kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Switch some easy SSL fields to UniquePtr. 

Change-Id: I982ecda5a19187708b15e8572e6d0000c22ed87c
Reviewed-on: https://boringssl-review.googlesource.com/29590
Reviewed-by: Adam Langley <agl@google.com>
kris/onging/CECPQ3_patch15
David Benjamin 6 years ago
committed by Adam Langley
parent
c1389f2ce8
commit
50596f8f54
19 changed files with 104 additions and 120 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +4
    -4
      ssl/d1_both.cc
  2. +2
    -1
      ssl/d1_lib.cc
  3. +1
    -1
      ssl/d1_pkt.cc
  4. +4
    -5
      ssl/handoff.cc
  5. +2
    -2
      ssl/handshake.cc
  6. +4
    -5
      ssl/handshake_client.cc
  7. +5
    -4
      ssl/handshake_server.cc
  8. +9
    -7
      ssl/internal.h
  9. +2
    -2
      ssl/s3_both.cc
  10. +1
    -1
      ssl/s3_pkt.cc
  11. +7
    -6
      ssl/ssl_buffer.cc
  12. +1
    -1
      ssl/ssl_cert.cc
  13. +25
    -43
      ssl/ssl_lib.cc
  14. +6
    -10
      ssl/ssl_session.cc
  15. +5
    -5
      ssl/ssl_x509.cc
  16. +15
    -15
      ssl/t1_lib.cc
  17. +6
    -4
      ssl/test/bssl_shim.cc
  18. +3
    -2
      ssl/tls13_client.cc
  19. +2
    -2
      ssl/tls13_enc.cc

+ 4
- 4
ssl/d1_both.cc View File

@@ -618,12 +618,12 @@ static void dtls1_update_mtu(SSL *ssl) {
// |SSL_set_mtu|. Does this need to be so complex?
if (ssl->d1->mtu < dtls1_min_mtu() &&
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
long mtu = BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {
ssl->d1->mtu = (unsigned)mtu;
} else {
ssl->d1->mtu = kDefaultMTU;
BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL);
BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL);
}
}

@@ -803,7 +803,7 @@ static int send_flight(SSL *ssl) {
goto err;
}

int bio_ret = BIO_write(ssl->wbio, packet, packet_len);
int bio_ret = BIO_write(ssl->wbio.get(), packet, packet_len);
if (bio_ret <= 0) {
// Retry this packet the next time around.
ssl->d1->outgoing_written = old_written;
@@ -814,7 +814,7 @@ static int send_flight(SSL *ssl) {
}
}

if (BIO_flush(ssl->wbio) <= 0) {
if (BIO_flush(ssl->wbio.get()) <= 0) {
ssl->s3->rwstate = SSL_WRITING;
goto err;
}


+ 2
- 1
ssl/d1_lib.cc View File

@@ -171,7 +171,8 @@ bool dtls1_check_timeout_num(SSL *ssl) {
// Reduce MTU after 2 unsuccessful retransmissions
if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS &&
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
long mtu =
BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, nullptr);
if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {
ssl->d1->mtu = (unsigned)mtu;
}


+ 1
- 1
ssl/d1_pkt.cc View File

@@ -260,7 +260,7 @@ int dtls1_dispatch_alert(SSL *ssl) {

// If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
BIO_flush(ssl->wbio);
BIO_flush(ssl->wbio.get());
}

ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert);


+ 4
- 5
ssl/handoff.cc View File

@@ -149,8 +149,8 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {

// TODO(mab): make sure everything is serialized.
CBB seq, key_share;
SSL_SESSION *session =
s3->session_reused ? ssl->session : s3->hs->new_session.get();
const SSL_SESSION *session =
s3->session_reused ? ssl->session.get() : s3->hs->new_session.get();
if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
!CBB_add_asn1_uint64(&seq, type) ||
@@ -239,9 +239,8 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
s3->hs = ssl_handshake_new(ssl);
if (session_reused) {
ssl->session =
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool)
.release();
session = ssl->session;
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
session = ssl->session.get();
} else {
s3->hs->new_session =
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);


