Change-Id: I5c8dbfec4a404d8d1501725a90b383eb3e05c664 Reviewed-on: https://boringssl-review.googlesource.com/29591 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
@@ -158,8 +158,9 @@ static int find_profile_by_name(const char *profile_name, | |||
return 0; | |||
} | |||
static int ssl_ctx_make_profiles(const char *profiles_string, | |||
STACK_OF(SRTP_PROTECTION_PROFILE) **out) { | |||
static int ssl_ctx_make_profiles( | |||
const char *profiles_string, | |||
UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> *out) { | |||
UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> profiles( | |||
sk_SRTP_PROTECTION_PROFILE_new_null()); | |||
if (profiles == nullptr) { | |||
@@ -188,8 +189,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string, | |||
} | |||
} while (col); | |||
sk_SRTP_PROTECTION_PROFILE_free(*out); | |||
*out = profiles.release(); | |||
*out = std::move(profiles); | |||
return 1; | |||
} | |||
@@ -212,8 +212,9 @@ STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl) { | |||
return nullptr; | |||
} | |||
return ssl->config->srtp_profiles != nullptr ? ssl->config->srtp_profiles | |||
: ssl->ctx->srtp_profiles; | |||
return ssl->config->srtp_profiles != nullptr | |||
? ssl->config->srtp_profiles.get() | |||
: ssl->ctx->srtp_profiles.get(); | |||
} | |||
const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *ssl) { | |||
@@ -535,8 +535,9 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { | |||
// Negotiate the cipher suite. This must be done after |cert_cb| so the | |||
// certificate is finalized. | |||
SSLCipherPreferenceList *prefs = | |||
hs->config->cipher_list ? hs->config->cipher_list : ssl->ctx->cipher_list; | |||
SSLCipherPreferenceList *prefs = hs->config->cipher_list | |||
? hs->config->cipher_list.get() | |||
: ssl->ctx->cipher_list.get(); | |||
hs->new_cipher = ssl3_choose_cipher(hs, &client_hello, prefs); | |||
if (hs->new_cipher == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); | |||
@@ -788,11 +789,12 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { | |||
// PSK ciphers begin with an identity hint. | |||
if (alg_a & SSL_aPSK) { | |||
size_t len = (hs->config->psk_identity_hint == NULL) | |||
size_t len = hs->config->psk_identity_hint == nullptr | |||
? 0 | |||
: strlen(hs->config->psk_identity_hint); | |||
: strlen(hs->config->psk_identity_hint.get()); | |||
if (!CBB_add_u16_length_prefixed(cbb.get(), &child) || | |||
!CBB_add_bytes(&child, (const uint8_t *)hs->config->psk_identity_hint, | |||
!CBB_add_bytes(&child, | |||
(const uint8_t *)hs->config->psk_identity_hint.get(), | |||
len)) { | |||
return ssl_hs_error; | |||
} | |||
@@ -524,7 +524,7 @@ const EVP_MD *ssl_get_handshake_digest(uint16_t version, | |||
// true on success and false on failure. If |strict| is true, nonsense will be | |||
// rejected. If false, nonsense will be silently ignored. An empty result is | |||
// considered an error regardless of |strict|. | |||
bool ssl_create_cipher_list(SSLCipherPreferenceList **out_cipher_list, | |||
bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list, | |||
const char *rule_str, bool strict); | |||
// ssl_cipher_get_value returns the cipher suite id of |cipher|. | |||
@@ -2417,11 +2417,11 @@ struct SSL_CONFIG { | |||
X509_VERIFY_PARAM *param = nullptr; | |||
// crypto | |||
SSLCipherPreferenceList *cipher_list = nullptr; | |||
UniquePtr<SSLCipherPreferenceList> cipher_list; | |||
// This is used to hold the local certificate used (i.e. the server | |||
// certificate for a server or the client certificate for a client). | |||
CERT *cert = nullptr; | |||
UniquePtr<CERT> cert; | |||
int (*verify_callback)(int ok, | |||
X509_STORE_CTX *ctx) = | |||
@@ -2431,47 +2431,40 @@ struct SSL_CONFIG { | |||
SSL *ssl, uint8_t *out_alert) = nullptr; | |||
// Server-only: psk_identity_hint is the identity hint to send in | |||
// PSK-based key exchanges. | |||
char *psk_identity_hint = nullptr; | |||
UniquePtr<char> psk_identity_hint; | |||
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, | |||
char *identity, | |||
unsigned int max_identity_len, | |||
uint8_t *psk, | |||
unsigned int max_psk_len) = nullptr; | |||
unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, | |||
uint8_t *psk, | |||
unsigned int max_psk_len) = nullptr; | |||
unsigned (*psk_client_callback)(SSL *ssl, const char *hint, char *identity, | |||
unsigned max_identity_len, uint8_t *psk, | |||
unsigned max_psk_len) = nullptr; | |||
unsigned (*psk_server_callback)(SSL *ssl, const char *identity, uint8_t *psk, | |||
unsigned max_psk_len) = nullptr; | |||
// for server side, keep the list of CA_dn we can use | |||
STACK_OF(CRYPTO_BUFFER) *client_CA = nullptr; | |||
UniquePtr<STACK_OF(CRYPTO_BUFFER)> client_CA; | |||
// cached_x509_client_CA is a cache of parsed versions of the elements of | |||
// |client_CA|. | |||
STACK_OF(X509_NAME) *cached_x509_client_CA = nullptr; | |||
uint16_t dummy_pq_padding_len = 0; | |||
size_t supported_group_list_len = 0; | |||
uint16_t *supported_group_list = nullptr; // our list | |||
Array<uint16_t> supported_group_list; // our list | |||
// The client's Channel ID private key. | |||
EVP_PKEY *tlsext_channel_id_private = nullptr; | |||
UniquePtr<EVP_PKEY> tlsext_channel_id_private; | |||
// For a client, this contains the list of supported protocols in wire | |||
// format. | |||
uint8_t *alpn_client_proto_list = nullptr; | |||
unsigned alpn_client_proto_list_len = 0; | |||
Array<uint8_t> alpn_client_proto_list; | |||
// Contains a list of supported Token Binding key parameters. | |||
uint8_t *token_binding_params = nullptr; | |||
size_t token_binding_params_len = 0; | |||
Array<uint8_t> token_binding_params; | |||
// Contains the QUIC transport params that this endpoint will send. | |||
uint8_t *quic_transport_params = nullptr; | |||
size_t quic_transport_params_len = 0; | |||
Array<uint8_t> quic_transport_params; | |||
// srtp_profiles is the list of configured SRTP protection profiles for | |||
// DTLS-SRTP. | |||
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles = nullptr; | |||
UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> srtp_profiles; | |||
// verify_mode is a bitmask of |SSL_VERIFY_*| values. | |||
