A bunch more scopers. Change-Id: I5c8dbfec4a404d8d1501725a90b383eb3e05c664 Reviewed-on: https://boringssl-review.googlesource.com/29591 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/d1_srtp.cc b/ssl/d1_srtp.cc index 69b693c..96d7d51 100644 --- a/ssl/d1_srtp.cc +++ b/ssl/d1_srtp.cc
@@ -158,8 +158,9 @@ return 0; } -static int ssl_ctx_make_profiles(const char *profiles_string, - STACK_OF(SRTP_PROTECTION_PROFILE) **out) { +static int ssl_ctx_make_profiles( + const char *profiles_string, + UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> *out) { UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> profiles( sk_SRTP_PROTECTION_PROFILE_new_null()); if (profiles == nullptr) { @@ -188,8 +189,7 @@ } } while (col); - sk_SRTP_PROTECTION_PROFILE_free(*out); - *out = profiles.release(); + *out = std::move(profiles); return 1; } @@ -212,8 +212,9 @@ return nullptr; } - return ssl->config->srtp_profiles != nullptr ? ssl->config->srtp_profiles - : ssl->ctx->srtp_profiles; + return ssl->config->srtp_profiles != nullptr + ? ssl->config->srtp_profiles.get() + : ssl->ctx->srtp_profiles.get(); } const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *ssl) {
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc index a0674d1..4b6749f 100644 --- a/ssl/handshake_server.cc +++ b/ssl/handshake_server.cc
@@ -535,8 +535,9 @@ // Negotiate the cipher suite. This must be done after |cert_cb| so the // certificate is finalized. - SSLCipherPreferenceList *prefs = - hs->config->cipher_list ? hs->config->cipher_list : ssl->ctx->cipher_list; + SSLCipherPreferenceList *prefs = hs->config->cipher_list + ? hs->config->cipher_list.get() + : ssl->ctx->cipher_list.get(); hs->new_cipher = ssl3_choose_cipher(hs, &client_hello, prefs); if (hs->new_cipher == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); @@ -788,11 +789,12 @@ // PSK ciphers begin with an identity hint. if (alg_a & SSL_aPSK) { - size_t len = (hs->config->psk_identity_hint == NULL) + size_t len = hs->config->psk_identity_hint == nullptr ? 0 - : strlen(hs->config->psk_identity_hint); + : strlen(hs->config->psk_identity_hint.get()); if (!CBB_add_u16_length_prefixed(cbb.get(), &child) || - !CBB_add_bytes(&child, (const uint8_t *)hs->config->psk_identity_hint, + !CBB_add_bytes(&child, + (const uint8_t *)hs->config->psk_identity_hint.get(), len)) { return ssl_hs_error; }
diff --git a/ssl/internal.h b/ssl/internal.h index 279b332..d71ea57 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -524,7 +524,7 @@ // true on success and false on failure. If |strict| is true, nonsense will be // rejected. If false, nonsense will be silently ignored. An empty result is // considered an error regardless of |strict|. -bool ssl_create_cipher_list(SSLCipherPreferenceList **out_cipher_list, +bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list, const char *rule_str, bool strict); // ssl_cipher_get_value returns the cipher suite id of |cipher|. @@ -2417,11 +2417,11 @@ X509_VERIFY_PARAM *param = nullptr; // crypto - SSLCipherPreferenceList *cipher_list = nullptr; + UniquePtr<SSLCipherPreferenceList> cipher_list; // This is used to hold the local certificate used (i.e. the server // certificate for a server or the client certificate for a client). - CERT *cert = nullptr; + UniquePtr<CERT> cert; int (*verify_callback)(int ok, X509_STORE_CTX *ctx) = @@ -2431,47 +2431,40 @@ SSL *ssl, uint8_t *out_alert) = nullptr; // Server-only: psk_identity_hint is the identity hint to send in // PSK-based key exchanges. - char *psk_identity_hint = nullptr; + UniquePtr<char> psk_identity_hint; - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, - unsigned int max_identity_len, - uint8_t *psk, - unsigned int max_psk_len) = nullptr; - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - uint8_t *psk, - unsigned int max_psk_len) = nullptr; + unsigned (*psk_client_callback)(SSL *ssl, const char *hint, char *identity, + unsigned max_identity_len, uint8_t *psk, + unsigned max_psk_len) = nullptr; + unsigned (*psk_server_callback)(SSL *ssl, const char *identity, uint8_t *psk, + unsigned max_psk_len) = nullptr; // for server side, keep the list of CA_dn we can use - STACK_OF(CRYPTO_BUFFER) *client_CA = nullptr; + UniquePtr<STACK_OF(CRYPTO_BUFFER)> client_CA; // cached_x509_client_CA is a cache of parsed versions of the elements of // |client_CA|. STACK_OF(X509_NAME) *cached_x509_client_CA = nullptr; uint16_t dummy_pq_padding_len = 0; - size_t supported_group_list_len = 0; - uint16_t *supported_group_list = nullptr; // our list + Array<uint16_t> supported_group_list; // our list // The client's Channel ID private key. - EVP_PKEY *tlsext_channel_id_private = nullptr; + UniquePtr<EVP_PKEY> tlsext_channel_id_private; // For a client, this contains the list of supported protocols in wire // format. - uint8_t *alpn_client_proto_list = nullptr; - unsigned alpn_client_proto_list_len = 0; + Array<uint8_t> alpn_client_proto_list; // Contains a list of supported Token Binding key parameters. - uint8_t *token_binding_params = nullptr; - size_t token_binding_params_len = 0; + Array<uint8_t> token_binding_params; // Contains