Use BoringSSL scopers in //net.
BUG=654143
Review-Url: https://codereview.chromium.org/2400033005
Cr-Commit-Position: refs/heads/master@{#424298}
diff --git a/net/base/keygen_handler_openssl.cc b/net/base/keygen_handler_openssl.cc
index f566a1c..76f0e5bd6 100644
--- a/net/base/keygen_handler_openssl.cc
+++ b/net/base/keygen_handler_openssl.cc
@@ -14,10 +14,8 @@
#include "base/location.h"
#include "base/logging.h"
#include "base/strings/string_piece.h"
-#include "crypto/auto_cbb.h"
#include "crypto/openssl_util.h"
#include "crypto/rsa_private_key.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/keygen_handler.h"
#include "net/base/openssl_private_key_store.h"
@@ -54,7 +52,7 @@
crypto::OpenSSLErrStackTracer tracer(FROM_HERE);
// Serialize up to the PublicKeyAndChallenge.
- crypto::AutoCBB cbb;
+ bssl::ScopedCBB cbb;
CBB spkac, public_key_and_challenge, challenge;
if (!CBB_init(cbb.get(), 0) ||
!CBB_add_asn1(cbb.get(), &spkac, CBS_ASN1_SEQUENCE) ||
@@ -70,7 +68,7 @@
}
// Hash what's been written so far.
- crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+ bssl::ScopedEVP_MD_CTX ctx;
if (!EVP_DigestSignInit(ctx.get(), nullptr, EVP_md5(), nullptr, pkey) ||
!EVP_DigestSignUpdate(ctx.get(), CBB_data(&spkac), CBB_len(&spkac))) {
return std::string();
diff --git a/net/base/keygen_handler_unittest.cc b/net/base/keygen_handler_unittest.cc
index f10de065..8060fae 100644
--- a/net/base/keygen_handler_unittest.cc
+++ b/net/base/keygen_handler_unittest.cc
@@ -20,7 +20,6 @@
#include "base/threading/thread_restrictions.h"
#include "base/threading/worker_pool.h"
#include "build/build_config.h"
-#include "crypto/scoped_openssl_types.h"
#include "testing/gtest/include/gtest/gtest.h"
#if defined(USE_NSS_CERTS)
@@ -123,7 +122,8 @@
ASSERT_TRUE(
CBS_get_asn1(©, &public_key_and_challenge, CBS_ASN1_SEQUENCE));
ASSERT_EQ(0u, CBS_len(©));
- crypto::ScopedEVP_PKEY key(EVP_parse_public_key(&public_key_and_challenge));
+ bssl::UniquePtr<EVP_PKEY> key(
+ EVP_parse_public_key(&public_key_and_challenge));
ASSERT_TRUE(key);
CBS challenge_spkac;
ASSERT_TRUE(CBS_get_asn1(&public_key_and_challenge, &challenge_spkac,
@@ -154,7 +154,7 @@
ASSERT_EQ(0u, pad);
// Check the signature.
- crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+ bssl::ScopedEVP_MD_CTX ctx;
ASSERT_TRUE(
EVP_DigestVerifyInit(ctx.get(), nullptr, EVP_md5(), nullptr, key.get()));
ASSERT_TRUE(EVP_DigestVerifyUpdate(ctx.get(),
diff --git a/net/base/openssl_private_key_store_android.cc b/net/base/openssl_private_key_store_android.cc
index 424f72f..224a4f53 100644
--- a/net/base/openssl_private_key_store_android.cc
+++ b/net/base/openssl_private_key_store_android.cc
@@ -10,9 +10,7 @@
#include "base/logging.h"
#include "base/memory/singleton.h"
-#include "crypto/auto_cbb.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/android/network_library.h"
namespace net {
@@ -23,12 +21,12 @@
uint8_t* public_key;
size_t public_len;
- crypto::AutoCBB cbb;
+ bssl::ScopedCBB cbb;
if (!CBB_init(cbb.get(), 0) || !EVP_marshal_public_key(cbb.get(), pkey) ||
!CBB_finish(cbb.get(), &public_key, &public_len)) {
return false;
}
- crypto::ScopedOpenSSLBytes free_public_key(public_key);
+ bssl::UniquePtr<uint8_t> free_public_key(public_key);
uint8_t* private_key;
size_t private_len;
@@ -37,7 +35,7 @@
!CBB_finish(cbb.get(), &private_key, &private_len)) {
return false;
}
- crypto::ScopedOpenSSLBytes free_private_key(private_key);
+ bssl::UniquePtr<uint8_t> free_private_key(private_key);
if (!android::StoreKeyPair(public_key, public_len, private_key,
private_len)) {
diff --git a/net/cert/cert_database_openssl.cc b/net/cert/cert_database_openssl.cc
index a59c2eb..c92c2bc 100644
--- a/net/cert/cert_database_openssl.cc
+++ b/net/cert/cert_database_openssl.cc
@@ -4,11 +4,11 @@
#include "net/cert/cert_database.h"
+#include <openssl/evp.h>
#include <openssl/x509.h>
#include "base/logging.h"
#include "base/observer_list_threadsafe.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/crypto_module.h"
#include "net/base/net_errors.h"
#include "net/base/openssl_private_key_store.h"
@@ -40,7 +40,7 @@
return ERR_CERT_DATE_INVALID;
// X509_PUBKEY_get() transfers ownership, not X509_get_X509_PUBKEY()
- crypto::ScopedEVP_PKEY public_key(
+ bssl::UniquePtr<EVP_PKEY> public_key(
X509_PUBKEY_get(X509_get_X509_PUBKEY(cert->os_cert_handle())));
if (!OpenSSLPrivateKeyStore::HasPrivateKey(public_key.get()))
diff --git a/net/cert/cert_verify_proc_ios.cc b/net/cert/cert_verify_proc_ios.cc
index 73f8a15..2ab30ed 100644
--- a/net/cert/cert_verify_proc_ios.cc
+++ b/net/cert/cert_verify_proc_ios.cc
@@ -125,7 +125,7 @@
if (!X509Certificate::GetDEREncoded(chain_cert, &der_bytes))
return;
const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_bytes.data());
- ScopedX509 x509_cert(d2i_X509(NULL, &bytes, der_bytes.size()));
+ bssl::UniquePtr<X509> x509_cert(d2i_X509(NULL, &bytes, der_bytes.size()));
base::StringPiece spki_bytes;
if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
diff --git a/net/cert/cert_verify_proc_openssl.cc b/net/cert/cert_verify_proc_openssl.cc
index 824a95c..ab7daf04 100644
--- a/net/cert/cert_verify_proc_openssl.cc
+++ b/net/cert/cert_verify_proc_openssl.cc
@@ -12,7 +12,6 @@
#include "base/logging.h"
#include "base/sha1.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "crypto/sha2.h"
#include "net/base/net_errors.h"
#include "net/cert/asn1_util.h"
@@ -90,11 +89,9 @@
}
}
-// sk_X509_free is a function-style macro, so can't be used as a template
-// param directly.