uint8_t verify_mode = SSL_VERIFY_NONE; | |||
@@ -2712,19 +2705,16 @@ int tls1_check_group_id(const SSL_HANDSHAKE *ssl, uint16_t group_id); | |||
// found, it returns zero. | |||
int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id); | |||
// tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| | |||
// into a newly allocated array of TLS group IDs. On success, the function | |||
// returns one and writes the array to |*out_group_ids| and its size to | |||
// |*out_group_ids_len|. Otherwise, it returns zero. | |||
int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len, | |||
const int *curves, size_t ncurves); | |||
// tls1_set_curves converts the array of NIDs in |curves| into a newly allocated | |||
// array of TLS group IDs. On success, the function returns true and writes the | |||
// array to |*out_group_ids|. Otherwise, it returns false. | |||
bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves); | |||
// tls1_set_curves_list converts the string of curves pointed to by |curves| | |||
// into a newly allocated array of TLS group IDs. On success, the function | |||
// returns one and writes the array to |*out_group_ids| and its size to | |||
// |*out_group_ids_len|. Otherwise, it returns zero. | |||
int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len, | |||
const char *curves); | |||
// returns true and writes the array to |*out_group_ids|. Otherwise, it returns | |||
// false. | |||
bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves); | |||
// ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It | |||
// returns one on success and zero on failure. The |header_len| argument is the | |||
@@ -2840,7 +2830,7 @@ struct ssl_ctx_st { | |||
// configuration. | |||
tls13_variant_t tls13_variant = tls13_default; | |||
bssl::SSLCipherPreferenceList *cipher_list = nullptr; | |||
bssl::UniquePtr<bssl::SSLCipherPreferenceList> cipher_list; | |||
X509_STORE *cert_store = nullptr; | |||
LHASH_OF(SSL_SESSION) *sessions = nullptr; | |||
@@ -2914,7 +2904,7 @@ struct ssl_ctx_st { | |||
void (*info_callback)(const SSL *ssl, int type, int value) = nullptr; | |||
// what we put in client cert requests | |||
STACK_OF(CRYPTO_BUFFER) *client_CA = nullptr; | |||
bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> client_CA; | |||
// cached_x509_client_CA is a cache of parsed versions of the elements of | |||
// |client_CA|. | |||
@@ -2930,7 +2920,7 @@ struct ssl_ctx_st { | |||
uint32_t mode = SSL_MODE_NO_AUTO_CHAIN; | |||
uint32_t max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; | |||
bssl::CERT *cert = nullptr; | |||
bssl::UniquePtr<bssl::CERT> cert; | |||
// callback that allows applications to peek at protocol messages | |||
void (*msg_callback)(int write_p, int version, int content_type, | |||
@@ -2976,7 +2966,7 @@ struct ssl_ctx_st { | |||
// Server-only: psk_identity_hint is the default identity hint to send in | |||
// PSK-based key exchanges. | |||
char *psk_identity_hint = nullptr; | |||
bssl::UniquePtr<char> psk_identity_hint; | |||
unsigned (*psk_client_callback)(SSL *ssl, const char *hint, char *identity, | |||
unsigned max_identity_len, uint8_t *psk, | |||
@@ -3018,21 +3008,19 @@ struct ssl_ctx_st { | |||
// For a client, this contains the list of supported protocols in wire | |||
// format. | |||
uint8_t *alpn_client_proto_list = nullptr; | |||
unsigned alpn_client_proto_list_len = 0; | |||
bssl::Array<uint8_t> alpn_client_proto_list; | |||
// SRTP profiles we are willing to do from RFC 5764 | |||
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles = nullptr; | |||
bssl::UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> srtp_profiles; | |||
// Defined compression algorithms for certificates. | |||
STACK_OF(CertCompressionAlg) *cert_compression_algs = nullptr; | |||
// Supported group values inherited by SSL structure | |||
size_t supported_group_list_len = 0; | |||
uint16_t *supported_group_list = nullptr; | |||
bssl::Array<uint16_t> supported_group_list; | |||
// The client's Channel ID private key. | |||
EVP_PKEY *tlsext_channel_id_private = nullptr; | |||
bssl::UniquePtr<EVP_PKEY> tlsext_channel_id_private; | |||
// keylog_callback, if not NULL, is the key logging callback. See | |||
// |SSL_CTX_set_keylog_callback|. | |||
@@ -3058,8 +3046,7 @@ struct ssl_ctx_st { | |||
// verify_sigalgs, if not empty, is the set of signature algorithms | |||
// accepted from the peer in decreasing order of preference. | |||
uint16_t *verify_sigalgs = nullptr; | |||
size_t num_verify_sigalgs = 0; | |||
bssl::Array<uint16_t> verify_sigalgs; | |||
// retain_only_sha256_of_client_certs is true if we should compute the SHA256 | |||
// hash of the peer's certificate and then discard it to save memory and | |||
@@ -656,11 +656,11 @@ UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl, | |||
} | |||
bool ssl_has_client_CAs(const SSL_CONFIG *cfg) { | |||
STACK_OF(CRYPTO_BUFFER) *names = cfg->client_CA; | |||
if (names == NULL) { | |||
names = cfg->ssl->ctx->client_CA; | |||
const STACK_OF(CRYPTO_BUFFER) *names = cfg->client_CA.get(); | |||
if (names == nullptr) { | |||
names = cfg->ssl->ctx->client_CA.get(); | |||
} | |||
if (names == NULL) { | |||
if (names == nullptr) { | |||
return false; | |||
} | |||
return sk_CRYPTO_BUFFER_num(names) > 0; | |||
@@ -672,9 +672,9 @@ int ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb) { | |||
return 0; | |||
} | |||
STACK_OF(CRYPTO_BUFFER) *names = hs->config->client_CA; | |||
const STACK_OF(CRYPTO_BUFFER) *names = hs->config->client_CA.get(); | |||
if (names == NULL) { | |||
names = hs->ssl->ctx->client_CA; | |||
names = hs->ssl->ctx->client_CA.get(); | |||
} | |||
if (names == NULL) { | |||
return CBB_flush(cbb); | |||
@@ -760,14 +760,14 @@ int SSL_set_chain_and_key(SSL *ssl, CRYPTO_BUFFER *const *certs, | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return cert_set_chain_and_key(ssl->config->cert, certs, num_certs, privkey, | |||
privkey_method); | |||
return cert_set_chain_and_key(ssl->config->cert.get(), certs, num_certs, | |||
privkey, privkey_method); | |||
} | |||
int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, | |||
size_t num_certs, EVP_PKEY *privkey, | |||
