From f2d3718ea44863f6fb36a8a2cb4dd5438db669bc Mon Sep 17 00:00:00 2001 From: wbeck10 Date: Wed, 11 Oct 2023 22:16:17 +0000 Subject: [PATCH] Add SSL_CTX_dup API --- doc/man3/SSL_CTX_new.pod | 7 +- include/openssl/ssl.h.in | 2 + include/openssl/types.h | 1 + ssl/d1_lib.c | 8 +- ssl/d1_msg.c | 4 +- ssl/d1_srtp.c | 2 +- ssl/quic/quic_impl.c | 10 +- ssl/quic/quic_local.h | 2 +- ssl/quic/quic_tls.c | 2 +- ssl/record/rec_layer_d1.c | 4 +- ssl/record/rec_layer_s3.c | 6 +- ssl/s3_lib.c | 120 +++--- ssl/s3_msg.c | 4 +- ssl/ssl_cert.c | 34 +- ssl/ssl_ciph.c | 10 +- ssl/ssl_conf.c | 18 +- ssl/ssl_lib.c | 728 ++++++++++++++++++++++------------- ssl/ssl_local.h | 131 ++++--- ssl/ssl_mcnf.c | 2 +- ssl/ssl_rsa.c | 28 +- ssl/ssl_sess.c | 60 +-- ssl/statem/extensions.c | 12 +- ssl/statem/extensions_clnt.c | 8 +- ssl/statem/extensions_cust.c | 4 +- ssl/statem/extensions_srvr.c | 22 +- ssl/statem/statem.c | 4 +- ssl/statem/statem_clnt.c | 14 +- ssl/statem/statem_lib.c | 14 +- ssl/statem/statem_srvr.c | 54 +-- ssl/t1_lib.c | 44 +-- ssl/tls_depr.c | 4 +- test/sslapitest.c | 50 +++ util/libssl.num | 1 + 33 files changed, 837 insertions(+), 577 deletions(-) diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod index f467f93659b575..bd24b53cd90d4c 100644 --- a/doc/man3/SSL_CTX_new.pod +++ b/doc/man3/SSL_CTX_new.pod @@ -3,7 +3,7 @@ =head1 NAME TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method, -SSL_CTX_new, SSL_CTX_new_ex, SSL_CTX_up_ref, SSLv3_method, +SSL_CTX_new, SSL_CTX_new_ex, SSL_CTX_dup, SSL_CTX_up_ref, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, @@ -21,6 +21,8 @@ functions SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, const SSL_METHOD *method); SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); + SSL_CTX *SSL_CTX_dup(OSSL_LIB_CTX *libctx, SSL_CTX *source, + const char *propq, const SSL_METHOD *meth); int SSL_CTX_up_ref(SSL_CTX *ctx); const SSL_METHOD *TLS_method(void); @@ -88,6 +90,9 @@ parameters may be NULL. SSL_CTX_new() does the same as SSL_CTX_new_ex() except that the default library context is used and no property query string is specified. +SSL_CTX_dup() creates a new SSL_CTX object and uses the current configuration from +an existing SSL_CTX. + An B object is reference counted. Creating an B object for the first time increments the reference count. Freeing the B (using SSL_CTX_free) decrements it. When the reference count drops to zero, any memory diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 59b587e657e67e..0e511db46193c2 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -1560,6 +1560,8 @@ __owur int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); __owur SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, const SSL_METHOD *meth); +__owur SSL_CTX *SSL_CTX_dup(OSSL_LIB_CTX *libctx, SSL_CTX *source, + const char *propq, const SSL_METHOD *meth); int SSL_CTX_up_ref(SSL_CTX *ctx); void SSL_CTX_free(SSL_CTX *); __owur long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); diff --git a/include/openssl/types.h b/include/openssl/types.h index c28028681fcefa..b89b0b3c7faa09 100644 --- a/include/openssl/types.h +++ b/include/openssl/types.h @@ -186,6 +186,7 @@ typedef struct ui_method_st UI_METHOD; typedef struct engine_st ENGINE; typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; +typedef struct ssl_ctx_cnf_st SSL_CTX_CNF; typedef struct comp_ctx_st COMP_CTX; typedef struct comp_method_st COMP_METHOD; diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index be4ff02a897cd0..36199352369511 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -618,13 +618,13 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) /* * We have a cookie, so lets check it. */ - if (ssl->ctx->app_verify_cookie_cb == NULL) { + if (ssl->ctx->cnf->app_verify_cookie_cb == NULL) { ERR_raise(ERR_LIB_SSL, SSL_R_NO_VERIFY_COOKIE_CALLBACK); /* This is fatal */ ret = -1; goto end; } - if (ssl->ctx->app_verify_cookie_cb(ssl, PACKET_data(&cookiepkt), + if (ssl->ctx->cnf->app_verify_cookie_cb(ssl, PACKET_data(&cookiepkt), (unsigned int)PACKET_remaining(&cookiepkt)) == 0) { /* * We treat invalid cookies in the same was as no cookie as @@ -649,8 +649,8 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) */ /* Generate the cookie */ - if (ssl->ctx->app_gen_cookie_cb == NULL || - ssl->ctx->app_gen_cookie_cb(ssl, cookie, &cookielen) == 0 || + if (ssl->ctx->cnf->app_gen_cookie_cb == NULL || + ssl->ctx->cnf->app_gen_cookie_cb(ssl, cookie, &cookielen) == 0 || cookielen > 255) { ERR_raise(ERR_LIB_SSL, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); /* This is fatal */ diff --git a/ssl/d1_msg.c b/ssl/d1_msg.c index b1e1fad16d9e47..38952e6b9521ac 100644 --- a/ssl/d1_msg.c +++ b/ssl/d1_msg.c @@ -67,8 +67,8 @@ int dtls1_dispatch_alert(SSL *ssl) if (s->info_callback != NULL) cb = s->info_callback; - else if (ssl->ctx->info_callback != NULL) - cb = ssl->ctx->info_callback; + else if (ssl->ctx->cnf->info_callback != NULL) + cb = ssl->ctx->cnf->info_callback; if (cb != NULL) { j = (s->s3.send_alert[0] << 8) | s->s3.send_alert[1]; diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index 5ca135d9703700..c7095b9934d8b3 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c @@ -140,7 +140,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string, int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) { - if (IS_QUIC_METHOD(ctx->method)) + if (IS_QUIC_METHOD(ctx->cnf->method)) return 1; return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles); diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 86020a450a99db..f0191ca92c08c5 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -387,7 +387,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx) /* Initialise the QUIC_CONNECTION's stub header. */ ssl_base = &qc->ssl; - if (!ossl_ssl_init(ssl_base, ctx, ctx->method, SSL_TYPE_QUIC_CONNECTION)) { + if (!ossl_ssl_init(ssl_base, ctx, ctx->cnf->method, SSL_TYPE_QUIC_CONNECTION)) { ssl_base = NULL; QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); goto err; @@ -422,8 +422,8 @@ SSL *ossl_quic_new(SSL_CTX *ctx) qc->as_server_state = qc->as_server; qc->default_stream_mode = SSL_DEFAULT_STREAM_MODE_AUTO_BIDI; - qc->default_ssl_mode = qc->ssl.ctx->mode; - qc->default_ssl_options = qc->ssl.ctx->options & OSSL_QUIC_PERMITTED_OPTIONS; + qc->default_ssl_mode = qc->ssl.ctx->cnf->mode; + qc->default_ssl_options = qc->ssl.ctx->cnf->options & OSSL_QUIC_PERMITTED_OPTIONS; qc->desires_blocking = 1; qc->blocking = 0; qc->incoming_stream_policy = SSL_INCOMING_STREAM_POLICY_AUTO; @@ -432,8 +432,8 @@ SSL *ossl_quic_new(SSL_CTX *ctx) if (!create_channel(qc)) goto err; - ossl_quic_channel_set_msg_callback(qc->ch, ctx->msg_callback, ssl_base); - ossl_quic_channel_set_msg_callback_arg(qc->ch, ctx->msg_callback_arg); + ossl_quic_channel_set_msg_callback(qc->ch, ctx->cnf->msg_callback, ssl_base); + ossl_quic_channel_set_msg_callback_arg(qc->ch, ctx->cnf->msg_callback_arg); qc_update_reject_policy(qc); diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h index 928ae4c6bf3f90..e5ae7a6cf1f415 100644 --- a/ssl/quic/quic_local.h +++ b/ssl/quic/quic_local.h @@ -246,7 +246,7 @@ int ossl_quic_trace(int write_p, int version, int content_type, # define IS_QUIC_METHOD(m) \ ((m) == OSSL_QUIC_client_method() || \ (m) == OSSL_QUIC_client_thread_method()) -# define IS_QUIC_CTX(ctx) IS_QUIC_METHOD((ctx)->method) +# define IS_QUIC_CTX(ctx) IS_QUIC_METHOD((ctx)->cnf->method) # define QUIC_CONNECTION_FROM_SSL_int(ssl, c) \ ((ssl) == NULL ? NULL \ diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c index a1bcedbfb07164..6df34b9fc16801 100644 --- a/ssl/quic/quic_tls.c +++ b/ssl/quic/quic_tls.c @@ -739,7 +739,7 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls) /* ALPN is a requirement for QUIC and must be set */ if (qtls->args.is_server) { - if (sctx->ext.alpn_select_cb == NULL) + if (sctx->cnf->ext.alpn_select_cb == NULL) return RAISE_INTERNAL_ERROR(qtls); } else { if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 87b588b84bed9d..915b5e35d45e8d 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -397,8 +397,8 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type, if (sc->info_callback != NULL) cb = sc->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->cnf->info_callback != NULL) + cb = s->ctx->cnf->info_callback; if (cb != NULL) { j = (alert_level << 8) | alert_descr; diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 260d163a50d932..0be31ec35780f1 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -156,7 +156,7 @@ size_t ssl3_pending(const SSL *s) void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) { - ctx->default_read_buf_len = len; + ctx->cnf->default_read_buf_len = len; } void SSL_set_default_read_buffer_len(SSL *s, size_t len) @@ -820,8 +820,8 @@ int ssl3_read_bytes(SSL *ssl, uint8_t type, uint8_t *recvd_type, if (s->info_callback != NULL) cb = s->info_callback; - else if (ssl->ctx->info_callback != NULL) - cb = ssl->ctx->info_callback; + else if (ssl->ctx->cnf->info_callback != NULL) + cb = ssl->ctx->cnf->info_callback; if (cb != NULL) { j = (alert_level << 8) | alert_descr; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 1f778c34234731..752780ee5a1ac9 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3841,7 +3841,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) } #endif case SSL_CTRL_SET_DH_AUTO: - ctx->cert->dh_tmp_auto = larg; + ctx->cnf->cert->dh_tmp_auto = larg; return 1; #if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: @@ -3850,21 +3850,21 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - return ssl_set_tmp_ecdh_groups(&ctx->ext.supportedgroups, - &ctx->ext.supportedgroups_len, + return ssl_set_tmp_ecdh_groups(&ctx->cnf->ext.supportedgroups, + &ctx->cnf->ext.supportedgroups_len, parg); } #endif /* !OPENSSL_NO_DEPRECATED_3_0 */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: - ctx->ext.servername_arg = parg; + ctx->cnf->ext.servername_arg = parg; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: { unsigned char *keys = parg; - long tick_keylen = (sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.secure->tick_hmac_key) + - sizeof(ctx->ext.secure->tick_aes_key)); + long tick_keylen = (sizeof(ctx->cnf->ext.tick_key_name) + + sizeof(ctx->cnf->ext.secure->tick_hmac_key) + + sizeof(ctx->cnf->ext.secure->tick_aes_key)); if (keys == NULL) return tick_keylen; if (larg != tick_keylen) { @@ -3872,46 +3872,46 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return 0; } if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { - memcpy(ctx->ext.tick_key_name, keys, - sizeof(ctx->ext.tick_key_name)); - memcpy(ctx->ext.secure->tick_hmac_key, - keys + sizeof(ctx->ext.tick_key_name), - sizeof(ctx->ext.secure->tick_hmac_key)); - memcpy(ctx->ext.secure->tick_aes_key, - keys + sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.secure->tick_hmac_key), - sizeof(ctx->ext.secure->tick_aes_key)); + memcpy(ctx->cnf->ext.tick_key_name, keys, + sizeof(ctx->cnf->ext.tick_key_name)); + memcpy(ctx->cnf->ext.secure->tick_hmac_key, + keys + sizeof(ctx->cnf->ext.tick_key_name), + sizeof(ctx->cnf->ext.secure->tick_hmac_key)); + memcpy(ctx->cnf->ext.secure->tick_aes_key, + keys + sizeof(ctx->cnf->ext.tick_key_name) + + sizeof(ctx->cnf->ext.secure->tick_hmac_key), + sizeof(ctx->cnf->ext.secure->tick_aes_key)); } else { - memcpy(keys, ctx->ext.tick_key_name, - sizeof(ctx->ext.tick_key_name)); - memcpy(keys + sizeof(ctx->ext.tick_key_name), - ctx->ext.secure->tick_hmac_key, - sizeof(ctx->ext.secure->tick_hmac_key)); - memcpy(keys + sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.secure->tick_hmac_key), - ctx->ext.secure->tick_aes_key, - sizeof(ctx->ext.secure->tick_aes_key)); + memcpy(keys, ctx->cnf->ext.tick_key_name, + sizeof(ctx->cnf->ext.tick_key_name)); + memcpy(keys + sizeof(ctx->cnf->ext.tick_key_name), + ctx->cnf->ext.secure->tick_hmac_key, + sizeof(ctx->cnf->ext.secure->tick_hmac_key)); + memcpy(keys + sizeof(ctx->cnf->ext.tick_key_name) + + sizeof(ctx->cnf->ext.secure->tick_hmac_key), + ctx->cnf->ext.secure->tick_aes_key, + sizeof(ctx->cnf->ext.secure->tick_aes_key)); } return 1; } case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: - return ctx->ext.status_type; + return ctx->cnf->ext.status_type; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: - ctx->ext.status_type = larg; + ctx->cnf->ext.status_type = larg; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: - ctx->ext.status_arg = parg; + ctx->cnf->ext.status_arg = parg; return 1; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: - *(void**)parg = ctx->ext.status_arg; + *(void**)parg = ctx->cnf->ext.status_arg; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: - *(int (**)(SSL*, void*))parg = ctx->ext.status_cb; + *(int (**)(SSL*, void*))parg = ctx->cnf->ext.status_cb; break; #ifndef OPENSSL_NO_SRP @@ -3951,69 +3951,69 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) #endif case SSL_CTRL_SET_GROUPS: - return tls1_set_groups(&ctx->ext.supportedgroups, - &ctx->ext.supportedgroups_len, + return tls1_set_groups(&ctx->cnf->ext.supportedgroups, + &ctx->cnf->ext.supportedgroups_len, parg, larg); case SSL_CTRL_SET_GROUPS_LIST: - return tls1_set_groups_list(ctx, &ctx->ext.supportedgroups, - &ctx->ext.supportedgroups_len, + return tls1_set_groups_list(ctx, &ctx->cnf->ext.supportedgroups, + &ctx->cnf->ext.supportedgroups_len, parg); case SSL_CTRL_SET_SIGALGS: - return tls1_set_sigalgs(ctx->cert, parg, larg, 0); + return tls1_set_sigalgs(ctx->cnf->cert, parg, larg, 0); case SSL_CTRL_SET_SIGALGS_LIST: - return tls1_set_sigalgs_list(ctx->cert, parg, 0); + return tls1_set_sigalgs_list(ctx->cnf->cert, parg, 0); case SSL_CTRL_SET_CLIENT_SIGALGS: - return tls1_set_sigalgs(ctx->cert, parg, larg, 1); + return tls1_set_sigalgs(ctx->cnf->cert, parg, larg, 1); case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: - return tls1_set_sigalgs_list(ctx->cert, parg, 1); + return tls1_set_sigalgs_list(ctx->cnf->cert, parg, 1); case SSL_CTRL_SET_CLIENT_CERT_TYPES: - return ssl3_set_req_cert_type(ctx->cert, parg, larg); + return ssl3_set_req_cert_type(ctx->cnf->cert, parg, larg); case SSL_CTRL_BUILD_CERT_CHAIN: return ssl_build_cert_chain(NULL, ctx, larg); case SSL_CTRL_SET_VERIFY_CERT_STORE: - return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg); + return ssl_cert_set_cert_store(ctx->cnf->cert, parg, 0, larg); case SSL_CTRL_SET_CHAIN_CERT_STORE: - return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg); + return ssl_cert_set_cert_store(ctx->cnf->cert, parg, 1, larg); case SSL_CTRL_GET_VERIFY_CERT_STORE: - return ssl_cert_get_cert_store(ctx->cert, parg, 