the QUIC transport params that this endpoint will send. - uint8_t *quic_transport_params = nullptr; - size_t quic_transport_params_len = 0; + Array<uint8_t> quic_transport_params; // srtp_profiles is the list of configured SRTP protection profiles for // DTLS-SRTP. - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles = nullptr; + UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> srtp_profiles; // verify_mode is a bitmask of |SSL_VERIFY_*| values. uint8_t verify_mode = SSL_VERIFY_NONE; @@ -2712,19 +2705,16 @@ // found, it returns zero. int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id); -// tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| -// into a newly allocated array of TLS group IDs. On success, the function -// returns one and writes the array to |*out_group_ids| and its size to -// |*out_group_ids_len|. Otherwise, it returns zero. -int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len, - const int *curves, size_t ncurves); +// tls1_set_curves converts the array of NIDs in |curves| into a newly allocated +// array of TLS group IDs. On success, the function returns true and writes the +// array to |*out_group_ids|. Otherwise, it returns false. +bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves); // tls1_set_curves_list converts the string of curves pointed to by |curves| // into a newly allocated array of TLS group IDs. On success, the function -// returns one and writes the array to |*out_group_ids| and its size to -// |*out_group_ids_len|. Otherwise, it returns zero. -int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len, - const char *curves); +// returns true and writes the array to |*out_group_ids|. Otherwise, it returns +// false. +bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves); // ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It // returns one on success and zero on failure. The |header_len| argument is the @@ -2840,7 +2830,7 @@ // configuration. tls13_variant_t tls13_variant = tls13_default; - bssl::SSLCipherPreferenceList *cipher_list = nullptr; + bssl::UniquePtr<bssl::SSLCipherPreferenceList> cipher_list; X509_STORE *cert_store = nullptr; LHASH_OF(SSL_SESSION) *sessions = nullptr; @@ -2914,7 +2904,7 @@ void (*info_callback)(const SSL *ssl, int type, int value) = nullptr; // what we put in client cert requests - STACK_OF(CRYPTO_BUFFER) *client_CA = nullptr; + bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> client_CA; // cached_x509_client_CA is a cache of parsed versions of the elements of // |client_CA|. @@ -2930,7 +2920,7 @@ uint32_t mode = SSL_MODE_NO_AUTO_CHAIN; uint32_t max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; - bssl::CERT *cert = nullptr; + bssl::UniquePtr<bssl::CERT> cert; // callback that allows applications to peek at protocol messages void (*msg_callback)(int write_p, int version, int content_type, @@ -2976,7 +2966,7 @@ // Server-only: psk_identity_hint is the default identity hint to send in // PSK-based key exchanges. - char *psk_identity_hint = nullptr; + bssl::UniquePtr<char> psk_identity_hint; unsigned (*psk_client_callback)(SSL *ssl, const char *hint, char *identity, unsigned max_identity_len, uint8_t *psk, @@ -3018,21 +3008,19 @@ // For a client, this contains the list of supported protocols in wire // format. - uint8_t *alpn_client_proto_list = nullptr; - unsigned alpn_client_proto_list_len = 0; + bssl::Array<uint8_t> alpn_client_proto_list; // SRTP profiles we are willing to do from RFC 5764 - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles = nullptr; + bssl::UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> srtp_profiles; // Defined compression algorithms for certificates. STACK_OF(CertCompressionAlg) *cert_compression_algs = nullptr; // Supported group values inherited by SSL structure - size_t supported_group_list_len = 0; - uint16_t *supported_group_list = nullptr; + bssl::Array<uint16_t> supported_group_list; // The client's Channel ID private key. - EVP_PKEY *tlsext_channel_id_private = nullptr; + bssl::UniquePtr<EVP_PKEY> tlsext_channel_id_private; // keylog_callback, if not NULL, is the key logging callback. See // |SSL_CTX_set_keylog_callback|. @@ -3058,8 +3046,7 @@ // verify_sigalgs, if not empty, is the set of signature algorithms // accepted from the peer in decreasing order of preference. - uint16_t *verify_sigalgs = nullptr; - size_t num_verify_sigalgs = 0; + bssl::Array<uint16_t> verify_sigalgs; // retain_only_sha256_of_client_certs is true if we should compute the SHA256 // hash of the peer's certificate and then discard it to save memory and
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc index 421b30a..4842974 100644 --- a/ssl/ssl_cert.cc +++ b/ssl/ssl_cert.cc
