;
} else if (s->version >= TLS1_VERSION
- && s->tls_session_secret_cb != NULL
- && s->session->tlsext_tick != NULL
+ && s->ext.session_secret_cb != NULL
+ && s->session->ext.tick != NULL
&& mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
/*
* Normally, we can tell if the server is resuming the session
@@ -282,9 +282,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
case TLS_ST_CR_CERT:
/*
* The CertificateStatus message is optional even if
- * |tlsext_status_expected| is set
+ * |ext.status_expected| is set
*/
- if (s->tlsext_status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
+ if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
st->hand_state = TLS_ST_CR_CERT_STATUS;
return 1;
}
@@ -321,7 +321,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
break;
case TLS_ST_CW_FINISHED:
- if (s->tlsext_ticket_expected) {
+ if (s->ext.ticket_expected) {
if (mt == SSL3_MT_NEWSESSION_TICKET) {
st->hand_state = TLS_ST_CR_SESSION_TICKET;
return 1;
@@ -478,7 +478,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
#if defined(OPENSSL_NO_NEXTPROTONEG)
st->hand_state = TLS_ST_CW_FINISHED;
#else
- if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen)
+ if (!SSL_IS_DTLS(s) && s->s3->npn_seen)
st->hand_state = TLS_ST_CW_NEXT_PROTO;
else
st->hand_state = TLS_ST_CW_FINISHED;
@@ -872,7 +872,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
* In the case of EAP-FAST, we can have a pre-shared
* "ticket" without a session ID.
*/
- (!sess->session_id_length && !sess->tlsext_tick) ||
+ (!sess->session_id_length && !sess->ext.tick) ||
(sess->not_resumable)) {
if (!ssl_get_new_session(s, 0))
return 0;
@@ -1122,7 +1122,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
* server wants to resume.
*/
if (s->version >= TLS1_VERSION && !SSL_IS_TLS13(s)
- && s->tls_session_secret_cb != NULL && s->session->tlsext_tick) {
+ && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
const SSL_CIPHER *pref_cipher = NULL;
/*
* s->session->master_key_length is a size_t, but this is an int for
@@ -1130,10 +1130,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
*/
int master_key_length;
master_key_length = sizeof(s->session->master_key);
- if (s->tls_session_secret_cb(s, s->session->master_key,
+ if (s->ext.session_secret_cb(s, s->session->master_key,
&master_key_length,
NULL, &pref_cipher,
- s->tls_session_secret_cb_arg)
+ s->ext.session_secret_cb_arg)
&& master_key_length > 0) {
s->session->master_key_length = master_key_length;
s->session->cipher = pref_cipher ?
@@ -2134,22 +2134,23 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
s->session = new_sess;
}
- OPENSSL_free(s->session->tlsext_tick);
- s->session->tlsext_ticklen = 0;
+ OPENSSL_free(s->session->ext.tick);
+ s->session->ext.tick = NULL;
+ s->session->ext.ticklen = 0;
- s->session->tlsext_tick = OPENSSL_malloc(ticklen);
- if (s->session->tlsext_tick == NULL) {
+ s->session->ext.tick = OPENSSL_malloc(ticklen);
+ if (s->session->ext.tick == NULL) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!PACKET_copy_bytes(pkt, s->session->tlsext_tick, ticklen)) {
+ if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
- s->session->tlsext_tick_lifetime_hint = ticket_lifetime_hint;
- s->session->tlsext_ticklen = ticklen;
+ s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
+ s->session->ext.ticklen = ticklen;
/*
* There are two ways to detect a resumed ticket session. One is to set
* an appropriate session ID and then the server must return a match in
@@ -2165,7 +2166,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
* TODO(size_t): we use sess_len here because EVP_Digest expects an int
* but s->session->session_id_length is a size_t
*/
- if (!EVP_Digest(s->session->tlsext_tick, ticklen,
+ if (!EVP_Digest(s->session->ext.tick, ticklen,
s->session->session_id, &sess_len,
EVP_sha256(), NULL)) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB);
@@ -2203,18 +2204,18 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al)
SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
return 0;
}
- s->tlsext_ocsp_resp = OPENSSL_malloc(resplen);
- if (s->tlsext_ocsp_resp == NULL) {
+ s->ext.ocsp.resp = OPENSSL_malloc(resplen);
+ if (s->ext.ocsp.resp == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE);