-void sk_X509_free_fn(STACK_OF(X509)* st) {
- sk_X509_free(st);
-}
+struct ShallowX509StackDeleter {
+ void operator()(STACK_OF(X509) * st) const { sk_X509_free(st); }
+};
void GetCertChainInfo(X509_STORE_CTX* store_ctx,
CertVerifyResult* verify_result) {
@@ -211,10 +208,9 @@
verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
}
- crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(
- X509_STORE_CTX_new());
+ bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());
- crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(
+ std::unique_ptr<STACK_OF(X509), ShallowX509StackDeleter> intermediates(
sk_X509_new_null());
if (!intermediates.get())
return ERR_OUT_OF_MEMORY;
diff --git a/net/cert/ct_log_verifier.cc b/net/cert/ct_log_verifier.cc
index 04eb2f1..2e95beb 100644
--- a/net/cert/ct_log_verifier.cc
+++ b/net/cert/ct_log_verifier.cc
@@ -10,7 +10,6 @@
#include "base/logging.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "crypto/sha2.h"
#include "net/cert/ct_log_verifier_util.h"
#include "net/cert/ct_serialization.h"
diff --git a/net/cert/ct_objects_extractor.cc b/net/cert/ct_objects_extractor.cc
index 3453e445..55b3fe23 100644
--- a/net/cert/ct_objects_extractor.cc
+++ b/net/cert/ct_objects_extractor.cc
@@ -13,11 +13,9 @@
#include "base/logging.h"
#include "base/sha1.h"
#include "base/strings/string_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "crypto/sha2.h"
#include "net/cert/asn1_util.h"
#include "net/cert/signed_certificate_timestamp.h"
-#include "net/ssl/scoped_openssl_types.h"
namespace net {
@@ -25,13 +23,6 @@
namespace {
-void FreeX509_EXTENSIONS(X509_EXTENSIONS* ptr) {
- sk_X509_EXTENSION_pop_free(ptr, X509_EXTENSION_free);
-}
-
-using ScopedX509_EXTENSIONS =
- crypto::ScopedOpenSSL<X509_EXTENSIONS, FreeX509_EXTENSIONS>;
-
// The wire form of the OID 1.3.6.1.4.1.11129.2.4.2. See Section 3.3 of
// RFC6962.
const uint8_t kEmbeddedSCTOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
@@ -49,15 +40,16 @@
return memcmp(value1.data(), CBS_data(value2), CBS_len(value2)) == 0;
}
-ScopedX509 OSCertHandleToOpenSSL(X509Certificate::OSCertHandle os_handle) {
+bssl::UniquePtr<X509> OSCertHandleToOpenSSL(
+ X509Certificate::OSCertHandle os_handle) {
#if defined(USE_OPENSSL_CERTS)
- return ScopedX509(X509Certificate::DupOSCertHandle(os_handle));
+ return bssl::UniquePtr<X509>(X509Certificate::DupOSCertHandle(os_handle));
#else
std::string der_encoded;
if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded))
- return ScopedX509();
+ return bssl::UniquePtr<X509>();
const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
- return ScopedX509(d2i_X509(NULL, &bytes, der_encoded.size()));
+ return bssl::UniquePtr<X509>(d2i_X509(NULL, &bytes, der_encoded.size()));
#endif
}
@@ -171,7 +163,7 @@
bool ExtractEmbeddedSCTList(X509Certificate::OSCertHandle cert,
std::string* sct_list) {
- ScopedX509 x509(OSCertHandleToOpenSSL(cert));
+ bssl::UniquePtr<X509> x509(OSCertHandleToOpenSSL(cert));
if (!x509)
return false;
X509_EXTENSIONS* x509_exts = x509->cert_info->extensions;
@@ -187,7 +179,7 @@
LogEntry* result) {
result->Reset();
- ScopedX509 leaf_x509(OSCertHandleToOpenSSL(leaf));
+ bssl::UniquePtr<X509> leaf_x509(OSCertHandleToOpenSSL(leaf));
if (!leaf_x509)
return false;
@@ -203,7 +195,7 @@
// The Precertificate log entry is the final certificate's TBSCertificate
// without the SCT extension (RFC6962, section 3.2).
- ScopedX509 leaf_copy(X509_dup(leaf_x509.get()));
+ bssl::UniquePtr<X509> leaf_copy(X509_dup(leaf_x509.get()));
if (!leaf_copy || !leaf_copy->cert_info->extensions) {
NOTREACHED();
return false;
@@ -346,7 +338,7 @@
if (!CBS_get_asn1(&single_response, &extensions, kSingleExtensionsTag))
return false;
const uint8_t* ptr = CBS_data(&extensions);
- ScopedX509_EXTENSIONS x509_exts(
+ bssl::UniquePtr<X509_EXTENSIONS> x509_exts(
d2i_X509_EXTENSIONS(NULL, &ptr, CBS_len(&extensions)));
if (!x509_exts || ptr != CBS_data(&extensions) + CBS_len(&extensions))
return false;
diff --git a/net/cert/internal/verify_name_match.cc b/net/cert/internal/verify_name_match.cc
index 3cfa4a1..e1cc813 100644
--- a/net/cert/internal/verify_name_match.cc
+++ b/net/cert/internal/verify_name_match.cc
@@ -4,13 +4,14 @@
#include "net/cert/internal/verify_name_match.h"
+#include <openssl/bytestring.h>
+#include <openssl/mem.h>
+
#include <algorithm>
#include <vector>
#include "base/strings/string_util.h"
#include "base/tuple.h"
-#include "crypto/auto_cbb.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/cert/internal/parse_name.h"
#include "net/der/input.h"
#include "net/der/parser.h"
@@ -294,7 +295,7 @@
// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
der::Parser rdn_sequence_parser(name_rdn_sequence);
- crypto::AutoCBB cbb;
+ bssl::ScopedCBB cbb;
if (!CBB_init(cbb.get(), 0))
return false;
@@ -316,13 +317,13 @@
CBB rdn_cbb;
if (!CBB_add_asn1(cbb.get(), &rdn_cbb, CBS_ASN1_SET))
return false;
- std::vector<crypto::ScopedOpenSSLBytes>
+ std::vector<bssl::UniquePtr<uint8_t>>
scoped_encoded_attribute_type_and_values;
std::vector<der::Input> encoded_attribute_type_and_values;
for (const auto& type_and_value : type_and_values) {
// A top-level CBB for encoding each individual AttributeTypeAndValue.
- crypto::AutoCBB type_and_value_encoder_cbb;
+ bssl::ScopedCBB type_and_value_encoder_cbb;
if (!CBB_init(type_and_value_encoder_cbb.get(), 0))
return false;
@@ -367,7 +368,7 @@
if (!CBB_finish(type_and_value_encoder_cbb.get(), &bytes, &len))
return false;
scoped_encoded_attribute_type_and_values.push_back(
- crypto::ScopedOpenSSLBytes(bytes));
+ bssl::UniquePtr<uint8_t>(bytes));
encoded_attribute_type_and_values.push_back(der::Input(bytes, len));
}
diff --git a/net/cert/internal/verify_signed_data.cc b/net/cert/internal/verify_signed_data.cc
index bd0ee60..a8727dc 100644
--- a/net/cert/internal/verify_signed_data.cc
+++ b/net/cert/internal/verify_signed_data.cc
@@ -4,6 +4,7 @@
#include "net/cert/internal/verify_signed_data.h"
+#include <openssl/bn.h>
#include <openssl/bytestring.h>
#include <openssl/digest.h>
#include <openssl/ec.h>
@@ -14,7 +15,6 @@
#include "base/compiler_specific.h"
#include "base/logging.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/cert/internal/cert_errors.h"
#include "net/cert/internal/signature_algorithm.h"
#include "net/cert/internal/signature_policy.h"
@@ -81,7 +81,7 @@
// See https://crbug.com/522228 and https://crbug.com/522232
WARN_UNUSED_RESULT bool ImportPkeyFromSpki(const der::Input& spki,
int expected_pkey_id,
- crypto::ScopedEVP_PKEY* pkey) {
+ bssl::UniquePtr<EVP_PKEY>* pkey) {
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
CBS cbs;
@@ -153,7 +153,7 @@
//
// Following RFC 3279 in this case.