@@ -656,11 +656,11 @@ } bool ssl_has_client_CAs(const SSL_CONFIG *cfg) { - STACK_OF(CRYPTO_BUFFER) *names = cfg->client_CA; - if (names == NULL) { - names = cfg->ssl->ctx->client_CA; + const STACK_OF(CRYPTO_BUFFER) *names = cfg->client_CA.get(); + if (names == nullptr) { + names = cfg->ssl->ctx->client_CA.get(); } - if (names == NULL) { + if (names == nullptr) { return false; } return sk_CRYPTO_BUFFER_num(names) > 0; @@ -672,9 +672,9 @@ return 0; } - STACK_OF(CRYPTO_BUFFER) *names = hs->config->client_CA; + const STACK_OF(CRYPTO_BUFFER) *names = hs->config->client_CA.get(); if (names == NULL) { - names = hs->ssl->ctx->client_CA; + names = hs->ssl->ctx->client_CA.get(); } if (names == NULL) { return CBB_flush(cbb); @@ -760,14 +760,14 @@ if (!ssl->config) { return 0; } - return cert_set_chain_and_key(ssl->config->cert, certs, num_certs, privkey, - privkey_method); + return cert_set_chain_and_key(ssl->config->cert.get(), certs, num_certs, + privkey, privkey_method); } int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) { - return cert_set_chain_and_key(ctx->cert, certs, num_certs, privkey, + return cert_set_chain_and_key(ctx->cert.get(), certs, num_certs, privkey, privkey_method); } @@ -778,7 +778,7 @@ return 0; } - return ssl_set_cert(ctx->cert, std::move(buffer)); + return ssl_set_cert(ctx->cert.get(), std::move(buffer)); } int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) { @@ -787,19 +787,19 @@ return 0; } - return ssl_set_cert(ssl->config->cert, std::move(buffer)); + return ssl_set_cert(ssl->config->cert.get(), std::move(buffer)); } void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg), void *arg) { - ssl_cert_set_cert_cb(ctx->cert, cb, arg); + ssl_cert_set_cert_cb(ctx->cert.get(), cb, arg); } void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) { if (!ssl->config) { return; } - ssl_cert_set_cert_cb(ssl->config->cert, cb, arg); + ssl_cert_set_cert_cb(ssl->config->cert.get(), cb, arg); } const STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) { @@ -834,7 +834,7 @@ int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list, size_t list_len) { - return set_signed_cert_timestamp_list(ctx->cert, list, list_len); + return set_signed_cert_timestamp_list(ctx->cert.get(), list, list_len); } int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list, @@ -842,7 +842,8 @@ if (!ssl->config) { return 0; } - return set_signed_cert_timestamp_list(ssl->config->cert, list, list_len); + return set_signed_cert_timestamp_list(ssl->config->cert.get(), list, + list_len); } int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response, @@ -864,8 +865,7 @@ void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) { ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx); - sk_CRYPTO_BUFFER_pop_free(ctx->client_CA, CRYPTO_BUFFER_free); - ctx->client_CA = name_list; + ctx->client_CA.reset(name_list); } void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) { @@ -873,6 +873,5 @@ return; } ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get()); - sk_CRYPTO_BUFFER_pop_free(ssl->config->client_CA, CRYPTO_BUFFER_free); - ssl->config->client_CA = name_list; + ssl->config->client_CA.reset(name_list); }
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc index 42be591..02380c1 100644 --- a/ssl/ssl_cipher.cc +++ b/ssl/ssl_cipher.cc
@@ -1137,7 +1137,7 @@ return true; } -bool ssl_create_cipher_list(SSLCipherPreferenceList **out_cipher_list, +bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list, const char *rule_str, bool strict) { // Return with error if nothing to do. if (rule_str == NULL || out_cipher_list == NULL) { @@ -1255,10 +1255,7 @@ return false; } - if (*out_cipher_list) { - Delete(*out_cipher_list); - } - *out_cipher_list = pref_list.release(); + *out_cipher_list = std::move(pref_list); // Configuring an empty cipher list is an error but still updates the // output.
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index 13e6267..39c5d92 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc
@@ -562,22 +562,13 @@ CRYPTO_MUTEX_cleanup(&lock); lh_SSL_SESSION_free(sessions); - Delete(cipher_list); - Delete(cert); sk_SSL_CUSTOM_EXTENSION_pop_free(client_custom_extensions, SSL_CUSTOM_EXTENSION_free); sk_SSL_CUSTOM_EXTENSION_pop_free(server_custom_extensions, SSL_CUSTOM_EXTENSION_free); - sk_CRYPTO_BUFFER_pop_free(client_CA, CRYPTO_BUFFER_free); x509_method->ssl_ctx_free(this); - sk_SRTP_PROTECTION_PROFILE_free(srtp_profiles); sk_CertCompressionAlg_pop_free(cert_compression_algs, Delete<CertCompressionAlg>); - OPENSSL_free(psk_identity_hint); - OPENSSL_free(supported_group_list); - OPENSSL_free(alpn_client_proto_list); - EVP_PKEY_free(tlsext_channel_id_private); - OPENSSL_free(verify_sigalgs); OPENSSL_free(tlsext_ticket_key_current); OPENSSL_free(tlsext_ticket_key_prev); } @@ -593,9 +584,9 @@ return nullptr; } - ret->cert = New<CERT>(method->x509_method); + ret->cert = MakeUnique<CERT>(method->x509_method); ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); - ret->client_CA = sk_CRYPTO_BUFFER_new_null(); + ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null()); if (ret->cert == nullptr || ret->sessions == nullptr || ret->client_CA == nullptr || @@ -675,8 +666,8 @@ ssl->config->conf_min_version = ctx->conf_min_version; ssl->config->conf_max_version = ctx->conf_max_version; - ssl->config->cert = ssl_cert_dup(ctx->cert).release(); - if (ssl->config->cert == NULL) { + ssl->config->cert = ssl_cert_dup(ctx->cert.get()); + if (ssl->config->cert == nullptr) { return nullptr; } @@ -686,27 +677,16 @@ ssl->config->retain_only_sha256_of_client_certs = ctx->retain_only_sha256_of_client_certs; - if (ctx->supported_group_list) { - ssl->config->supported_group_list = (uint16_t *)BUF_memdup( - ctx->supported_group_list, ctx->supported_group_list_len * 2); - if (!ssl->config->supported_group_list) { - return nullptr; - } - ssl->config->supported_group_list_len = ctx->supported_group_list_len; - } - - if (ctx->alpn_client_proto_list) { - ssl->config->alpn_client_proto_list = (uint8_t *)BUF_memdup( - ctx->alpn_client_proto_list, ctx->alpn_client_proto_list_len); - if (ssl->config->alpn_client_proto_list == NULL) { - return nullptr; - } - ssl->config->alpn_client_proto_list_len = ctx->alpn_client_proto_list_len; + if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) || + !ssl->config->alpn_client_proto_list.CopyFrom( + ctx->alpn_client_proto_list)) { + return nullptr; } if (ctx->psk_identity_hint) { - ssl->config->psk_identity_hint = BUF_strdup(ctx->psk_identity_hint); - if (ssl->config->psk_identity_hint == NULL) { + ssl->config->psk_identity_hint.reset( + BUF_strdup(ctx->psk_identity_hint.get())); + if (ssl->config->psk_identity_hint == nullptr) { return nullptr; } } @@ -714,10 +694,8 @@ ssl->config->psk_server_callback = ctx->psk_server_callback; ssl->config->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled; - if (ctx->tlsext_channel_id_private) { - EVP_PKEY_up_ref(ctx->tlsext_channel_id_private); - ssl->config->tlsext_channel_id_private = ctx->tlsext_channel_id_private; - } + ssl->config->tlsext_channel_id_private = + UpRef(ctx->tlsext_channel_id_private); ssl->config->signed_cert_timestamps_enabled = ctx->signed_cert_timestamps_enabled; @@ -747,16 +725,6 @@ if (ssl->ctx != nullptr) { ssl->ctx->x509_method->ssl_config_free(this); } - Delete(cipher_list); - Delete(cert); - OPENSSL_free(psk_identity_hint); - OPENSSL_free(supported_group_list); - EVP_PKEY_free(tlsext_channel_id_private); - OPENSSL_free(alpn_client_proto_list); - OPENSSL_free(token_binding_params); - OPENSSL_free(quic_transport_params); - sk_SRTP_PROTECTION_PROFILE_free(srtp_profiles); - sk_CRYPTO_BUFFER_pop_free(client_CA, CRYPTO_BUFFER_free); } void SSL_free(SSL *ssl) { @@ -1126,16 +1094,8 @@ int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, size_t params_len) { - if (!ssl->config) { - return 0; - } - ssl->config->quic_transport_params = - (uint8_t *)BUF_memdup(params, params_len); - if (!ssl->config->quic_transport_params) { - return 0; - } - ssl->config->quic_transport_params_len = params_len; - return 1; + return ssl->config && ssl->config->quic_transport_params.CopyFrom( + MakeConstSpan(params, params_len)); } void SSL_get_peer_quic_transport_params(const SSL *ssl, @@ -1399,7 +1359,7 @@ int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx, size_t sid_ctx_len) { - return set_session_id_context(ctx->cert, sid_ctx, sid_ctx_len); + return set_session_id_context(ctx->cert.get(), sid_ctx, sid_ctx_len); } int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, @@ -1407,7 +1367,7 @@ if (!ssl->config) { return 0; } - return set_session_id_context(ssl->config->cert, sid_ctx, sid_ctx_len); + return set_session_id_context(ssl->config->cert.get(), sid_ctx, sid_ctx_len); } const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) { @@ -1424,7 +1384,7 @@ if (!ssl->config) { return; } - ssl_cert_clear_certs(ssl->config->cert); + ssl_cert_clear_certs(ssl->config->cert.get()); } int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); } @@ -1579,17 +1539,16 @@ return static_cast<int>(ssl->s3->pending_app_data.size()); } -// Fix this so it checks all the valid key/cert options int SSL_CTX_check_private_key(const SSL_CTX *ctx) { - return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey.get()); + return ssl_cert_check_private_key(ctx->cert.get(), + ctx->cert->privatekey.get()); } -// Fix this function so that it takes an optional type parameter int SSL_check_private_key(const SSL *ssl) { if (!ssl->config) { return 0; } - return ssl_cert_check_private_key(ssl->config->cert, + return ssl_cert_check_private_key(ssl->config->cert.get(), ssl->config->cert->privatekey.get()); } @@ -1759,8 +1718,7 @@ int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t curves_len) { return tls1_set_curves(&ctx->supported_group_list, - &ctx->supported_group_list_len, curves, - curves_len); + MakeConstSpan(curves, curves_len)); } int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) { @@ -1768,21 +1726,18 @@ return 0; } return tls1_set_curves(&ssl->config->supported_group_list, - &ssl->config->supported_group_list_len, curves, - curves_len); + MakeConstSpan(curves, curves_len)); } int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) { - return tls1_set_curves_list(&ctx->supported_group_list, - &ctx->supported_group_list_len, curves); + return tls1_set_curves_list(&ctx->supported_group_list, curves); } int SSL_set1_curves_list(SSL *ssl, const char *curves) { if (!ssl->config) { return 0; } - return tls1_set_curves_list(&ssl->config->supported_group_list, - &ssl->config->supported_group_list_len, curves); + return tls1_set_curves_list(&ssl->config->supported_group_list, curves); } uint16_t SSL_get_curve_id(const SSL *ssl) { @@ -2043,29 +1998,21 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos, unsigned protos_len) { - OPENSSL_free(ctx->alpn_client_proto_list); - ctx->alpn_client_proto_list = (uint8_t *)BUF_memdup(protos, protos_len); - if (!ctx->alpn_client_proto_list) { - return 1; - } - ctx->alpn_client_proto_list_len = protos_len; - - return 0; + // Note this function's calling convention is backwards. + return ctx->alpn_client_proto_list.CopyFrom(MakeConstSpan(protos, protos_len)) + ? 