const SSL_PRIVATE_KEY_METHOD *privkey_method) { | |||
return cert_set_chain_and_key(ctx->cert, certs, num_certs, privkey, | |||
return cert_set_chain_and_key(ctx->cert.get(), certs, num_certs, privkey, | |||
privkey_method); | |||
} | |||
@@ -778,7 +778,7 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len, | |||
return 0; | |||
} | |||
return ssl_set_cert(ctx->cert, std::move(buffer)); | |||
return ssl_set_cert(ctx->cert.get(), std::move(buffer)); | |||
} | |||
int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) { | |||
@@ -787,19 +787,19 @@ int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) { | |||
return 0; | |||
} | |||
return ssl_set_cert(ssl->config->cert, std::move(buffer)); | |||
return ssl_set_cert(ssl->config->cert.get(), std::move(buffer)); | |||
} | |||
void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg), | |||
void *arg) { | |||
ssl_cert_set_cert_cb(ctx->cert, cb, arg); | |||
ssl_cert_set_cert_cb(ctx->cert.get(), cb, arg); | |||
} | |||
void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) { | |||
if (!ssl->config) { | |||
return; | |||
} | |||
ssl_cert_set_cert_cb(ssl->config->cert, cb, arg); | |||
ssl_cert_set_cert_cb(ssl->config->cert.get(), cb, arg); | |||
} | |||
const STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) { | |||
@@ -834,7 +834,7 @@ static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list, | |||
int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list, | |||
size_t list_len) { | |||
return set_signed_cert_timestamp_list(ctx->cert, list, list_len); | |||
return set_signed_cert_timestamp_list(ctx->cert.get(), list, list_len); | |||
} | |||
int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list, | |||
@@ -842,7 +842,8 @@ int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list, | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return set_signed_cert_timestamp_list(ssl->config->cert, list, list_len); | |||
return set_signed_cert_timestamp_list(ssl->config->cert.get(), list, | |||
list_len); | |||
} | |||
int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response, | |||
@@ -864,8 +865,7 @@ int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response, | |||
void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) { | |||
ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx); | |||
sk_CRYPTO_BUFFER_pop_free(ctx->client_CA, CRYPTO_BUFFER_free); | |||
ctx->client_CA = name_list; | |||
ctx->client_CA.reset(name_list); | |||
} | |||
void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) { | |||
@@ -873,6 +873,5 @@ void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) { | |||
return; | |||
} | |||
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get()); | |||
sk_CRYPTO_BUFFER_pop_free(ssl->config->client_CA, CRYPTO_BUFFER_free); | |||
ssl->config->client_CA = name_list; | |||
ssl->config->client_CA.reset(name_list); | |||
} |
@@ -1137,7 +1137,7 @@ static bool ssl_cipher_process_rulestr(const char *rule_str, | |||
return true; | |||
} | |||
bool ssl_create_cipher_list(SSLCipherPreferenceList **out_cipher_list, | |||
bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list, | |||
const char *rule_str, bool strict) { | |||
// Return with error if nothing to do. | |||
if (rule_str == NULL || out_cipher_list == NULL) { | |||
@@ -1255,10 +1255,7 @@ bool ssl_create_cipher_list(SSLCipherPreferenceList **out_cipher_list, | |||
return false; | |||
} | |||
if (*out_cipher_list) { | |||
Delete(*out_cipher_list); | |||
} | |||
*out_cipher_list = pref_list.release(); | |||
*out_cipher_list = std::move(pref_list); | |||
// Configuring an empty cipher list is an error but still updates the | |||
// output. | |||
@@ -562,22 +562,13 @@ ssl_ctx_st::~ssl_ctx_st() { | |||
CRYPTO_MUTEX_cleanup(&lock); | |||
lh_SSL_SESSION_free(sessions); | |||
Delete(cipher_list); | |||
Delete(cert); | |||
sk_SSL_CUSTOM_EXTENSION_pop_free(client_custom_extensions, | |||
SSL_CUSTOM_EXTENSION_free); | |||
sk_SSL_CUSTOM_EXTENSION_pop_free(server_custom_extensions, | |||
SSL_CUSTOM_EXTENSION_free); | |||
sk_CRYPTO_BUFFER_pop_free(client_CA, CRYPTO_BUFFER_free); | |||
x509_method->ssl_ctx_free(this); | |||
sk_SRTP_PROTECTION_PROFILE_free(srtp_profiles); | |||
sk_CertCompressionAlg_pop_free(cert_compression_algs, | |||
Delete<CertCompressionAlg>); | |||
OPENSSL_free(psk_identity_hint); | |||
OPENSSL_free(supported_group_list); | |||
OPENSSL_free(alpn_client_proto_list); | |||
EVP_PKEY_free(tlsext_channel_id_private); | |||
OPENSSL_free(verify_sigalgs); | |||
OPENSSL_free(tlsext_ticket_key_current); | |||
OPENSSL_free(tlsext_ticket_key_prev); | |||
} | |||
@@ -593,9 +584,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) { | |||
return nullptr; | |||
} | |||
ret->cert = New<CERT>(method->x509_method); | |||
ret->cert = MakeUnique<CERT>(method->x509_method); | |||
ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); | |||
ret->client_CA = sk_CRYPTO_BUFFER_new_null(); | |||
ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null()); | |||
if (ret->cert == nullptr || | |||
ret->sessions == nullptr || | |||
ret->client_CA == nullptr || | |||
@@ -675,8 +666,8 @@ SSL *SSL_new(SSL_CTX *ctx) { | |||
ssl->config->conf_min_version = ctx->conf_min_version; | |||
ssl->config->conf_max_version = ctx->conf_max_version; | |||
ssl->config->cert = ssl_cert_dup(ctx->cert).release(); | |||
if (ssl->config->cert == NULL) { | |||
ssl->config->cert = ssl_cert_dup(ctx->cert.get()); | |||
if (ssl->config->cert == nullptr) { | |||
return nullptr; | |||
} | |||
@@ -686,27 +677,16 @@ SSL *SSL_new(SSL_CTX *ctx) { | |||
ssl->config->retain_only_sha256_of_client_certs = | |||
ctx->retain_only_sha256_of_client_certs; | |||
if (ctx->supported_group_list) { | |||
ssl->config->supported_group_list = (uint16_t *)BUF_memdup( | |||
ctx->supported_group_list, ctx->supported_group_list_len * 2); | |||
if (!ssl->config->supported_group_list) { | |||
return nullptr; | |||
} | |||
ssl->config->supported_group_list_len = ctx->supported_group_list_len; | |||
} | |||
if (ctx->alpn_client_proto_list) { | |||
ssl->config->alpn_client_proto_list = (uint8_t *)BUF_memdup( | |||
ctx->alpn_client_proto_list, ctx->alpn_client_proto_list_len); | |||
