Give CERT a destructor.
Change-Id: I97f5290d908e59ece75fe5b8fa72d51c3cf62148
Reviewed-on: https://boringssl-review.googlesource.com/27489
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index 19895d6..f1fc63f 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -328,11 +328,11 @@
// CopyFrom replaces the array with a newly-allocated copy of |in|. It returns
// true on success and false on error.
- bool CopyFrom(Span<const uint8_t> in) {
+ bool CopyFrom(Span<const T> in) {
if (!Init(in.size())) {
return false;
}
- OPENSSL_memcpy(data_, in.data(), in.size());
+ OPENSSL_memcpy(data_, in.data(), sizeof(T) * in.size());
return true;
}
@@ -1766,7 +1766,12 @@
#define NAMED_CURVE_TYPE 3
struct CERT {
- EVP_PKEY *privatekey;
+ static constexpr bool kAllowUniquePtr = true;
+
+ explicit CERT(const SSL_X509_METHOD *x509_method);
+ ~CERT();
+
+ UniquePtr<EVP_PKEY> privatekey;
// chain contains the certificate chain, with the leaf at the beginning. The
// first element of |chain| may be NULL to indicate that the leaf certificate
@@ -1774,35 +1779,34 @@
// If |chain| != NULL -> len(chain) >= 1
// If |chain[0]| == NULL -> len(chain) >= 2.
// |chain[1..]| != NULL
- STACK_OF(CRYPTO_BUFFER) *chain;
+ UniquePtr<STACK_OF(CRYPTO_BUFFER)> chain;
// x509_chain may contain a parsed copy of |chain[1..]|. This is only used as
// a cache in order to implement “get0” functions that return a non-owning
// pointer to the certificate chain.
- STACK_OF(X509) *x509_chain;
+ STACK_OF(X509) *x509_chain = nullptr;
// x509_leaf may contain a parsed copy of the first element of |chain|. This
// is only used as a cache in order to implement “get0” functions that return
// a non-owning pointer to the certificate chain.
- X509 *x509_leaf;
+ X509 *x509_leaf = nullptr;
// x509_stash contains the last |X509| object append to the chain. This is a
// workaround for some third-party code that continue to use an |X509| object
// even after passing ownership with an “add0” function.
- X509 *x509_stash;
+ X509 *x509_stash = nullptr;
// key_method, if non-NULL, is a set of callbacks to call for private key
// operations.
- const SSL_PRIVATE_KEY_METHOD *key_method;
+ const SSL_PRIVATE_KEY_METHOD *key_method = nullptr;
// x509_method contains pointers to functions that might deal with |X509|
// compatibility, or might be a no-op, depending on the application.
- const SSL_X509_METHOD *x509_method;
+ const SSL_X509_METHOD *x509_method = nullptr;
- // sigalgs, if non-NULL, is the set of signature algorithms supported by
+ // sigalgs, if non-empty, is the set of signature algorithms supported by
// |privatekey| in decreasing order of preference.
- uint16_t *sigalgs;
- size_t num_sigalgs;
+ Array<uint16_t> sigalgs;
// Certificate setup callback: if set is called whenever a
// certificate may be required (client or server). the callback
@@ -1810,23 +1814,23 @@
// certificates required. This allows advanced applications
// to select certificates on the fly: for example based on
// supported signature algorithms or curves.
- int (*cert_cb)(SSL *ssl, void *arg);
- void *cert_cb_arg;
+ int (*cert_cb)(SSL *ssl, void *arg) = nullptr;
+ void *cert_cb_arg = nullptr;
// Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX
// store is used instead.
- X509_STORE *verify_store;
+ X509_STORE *verify_store = nullptr;
// Signed certificate timestamp list to be sent to the client, if requested
- CRYPTO_BUFFER *signed_cert_timestamp_list;
+ UniquePtr<CRYPTO_BUFFER> signed_cert_timestamp_list;
// OCSP response to be sent to the client, if requested.
- CRYPTO_BUFFER *ocsp_response;
+ UniquePtr<CRYPTO_BUFFER> ocsp_response;
// sid_ctx partitions the session space within a shared session cache or
// ticket key. Only sessions with a matching value will be accepted.
- uint8_t sid_ctx_length;
- uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+ uint8_t sid_ctx_length = 0;
+ uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH] = {0};
// If enable_early_data is true, early data can be sent and accepted.
bool enable_early_data:1;
@@ -2762,10 +2766,8 @@
// kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext.
static const size_t kMaxEarlyDataAccepted = 14336;
-CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method);
-CERT *ssl_cert_dup(CERT *cert);
+UniquePtr<CERT> ssl_cert_dup(CERT *cert);
void ssl_cert_clear_certs(CERT *cert);
-void ssl_cert_free(CERT *cert);
int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer);
int ssl_is_key_type_supported(int key_type);
// ssl_compare_public_and_private_key returns one if |pubkey| is the public