0 + : 1; } int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) { + // Note this function's calling convention is backwards. if (!ssl->config) { - return 0; - } - OPENSSL_free(ssl->config->alpn_client_proto_list); - ssl->config->alpn_client_proto_list = - (uint8_t *)BUF_memdup(protos, protos_len); - if (!ssl->config->alpn_client_proto_list) { return 1; } - ssl->config->alpn_client_proto_list_len = protos_len; - - return 0; + return ssl->config->alpn_client_proto_list.CopyFrom( + MakeConstSpan(protos, protos_len)) + ? 0 + : 1; } void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, @@ -2171,9 +2118,7 @@ return 0; } - EVP_PKEY_free(ctx->tlsext_channel_id_private); - EVP_PKEY_up_ref(private_key); - ctx->tlsext_channel_id_private = private_key; + ctx->tlsext_channel_id_private = UpRef(private_key); ctx->tlsext_channel_id_enabled = true; return 1; @@ -2188,9 +2133,7 @@ return 0; } - EVP_PKEY_free(ssl->config->tlsext_channel_id_private); - EVP_PKEY_up_ref(private_key); - ssl->config->tlsext_channel_id_private = private_key; + ssl->config->tlsext_channel_id_private = UpRef(private_key); ssl->config->tlsext_channel_id_enabled = true; return 1; @@ -2213,13 +2156,7 @@ OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); return 0; } - OPENSSL_free(ssl->config->token_binding_params); - ssl->config->token_binding_params = (uint8_t *)BUF_memdup(params, len); - if (!ssl->config->token_binding_params) { - return 0; - } - ssl->config->token_binding_params_len = len; - return 1; + return ssl->config->token_binding_params.CopyFrom(MakeConstSpan(params, len)); } int SSL_is_token_binding_negotiated(const SSL *ssl) { @@ -2337,9 +2274,12 @@ ctx = ssl->session_ctx.get(); } - Delete(ssl->config->cert); - ssl->config->cert = ssl_cert_dup(ctx->cert).release(); + UniquePtr<CERT> new_cert = ssl_cert_dup(ctx->cert.get()); + if (!new_cert) { + return nullptr; + } + ssl->config->cert = std::move(new_cert); ssl->ctx = UpRef(ctx); ssl->enable_early_data = ssl->ctx->enable_early_data; @@ -2423,23 +2363,23 @@ void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export, int keylength)) {} -static int use_psk_identity_hint(char **out, const char *identity_hint) { +static int use_psk_identity_hint(UniquePtr<char> *out, + const char *identity_hint) { if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); return 0; } // Clear currently configured hint, if any. - OPENSSL_free(*out); - *out = NULL; + out->reset(); // Treat the empty hint as not supplying one. Plain PSK makes it possible to // send either no hint (omit ServerKeyExchange) or an empty hint, while // ECDHE_PSK can only spell empty hint. Having different capabilities is odd, // so we interpret empty and missing as identical. if (identity_hint != NULL && identity_hint[0] != '\0') { - *out = BUF_strdup(identity_hint); - if (*out == NULL) { + out->reset(BUF_strdup(identity_hint)); + if (*out == nullptr) { return 0; } } @@ -2466,7 +2406,7 @@ assert(ssl->config); return NULL; } - return ssl->config->psk_identity_hint; + return ssl->config->psk_identity_hint.get(); } const char *SSL_get_psk_identity(const SSL *ssl) {
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc index d41ea5d..f5c387b 100644 --- a/ssl/ssl_privkey.cc +++ b/ssl/ssl_privkey.cc
@@ -304,7 +304,7 @@ return 0; } - return ssl_set_pkey(ssl->config->cert, pkey.get()); + return ssl_set_pkey(ssl->config->cert.get(), pkey.get()); } int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) { @@ -323,7 +323,7 @@ return 0; } - return ssl_set_pkey(ssl->config->cert, pkey); + return ssl_set_pkey(ssl->config->cert.get(), pkey); } int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der, @@ -356,7 +356,7 @@ return 0; } - return ssl_set_pkey(ctx->cert, pkey.get()); + return ssl_set_pkey(ctx->cert.get(), pkey.get()); } int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der, @@ -376,7 +376,7 @@ return 0; } - return ssl_set_pkey(ctx->cert, pkey); + return ssl_set_pkey(ctx->cert.get(), pkey); } int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der, @@ -461,21 +461,6 @@ return alg != nullptr && alg->is_rsa_pss; } -static int set_algorithm_prefs(uint16_t **out_prefs, size_t *out_num_prefs, - const uint16_t *prefs, size_t num_prefs) { - OPENSSL_free(*out_prefs); - - *out_num_prefs = 0; - *out_prefs = (uint16_t *)BUF_memdup(prefs, num_prefs * sizeof(prefs[0])); - if (*out_prefs == NULL) { - OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); - return 0; - } - *out_num_prefs = num_prefs; - - return 1; -} - int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, size_t num_prefs) { return ctx->cert->sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs)); @@ -491,6 +476,5 @@ int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, size_t num_prefs) { - return set_algorithm_prefs(&ctx->verify_sigalgs, &ctx->num_verify_sigalgs, - prefs, num_prefs); + return ctx->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs)); }