WARN_UNUSED_RESULT bool ParseRsaKeyFromSpki(const der::Input& public_key_spki,
- crypto::ScopedEVP_PKEY* pkey,
+ bssl::UniquePtr<EVP_PKEY>* pkey,
const SignaturePolicy* policy,
CertErrors* errors) {
// TODO(crbug.com/634443): Add more specific errors.
@@ -161,7 +161,7 @@
return false;
// Extract the modulus length from the key.
- crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey->get()));
+ RSA* rsa = EVP_PKEY_get0_RSA(pkey->get());
if (!rsa)
return false;
unsigned int modulus_length_bits = BN_num_bits(rsa->n);
@@ -191,7 +191,7 @@
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
- crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+ bssl::ScopedEVP_MD_CTX ctx;
EVP_PKEY_CTX* pctx = nullptr; // Owned by |ctx|.
const EVP_MD* digest;
@@ -262,7 +262,7 @@
// ... -- Extensible
// }
WARN_UNUSED_RESULT bool ParseEcKeyFromSpki(const der::Input& public_key_spki,
- crypto::ScopedEVP_PKEY* pkey,
+ bssl::UniquePtr<EVP_PKEY>* pkey,
const SignaturePolicy* policy,
CertErrors* errors) {
// TODO(crbug.com/634443): Add more specific errors.
@@ -270,10 +270,10 @@
return false;
// Extract the curve name.
- crypto::ScopedEC_KEY ec(EVP_PKEY_get1_EC_KEY(pkey->get()));
- if (!ec.get())
+ EC_KEY* ec = EVP_PKEY_get0_EC_KEY(pkey->get());
+ if (!ec)
return false; // Unexpected.
- int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get()));
+ int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
if (!policy->IsAcceptableCurveForEcdsa(curve_nid, errors)) {
errors->AddError(kUnacceptableEcdsaCurve);
@@ -296,7 +296,7 @@
return false;
}
- crypto::ScopedEVP_PKEY public_key;
+ bssl::UniquePtr<EVP_PKEY> public_key;
// Parse the SPKI to an EVP_PKEY appropriate for the signature algorithm.
switch (signature_algorithm.algorithm()) {
diff --git a/net/cert/jwk_serializer.cc b/net/cert/jwk_serializer.cc
index 3a6a86d3..bcd9545d 100644
--- a/net/cert/jwk_serializer.cc
+++ b/net/cert/jwk_serializer.cc
@@ -15,7 +15,6 @@
#include "base/strings/string_util.h"
#include "base/values.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
namespace net {
@@ -26,10 +25,10 @@
bool ConvertEcKeyToJwk(EVP_PKEY* pkey,
base::DictionaryValue* public_key_jwk,
const crypto::OpenSSLErrStackTracer& err_tracer) {
- crypto::ScopedEC_KEY ec_key(EVP_PKEY_get1_EC_KEY(pkey));
+ EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey);
if (!ec_key)
return false;
- const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key.get());
+ const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key);
if (!ec_group)
return false;
@@ -47,12 +46,12 @@
int degree_bytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
- const EC_POINT* ec_point = EC_KEY_get0_public_key(ec_key.get());
+ const EC_POINT* ec_point = EC_KEY_get0_public_key(ec_key);
if (!ec_point)
return false;
- crypto::ScopedBIGNUM x(BN_new());
- crypto::ScopedBIGNUM y(BN_new());
+ bssl::UniquePtr<BIGNUM> x(BN_new());
+ bssl::UniquePtr<BIGNUM> y(BN_new());
if (!EC_POINT_get_affine_coordinates_GFp(ec_group, ec_point, x.get(), y.get(),
NULL)) {
return false;
@@ -98,7 +97,7 @@
CBS cbs;
CBS_init(&cbs, reinterpret_cast<const uint8_t*>(spki_der.data()),
spki_der.size());
- crypto::ScopedEVP_PKEY pubkey(EVP_parse_public_key(&cbs));
+ bssl::UniquePtr<EVP_PKEY> pubkey(EVP_parse_public_key(&cbs));
if (!pubkey || CBS_len(&cbs) != 0)
return false;
diff --git a/net/cert/x509_certificate_ios.cc b/net/cert/x509_certificate_ios.cc
index f50652c..fccc23bab 100644
--- a/net/cert/x509_certificate_ios.cc
+++ b/net/cert/x509_certificate_ios.cc
@@ -15,7 +15,6 @@
#include "base/strings/string_piece.h"
#include "base/strings/string_util.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/ip_address.h"
#include "net/cert/x509_util_openssl.h"
#include "net/ssl/openssl_ssl_util.h"
@@ -26,9 +25,6 @@
namespace {
-using ScopedGENERAL_NAMES =
- crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>;
-
// Returns true if a given |cert_handle| is actually a valid X.509 certificate
// handle.
//
@@ -109,7 +105,7 @@
std::vector<std::string>* dns_names,
std::vector<std::string>* ip_addresses) {
DCHECK(dns_names || ip_addresses);
- ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);
+ bssl::UniquePtr<X509> cert = OSCertHandleToOpenSSL(os_cert);
if (!cert.get())
return;
int index = X509_get_ext_by_NID(cert.get(), NID_subject_alt_name, -1);
@@ -117,7 +113,7 @@
if (!alt_name_ext)
return;
- ScopedGENERAL_NAMES alt_names(
+ bssl::UniquePtr<GENERAL_NAMES> alt_names(
reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext)));
if (!alt_names.get())
return;
@@ -150,11 +146,6 @@
}
}
-// Used to free a list of X509_NAMEs and the objects it points to.
-void sk_X509_NAME_free_all(STACK_OF(X509_NAME) * sk) {
- sk_X509_NAME_pop_free(sk, X509_NAME_free);
-}
-
} // namespace
// static
@@ -173,7 +164,7 @@
void X509Certificate::Initialize() {
crypto::EnsureOpenSSLInit();
- ScopedX509 x509_cert = OSCertHandleToOpenSSL(cert_handle_);
+ bssl::UniquePtr<X509> x509_cert = OSCertHandleToOpenSSL(cert_handle_);
if (!x509_cert)
return;
ASN1_INTEGER* serial_num = X509_get_serialNumber(x509_cert.get());
@@ -342,10 +333,10 @@
PublicKeyType* type) {
*type = kPublicKeyTypeUnknown;
*size_bits = 0;
- ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);
+ bssl::UniquePtr<X509> cert = OSCertHandleToOpenSSL(os_cert);
if (!cert)
return;
- crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert.get()));
+ bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert.get()));
if (!scoped_key)
return;
@@ -392,8 +383,7 @@
// Convert to a temporary list of X509_NAME objects.
// It will own the objects it points to.
- crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all>
- issuer_names(sk_X509_NAME_new_null());
+ bssl::UniquePtr<STACK_OF(X509_NAME)> issuer_names(sk_X509_NAME_new_null());
if (!issuer_names)
return false;
@@ -407,7 +397,7 @@
sk_X509_NAME_push(issuer_names.get(), ca_name);
}
- ScopedX509 x509_cert = OSCertHandleToOpenSSL(cert_handle_);
+ bssl::UniquePtr<X509> x509_cert = OSCertHandleToOpenSSL(cert_handle_);
if (!x509_cert)
return false;
X509_NAME* cert_issuer = X509_get_issuer_name(x509_cert.get());
@@ -423,7 +413,7 @@
for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
it != intermediate_ca_certs_.end(); ++it) {
- ScopedX509 intermediate_cert = OSCertHandleToOpenSSL(*it);
+ bssl::UniquePtr<X509> intermediate_cert = OSCertHandleToOpenSSL(*it);
if (!intermediate_cert)
return false;
cert_issuer = X509_get_issuer_name(intermediate_cert.get());
@@ -443,10 +433,10 @@
// static
bool X509Certificate::IsSelfSigned(OSCertHandle os_cert) {
- ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);
+ bssl::UniquePtr<X509> cert = OSCertHandleToOpenSSL(os_cert);
if (!cert)
return false;
- crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert.get()));
+ bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert.get()));
if (!scoped_key)
return false;
if (!X509_verify(cert.get(), scoped_key.get()))
diff --git a/net/cert/x509_certificate_openssl.cc b/net/cert/x509_certificate_openssl.cc
index e22ea9f0..e7d62ff 100644
--- a/net/cert/x509_certificate_openssl.cc
+++ b/net/cert/x509_certificate_openssl.cc
@@ -22,7 +22,6 @@
#include "base/strings/string_piece.h"
#include "base/strings/string_util.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/ip_address.h"
#include "net/base/net_errors.h"
#include "net/cert/x509_util_openssl.h"
@@ -36,9 +35,6 @@
namespace {
-using ScopedGENERAL_NAMES =
- crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>;
-
void CreateOSCertHandlesFromPKCS7Bytes(
const char* data,
size_t length,
@@ -106,7 +102,7 @@
if (!alt_name_ext)
return;
- ScopedGENERAL_NAMES alt_names(
+ bssl::UniquePtr<GENERAL_NAMES> alt_names(
reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext)));
if (!alt_names.get())
return;
@@ -164,16 +160,11 @@
ResetCertStore();
}
- crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free> store_;
+ bssl::UniquePtr<X509_STORE> store_;
DISALLOW_COPY_AND_ASSIGN(X509InitSingleton);
};
-// Used to free a list of X509_NAMEs and the objects it points to.
-void sk_X509_NAME_free_all(STACK_OF(X509_NAME)* sk) {
- sk_X509_NAME_pop_free(sk, X509_NAME_free);
-}
-
} // namespace
// static
@@ -361,11 +352,10 @@
*type = kPublicKeyTypeUnknown;
*size_bits = 0;
- crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle));
+ bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert_handle));
if (!scoped_key.get())
return;
- CHECK(scoped_key.get());
EVP_PKEY* key = scoped_key.get();
switch (key->type) {
@@ -395,8 +385,7 @@
// Convert to a temporary list of X509_NAME objects.
// It will own the objects it points to.
- crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all>
- issuer_names(sk_X509_NAME_new_null());
+ bssl::UniquePtr<STACK_OF(X509_NAME)> issuer_names(sk_X509_NAME_new_null());
if (!issuer_names.get())
return false;
@@ -442,7 +431,7 @@
// static
bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) {
- crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle));
+ bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert_handle));
if (!scoped_key)
return false;
if (!X509_verify(cert_handle, scoped_key.get()))
diff --git a/net/cert/x509_util_openssl.cc b/net/cert/x509_util_openssl.cc
index 4c6ee78..98c5575 100644
--- a/net/cert/x509_util_openssl.cc
+++ b/net/cert/x509_util_openssl.cc
@@ -20,27 +20,16 @@
#include "crypto/ec_private_key.h"
#include "crypto/openssl_util.h"
#include "crypto/rsa_private_key.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/cert/internal/parse_certificate.h"
#include "net/cert/internal/signature_algorithm.h"
#include "net/cert/x509_cert_types.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util.h"
-#include "net/ssl/scoped_openssl_types.h"
namespace net {
namespace {
-using ScopedASN1_INTEGER =
- crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free>;
-using ScopedASN1_OCTET_STRING =
- crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free>;
-using ScopedASN1_STRING = crypto::ScopedOpenSSL<ASN1_STRING, ASN1_STRING_free>;
-using ScopedASN1_TIME = crypto::ScopedOpenSSL<ASN1_TIME, ASN1_TIME_free>;
-using ScopedX509_EXTENSION =
- crypto::ScopedOpenSSL<X509_EXTENSION, X509_EXTENSION_free>;
-
const EVP_MD* ToEVP(x509_util::DigestAlgorithm alg) {
switch (alg) {
case x509_util::DIGEST_SHA1:
@@ -57,34 +46,34 @@
namespace {
-X509* CreateCertificate(EVP_PKEY* key,
- DigestAlgorithm alg,
- const std::string& common_name,
- uint32_t serial_number,
- base::Time not_valid_before,
- base::Time not_valid_after) {
+bssl::UniquePtr<X509> CreateCertificate(EVP_PKEY* key,
+ DigestAlgorithm alg,
+ const std::string& common_name,
+ uint32_t serial_number,
+ base::Time not_valid_before,
+ base::Time not_valid_after) {
// Put the serial number into an OpenSSL-friendly object.
- ScopedASN1_INTEGER asn1_serial(ASN1_INTEGER_new());
+ bssl::UniquePtr<ASN1_INTEGER> asn1_serial(ASN1_INTEGER_new());
if (!asn1_serial.get() ||
!ASN1_INTEGER_set(asn1_serial.get(), static_cast<long>(serial_number))) {
LOG(ERROR) << "Invalid serial number " << serial_number;
- return NULL;
+ return nullptr;
}
// Do the same for the time stamps.
- ScopedASN1_TIME asn1_not_before_time(
- ASN1_TIME_set(NULL, not_valid_before.ToTimeT()));
+ bssl::UniquePtr<ASN1_TIME> asn1_not_before_time(
+ ASN1_TIME_set(nullptr, not_valid_before.ToTimeT()));
if (!asn1_not_before_time.get()) {
LOG(ERROR) << "Invalid not_valid_before time: "
<< not_valid_before.ToTimeT();
- return NULL;
+ return nullptr;
}
- ScopedASN1_TIME asn1_not_after_time(
- ASN1_TIME_set(NULL, not_valid_after.ToTimeT()));
+ bssl::UniquePtr<ASN1_TIME> asn1_not_after_time(
+ ASN1_TIME_set(nullptr, not_valid_after.ToTimeT()));
if (!asn1_not_after_time.get()) {
LOG(ERROR) << "Invalid not_valid_after time: " << not_valid_after.ToTimeT();
- return NULL;
+ return nullptr;
}
// Because |common_name| only contains a common name and starts with 'CN=',
@@ -95,11 +84,11 @@
if (common_name.size() < kCommonNamePrefixLen ||
strncmp(common_name.c_str(), kCommonNamePrefix, kCommonNamePrefixLen)) {
LOG(ERROR) << "Common name must begin with " << kCommonNamePrefix;
- return NULL;
+ return nullptr;
}
if (common_name.size() > INT_MAX) {
LOG(ERROR) << "Common name too long";
- return NULL;
+ return nullptr;
}
unsigned char* common_name_str =
reinterpret_cast<unsigned char*>(const_cast<char*>(common_name.data())) +
@@ -107,7 +96,7 @@
int common_name_len =
static_cast<int>(common_name.size() - kCommonNamePrefixLen);
- ScopedX509_NAME name(X509_NAME_new());
+ bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
if (!name.get() || !X509_NAME_add_entry_by_NID(name.get(),
NID_commonName,
MBSTRING_ASC,
@@ -116,11 +105,11 @@
-1,
0)) {
LOG(ERROR) << "Can't parse common name: " << common_name.c_str();
- return NULL;
+ return nullptr;
}
// Now create certificate and populate it.
