Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@
2025-01-10 06:47:55 -08:00 · 2017-01-23 01:22:08 +00:00 · 2017-01-23 01:22:08 +00:00 · bdad0337c5
commit bdad0337c5
parent ffb13b436d
7 changed files with 50 additions and 47 deletions
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.163 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.164 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -600,7 +600,7 @@ ssl3_client_hello(SSL *s)
 		if ((sess == NULL) ||
 		    (sess->ssl_version != s->version) ||
 		    (!sess->session_id_length && !sess->tlsext_tick) ||
-		    (sess->not_resumable)) {
+		    (sess->internal->not_resumable)) {
 			if (!ssl_get_new_session(s, 0))
 				goto err;
 		}
@ -1037,9 +1037,9 @@ ssl3_get_server_certificate(SSL *s)
 	sc = ssl_sess_cert_new();
 	if (sc == NULL)
 		goto err;
-	if (s->session->sess_cert)
-		ssl_sess_cert_free(s->session->sess_cert);
-	s->session->sess_cert = sc;
+	if (SSI(s)->sess_cert)
+		ssl_sess_cert_free(SSI(s)->sess_cert);
+	SSI(s)->sess_cert = sc;

 	sc->cert_chain = sk;
 	/*
@ -1114,7 +1114,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
 	int al;

 	alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
-	sc = s->session->sess_cert;
+	sc = SSI(s)->sess_cert;

 	if (*nn < 0)
 		goto err;
@ -1281,7 +1281,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
 	int al;

 	alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
-	sc = s->session->sess_cert;
+	sc = SSI(s)->sess_cert;

 	if (*nn < 0)
 		goto err;
@ -1397,18 +1397,18 @@ ssl3_get_server_key_exchange(SSL *s)
 		return (1);
 	}

-	if (s->session->sess_cert != NULL) {
-		DH_free(s->session->sess_cert->peer_dh_tmp);
-		s->session->sess_cert->peer_dh_tmp = NULL;
+	if (SSI(s)->sess_cert != NULL) {
+		DH_free(SSI(s)->sess_cert->peer_dh_tmp);
+		SSI(s)->sess_cert->peer_dh_tmp = NULL;

-		EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
-		s->session->sess_cert->peer_ecdh_tmp = NULL;
+		EC_KEY_free(SSI(s)->sess_cert->peer_ecdh_tmp);
+		SSI(s)->sess_cert->peer_ecdh_tmp = NULL;

-		free(s->session->sess_cert->peer_x25519_tmp);
-		s->session->sess_cert->peer_x25519_tmp = NULL;
+		free(SSI(s)->sess_cert->peer_x25519_tmp);
+		SSI(s)->sess_cert->peer_x25519_tmp = NULL;
 	} else {
-		s->session->sess_cert = ssl_sess_cert_new();
-		if (s->session->sess_cert == NULL)
+		SSI(s)->sess_cert = ssl_sess_cert_new();
+		if (SSI(s)->sess_cert == NULL)
 			goto err;
 	}

@ -2341,7 +2341,7 @@ ssl3_send_client_key_exchange(SSL *s)
 	if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
 		alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;

-		if ((sess_cert = s->session->sess_cert) == NULL) {
+		if ((sess_cert = SSI(s)->sess_cert) == NULL) {
 			ssl3_send_alert(s, SSL3_AL_FATAL,
 			    SSL_AD_UNEXPECTED_MESSAGE);
 			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
@ -2636,13 +2636,13 @@ ssl3_check_cert_and_algorithm(SSL *s)
 	if (alg_a & SSL_aNULL)
 		return (1);

-	sc = s->session->sess_cert;
+	sc = SSI(s)->sess_cert;
 	if (sc == NULL) {
 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
 		    ERR_R_INTERNAL_ERROR);
 		goto err;
 	}
-	dh = s->session->sess_cert->peer_dh_tmp;
+	dh = SSI(s)->sess_cert->peer_dh_tmp;

 	/* This is the passed certificate. */

--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.120 2017/01/22 09:02:07 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.121 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -1928,10 +1928,10 @@ ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp)

 	if (s->server != 0)
 		return 0;
-	if (s->session == NULL || s->session->sess_cert == NULL)
+	if (s->session == NULL || SSI(s)->sess_cert == NULL)
 		return 0;