+ 2
- 2
ssl/handshake.cc View File

@@ -162,7 +162,7 @@ UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl) {
!hs->transcript.Init()) {
return nullptr;
}
hs->config = ssl->config;
hs->config = ssl->config.get();
if (!hs->config) {
assert(hs->config);
return nullptr;
@@ -197,7 +197,7 @@ size_t ssl_max_handshake_message_len(const SSL *ssl) {
static const size_t kMaxMessageLen = 16384;

if (SSL_in_init(ssl)) {
SSL_CONFIG *config = ssl->config; // SSL_in_init() implies not NULL.
SSL_CONFIG *config = ssl->config.get(); // SSL_in_init() implies not NULL.
if ((!ssl->server || (config->verify_mode & SSL_VERIFY_PEER)) &&
kMaxMessageLen < ssl->max_cert_list) {
return ssl->max_cert_list;


+ 4
- 5
ssl/handshake_client.cc View File

@@ -404,7 +404,7 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
(ssl->session->session_id_length == 0 &&
ssl->session->ticket.empty()) ||
ssl->session->not_resumable ||
!ssl_session_is_time_valid(ssl, ssl->session)) {
!ssl_session_is_time_valid(ssl, ssl->session.get())) {
ssl_set_session(ssl, NULL);
}
}
@@ -664,7 +664,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
if (!ssl_session_is_context_valid(hs, ssl->session)) {
if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
// This is actually a client application bug.
OPENSSL_PUT_ERROR(SSL,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
@@ -1547,7 +1547,7 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
// immutable once established, so duplicate all but the ticket of the
// existing session.
renewed_session =
SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);
if (!renewed_session) {
// This should never happen.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1575,8 +1575,7 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {

if (renewed_session) {
session->not_resumable = false;
SSL_SESSION_free(ssl->session);
ssl->session = renewed_session.release();
ssl->session = std::move(renewed_session);
}

ssl->method->next_message(ssl);


+ 5
- 4
ssl/handshake_server.cc View File

@@ -600,7 +600,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
if (session) {
// Use the old session.
hs->ticket_expected = renew_ticket;
ssl->session = session.release();
ssl->session = std::move(session);
ssl->s3->session_reused = true;
} else {
hs->ticket_expected = tickets_supported;
@@ -713,8 +713,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
}

const SSL_SESSION *session = hs->new_session.get();
if (ssl->session != NULL) {
session = ssl->session;
if (ssl->session != nullptr) {
session = ssl->session.get();
}

ScopedCBB cbb;
@@ -1419,7 +1419,8 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
} else {
// We are renewing an existing session. Duplicate the session to adjust
// the timeout.
session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
session_copy =
SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);
if (!session_copy) {
return ssl_hs_error;
}


+ 9
- 7
ssl/internal.h View File

@@ -2396,6 +2396,8 @@ struct DTLS1_STATE {
// See SSL_shed_handshake_config() for more about the conditions under which
// configuration can be shed.
struct SSL_CONFIG {
static constexpr bool kAllowUniquePtr = true;

explicit SSL_CONFIG(SSL *ssl_arg);
~SSL_CONFIG();

@@ -3125,7 +3127,7 @@ struct ssl_st {
// should check for nullptr, since configuration may be shed after the
// handshake completes. (If you have the |SSL_HANDSHAKE| object at hand, use
// that instead, and skip the null check.)
bssl::SSL_CONFIG *config = nullptr;
bssl::UniquePtr<bssl::SSL_CONFIG> config;

// version is the protocol version.
uint16_t version = 0;
@@ -3135,8 +3137,8 @@ struct ssl_st {
// There are 2 BIO's even though they are normally both the same. This is so
// data can be read and written to different handlers

BIO *rbio = nullptr; // used by SSL_read
BIO *wbio = nullptr; // used by SSL_write
bssl::UniquePtr<BIO> rbio; // used by SSL_read
bssl::UniquePtr<BIO> wbio; // used by SSL_write

// do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|.
// Otherwise, it returns a value corresponding to what operation is needed to
@@ -3167,15 +3169,15 @@ struct ssl_st {

// session is the configured session to be offered by the client. This session
// is immutable.
SSL_SESSION *session = nullptr;
bssl::UniquePtr<SSL_SESSION> session;

void (*info_callback)(const SSL *ssl, int type, int value) = nullptr;

SSL_CTX *ctx = nullptr;
bssl::UniquePtr<SSL_CTX> ctx;

// session_ctx is the |SSL_CTX| used for the session cache and related
// settings.
SSL_CTX *session_ctx = nullptr;
bssl::UniquePtr<SSL_CTX> session_ctx;

// extra application data
CRYPTO_EX_DATA ex_data;
@@ -3183,7 +3185,7 @@ struct ssl_st {
uint32_t options = 0; // protocol behaviour
uint32_t mode = 0; // API behaviour
uint32_t max_cert_list = 0;
char *tlsext_hostname = nullptr;
bssl::UniquePtr<char> tlsext_hostname;

// renegotiate_mode controls how peer renegotiation attempts are handled.
ssl_renegotiate_mode_t renegotiate_mode = ssl_renegotiate_never;


+ 2
- 2
ssl/s3_both.cc View File

@@ -311,7 +311,7 @@ int ssl3_flush_flight(SSL *ssl) {
// Write the pending flight.
while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {
int ret = BIO_write(
ssl->wbio,
ssl->wbio.get(),
ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,
ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);
if (ret <= 0) {
@@ -322,7 +322,7 @@ int ssl3_flush_flight(SSL *ssl) {
ssl->s3->pending_flight_offset += ret;
}

if (BIO_flush(ssl->wbio) <= 0) {
if (BIO_flush(ssl->wbio.get()) <= 0) {
ssl->s3->rwstate = SSL_WRITING;
return -1;
}


+ 1
- 1
ssl/s3_pkt.cc View File

@@ -414,7 +414,7 @@ int ssl3_dispatch_alert(SSL *ssl) {

// If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
BIO_flush(ssl->wbio);
BIO_flush(ssl->wbio.get());
}

ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert);


+ 7
- 6
ssl/ssl_buffer.cc View File

@@ -113,7 +113,8 @@ static int dtls_read_buffer_next_packet(SSL *ssl) {
}

// Read a single packet from |ssl->rbio|. |buf->cap()| must fit in an int.
int ret = BIO_read(ssl->rbio, buf->data(), static_cast<int>(buf->cap()));
int ret =
BIO_read(ssl->rbio.get(), buf->data(), static_cast<int>(buf->cap()));
if (ret <= 0) {
ssl->s3->rwstate = SSL_READING;
return ret;
@@ -134,7 +135,7 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) {
while (buf->size() < len) {
// The amount of data to read is bounded by |buf->cap|, which must fit in an
// int.
int ret = BIO_read(ssl->rbio, buf->data() + buf->size(),
int ret = BIO_read(ssl->rbio.get(), buf->data() + buf->size(),
static_cast<int>(len - buf->size()));
if (ret <= 0) {
ssl->s3->rwstate = SSL_READING;
@@ -163,7 +164,7 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
return -1;
}

if (ssl->rbio == NULL) {
if (ssl->rbio == nullptr) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);
return -1;
}
@@ -240,7 +241,7 @@ static int tls_write_buffer_flush(SSL *ssl) {
SSLBuffer *buf = &ssl->s3->write_buffer;

while (!buf->empty()) {
int ret = BIO_write(ssl->wbio, buf->data(), buf->size());
int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size());
if (ret <= 0) {
ssl->s3->rwstate = SSL_WRITING;
return ret;
@@ -257,7 +258,7 @@ static int dtls_write_buffer_flush(SSL *ssl) {
return 1;
}

int ret = BIO_write(ssl->wbio, buf->data(), buf->size());
int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size());
if (ret <= 0) {
ssl->s3->rwstate = SSL_WRITING;
// If the write failed, drop the write buffer anyway. Datagram transports
@@ -271,7 +272,7 @@ static int dtls_write_buffer_flush(SSL *ssl) {
}

int ssl_write_buffer_flush(SSL *ssl) {
if (ssl->wbio == NULL) {
if (ssl->wbio == nullptr) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);
return -1;
}


+ 1
- 1
ssl/ssl_cert.cc View File

@@ -872,7 +872,7 @@ void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) {
if (!ssl->config) {
return;
}
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config);
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get());
sk_CRYPTO_BUFFER_pop_free(ssl->config->client_CA, CRYPTO_BUFFER_free);
ssl->config->client_CA = name_list;
}

+ 25
- 43
ssl/ssl_lib.cc View File

@@ -274,7 +274,7 @@ ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out,

void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
SSL *const ssl = hs->ssl;
SSL_CTX *ctx = ssl->session_ctx;
SSL_CTX *ctx = ssl->session_ctx.get();
// Never cache sessions with empty session IDs.
if (ssl->s3->established_session->session_id_length == 0 ||
ssl->s3->established_session->not_resumable ||
@@ -289,7 +289,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
// A client may see new sessions on abbreviated handshakes if the server
// decides to renew the ticket. Once the handshake is completed, it should be
// inserted into the cache.
if (ssl->s3->established_session.get() != ssl->session ||
if (ssl->s3->established_session.get() != ssl->session.get() ||
(!ssl->server && hs->ticket_expected)) {
if (use_internal_cache) {
SSL_CTX_add_session(ctx, ssl->s3->established_session.get());
@@ -406,7 +406,7 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
// TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
// |ssl| arg from |current_time_cb| if possible.
ssl_ctx_get_current_time(ssl->ctx, out_clock);
ssl_ctx_get_current_time(ssl->ctx.get(), out_clock);
}

void ssl_ctx_get_current_time(const SSL_CTX *ctx,
@@ -496,8 +496,7 @@ static void ssl_maybe_shed_handshake_config(SSL *ssl) {
return;
}

Delete(ssl->config);
ssl->config = nullptr;
ssl->config.reset();
}

void SSL_set_handoff_mode(SSL *ssl, bool on) {
@@ -637,8 +636,8 @@ ssl_st::ssl_st(SSL_CTX *ctx_arg)
msg_callback(ctx_arg->msg_callback),
msg_callback_arg(ctx_arg->msg_callback_arg),
tls13_variant(ctx_arg->tls13_variant),
ctx(UpRef(ctx_arg).release()),
session_ctx(UpRef(ctx_arg).release()),
ctx(UpRef(ctx_arg)),
session_ctx(UpRef(ctx_arg)),
options(ctx->options),
mode(ctx->mode),
max_cert_list(ctx->max_cert_list),
@@ -651,22 +650,11 @@ ssl_st::ssl_st(SSL_CTX *ctx_arg)

ssl_st::~ssl_st() {
CRYPTO_free_ex_data(&g_ex_data_class_ssl, this, &ex_data);

BIO_free_all(rbio);
BIO_free_all(wbio);

Delete(config);
config = nullptr;

SSL_SESSION_free(session);

OPENSSL_free(tlsext_hostname);

// |config| refers to |this|, so we must release it earlier.
config.reset();
if (method != NULL) {
method->ssl_free(this);
}
SSL_CTX_free(ctx);
SSL_CTX_free(session_ctx);
}

SSL *SSL_new(SSL_CTX *ctx) {
@@ -680,7 +668,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
return nullptr;
}

ssl->config = New<SSL_CONFIG>(ssl.get());
ssl->config = MakeUnique<SSL_CONFIG>(ssl.get());
if (ssl->config == nullptr) {
return nullptr;
}
@@ -786,13 +774,11 @@ void SSL_set_accept_state(SSL *ssl) {
}

void SSL_set0_rbio(SSL *ssl, BIO *rbio) {
BIO_free_all(ssl->rbio);
ssl->rbio = rbio;
ssl->rbio.reset(rbio);
}

void SSL_set0_wbio(SSL *ssl, BIO *wbio) {
BIO_free_all(ssl->wbio);
ssl->wbio = wbio;
ssl->wbio.reset(wbio);
}

void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
@@ -829,9 +815,9 @@ void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
SSL_set0_wbio(ssl, wbio);
}

BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; }
BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio.get(); }

BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; }
BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio.get(); }

int SSL_do_handshake(SSL *ssl) {
ssl_reset_error_state(ssl);
@@ -1891,8 +1877,8 @@ const char *SSL_get_servername(const SSL *ssl, const int type) {

// Historically, |SSL_get_servername| was also the configuration getter
// corresponding to |SSL_set_tlsext_host_name|.
if (ssl->tlsext_hostname != NULL) {
return ssl->tlsext_hostname;
if (ssl->tlsext_hostname != nullptr) {
return ssl->tlsext_hostname.get();
}

return ssl->s3->hostname.get();
@@ -1971,10 +1957,8 @@ void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
}

int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
OPENSSL_free(ssl->tlsext_hostname);
ssl->tlsext_hostname = NULL;

if (name == NULL) {
ssl->tlsext_hostname.reset();
if (name == nullptr) {
return 1;
}

@@ -1983,8 +1967,8 @@ int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
return 0;
}
ssl->tlsext_hostname = BUF_strdup(name);
if (ssl->tlsext_hostname == NULL) {
ssl->tlsext_hostname.reset(BUF_strdup(name));
if (ssl->tlsext_hostname == nullptr) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -2333,14 +2317,14 @@ int SSL_get_shutdown(const SSL *ssl) {
return ret;
}

SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; }
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx.get(); }

SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
if (!ssl->config) {
return NULL;
}
if (ssl->ctx == ctx) {
return ssl->ctx;
if (ssl->ctx.get() == ctx) {
return ssl->ctx.get();
}

// One cannot change the X.509 callbacks during a connection.
@@ -2350,18 +2334,16 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
}

if (ctx == NULL) {
ctx = ssl->session_ctx;
ctx = ssl->session_ctx.get();
}

Delete(ssl->config->cert);
ssl->config->cert = ssl_cert_dup(ctx->cert).release();

SSL_CTX_up_ref(ctx);
SSL_CTX_free(ssl->ctx);
ssl->ctx = ctx;
ssl->ctx = UpRef(ctx);
ssl->enable_early_data = ssl->ctx->enable_early_data;

return ssl->ctx;
return ssl->ctx.get();
}

void SSL_set_info_callback(SSL *ssl,


+ 6
- 10
ssl/ssl_session.cc View File

@@ -478,7 +478,7 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL_HANDSHAKE *hs, CBB *out,

// Initialize HMAC and cipher contexts. If callback present it does all the
// work otherwise use generated values from parent ctx.
SSL_CTX *tctx = hs->ssl->session_ctx;
SSL_CTX *tctx = hs->ssl->session_ctx.get();
uint8_t iv[EVP_MAX_IV_LENGTH];
uint8_t key_name[16];
if (tctx->tlsext_ticket_key_cb != NULL) {
@@ -696,13 +696,13 @@ static enum ssl_hs_wait_t ssl_lookup_session(
// Add the externally cached session to the internal cache if necessary.
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
SSL_CTX_add_session(ssl->session_ctx, session.get());
SSL_CTX_add_session(ssl->session_ctx.get(), session.get());
}
}

if (session && !ssl_session_is_time_valid(ssl, session.get())) {
// The session was from the cache, so remove it.
SSL_CTX_remove_session(ssl->session_ctx, session.get());
SSL_CTX_remove_session(ssl->session_ctx.get(), session.get());
session.reset();
}

@@ -788,15 +788,11 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *session, int lock) {
}

void ssl_set_session(SSL *ssl, SSL_SESSION *session) {
if (ssl->session == session) {
if (ssl->session.get() == session) {
return;
}

SSL_SESSION_free(ssl->session);
ssl->session = session;
if (session != NULL) {
SSL_SESSION_up_ref(session);
}
ssl->session = UpRef(session);
}

// locked by SSL_CTX in the calling function
@@ -1070,7 +1066,7 @@ SSL_SESSION *SSL_get_session(const SSL *ssl) {
if (hs->new_session) {
return hs->new_session.get();
}
return ssl->session;
return ssl->session.get();
}

SSL_SESSION *SSL_get1_session(SSL *ssl) {


+ 5
- 5
ssl/ssl_x509.cc View File

@@ -354,7 +354,7 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
return 0;
}

SSL_CTX *ssl_ctx = hs->ssl->ctx;
SSL_CTX *ssl_ctx = hs->ssl->ctx.get();
X509_STORE *verify_store = ssl_ctx->cert_store;
if (hs->config->cert->verify_store != NULL) {
verify_store = hs->config->cert->verify_store;
@@ -1074,7 +1074,7 @@ void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) {
if (!ssl->config) {
return;
}
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config);
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get());
set_client_CA_list(&ssl->config->client_CA, name_list, ssl->ctx->pool);
sk_X509_NAME_pop_free(name_list, X509_NAME_free);
}
@@ -1143,7 +1143,7 @@ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {
ssl->config->client_CA,
(STACK_OF(X509_NAME) **)&ssl->config->cached_x509_client_CA);
}
return SSL_CTX_get_client_CA_list(ssl->ctx);
return SSL_CTX_get_client_CA_list(ssl->ctx.get());
}

STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
@@ -1204,7 +1204,7 @@ int SSL_add_client_CA(SSL *ssl, X509 *x509) {
return 0;
}

ssl_crypto_x509_ssl_flush_cached_client_CA(ssl->config);
ssl_crypto_x509_ssl_flush_cached_client_CA(ssl->config.get());
return 1;
}

@@ -1224,7 +1224,7 @@ static int do_client_cert_cb(SSL *ssl, void *arg) {
assert(ssl->config);
return -1;
}
if (ssl_has_certificate(ssl->config) ||
if (ssl_has_certificate(ssl->config.get()) ||
ssl->ctx->client_cert_cb == NULL) {
return 1;
}


+ 15
- 15
ssl/t1_lib.cc View File

@@ -606,7 +606,7 @@ static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {

static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
if (ssl->tlsext_hostname == NULL) {
if (ssl->tlsext_hostname == nullptr) {
return true;
}

@@ -616,8 +616,8 @@ static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
!CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
!CBB_add_u16_length_prefixed(&server_name_list, &name) ||
!CBB_add_bytes(&name, (const uint8_t *)ssl->tlsext_hostname,
strlen(ssl->tlsext_hostname)) ||
!CBB_add_bytes(&name, (const uint8_t *)ssl->tlsext_hostname.get(),
strlen(ssl->tlsext_hostname.get())) ||
!CBB_flush(out)) {
return false;
}
@@ -950,10 +950,10 @@ static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
// over the state from the previous handshake, such as OpenSSL servers
// without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
if (!ssl->s3->initial_handshake_complete &&
ssl->session != NULL &&
ssl->session != nullptr &&
!ssl->session->ticket.empty() &&
// Don't send TLS 1.3 session tickets in the ticket extension.
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
ticket = ssl->session->ticket;
}

@@ -1866,20 +1866,20 @@ static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {

static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
return 0;
}

size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session));
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
return 15 + ssl->session->ticket.size() + binder_len;
}

static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
hs->needs_psk_binder = false;
if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
return true;
}