- ScopedX509 cert(X509_new());
+ bssl::UniquePtr<X509> cert(X509_new());
if (!cert.get() || !X509_set_version(cert.get(), 2L) /* i.e. version 3 */ ||
!X509_set_pubkey(cert.get(), key) ||
!X509_set_serialNumber(cert.get(), asn1_serial.get()) ||
@@ -129,10 +118,10 @@
!X509_set_subject_name(cert.get(), name.get()) ||
!X509_set_issuer_name(cert.get(), name.get())) {
LOG(ERROR) << "Could not create certificate";
- return NULL;
+ return nullptr;
}
- return cert.release();
+ return cert;
}
// DER-encodes |x509|. On success, returns true and writes the
@@ -211,13 +200,10 @@
base::Time not_valid_after,
std::string* der_encoded) {
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
- ScopedX509 cert(CreateCertificate(key->key(),
- alg,
- common_name,
- serial_number,
- not_valid_before,
- not_valid_after));
- if (!cert.get())
+ bssl::UniquePtr<X509> cert =
+ CreateCertificate(key->key(), alg, common_name, serial_number,
+ not_valid_before, not_valid_after);
+ if (!cert)
return false;
return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_encoded);
diff --git a/net/quic/chromium/crypto/proof_source_chromium.cc b/net/quic/chromium/crypto/proof_source_chromium.cc
index 44b5e825..45b9ba9 100644
--- a/net/quic/chromium/crypto/proof_source_chromium.cc
+++ b/net/quic/chromium/crypto/proof_source_chromium.cc
@@ -11,7 +11,6 @@
#include "base/strings/string_number_conversions.h"
#include "crypto/openssl_util.h"
#include "net/quic/core/crypto/crypto_protocol.h"
-#include "net/ssl/scoped_openssl_types.h"
using std::string;
using std::vector;
@@ -90,7 +89,7 @@
DCHECK(private_key_.get()) << " this: " << this;
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
- crypto::ScopedEVP_MD_CTX sign_context(EVP_MD_CTX_create());
+ bssl::ScopedEVP_MD_CTX sign_context;
EVP_PKEY_CTX* pkey_ctx;
if (quic_version > QUIC_VERSION_30) {
diff --git a/net/quic/core/crypto/channel_id.cc b/net/quic/core/crypto/channel_id.cc
index 0d989c8..65a5e2ee 100644
--- a/net/quic/core/crypto/channel_id.cc
+++ b/net/quic/core/crypto/channel_id.cc
@@ -6,12 +6,12 @@
#include <openssl/bn.h>
#include <openssl/ec.h>
+#include <openssl/ec_key.h>
#include <openssl/ecdsa.h>
-#include <openssl/obj_mac.h>
+#include <openssl/nid.h>
#include <openssl/sha.h>
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
using base::StringPiece;
@@ -38,12 +38,13 @@
return false;
}
- crypto::ScopedEC_GROUP p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
+ bssl::UniquePtr<EC_GROUP> p256(
+ EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
if (!p256) {
return false;
}
- crypto::ScopedBIGNUM x(BN_new()), y(BN_new()), r(BN_new()), s(BN_new());
+ bssl::UniquePtr<BIGNUM> x(BN_new()), y(BN_new()), r(BN_new()), s(BN_new());
ECDSA_SIG sig;
sig.r = r.get();
@@ -60,14 +61,14 @@
return false;
}
- crypto::ScopedEC_POINT point(EC_POINT_new(p256.get()));
+ bssl::UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
if (!point ||
!EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
y.get(), nullptr)) {
return false;
}
- crypto::ScopedEC_KEY ecdsa_key(EC_KEY_new());
+ bssl::UniquePtr<EC_KEY> ecdsa_key(EC_KEY_new());
if (ecdsa_key.get() == nullptr ||
!EC_KEY_set_group(ecdsa_key.get(), p256.get()) ||
!EC_KEY_set_public_key(ecdsa_key.get(), point.get())) {
diff --git a/net/quic/core/crypto/p256_key_exchange.cc b/net/quic/core/crypto/p256_key_exchange.cc
index 6e401a6..3a92118 100644
--- a/net/quic/core/crypto/p256_key_exchange.cc
+++ b/net/quic/core/crypto/p256_key_exchange.cc
@@ -8,6 +8,8 @@
#include <openssl/ecdh.h>
#include <openssl/evp.h>
+#include <utility>
+
#include "base/logging.h"
using base::StringPiece;
@@ -15,8 +17,9 @@
namespace net {
-P256KeyExchange::P256KeyExchange(EC_KEY* private_key, const uint8_t* public_key)
- : private_key_(private_key) {
+P256KeyExchange::P256KeyExchange(bssl::UniquePtr<EC_KEY> private_key,
+ const uint8_t* public_key)
+ : private_key_(std::move(private_key)) {
memcpy(public_key_, public_key, sizeof(public_key_));
}
@@ -30,7 +33,7 @@
}
const uint8_t* keyp = reinterpret_cast<const uint8_t*>(key.data());
- crypto::ScopedEC_KEY private_key(
+ bssl::UniquePtr<EC_KEY> private_key(
d2i_ECPrivateKey(nullptr, &keyp, key.size()));
if (!private_key.get() || !EC_KEY_check_key(private_key.get())) {
DVLOG(1) << "Private key is invalid.";
@@ -46,12 +49,12 @@
return nullptr;
}
- return new P256KeyExchange(private_key.release(), public_key);
+ return new P256KeyExchange(std::move(private_key), public_key);
}
// static
string P256KeyExchange::NewPrivateKey() {
- crypto::ScopedEC_KEY key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+ bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
if (!key.get() || !EC_KEY_generate_key(key.get())) {
DVLOG(1) << "Can't generate a new private key.";
return string();
@@ -84,7 +87,7 @@
return false;
}
- crypto::ScopedEC_POINT point(
+ bssl::UniquePtr<EC_POINT> point(
EC_POINT_new(EC_KEY_get0_group(private_key_.get())));
if (!point ||
!EC_POINT_oct2point(/* also test if point is on curve */
diff --git a/net/quic/core/crypto/p256_key_exchange.h b/net/quic/core/crypto/p256_key_exchange.h
index e6b32a2..64fa8b9 100644
--- a/net/quic/core/crypto/p256_key_exchange.h
+++ b/net/quic/core/crypto/p256_key_exchange.h
@@ -5,6 +5,7 @@
#ifndef NET_QUIC_CRYPTO_P256_KEY_EXCHANGE_H_
#define NET_QUIC_CRYPTO_P256_KEY_EXCHANGE_H_
+#include <openssl/base.h>
#include <stdint.h>
#include <memory>
@@ -13,7 +14,6 @@
#include "base/macros.h"
#include "base/strings/string_piece.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/net_export.h"
#include "net/quic/core/crypto/key_exchange.h"
@@ -54,11 +54,12 @@
kUncompressedECPointForm = 0x04,
};
- // P256KeyExchange takes ownership of |private_key|, and expects
- // |public_key| consists of |kUncompressedP256PointBytes| bytes.