0); + return ssl_cert_get_cert_store(ctx->cnf->cert, parg, 0); case SSL_CTRL_GET_CHAIN_CERT_STORE: - return ssl_cert_get_cert_store(ctx->cert, parg, 1); + return ssl_cert_get_cert_store(ctx->cnf->cert, parg, 1); /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: - if (ctx->extra_certs == NULL) { - if ((ctx->extra_certs = sk_X509_new_null()) == NULL) { + if (ctx->cnf->extra_certs == NULL) { + if ((ctx->cnf->extra_certs = sk_X509_new_null()) == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); return 0; } } - if (!sk_X509_push(ctx->extra_certs, (X509 *)parg)) { + if (!sk_X509_push(ctx->cnf->extra_certs, (X509 *)parg)) { ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); return 0; } break; case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: - if (ctx->extra_certs == NULL && larg == 0) - *(STACK_OF(X509) **)parg = ctx->cert->key->chain; + if (ctx->cnf->extra_certs == NULL && larg == 0) + *(STACK_OF(X509) **)parg = ctx->cnf->cert->key->chain; else - *(STACK_OF(X509) **)parg = ctx->extra_certs; + *(STACK_OF(X509) **)parg = ctx->cnf->extra_certs; break; case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: - OSSL_STACK_OF_X509_free(ctx->extra_certs); - ctx->extra_certs = NULL; + OSSL_STACK_OF_X509_free(ctx->cnf->extra_certs); + ctx->cnf->extra_certs = NULL; break; case SSL_CTRL_CHAIN: @@ -4029,14 +4029,14 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return ssl_cert_add0_chain_cert(NULL, ctx, (X509 *)parg); case SSL_CTRL_GET_CHAIN_CERTS: - *(STACK_OF(X509) **)parg = ctx->cert->key->chain; + *(STACK_OF(X509) **)parg = ctx->cnf->cert->key->chain; break; case SSL_CTRL_SELECT_CURRENT_CERT: - return ssl_cert_select_current(ctx->cert, (X509 *)parg); + return ssl_cert_select_current(ctx->cnf->cert, (X509 *)parg); case SSL_CTRL_SET_CURRENT_CERT: - return ssl_cert_set_current(ctx->cert, larg); + return ssl_cert_set_current(ctx->cnf->cert, larg); default: return 0; @@ -4050,21 +4050,21 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) #if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { - ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; + ctx->cnf->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; #endif case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: - ctx->ext.servername_cb = (int (*)(SSL *, int *, void *))fp; + ctx->cnf->ext.servername_cb = (int (*)(SSL *, int *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: - ctx->ext.status_cb = (int (*)(SSL *, void *))fp; + ctx->cnf->ext.status_cb = (int (*)(SSL *, void *))fp; break; # ifndef OPENSSL_NO_DEPRECATED_3_0 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: - ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *, + ctx->cnf->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; @@ -4089,7 +4089,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) #endif case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: { - ctx->not_resumable_session_cb = (int (*)(SSL *, int))fp; + ctx->cnf->not_resumable_session_cb = (int (*)(SSL *, int))fp; } break; default: @@ -4102,7 +4102,7 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb (SSL_CTX *ctx, int (*fp)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, EVP_MAC_CTX *, int)) { - ctx->ext.ticket_key_evp_cb = fp; + ctx->cnf->ext.ticket_key_evp_cb = fp; return 1; } diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c index 3fcea15e279e4c..57385b4f3d7178 100644 --- a/ssl/s3_msg.c +++ b/ssl/s3_msg.c @@ -147,8 +147,8 @@ int ssl3_dispatch_alert(SSL *s) if (sc->info_callback != NULL) cb = sc->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; + else if (s->ctx->cnf->info_callback != NULL) + cb = s->ctx->cnf->info_callback; if (cb != NULL) { j = (sc->s3.send_alert[0] << 8) | sc->s3.send_alert[1]; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 126be668fdd96f..e1bfc9b8d13ba0 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -292,7 +292,7 @@ void ssl_cert_free(CERT *c) int ssl_cert_set0_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain) { int i, r; - CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key; + CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cnf->cert->key; if (!cpk) return 0; @@ -329,7 +329,7 @@ int ssl_cert_set1_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain) int ssl_cert_add0_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x) { int r; - CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; + CERT_PKEY *cpk = s ? s->cert->key : ctx->cnf->cert->key; if (!cpk) return 0; @@ -435,7 +435,7 @@ static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY * if (s->cert->verify_store) verify_store = s->cert->verify_store; else - verify_store = sctx->cert_store; + verify_store = sctx->cnf->cert_store; ctx = X509_STORE_CTX_new_ex(sctx->libctx, sctx->propq); if (ctx == NULL) { @@ -490,8 +490,8 @@ static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY * if (s->verify_callback) X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback); - if (sctx->app_verify_callback != NULL) { - i = sctx->app_verify_callback(ctx, sctx->app_verify_arg); + if (sctx->cnf->app_verify_callback != NULL) { + i = sctx->cnf->app_verify_callback(ctx, sctx->cnf->app_verify_arg); } else { i = X509_verify_cert(ctx); /* We treat an error in the same way as a failure to verify */ @@ -586,12 +586,12 @@ void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) { - set0_CA_list(&ctx->ca_names, name_list); + set0_CA_list(&ctx->cnf->ca_names, name_list); } const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx) { - return ctx->ca_names; + return ctx->cnf->ca_names; } const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s) @@ -601,17 +601,17 @@ const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s) if (sc == NULL) return NULL; - return sc->ca_names != NULL ? sc->ca_names : s->ctx->ca_names; + return sc->ca_names != NULL ? sc->ca_names : s->ctx->cnf->ca_names; } void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) { - set0_CA_list(&ctx->client_ca_names, name_list); + set0_CA_list(&ctx->cnf->client_ca_names, name_list); } STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { - return ctx->client_ca_names; + return ctx->cnf->client_ca_names; } void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) @@ -644,7 +644,7 @@ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) if (!sc->server) return sc->s3.tmp.peer_ca_names; return sc->client_ca_names != NULL ? sc->client_ca_names - : s->ctx->client_ca_names; + : s->ctx->cnf->client_ca_names; } static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x) @@ -678,7 +678,7 @@ int SSL_add1_to_CA_list(SSL *ssl, const X509 *x) int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x) { - return add_ca_name(&ctx->ca_names, x); + return add_ca_name(&ctx->cnf->ca_names, x); } /* @@ -697,7 +697,7 @@ int SSL_add_client_CA(SSL *ssl, X509 *x) int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) { - return add_ca_name(&ctx->client_ca_names, x); + return add_ca_name(&ctx->cnf->client_ca_names, x); } static int xname_cmp(const X509_NAME *a, const X509_NAME *b) @@ -987,7 +987,7 @@ int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, /* Build a certificate chain for current certificate */ int ssl_build_cert_chain(SSL_CONNECTION *s, SSL_CTX *ctx, int flags) { - CERT *c = s != NULL ? s->cert : ctx->cert; + CERT *c = s != NULL ? s->cert : ctx->cnf->cert; CERT_PKEY *cpk = c->key; X509_STORE *chain_store = NULL; X509_STORE_CTX *xs_ctx = NULL; @@ -1017,7 +1017,7 @@ int ssl_build_cert_chain(SSL_CONNECTION *s, SSL_CTX *ctx, int flags) if (c->chain_store != NULL) chain_store = c->chain_store; else - chain_store = real_ctx->cert_store; + chain_store = real_ctx->cnf->cert_store; if (flags & SSL_BUILD_CHAIN_FLAG_UNTRUSTED) untrusted = cpk->chain; @@ -1217,8 +1217,8 @@ int ssl_security(const SSL_CONNECTION *s, int op, int bits, int nid, void *other int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other) { - return ctx->cert->sec_cb(NULL, ctx, op, bits, nid, other, - ctx->cert->sec_ex); + return ctx->cnf->cert->sec_cb(NULL, ctx, op, bits, nid, other, + ctx->cnf->cert->sec_ex); } int ssl_cert_lookup_by_nid(int nid, size_t *pidx, SSL_CTX *ctx) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 35949f2dcc3c87..30de75a824337c 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1422,11 +1422,11 @@ static int update_cipher_list(SSL_CTX *ctx, int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) { - int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); + int ret = set_ciphersuites(&(ctx->cnf->tls13_ciphersuites), str); - if (ret && ctx->cipher_list != NULL) - return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id, - ctx->tls13_ciphersuites); + if (ret && ctx->cnf->cipher_list != NULL) + return update_cipher_list(ctx, &ctx->cnf->cipher_list, &ctx->cnf->cipher_list_by_id, + ctx->cnf->tls13_ciphersuites); return ret; } @@ -1467,7 +1467,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; - const SSL_METHOD *ssl_method = ctx->method; + const SSL_METHOD *ssl_method = ctx->cnf->method; /* * Return with error if nothing to do. diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 3142370016846e..9b6a4548b36361 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -335,7 +335,7 @@ static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound) int new_version; if (cctx->ctx != NULL) - method_version = cctx->ctx->method->version; + method_version = cctx->ctx->cnf->method->version; else if (cctx->ssl != NULL) method_version = cctx->ssl->defltmeth->version; else @@ -437,7 +437,7 @@ static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) CERT *c = NULL; if (cctx->ctx != NULL) { rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); - c = cctx->ctx->cert; + c = cctx->ctx->cnf->cert; } if (cctx->ssl != NULL) { SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); @@ -492,7 +492,7 @@ static int do_store(SSL_CONF_CTX *cctx, const char *propq = NULL; if (cctx->ctx != NULL) { - cert = cctx->ctx->cert; + cert = cctx->ctx->cnf->cert; ctx = cctx->ctx; } else if (cctx->ssl != NULL) { SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); @@ -1003,7 +1003,7 @@ int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) CERT *c = NULL; if (cctx->ctx != NULL) { - c = cctx->ctx->cert; + c = cctx->ctx->cnf->cert; } else if (cctx->ssl != NULL) { SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); @@ -1103,11 +1103,11 @@ void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) cctx->ctx = ctx; cctx->ssl = NULL; if (ctx) { - cctx->poptions = &ctx->options; - cctx->min_version = &ctx->min_proto_version; - cctx->max_version = &ctx->max_proto_version; - cctx->pcert_flags = &ctx->cert->cert_flags; - cctx->pvfy_flags = &ctx->verify_mode; + cctx->poptions = &ctx->cnf->options; + cctx->min_version = &ctx->cnf->min_proto_version; + cctx->max_version = &ctx->cnf->max_proto_version; + cctx->pcert_flags = &ctx->cnf->cert->cert_flags; + cctx->pvfy_flags = &ctx->cnf->verify_mode; } else { cctx->poptions = NULL; cctx->min_version = NULL; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f15fe126a22f54..0868baca7ebbec 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -675,17 +675,17 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) return 0; } - ctx->method = meth; + ctx->cnf->method = meth; if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; } sk = ssl_create_cipher_list(ctx, - ctx->tls13_ciphersuites, - &(ctx->cipher_list), - &(ctx->cipher_list_by_id), - OSSL_default_cipher_list(), ctx->cert); + ctx->cnf->tls13_ciphersuites, + &(ctx->cnf->cipher_list), + &(ctx->cnf->cipher_list_by_id), + OSSL_default_cipher_list(), ctx->cnf->cert); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; @@ -700,11 +700,11 @@ SSL *SSL_new(SSL_CTX *ctx) ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_CTX); return NULL; } - if (ctx->method == NULL) { + if (ctx->cnf->method == NULL) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); return NULL; } - return ctx->method->ssl_new(ctx); + return ctx->cnf->method->ssl_new(ctx); } int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method, int type) @@ -754,24 +754,24 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method) RECORD_LAYER_init(&s->rlayer, s); - s->options = ctx->options; + s->options = ctx->cnf->options; s->dane.flags = ctx->dane.flags; - if (method->version == ctx->method->version) { - s->min_proto_version = ctx->min_proto_version; - s->max_proto_version = ctx->max_proto_version; + if (method->version == ctx->cnf->method->version) { + s->min_proto_version = ctx->cnf->min_proto_version; + s->max_proto_version = ctx->cnf->max_proto_version; } - s->mode = ctx->mode; - s->max_cert_list = ctx->max_cert_list; - s->max_early_data = ctx->max_early_data; - s->recv_max_early_data = ctx->recv_max_early_data; + s->mode = ctx->cnf->mode; + s->max_cert_list = ctx->cnf->max_cert_list; + s->max_early_data = ctx->cnf->max_early_data; + s->recv_max_early_data = ctx->cnf->recv_max_early_data; - s->num_tickets = ctx->num_tickets; - s->pha_enabled = ctx->pha_enabled; + s->num_tickets = ctx->cnf->num_tickets; + s->pha_enabled = ctx->cnf->pha_enabled; /* Shallow copy of the ciphersuites stack */ - s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); + s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->cnf->tls13_ciphersuites); if (s->tls13_ciphersuites == NULL) goto cerr; @@ -784,43 +784,43 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method) * used to be known as s->ctx->default_cert). Now we don't look at the * SSL_CTX's CERT after having duplicated it once. */ - s->cert = ssl_cert_dup(ctx->cert); + s->cert = ssl_cert_dup(ctx->cnf->cert); if (s->cert == NULL) goto sslerr; - RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead); - s->msg_callback = ctx->msg_callback; - s->msg_callback_arg = ctx->msg_callback_arg; - s->verify_mode = ctx->verify_mode; - s->not_resumable_session_cb = ctx->not_resumable_session_cb; - s->rlayer.record_padding_cb = ctx->record_padding_cb; - s->rlayer.record_padding_arg = ctx->record_padding_arg; - s->rlayer.block_padding = ctx->block_padding; - s->sid_ctx_length = ctx->sid_ctx_length; + RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->cnf->read_ahead); + s->msg_callback = ctx->cnf->msg_callback; + s->msg_callback_arg = ctx->cnf->msg_callback_arg; + s->verify_mode = ctx->cnf->verify_mode; + s->not_resumable_session_cb = ctx->cnf->not_resumable_session_cb; + s->rlayer.record_padding_cb = ctx->cnf->record_padding_cb; + s->rlayer.record_padding_arg = ctx->cnf->record_padding_arg; + s->rlayer.block_padding = ctx->cnf->block_padding; + s->sid_ctx_length = ctx->cnf->sid_ctx_length; if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx))) goto err; - memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); - s->verify_callback = ctx->default_verify_callback; - s->generate_session_id = ctx->generate_session_id; + memcpy(&s->sid_ctx, &ctx->cnf->sid_ctx, sizeof(s->sid_ctx)); + s->verify_callback = ctx->cnf->default_verify_callback; + s->generate_session_id = ctx->cnf->generate_session_id; s->param = X509_VERIFY_PARAM_new(); if (s->param == NULL) goto asn1err; - X509_VERIFY_PARAM_inherit(s->param, ctx->param); - s->quiet_shutdown = IS_QUIC_CTX(ctx) ? 