if (ssl->config->alpn_client_proto_list == NULL) { | |||
return nullptr; | |||
} | |||
ssl->config->alpn_client_proto_list_len = ctx->alpn_client_proto_list_len; | |||
if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) || | |||
!ssl->config->alpn_client_proto_list.CopyFrom( | |||
ctx->alpn_client_proto_list)) { | |||
return nullptr; | |||
} | |||
if (ctx->psk_identity_hint) { | |||
ssl->config->psk_identity_hint = BUF_strdup(ctx->psk_identity_hint); | |||
if (ssl->config->psk_identity_hint == NULL) { | |||
ssl->config->psk_identity_hint.reset( | |||
BUF_strdup(ctx->psk_identity_hint.get())); | |||
if (ssl->config->psk_identity_hint == nullptr) { | |||
return nullptr; | |||
} | |||
} | |||
@@ -714,10 +694,8 @@ SSL *SSL_new(SSL_CTX *ctx) { | |||
ssl->config->psk_server_callback = ctx->psk_server_callback; | |||
ssl->config->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled; | |||
if (ctx->tlsext_channel_id_private) { | |||
EVP_PKEY_up_ref(ctx->tlsext_channel_id_private); | |||
ssl->config->tlsext_channel_id_private = ctx->tlsext_channel_id_private; | |||
} | |||
ssl->config->tlsext_channel_id_private = | |||
UpRef(ctx->tlsext_channel_id_private); | |||
ssl->config->signed_cert_timestamps_enabled = | |||
ctx->signed_cert_timestamps_enabled; | |||
@@ -747,16 +725,6 @@ SSL_CONFIG::~SSL_CONFIG() { | |||
if (ssl->ctx != nullptr) { | |||
ssl->ctx->x509_method->ssl_config_free(this); | |||
} | |||
Delete(cipher_list); | |||
Delete(cert); | |||
OPENSSL_free(psk_identity_hint); | |||
OPENSSL_free(supported_group_list); | |||
EVP_PKEY_free(tlsext_channel_id_private); | |||
OPENSSL_free(alpn_client_proto_list); | |||
OPENSSL_free(token_binding_params); | |||
OPENSSL_free(quic_transport_params); | |||
sk_SRTP_PROTECTION_PROFILE_free(srtp_profiles); | |||
sk_CRYPTO_BUFFER_pop_free(client_CA, CRYPTO_BUFFER_free); | |||
} | |||
void SSL_free(SSL *ssl) { | |||
@@ -1126,16 +1094,8 @@ int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) { | |||
int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, | |||
size_t params_len) { | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
ssl->config->quic_transport_params = | |||
(uint8_t *)BUF_memdup(params, params_len); | |||
if (!ssl->config->quic_transport_params) { | |||
return 0; | |||
} | |||
ssl->config->quic_transport_params_len = params_len; | |||
return 1; | |||
return ssl->config && ssl->config->quic_transport_params.CopyFrom( | |||
MakeConstSpan(params, params_len)); | |||
} | |||
void SSL_get_peer_quic_transport_params(const SSL *ssl, | |||
@@ -1399,7 +1359,7 @@ static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx, | |||
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx, | |||
size_t sid_ctx_len) { | |||
return set_session_id_context(ctx->cert, sid_ctx, sid_ctx_len); | |||
return set_session_id_context(ctx->cert.get(), sid_ctx, sid_ctx_len); | |||
} | |||
int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, | |||
@@ -1407,7 +1367,7 @@ int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return set_session_id_context(ssl->config->cert, sid_ctx, sid_ctx_len); | |||
return set_session_id_context(ssl->config->cert.get(), sid_ctx, sid_ctx_len); | |||
} | |||
const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) { | |||
@@ -1424,7 +1384,7 @@ void SSL_certs_clear(SSL *ssl) { | |||
if (!ssl->config) { | |||
return; | |||
} | |||
ssl_cert_clear_certs(ssl->config->cert); | |||
ssl_cert_clear_certs(ssl->config->cert.get()); | |||
} | |||
int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); } | |||
@@ -1579,17 +1539,16 @@ int SSL_pending(const SSL *ssl) { | |||
return static_cast<int>(ssl->s3->pending_app_data.size()); | |||
} | |||
// Fix this so it checks all the valid key/cert options | |||
int SSL_CTX_check_private_key(const SSL_CTX *ctx) { | |||
return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey.get()); | |||
return ssl_cert_check_private_key(ctx->cert.get(), | |||
ctx->cert->privatekey.get()); | |||
} | |||
// Fix this function so that it takes an optional type parameter | |||
int SSL_check_private_key(const SSL *ssl) { | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return ssl_cert_check_private_key(ssl->config->cert, | |||
return ssl_cert_check_private_key(ssl->config->cert.get(), | |||
ssl->config->cert->privatekey.get()); | |||
} | |||
@@ -1759,8 +1718,7 @@ int SSL_CTX_set_tlsext_ticket_key_cb( | |||
int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t curves_len) { | |||
return tls1_set_curves(&ctx->supported_group_list, | |||
&ctx->supported_group_list_len, curves, | |||
curves_len); | |||
MakeConstSpan(curves, curves_len)); | |||
} | |||
int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) { | |||
@@ -1768,21 +1726,18 @@ int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) { | |||
return 0; | |||
} | |||
return tls1_set_curves(&ssl->config->supported_group_list, | |||
&ssl->config->supported_group_list_len, curves, | |||
curves_len); | |||
MakeConstSpan(curves, curves_len)); | |||
} | |||
int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) { | |||
return tls1_set_curves_list(&ctx->supported_group_list, | |||
&ctx->supported_group_list_len, curves); | |||
return tls1_set_curves_list(&ctx->supported_group_list, curves); | |||
} | |||
int SSL_set1_curves_list(SSL *ssl, const char *curves) { | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return tls1_set_curves_list(&ssl->config->supported_group_list, | |||
&ssl->config->supported_group_list_len, curves); | |||
return tls1_set_curves_list(&ssl->config->supported_group_list, curves); | |||
} | |||
uint16_t SSL_get_curve_id(const SSL *ssl) { | |||
@@ -2043,29 +1998,21 @@ void SSL_CTX_set_next_proto_select_cb( | |||
int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos, | |||
unsigned protos_len) { | |||
OPENSSL_free(ctx->alpn_client_proto_list); | |||
ctx->alpn_client_proto_list = (uint8_t *)BUF_memdup(protos, protos_len); | |||
if (!ctx->alpn_client_proto_list) { | |||
return 1; | |||
} | |||
ctx->alpn_client_proto_list_len = protos_len; | |||
return 0; | |||
// Note this function's calling convention is backwards. | |||
return ctx->alpn_client_proto_list.CopyFrom(MakeConstSpan(protos, protos_len)) | |||