- P256KeyExchange(EC_KEY* private_key, const uint8_t* public_key);
+ // P256KeyExchange wraps |private_key|, and expects |public_key| consists of
+ // |kUncompressedP256PointBytes| bytes.
+ P256KeyExchange(bssl::UniquePtr<EC_KEY> private_key,
+ const uint8_t* public_key);
- crypto::ScopedEC_KEY private_key_;
+ bssl::UniquePtr<EC_KEY> private_key_;
// The public key stored as an uncompressed P-256 point.
uint8_t public_key_[kUncompressedP256PointBytes];
diff --git a/net/quic/test_tools/crypto_test_utils.cc b/net/quic/test_tools/crypto_test_utils.cc
index ab907cd..7e95691a 100644
--- a/net/quic/test_tools/crypto_test_utils.cc
+++ b/net/quic/test_tools/crypto_test_utils.cc
@@ -15,7 +15,6 @@
#include "base/strings/string_util.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "crypto/secure_hash.h"
#include "net/quic/core/crypto/channel_id.h"
#include "net/quic/core/crypto/common_cert_set.h"
@@ -136,9 +135,8 @@
// ChannelIDKey implementation.
bool Sign(StringPiece signed_data, string* out_signature) const override {
- crypto::ScopedEVP_MD_CTX md_ctx(EVP_MD_CTX_create());
- if (!md_ctx ||
- EVP_DigestSignInit(md_ctx.get(), nullptr, EVP_sha256(), nullptr,
+ bssl::ScopedEVP_MD_CTX md_ctx;
+ if (EVP_DigestSignInit(md_ctx.get(), nullptr, EVP_sha256(), nullptr,
ecdsa_key_.get()) != 1) {
return false;
}
@@ -160,7 +158,7 @@
}
uint8_t* derp = der_sig.get();
- crypto::ScopedECDSA_SIG sig(
+ bssl::UniquePtr<ECDSA_SIG> sig(
d2i_ECDSA_SIG(nullptr, const_cast<const uint8_t**>(&derp), sig_len));
if (sig.get() == nullptr) {
return false;
@@ -199,7 +197,7 @@
}
private:
- crypto::ScopedEVP_PKEY ecdsa_key_;
+ bssl::UniquePtr<EVP_PKEY> ecdsa_key_;
};
class TestChannelIDSource : public ChannelIDSource {
@@ -235,24 +233,24 @@
// clearing the most-significant bit.
digest[0] &= 0x7f;
- crypto::ScopedBIGNUM k(BN_new());
+ bssl::UniquePtr<BIGNUM> k(BN_new());
CHECK(BN_bin2bn(digest, sizeof(digest), k.get()) != nullptr);
- crypto::ScopedEC_GROUP p256(
+ bssl::UniquePtr<EC_GROUP> p256(
EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
CHECK(p256);
- crypto::ScopedEC_KEY ecdsa_key(EC_KEY_new());
+ bssl::UniquePtr<EC_KEY> ecdsa_key(EC_KEY_new());
CHECK(ecdsa_key && EC_KEY_set_group(ecdsa_key.get(), p256.get()));
- crypto::ScopedEC_POINT point(EC_POINT_new(p256.get()));
+ bssl::UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
CHECK(EC_POINT_mul(p256.get(), point.get(), k.get(), nullptr, nullptr,
nullptr));
EC_KEY_set_private_key(ecdsa_key.get(), k.get());
EC_KEY_set_public_key(ecdsa_key.get(), point.get());
- crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
+ bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
// EVP_PKEY_set1_EC_KEY takes a reference so no |release| here.
EVP_PKEY_set1_EC_KEY(pkey.get(), ecdsa_key.get());
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index 9901d3d5..177a1ba 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -30,10 +30,8 @@
#include "base/threading/thread_local.h"
#include "base/trace_event/trace_event.h"
#include "base/values.h"
-#include "crypto/auto_cbb.h"
#include "crypto/ec_private_key.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/ip_address.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_verifier.h"
@@ -47,7 +45,6 @@
#include "net/log/net_log.h"
#include "net/log/net_log_event_type.h"
#include "net/log/net_log_parameters_callback.h"
-#include "net/ssl/scoped_openssl_types.h"
#include "net/ssl/ssl_cert_request_info.h"
#include "net/ssl/ssl_cipher_suite_names.h"
#include "net/ssl/ssl_client_session_cache.h"
@@ -358,7 +355,7 @@
// SSLClientSocketImpl object from an SSL instance.
int ssl_socket_data_index_;
- ScopedSSL_CTX ssl_ctx_;
+ bssl::UniquePtr<SSL_CTX> ssl_ctx_;
#if !defined(OS_NACL)
std::unique_ptr<SSLKeyLogger> ssl_key_logger_;
@@ -417,7 +414,7 @@
}
private:
- ScopedX509Stack openssl_chain_;
+ bssl::UniquePtr<STACK_OF(X509)> openssl_chain_;
};
SSLClientSocketImpl::PeerCertificateChain&
@@ -492,8 +489,6 @@
tb_was_negotiated_(false),
tb_negotiated_param_(TB_PARAM_ECDSAP256),
tb_signature_map_(10),
- ssl_(NULL),
- transport_bio_(NULL),
transport_(std::move(transport_socket)),
host_and_port_(host_and_port),
ssl_config_(ssl_config),
@@ -555,7 +550,7 @@
uint8_t tb_ekm_buf[32];
static const char kTokenBindingExporterLabel[] = "EXPORTER-Token-Binding";
- if (!SSL_export_keying_material(ssl_, tb_ekm_buf, sizeof(tb_ekm_buf),
+ if (!SSL_export_keying_material(ssl_.get(), tb_ekm_buf, sizeof(tb_ekm_buf),
kTokenBindingExporterLabel,
strlen(kTokenBindingExporterLabel), nullptr,
0, false /* no context */)) {
@@ -587,7 +582,7 @@
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
if (!SSL_export_keying_material(
- ssl_, out, outlen, label.data(), label.size(),
+ ssl_.get(), out, outlen, label.data(), label.size(),
reinterpret_cast<const unsigned char*>(context.data()),
context.length(), has_context ? 1 : 0)) {
LOG(ERROR) << "Failed to export keying material.";
@@ -616,7 +611,7 @@
}
// Set SSL to client mode. Handshake happens in the loop below.
- SSL_set_connect_state(ssl_);
+ SSL_set_connect_state(ssl_.get());
next_handshake_state_ = STATE_HANDSHAKE;
rv = DoHandshakeLoop(OK);
@@ -635,14 +630,10 @@
if (ssl_) {
// Calling SSL_shutdown prevents the session from being marked as
// unresumable.
- SSL_shutdown(ssl_);
- SSL_free(ssl_);
- ssl_ = NULL;
+ SSL_shutdown(ssl_.get());
+ ssl_.reset();
}
- if (transport_bio_) {
- BIO_free_all(transport_bio_);
- transport_bio_ = NULL;
- }
+ transport_bio_.reset();
disconnected_ = true;
@@ -718,7 +709,7 @@
// that has not yet been flushed to the network. |Write| returns early, so
// this can cause race conditions which cause a socket to not be treated
// reusable when it should be. See https://crbug.com/466147.