0 : ctx->quiet_shutdown; + X509_VERIFY_PARAM_inherit(s->param, ctx->cnf->param); + s->quiet_shutdown = IS_QUIC_CTX(ctx) ? 0 : ctx->cnf->quiet_shutdown; if (!IS_QUIC_CTX(ctx)) - s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode; + s->ext.max_fragment_len_mode = ctx->cnf->ext.max_fragment_len_mode; - s->max_send_fragment = ctx->max_send_fragment; - s->split_send_fragment = ctx->split_send_fragment; - s->max_pipelines = ctx->max_pipelines; - s->rlayer.default_read_buf_len = ctx->default_read_buf_len; + s->max_send_fragment = ctx->cnf->max_send_fragment; + s->split_send_fragment = ctx->cnf->split_send_fragment; + s->max_pipelines = ctx->cnf->max_pipelines; + s->rlayer.default_read_buf_len = ctx->cnf->default_read_buf_len; s->ext.debug_cb = 0; s->ext.debug_arg = NULL; s->ext.ticket_expected = 0; - s->ext.status_type = ctx->ext.status_type; + s->ext.status_type = ctx->cnf->ext.status_type; s->ext.status_expected = 0; s->ext.ocsp.ids = NULL; s->ext.ocsp.exts = NULL; @@ -828,54 +828,54 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method) s->ext.ocsp.resp_len = 0; SSL_CTX_up_ref(ctx); s->session_ctx = ctx; - if (ctx->ext.ecpointformats) { + if (ctx->cnf->ext.ecpointformats) { s->ext.ecpointformats = - OPENSSL_memdup(ctx->ext.ecpointformats, - ctx->ext.ecpointformats_len); + OPENSSL_memdup(ctx->cnf->ext.ecpointformats, + ctx->cnf->ext.ecpointformats_len); if (!s->ext.ecpointformats) { s->ext.ecpointformats_len = 0; goto err; } s->ext.ecpointformats_len = - ctx->ext.ecpointformats_len; + ctx->cnf->ext.ecpointformats_len; } - if (ctx->ext.supportedgroups) { + if (ctx->cnf->ext.supportedgroups) { s->ext.supportedgroups = - OPENSSL_memdup(ctx->ext.supportedgroups, - ctx->ext.supportedgroups_len - * sizeof(*ctx->ext.supportedgroups)); + OPENSSL_memdup(ctx->cnf->ext.supportedgroups, + ctx->cnf->ext.supportedgroups_len + * sizeof(*ctx->cnf->ext.supportedgroups)); if (!s->ext.supportedgroups) { s->ext.supportedgroups_len = 0; goto err; } - s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; + s->ext.supportedgroups_len = ctx->cnf->ext.supportedgroups_len; } #ifndef OPENSSL_NO_NEXTPROTONEG s->ext.npn = NULL; #endif - if (ctx->ext.alpn != NULL) { - s->ext.alpn = OPENSSL_malloc(ctx->ext.alpn_len); + if (ctx->cnf->ext.alpn != NULL) { + s->ext.alpn = OPENSSL_malloc(ctx->cnf->ext.alpn_len); if (s->ext.alpn == NULL) { s->ext.alpn_len = 0; goto err; } - memcpy(s->ext.alpn, ctx->ext.alpn, ctx->ext.alpn_len); - s->ext.alpn_len = ctx->ext.alpn_len; + memcpy(s->ext.alpn, ctx->cnf->ext.alpn, ctx->cnf->ext.alpn_len); + s->ext.alpn_len = ctx->cnf->ext.alpn_len; } s->verified_chain = NULL; s->verify_result = X509_V_OK; - s->default_passwd_callback = ctx->default_passwd_callback; - s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata; + s->default_passwd_callback = ctx->cnf->default_passwd_callback; + s->default_passwd_callback_userdata = ctx->cnf->default_passwd_callback_userdata; s->key_update = SSL_KEY_UPDATE_NONE; if (!IS_QUIC_CTX(ctx)) { - s->allow_early_data_cb = ctx->allow_early_data_cb; - s->allow_early_data_cb_data = ctx->allow_early_data_cb_data; + s->allow_early_data_cb = ctx->cnf->allow_early_data_cb; + s->allow_early_data_cb_data = ctx->cnf->allow_early_data_cb_data; } if (!method->ssl_init(ssl)) @@ -887,14 +887,14 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method) goto sslerr; #ifndef OPENSSL_NO_PSK - s->psk_client_callback = ctx->psk_client_callback; - s->psk_server_callback = ctx->psk_server_callback; + s->psk_client_callback = ctx->cnf->psk_client_callback; + s->psk_server_callback = ctx->cnf->psk_server_callback; #endif - s->psk_find_session_cb = ctx->psk_find_session_cb; - s->psk_use_session_cb = ctx->psk_use_session_cb; + s->psk_find_session_cb = ctx->cnf->psk_find_session_cb; + s->psk_use_session_cb = ctx->cnf->psk_use_session_cb; - s->async_cb = ctx->async_cb; - s->async_cb_arg = ctx->async_cb_arg; + s->async_cb = ctx->cnf->async_cb; + s->async_cb_arg = ctx->cnf->async_cb_arg; s->job = NULL; @@ -917,8 +917,8 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method) } #ifndef OPENSSL_NO_CT - if (!SSL_set_ct_validation_callback(ssl, ctx->ct_validation_callback, - ctx->ct_validation_callback_arg)) + if (!SSL_set_ct_validation_callback(ssl, ctx->cnf->ct_validation_callback, + ctx->cnf->ct_validation_callback_arg)) goto sslerr; #endif @@ -939,7 +939,7 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method) SSL *ossl_ssl_connection_new(SSL_CTX *ctx) { - return ossl_ssl_connection_new_int(ctx, ctx->method); + return ossl_ssl_connection_new_int(ctx, ctx->cnf->method); } int SSL_is_dtls(const SSL *s) @@ -1000,8 +1000,8 @@ int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; } - ctx->sid_ctx_length = sid_ctx_len; - memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); + ctx->cnf->sid_ctx_length = sid_ctx_len; + memcpy(ctx->cnf->sid_ctx, sid_ctx, sid_ctx_len); return 1; } @@ -1028,7 +1028,7 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) { if (!CRYPTO_THREAD_write_lock(ctx->lock)) return 0; - ctx->generate_session_id = cb; + ctx->cnf->generate_session_id = cb; CRYPTO_THREAD_unlock(ctx->lock); return 1; } @@ -1073,7 +1073,7 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) { - return X509_VERIFY_PARAM_set_purpose(s->param, purpose); + return X509_VERIFY_PARAM_set_purpose(s->cnf->param, purpose); } int SSL_set_purpose(SSL *s, int purpose) @@ -1088,7 +1088,7 @@ int SSL_set_purpose(SSL *s, int purpose) int SSL_CTX_set_trust(SSL_CTX *s, int trust) { - return X509_VERIFY_PARAM_set_trust(s->param, trust); + return X509_VERIFY_PARAM_set_trust(s->cnf->param, trust); } int SSL_set_trust(SSL *s, int trust) @@ -1346,7 +1346,7 @@ int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype, int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) { - return X509_VERIFY_PARAM_set1(ctx->param, vpm); + return X509_VERIFY_PARAM_set1(ctx->cnf->param, vpm); } int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) @@ -1361,7 +1361,7 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) { - return ctx->param; + return ctx->cnf->param; } X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) @@ -1827,16 +1827,16 @@ int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) { int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { - return ctx->verify_mode; + return ctx->cnf->verify_mode; } int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) { - return X509_VERIFY_PARAM_get_depth(ctx->param); + return X509_VERIFY_PARAM_get_depth(ctx->cnf->param); } int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) { - return ctx->default_verify_callback; + return ctx->cnf->default_verify_callback; } void SSL_set_verify(SSL *s, int mode, @@ -2031,16 +2031,16 @@ int SSL_copy_session_id(SSL *t, const SSL *f) /* Fix this so it checks all the valid key/cert options */ int SSL_CTX_check_private_key(const SSL_CTX *ctx) { - if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) { + if ((ctx == NULL) || (ctx->cnf->cert->key->x509 == NULL)) { ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); return 0; } - if (ctx->cert->key->privatekey == NULL) { + if (ctx->cnf->cert->key->privatekey == NULL) { ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return 0; } return X509_check_private_key - (ctx->cert->key->x509, ctx->cert->key->privatekey); + (ctx->cnf->cert->key->x509, ctx->cnf->cert->key->privatekey); } /* Fix this function so that it takes an optional type parameter */ @@ -2107,13 +2107,13 @@ int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds, int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback) { - ctx->async_cb = callback; + ctx->cnf->async_cb = callback; return 1; } int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg) { - ctx->async_cb_arg = arg; + ctx->cnf->async_cb_arg = arg; return 1; } @@ -3068,39 +3068,39 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return ctx->read_ahead; + return ctx->cnf->read_ahead; case SSL_CTRL_SET_READ_AHEAD: - l = ctx->read_ahead; - ctx->read_ahead = larg; + l = ctx->cnf->read_ahead; + ctx->cnf->read_ahead = larg; return l; case SSL_CTRL_SET_MSG_CALLBACK_ARG: - ctx->msg_callback_arg = parg; + ctx->cnf->msg_callback_arg = parg; return 1; case SSL_CTRL_GET_MAX_CERT_LIST: - return (long)ctx->max_cert_list; + return (long)ctx->cnf->max_cert_list; case SSL_CTRL_SET_MAX_CERT_LIST: if (larg < 0) return 0; - l = (long)ctx->max_cert_list; - ctx->max_cert_list = (size_t)larg; + l = (long)ctx->cnf->max_cert_list; + ctx->cnf->max_cert_list = (size_t)larg; return l; case SSL_CTRL_SET_SESS_CACHE_SIZE: if (larg < 0) return 0; - l = (long)ctx->session_cache_size; - ctx->session_cache_size = (size_t)larg; + l = (long)ctx->cnf->session_cache_size; + ctx->cnf->session_cache_size = (size_t)larg; return l; case SSL_CTRL_GET_SESS_CACHE_SIZE: - return (long)ctx->session_cache_size; + return (long)ctx->cnf->session_cache_size; case SSL_CTRL_SET_SESS_CACHE_MODE: - l = ctx->session_cache_mode; - ctx->session_cache_mode = larg; + l = ctx->cnf->session_cache_mode; + ctx->cnf->session_cache_mode = larg; return l; case SSL_CTRL_GET_SESS_CACHE_MODE: - return ctx->session_cache_mode; + return ctx->cnf->session_cache_mode; case SSL_CTRL_SESS_NUMBER: return lh_SSL_SESSION_num_items(ctx->sessions); @@ -3127,44 +3127,44 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SESS_CACHE_FULL: return ssl_tsan_load(ctx, &ctx->stats.sess_cache_full); case SSL_CTRL_MODE: - return (ctx->mode |= larg); + return (ctx->cnf->mode |= larg); case SSL_CTRL_CLEAR_MODE: - return (ctx->mode &= ~larg); + return (ctx->cnf->mode &= ~larg); case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return 0; - ctx->max_send_fragment = larg; - if (ctx->max_send_fragment < ctx->split_send_fragment) - ctx->split_send_fragment = ctx->max_send_fragment; + ctx->cnf->max_send_fragment = larg; + if (ctx->cnf->max_send_fragment < ctx->cnf->split_send_fragment) + ctx->cnf->split_send_fragment = ctx->cnf->max_send_fragment; return 1; case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: - if ((size_t)larg > ctx->max_send_fragment || larg == 0) + if ((size_t)larg > ctx->cnf->max_send_fragment || larg == 0) return 0; - ctx->split_send_fragment = larg; + ctx->cnf->split_send_fragment = larg; return 1; case SSL_CTRL_SET_MAX_PIPELINES: if (larg < 1 || larg > SSL_MAX_PIPELINES) return 0; - ctx->max_pipelines = larg; + ctx->cnf->max_pipelines = larg; return 1; case SSL_CTRL_CERT_FLAGS: - return (ctx->cert->cert_flags |= larg); + return (ctx->cnf->cert->cert_flags |= larg); case SSL_CTRL_CLEAR_CERT_FLAGS: - return (ctx->cert->cert_flags &= ~larg); + return (ctx->cnf->cert->cert_flags &= ~larg); case SSL_CTRL_SET_MIN_PROTO_VERSION: - return ssl_check_allowed_versions(larg, ctx->max_proto_version) - && ssl_set_version_bound(ctx->method->version, (int)larg, - &ctx->min_proto_version); + return ssl_check_allowed_versions(larg, ctx->cnf->max_proto_version) + && ssl_set_version_bound(ctx->cnf->method->version, (int)larg, + &ctx->cnf->min_proto_version); case SSL_CTRL_GET_MIN_PROTO_VERSION: - return ctx->min_proto_version; + return ctx->cnf->min_proto_version; case SSL_CTRL_SET_MAX_PROTO_VERSION: - return ssl_check_allowed_versions(ctx->min_proto_version, larg) - && ssl_set_version_bound(ctx->method->version, (int)larg, - &ctx->max_proto_version); + return ssl_check_allowed_versions(ctx->cnf->min_proto_version, larg) + && ssl_set_version_bound(ctx->cnf->method->version, (int)larg, + &ctx->cnf->max_proto_version); case SSL_CTRL_GET_MAX_PROTO_VERSION: - return ctx->max_proto_version; + return ctx->cnf->max_proto_version; default: - return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg); + return ctx->cnf->method->ssl_ctx_ctrl(ctx, cmd, larg, parg); } } @@ -3172,14 +3172,14 @@ long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - ctx->msg_callback = (void (*) + ctx->cnf->msg_callback = (void (*) (int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); return 1; default: - return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp); + return ctx->cnf->method->ssl_ctx_callback_ctrl(ctx, cmd, fp); } } @@ -3213,8 +3213,8 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) if (sc != NULL) { if (sc->cipher_list != NULL) { return sc->cipher_list; - } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { - return s->ctx->cipher_list; + } else if ((s->ctx != NULL) && (s->ctx->cnf->cipher_list != NULL)) { + return s->ctx->cnf->cipher_list; } } return NULL; @@ -3267,8 +3267,8 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL_CONNECTION *s) if (s->cipher_list_by_id != NULL) return s->cipher_list_by_id; else if (s->ssl.ctx != NULL - && s->ssl.ctx->cipher_list_by_id != NULL) - return s->ssl.ctx->cipher_list_by_id; + && s->ssl.ctx->cnf->cipher_list_by_id != NULL) + return s->ssl.ctx->cnf->cipher_list_by_id; } return NULL; } @@ -3295,7 +3295,7 @@ const char *SSL_get_cipher_list(const SSL *s, int n) STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { if (ctx != NULL) - return ctx->cipher_list; + return ctx->cnf->cipher_list; return NULL; } @@ -3324,9 +3324,9 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { STACK_OF(SSL_CIPHER) *sk; - sk = ssl_create_cipher_list(ctx, ctx->tls13_ciphersuites, - &ctx->cipher_list, &ctx->cipher_list_by_id, str, - ctx->cert); + sk = ssl_create_cipher_list(ctx, ctx->cnf->tls13_ciphersuites, + &ctx->cnf->cipher_list, &ctx->cnf->cipher_list_by_id, str, + ctx->cnf->cert); /* * ssl_create_cipher_list may return an empty stack if it was unable to * find a cipher matching the given rule string (for example if the rule @@ -3609,8 +3609,8 @@ void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx, /* NPN not allowed for QUIC */ return; - ctx->ext.npn_advertised_cb = cb; - ctx->ext.npn_advertised_cb_arg = arg; + ctx->cnf->ext.npn_advertised_cb = cb; + ctx->cnf->ext.npn_advertised_cb_arg = arg; } /* @@ -3631,8 +3631,8 @@ void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx, /* NPN not allowed for QUIC */ return; - ctx->ext.npn_select_cb = cb; - ctx->ext.npn_select_cb_arg = arg; + ctx->cnf->ext.npn_select_cb = cb; + ctx->cnf->ext.npn_select_cb_arg = arg; } #endif @@ -3660,9 +3660,9 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned char *alpn; if (protos_len == 0 || protos == NULL) { - OPENSSL_free(ctx->ext.alpn); - ctx->ext.alpn = NULL; - ctx->ext.alpn_len = 0; + OPENSSL_free(ctx->cnf->ext.alpn); + ctx->cnf->ext.alpn = NULL; + ctx->cnf->ext.alpn_len = 0; return 0; } /* Not valid per RFC */ @@ -3672,9 +3672,9 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, alpn = OPENSSL_memdup(protos, protos_len); if (alpn == NULL) return 1; - OPENSSL_free(ctx->ext.alpn); - ctx->ext.alpn = alpn; - ctx->ext.alpn_len = protos_len; + OPENSSL_free(ctx->cnf->ext.alpn); + ctx->cnf->ext.alpn = alpn; + ctx->cnf->ext.alpn_len = protos_len; return 0; } @@ -3722,8 +3722,8 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, SSL_CTX_alpn_select_cb_func cb, void *arg) { - ctx->ext.alpn_select_cb = cb; - ctx->ext.alpn_select_cb_arg = arg; + ctx->cnf->ext.alpn_select_cb = cb; + ctx->cnf->ext.alpn_select_cb_arg = arg; } /* @@ -3823,6 +3823,180 @@ static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) return memcmp(a->session_id, b->session_id, a->session_id_length); } +SSL_CTX *SSL_CTX_dup(OSSL_LIB_CTX *libctx, SSL_CTX *source, + const char *propq, const SSL_METHOD *meth) +{ + SSL_CTX *ret = NULL; + int ok = 0; + + if (source == NULL) + goto exit; + + ret = SSL_CTX_new_ex(libctx, propq, meth); + if (ret) { + if (meth != NULL) + ret->cnf->method = meth; + else + ret->cnf->method = source->cnf->method; + if (source->cnf->cipher_list) { + sk_SSL_CIPHER_free(ret->cnf->cipher_list); + ret->cnf->cipher_list = sk_SSL_CIPHER_dup(source->cnf->cipher_list); + } + if (source->cnf->cipher_list_by_id) { + sk_SSL_CIPHER_free(ret->cnf->cipher_list_by_id); + ret->cnf->cipher_list_by_id = sk_SSL_CIPHER_dup(source->cnf->cipher_list_by_id); + } + if (source->cnf->tls13_ciphersuites) { + sk_SSL_CIPHER_free(ret->cnf->tls13_ciphersuites); + ret->cnf->tls13_ciphersuites = sk_SSL_CIPHER_dup(source->cnf->tls13_ciphersuites); + } + SSL_CTX_set1_cert_store(ret, source->cnf->cert_store); + ret->cnf->session_cache_size = source->cnf->session_cache_size; + ret->cnf->session_timeout.t = source->cnf->session_timeout.t; + ret->cnf->session_cache_mode = source->cnf->session_cache_mode; + ret->cnf->new_session_cb = source->cnf->new_session_cb; + ret->cnf->remove_session_cb = source->cnf->remove_session_cb; + ret->cnf->get_session_cb = source->cnf->get_session_cb; + ret->cnf->app_verify_callback = source->cnf->app_verify_callback; + ret->cnf->app_verify_arg = source->cnf->app_verify_arg; + ret->cnf->default_passwd_callback = source->cnf->default_passwd_callback; + ret->cnf->default_passwd_callback_userdata = source->cnf->default_passwd_callback_userdata; + ret->cnf->client_cert_cb = source->cnf->client_cert_cb; + ret->cnf->app_gen_cookie_cb = source->cnf->app_gen_cookie_cb; + ret->cnf->app_verify_cookie_cb = source->cnf->app_verify_cookie_cb; + ret->cnf->gen_stateless_cookie_cb = source->cnf->gen_stateless_cookie_cb; + ret->cnf->verify_stateless_cookie_cb = source->cnf->verify_stateless_cookie_cb; + ret->cnf->ex_data.ctx = source->cnf->ex_data.ctx; + if (source->cnf->ex_data.sk != NULL) { + sk_void_free(ret->cnf->ex_data.sk); + ret->cnf->ex_data.sk = sk_void_dup(source->cnf->ex_data.sk); + } + if (source->cnf->extra_certs != NULL) { + sk_X509_free(ret->cnf->extra_certs); + ret->cnf->extra_certs = sk_X509_dup(source->cnf->extra_certs); + } + ret->cnf->info_callback = source->cnf->info_callback; + if (source->cnf->ca_names != NULL) { + sk_X509_NAME_free(ret->cnf->ca_names); + ret->cnf->ca_names = sk_X509_NAME_dup(source->cnf->ca_names); + } + if (source->cnf->client_ca_names != NULL) { + sk_X509_NAME_free(ret->cnf->client_ca_names); + ret->cnf->client_ca_names = sk_X509_NAME_dup(source->cnf->client_ca_names); + } + ret->cnf->options = source->cnf->options; + ret->cnf->mode = source->cnf->mode; + ret->cnf->min_proto_version = source->cnf->min_proto_version; + ret->cnf->max_proto_version = source->cnf->max_proto_version; + ret->cnf->max_cert_list = source->cnf->max_cert_list; + if (source->cnf->cert) { + ssl_cert_free(ret->cnf->cert); + ret->cnf->cert = ssl_cert_dup(source->cnf->cert); + } + ret->cnf->read_ahead = source->cnf->read_ahead; + ret->cnf->msg_callback = source->cnf->msg_callback; + ret->cnf->msg_callback_arg = source->cnf->msg_callback_arg; + ret->cnf->verify_mode = source->cnf->verify_mode; + ret->cnf->sid_ctx_length = source->cnf->sid_ctx_length; + memcpy(ret->cnf->sid_ctx, source->cnf->sid_ctx, sizeof(source->cnf->sid_ctx_length)); + ret->cnf->default_verify_callback = source->cnf->default_verify_callback; + ret->cnf->generate_session_id = source->cnf->generate_session_id; + X509_VERIFY_PARAM_inherit(ret->cnf->param, source->cnf->param); + ret->cnf->quiet_shutdown = source->cnf->quiet_shutdown; +# ifndef OPENSSL_NO_CT + ret->cnf->ct_validation_callback = source->cnf->ct_validation_callback; + ret->cnf->ct_validation_callback_arg = source->cnf->ct_validation_callback_arg; +#endif + ret->cnf->split_send_fragment = source->cnf->split_send_fragment; + ret->cnf->max_send_fragment = source->cnf->max_send_fragment; + ret->cnf->max_pipelines = source->cnf->max_pipelines; + ret->cnf->default_read_buf_len = source->cnf->default_read_buf_len; +#ifndef OPENSSL_NO_ENGINE + if (source->cnf->client_cert_engine) { + if (SSL_CTX_set_client_cert_engine(ret, source->cnf->client_cert_engine) == 0) + goto exit; + } +#endif + ret->cnf->client_hello_cb = source->cnf->client_hello_cb; + ret->cnf->client_hello_cb_arg = source->cnf->client_hello_cb_arg; + + /* Duplicate ext structure */ + ret->cnf->ext.servername_cb = source->cnf->ext.servername_cb; + ret->cnf->ext.servername_arg = source->cnf->ext.servername_arg; +# ifndef OPENSSL_NO_DEPRECATED_3_0 + /* Callback to support customisation of ticket key setting */ + ret->cnf->ext.ticket_key_cb = source->cnf->ext.ticket_key_cb; +#endif + ret->cnf->ext.ticket_key_evp_cb = source->cnf->ext.ticket_key_evp_cb; + ret->cnf->ext.status_cb = source->cnf->ext.status_cb; + ret->cnf->ext.status_arg = source->cnf->ext.status_arg; + ret->cnf->ext.status_type = source->cnf->ext.status_type; + ret->cnf->ext.max_fragment_len_mode = source->cnf->ext.max_fragment_len_mode; + ret->cnf->ext.ecpointformats_len = source->cnf->ext.ecpointformats_len; + if (source->cnf->ext.ecpointformats != NULL) { + OPENSSL_free(ret->cnf->ext.ecpointformats); + ret->cnf->ext.ecpointformats = OPENSSL_memdup(source->cnf->ext.ecpointformats, + source->cnf->ext.ecpointformats_len); + } + ret->cnf->ext.supportedgroups_len = source->cnf->ext.supportedgroups_len; + if (source->cnf->ext.supportedgroups != NULL) { + OPENSSL_free(ret->cnf->ext.supportedgroups); + ret->cnf->ext.supportedgroups = OPENSSL_memdup(source->cnf->ext.supportedgroups, + source->cnf->ext.supportedgroups_len); + } + ret->cnf->ext.supported_groups_default_len = source->cnf->ext.supported_groups_default_len; + if (source->cnf->ext.supported_groups_default != NULL) { + OPENSSL_free(ret->cnf->ext.supported_groups_default); + ret->cnf->ext.supported_groups_default = OPENSSL_memdup(source->cnf->ext.supported_groups_default, + source->cnf->ext.supported_groups_default_len); + } + ret->cnf->ext.alpn_select_cb = source->cnf->ext.alpn_select_cb; + ret->cnf->ext.alpn_select_cb_arg = source->cnf->ext.alpn_select_cb_arg; + ret->cnf->ext.alpn_len = source->cnf->ext.alpn_len; + if (source->cnf->ext.alpn != NULL) { + OPENSSL_free(ret->cnf->ext.alpn); + ret->cnf->ext.alpn = OPENSSL_memdup(source->cnf->ext.alpn, + source->cnf->ext.alpn_len); + } +# ifndef OPENSSL_NO_NEXTPROTONEG + ret->cnf->ext.npn_advertised_cb = source->cnf->ext.npn_advertised_cb; + ret->cnf->ext.npn_advertised_cb_arg = source->cnf->ext.npn_advertised_cb_arg; + ret->cnf->ext.npn_select_cb = source->cnf->ext.npn_select_cb; + ret->cnf->ext.npn_select_cb_arg = source->cnf->ext.npn_select_cb_arg; +#endif +# ifndef OPENSSL_NO_PSK + ret->cnf->psk_client_callback = source->cnf->psk_client_callback; + ret->cnf->psk_server_callback = source->cnf->psk_server_callback; +# endif + ret->cnf->psk_find_session_cb = source->cnf->psk_find_session_cb; + ret->cnf->psk_use_session_cb = source->cnf->psk_use_session_cb; + ret->cnf->not_resumable_session_cb = source->cnf->not_resumable_session_cb; + ret->cnf->keylog_callback = source->cnf->keylog_callback; + ret->cnf->max_early_data = source->cnf->max_early_data; + ret->cnf->recv_max_early_data = source->cnf->recv_max_early_data; + ret->cnf->record_padding_cb = source->cnf->record_padding_cb; + ret->cnf->record_padding_arg = source->cnf->record_padding_arg; + ret->cnf->block_padding = source->cnf->block_padding; + ret->cnf->generate_ticket_cb = source->cnf->generate_ticket_cb; + ret->cnf->decrypt_ticket_cb = source->cnf->decrypt_ticket_cb; + ret->cnf->ticket_cb_data = source->cnf->ticket_cb_data; + ret->cnf->num_tickets = source->cnf->num_tickets; + ret->cnf->allow_early_data_cb = source->cnf->allow_early_data_cb; + ret->cnf->allow_early_data_cb_data = source->cnf->allow_early_data_cb_data; + ret->cnf->pha_enabled = source->cnf->pha_enabled; + ret->cnf->async_cb = source->cnf->async_cb; + ret->cnf->async_cb_arg = source->cnf->async_cb_arg; + ok = 1; + } +exit: + if (ok == 0) { + if (ret != NULL) + SSL_CTX_free(ret); + ret = NULL; + } + return ret; +} + /* * These wrapper functions should remain rather than redeclaring * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each @@ -3834,6 +4008,8 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, const SSL_METHOD *meth) { SSL_CTX *ret = NULL; + SSL_CTX_CNF *cnf = NULL; + #ifndef OPENSSL_NO_COMP_ALG int i; #endif @@ -3862,6 +4038,12 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, return NULL; } + cnf = OPENSSL_zalloc(sizeof(*cnf)); + if (cnf == NULL) + return NULL; + + ret->cnf = cnf; + ret->lock = CRYPTO_THREAD_lock_new(); if (ret->lock == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); @@ -3883,24 +4065,24 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, goto err; } - ret->method = meth; - ret->min_proto_version = 0; - ret->max_proto_version = 0; - ret->mode = SSL_MODE_AUTO_RETRY; - ret->session_cache_mode = SSL_SESS_CACHE_SERVER; - ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; + ret->cnf->method = meth; + ret->cnf->min_proto_version = 0; + ret->cnf->max_proto_version = 0; + ret->cnf->mode = SSL_MODE_AUTO_RETRY; + ret->cnf->session_cache_mode = SSL_SESS_CACHE_SERVER; + ret->cnf->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; /* We take the system default. */ - ret->session_timeout = meth->get_timeout(); - ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; - ret->verify_mode = SSL_VERIFY_NONE; + ret->cnf->session_timeout = meth->get_timeout(); + ret->cnf->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; + ret->cnf->verify_mode = SSL_VERIFY_NONE; ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); if (ret->sessions == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); goto err; } - ret->cert_store = X509_STORE_new(); - if (ret->cert_store == NULL) { + ret->cnf->cert_store = X509_STORE_new(); + if (ret->cnf->cert_store == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); goto err; } @@ -3940,22 +4122,22 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, goto err; } - if ((ret->cert = ssl_cert_new(SSL_PKEY_NUM + ret->sigalg_list_len)) == NULL) { + if ((ret->cnf->cert = ssl_cert_new(SSL_PKEY_NUM + ret->sigalg_list_len)) == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB); goto err; } if (!ssl_create_cipher_list(ret, - ret->tls13_ciphersuites, - &ret->cipher_list, &ret->cipher_list_by_id, - OSSL_default_cipher_list(), ret->cert) - || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { + ret->cnf->tls13_ciphersuites, + &ret->cnf->cipher_list, &ret->cnf->cipher_list_by_id, + OSSL_default_cipher_list(), ret->cnf->cert) + || sk_SSL_CIPHER_num(ret->cnf->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err; } - ret->param = X509_VERIFY_PARAM_new(); - if (ret->param == NULL) { + ret->cnf->param = X509_VERIFY_PARAM_new(); + if (ret->cnf->param == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); goto err; } @@ -3967,42 +4149,42 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq); ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq); - if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) { + if ((ret->cnf->ca_names = sk_X509_NAME_new_null()) == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); goto err; } - if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) { + if ((ret->cnf->client_ca_names = sk_X509_NAME_new_null()) == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); goto err; } - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) { + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->cnf->ex_data)) { ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); goto err; } - if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL) + if ((ret->cnf->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->cnf->ext.secure))) == NULL) goto err; /* No compression for DTLS */ if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)) ret->comp_methods = SSL_COMP_get_compression_methods(); - ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; + ret->cnf->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; + ret->cnf->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; /* Setup RFC5077 ticket keys */ - if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name, - sizeof(ret->ext.tick_key_name), 0) <= 0) - || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key, - sizeof(ret->ext.secure->tick_hmac_key), 0) <= 0) - || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key, - sizeof(ret->ext.secure->tick_aes_key), 0) <= 0)) - ret->options |= SSL_OP_NO_TICKET; - - if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key, - sizeof(ret->ext.cookie_hmac_key), 0) <= 0) { + if ((RAND_bytes_ex(libctx, ret->cnf->ext.tick_key_name, + sizeof(ret->cnf->ext.tick_key_name), 0) <= 0) + || (RAND_priv_bytes_ex(libctx, ret->cnf->ext.secure->tick_hmac_key, + sizeof(ret->cnf->ext.secure->tick_hmac_key), 0) <= 0) + || (RAND_priv_bytes_ex(libctx, ret->cnf->ext.secure->tick_aes_key, + sizeof(ret->cnf->ext.secure->tick_aes_key), 0) <= 0)) + ret->cnf->options |= SSL_OP_NO_TICKET; + + if (RAND_priv_bytes_ex(libctx, ret->cnf->ext.cookie_hmac_key, + sizeof(ret->cnf->ext.cookie_hmac_key), 0) <= 0) { ERR_raise(ERR_LIB_SSL, ERR_R_RAND_LIB); goto err; } @@ -4054,9 +4236,9 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, * middlebox