? 0 | |||
: 1; | |||
} | |||
int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) { | |||
// Note this function's calling convention is backwards. | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
OPENSSL_free(ssl->config->alpn_client_proto_list); | |||
ssl->config->alpn_client_proto_list = | |||
(uint8_t *)BUF_memdup(protos, protos_len); | |||
if (!ssl->config->alpn_client_proto_list) { | |||
return 1; | |||
} | |||
ssl->config->alpn_client_proto_list_len = protos_len; | |||
return 0; | |||
return ssl->config->alpn_client_proto_list.CopyFrom( | |||
MakeConstSpan(protos, protos_len)) | |||
? 0 | |||
: 1; | |||
} | |||
void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, | |||
@@ -2171,9 +2118,7 @@ int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) { | |||
return 0; | |||
} | |||
EVP_PKEY_free(ctx->tlsext_channel_id_private); | |||
EVP_PKEY_up_ref(private_key); | |||
ctx->tlsext_channel_id_private = private_key; | |||
ctx->tlsext_channel_id_private = UpRef(private_key); | |||
ctx->tlsext_channel_id_enabled = true; | |||
return 1; | |||
@@ -2188,9 +2133,7 @@ int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) { | |||
return 0; | |||
} | |||
EVP_PKEY_free(ssl->config->tlsext_channel_id_private); | |||
EVP_PKEY_up_ref(private_key); | |||
ssl->config->tlsext_channel_id_private = private_key; | |||
ssl->config->tlsext_channel_id_private = UpRef(private_key); | |||
ssl->config->tlsext_channel_id_enabled = true; | |||
return 1; | |||
@@ -2213,13 +2156,7 @@ int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params, size_t len) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); | |||
return 0; | |||
} | |||
OPENSSL_free(ssl->config->token_binding_params); | |||
ssl->config->token_binding_params = (uint8_t *)BUF_memdup(params, len); | |||
if (!ssl->config->token_binding_params) { | |||
return 0; | |||
} | |||
ssl->config->token_binding_params_len = len; | |||
return 1; | |||
return ssl->config->token_binding_params.CopyFrom(MakeConstSpan(params, len)); | |||
} | |||
int SSL_is_token_binding_negotiated(const SSL *ssl) { | |||
@@ -2337,9 +2274,12 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { | |||
ctx = ssl->session_ctx.get(); | |||
} | |||
Delete(ssl->config->cert); | |||
ssl->config->cert = ssl_cert_dup(ctx->cert).release(); | |||
UniquePtr<CERT> new_cert = ssl_cert_dup(ctx->cert.get()); | |||
if (!new_cert) { | |||
return nullptr; | |||
} | |||
ssl->config->cert = std::move(new_cert); | |||
ssl->ctx = UpRef(ctx); | |||
ssl->enable_early_data = ssl->ctx->enable_early_data; | |||
@@ -2423,23 +2363,23 @@ void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, | |||
void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export, | |||
int keylength)) {} | |||
static int use_psk_identity_hint(char **out, const char *identity_hint) { | |||
static int use_psk_identity_hint(UniquePtr<char> *out, | |||
const char *identity_hint) { | |||
if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); | |||
return 0; | |||
} | |||
// Clear currently configured hint, if any. | |||
OPENSSL_free(*out); | |||
*out = NULL; | |||
out->reset(); | |||
// Treat the empty hint as not supplying one. Plain PSK makes it possible to | |||
// send either no hint (omit ServerKeyExchange) or an empty hint, while | |||
// ECDHE_PSK can only spell empty hint. Having different capabilities is odd, | |||
// so we interpret empty and missing as identical. | |||
if (identity_hint != NULL && identity_hint[0] != '\0') { | |||
*out = BUF_strdup(identity_hint); | |||
if (*out == NULL) { | |||
out->reset(BUF_strdup(identity_hint)); | |||
if (*out == nullptr) { | |||
return 0; | |||
} | |||
} | |||
@@ -2466,7 +2406,7 @@ const char *SSL_get_psk_identity_hint(const SSL *ssl) { | |||
assert(ssl->config); | |||
return NULL; | |||
} | |||
return ssl->config->psk_identity_hint; | |||
return ssl->config->psk_identity_hint.get(); | |||
} | |||
const char *SSL_get_psk_identity(const SSL *ssl) { | |||
@@ -304,7 +304,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) { | |||
return 0; | |||
} | |||
return ssl_set_pkey(ssl->config->cert, pkey.get()); | |||
return ssl_set_pkey(ssl->config->cert.get(), pkey.get()); | |||
} | |||
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) { | |||
@@ -323,7 +323,7 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) { | |||
return 0; | |||
} | |||
return ssl_set_pkey(ssl->config->cert, pkey); | |||
return ssl_set_pkey(ssl->config->cert.get(), pkey); | |||
} | |||
int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der, | |||
@@ -356,7 +356,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) { | |||
return 0; | |||
} | |||
return ssl_set_pkey(ctx->cert, pkey.get()); | |||
return ssl_set_pkey(ctx->cert.get(), pkey.get()); | |||
} | |||
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der, | |||
@@ -376,7 +376,7 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { | |||
return 0; | |||
} | |||
return ssl_set_pkey(ctx->cert, pkey); | |||
return ssl_set_pkey(ctx->cert.get(), pkey); | |||
} | |||
int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der, | |||
@@ -461,21 +461,6 @@ int SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg) { | |||
return alg != nullptr && alg->is_rsa_pss; | |||
} | |||
static int set_algorithm_prefs(uint16_t **out_prefs, size_t *out_num_prefs, | |||
const uint16_t *prefs, size_t num_prefs) { | |||
OPENSSL_free(*out_prefs); | |||
*out_num_prefs = 0; | |||
*out_prefs = (uint16_t *)BUF_memdup(prefs, num_prefs * sizeof(prefs[0])); | |||
if (*out_prefs == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
return 0; | |||
} | |||
*out_num_prefs = num_prefs; | |||
return 1; | |||
} | |||
int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, | |||
size_t num_prefs) { | |||
return ctx->cert->sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs)); | |||
@@ -491,6 +476,5 @@ int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs, | |||
int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, | |||
size_t num_prefs) { | |||
return set_algorithm_prefs(&ctx->verify_sigalgs, &ctx->num_verify_sigalgs, | |||
prefs, num_prefs); | |||
return ctx->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs)); | |||