- if (BIO_wpending(transport_bio_) > 0)
+ if (BIO_wpending(transport_bio_.get()) > 0)
return false;
return transport_->socket()->IsConnectedAndIdle();
@@ -786,22 +777,22 @@
AddCTInfoToSSLInfo(ssl_info);
- const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
+ const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_.get());
CHECK(cipher);
ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
// Historically, the "group" was known as "curve".
- ssl_info->key_exchange_group = SSL_get_curve_id(ssl_);
+ ssl_info->key_exchange_group = SSL_get_curve_id(ssl_.get());
SSLConnectionStatusSetCipherSuite(
static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)),
&ssl_info->connection_status);
- SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_),
+ SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()),
&ssl_info->connection_status);
- if (!SSL_get_secure_renegotiation_support(ssl_))
+ if (!SSL_get_secure_renegotiation_support(ssl_.get()))
ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
- ssl_info->handshake_type = SSL_session_reused(ssl_)
+ ssl_info->handshake_type = SSL_session_reused(ssl_.get())
? SSLInfo::HANDSHAKE_RESUME
: SSLInfo::HANDSHAKE_FULL;
@@ -879,8 +870,8 @@
SSLContext* context = SSLContext::GetInstance();
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
- ssl_ = SSL_new(context->ssl_ctx());
- if (!ssl_ || !context->SetClientSocketForSSL(ssl_, this))
+ ssl_.reset(SSL_new(context->ssl_ctx()));
+ if (!ssl_ || !context->SetClientSocketForSSL(ssl_.get(), this))
return ERR_UNEXPECTED;
// SNI should only contain valid DNS hostnames, not IP addresses (see RFC
@@ -890,14 +881,14 @@
// See https://crbug.com/496472 and https://crbug.com/496468 for discussion.
IPAddress unused;
if (!unused.AssignFromIPLiteral(host_and_port_.host()) &&
- !SSL_set_tlsext_host_name(ssl_, host_and_port_.host().c_str())) {
+ !SSL_set_tlsext_host_name(ssl_.get(), host_and_port_.host().c_str())) {
return ERR_UNEXPECTED;
}
- ScopedSSL_SESSION session =
+ bssl::UniquePtr<SSL_SESSION> session =
context->session_cache()->Lookup(GetSessionCacheKey());
if (session)
- SSL_set_session(ssl_, session.get());
+ SSL_set_session(ssl_.get(), session.get());
// Get read and write buffer sizes from field trials, if possible. If values
// not present, use default. Also make sure values are in reasonable range.
@@ -932,12 +923,14 @@
BIO* ssl_bio = NULL;
// SSLClientSocketImpl retains ownership of the BIO buffers.
+ BIO* transport_bio_raw;
if (!BIO_new_bio_pair_external_buf(
&ssl_bio, send_buffer_->capacity(),
- reinterpret_cast<uint8_t*>(send_buffer_->data()), &transport_bio_,
+ reinterpret_cast<uint8_t*>(send_buffer_->data()), &transport_bio_raw,
recv_buffer_->capacity(),
reinterpret_cast<uint8_t*>(recv_buffer_->data())))
return ERR_UNEXPECTED;
+ transport_bio_.reset(transport_bio_raw);
DCHECK(ssl_bio);
DCHECK(transport_bio_);
@@ -945,12 +938,12 @@
BIO_set_callback(ssl_bio, &SSLClientSocketImpl::BIOCallback);
BIO_set_callback_arg(ssl_bio, reinterpret_cast<char*>(this));
- SSL_set_bio(ssl_, ssl_bio, ssl_bio);
+ SSL_set_bio(ssl_.get(), ssl_bio, ssl_bio);
DCHECK_LT(SSL3_VERSION, ssl_config_.version_min);
DCHECK_LT(SSL3_VERSION, ssl_config_.version_max);
- if (!SSL_set_min_proto_version(ssl_, ssl_config_.version_min) ||
- !SSL_set_max_proto_version(ssl_, ssl_config_.version_max)) {
+ if (!SSL_set_min_proto_version(ssl_.get(), ssl_config_.version_min) ||
+ !SSL_set_max_proto_version(ssl_.get(), ssl_config_.version_max)) {
return ERR_UNEXPECTED;
}
@@ -962,8 +955,8 @@
// TODO(joth): Set this conditionally, see http://crbug.com/55410
options.ConfigureFlag(SSL_OP_LEGACY_SERVER_CONNECT, true);
- SSL_set_options(ssl_, options.set_mask);
- SSL_clear_options(ssl_, options.clear_mask);
+ SSL_set_options(ssl_.get(), options.set_mask);
+ SSL_clear_options(ssl_.get(), options.clear_mask);
// Same as above, this time for the SSL mode.
SslSetClearMask mode;
@@ -974,8 +967,8 @@
mode.ConfigureFlag(SSL_MODE_ENABLE_FALSE_START,
ssl_config_.false_start_enabled);
- SSL_set_mode(ssl_, mode.set_mask);
- SSL_clear_mode(ssl_, mode.clear_mask);
+ SSL_set_mode(ssl_.get(), mode.set_mask);
+ SSL_clear_mode(ssl_.get(), mode.clear_mask);
// Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
// (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable
@@ -1021,7 +1014,7 @@
}
}
- int rv = SSL_set_cipher_list(ssl_, command.c_str());
+ int rv = SSL_set_cipher_list(ssl_.get(), command.c_str());
// If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
// This will almost certainly result in the socket failing to complete the
// handshake at which point the appropriate error is bubbled up to the client.
@@ -1031,23 +1024,24 @@
// TLS channel ids.
if (IsChannelIDEnabled()) {
- SSL_enable_tls_channel_id(ssl_);
+ SSL_enable_tls_channel_id(ssl_.get());
}
if (!ssl_config_.alpn_protos.empty()) {
std::vector<uint8_t> wire_protos =
SerializeNextProtos(ssl_config_.alpn_protos);
- SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0],
+ SSL_set_alpn_protos(ssl_.get(),
+ wire_protos.empty() ? NULL : &wire_protos[0],
wire_protos.size());
}
if (ssl_config_.signed_cert_timestamps_enabled) {
- SSL_enable_signed_cert_timestamps(ssl_);
- SSL_enable_ocsp_stapling(ssl_);
+ SSL_enable_signed_cert_timestamps(ssl_.get());
+ SSL_enable_ocsp_stapling(ssl_.get());
}
if (cert_verifier_->SupportsOCSPStapling())
- SSL_enable_ocsp_stapling(ssl_);
+ SSL_enable_ocsp_stapling(ssl_.get());
return OK;
}
@@ -1100,7 +1094,7 @@
// TODO(cbentzel): Leave only 1 call to SSL_do_handshake once crbug.com/424386
// is fixed.
if (ssl_config_.send_client_cert && ssl_config_.client_cert.get()) {
- rv = SSL_do_handshake(ssl_);
+ rv = SSL_do_handshake(ssl_.get());
} else {
if (g_first_run_completed.Get().Get()) {
// TODO(cbentzel): Remove ScopedTracker below once crbug.com/424386 is
@@ -1108,16 +1102,16 @@
tracked_objects::ScopedTracker tracking_profile(
FROM_HERE_WITH_EXPLICIT_FUNCTION("424386 SSL_do_handshake()"));
- rv = SSL_do_handshake(ssl_);
+ rv = SSL_do_handshake(ssl_.get());
} else {
g_first_run_completed.Get().Set(true);
- rv = SSL_do_handshake(ssl_);
+ rv = SSL_do_handshake(ssl_.get());
}
}
int net_error = OK;
if (rv <= 0) {
- int ssl_error = SSL_get_error(ssl_, rv);
+ int ssl_error = SSL_get_error(ssl_.get(), rv);
if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) {
// The server supports channel ID. Stop to look one up before returning to
// the handshake.