compatibility by default. This may be disabled by default in * a later OpenSSL version. */ - ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; + ret->cnf->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; - ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; + ret->cnf->ext.status_type = TLSEXT_STATUSTYPE_nothing; /* * We cannot usefully set a default max_early_data here (which gets @@ -4074,7 +4256,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, * eliminating the bandwidth-wasting early data in the case described * above. */ - ret->max_early_data = 0; + ret->cnf->max_early_data = 0; /* * Default recv_max_early_data is a fully loaded single record. Could be @@ -4084,10 +4266,10 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, * because of an old, stale ticket) then we will tolerate it and skip over * it. */ - ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; + ret->cnf->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; /* By default we send two session tickets automatically in TLSv1.3 */ - ret->num_tickets = 2; + ret->cnf->num_tickets = 2; ssl_ctx_system_config(ret); @@ -4128,7 +4310,7 @@ void SSL_CTX_free(SSL_CTX *a) return; REF_ASSERT_ISNT(i < 0); - X509_VERIFY_PARAM_free(a->param); + X509_VERIFY_PARAM_free(a->cnf->param); dane_ctx_final(&a->dane); /* @@ -4143,19 +4325,19 @@ void SSL_CTX_free(SSL_CTX *a) if (a->sessions != NULL) SSL_CTX_flush_sessions(a, 0); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->cnf->ex_data); lh_SSL_SESSION_free(a->sessions); - X509_STORE_free(a->cert_store); + X509_STORE_free(a->cnf->cert_store); #ifndef OPENSSL_NO_CT CTLOG_STORE_free(a->ctlog_store); #endif - sk_SSL_CIPHER_free(a->cipher_list); - sk_SSL_CIPHER_free(a->cipher_list_by_id); - sk_SSL_CIPHER_free(a->tls13_ciphersuites); - ssl_cert_free(a->cert); - sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); - sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free); - OSSL_STACK_OF_X509_free(a->extra_certs); + sk_SSL_CIPHER_free(a->cnf->cipher_list); + sk_SSL_CIPHER_free(a->cnf->cipher_list_by_id); + sk_SSL_CIPHER_free(a->cnf->tls13_ciphersuites); + ssl_cert_free(a->cnf->cert); + sk_X509_NAME_pop_free(a->cnf->ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(a->cnf->client_ca_names, X509_NAME_free); + OSSL_STACK_OF_X509_free(a->cnf->extra_certs); a->comp_methods = NULL; #ifndef OPENSSL_NO_SRTP sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); @@ -4164,14 +4346,14 @@ void SSL_CTX_free(SSL_CTX *a) ssl_ctx_srp_ctx_free_intern(a); #endif #ifndef OPENSSL_NO_ENGINE - tls_engine_finish(a->client_cert_engine); + tls_engine_finish(a->cnf->client_cert_engine); #endif - OPENSSL_free(a->ext.ecpointformats); - OPENSSL_free(a->ext.supportedgroups); - OPENSSL_free(a->ext.supported_groups_default); - OPENSSL_free(a->ext.alpn); - OPENSSL_secure_free(a->ext.secure); + OPENSSL_free(a->cnf->ext.ecpointformats); + OPENSSL_free(a->cnf->ext.supportedgroups); + OPENSSL_free(a->cnf->ext.supported_groups_default); + OPENSSL_free(a->cnf->ext.alpn); + OPENSSL_secure_free(a->cnf->ext.secure); ssl_evp_md_free(a->md5); ssl_evp_md_free(a->sha1); @@ -4211,7 +4393,7 @@ void SSL_CTX_free(SSL_CTX *a) #ifdef TSAN_REQUIRES_LOCKING CRYPTO_THREAD_lock_free(a->tsan_lock); #endif - + OPENSSL_free(a->cnf); OPENSSL_free(a->propq); OPENSSL_free(a); @@ -4219,22 +4401,22 @@ void SSL_CTX_free(SSL_CTX *a) void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) { - ctx->default_passwd_callback = cb; + ctx->cnf->default_passwd_callback = cb; } void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) { - ctx->default_passwd_callback_userdata = u; + ctx->cnf->default_passwd_callback_userdata = u; } pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) { - return ctx->default_passwd_callback; + return ctx->cnf->default_passwd_callback; } void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) { - return ctx->default_passwd_callback_userdata; + return ctx->cnf->default_passwd_callback_userdata; } void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb) @@ -4281,25 +4463,25 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb) (X509_STORE_CTX *, void *), void *arg) { - ctx->app_verify_callback = cb; - ctx->app_verify_arg = arg; + ctx->cnf->app_verify_callback = cb; + ctx->cnf->app_verify_arg = arg; } void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb) (int, X509_STORE_CTX *)) { - ctx->verify_mode = mode; - ctx->default_verify_callback = cb; + ctx->cnf->verify_mode = mode; + ctx->cnf->default_verify_callback = cb; } void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) { - X509_VERIFY_PARAM_set_depth(ctx->param, depth); + X509_VERIFY_PARAM_set_depth(ctx->cnf->param, depth); } void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg) { - ssl_cert_set_cert_cb(c->cert, cb, arg); + ssl_cert_set_cert_cb(c->cnf->cert, cb, arg); } void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) @@ -4485,7 +4667,7 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) && (s->verify_mode & SSL_VERIFY_PEER) != 0) return; - i = s->session_ctx->session_cache_mode; + i = s->session_ctx->cnf->session_cache_mode; if ((i & mode) != 0 && (!s->hit || SSL_CONNECTION_IS_TLS13(s))) { /* @@ -4504,7 +4686,7 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) || !s->server || (s->max_early_data > 0 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0) - || s->session_ctx->remove_session_cb != NULL + || s->session_ctx->cnf->remove_session_cb != NULL || (s->options & SSL_OP_NO_TICKET) != 0)) SSL_CTX_add_session(s->session_ctx, s->session); @@ -4513,9 +4695,9 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) * TLSv1.3 without early data because some applications just want to * know about the creation of a session and aren't doing a full cache. */ - if (s->session_ctx->new_session_cb != NULL) { + if (s->session_ctx->cnf->new_session_cb != NULL) { SSL_SESSION_up_ref(s->session); - if (!s->session_ctx->new_session_cb(SSL_CONNECTION_GET_SSL(s), + if (!s->session_ctx->cnf->new_session_cb(SSL_CONNECTION_GET_SSL(s), s->session)) SSL_SESSION_free(s->session); } @@ -4536,7 +4718,7 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx) { - return ctx->method; + return ctx->cnf->method; } const SSL_METHOD *SSL_get_ssl_method(const SSL *s) @@ -5026,16 +5208,16 @@ EVP_PKEY *SSL_get_privatekey(const SSL *s) X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) { - if (ctx->cert != NULL) - return ctx->cert->key->x509; + if (ctx->cnf->cert != NULL) + return ctx->cnf->cert->key->x509; else return NULL; } EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) { - if (ctx->cert != NULL) - return ctx->cert->key->privatekey; + if (ctx->cnf->cert != NULL) + return ctx->cnf->cert->key->privatekey; else return NULL; } @@ -5130,12 +5312,12 @@ int ssl_free_wbio_buffer(SSL_CONNECTION *s) void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { - ctx->quiet_shutdown = mode; + ctx->cnf->quiet_shutdown = mode; } int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { - return ctx->quiet_shutdown; + return ctx->cnf->quiet_shutdown; } void SSL_set_quiet_shutdown(SSL *s, int mode) @@ -5230,7 +5412,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) return ssl->ctx; if (ctx == NULL) ctx = sc->session_ctx; - new_cert = ssl_cert_dup(ctx->cert); + new_cert = ssl_cert_dup(ctx->cnf->cert); if (new_cert == NULL) { return NULL; } @@ -5257,10 +5439,10 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) * leave it unchanged. */ if ((ssl->ctx != NULL) && - (sc->sid_ctx_length == ssl->ctx->sid_ctx_length) && - (memcmp(sc->sid_ctx, ssl->ctx->sid_ctx, sc->sid_ctx_length) == 0)) { - sc->sid_ctx_length = ctx->sid_ctx_length; - memcpy(&sc->sid_ctx, &ctx->sid_ctx, sizeof(sc->sid_ctx)); + (sc->sid_ctx_length == ssl->ctx->cnf->sid_ctx_length) && + (memcmp(sc->sid_ctx, ssl->ctx->cnf->sid_ctx, sc->sid_ctx_length) == 0)) { + sc->sid_ctx_length = ctx->cnf->sid_ctx_length; + memcpy(&sc->sid_ctx, &ctx->cnf->sid_ctx, sizeof(sc->sid_ctx)); } SSL_CTX_up_ref(ctx); @@ -5272,7 +5454,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) { - return X509_STORE_set_default_paths_ex(ctx->cert_store, ctx->libctx, + return X509_STORE_set_default_paths_ex(ctx->cnf->cert_store, ctx->libctx, ctx->propq); } @@ -5280,7 +5462,7 @@ int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx) { X509_LOOKUP *lookup; - lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir()); + lookup = X509_STORE_add_lookup(ctx->cnf->cert_store, X509_LOOKUP_hash_dir()); if (lookup == NULL) return 0; @@ -5298,7 +5480,7 @@ int SSL_CTX_set_default_verify_file(SSL_CTX *ctx) { X509_LOOKUP *lookup; - lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file()); + lookup = X509_STORE_add_lookup(ctx->cnf->cert_store, X509_LOOKUP_file()); if (lookup == NULL) return 0; @@ -5317,7 +5499,7 @@ int SSL_CTX_set_default_verify_store(SSL_CTX *ctx) { X509_LOOKUP *lookup; - lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store()); + lookup = X509_STORE_add_lookup(ctx->cnf->cert_store, X509_LOOKUP_store()); if (lookup == NULL) return 0; @@ -5333,18 +5515,18 @@ int SSL_CTX_set_default_verify_store(SSL_CTX *ctx) int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile) { - return X509_STORE_load_file_ex(ctx->cert_store, CAfile, ctx->libctx, + return X509_STORE_load_file_ex(ctx->cnf->cert_store, CAfile, ctx->libctx, ctx->propq); } int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath) { - return X509_STORE_load_path(ctx->cert_store, CApath); + return X509_STORE_load_path(ctx->cnf->cert_store, CApath); } int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore) { - return X509_STORE_load_store_ex(ctx->cert_store, CAstore, ctx->libctx, + return X509_STORE_load_store_ex(ctx->cnf->cert_store, CAstore, ctx->libctx, ctx->propq); } @@ -5471,23 +5653,23 @@ void *SSL_get_ex_data(const SSL *s, int idx) int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) { - return CRYPTO_set_ex_data(&s->ex_data, idx, arg); + return CRYPTO_set_ex_data(&s->cnf->ex_data, idx, arg); } void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) { - return CRYPTO_get_ex_data(&s->ex_data, idx); + return CRYPTO_get_ex_data(&s->cnf->ex_data, idx); } X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) { - return ctx->cert_store; + return ctx->cnf->cert_store; } void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) { - X509_STORE_free(ctx->cert_store); - ctx->cert_store = store; + X509_STORE_free(ctx->cnf->cert_store); + ctx->cnf->cert_store = store; } void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) @@ -5519,13 +5701,13 @@ int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG); return 0; } - OPENSSL_free(ctx->cert->psk_identity_hint); + OPENSSL_free(ctx->cnf->cert->psk_identity_hint); if (identity_hint != NULL) { - ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint); - if (ctx->cert->psk_identity_hint == NULL) + ctx->cnf->cert->psk_identity_hint = OPENSSL_strdup(identity_hint); + if (ctx->cnf->cert->psk_identity_hint == NULL) return 0; } else - ctx->cert->psk_identity_hint = NULL; + ctx->cnf->cert->psk_identity_hint = NULL; return 1; } @@ -5582,7 +5764,7 @@ void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb) void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb) { - ctx->psk_client_callback = cb; + ctx->cnf->psk_client_callback = cb; } void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb) @@ -5597,7 +5779,7 @@ void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb) void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb) { - ctx->psk_server_callback = cb; + ctx->cnf->psk_server_callback = cb; } #endif @@ -5614,7 +5796,7 @@ void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb) void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, SSL_psk_find_session_cb_func cb) { - ctx->psk_find_session_cb = cb; + ctx->cnf->psk_find_session_cb = cb; } void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) @@ -5630,7 +5812,7 @@ void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, SSL_psk_use_session_cb_func cb) { - ctx->psk_use_session_cb = cb; + ctx->cnf->psk_use_session_cb = cb; } void SSL_CTX_set_msg_callback(SSL_CTX *ctx, @@ -5670,17 +5852,17 @@ void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, size_t (*cb) (SSL *ssl, int type, size_t len, void *arg)) { - ctx->record_padding_cb = cb; + ctx->cnf->record_padding_cb = cb; } void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg) { - ctx->record_padding_arg = arg; + ctx->cnf->record_padding_arg = arg; } void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx) { - return ctx->record_padding_arg; + return ctx->cnf->record_padding_arg; } int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) @@ -5690,9 +5872,9 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) /* block size of 0 or 1 is basically no padding */ if (block_size == 1) - ctx->block_padding = 0; + ctx->cnf->block_padding = 0; else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) - ctx->block_padding = block_size; + ctx->cnf->block_padding = block_size; else return 0; return 1; @@ -5777,14 +5959,14 @@ size_t SSL_get_num_tickets(const SSL *s) int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) { - ctx->num_tickets = num_tickets; + ctx->cnf->num_tickets = num_tickets; return 1; } size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) { - return ctx->num_tickets; + return ctx->cnf->num_tickets; } /* Retrieve handshake hashes */ @@ -5918,12 +6100,12 @@ void *SSL_get0_security_ex_data(const SSL *s) void SSL_CTX_set_security_level(SSL_CTX *ctx, int level) { - ctx->cert->sec_level = level; + ctx->cnf->cert->sec_level = level; } int SSL_CTX_get_security_level(const SSL_CTX *ctx) { - return ctx->cert->sec_level; + return ctx->cnf->cert->sec_level; } void SSL_CTX_set_security_callback(SSL_CTX *ctx, @@ -5931,7 +6113,7 @@ void SSL_CTX_set_security_callback(SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex)) { - ctx->cert->sec_cb = cb; + ctx->cnf->cert->sec_cb = cb; } int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s, @@ -5940,22 +6122,22 @@ int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s, int nid, void *other, void *ex) { - return ctx->cert->sec_cb; + return ctx->cnf->cert->sec_cb; } void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex) { - ctx->cert->sec_ex = ex; + ctx->cnf->cert->sec_ex = ex; } void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx) { - return ctx->cert->sec_ex; + return ctx->cnf->cert->sec_ex; } uint64_t SSL_CTX_get_options(const SSL_CTX *ctx) { - return ctx->options; + return ctx->cnf->options; } uint64_t SSL_get_options(const SSL *s) @@ -5975,7 +6157,7 @@ uint64_t SSL_get_options(const SSL *s) uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op) { - return ctx->options |= op; + return ctx->cnf->options |= op; } uint64_t SSL_set_options(SSL *s, uint64_t op) @@ -6006,7 +6188,7 @@ uint64_t SSL_set_options(SSL *s, uint64_t op) uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op) { - return ctx->options &= ~op; + return ctx->cnf->options &= ~op; } uint64_t SSL_clear_options(SSL *s, uint64_t op) @@ -6267,8 +6449,8 @@ int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, return 0; } - ctx->ct_validation_callback = callback; - ctx->ct_validation_callback_arg = arg; + ctx->cnf->ct_validation_callback = callback; + ctx->cnf->ct_validation_callback_arg = arg; return 1; } @@ -6284,7 +6466,7 @@ int SSL_ct_is_enabled(const SSL *s) int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx) { - return ctx->ct_validation_callback != NULL; + return ctx->cnf->ct_validation_callback != NULL; } int ssl_validate_ct(SSL_CONNECTION *s) @@ -6440,8 +6622,8 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx) void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, void *arg) { - c->client_hello_cb = cb; - c->client_hello_cb_arg = arg; + c->cnf->client_hello_cb = cb; + c->cnf->client_hello_cb_arg = arg; } int SSL_client_hello_isv2(SSL *s) @@ -6661,12 +6843,12 @@ int SSL_alloc_buffers(SSL *ssl) void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) { - ctx->keylog_callback = cb; + ctx->cnf->keylog_callback = cb; } SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) { - return ctx->keylog_callback; + return ctx->cnf->keylog_callback; } static int nss_keylog_int(const char *prefix, @@ -6683,7 +6865,7 @@ static int nss_keylog_int(const char *prefix, size_t prefix_len; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc); - if (sctx->keylog_callback == NULL) + if (sctx->cnf->keylog_callback == NULL) return 1; /* @@ -6715,7 +6897,7 @@ static int nss_keylog_int(const char *prefix, } *cursor = '\0'; - sctx->keylog_callback(SSL_CONNECTION_GET_SSL(sc), (const char *)out); + sctx->cnf->keylog_callback(SSL_CONNECTION_GET_SSL(sc), (const char *)out); OPENSSL_clear_free(out, out_len); return 1; @@ -6924,14 +7106,14 @@ int ossl_bytes_to_cipher_list(SSL_CONNECTION *s, PACKET *cipher_suites, int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) { - ctx->max_early_data = max_early_data; + ctx->cnf->max_early_data = max_early_data; return 1; } uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx) { - return ctx->max_early_data; + return ctx->cnf->max_early_data; } int SSL_set_max_early_data(SSL *s, uint32_t max_early_data) @@ -6958,14 +7140,14 @@ uint32_t SSL_get_max_early_data(const SSL *s) int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data) { - ctx->recv_max_early_data = recv_max_early_data; + ctx->cnf->recv_max_early_data = recv_max_early_data; return 1; } uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx) { - return ctx->recv_max_early_data; + return ctx->cnf->recv_max_early_data; } int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data) @@ -7044,7 +7226,7 @@ int SSL_stateless(SSL *s) void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) { - ctx->pha_enabled = val; + ctx->cnf->pha_enabled = val; } void SSL_set_post_handshake_auth(SSL *ssl, int val) @@ -7121,9 +7303,9 @@ int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, SSL_CTX_decrypt_session_ticket_fn dec_cb, void *arg) { - ctx->generate_ticket_cb = gen_cb; - ctx->decrypt_ticket_cb = dec_cb; - ctx->ticket_cb_data = arg; + ctx->cnf->generate_ticket_cb = gen_cb; + ctx->cnf->decrypt_ticket_cb = dec_cb; + ctx->cnf->ticket_cb_data = arg; return 1; } @@ -7131,8 +7313,8 @@ void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, SSL_allow_early_data_cb_fn cb, void *arg) { - ctx->allow_early_data_cb = cb; - ctx->allow_early_data_cb_data = arg; + ctx->cnf->allow_early_data_cb = cb; + ctx->cnf->allow_early_data_cb_data = arg; } void SSL_set_allow_early_data_cb(SSL *s, @@ -7264,8 +7446,8 @@ int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey) ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); return 0; } - EVP_PKEY_free(ctx->cert->dh_tmp); - ctx->cert->dh_tmp = dhpkey; + EVP_PKEY_free(ctx->cnf->cert->dh_tmp); + ctx->cnf->cert->dh_tmp = dhpkey; return 1; } diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index d1ef358932e00d..c1ddc3f90c114b 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -804,36 +804,38 @@ typedef struct { # define TLS_GROUP_FFDHE_FOR_TLS1_3 (TLS_GROUP_FFDHE|TLS_GROUP_ONLY_FOR_TLS1_3) -struct ssl_ctx_st { - OSSL_LIB_CTX *libctx; - +struct ssl_ctx_cnf_st { const SSL_METHOD *method; STACK_OF(SSL_CIPHER) *cipher_list; + /* same as above but sorted for lookup */ STACK_OF(SSL_CIPHER) *cipher_list_by_id; + /* TLSv1.3 specific ciphersuites */ STACK_OF(SSL_CIPHER) *tls13_ciphersuites; + struct x509_store_st /* X509_STORE */ *cert_store; - LHASH_OF(SSL_SESSION) *sessions; + /* * Most session-ids that will be cached, default is * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ size_t session_cache_size; - struct ssl_session_st *session_cache_head; - struct ssl_session_st *session_cache_tail; - /* - * This can have one of 2 values, ored together, SSL_SESS_CACHE_CLIENT, - * SSL_SESS_CACHE_SERVER, Default is SSL_SESSION_CACHE_SERVER, which - * means only SSL_accept will cache SSL_SESSIONS. - */ - uint32_t session_cache_mode; + /* * If timeout is not 0, it is the default timeout value set when * SSL_new() is called. This has been put in to make life easier to set * things up */ OSSL_TIME session_timeout; + + /* + * This can have one of 2 values, ored together, SSL_SESS_CACHE_CLIENT, + * SSL_SESS_CACHE_SERVER, Default is SSL_SESSION_CACHE_SERVER, which + * means only SSL_accept will cache SSL_SESSIONS. + */ + uint32_t session_cache_mode; + /* * If this callback is not null, it will be called each time a session id * is added to the cache. If this function returns 1, it means that the @@ -848,39 +850,15 @@ struct ssl_ctx_st { SSL_SESSION *(*get_session_cb) (struct ssl_st *ssl, const unsigned char *data, int len, int *copy); - struct { - TSAN_QUALIFIER int sess_connect; /* SSL new conn - started */ - TSAN_QUALIFIER int sess_connect_renegotiate; /* SSL reneg - requested */ - TSAN_QUALIFIER int sess_connect_good; /* SSL new conne/reneg - finished */ - TSAN_QUALIFIER int sess_accept; /* SSL new accept - started */ - TSAN_QUALIFIER int sess_accept_renegotiate; /* SSL reneg - requested */ - TSAN_QUALIFIER int sess_accept_good; /* SSL accept/reneg - finished */ - TSAN_QUALIFIER int sess_miss; /* session lookup misses */ - TSAN_QUALIFIER int sess_timeout; /* reuse attempt on timeouted session */ - TSAN_QUALIFIER int sess_cache_full; /* session removed due to full cache */ - TSAN_QUALIFIER int sess_hit; /* session reuse actually done */ - TSAN_QUALIFIER int sess_cb_hit; /* session-id that was not in - * the cache was passed back via - * the callback. This indicates - * that the application is - * supplying session-id's from - * other processes - spooky - * :-) */ - } stats; -#ifdef TSAN_REQUIRES_LOCKING - CRYPTO_RWLOCK *tsan_lock; -#endif - - CRYPTO_REF_COUNT references; /* if defined, these override the X509_verify_cert() calls */ int (*app_verify_callback) (X509_STORE_CTX *, void *); void *app_verify_arg; + /* * before OpenSSL 0.9.7, 'app_verify_arg' was ignored * ('app_verify_callback' was called with just one argument) */ - /* Default password callback. */ pem_password_cb *default_passwd_callback; @@ -908,11 +886,7 @@ struct ssl_ctx_st { CRYPTO_EX_DATA ex_data; - const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ - const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ - STACK_OF(X509) *extra_certs; - STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ /* Default values used when no per-SSL value is defined follow */ @@ -940,7 +914,7 @@ struct ssl_ctx_st { size_t max_cert_list; struct cert_st /* CERT */ *cert; - SSL_CERT_LOOKUP *ssl_cert_info; + int read_ahead; /* callback that allows applications to peek at protocol messages */ @@ -961,7 +935,6 @@ struct ssl_ctx_st { int quiet_shutdown; # ifndef OPENSSL_NO_CT - CTLOG_STORE *ctlog_store; /* CT Log Store */ /* * Validates that the SCTs (Signed Certificate Timestamps) are sufficient. * If they are not, the connection should be aborted. @@ -970,6 +943,7 @@ struct ssl_ctx_st { void *ct_validation_callback_arg; # endif + /* * If we're using more than one pipeline how should we divide the data * up between the pipes? @@ -1091,25 +1065,12 @@ struct ssl_ctx_st { SSL_psk_find_session_cb_func psk_find_session_cb; SSL_psk_use_session_cb_func psk_use_session_cb; -# ifndef OPENSSL_NO_SRP - SRP_CTX srp_ctx; /* ctx for SRP authentication */ -# endif - - /* Shared DANE context */ - struct dane_ctx_st dane; - -# ifndef OPENSSL_NO_SRTP - /* SRTP profiles we are willing to do from RFC 5764 */ - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; -# endif /* * Callback for disabling session caching and ticket support on a session * basis, depending on the chosen cipher. */ int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure); - CRYPTO_RWLOCK *lock; - /* * Callback for logging key material for use with debugging tools like * Wireshark. The callback should log `line` followed by a newline. @@ -1152,6 +1113,64 @@ struct ssl_ctx_st { SSL_async_callback_fn async_cb; void *async_cb_arg; +}; + +struct ssl_ctx_st { + OSSL_LIB_CTX *libctx; + struct ssl_ctx_cnf_st *cnf; + + LHASH_OF(SSL_SESSION) *sessions; + struct ssl_session_st *session_cache_head; + struct ssl_session_st *session_cache_tail; + struct { + TSAN_QUALIFIER int sess_connect; /* SSL new conn - started */ + TSAN_QUALIFIER int sess_connect_renegotiate; /* SSL reneg - requested */ + TSAN_QUALIFIER int sess_connect_good; /* SSL new conne/reneg - finished */ + TSAN_QUALIFIER int sess_accept; /* SSL new accept - started */ + TSAN_QUALIFIER int sess_accept_renegotiate; /* SSL reneg - requested */ + TSAN_QUALIFIER int sess_accept_good; /* SSL accept/reneg - finished */ + TSAN_QUALIFIER int sess_miss; /* session lookup misses */ + TSAN_QUALIFIER int sess_timeout; /* reuse attempt on timeouted session */ + TSAN_QUALIFIER int sess_cache_full; /* session removed due to full cache */ + TSAN_QUALIFIER int sess_hit; /* session reuse actually done */ + TSAN_QUALIFIER int sess_cb_hit; /* session-id that was not in + * the cache was passed back via + * the callback. This indicates + * that the application is + * supplying session-id's from + * other processes - spooky + * :-) */ + } stats; +#ifdef TSAN_REQUIRES_LOCKING + CRYPTO_RWLOCK *tsan_lock; +#endif + + CRYPTO_REF_COUNT references; + + const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ + const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ + SSL_CERT_LOOKUP *ssl_cert_info; + + STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ + +# ifndef OPENSSL_NO_CT + CTLOG_STORE *ctlog_store; /* CT Log Store */ +# endif + +# ifndef OPENSSL_NO_SRP + SRP_CTX srp_ctx; /* ctx for SRP authentication */ +# endif + + /* Shared DANE context */ + struct dane_ctx_st dane; + +# ifndef OPENSSL_NO_SRTP + /* SRTP profiles we are willing to do from RFC 5764 */ + STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; +# endif + + CRYPTO_RWLOCK *lock; + char *propq; int ssl_mac_pkey_id[SSL_MD_NUM_IDX]; diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c index c2366e41e365db..f524711cbdf01c 100644 --- a/ssl/ssl_mcnf.c +++ b/ssl/ssl_mcnf.c @@ -56,7 +56,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) SSL_CONF_CTX_set_ssl(cctx, s); libctx = s->ctx->libctx; } else { - meth = ctx->method; + meth = ctx->cnf->method; SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); libctx = ctx->libctx; } diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index c245c24080f36a..6dc6ea7526e968 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -239,7 +239,7 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) ERR_raise(ERR_LIB_SSL, rv); return 0; } - return ssl_set_cert(ctx->cert, x, ctx); + return ssl_set_cert(ctx->cnf->cert, x, ctx); } static int ssl_set_cert(CERT *c, X509 *x, SSL_CTX *ctx) @@ -321,8 +321,8 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) cert = d2i_X509_bio(in, &x); } else if (type == SSL_FILETYPE_PEM) { j = ERR_R_PEM_LIB; - cert = PEM_read_bio_X509(in, &x, ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); + cert = PEM_read_bio_X509(in, &x, ctx->cnf->default_passwd_callback, + ctx->cnf->default_passwd_callback_userdata); } else { ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE); goto end; @@ -367,7 +367,7 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - return ssl_set_pkey(ctx->cert, pkey, ctx); + return ssl_set_pkey(ctx->cnf->cert, pkey, ctx); } int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) @@ -389,8 +389,8 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) if (type == SSL_FILETYPE_PEM) { j = ERR_R_PEM_LIB; pkey = PEM_read_bio_PrivateKey_ex(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata, + ctx->cnf->default_passwd_callback, + ctx->cnf->default_passwd_callback_userdata, ctx->libctx, ctx->propq); } else if (type == SSL_FILETYPE_ASN1) { j = ERR_R_ASN1_LIB; @@ -450,8 +450,8 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file) * SSL_CTX_use_certificate() */ if (ctx != NULL) { - passwd_callback = ctx->default_passwd_callback; - passwd_callback_userdata = ctx->default_passwd_callback_userdata; + passwd_callback = ctx->cnf->default_passwd_callback; + passwd_callback_userdata = ctx->cnf->default_passwd_callback_userdata; } else { SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl); @@ -798,17 +798,17 @@ int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version, ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_SERVERINFO_DATA); return 0; } - if (ctx->cert->key == NULL) { + if (ctx->cnf->cert->key == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); return 0; } - new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, + new_serverinfo = OPENSSL_realloc(ctx->cnf->cert->key->serverinfo, serverinfo_length); if (new_serverinfo == NULL) return 0; - ctx->cert->key->serverinfo = new_serverinfo; - memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length); - ctx->cert->key->serverinfo_length = serverinfo_length; + ctx->cnf->cert->key->serverinfo = new_serverinfo; + memcpy(ctx->cnf->cert->key->serverinfo, serverinfo, serverinfo_length); + ctx->cnf->cert->key->serverinfo_length = serverinfo_length; /* * Now that the serverinfo is validated and stored, go ahead and @@ -958,7 +958,7 