} |
@@ -493,7 +493,7 @@ TEST(SSLTest, CurveRules) { | |||
ASSERT_TRUE(ctx); | |||
ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule)); | |||
ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len); | |||
ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size()); | |||
for (size_t i = 0; i < t.expected.size(); i++) { | |||
EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]); | |||
} | |||
@@ -460,11 +460,11 @@ static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) { | |||
// Remove the leaf from the generated chain. | |||
X509_free(sk_X509_shift(ctx->chain)); | |||
if (!ssl_cert_set_chain(hs->config->cert, ctx->chain)) { | |||
if (!ssl_cert_set_chain(hs->config->cert.get(), ctx->chain)) { | |||
return 0; | |||
} | |||
ssl_crypto_x509_cert_flush_cached_chain(hs->config->cert); | |||
ssl_crypto_x509_cert_flush_cached_chain(hs->config->cert.get()); | |||
return 1; | |||
} | |||
@@ -755,12 +755,12 @@ int SSL_use_certificate(SSL *ssl, X509 *x) { | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return ssl_use_certificate(ssl->config->cert, x); | |||
return ssl_use_certificate(ssl->config->cert.get(), x); | |||
} | |||
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) { | |||
check_ssl_ctx_x509_method(ctx); | |||
return ssl_use_certificate(ctx->cert, x); | |||
return ssl_use_certificate(ctx->cert.get(), x); | |||
} | |||
// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the | |||
@@ -797,13 +797,13 @@ X509 *SSL_get_certificate(const SSL *ssl) { | |||
assert(ssl->config); | |||
return 0; | |||
} | |||
return ssl_cert_get0_leaf(ssl->config->cert); | |||
return ssl_cert_get0_leaf(ssl->config->cert.get()); | |||
} | |||
X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) { | |||
check_ssl_ctx_x509_method(ctx); | |||
MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock)); | |||
return ssl_cert_get0_leaf(ctx->cert); | |||
return ssl_cert_get0_leaf(ctx->cert.get()); | |||
} | |||
static int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) { | |||
@@ -869,12 +869,12 @@ static int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) { | |||
int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { | |||
check_ssl_ctx_x509_method(ctx); | |||
return ssl_cert_set0_chain(ctx->cert, chain); | |||
return ssl_cert_set0_chain(ctx->cert.get(), chain); | |||
} | |||
int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { | |||
check_ssl_ctx_x509_method(ctx); | |||
return ssl_cert_set1_chain(ctx->cert, chain); | |||
return ssl_cert_set1_chain(ctx->cert.get(), chain); | |||
} | |||
int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) { | |||
@@ -882,7 +882,7 @@ int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) { | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return ssl_cert_set0_chain(ssl->config->cert, chain); | |||
return ssl_cert_set0_chain(ssl->config->cert.get(), chain); | |||
} | |||
int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) { | |||
@@ -890,17 +890,17 @@ int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) { | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return ssl_cert_set1_chain(ssl->config->cert, chain); | |||
return ssl_cert_set1_chain(ssl->config->cert.get(), chain); | |||
} | |||
int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) { | |||
check_ssl_ctx_x509_method(ctx); | |||
return ssl_cert_add0_chain_cert(ctx->cert, x509); | |||
return ssl_cert_add0_chain_cert(ctx->cert.get(), x509); | |||
} | |||
int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) { | |||
check_ssl_ctx_x509_method(ctx); | |||
return ssl_cert_add1_chain_cert(ctx->cert, x509); | |||
return ssl_cert_add1_chain_cert(ctx->cert.get(), x509); | |||
} | |||
int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) { | |||
@@ -913,7 +913,7 @@ int SSL_add0_chain_cert(SSL *ssl, X509 *x509) { | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return ssl_cert_add0_chain_cert(ssl->config->cert, x509); | |||
return ssl_cert_add0_chain_cert(ssl->config->cert.get(), x509); | |||
} | |||
int SSL_add1_chain_cert(SSL *ssl, X509 *x509) { | |||
@@ -921,7 +921,7 @@ int SSL_add1_chain_cert(SSL *ssl, X509 *x509) { | |||
if (!ssl->config) { | |||
return 0; | |||
} | |||
return ssl_cert_add1_chain_cert(ssl->config->cert, x509); | |||
return ssl_cert_add1_chain_cert(ssl->config->cert.get(), x509); | |||
} | |||
int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) { | |||
@@ -971,7 +971,7 @@ static int ssl_cert_cache_chain_certs(CERT *cert) { | |||
int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) { | |||
check_ssl_ctx_x509_method(ctx); | |||
MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock)); | |||
if (!ssl_cert_cache_chain_certs(ctx->cert)) { | |||
if (!ssl_cert_cache_chain_certs(ctx->cert.get())) { | |||
*out_chain = NULL; | |||
return 0; | |||
} | |||
@@ -991,7 +991,7 @@ int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) { | |||
assert(ssl->config); | |||
return 0; | |||
} | |||
if (!ssl_cert_cache_chain_certs(ssl->config->cert)) { | |||
if (!ssl_cert_cache_chain_certs(ssl->config->cert.get())) { | |||
*out_chain = NULL; | |||
return 0; | |||
} | |||
@@ -1042,7 +1042,7 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) { | |||
return sk_X509_NAME_deep_copy(list, X509_NAME_dup, X509_NAME_free); | |||
} | |||
static void set_client_CA_list(STACK_OF(CRYPTO_BUFFER) **ca_list, | |||
static void set_client_CA_list(UniquePtr<STACK_OF(CRYPTO_BUFFER)> *ca_list, | |||
const STACK_OF(X509_NAME) *name_list, | |||
CRYPTO_BUFFER_POOL *pool) { | |||
UniquePtr<STACK_OF(CRYPTO_BUFFER)> buffers(sk_CRYPTO_BUFFER_new_null()); | |||
@@ -1065,8 +1065,7 @@ static void set_client_CA_list(STACK_OF(CRYPTO_BUFFER) **ca_list, | |||
} | |||
} | |||
sk_CRYPTO_BUFFER_pop_free(*ca_list, CRYPTO_BUFFER_free); | |||
*ca_list = buffers.release(); | |||
*ca_list = std::move(buffers); | |||
} | |||
void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) { | |||
@@ -1140,7 +1139,7 @@ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) { | |||
if (ssl->config->client_CA != NULL) { | |||
return buffer_names_to_x509( | |||
ssl->config->client_CA, | |||
ssl->config->client_CA.get(), | |||
(STACK_OF(X509_NAME) **)&ssl->config->cached_x509_client_CA); | |||
} | |||
return SSL_CTX_get_client_CA_list(ssl->ctx.get()); | |||
@@ -1152,11 +1151,11 @@ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { | |||
// so it needs to lock around updating |cached_x509_client_CA|. | |||
MutexWriteLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock)); | |||
return buffer_names_to_x509( | |||
ctx->client_CA, | |||
ctx->client_CA.get(), | |||
const_cast<STACK_OF(X509_NAME) **>(&ctx->cached_x509_client_CA)); | |||
} | |||
static int add_client_CA(STACK_OF(CRYPTO_BUFFER) **names, X509 *x509, | |||
static int add_client_CA(UniquePtr<STACK_OF(CRYPTO_BUFFER)> *names, X509 *x509, | |||
CRYPTO_BUFFER_POOL *pool) { | |||
if (x509 == NULL) { | |||
return 0; | |||
@@ -1175,8 +1174,8 @@ static int add_client_CA(STACK_OF(CRYPTO_BUFFER) **names, X509 *x509, | |||
} | |||
int alloced = 0; | |||
if (*names == NULL) { | |||
*names = sk_CRYPTO_BUFFER_new_null(); | |||
if (*names == nullptr) { | |||
names->reset(sk_CRYPTO_BUFFER_new_null()); | |||
alloced = 1; | |||
if (*names == NULL) { | |||
@@ -1184,10 +1183,9 @@ static int add_client_CA(STACK_OF(CRYPTO_BUFFER) **names, X509 *x509, | |||
} | |||
} | |||
if (!PushToStack(*names, std::move(buffer))) { | |||
if (!PushToStack(names->get(), std::move(buffer))) { | |||
if (alloced) { | |||
sk_CRYPTO_BUFFER_pop_free(*names, CRYPTO_BUFFER_free); | |||
*names = NULL; | |||
names->reset(); | |||
} | |||
return 0; | |||
} | |||
@@ -293,9 +293,8 @@ static const uint16_t kDefaultGroups[] = { | |||
}; | |||
Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) { | |||
if (hs->config->supported_group_list != nullptr) { | |||
return MakeConstSpan(hs->config->supported_group_list, | |||
hs->config->supported_group_list_len); | |||
if (!hs->config->supported_group_list.empty()) { | |||
return hs->config->supported_group_list; | |||
} | |||
return Span<const uint16_t>(kDefaultGroups); | |||
} | |||
@@ -335,68 +334,55 @@ int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) { | |||
return 0; | |||
} | |||
int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len, | |||
const int *curves, size_t ncurves) { | |||
uint16_t *group_ids = (uint16_t *)OPENSSL_malloc(ncurves * sizeof(uint16_t)); | |||
if (group_ids == NULL) { | |||
return 0; | |||
bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) { | |||
Array<uint16_t> group_ids; | |||
if (!group_ids.Init(curves.size())) { | |||
return false; | |||
} | |||
for (size_t i = 0; i < ncurves; i++) { | |||
for (size_t i = 0; i < curves.size(); i++) { | |||
if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) { | |||
OPENSSL_free(group_ids); | |||
return 0; | |||
return false; | |||
} | |||
} | |||
OPENSSL_free(*out_group_ids); | |||
*out_group_ids = group_ids; | |||
*out_group_ids_len = ncurves; | |||
return 1; | |||
*out_group_ids = std::move(group_ids); | |||
return true; | |||
} | |||
int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len, | |||
const char *curves) { | |||
uint16_t *group_ids = NULL; | |||
size_t ncurves = 0; | |||
bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) { | |||
// Count the number of curves in the list. | |||
size_t count = 0; | |||
const char *ptr = curves, *col; | |||
do { | |||
col = strchr(ptr, ':'); | |||
count++; | |||
if (col) { | |||
ptr = col + 1; | |||
} | |||
} while (col); | |||
const char *col; | |||
const char *ptr = curves; | |||
Array<uint16_t> group_ids; | |||
if (!group_ids.Init(count)) { | |||
return false; | |||
} | |||
size_t i = 0; | |||
ptr = curves; | |||
do { | |||
col = strchr(ptr, ':'); | |||
uint16_t group_id; | |||
if (!ssl_name_to_group_id(&group_id, ptr, | |||
if (!ssl_name_to_group_id(&group_ids[i++], ptr, | |||
col ? (size_t)(col - ptr) : strlen(ptr))) { | |||
goto err; | |||
} | |||
uint16_t *new_group_ids = (uint16_t *)OPENSSL_realloc( | |||
group_ids, (ncurves + 1) * sizeof(uint16_t)); | |||
if (new_group_ids == NULL) { | |||
goto err; | |||
return false; | |||
} | |||
group_ids = new_group_ids; | |||
group_ids[ncurves] = group_id; | |||
ncurves++; | |||
if (col) { | |||
ptr = col + 1; | |||
} | |||
} while (col); | |||
OPENSSL_free(*out_group_ids); | |||
*out_group_ids = group_ids; | |||
*out_group_ids_len = ncurves; | |||
return 1; | |||
err: | |||
OPENSSL_free(group_ids); | |||
return 0; | |||
assert(i == count); | |||
*out_group_ids = std::move(group_ids); | |||
return true; | |||
} | |||
int tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) { | |||
@@ -506,9 +492,8 @@ struct SSLSignatureAlgorithmList { | |||
static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl, | |||
bool for_certs) { | |||
SSLSignatureAlgorithmList ret; | |||
if (ssl->ctx->num_verify_sigalgs != 0) { | |||
ret.list = | |||
MakeConstSpan(ssl->ctx->verify_sigalgs, ssl->ctx->num_verify_sigalgs); | |||
if (!ssl->ctx->verify_sigalgs.empty()) { | |||
ret.list = ssl->ctx->verify_sigalgs; | |||
} else { | |||
ret.list = kVerifySignatureAlgorithms; | |||
ret.skip_ed25519 = !ssl->ctx->ed25519_enabled; | |||
@@ -1393,7 +1378,7 @@ static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { | |||
static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
SSL *const ssl = hs->ssl; | |||
if (hs->config->alpn_client_proto_list == NULL || | |||
if (hs->config->alpn_client_proto_list.empty() || | |||
ssl->s3->initial_handshake_complete) { | |||
return true; | |||
} | |||
@@ -1402,8 +1387,8 @@ static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) || | |||
!CBB_add_u16_length_prefixed(out, &contents) || | |||
!CBB_add_u16_length_prefixed(&contents, &proto_list) || | |||
!CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list, | |||
hs->config->alpn_client_proto_list_len) || | |||
!CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(), | |||
hs->config->alpn_client_proto_list.size()) || | |||
!CBB_flush(out)) { | |||
return false; | |||
} | |||
@@ -1419,7 +1404,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, | |||
} | |||
assert(!ssl->s3->initial_handshake_complete); | |||
assert(hs->config->alpn_client_proto_list != NULL); | |||
assert(!hs->config->alpn_client_proto_list.empty()); | |||
if (hs->next_proto_neg_seen) { | |||
// NPN and ALPN may not be negotiated in the same connection. | |||
@@ -1456,7 +1441,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, | |||
bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs, | |||
Span<const uint8_t> protocol) { | |||
if (hs->config->alpn_client_proto_list == nullptr) { | |||
if (hs->config->alpn_client_proto_list.empty()) { | |||
return false; | |||
} | |||
@@ -1465,9 +1450,9 @@ bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs, | |||
} | |||
// Check that the protocol name is one of the ones we advertised. | |||
CBS client_protocol_name_list, client_protocol_name; | |||
CBS_init(&client_protocol_name_list, hs->config->alpn_client_proto_list, | |||
hs->config->alpn_client_proto_list_len); | |||
CBS client_protocol_name_list = | |||
MakeConstSpan(hs->config->alpn_client_proto_list), | |||
client_protocol_name; | |||
while (CBS_len(&client_protocol_name_list) > 0) { | |||
if (!CBS_get_u8_length_prefixed(&client_protocol_name_list, | |||
&client_protocol_name)) { | |||
@@ -2549,7 +2534,7 @@ static uint16_t kTokenBindingMinVersion = 13; | |||
static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
SSL *const ssl = hs->ssl; | |||
if (hs->config->token_binding_params == nullptr || SSL_is_dtls(ssl)) { | |||
if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) { | |||
return true; | |||
} | |||
@@ -2558,8 +2543,8 @@ static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
!CBB_add_u16_length_prefixed(out, &contents) || | |||
!CBB_add_u16(&contents, kTokenBindingMaxVersion) || | |||
!CBB_add_u8_length_prefixed(&contents, ¶ms) || | |||
!CBB_add_bytes(¶ms, hs->config->token_binding_params, | |||
hs->config->token_binding_params_len) || | |||
!CBB_add_bytes(¶ms, hs->config->token_binding_params.data(), | |||
hs->config->token_binding_params.size()) || | |||
!CBB_flush(out)) { | |||
return false; | |||
} | |||
@@ -2599,8 +2584,8 @@ static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs, | |||
return true; | |||
} | |||
for (size_t i = 0; i < hs->config->token_binding_params_len; ++i) { | |||
if (param == hs->config->token_binding_params[i]) { | |||
for (uint8_t config_param : hs->config->token_binding_params) { | |||
if (param == config_param) { | |||
ssl->s3->negotiated_token_binding_param = param; | |||
ssl->s3->token_binding_negotiated = true; | |||
return true; | |||
@@ -2617,8 +2602,7 @@ static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs, | |||
// param is found, and false otherwise. | |||
static bool select_tb_param(SSL_HANDSHAKE *hs, | |||
Span<const uint8_t> peer_params) { | |||
for (size_t i = 0; i < hs->config->token_binding_params_len; ++i) { | |||
uint8_t tb_param = hs->config->token_binding_params[i]; | |||
for (uint8_t tb_param : hs->config->token_binding_params) { | |||
for (uint8_t peer_param : peer_params) { | |||
if (tb_param == peer_param) { | |||
hs->ssl->s3->negotiated_token_binding_param = tb_param; | |||
@@ -2633,7 +2617,7 @@ static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs, | |||
uint8_t *out_alert, | |||
CBS *contents) { | |||
SSL *const ssl = hs->ssl; | |||
if (contents == nullptr || hs->config->token_binding_params == nullptr) { | |||
if (contents == nullptr || hs->config->token_binding_params.empty()) { | |||
return true; | |||
} | |||
@@ -2689,15 +2673,16 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { | |||
static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs, | |||
CBB *out) { | |||
if (!hs->config->quic_transport_params || hs->max_version <= TLS1_2_VERSION) { | |||
if (hs->config->quic_transport_params.empty() || | |||
hs->max_version <= TLS1_2_VERSION) { | |||
return true; | |||
} | |||
CBB contents; | |||
if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) || | |||
!CBB_add_u16_length_prefixed(out, &contents) || | |||
!CBB_add_bytes(&contents, hs->config->quic_transport_params, | |||
hs->config->quic_transport_params_len) || | |||
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(), | |||
hs->config->quic_transport_params.size()) || | |||
!CBB_flush(out)) { | |||
return false; | |||
} | |||
@@ -2724,7 +2709,7 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs, | |||
uint8_t *out_alert, | |||
CBS *contents) { | |||
SSL *const ssl = hs->ssl; | |||
if (!contents || !hs->config->quic_transport_params) { | |||
if (!contents || hs->config->quic_transport_params.empty()) { | |||
return true; | |||
} | |||
// Ignore the extension before TLS 1.3. | |||
@@ -2737,15 +2722,15 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs, | |||
static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs, | |||
CBB *out) { | |||
if (!hs->config->quic_transport_params) { | |||
if (hs->config->quic_transport_params.empty()) { | |||
return true; | |||
} | |||
CBB contents; | |||
if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) || | |||
!CBB_add_u16_length_prefixed(out, &contents) || | |||
!CBB_add_bytes(&contents, hs->config->quic_transport_params, | |||
hs->config->quic_transport_params_len) || | |||
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(), | |||
hs->config->quic_transport_params.size()) || | |||
!CBB_flush(out)) { | |||
return false; | |||
} | |||
@@ -3667,7 +3652,7 @@ bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) { | |||
bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { | |||
SSL *const ssl = hs->ssl; | |||
CERT *cert = hs->config->cert; | |||
CERT *cert = hs->config->cert.get(); | |||
// Before TLS 1.2, the signature algorithm isn't negotiated as part of the | |||
// handshake. | |||
@@ -3789,7 +3774,8 @@ bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) { | |||
return false; | |||
} | |||
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->tlsext_channel_id_private); | |||
EC_KEY *ec_key = | |||
EVP_PKEY_get0_EC_KEY(hs->config->tlsext_channel_id_private.get()); | |||
if (ec_key == nullptr) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return false; | |||
@@ -415,7 +415,7 @@ int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg, | |||
int tls13_add_certificate(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
CERT *const cert = hs->config->cert; | |||
CERT *const cert = hs->config->cert.get(); | |||
ScopedCBB cbb; | |||
CBB *body, body_storage, certificate_list; | |||