return 0;
}
- if (!PACKET_copy_bytes(pkt, s->tlsext_ocsp_resp, resplen)) {
+ if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
*al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
return 0;
}
- s->tlsext_ocsp_resplen = resplen;
+ s->ext.ocsp.resp_len = resplen;
return 1;
}
@@ -2251,14 +2252,14 @@ int tls_process_initial_server_flight(SSL *s, int *al)
}
/*
- * Call the ocsp status callback if needed. The |tlsext_ocsp_resp| and
- * |tlsext_ocsp_resplen| values will be set if we actually received a status
+ * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
+ * |ext.ocsp.resp_len| values will be set if we actually received a status
* message, or NULL and -1 otherwise
*/
- if (s->tlsext_status_type != TLSEXT_STATUSTYPE_nothing
- && s->ctx->tlsext_status_cb != NULL) {
- int ret;
- ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+ if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
+ && s->ctx->ext.status_cb != NULL) {
+ int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
+
if (ret == 0) {
*al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
@@ -3112,10 +3113,10 @@ int tls_construct_next_proto(SSL *s, WPACKET *pkt)
size_t len, padding_len;
unsigned char *padding = NULL;
- len = s->next_proto_negotiated_len;
+ len = s->ext.npn_len;
padding_len = 32 - ((len + 2) % 32);
- if (!WPACKET_sub_memcpy_u8(pkt, s->next_proto_negotiated, len)
+ if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
|| !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
goto err;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b3d6419..224b158 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -255,7 +255,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
- if (s->s3->next_proto_neg_seen) {
+ if (s->s3->npn_seen) {
if (mt == SSL3_MT_NEXT_PROTO) {
st->hand_state = TLS_ST_SR_NEXT_PROTO;
return 1;
@@ -488,7 +488,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
case TLS_ST_SW_SRVR_HELLO:
if (s->hit) {
- if (s->tlsext_ticket_expected)
+ if (s->ext.ticket_expected)
st->hand_state = TLS_ST_SW_SESSION_TICKET;
else
st->hand_state = TLS_ST_SW_CHANGE;
@@ -509,7 +509,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_SW_CERT:
- if (s->tlsext_status_expected) {
+ if (s->ext.status_expected) {
st->hand_state = TLS_ST_SW_CERT_STATUS;
return WRITE_TRAN_CONTINUE;
}
@@ -541,7 +541,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
st->hand_state = TLS_ST_OK;
ossl_statem_set_in_init(s, 0);
return WRITE_TRAN_CONTINUE;
- } else if (s->tlsext_ticket_expected) {
+ } else if (s->ext.ticket_expected) {
st->hand_state = TLS_ST_SW_SESSION_TICKET;
} else {
st->hand_state = TLS_ST_SW_CHANGE;
@@ -1527,7 +1527,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
}
}
- if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
+ if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) {
const SSL_CIPHER *pref_cipher = NULL;
/*
* s->session->master_key_length is a size_t, but this is an int for
@@ -1536,10 +1536,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
int master_key_length;
master_key_length = sizeof(s->session->master_key);
- if (s->tls_session_secret_cb(s, s->session->master_key,
+ if (s->ext.session_secret_cb(s, s->session->master_key,
&master_key_length, ciphers,
&pref_cipher,
- s->tls_session_secret_cb_arg)
+ s->ext.session_secret_cb_arg)
&& master_key_length > 0) {
s->session->master_key_length = master_key_length;
s->hit = 1;
@@ -1691,7 +1691,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
*/
static int tls_handle_status_request(SSL *s, int *al)
{
- s->tlsext_status_expected = 0;
+ s->ext.status_expected = 0;
/*
* If status request then ask callback what to do. Note: this must be
@@ -1699,8 +1699,8 @@ static int tls_handle_status_request(SSL *s, int *al)
* and must be called after the cipher has been chosen because this may
* influence which certificate is sent
*/
- if (s->tlsext_status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
- && s->ctx->tlsext_status_cb != NULL) {
+ if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
+ && s->ctx->ext.status_cb != NULL) {
int ret;
CERT_PKEY *certpkey = ssl_get_server_send_pkey(s);
@@ -1711,16 +1711,16 @@ static int tls_handle_status_request(SSL *s, int *al)
* et al can pick it up.