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr (sc = SSL_CONNECTION_FROM_SSL(ssl)) == NULL) return 0; - c = sc != NULL ? sc->cert : ctx->cert; + c = sc != NULL ? sc->cert : ctx->cnf->cert; /* Do all security checks before anything else */ rv = ssl_security_cert(sc, ctx, x509, 0, 1); if (rv != 1) { diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 3dcc4d81e5bc63..abe748e4eb3390 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -377,8 +377,8 @@ int ssl_generate_session_id(SSL_CONNECTION *s, SSL_SESSION *ss) } if (s->generate_session_id) cb = s->generate_session_id; - else if (s->session_ctx->generate_session_id) - cb = s->session_ctx->generate_session_id; + else if (s->session_ctx->cnf->generate_session_id) + cb = s->session_ctx->cnf->generate_session_id; CRYPTO_THREAD_unlock(s->session_ctx->lock); CRYPTO_THREAD_unlock(ssl->lock); /* Choose a session ID */ @@ -423,10 +423,10 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session) } /* If the context has a default timeout, use it */ - if (ossl_time_is_zero(s->session_ctx->session_timeout)) + if (ossl_time_is_zero(s->session_ctx->cnf->session_timeout)) ss->timeout = SSL_CONNECTION_GET_SSL(s)->method->get_timeout(); else - ss->timeout = s->session_ctx->session_timeout; + ss->timeout = s->session_ctx->cnf->session_timeout; ssl_session_calculate_timeout(ss); SSL_SESSION_free(s->session); @@ -473,7 +473,7 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s, { SSL_SESSION *ret = NULL; - if ((s->session_ctx->session_cache_mode + if ((s->session_ctx->cnf->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) == 0) { SSL_SESSION data; @@ -496,10 +496,10 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s, ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); } - if (ret == NULL && s->session_ctx->get_session_cb != NULL) { + if (ret == NULL && s->session_ctx->cnf->get_session_cb != NULL) { int copy = 1; - ret = s->session_ctx->get_session_cb(SSL_CONNECTION_GET_SSL(s), + ret = s->session_ctx->cnf->get_session_cb(SSL_CONNECTION_GET_SSL(s), sess_id, sess_id_len, ©); if (ret != NULL) { @@ -520,7 +520,7 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s, * Add the externally cached session to the internal cache as * well if and only if we are supposed to. */ - if ((s->session_ctx->session_cache_mode & + if ((s->session_ctx->cnf->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0) { /* * Either return value of SSL_CTX_add_session should not @@ -736,7 +736,7 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) } /* Adjust last used time, and add back into the cache at the appropriate spot */ - if (ctx->session_cache_mode & SSL_SESS_CACHE_UPDATE_TIME) { + if (ctx->cnf->session_cache_mode & SSL_SESS_CACHE_UPDATE_TIME) { c->time = ossl_time_now(); ssl_session_calculate_timeout(c); } @@ -799,8 +799,8 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if (lck) CRYPTO_THREAD_unlock(ctx->lock); - if (ctx->remove_session_cb != NULL) - ctx->remove_session_cb(ctx, c); + if (ctx->cnf->remove_session_cb != NULL) + ctx->cnf->remove_session_cb(ctx, c); if (ret) SSL_SESSION_free(r); @@ -1080,8 +1080,8 @@ long SSL_CTX_set_timeout(SSL_CTX *s, long t) if (s == NULL) return 0; - l = (long)ossl_time2seconds(s->session_timeout); - s->session_timeout = ossl_seconds2time(t); + l = (long)ossl_time2seconds(s->cnf->session_timeout); + s->cnf->session_timeout = ossl_seconds2time(t); return l; } @@ -1089,7 +1089,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *s) { if (s == NULL) return 0; - return (long)ossl_time2seconds(s->session_timeout); + return (long)ossl_time2seconds(s->cnf->session_timeout); } int SSL_set_session_secret_cb(SSL *s, @@ -1176,8 +1176,8 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t) lh_SSL_SESSION_delete(s->sessions, current); SSL_SESSION_list_remove(s, current); current->not_resumable = 1; - if (s->remove_session_cb != NULL) - s->remove_session_cb(s, current); + if (s->cnf->remove_session_cb != NULL) + s->cnf->remove_session_cb(s, current); /* * Throw the session on a stack, it's entirely plausible * that while freeing outside the critical section, the @@ -1293,22 +1293,22 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb) (struct ssl_st *ssl, SSL_SESSION *sess)) { - ctx->new_session_cb = cb; + ctx->cnf->new_session_cb = cb; } int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)) (SSL *ssl, SSL_SESSION *sess) { - return ctx->new_session_cb; + return ctx->cnf->new_session_cb; } void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb) (SSL_CTX *ctx, SSL_SESSION *sess)) { - ctx->remove_session_cb = cb; + ctx->cnf->remove_session_cb = cb; } void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)) (SSL_CTX *ctx, SSL_SESSION *sess) { - return ctx->remove_session_cb; + return ctx->cnf->remove_session_cb; } void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, @@ -1316,37 +1316,37 @@ void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, const unsigned char *data, int len, int *copy)) { - ctx->get_session_cb = cb; + ctx->cnf->get_session_cb = cb; } SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx)) (SSL *ssl, const unsigned char *data, int len, int *copy) { - return ctx->get_session_cb; + return ctx->cnf->get_session_cb; } void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb) (const SSL *ssl, int type, int val)) { - ctx->info_callback = cb; + ctx->cnf->info_callback = cb; } void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type, int val) { - return ctx->info_callback; + return ctx->cnf->info_callback; } void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, X509 **x509, EVP_PKEY **pkey)) { - ctx->client_cert_cb = cb; + ctx->cnf->client_cert_cb = cb; } int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx)) (SSL *ssl, X509 **x509, EVP_PKEY **pkey) { - return ctx->client_cert_cb; + return ctx->cnf->client_cert_cb; } void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, @@ -1354,7 +1354,7 @@ void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, unsigned char *cookie, unsigned int *cookie_len)) { - ctx->app_gen_cookie_cb = cb; + ctx->cnf->app_gen_cookie_cb = cb; } void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, @@ -1362,7 +1362,7 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, const unsigned char *cookie, unsigned int cookie_len)) { - ctx->app_verify_cookie_cb = cb; + ctx->cnf->app_verify_cookie_cb = cb; } int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len) @@ -1394,7 +1394,7 @@ void SSL_CTX_set_stateless_cookie_generate_cb( unsigned char *cookie, size_t *cookie_len)) { - ctx->gen_stateless_cookie_cb = cb; + ctx->cnf->gen_stateless_cookie_cb = cb; } void SSL_CTX_set_stateless_cookie_verify_cb( @@ -1403,7 +1403,7 @@ void SSL_CTX_set_stateless_cookie_verify_cb( const unsigned char *cookie, size_t cookie_len)) { - ctx->verify_stateless_cookie_cb = cb; + ctx->cnf->verify_stateless_cookie_cb = cb; } IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 0a64ca2246987e..c6cbd4331cb1d3 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -997,12 +997,12 @@ static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent) return 0; } - if (sctx->ext.servername_cb != NULL) - ret = sctx->ext.servername_cb(ssl, &altmp, - sctx->ext.servername_arg); - else if (s->session_ctx->ext.servername_cb != NULL) - ret = s->session_ctx->ext.servername_cb(ssl, &altmp, - s->session_ctx->ext.servername_arg); + if (sctx->cnf->ext.servername_cb != NULL) + ret = sctx->cnf->ext.servername_cb(ssl, &altmp, + sctx->cnf->ext.servername_arg); + else if (s->session_ctx->cnf->ext.servername_cb != NULL) + ret = s->session_ctx->cnf->ext.servername_cb(ssl, &altmp, + s->session_ctx->cnf->ext.servername_arg); /* * For servers, propagate the SNI hostname from the temporary diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 381a6c9d7b9099..5499c1294dc93c 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -390,7 +390,7 @@ EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { - if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL + if (SSL_CONNECTION_GET_CTX(s)->cnf->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) return EXT_RETURN_NOT_SENT; @@ -1546,7 +1546,7 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, return 1; /* We must have requested it. */ - if (sctx->ext.npn_select_cb == NULL) { + if (sctx->cnf->ext.npn_select_cb == NULL) { SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); return 0; } @@ -1557,10 +1557,10 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, /* SSLfatal() already called */ return 0; } - if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s), + if (sctx->cnf->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s), &selected, &selected_len, PACKET_data(pkt), PACKET_remaining(pkt), - sctx->ext.npn_select_cb_arg) != + sctx->cnf->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); return 0; diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index 81f20b5f6bd048..086b320d3618b8 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -341,7 +341,7 @@ void custom_exts_free(custom_ext_methods *exts) /* Return true if a client custom extension exists, false otherwise */ int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type) { - return custom_ext_find(&ctx->cert->custext, ENDPOINT_CLIENT, ext_type, + return custom_ext_find(&ctx->cnf->cert->custext, ENDPOINT_CLIENT, ext_type, NULL) != NULL; } @@ -364,7 +364,7 @@ int ossl_tls_add_custom_ext_intern(SSL_CTX *ctx, custom_ext_methods *exts, return 0; if (exts == NULL) - exts = &ctx->cert->custext; + exts = &ctx->cnf->cert->custext; #ifndef OPENSSL_NO_CT /* diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 64ccb3ed6d1bef..2f5ab932d4be82 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -718,7 +718,7 @@ int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); /* Ignore any cookie if we're not set up to verify it */ - if (sctx->verify_stateless_cookie_cb == NULL + if (sctx->cnf->verify_stateless_cookie_cb == NULL || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0) return 1; @@ -741,8 +741,8 @@ int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, hctx = EVP_MD_CTX_create(); pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC", sctx->propq, - s->session_ctx->ext.cookie_hmac_key, - sizeof(s->session_ctx->ext.cookie_hmac_key)); + s->session_ctx->cnf->ext.cookie_hmac_key, + sizeof(s->session_ctx->cnf->ext.cookie_hmac_key)); if (hctx == NULL || pkey == NULL) { EVP_MD_CTX_free(hctx); EVP_PKEY_free(pkey); @@ -832,7 +832,7 @@ int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, } /* Verify the app cookie */ - if (sctx->verify_stateless_cookie_cb(ssl, + if (sctx->cnf->verify_stateless_cookie_cb(ssl, PACKET_data(&appcookie), PACKET_remaining(&appcookie)) == 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH); @@ -1484,11 +1484,11 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt, SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); s->s3.npn_seen = 0; - if (!npn_seen || sctx->ext.npn_advertised_cb == NULL) + if (!npn_seen || sctx->cnf->ext.npn_advertised_cb == NULL) return EXT_RETURN_NOT_SENT; - ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen, - sctx->ext.npn_advertised_cb_arg); + ret = sctx->cnf->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen, + sctx->cnf->ext.npn_advertised_cb_arg); if (ret == SSL_TLSEXT_ERR_OK) { if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) { @@ -1761,7 +1761,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt, if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0) return EXT_RETURN_NOT_SENT; - if (sctx->gen_stateless_cookie_cb == NULL) { + if (sctx->cnf->gen_stateless_cookie_cb == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET); return EXT_RETURN_FAIL; } @@ -1806,7 +1806,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt, } /* Generate the application cookie */ - if (sctx->gen_stateless_cookie_cb(ssl, appcookie1, + if (sctx->cnf->gen_stateless_cookie_cb(ssl, appcookie1, &appcookielen) == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); return EXT_RETURN_FAIL; @@ -1832,8 +1832,8 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt, hctx = EVP_MD_CTX_create(); pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC", sctx->propq, - s->session_ctx->ext.cookie_hmac_key, - sizeof(s->session_ctx->ext.cookie_hmac_key)); + s->session_ctx->cnf->ext.cookie_hmac_key, + sizeof(s->session_ctx->cnf->ext.cookie_hmac_key)); if (hctx == NULL || pkey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); goto err; diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 921d7cfb1e05df..4fa9c7718a0c15 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -315,8 +315,8 @@ static info_cb get_callback(SSL_CONNECTION *s) if (s->info_callback != NULL) return s->info_callback; - else if (sctx->info_callback != NULL) - return sctx->info_callback; + else if (sctx->cnf->info_callback != NULL) + return sctx->cnf->info_callback; return NULL; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index cbf5a57bebf47c..f5962eb00342f3 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2733,7 +2733,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, goto err; } - if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 + if ((s->session_ctx->cnf->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 && !SSL_CONNECTION_IS_TLS13(s)) { /* * In TLSv1.2 and below the arrival of a new tickets signals that @@ -2928,9 +2928,9 @@ int tls_process_initial_server_flight(SSL_CONNECTION *s) * message, or NULL and -1 otherwise */ if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing - && sctx->ext.status_cb != NULL) { - int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s), - sctx->ext.status_arg); + && sctx->cnf->ext.status_cb != NULL) { + int ret = sctx->cnf->ext.status_cb(SSL_CONNECTION_GET_SSL(s), + sctx->cnf->ext.status_arg); if (ret == 0) { SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, @@ -4047,14 +4047,14 @@ int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey) SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); #ifndef OPENSSL_NO_ENGINE - if (sctx->client_cert_engine) { + if (sctx->cnf->client_cert_engine) { i = tls_engine_load_ssl_client_cert(s, px509, ppkey); if (i != 0) return i; } #endif - if (sctx->client_cert_cb) - i = sctx->client_cert_cb(SSL_CONNECTION_GET_SSL(s), px509, ppkey); + if (sctx->cnf->client_cert_cb) + i = sctx->cnf->client_cert_cb(SSL_CONNECTION_GET_SSL(s), px509, ppkey); return i; } diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index d979b6d5fc4377..34433d7d634a7d 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1015,14 +1015,14 @@ static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk, i if (cpk->chain != NULL) extra_certs = cpk->chain; else - extra_certs = sctx->extra_certs; + extra_certs = sctx->cnf->extra_certs; if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) chain_store = NULL; else if (s->cert->chain_store) chain_store = s->cert->chain_store; else - chain_store = sctx->cert_store; + chain_store = sctx->cnf->cert_store; if (chain_store != NULL) { X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx, @@ -1475,7 +1475,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, * We encourage applications to only use TLSv1.3 tickets once, * so we remove this one from the cache. */ - if ((s->session_ctx->session_cache_mode + if ((s->session_ctx->cnf->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0) SSL_CTX_remove_session(s->session_ctx, s->session); } else { @@ -1505,8 +1505,8 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, if (s->info_callback != NULL) cb = s->info_callback; - else if (sctx->info_callback != NULL) - cb = sctx->info_callback; + else if (sctx->cnf->info_callback != NULL) + cb = sctx->cnf->info_callback; /* The callback may expect us to not be in init at handshake done */ ossl_statem_set_in_init(s, 0); @@ -1902,8 +1902,8 @@ static int is_tls13_capable(const SSL_CONNECTION *s) * A servername callback can change the available certs, so if a servername * cb is set then we just assume TLSv1.3 will be ok */ - if (sctx->ext.servername_cb != NULL - || s->session_ctx->ext.servername_cb != NULL) + if (sctx->cnf->ext.servername_cb != NULL + || s->session_ctx->cnf->ext.servername_cb != NULL) return 1; #ifndef OPENSSL_NO_PSK diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 853af8c0aa9f93..7d24eeea22d39d 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1382,8 +1382,8 @@ CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s, unsigned int cookie_leni; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); - if (sctx->app_gen_cookie_cb == NULL - || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_SSL(s), s->d1->cookie, + if (sctx->cnf->app_gen_cookie_cb == NULL + || sctx->cnf->app_gen_cookie_cb(SSL_CONNECTION_GET_SSL(s), s->d1->cookie, &cookie_leni) == 0 || cookie_leni > DTLS1_COOKIE_LENGTH) { SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); @@ -1700,9 +1700,9 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) /* Finished parsing the ClientHello, now we can start processing it */ /* Give the ClientHello callback a crack at things */ - if (sctx->client_hello_cb != NULL) { + if (sctx->cnf->client_hello_cb != NULL) { /* A failure in the ClientHello callback terminates the connection. */ - switch (sctx->client_hello_cb(ssl, &al, sctx->client_hello_cb_arg)) { + switch (sctx->cnf->client_hello_cb(ssl, &al, sctx->cnf->client_hello_cb_arg)) { case SSL_CLIENT_HELLO_SUCCESS: break; case SSL_CLIENT_HELLO_RETRY: @@ -1766,8 +1766,8 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) if (SSL_CONNECTION_IS_DTLS(s)) { /* Empty cookie was already handled above by returning early. */ if (SSL_get_options(ssl) & SSL_OP_COOKIE_EXCHANGE) { - if (sctx->app_verify_cookie_cb != NULL) { - if (sctx->app_verify_cookie_cb(ssl, clienthello->dtls_cookie, + if (sctx->cnf->app_verify_cookie_cb != NULL) { + if (sctx->cnf->app_verify_cookie_cb(ssl, clienthello->dtls_cookie, clienthello->dtls_cookie_len) == 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH); @@ -2169,7 +2169,7 @@ static int tls_handle_status_request(SSL_CONNECTION *s) * influence which certificate is sent */ if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && sctx != NULL - && sctx->ext.status_cb != NULL) { + && sctx->cnf->ext.status_cb != NULL) { int ret; /* If no certificate can't return certificate status */ @@ -2179,8 +2179,8 @@ static int tls_handle_status_request(SSL_CONNECTION *s) * et al can pick it up. */ s->cert->key = s->s3.tmp.cert; - ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s), - sctx->ext.status_arg); + ret = sctx->cnf->ext.status_cb(SSL_CONNECTION_GET_SSL(s), + sctx->cnf->ext.status_arg); switch (ret) { /* We don't want to send a status request response */ case SSL_TLSEXT_ERR_NOACK: @@ -2213,12 +2213,12 @@ int tls_handle_alpn(SSL_CONNECTION *s) unsigned char selected_len = 0; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); - if (sctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) { - int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_SSL(s), + if (sctx->cnf->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) { + int r = sctx->cnf->ext.alpn_select_cb(SSL_CONNECTION_GET_SSL(s), &selected, &selected_len, s->s3.alpn_proposed, (unsigned int)s->s3.alpn_proposed_len, - sctx->ext.alpn_select_cb_arg); + sctx->cnf->ext.alpn_select_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { OPENSSL_free(s->s3.alpn_selected); @@ -2446,7 +2446,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) * to send back. */ if (s->session->not_resumable || - (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER) + (!(SSL_CONNECTION_GET_CTX(s)->cnf->session_cache_mode & SSL_SESS_CACHE_SERVER) && !s->hit)) s->session->session_id_length = 0; @@ -4019,21 +4019,21 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, * all the work otherwise use generated values from parent ctx. */ #ifndef OPENSSL_NO_DEPRECATED_3_0 - if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) + if (tctx->cnf->ext.ticket_key_evp_cb != NULL || tctx->cnf->ext.ticket_key_cb != NULL) #else - if (tctx->ext.ticket_key_evp_cb != NULL) + if (tctx->cnf->ext.ticket_key_evp_cb != NULL) #endif { int ret = 0; - if (tctx->ext.ticket_key_evp_cb != NULL) - ret = tctx->ext.ticket_key_evp_cb(ssl, key_name, iv, ctx, + if (tctx->cnf->ext.ticket_key_evp_cb != NULL) + ret = tctx->cnf->ext.ticket_key_evp_cb(ssl, key_name, iv, ctx, ssl_hmac_get0_EVP_MAC_CTX(hctx), 1); #ifndef OPENSSL_NO_DEPRECATED_3_0 - else if (tctx->ext.ticket_key_cb != NULL) + else if (tctx->cnf->ext.ticket_key_cb != NULL) /* if 0 is returned, write an empty ticket */ - ret = tctx->ext.ticket_key_cb(ssl, key_name, iv, ctx, + ret = tctx->cnf->ext.ticket_key_cb(ssl, key_name, iv, ctx, ssl_hmac_get0_HMAC_CTX(hctx), 1); #endif @@ -4081,17 +4081,17 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, if (iv_len < 0 || RAND_bytes_ex(sctx->libctx, iv, iv_len, 0) <= 0 || !EVP_EncryptInit_ex(ctx, cipher, NULL, - tctx->ext.secure->tick_aes_key, iv) - || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, - sizeof(tctx->ext.secure->tick_hmac_key), + tctx->cnf->ext.secure->tick_aes_key, iv) + || !ssl_hmac_init(hctx, tctx->cnf->ext.secure->tick_hmac_key, + sizeof(tctx->cnf->ext.secure->tick_hmac_key), "SHA256")) { EVP_CIPHER_free(cipher); SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } EVP_CIPHER_free(cipher); - memcpy(key_name, tctx->ext.tick_key_name, - sizeof(tctx->ext.tick_key_name)); + memcpy(key_name, tctx->cnf->ext.tick_key_name, + sizeof(tctx->cnf->ext.tick_key_name)); } if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { @@ -4262,9 +4262,9 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt s->session->ext.max_early_data = s->max_early_data; } - if (tctx->generate_ticket_cb != NULL && - tctx->generate_ticket_cb(SSL_CONNECTION_GET_SSL(s), - tctx->ticket_cb_data) == 0) { + if (tctx->cnf->generate_ticket_cb != NULL && + tctx->cnf->generate_ticket_cb(SSL_CONNECTION_GET_SSL(s), + tctx->cnf->ticket_cb_data) == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 631e1fdef93cef..21ed1f586fd956 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -404,16 +404,16 @@ int ssl_load_groups(SSL_CTX *ctx) if (num_deflt_grps == 0) return 1; - ctx->ext.supported_groups_default + ctx->cnf->ext.supported_groups_default = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps); - if (ctx->ext.supported_groups_default == NULL) + if (ctx->cnf->ext.supported_groups_default == NULL) return 0; - memcpy(ctx->ext.supported_groups_default, + memcpy(ctx->cnf->ext.supported_groups_default, tmp_supp_groups, num_deflt_grps * sizeof(tmp_supp_groups[0])); - ctx->ext.supported_groups_default_len = num_deflt_grps; + ctx->cnf->ext.supported_groups_default_len = num_deflt_grps; return 1; } @@ -832,8 +832,8 @@ void tls1_get_supported_groups(SSL_CONNECTION *s, const uint16_t **pgroups, default: if (s->ext.supportedgroups == NULL) { - *pgroups = sctx->ext.supported_groups_default; - *pgroupslen = sctx->ext.supported_groups_default_len; + *pgroups = sctx->cnf->ext.supported_groups_default; + *pgroupslen = sctx->cnf->ext.supported_groups_default_len; } else { *pgroups = s->ext.supportedgroups; *pgroupslen = s->ext.supportedgroups_len; @@ -2274,24 +2274,24 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, goto end; } #ifndef OPENSSL_NO_DEPRECATED_3_0 - if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) + if (tctx->cnf->ext.ticket_key_evp_cb != NULL || tctx->cnf->ext.ticket_key_cb != NULL) #else - if (tctx->ext.ticket_key_evp_cb != NULL) + if (tctx->cnf->ext.ticket_key_evp_cb != NULL) #endif { unsigned char *nctick = (unsigned char *)etick; int rv = 0; - if (tctx->ext.ticket_key_evp_cb != NULL) - rv = tctx->ext.ticket_key_evp_cb(SSL_CONNECTION_GET_SSL(s), nctick, + if (tctx->cnf->ext.ticket_key_evp_cb != NULL) + rv = tctx->cnf->ext.ticket_key_evp_cb(SSL_CONNECTION_GET_SSL(s), nctick, nctick + TLSEXT_KEYNAME_LENGTH, ctx, ssl_hmac_get0_EVP_MAC_CTX(hctx), 0); #ifndef OPENSSL_NO_DEPRECATED_3_0 - else if (tctx->ext.ticket_key_cb != NULL) + else if (tctx->cnf->ext.ticket_key_cb != NULL) /* if 0 is returned, write an empty ticket */ - rv = tctx->ext.ticket_key_cb(SSL_CONNECTION_GET_SSL(s), nctick, + rv = tctx->cnf->ext.ticket_key_cb(SSL_CONNECTION_GET_SSL(s), nctick, nctick + TLSEXT_KEYNAME_LENGTH, ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0); #endif @@ -2309,7 +2309,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, EVP_CIPHER *aes256cbc = NULL; /* Check key name matches */ - if (memcmp(etick, tctx->ext.tick_key_name, + if (memcmp(etick, tctx->cnf->ext.tick_key_name, TLSEXT_KEYNAME_LENGTH) != 0) { ret = SSL_TICKET_NO_DECRYPT; goto end; @@ -2318,11 +2318,11 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, aes256cbc = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC", sctx->propq); if (aes256cbc == NULL - || ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, - sizeof(tctx->ext.secure->tick_hmac_key), + || ssl_hmac_init(hctx, tctx->cnf->ext.secure->tick_hmac_key, + sizeof(tctx->cnf->ext.secure->tick_hmac_key), "SHA256") <= 0 || EVP_DecryptInit_ex(ctx, aes256cbc, NULL, - tctx->ext.secure->tick_aes_key, + tctx->cnf->ext.secure->tick_aes_key, etick + TLSEXT_KEYNAME_LENGTH) <= 0) { EVP_CIPHER_free(aes256cbc); ret = SSL_TICKET_FATAL_ERR_OTHER; @@ -2426,7 +2426,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, * detected above. The callback is responsible for checking |ret| before it * performs any action */ - if (s->session_ctx->decrypt_ticket_cb != NULL + if (s->session_ctx->cnf->decrypt_ticket_cb != NULL && (ret == SSL_TICKET_EMPTY || ret == SSL_TICKET_NO_DECRYPT || ret == SSL_TICKET_SUCCESS @@ -2436,10 +2436,10 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, if (keyname_len > TLSEXT_KEYNAME_LENGTH) keyname_len = TLSEXT_KEYNAME_LENGTH; - retcb = s->session_ctx->decrypt_ticket_cb(SSL_CONNECTION_GET_SSL(s), + retcb = s->session_ctx->cnf->decrypt_ticket_cb(SSL_CONNECTION_GET_SSL(s), sess, etick, keyname_len, ret, - s->session_ctx->ticket_cb_data); + s->session_ctx->cnf->ticket_cb_data); switch (retcb) { case SSL_TICKET_RETURN_ABORT: ret = SSL_TICKET_FATAL_ERR_OTHER; @@ -3858,7 +3858,7 @@ int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) return 0; } - ctx->ext.max_fragment_len_mode = mode; + ctx->cnf->ext.max_fragment_len_mode = mode; return 1; } @@ -3896,8 +3896,8 @@ SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx) if (ret == NULL) return NULL; #ifndef OPENSSL_NO_DEPRECATED_3_0 - if (ctx->ext.ticket_key_evp_cb == NULL - && ctx->ext.ticket_key_cb != NULL) { + if (ctx->cnf->ext.ticket_key_evp_cb == NULL + && ctx->cnf->ext.ticket_key_cb != NULL) { if (!ssl_hmac_old_new(ret)) goto err; return ret; diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 85ed9f25f92959..df90892aa6979a 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -69,7 +69,7 @@ int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509, { SSL *ssl = SSL_CONNECTION_GET_SSL(s); - return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine, + return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->cnf->client_cert_engine, ssl, SSL_get_client_CA_list(ssl), px509, ppkey, NULL, NULL, NULL); @@ -88,7 +88,7 @@ int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) ENGINE_finish(e); return 0; } - ctx->client_cert_engine = e; + ctx->cnf->client_cert_engine = e; return 1; } #endif diff --git a/test/sslapitest.c b/test/sslapitest.c index 9539b4cf3a658a..e6e6c88eb3d0b0 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -9625,6 +9625,55 @@ static int test_pluggable_signature(int idx) #endif #ifndef OPENSSL_NO_TLS1_2 +static int test_ssl_ctx_dup(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL_CTX *cctx_dup = NULL, *sctx_dup = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), + 0, + 0, + &sctx, &cctx, cert, privkey))) + goto end; + + if (!TEST_ptr(cctx_dup = SSL_CTX_dup(libctx, cctx, NULL, TLS_client_method()))) + goto end; + + if (!TEST_ptr(sctx_dup = SSL_CTX_dup(libctx, sctx, NULL, TLS_server_method()))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx_dup, cctx_dup, &serverssl, &clientssl, + NULL, NULL))) + goto end; + + if (!TEST_ptr(clientssl) + || !TEST_ptr_ne(sctx, sctx_dup) + || !TEST_ptr_ne(cctx, cctx_dup)) + goto end; + + if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) + || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + testresult = 1; + +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + SSL_CTX_free(sctx_dup); + SSL_CTX_free(cctx_dup); + + return testresult; +} + static int test_ssl_dup(void) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -11415,6 +11464,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_pluggable_signature, 4); #endif #ifndef OPENSSL_NO_TLS1_2 + ADD_TEST(test_ssl_ctx_dup); ADD_TEST(test_ssl_dup); # ifndef OPENSSL_NO_DH ADD_ALL_TESTS(test_set_tmp_dh, 11); diff --git a/util/libssl.num b/util/libssl.num index 225064943ba31f..f916b5e4e0d030 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -577,3 +577,4 @@ SSL_handle_events ? 3_2_0 EXIST::FUNCTION: SSL_get_event_timeout ? 3_2_0 EXIST::FUNCTION: SSL_get0_group_name ? 3_2_0 EXIST::FUNCTION: SSL_is_stream_local ? 3_2_0 EXIST::FUNCTION: +SSL_CTX_dup ? 3_2_0 EXIST::FUNCTION: