Change-Id: I982ecda5a19187708b15e8572e6d0000c22ed87c Reviewed-on: https://boringssl-review.googlesource.com/29590 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
@@ -618,12 +618,12 @@ static void dtls1_update_mtu(SSL *ssl) { | |||
// |SSL_set_mtu|. Does this need to be so complex? | |||
if (ssl->d1->mtu < dtls1_min_mtu() && | |||
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { | |||
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); | |||
long mtu = BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); | |||
if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) { | |||
ssl->d1->mtu = (unsigned)mtu; | |||
} else { | |||
ssl->d1->mtu = kDefaultMTU; | |||
BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL); | |||
BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL); | |||
} | |||
} | |||
@@ -803,7 +803,7 @@ static int send_flight(SSL *ssl) { | |||
goto err; | |||
} | |||
int bio_ret = BIO_write(ssl->wbio, packet, packet_len); | |||
int bio_ret = BIO_write(ssl->wbio.get(), packet, packet_len); | |||
if (bio_ret <= 0) { | |||
// Retry this packet the next time around. | |||
ssl->d1->outgoing_written = old_written; | |||
@@ -814,7 +814,7 @@ static int send_flight(SSL *ssl) { | |||
} | |||
} | |||
if (BIO_flush(ssl->wbio) <= 0) { | |||
if (BIO_flush(ssl->wbio.get()) <= 0) { | |||
ssl->s3->rwstate = SSL_WRITING; | |||
goto err; | |||
} | |||
@@ -171,7 +171,8 @@ bool dtls1_check_timeout_num(SSL *ssl) { | |||
// Reduce MTU after 2 unsuccessful retransmissions | |||
if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS && | |||
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { | |||
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); | |||
long mtu = | |||
BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, nullptr); | |||
if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) { | |||
ssl->d1->mtu = (unsigned)mtu; | |||
} | |||
@@ -260,7 +260,7 @@ int dtls1_dispatch_alert(SSL *ssl) { | |||
// If the alert is fatal, flush the BIO now. | |||
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) { | |||
BIO_flush(ssl->wbio); | |||
BIO_flush(ssl->wbio.get()); | |||
} | |||
ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert); | |||
@@ -149,8 +149,8 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) { | |||
// TODO(mab): make sure everything is serialized. | |||
CBB seq, key_share; | |||
SSL_SESSION *session = | |||
s3->session_reused ? ssl->session : s3->hs->new_session.get(); | |||
const SSL_SESSION *session = | |||
s3->session_reused ? ssl->session.get() : s3->hs->new_session.get(); | |||
if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || | |||
!CBB_add_asn1_uint64(&seq, kHandbackVersion) || | |||
!CBB_add_asn1_uint64(&seq, type) || | |||
@@ -239,9 +239,8 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) { | |||
s3->hs = ssl_handshake_new(ssl); | |||
if (session_reused) { | |||
ssl->session = | |||
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool) | |||
.release(); | |||
session = ssl->session; | |||
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool); | |||
session = ssl->session.get(); | |||
} else { | |||
s3->hs->new_session = | |||
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool); | |||
@@ -162,7 +162,7 @@ UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl) { | |||
!hs->transcript.Init()) { | |||
return nullptr; | |||
} | |||
hs->config = ssl->config; | |||
hs->config = ssl->config.get(); | |||
if (!hs->config) { | |||
assert(hs->config); | |||
return nullptr; | |||
@@ -197,7 +197,7 @@ size_t ssl_max_handshake_message_len(const SSL *ssl) { | |||
static const size_t kMaxMessageLen = 16384; | |||
