@andj
Created August 25, 2011 18:51
--- /tmp/removed123.txt 2011-08-25 20:51:12.490866386 +0200
+++ /tmp/added123.txt 2011-08-25 20:51:12.520881386 +0200
@@ -1,4 +1,40 @@
--- a/ssl.c
+++ b/ssl.c
+ CLEAR (*ks);
+
+ key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
+ session);
+++ b/ssl_backend.h
+/* **************************************
+ *
+ * Key-state specific functions
+ *
+ ***************************************/
+
+/**
+ * Initialise the SSL channel part of the given key state. Settings will be
+ * loaded from a previously initialised TLS context.
+ *
+ * @param ks_ssl The SSL channel's state info to initialise
+ * @param ssl_ctx The TLS context to use when initialising the channel.
+ * @param is_server Initialise a server?
+ * @param session The session associated with the given key_state
+ */
+void key_state_ssl_init(struct key_state_ssl *ks_ssl,
+ const struct tls_root_ctx *ssl_ctx, bool is_server, void *session);
+
+++ b/ssl_openssl.c
+/* **************************************
+ *
+ * Key-state specific functions
+ *
+ ***************************************/
+/*
+ *
+ * BIO functions
+ *
+ */
+
+/*
* OpenVPN's interface to SSL/TLS authentication,
* encryption, and decryption is exclusively
* through "memory BIOs".
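Review bot: The `@param session` line in the new ssl_backend.h docstring does not say that the pointer is retained: the implementation stores it in the SSL object with SSL_set_ex_data so the verify callback can read it back, which makes its lifetime part of the contract. I would extend the line to ` * @param session The session associated with the given key_state; it is stored in the SSL object for the verify callback and, presumably, must stay valid for as long as ks_ssl is in use`. Declaring it as `void *session` also drops the type that the caller in ssl.c (`session->opt->ssl_ctx`) clearly has; a forward-declared struct pointer in the header would keep the backend-independence while letting the compiler check the argument.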
@@ -13,33 +49,37 @@
return ret;
}
-/*
- CLEAR (*ks);
+void
+key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, void *session)
+{
+ ASSERT(NULL != ssl_ctx);
+ ASSERT(ks_ssl);
+ CLEAR (*ks_ssl);
- ks->ks_ssl.ssl = SSL_new (session->opt->ssl_ctx.ctx);
- if (!ks->ks_ssl.ssl)
+ ks_ssl->ssl = SSL_new (ssl_ctx->ctx);
+ if (!ks_ssl->ssl)
msg (M_SSLERR, "SSL_new failed");
/* put session * in ssl object so we can access it
from verify callback*/
- SSL_set_ex_data (ks->ks_ssl.ssl, mydata_index, session);
+ SSL_set_ex_data (ks_ssl->ssl, mydata_index, session);
- ks->ks_ssl.ssl_bio = getbio (BIO_f_ssl (), "ssl_bio");
- ks->ks_ssl.ct_in = getbio (BIO_s_mem (), "ct_in");
- ks->ks_ssl.ct_out = getbio (BIO_s_mem (), "ct_out");
+ ks_ssl->ssl_bio = getbio (BIO_f_ssl (), "ssl_bio");
+ ks_ssl->ct_in = getbio (BIO_s_mem (), "ct_in");
+ ks_ssl->ct_out = getbio (BIO_s_mem (), "ct_out");
#ifdef BIO_DEBUG
- bio_debug_oc ("open ssl_bio", ks->ks_ssl.ssl_bio);
- bio_debug_oc ("open ct_in", ks->ks_ssl.ct_in);
- bio_debug_oc ("open ct_out", ks->ks_ssl.ct_out);
+ bio_debug_oc ("open ssl_bio", ks_ssl->ssl_bio);
+ bio_debug_oc ("open ct_in", ks_ssl->ct_in);
+ bio_debug_oc ("open ct_out", ks_ssl->ct_out);
#endif
- if (session->opt->server)
- SSL_set_accept_state (ks->ks_ssl.ssl);
+ if (is_server)
+ SSL_set_accept_state (ks_ssl->ssl);
else
- SSL_set_connect_state (ks->ks_ssl.ssl);
+ SSL_set_connect_state (ks_ssl->ssl);
+
+ SSL_set_bio (ks_ssl->ssl, ks_ssl->ct_in, ks_ssl->ct_out);
+ BIO_set_ssl (ks_ssl->ssl_bio, ks_ssl->ssl, BIO_NOCLOSE);
+}
- SSL_set_bio (ks->ks_ssl.ssl, ks->ks_ssl.ct_in, ks->ks_ssl.ct_out);
- BIO_set_ssl (ks->ks_ssl.ssl_bio, ks->ks_ssl.ssl, BIO_NOCLOSE);
--- a/ssl_backend.h
--- a/ssl_openssl.c
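Review bot: The result of `SSL_set_ex_data (ks_ssl->ssl, mydata_index, session);` in the new key_state_ssl_init is discarded; it returns 0 on failure, and the comment just above it says the verify callback relies on that slot, so a failed store would silently leave the callback without a session. The other failures in this function are routed through msg(M_SSLERR, ...), so the same treatment fits: `if (!SSL_set_ex_data (ks_ssl->ssl, mydata_index, session))` followed by `msg (M_SSLERR, "SSL_set_ex_data failed");`. As a matter of style, `ASSERT(ks_ssl);` sits next to `ASSERT(NULL != ssl_ctx);` and could be written `ASSERT(NULL != ks_ssl);` so the two checks read alike. The function is complete within this hunk.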