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index 6b4732c..3bf93d9 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc
@@ -493,7 +493,7 @@ ASSERT_TRUE(ctx); ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule)); - ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len); + ASSERT_EQ(t.expected.size(), ctx->supported_group_list.size()); for (size_t i = 0; i < t.expected.size(); i++) { EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]); }
diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc index aabf2a0..8f4e53b 100644 --- a/ssl/ssl_x509.cc +++ b/ssl/ssl_x509.cc
@@ -460,11 +460,11 @@ // Remove the leaf from the generated chain. X509_free(sk_X509_shift(ctx->chain)); - if (!ssl_cert_set_chain(hs->config->cert, ctx->chain)) { + if (!ssl_cert_set_chain(hs->config->cert.get(), ctx->chain)) { return 0; } - ssl_crypto_x509_cert_flush_cached_chain(hs->config->cert); + ssl_crypto_x509_cert_flush_cached_chain(hs->config->cert.get()); return 1; } @@ -755,12 +755,12 @@ if (!ssl->config) { return 0; } - return ssl_use_certificate(ssl->config->cert, x); + return ssl_use_certificate(ssl->config->cert.get(), x); } int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) { check_ssl_ctx_x509_method(ctx); - return ssl_use_certificate(ctx->cert, x); + return ssl_use_certificate(ctx->cert.get(), x); } // ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the @@ -797,13 +797,13 @@ assert(ssl->config); return 0; } - return ssl_cert_get0_leaf(ssl->config->cert); + return ssl_cert_get0_leaf(ssl->config->cert.get()); } X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) { check_ssl_ctx_x509_method(ctx); MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock)); - return ssl_cert_get0_leaf(ctx->cert); + return ssl_cert_get0_leaf(ctx->cert.get()); } static int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) { @@ -869,12 +869,12 @@ int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { check_ssl_ctx_x509_method(ctx); - return ssl_cert_set0_chain(ctx->cert, chain); + return ssl_cert_set0_chain(ctx->cert.get(), chain); } int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { check_ssl_ctx_x509_method(ctx); - return ssl_cert_set1_chain(ctx->cert, chain); + return ssl_cert_set1_chain(ctx->cert.get(), chain); } int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) { @@ -882,7 +882,7 @@ if (!ssl->config) { return 0; } - return ssl_cert_set0_chain(ssl->config->cert, chain); + return ssl_cert_set0_chain(ssl->config->cert.get(), chain); } int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) { @@ -890,17 +890,17 @@ if (!ssl->config) { return 0; } - return ssl_cert_set1_chain(ssl->config->cert, chain); + return ssl_cert_set1_chain(ssl->config->cert.get(), chain); } int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) { check_ssl_ctx_x509_method(ctx); - return ssl_cert_add0_chain_cert(ctx->cert, x509); + return ssl_cert_add0_chain_cert(ctx->cert.get(), x509); } int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) { check_ssl_ctx_x509_method(ctx); - return ssl_cert_add1_chain_cert(ctx->cert, x509); + return ssl_cert_add1_chain_cert(ctx->cert.get(), x509); } int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) { @@ -913,7 +913,7 @@ if (!ssl->config) { return 0; } - return ssl_cert_add0_chain_cert(ssl->config->cert, x509); + return ssl_cert_add0_chain_cert(ssl->config->cert.get(), x509); } int SSL_add1_chain_cert(SSL *ssl, X509 *x509) { @@ -921,7 +921,7 @@ if (!ssl->config) { return 0; } - return ssl_cert_add1_chain_cert(ssl->config->cert, x509); + return ssl_cert_add1_chain_cert(ssl->config->cert.get(), x509); } int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) { @@ -971,7 +971,7 @@ int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) { check_ssl_ctx_x509_method(ctx); MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock)); - if (!ssl_cert_cache_chain_certs(ctx->cert)) { + if (!ssl_cert_cache_chain_certs(ctx->cert.get())) { *out_chain = NULL; return 0; } @@ -991,7 +991,7 @@ assert(ssl->config); return 0; } - if (!ssl_cert_cache_chain_certs(ssl->config->cert)) { + if (!ssl_cert_cache_chain_certs(ssl->config->cert.get())) { *out_chain = NULL; return 0; } @@ -1042,7 +1042,7 @@ return sk_X509_NAME_deep_copy(list, X509_NAME_dup, X509_NAME_free); } -static void set_client_CA_list(STACK_OF(CRYPTO_BUFFER) **ca_list, +static void set_client_CA_list(UniquePtr<STACK_OF(CRYPTO_BUFFER)> *ca_list, const STACK_OF(X509_NAME) *name_list, CRYPTO_BUFFER_POOL *pool) { UniquePtr<STACK_OF(CRYPTO_BUFFER)> buffers(sk_CRYPTO_BUFFER_new_null()); @@ -1065,8 +1065,7 @@ } } - sk_CRYPTO_BUFFER_pop_free(*ca_list, CRYPTO_BUFFER_free); - *ca_list = buffers.release(); + *ca_list = std::move(buffers); } void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) { @@ -1140,7 +1139,7 @@ if (ssl->config->client_CA != NULL) { return buffer_names_to_x509( - ssl->config->client_CA, + ssl->config->client_CA.get(), (STACK_OF(X509_NAME) **)&ssl->config->cached_x509_client_CA); } return SSL_CTX_get_client_CA_list(ssl->ctx.get()); @@ -1152,11 +1151,11 @@ // so it needs to lock around updating |cached_x509_client_CA|. MutexWriteLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock)); return buffer_names_to_x509( - ctx->client_CA, + ctx->client_CA.get(), const_cast<STACK_OF(X509_NAME) **>(&ctx->cached_x509_client_CA)); } -static int add_client_CA(STACK_OF(CRYPTO_BUFFER) **names, X509 *x509, +static int add_client_CA(UniquePtr<STACK_OF(CRYPTO_BUFFER)> *names, X509 *x509, CRYPTO_BUFFER_POOL *pool) { if (x509 == NULL) { return 0; @@ -1175,8 +1174,8 @@ } int alloced = 0; - if (*names == NULL) { - *names = sk_CRYPTO_BUFFER_new_null(); + if (*names == nullptr) { + names->reset(sk_CRYPTO_BUFFER_new_null()); alloced = 1; if (*names == NULL) { @@ -1184,10 +1183,9 @@ } } - if (!PushToStack(*names, std::move(buffer))) { + if (!PushToStack(names->get(), std::move(buffer))) { if (alloced) { - sk_CRYPTO_BUFFER_pop_free(*names, CRYPTO_BUFFER_free); - *names = NULL; + names->reset(); } return 0; }
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc index dfabbae..e0e7504 100644 --- a/ssl/t1_lib.cc +++ b/ssl/t1_lib.cc
@@ -293,9 +293,8 @@ }; Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) { - if (hs->config->supported_group_list != nullptr) { - return MakeConstSpan(hs->config->supported_group_list, - hs->config->supported_group_list_len); + if (!hs->config->supported_group_list.empty()) { + return hs->config->supported_group_list; } return Span<const uint16_t>(kDefaultGroups); } @@ -335,68 +334,55 @@ return 0; } -int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len, - const int *curves, size_t ncurves) { - uint16_t *group_ids = (uint16_t *)OPENSSL_malloc(ncurves * sizeof(uint16_t)); - if (group_ids == NULL) { - return 0; +bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) { + Array<uint16_t> group_ids; + if (!group_ids.Init(curves.size())) { + return false; } - for (size_t i = 0; i < ncurves; i++) { + for (size_t i = 0; i < curves.size(); i++) { if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) { - OPENSSL_free(group_ids); - return 0; + return false; } } - OPENSSL_free(*out_group_ids); - *out_group_ids = group_ids; - *out_group_ids_len = ncurves; - - return 1; + *out_group_ids = std::move(group_ids); + return true; } -int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len, - const char *curves) { - uint16_t *group_ids = NULL; - size_t ncurves = 0; - - const char *col; - const char *ptr = curves; - +bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) { + // Count the number of curves in the list. + size_t count = 0; + const char *ptr = curves, *col; do { col = strchr(ptr, ':'); - - uint16_t group_id; - if (!ssl_name_to_group_id(&group_id, ptr, - col ? (size_t)(col - ptr) : strlen(ptr))) { - goto err; - } - - uint16_t *new_group_ids = (uint16_t *)OPENSSL_realloc( - group_ids, (ncurves + 1) * sizeof(uint16_t)); - if (new_group_ids == NULL) { - goto err; - } - group_ids = new_group_ids; - - group_ids[ncurves] = group_id; - ncurves++; - + count++; if (col) { ptr = col + 1; } } while (col); - OPENSSL_free(*out_group_ids); - *out_group_ids = group_ids; - *out_group_ids_len = ncurves; + Array<uint16_t> group_ids; + if (!group_ids.Init(count)) { + return false; + } - return 1; + size_t i = 0; + ptr = curves; + do { + col = strchr(ptr, ':'); + if (!ssl_name_to_group_id(&group_ids[i++], ptr, + col ? (size_t)(col - ptr) : strlen(ptr))) { + return false; + } + if (col) { + ptr = col + 1; + } + } while (col); -err: - OPENSSL_free(group_ids); - return 0; + assert(i == count); + *out_group_ids = std::move(group_ids); + return true; } int tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) { @@ -506,9 +492,8 @@ static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl, bool for_certs) { SSLSignatureAlgorithmList ret; - if (ssl->ctx->num_verify_sigalgs != 0) { - ret.list = - MakeConstSpan(ssl->ctx->verify_sigalgs, ssl->ctx->num_verify_sigalgs); + if (!ssl->ctx->verify_sigalgs.empty()) { + ret.list = ssl->ctx->verify_sigalgs; } else { ret.list = kVerifySignatureAlgorithms; ret.skip_ed25519 = !ssl->ctx->ed25519_enabled; @@ -1393,7 +1378,7 @@ static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; - if (hs->config->alpn_client_proto_list == NULL || + if (hs->config->alpn_client_proto_list.empty() || ssl->s3->initial_handshake_complete) { return true; } @@ -1402,8 +1387,8 @@ if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) || !CBB_add_u16_length_prefixed(out, &contents) || !CBB_add_u16_length_prefixed(&contents, &proto_list) || - !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list, - hs->config->alpn_client_proto_list_len) || + !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(), + hs->config->alpn_client_proto_list.size()) || !CBB_flush(out)) { return false; } @@ -1419,7 +1404,7 @@ } assert(!ssl->s3->initial_handshake_complete); - assert(hs->config->alpn_client_proto_list != NULL); + assert(!hs->config->alpn_client_proto_list.empty()); if (hs->next_proto_neg_seen) { // NPN and ALPN may not be negotiated in the same connection. @@ -1456,7 +1441,7 @@ bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs, Span<const uint8_t> protocol) { - if (hs->config->alpn_client_proto_list == nullptr) { + if (hs->config->alpn_client_proto_list.empty()) { return false; } @@ -1465,9 +1450,9 @@ } // Check that the protocol name is one of the ones we advertised. - CBS client_protocol_name_list, client_protocol_name; - CBS_init(&client_protocol_name_list, hs->config->alpn_client_proto_list, - hs->config->alpn_client_proto_list_len); + CBS client_protocol_name_list = + MakeConstSpan(hs->config->alpn_client_proto_list), + client_protocol_name; while (CBS_len(&client_protocol_name_list) > 0) { if (!CBS_get_u8_length_prefixed(&client_protocol_name_list, &client_protocol_name)) { @@ -2549,7 +2534,7 @@ static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; - if (hs->config->token_binding_params == nullptr || SSL_is_dtls(ssl)) { + if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) { return true; } @@ -2558,8 +2543,8 @@ !CBB_add_u16_length_prefixed(out, &contents) || !CBB_add_u16(&contents, kTokenBindingMaxVersion) || !CBB_add_u8_length_prefixed(&contents, ¶ms) || - !CBB_add_bytes(¶ms, hs->config->token_binding_params, - hs->config->token_binding_params_len) || + !CBB_add_bytes(¶ms, hs->config->token_binding_params.data(), + hs->config->token_binding_params.size()) || !CBB_flush(out)) { return false; } @@ -2599,8 +2584,8 @@ return true; } - for (size_t i = 0; i < hs->config->token_binding_params_len; ++i) { - if (param == hs->config->token_binding_params[i]) { + for (uint8_t config_param : hs->config->token_binding_params) { + if (param == config_param) { ssl->s3->negotiated_token_binding_param = param; ssl->s3->token_binding_negotiated = true; return true; @@ -2617,8 +2602,7 @@ // param is found, and false otherwise. static bool select_tb_param(SSL_HANDSHAKE *hs, Span<const uint8_t> peer_params) { - for (size_t i = 0; i < hs->config->token_binding_params_len; ++i) { - uint8_t tb_param = hs->config->token_binding_params[i]; + for (uint8_t tb_param : hs->config->token_binding_params) { for (uint8_t peer_param : peer_params) { if (tb_param == peer_param) { hs->ssl->s3->negotiated_token_binding_param = tb_param; @@ -2633,7 +2617,7 @@ uint8_t *out_alert, CBS *contents) { SSL *const ssl = hs->ssl; - if (contents == nullptr || hs->config->token_binding_params == nullptr) { + if (contents == nullptr || hs->config->token_binding_params.empty()) { return true; } @@ -2689,15 +2673,16 @@ static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { - if (!hs->config->quic_transport_params || hs->max_version <= TLS1_2_VERSION) { + if (hs->config->quic_transport_params.empty() || + hs->max_version <= TLS1_2_VERSION) { return true; } CBB contents; if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) || !CBB_add_u16_length_prefixed(out, &contents) || - !CBB_add_bytes(&contents, hs->config->quic_transport_params, - hs->config->quic_transport_params_len) || + !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(), + hs->config->quic_transport_params.size()) || !CBB_flush(out)) { return false; } @@ -2724,7 +2709,7 @@ uint8_t *out_alert, CBS *contents) { SSL *const ssl = hs->ssl; - if (!contents || !hs->config->quic_transport_params) { + if (!contents || hs->config->quic_transport_params.empty()) { return true; } // Ignore the extension before TLS 1.3. @@ -2737,15 +2722,15 @@ static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { - if (!hs->config->quic_transport_params) { + if (hs->config->quic_transport_params.empty()) { return true; } CBB contents; if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) || !CBB_add_u16_length_prefixed(out, &contents) || - !CBB_add_bytes(&contents, hs->config->quic_transport_params, - hs->config->quic_transport_params_len) || + !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(), + hs->config->quic_transport_params.size()) || !CBB_flush(out)) { return false; } @@ -3667,7 +3652,7 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { SSL *const ssl = hs->ssl; - CERT *cert = hs->config->cert; + CERT *cert = hs->config->cert.get(); // Before TLS 1.2, the signature algorithm isn't negotiated as part of the // handshake. @@ -3789,7 +3774,8 @@ return false; } - EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->tlsext_channel_id_private); + EC_KEY *ec_key = + EVP_PKEY_get0_EC_KEY(hs->config->tlsext_channel_id_private.get()); if (ec_key == nullptr) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return false;
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc index 696909a..4424318 100644 --- a/ssl/tls13_both.cc +++ b/ssl/tls13_both.cc
@@ -415,7 +415,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - CERT *const cert = hs->config->cert; + CERT *const cert = hs->config->cert.get(); ScopedCBB cbb; CBB *body, body_storage, certificate_list;