if (SSL_in_init(ssl)) { | |||
SSL_CONFIG *config = ssl->config; // SSL_in_init() implies not NULL. | |||
SSL_CONFIG *config = ssl->config.get(); // SSL_in_init() implies not NULL. | |||
if ((!ssl->server || (config->verify_mode & SSL_VERIFY_PEER)) && | |||
kMaxMessageLen < ssl->max_cert_list) { | |||
return ssl->max_cert_list; | |||
@@ -404,7 +404,7 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { | |||
(ssl->session->session_id_length == 0 && | |||
ssl->session->ticket.empty()) || | |||
ssl->session->not_resumable || | |||
!ssl_session_is_time_valid(ssl, ssl->session)) { | |||
!ssl_session_is_time_valid(ssl, ssl->session.get())) { | |||
ssl_set_session(ssl, NULL); | |||
} | |||
} | |||
@@ -664,7 +664,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
return ssl_hs_error; | |||
} | |||
if (!ssl_session_is_context_valid(hs, ssl->session)) { | |||
if (!ssl_session_is_context_valid(hs, ssl->session.get())) { | |||
// This is actually a client application bug. | |||
OPENSSL_PUT_ERROR(SSL, | |||
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); | |||
@@ -1547,7 +1547,7 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { | |||
// immutable once established, so duplicate all but the ticket of the | |||
// existing session. | |||
renewed_session = | |||
SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH); | |||
SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH); | |||
if (!renewed_session) { | |||
// This should never happen. | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
@@ -1575,8 +1575,7 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { | |||
if (renewed_session) { | |||
session->not_resumable = false; | |||
SSL_SESSION_free(ssl->session); | |||
ssl->session = renewed_session.release(); | |||
ssl->session = std::move(renewed_session); | |||
} | |||
ssl->method->next_message(ssl); | |||
@@ -600,7 +600,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
if (session) { | |||
// Use the old session. | |||
hs->ticket_expected = renew_ticket; | |||
ssl->session = session.release(); | |||
ssl->session = std::move(session); | |||
ssl->s3->session_reused = true; | |||
} else { | |||
hs->ticket_expected = tickets_supported; | |||
@@ -713,8 +713,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
const SSL_SESSION *session = hs->new_session.get(); | |||
if (ssl->session != NULL) { | |||
session = ssl->session; | |||
if (ssl->session != nullptr) { | |||
session = ssl->session.get(); | |||
} | |||
ScopedCBB cbb; | |||
@@ -1419,7 +1419,8 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { | |||
} else { | |||
// We are renewing an existing session. Duplicate the session to adjust | |||
// the timeout. | |||
session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH); | |||
session_copy = | |||
SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH); | |||
if (!session_copy) { | |||
return ssl_hs_error; | |||
} | |||
@@ -2396,6 +2396,8 @@ struct DTLS1_STATE { | |||
// See SSL_shed_handshake_config() for more about the conditions under which | |||
// configuration can be shed. | |||
struct SSL_CONFIG { | |||
static constexpr bool kAllowUniquePtr = true; | |||
explicit SSL_CONFIG(SSL *ssl_arg); | |||
~SSL_CONFIG(); | |||
@@ -3125,7 +3127,7 @@ struct ssl_st { | |||
// should check for nullptr, since configuration may be shed after the | |||
// handshake completes. (If you have the |SSL_HANDSHAKE| object at hand, use | |||
// that instead, and skip the null check.) | |||
bssl::SSL_CONFIG *config = nullptr; | |||
bssl::UniquePtr<bssl::SSL_CONFIG> config; | |||
// version is the protocol version. | |||
uint16_t version = 0; | |||
@@ -3135,8 +3137,8 @@ struct ssl_st { | |||
// There are 2 BIO's even though they are normally both the same. This is so | |||
// data can be read and written to different handlers | |||
BIO *rbio = nullptr; // used by SSL_read | |||
BIO *wbio = nullptr; // used by SSL_write | |||
bssl::UniquePtr<BIO> rbio; // used by SSL_read | |||
bssl::UniquePtr<BIO> wbio; // used by SSL_write | |||
// do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|. | |||
// Otherwise, it returns a value corresponding to what operation is needed to | |||
@@ -3167,15 +3169,15 @@ struct ssl_st { | |||
// session is the configured session to be offered by the client. This session | |||
// is immutable. | |||
SSL_SESSION *session = nullptr; | |||
bssl::UniquePtr<SSL_SESSION> session; | |||
void (*info_callback)(const SSL *ssl, int type, int value) = nullptr; | |||
SSL_CTX *ctx = nullptr; | |||
bssl::UniquePtr<SSL_CTX> ctx; | |||
// session_ctx is the |SSL_CTX| used for the session cache and related | |||
// settings. | |||
SSL_CTX *session_ctx = nullptr; | |||
bssl::UniquePtr<SSL_CTX> session_ctx; | |||
// extra application data | |||
CRYPTO_EX_DATA ex_data; | |||
@@ -3183,7 +3185,7 @@ struct ssl_st { | |||
uint32_t options = 0; // protocol behaviour | |||
uint32_t mode = 0; // API behaviour | |||
uint32_t max_cert_list = 0; | |||
char *tlsext_hostname = nullptr; | |||
bssl::UniquePtr<char> tlsext_hostname; | |||
// renegotiate_mode controls how peer renegotiation attempts are handled. | |||
ssl_renegotiate_mode_t renegotiate_mode = ssl_renegotiate_never; | |||
@@ -311,7 +311,7 @@ int ssl3_flush_flight(SSL *ssl) { | |||
// Write the pending flight. | |||
while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) { | |||
int ret = BIO_write( | |||
ssl->wbio, | |||
ssl->wbio.get(), | |||
ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset, | |||
ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset); | |||
if (ret <= 0) { | |||
@@ -322,7 +322,7 @@ int ssl3_flush_flight(SSL *ssl) { | |||
ssl->s3->pending_flight_offset += ret; | |||
} | |||
if (BIO_flush(ssl->wbio) <= 0) { | |||
if (BIO_flush(ssl->wbio.get()) <= 0) { | |||
ssl->s3->rwstate = SSL_WRITING; | |||
return -1; | |||
} | |||
@@ -414,7 +414,7 @@ int ssl3_dispatch_alert(SSL *ssl) { | |||
// If the alert is fatal, flush the BIO now. | |||
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) { | |||
BIO_flush(ssl->wbio); | |||
BIO_flush(ssl->wbio.get()); | |||
} | |||
ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert); | |||
@@ -113,7 +113,8 @@ static int dtls_read_buffer_next_packet(SSL *ssl) { | |||
} | |||
// Read a single packet from |ssl->rbio|. |buf->cap()| must fit in an int. | |||
int ret = BIO_read(ssl->rbio, buf->data(), static_cast<int>(buf->cap())); | |||
int ret = | |||
BIO_read(ssl->rbio.get(), buf->data(), static_cast<int>(buf->cap())); | |||
if (ret <= 0) { | |||
ssl->s3->rwstate = SSL_READING; | |||
return ret; | |||
@@ -134,7 +135,7 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) { | |||
while (buf->size() < len) { | |||
// The amount of data to read is bounded by |buf->cap|, which must fit in an | |||
// int. | |||
int ret = BIO_read(ssl->rbio, buf->data() + buf->size(), | |||
int ret = BIO_read(ssl->rbio.get(), buf->data() + buf->size(), | |||
static_cast<int>(len - buf->size())); | |||
if (ret <= 0) { | |||
ssl->s3->rwstate = SSL_READING; | |||
@@ -163,7 +164,7 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { | |||
return -1; | |||
} | |||
if (ssl->rbio == NULL) { | |||
if (ssl->rbio == nullptr) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET); | |||
return -1; | |||
} | |||
@@ -240,7 +241,7 @@ static int tls_write_buffer_flush(SSL *ssl) { | |||
SSLBuffer *buf = &ssl->s3->write_buffer; | |||
while (!buf->empty()) { | |||
int ret = BIO_write(ssl->wbio, buf->data(), buf->size()); | |||
int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size()); | |||
if (ret <= 0) { | |||
ssl->s3->rwstate = SSL_WRITING; | |||
return ret; | |||
@@ -257,7 +258,7 @@ static int dtls_write_buffer_flush(SSL *ssl) { | |||
return 1; | |||
} | |||
int ret = BIO_write(ssl->wbio, buf->data(), buf->size()); | |||
int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size()); | |||
if (ret <= 0) { | |||
ssl->s3->rwstate = SSL_WRITING; | |||
// If the write failed, drop the write buffer anyway. Datagram transports | |||
@@ -271,7 +272,7 @@ static int dtls_write_buffer_flush(SSL *ssl) { | |||
} | |||
int ssl_write_buffer_flush(SSL *ssl) { | |||
if (ssl->wbio == NULL) { | |||
if (ssl->wbio == nullptr) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET); | |||
return -1; | |||
} | |||
@@ -872,7 +872,7 @@ void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) { | |||
if (!ssl->config) { | |||
return; | |||
} | |||
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config); | |||
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get()); | |||
sk_CRYPTO_BUFFER_pop_free(ssl->config->client_CA, CRYPTO_BUFFER_free); | |||
ssl->config->client_CA = name_list; | |||
} |
@@ -274,7 +274,7 @@ ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out, | |||
void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { | |||
SSL *const ssl = hs->ssl; | |||
SSL_CTX *ctx = ssl->session_ctx; | |||
SSL_CTX *ctx = ssl->session_ctx.get(); | |||
// Never cache sessions with empty session IDs. | |||
if (ssl->s3->established_session->session_id_length == 0 || | |||
ssl->s3->established_session->not_resumable || | |||
@@ -289,7 +289,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { | |||
// A client may see new sessions on abbreviated handshakes if the server | |||
// decides to renew the ticket. Once the handshake is completed, it should be | |||
// inserted into the cache. | |||
if (ssl->s3->established_session.get() != ssl->session || | |||
if (ssl->s3->established_session.get() != ssl->session.get() || | |||
(!ssl->server && hs->ticket_expected)) { | |||
if (use_internal_cache) { | |||
SSL_CTX_add_session(ctx, ssl->s3->established_session.get()); | |||
@@ -406,7 +406,7 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, | |||
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) { | |||
// TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the | |||
// |ssl| arg from |current_time_cb| if possible. | |||
ssl_ctx_get_current_time(ssl->ctx, out_clock); | |||
ssl_ctx_get_current_time(ssl->ctx.get(), out_clock); | |||
} | |||
void ssl_ctx_get_current_time(const SSL_CTX *ctx, | |||
@@ -496,8 +496,7 @@ static void ssl_maybe_shed_handshake_config(SSL *ssl) { | |||
return; | |||
} | |||
Delete(ssl->config); | |||
ssl->config = nullptr; | |||
ssl->config.reset(); | |||
} | |||
void SSL_set_handoff_mode(SSL *ssl, bool on) { | |||
@@ -637,8 +636,8 @@ ssl_st::ssl_st(SSL_CTX *ctx_arg) | |||
msg_callback(ctx_arg->msg_callback), | |||
msg_callback_arg(ctx_arg->msg_callback_arg), | |||
tls13_variant(ctx_arg->tls13_variant), | |||
ctx(UpRef(ctx_arg).release()), | |||
session_ctx(UpRef(ctx_arg).release()), | |||
ctx(UpRef(ctx_arg)), | |||
session_ctx(UpRef(ctx_arg)), | |||
options(ctx->options), | |||
mode(ctx->mode), | |||
max_cert_list(ctx->max_cert_list), | |||
@@ -651,22 +650,11 @@ ssl_st::ssl_st(SSL_CTX *ctx_arg) | |||
ssl_st::~ssl_st() { | |||
CRYPTO_free_ex_data(&g_ex_data_class_ssl, this, &ex_data); | |||
BIO_free_all(rbio); | |||
BIO_free_all(wbio); | |||
Delete(config); | |||
config = nullptr; | |||
SSL_SESSION_free(session); | |||
OPENSSL_free(tlsext_hostname); | |||
// |config| refers to |this|, so we must release it earlier. | |||
config.reset(); | |||
if (method != NULL) { | |||
method->ssl_free(this); | |||
} | |||
SSL_CTX_free(ctx); | |||
SSL_CTX_free(session_ctx); | |||
} | |||
SSL *SSL_new(SSL_CTX *ctx) { | |||
@@ -680,7 +668,7 @@ SSL *SSL_new(SSL_CTX *ctx) { | |||
return nullptr; | |||
} | |||
ssl->config = New<SSL_CONFIG>(ssl.get()); | |||
ssl->config = MakeUnique<SSL_CONFIG>(ssl.get()); | |||
if (ssl->config == nullptr) { | |||
return nullptr; | |||
} | |||
@@ -786,13 +774,11 @@ void SSL_set_accept_state(SSL *ssl) { | |||
} | |||
void SSL_set0_rbio(SSL *ssl, BIO *rbio) { | |||
BIO_free_all(ssl->rbio); | |||
ssl->rbio = rbio; | |||
ssl->rbio.reset(rbio); | |||
} | |||
void SSL_set0_wbio(SSL *ssl, BIO *wbio) { | |||
BIO_free_all(ssl->wbio); | |||
ssl->wbio = wbio; | |||
ssl->wbio.reset(wbio); | |||
} | |||
void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { | |||
@@ -829,9 +815,9 @@ void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { | |||
SSL_set0_wbio(ssl, wbio); | |||
} | |||
BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; } | |||
BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio.get(); } | |||
BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; } | |||
BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio.get(); } | |||
int SSL_do_handshake(SSL *ssl) { | |||
ssl_reset_error_state(ssl); | |||
@@ -1891,8 +1877,8 @@ const char *SSL_get_servername(const SSL *ssl, const int type) { | |||
// Historically, |SSL_get_servername| was also the configuration getter | |||
// corresponding to |SSL_set_tlsext_host_name|. | |||
if (ssl->tlsext_hostname != NULL) { | |||
return ssl->tlsext_hostname; | |||
if (ssl->tlsext_hostname != nullptr) { | |||
return ssl->tlsext_hostname.get(); | |||
} | |||
return ssl->s3->hostname.get(); | |||
@@ -1971,10 +1957,8 @@ void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, | |||
} | |||
int SSL_set_tlsext_host_name(SSL *ssl, const char *name) { | |||
OPENSSL_free(ssl->tlsext_hostname); | |||
ssl->tlsext_hostname = NULL; | |||
if (name == NULL) { | |||
ssl->tlsext_hostname.reset(); | |||
if (name == nullptr) { | |||
return 1; | |||
} | |||
@@ -1983,8 +1967,8 @@ int SSL_set_tlsext_host_name(SSL *ssl, const char *name) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); | |||
return 0; | |||
} | |||
ssl->tlsext_hostname = BUF_strdup(name); | |||
if (ssl->tlsext_hostname == NULL) { | |||
ssl->tlsext_hostname.reset(BUF_strdup(name)); | |||
if (ssl->tlsext_hostname == nullptr) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
return 0; | |||
} | |||
@@ -2333,14 +2317,14 @@ int SSL_get_shutdown(const SSL *ssl) { | |||
return ret; | |||
} | |||
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; } | |||
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx.get(); } | |||
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { | |||
if (!ssl->config) { | |||
return NULL; | |||
} | |||
if (ssl->ctx == ctx) { | |||
return ssl->ctx; | |||
if (ssl->ctx.get() == ctx) { | |||
return ssl->ctx.get(); | |||
} | |||
// One cannot change the X.509 callbacks during a connection. | |||
@@ -2350,18 +2334,16 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { | |||
} | |||
if (ctx == NULL) { | |||
ctx = ssl->session_ctx; | |||
ctx = ssl->session_ctx.get(); | |||
} | |||
Delete(ssl->config->cert); | |||
ssl->config->cert = ssl_cert_dup(ctx->cert).release(); | |||
SSL_CTX_up_ref(ctx); | |||
SSL_CTX_free(ssl->ctx); | |||
ssl->ctx = ctx; | |||
ssl->ctx = UpRef(ctx); | |||
ssl->enable_early_data = ssl->ctx->enable_early_data; | |||
return ssl->ctx; | |||
return ssl->ctx.get(); | |||
} | |||
void SSL_set_info_callback(SSL *ssl, | |||
@@ -478,7 +478,7 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL_HANDSHAKE *hs, CBB *out, | |||
// Initialize HMAC and cipher contexts. If callback present it does all the | |||
// work otherwise use generated values from parent ctx. | |||
SSL_CTX *tctx = hs->ssl->session_ctx; | |||
SSL_CTX *tctx = hs->ssl->session_ctx.get(); | |||
uint8_t iv[EVP_MAX_IV_LENGTH]; | |||
uint8_t key_name[16]; | |||
if (tctx->tlsext_ticket_key_cb != NULL) { | |||
@@ -696,13 +696,13 @@ static enum ssl_hs_wait_t ssl_lookup_session( | |||
// Add the externally cached session to the internal cache if necessary. | |||
if (!(ssl->session_ctx->session_cache_mode & | |||
SSL_SESS_CACHE_NO_INTERNAL_STORE)) { | |||
SSL_CTX_add_session(ssl->session_ctx, session.get()); | |||
SSL_CTX_add_session(ssl->session_ctx.get(), session.get()); | |||
} | |||
} | |||
if (session && !ssl_session_is_time_valid(ssl, session.get())) { | |||
// The session was from the cache, so remove it. | |||
SSL_CTX_remove_session(ssl->session_ctx, session.get()); | |||
SSL_CTX_remove_session(ssl->session_ctx.get(), session.get()); | |||
session.reset(); | |||
} | |||
@@ -788,15 +788,11 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *session, int lock) { | |||
} | |||
void ssl_set_session(SSL *ssl, SSL_SESSION *session) { | |||
if (ssl->session == session) { | |||
if (ssl->session.get() == session) { | |||
return; | |||
} | |||
SSL_SESSION_free(ssl->session); | |||
ssl->session = session; | |||
if (session != NULL) { | |||
SSL_SESSION_up_ref(session); | |||
} | |||
ssl->session = UpRef(session); | |||
} | |||
// locked by SSL_CTX in the calling function | |||
@@ -1070,7 +1066,7 @@ SSL_SESSION *SSL_get_session(const SSL *ssl) { | |||
if (hs->new_session) { | |||
return hs->new_session.get(); | |||
} | |||
return ssl->session; | |||
return ssl->session.get(); | |||
} | |||
SSL_SESSION *SSL_get1_session(SSL *ssl) { | |||
@@ -354,7 +354,7 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, | |||
return 0; | |||
} | |||
SSL_CTX *ssl_ctx = hs->ssl->ctx; | |||
SSL_CTX *ssl_ctx = hs->ssl->ctx.get(); | |||
X509_STORE *verify_store = ssl_ctx->cert_store; | |||
if (hs->config->cert->verify_store != NULL) { | |||
verify_store = hs->config->cert->verify_store; | |||
@@ -1074,7 +1074,7 @@ void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) { | |||
if (!ssl->config) { | |||
return; | |||
} | |||
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config); | |||
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get()); | |||
set_client_CA_list(&ssl->config->client_CA, name_list, ssl->ctx->pool); | |||
sk_X509_NAME_pop_free(name_list, X509_NAME_free); | |||
} | |||
@@ -1143,7 +1143,7 @@ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) { | |||
ssl->config->client_CA, | |||
(STACK_OF(X509_NAME) **)&ssl->config->cached_x509_client_CA); | |||
} | |||
return SSL_CTX_get_client_CA_list(ssl->ctx); | |||
return SSL_CTX_get_client_CA_list(ssl->ctx.get()); | |||
} | |||
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { | |||
@@ -1204,7 +1204,7 @@ int SSL_add_client_CA(SSL *ssl, X509 *x509) { | |||
return 0; | |||
} | |||
ssl_crypto_x509_ssl_flush_cached_client_CA(ssl->config); | |||
ssl_crypto_x509_ssl_flush_cached_client_CA(ssl->config.get()); | |||
return 1; | |||
} | |||
@@ -1224,7 +1224,7 @@ static int do_client_cert_cb(SSL *ssl, void *arg) { | |||
assert(ssl->config); | |||
return -1; | |||
} | |||
if (ssl_has_certificate(ssl->config) || | |||
if (ssl_has_certificate(ssl->config.get()) || | |||
ssl->ctx->client_cert_cb == NULL) { | |||
return 1; | |||
} | |||
@@ -606,7 +606,7 @@ static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { | |||
static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
SSL *const ssl = hs->ssl; | |||
if (ssl->tlsext_hostname == NULL) { | |||
if (ssl->tlsext_hostname == nullptr) { | |||
return true; | |||
} | |||
@@ -616,8 +616,8 @@ static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
!CBB_add_u16_length_prefixed(&contents, &server_name_list) || | |||
!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) || | |||
!CBB_add_u16_length_prefixed(&server_name_list, &name) || | |||
!CBB_add_bytes(&name, (const uint8_t *)ssl->tlsext_hostname, | |||
strlen(ssl->tlsext_hostname)) || | |||
!CBB_add_bytes(&name, (const uint8_t *)ssl->tlsext_hostname.get(), | |||
strlen(ssl->tlsext_hostname.get())) || | |||
!CBB_flush(out)) { | |||
return false; | |||
} | |||
@@ -950,10 +950,10 @@ static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
// over the state from the previous handshake, such as OpenSSL servers | |||
// without upstream's 3c3f0259238594d77264a78944d409f2127642c4. | |||
if (!ssl->s3->initial_handshake_complete && | |||
ssl->session != NULL && | |||
ssl->session != nullptr && | |||
!ssl->session->ticket.empty() && | |||
// Don't send TLS 1.3 session tickets in the ticket extension. | |||
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) { | |||
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) { | |||
ticket = ssl->session->ticket; | |||
} | |||
@@ -1866,20 +1866,20 @@ static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { | |||
static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL || | |||
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) { | |||
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr || | |||
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) { | |||
return 0; | |||
} | |||
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session)); | |||
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get())); | |||
return 15 + ssl->session->ticket.size() + binder_len; | |||
} | |||
static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
SSL *const ssl = hs->ssl; | |||
hs->needs_psk_binder = false; | |||
if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL || | |||
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) { | |||
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr || | |||
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) { | |||
return true; | |||
} | |||
@@ -1899,7 +1899,7 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
// Fill in a placeholder zero binder of the appropriate length. It will be | |||
// computed and filled in later after length prefixes are computed. | |||
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0}; | |||
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session)); | |||
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get())); | |||
CBB contents, identity, ticket, binders, binder; | |||
if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) || | |||
@@ -2066,8 +2066,8 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { | |||
SSL *const ssl = hs->ssl; | |||
if (!ssl->enable_early_data || | |||
// Session must be 0-RTT capable. | |||
ssl->session == NULL || | |||
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION || | |||
ssl->session == nullptr || | |||
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION || | |||
ssl->session->ticket_max_early_data == 0 || | |||
// The second ClientHello never offers early data. | |||
hs->received_hello_retry_request || | |||
@@ -3525,7 +3525,7 @@ static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys( | |||
SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len, const uint8_t *ticket, | |||
size_t ticket_len) { | |||
assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH); | |||
SSL_CTX *ctx = hs->ssl->session_ctx; | |||
SSL_CTX *ctx = hs->ssl->session_ctx.get(); | |||
// Rotate the ticket key if necessary. | |||
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { | |||
@@ -3626,7 +3626,7 @@ enum ssl_ticket_aead_result_t ssl_process_ticket( | |||
// Decode the session. | |||
UniquePtr<SSL_SESSION> session( | |||
SSL_SESSION_from_bytes(plaintext, plaintext_len, hs->ssl->ctx)); | |||
SSL_SESSION_from_bytes(plaintext, plaintext_len, hs->ssl->ctx.get())); | |||
OPENSSL_free(plaintext); | |||
if (!session) { | |||
@@ -773,11 +773,12 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session, | |||
SettingsWriter *writer) { | |||
int ret; | |||
SSL *ssl = ssl_uniqueptr->get(); | |||
SSL_CTX *session_ctx = ssl->ctx; | |||
SSL_CTX *session_ctx = SSL_get_SSL_CTX(ssl); | |||
if (!config->implicit_handshake) { | |||
if (config->handoff) { | |||
bssl::UniquePtr<SSL_CTX> ctx_handoff = config->SetupCtx(ssl->ctx); | |||
bssl::UniquePtr<SSL_CTX> ctx_handoff = | |||
config->SetupCtx(SSL_get_SSL_CTX(ssl)); | |||
if (!ctx_handoff) { | |||
return false; | |||
} | |||
@@ -853,7 +854,8 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session, | |||
return false; | |||
} | |||
bssl::UniquePtr<SSL_CTX> ctx_handback = config->SetupCtx(ssl->ctx); | |||
bssl::UniquePtr<SSL_CTX> ctx_handback = | |||
config->SetupCtx(SSL_get_SSL_CTX(ssl)); | |||
if (!ctx_handback) { | |||
return false; | |||
} | |||
@@ -891,7 +893,7 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session, | |||
return false; | |||
} | |||
CopySessions(session_ctx, ssl->ctx); | |||
CopySessions(session_ctx, SSL_get_SSL_CTX(ssl)); | |||
if (is_resume && !is_retry && !config->is_server && | |||
config->expect_no_offer_early_data && SSL_in_early_data(ssl)) { | |||
@@ -328,7 +328,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
if (!ssl_session_is_context_valid(hs, ssl->session)) { | |||
if (!ssl_session_is_context_valid(hs, ssl->session.get())) { | |||
// This is actually a client application bug. | |||
OPENSSL_PUT_ERROR(SSL, | |||
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); | |||
@@ -338,7 +338,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
ssl->s3->session_reused = true; | |||
// Only authentication information carries over in TLS 1.3. | |||
hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY); | |||
hs->new_session = | |||
SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY); | |||
if (!hs->new_session) { | |||
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
@@ -60,7 +60,7 @@ int tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk, | |||
int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk, | |||
size_t psk_len) { | |||
SSL *const ssl = hs->ssl; | |||
return init_key_schedule(hs, ssl_session_protocol_version(ssl->session), | |||
return init_key_schedule(hs, ssl_session_protocol_version(ssl->session.get()), | |||
ssl->session->cipher) && | |||
HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk, | |||
psk_len, hs->secret, hs->hash_len); | |||
@@ -413,7 +413,7 @@ static int tls13_psk_binder(uint8_t *out, uint16_t version, | |||
int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) { | |||
SSL *const ssl = hs->ssl; | |||
const EVP_MD *digest = ssl_session_get_digest(ssl->session); | |||
const EVP_MD *digest = ssl_session_get_digest(ssl->session.get()); | |||
size_t hash_len = EVP_MD_size(digest); | |||
if (len < hash_len + 3) { | |||