@@ -1899,7 +1899,7 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
// Fill in a placeholder zero binder of the appropriate length. It will be
// computed and filled in later after length prefixes are computed.
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session));
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));

CBB contents, identity, ticket, binders, binder;
if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
@@ -2066,8 +2066,8 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
if (!ssl->enable_early_data ||
// Session must be 0-RTT capable.
ssl->session == NULL ||
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION ||
ssl->session == nullptr ||
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
ssl->session->ticket_max_early_data == 0 ||
// The second ClientHello never offers early data.
hs->received_hello_retry_request ||
@@ -3525,7 +3525,7 @@ static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len, const uint8_t *ticket,
size_t ticket_len) {
assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
SSL_CTX *ctx = hs->ssl->session_ctx;
SSL_CTX *ctx = hs->ssl->session_ctx.get();

// Rotate the ticket key if necessary.
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
@@ -3626,7 +3626,7 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(

// Decode the session.
UniquePtr<SSL_SESSION> session(
SSL_SESSION_from_bytes(plaintext, plaintext_len, hs->ssl->ctx));
SSL_SESSION_from_bytes(plaintext, plaintext_len, hs->ssl->ctx.get()));
OPENSSL_free(plaintext);

if (!session) {


+ 6
- 4
ssl/test/bssl_shim.cc View File

@@ -773,11 +773,12 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session,
SettingsWriter *writer) {
int ret;
SSL *ssl = ssl_uniqueptr->get();
SSL_CTX *session_ctx = ssl->ctx;
SSL_CTX *session_ctx = SSL_get_SSL_CTX(ssl);

if (!config->implicit_handshake) {
if (config->handoff) {
bssl::UniquePtr<SSL_CTX> ctx_handoff = config->SetupCtx(ssl->ctx);
bssl::UniquePtr<SSL_CTX> ctx_handoff =
config->SetupCtx(SSL_get_SSL_CTX(ssl));
if (!ctx_handoff) {
return false;
}
@@ -853,7 +854,8 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session,
return false;
}

bssl::UniquePtr<SSL_CTX> ctx_handback = config->SetupCtx(ssl->ctx);
bssl::UniquePtr<SSL_CTX> ctx_handback =
config->SetupCtx(SSL_get_SSL_CTX(ssl));
if (!ctx_handback) {
return false;
}
@@ -891,7 +893,7 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session,
return false;
}

CopySessions(session_ctx, ssl->ctx);
CopySessions(session_ctx, SSL_get_SSL_CTX(ssl));

if (is_resume && !is_retry && !config->is_server &&
config->expect_no_offer_early_data && SSL_in_early_data(ssl)) {


+ 3
- 2
ssl/tls13_client.cc View File

@@ -328,7 +328,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

if (!ssl_session_is_context_valid(hs, ssl->session)) {
if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
// This is actually a client application bug.
OPENSSL_PUT_ERROR(SSL,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
@@ -338,7 +338,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {

ssl->s3->session_reused = true;
// Only authentication information carries over in TLS 1.3.
hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
hs->new_session =
SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
if (!hs->new_session) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;


+ 2
- 2
ssl/tls13_enc.cc View File

@@ -60,7 +60,7 @@ int tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
size_t psk_len) {
SSL *const ssl = hs->ssl;
return init_key_schedule(hs, ssl_session_protocol_version(ssl->session),
return init_key_schedule(hs, ssl_session_protocol_version(ssl->session.get()),
ssl->session->cipher) &&
HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,
psk_len, hs->secret, hs->hash_len);
@@ -413,7 +413,7 @@ static int tls13_psk_binder(uint8_t *out, uint16_t version,

int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {
SSL *const ssl = hs->ssl;
const EVP_MD *digest = ssl_session_get_digest(ssl->session);
const EVP_MD *digest = ssl_session_get_digest(ssl->session.get());
size_t hash_len = EVP_MD_size(digest);

if (len < hash_len + 3) {


Write Preview
Loading…
Cancel
Save