-	sc = s->session->sess_cert;
+	sc = SSI(s)->sess_cert;

 	if ((pkey = EVP_PKEY_new()) == NULL)
 		return 0;
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.142 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.143 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -2593,17 +2593,17 @@ ssl3_get_client_certificate(SSL *s)
 	 * With the current implementation, sess_cert will always be NULL
 	 * when we arrive here
 	 */
-	if (s->session->sess_cert == NULL) {
-		s->session->sess_cert = ssl_sess_cert_new();
-		if (s->session->sess_cert == NULL) {
+	if (SSI(s)->sess_cert == NULL) {
+		SSI(s)->sess_cert = ssl_sess_cert_new();
+		if (SSI(s)->sess_cert == NULL) {
 			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
 			    ERR_R_MALLOC_FAILURE);
 			goto err;
 		}
 	}
-	if (s->session->sess_cert->cert_chain != NULL)
-		sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-	s->session->sess_cert->cert_chain = sk;
+	if (SSI(s)->sess_cert->cert_chain != NULL)
+		sk_X509_pop_free(SSI(s)->sess_cert->cert_chain, X509_free);
+	SSI(s)->sess_cert->cert_chain = sk;

 	/*
 	 * Inconsistency alert: cert_chain does *not* include the
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.108 2017/01/23 01:04:23 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.109 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -464,28 +464,23 @@ struct ssl_session_st {

 	int master_key_length;
 	unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
+
 	/* session_id - valid? */
 	unsigned int session_id_length;
 	unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+
 	/* this is used to determine whether the session is being reused in
 	 * the appropriate context. It is up to the application to set this,
 	 * via SSL_new */
 	unsigned int sid_ctx_length;
 	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];

-	/* Used to indicate that session resumption is not allowed.
-	 * Applications can also set this bit for a new session via
-	 * not_resumable_session_cb to disable session caching and tickets. */
-	int not_resumable;
-
-	/* The cert is the certificate used to establish this connection */
-	struct sess_cert_st /* SESS_CERT */ *sess_cert;
-
 	/* This is the cert for the other end.
 	 * On clients, it will be the same as sess_cert->peer_key->x509
 	 * (the latter is not enough as sess_cert is not retained
 	 * in the external representation of sessions, see ssl_asn1.c). */
 	X509 *peer;
+
 	/* when app_verify_callback accepts a session where the peer's certificate
 	 * is not ok, we must remember the error for session reuse: */
 	long verify_result; /* only for servers */
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.130 2017/01/23 00:12:54 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.131 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -826,10 +826,10 @@ SSL_get_peer_cert_chain(const SSL *s)
 	STACK_OF(X509)	*r;

 	if ((s == NULL) || (s->session == NULL) ||
-	    (s->session->sess_cert == NULL))
+	    (SSI(s)->sess_cert == NULL))
 		r = NULL;
 	else
-		r = s->session->sess_cert->cert_chain;
+		r = SSI(s)->sess_cert->cert_chain;

 	/*
 	 * If we are a client, cert_chain includes the peer's own
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.152 2017/01/23 00:12:55 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.153 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -373,6 +373,14 @@ __BEGIN_HIDDEN_DECLS
 #define NAMED_CURVE_TYPE           3

 typedef struct ssl_session_internal_st {
+	/* Used to indicate that session resumption is not allowed.
+	 * Applications can also set this bit for a new session via
+	 * not_resumable_session_cb to disable session caching and tickets. */
+	int not_resumable;
+
+	/* The cert is the certificate used to establish this connection */
+	struct sess_cert_st /* SESS_CERT */ *sess_cert;
+
 	size_t tlsext_ecpointformatlist_length;
 	uint8_t *tlsext_ecpointformatlist; /* peer's list */
 	size_t tlsext_ellipticcurvelist_length;
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.56 2017/01/23 00:12:55 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.57 2017/01/23 01:22:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -673,7 +673,7 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
 			CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);

 		if (ret) {
-			r->not_resumable = 1;
+			r->internal->not_resumable = 1;
 			if (ctx->remove_session_cb != NULL)
 				ctx->remove_session_cb(ctx, r);
 			SSL_SESSION_free(r);
@ -699,8 +699,8 @@ SSL_SESSION_free(SSL_SESSION *ss)

 	explicit_bzero(ss->master_key, sizeof ss->master_key);
 	explicit_bzero(ss->session_id, sizeof ss->session_id);
-	if (ss->sess_cert != NULL)
-		ssl_sess_cert_free(ss->sess_cert);
+	if (ss->internal->sess_cert != NULL)
+		ssl_sess_cert_free(ss->internal->sess_cert);
 	X509_free(ss->peer);
 	if (ss->ciphers != NULL)
 		sk_SSL_CIPHER_free(ss->ciphers);
@ -910,7 +910,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
 		 * save on locking overhead */
 		(void)lh_SSL_SESSION_delete(p->cache, s);
 		SSL_SESSION_list_remove(p->ctx, s);
-		s->not_resumable = 1;
+		s->internal->not_resumable = 1;
 		if (p->ctx->remove_session_cb != NULL)
 			p->ctx->remove_session_cb(p->ctx, s);
 		SSL_SESSION_free(s);