*/
s->cert->key = certpkey;
- ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+ ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
switch (ret) {
/* We don't want to send a status request response */
case SSL_TLSEXT_ERR_NOACK:
- s->tlsext_status_expected = 0;
+ s->ext.status_expected = 0;
break;
/* status request response should be sent */
case SSL_TLSEXT_ERR_OK:
- if (s->tlsext_ocsp_resp)
- s->tlsext_status_expected = 1;
+ if (s->ext.ocsp.resp)
+ s->ext.status_expected = 1;
break;
/* something bad happened */
case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1773,7 +1773,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
!= 0));
if (s->session->not_resumable)
/* do not send a session ticket */
- s->tlsext_ticket_expected = 0;
+ s->ext.ticket_expected = 0;
} else {
/* Session-id reuse */
s->s3->tmp.new_cipher = s->session->cipher;
@@ -3371,9 +3371,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
* Initialize HMAC and cipher contexts. If callback present it does
* all the work otherwise use generated values from parent ctx.
*/
- if (tctx->tlsext_ticket_key_cb) {
+ if (tctx->ext.ticket_key_cb) {
/* if 0 is returned, write an empty ticket */
- int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx,
+ int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
hctx, 1);
if (ret == 0) {
@@ -3400,14 +3400,14 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
if (RAND_bytes(iv, iv_len) <= 0)
goto err;
if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
- tctx->tlsext_tick_aes_key, iv))
+ tctx->ext.tick_aes_key, iv))
goto err;
- if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
- sizeof(tctx->tlsext_tick_hmac_key),
+ if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
+ sizeof(tctx->ext.tick_hmac_key),
EVP_sha256(), NULL))
goto err;
- memcpy(key_name, tctx->tlsext_tick_key_name,
- sizeof(tctx->tlsext_tick_key_name));
+ memcpy(key_name, tctx->ext.tick_key_name,
+ sizeof(tctx->ext.tick_key_name));
}
/*
@@ -3465,9 +3465,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
*/
int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
{
- if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
- || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
- s->tlsext_ocsp_resplen)) {
+ if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
+ || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
+ s->ext.ocsp.resp_len)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -3509,12 +3509,12 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
goto err;
}
- if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) {
- s->next_proto_negotiated_len = 0;
+ if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
+ s->ext.npn_len = 0;
goto err;
}
- s->next_proto_negotiated_len = (unsigned char)next_proto_len;
+ s->ext.npn_len = (unsigned char)next_proto_len;
return MSG_PROCESS_CONTINUE_READING;
err:
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f45ffcb..ec8b968 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -112,7 +112,7 @@ int tls1_new(SSL *s)
void tls1_free(SSL *s)
{
- OPENSSL_free(s->tlsext_session_ticket);
+ OPENSSL_free(s->ext.session_ticket);
ssl3_free(s);
}
@@ -265,8 +265,8 @@ int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves,
{
size_t pcurveslen = 0;
if (sess) {
- *pcurves = s->session->tlsext_supportedgroupslist;
- pcurveslen = s->session->tlsext_supportedgroupslist_length;
+ *pcurves = s->session->ext.supportedgroups;
+ pcurveslen = s->session->ext.supportedgroups_len;
} else {
/* For Suite B mode only include P-256, P-384 */
switch (tls1_suiteb(s)) {
@@ -285,8 +285,8 @@ int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves,
pcurveslen = 2;
break;
default:
- *pcurves = s->tlsext_supportedgroupslist;
- pcurveslen = s->tlsext_supportedgroupslist_length;
+ *pcurves = s->ext.supportedgroups;
+ pcurveslen = s->ext.supportedgroups_len;
}
if (!*pcurves) {
*pcurves = eccurves_default;
@@ -556,9 +556,9 @@ static int tls1_check_ec_key(SSL *s,
* If point formats extension present check it, otherwise everything is
* supported (see RFC4492).
*/
- if (comp_id && s->session->tlsext_ecpointformatlist) {
- pformats = s->session->tlsext_ecpointformatlist;
- num_formats = s->session->tlsext_ecpointformatlist_length;
+ if (comp_id && s->session->ext.ecpointformats) {
+ pformats = s->session->ext.ecpointformats;
+ num_formats = s->session->ext.ecpointformats_len;
for (i = 0; i < num_formats; i++, pformats++) {
if (*comp_id == *pformats)
break;
@@ -601,9 +601,9 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
/*
* If we have a custom point format list use it otherwise use default
*/
- if (s->tlsext_ecpointformatlist) {
- *pformats = s->tlsext_ecpointformatlist;
- *num_formats = s->tlsext_ecpointformatlist_length;
+ if (s->ext.ecpointformats) {
+ *pformats = s->ext.ecpointformats;
+ *num_formats = s->ext.ecpointformats_len;
} else {
*pformats = ecformats_default;
/* For Suite B we don't support char2 fields */
@@ -749,12 +749,12 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
static const unsigned char tls12_sigalgs[] = {
tlsext_sigalg(TLSEXT_hash_sha512)
- tlsext_sigalg(TLSEXT_hash_sha384)
- tlsext_sigalg(TLSEXT_hash_sha256)
- tlsext_sigalg(TLSEXT_hash_sha224)
- tlsext_sigalg(TLSEXT_hash_sha1)
+ tlsext_sigalg(TLSEXT_hash_sha384)
+ tlsext_sigalg(TLSEXT_hash_sha256)
+ tlsext_sigalg(TLSEXT_hash_sha224)
+ tlsext_sigalg(TLSEXT_hash_sha1)
#ifndef OPENSSL_NO_GOST
- TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
+ TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
#endif
@@ -763,9 +763,10 @@ static const unsigned char tls12_sigalgs[] = {
#ifndef OPENSSL_NO_EC
static const unsigned char suiteb_sigalgs[] = {
tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
- tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
+ tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
};
#endif
+
size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
{
/*
@@ -1039,7 +1040,7 @@ RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts, size_t numexts,
*
* If s->tls_session_secret_cb is set then we are expecting a pre-shared key
* ciphersuite, in which case we have no use for session tickets and one will
- * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
+ * never be decrypted, nor will s->ext.ticket_expected be set to 1.
*
* Returns:
* -1: fatal error, either from parsing or decrypting the ticket.
@@ -1051,12 +1052,12 @@ RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts, size_t numexts,
* 3: a ticket was successfully decrypted and *ret was set.
*
* Side effects:
- * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
+ * Sets s->ext.ticket_expected to 1 if the server will have to issue
* a new session ticket to the client because the client indicated support
* (and s->tls_session_secret_cb is NULL) but the client either doesn't have
* a session ticket or we couldn't use the one it gave us, or if
- * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
- * Otherwise, s->tlsext_ticket_expected is set to 0.
+ * s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
+ * Otherwise, s->ext.ticket_expected is set to 0.
*/
int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
SSL_SESSION **ret)
@@ -1066,7 +1067,7 @@ int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
RAW_EXTENSION *ticketext;
*ret = NULL;
- s->tlsext_ticket_expected = 0;
+ s->ext.ticket_expected = 0;
/*
* If tickets disabled or not supported by the protocol version
@@ -1086,10 +1087,10 @@ int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
* The client will accept a ticket but doesn't currently have
* one.
*/
- s->tlsext_ticket_expected = 1;
+ s->ext.ticket_expected = 1;
return 1;
}
- if (s->tls_session_secret_cb) {
+ if (s->ext.session_secret_cb) {
/*
* Indicate that the ticket couldn't be decrypted rather than
* generating the session from ticket now, trigger
@@ -1103,14 +1104,14 @@ int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
hello->session_id, hello->session_id_len, ret);
switch (retv) {
case 2: /* ticket couldn't be decrypted */
- s->tlsext_ticket_expected = 1;
+ s->ext.ticket_expected = 1;
return 2;
case 3: /* ticket was decrypted */
return 3;
case 4: /* ticket decrypted but need to renew */
- s->tlsext_ticket_expected = 1;
+ s->ext.ticket_expected = 1;
return 3;
default: /* fatal error */
@@ -1158,9 +1159,9 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
ret = -2;
goto err;
}
- if (tctx->tlsext_ticket_key_cb) {
+ if (tctx->ext.ticket_key_cb) {
unsigned char *nctick = (unsigned char *)etick;
- int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
+ int rv = tctx->ext.ticket_key_cb(s, nctick, nctick + 16,
ctx, hctx, 0);
if (rv < 0)
goto err;
@@ -1172,17 +1173,17 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
renew_ticket = 1;
} else {
/* Check key name matches */
- if (memcmp(etick, tctx->tlsext_tick_key_name,
- sizeof(tctx->tlsext_tick_key_name)) != 0) {
+ if (memcmp(etick, tctx->ext.tick_key_name,
+ sizeof(tctx->ext.tick_key_name)) != 0) {
ret = 2;
goto err;
}
- if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
- sizeof(tctx->tlsext_tick_hmac_key),
+ if (HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
+ sizeof(tctx->ext.tick_hmac_key),
EVP_sha256(), NULL) <= 0
|| EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
- tctx->tlsext_tick_aes_key,
- etick + sizeof(tctx->tlsext_tick_key_name)) <=
+ tctx->ext.tick_aes_key,
+ etick + sizeof(tctx->ext.tick_key_name)) <=
0) {
goto err;
}
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index bf647f1..9ffd0bf 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -378,16 +378,16 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
parse_protos(extra->server.npn_protocols,
&server_ctx_data->npn_protocols,
&server_ctx_data->npn_protocols_len);
- SSL_CTX_set_next_protos_advertised_cb(server_ctx, server_npn_cb,
- server_ctx_data);
+ SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb,
+ server_ctx_data);
}
if (extra->server2.npn_protocols != NULL) {
parse_protos(extra->server2.npn_protocols,
&server2_ctx_data->npn_protocols,
&server2_ctx_data->npn_protocols_len);
TEST_check(server2_ctx != NULL);
- SSL_CTX_set_next_protos_advertised_cb(server2_ctx, server_npn_cb,
- server2_ctx_data);
+ SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb,
+ server2_ctx_data);
}
if (extra->client.npn_protocols != NULL) {
parse_protos(extra->client.npn_protocols,
diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc
index 4da340b..79edadd 100644
--- a/test/ossl_shim/ossl_shim.cc
+++ b/test/ossl_shim/ossl_shim.cc
@@ -589,7 +589,7 @@ static bssl::UniquePtr<SSL_CTX> SetupCtx(const TestConfig *config) {
SSL_CTX_set_client_cert_cb(ssl_ctx.get(), ClientCertCallback);
}
- SSL_CTX_set_next_protos_advertised_cb(
+ SSL_CTX_set_npn_advertised_cb(
ssl_ctx.get(), NextProtosAdvertisedCallback, NULL);
if (!config->select_next_proto.empty()) {
SSL_CTX_set_next_proto_select_cb(ssl_ctx.get(), NextProtoSelectCallback,
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index c19ab98..1bfa983 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -1662,14 +1662,12 @@ int main(int argc, char *argv[])
"Can't have both -npn_server and -npn_server_reject\n");
goto end;
}
- SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
- SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL);
}
if (npn_server_reject) {
- SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn,
- NULL);
- SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn,
- NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL);
}
#endif
More information about the openssl-commits
mailing list