@@ -1164,21 +1158,21 @@
//
// TODO(davidben): A few releases after DHE's removal, remove this logic.
if (!ssl_config_.dhe_enabled &&
- SSL_CIPHER_is_DHE(SSL_get_current_cipher(ssl_))) {
+ SSL_CIPHER_is_DHE(SSL_get_current_cipher(ssl_.get()))) {
return ERR_SSL_OBSOLETE_CIPHER;
}
// Check that if token binding was negotiated, then extended master secret
// and renegotiation indication must also be negotiated.
if (tb_was_negotiated_ &&
- !(SSL_get_extms_support(ssl_) &&
- SSL_get_secure_renegotiation_support(ssl_))) {
+ !(SSL_get_extms_support(ssl_.get()) &&
+ SSL_get_secure_renegotiation_support(ssl_.get()))) {
return ERR_SSL_PROTOCOL_ERROR;
}
const uint8_t* alpn_proto = NULL;
unsigned alpn_len = 0;
- SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len);
+ SSL_get0_alpn_selected(ssl_.get(), &alpn_proto, &alpn_len);
if (alpn_len > 0) {
base::StringPiece proto(reinterpret_cast<const char*>(alpn_proto),
alpn_len);
@@ -1190,7 +1184,7 @@
const uint8_t* ocsp_response_raw;
size_t ocsp_response_len;
- SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
+ SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len);
std::string ocsp_response;
if (ocsp_response_len > 0) {
ocsp_response_.assign(reinterpret_cast<const char*>(ocsp_response_raw),
@@ -1201,13 +1195,13 @@
const uint8_t* sct_list;
size_t sct_list_len;
- SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len);
+ SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len);
set_signed_cert_timestamps_received(sct_list_len != 0);
if (IsRenegotiationAllowed())
- SSL_set_renegotiate_mode(ssl_, ssl_renegotiate_freely);
+ SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely);
- uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_);
+ uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_.get());
if (signature_algorithm != 0) {
UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLSignatureAlgorithm",
signature_algorithm);
@@ -1242,7 +1236,7 @@
// type.
DCHECK(channel_id_key_);
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
- if (!SSL_set1_tls_channel_id(ssl_, channel_id_key_->key())) {
+ if (!SSL_set1_tls_channel_id(ssl_.get(), channel_id_key_->key())) {
LOG(ERROR) << "Failed to set Channel ID.";
return ERR_FAILED;
}
@@ -1357,7 +1351,7 @@
}
void SSLClientSocketImpl::UpdateServerCert() {
- server_cert_chain_->Reset(SSL_get_peer_cert_chain(ssl_));
+ server_cert_chain_->Reset(SSL_get_peer_cert_chain(ssl_.get()));
server_cert_ = server_cert_chain_->AsOSChain();
if (server_cert_.get()) {
net_log_.AddEvent(NetLogEventType::SSL_CERTIFICATES_RECEIVED,
@@ -1503,7 +1497,7 @@
int total_bytes_read = 0;
int ssl_ret;
do {
- ssl_ret = SSL_read(ssl_, user_read_buf_->data() + total_bytes_read,
+ ssl_ret = SSL_read(ssl_.get(), user_read_buf_->data() + total_bytes_read,
user_read_buf_len_ - total_bytes_read);
if (ssl_ret > 0)
total_bytes_read += ssl_ret;
@@ -1521,7 +1515,7 @@
// TransportReadComplete converts the first to an ERR_CONNECTION_CLOSED
// error, so it does not occur. The second and third are distinguished by
// SSL_ERROR_ZERO_RETURN.
- pending_read_ssl_error_ = SSL_get_error(ssl_, ssl_ret);
+ pending_read_ssl_error_ = SSL_get_error(ssl_.get(), ssl_ret);
if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) {
pending_read_error_ = 0;
} else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP &&
@@ -1580,7 +1574,7 @@
int SSLClientSocketImpl::DoPayloadWrite() {
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
- int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
+ int rv = SSL_write(ssl_.get(), user_write_buf_->data(), user_write_buf_len_);
if (rv >= 0) {
net_log_.AddByteTransferEvent(NetLogEventType::SSL_SOCKET_BYTES_SENT, rv,
@@ -1588,7 +1582,7 @@
return rv;
}
- int ssl_error = SSL_get_error(ssl_, rv);
+ int ssl_error = SSL_get_error(ssl_.get(), rv);
if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION)
return ERR_IO_PENDING;
OpenSSLErrorInfo error_info;
@@ -1636,7 +1630,7 @@
size_t buffer_read_offset;
uint8_t* read_buf;
size_t max_read;
- int status = BIO_zero_copy_get_read_buf(transport_bio_, &read_buf,
+ int status = BIO_zero_copy_get_read_buf(transport_bio_.get(), &read_buf,
&buffer_read_offset, &max_read);
DCHECK_EQ(status, 1); // Should never fail.
if (!max_read)
@@ -1663,7 +1657,7 @@
// Determine how much was requested from |transport_bio_| that was not
// actually available.
- size_t requested = BIO_ctrl_get_read_request(transport_bio_);
+ size_t requested = BIO_ctrl_get_read_request(transport_bio_.get());
if (requested == 0) {
// This is not a perfect match of error codes, as no operation is
// actually pending. However, returning 0 would be interpreted as
@@ -1683,7 +1677,7 @@
size_t buffer_write_offset;
uint8_t* write_buf;
size_t max_write;
- int status = BIO_zero_copy_get_write_buf(transport_bio_, &write_buf,
+ int status = BIO_zero_copy_get_write_buf(transport_bio_.get(), &write_buf,
&buffer_write_offset, &max_write);
DCHECK_EQ(status, 1); // Should never fail.
if (!max_write)
@@ -1727,7 +1721,8 @@
bytes_written = result;
}
DCHECK_GE(send_buffer_->RemainingCapacity(), bytes_written);
- int ret = BIO_zero_copy_get_read_buf_done(transport_bio_, bytes_written);
+ int ret =
+ BIO_zero_copy_get_read_buf_done(transport_bio_.get(), bytes_written);
DCHECK_EQ(1, ret);
transport_send_busy_ = false;
}
@@ -1747,7 +1742,7 @@
bytes_read = result;
}
DCHECK_GE(recv_buffer_->RemainingCapacity(), bytes_read);
- int ret = BIO_zero_copy_get_write_buf_done(transport_bio_, bytes_read);
+ int ret = BIO_zero_copy_get_write_buf_done(transport_bio_.get(), bytes_read);
DCHECK_EQ(1, ret);
transport_recv_busy_ = false;
return result;
@@ -1756,7 +1751,7 @@
int SSLClientSocketImpl::VerifyCT() {
const uint8_t* sct_list_raw;
size_t sct_list_len;
- SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len);
+ SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list_raw, &sct_list_len);
std::string sct_list;
if (sct_list_len > 0)
sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len);
@@ -1813,13 +1808,13 @@
}
int SSLClientSocketImpl::ClientCertRequestCallback(SSL* ssl) {
- DCHECK(ssl == ssl_);
+ DCHECK(ssl == ssl_.get());
net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_REQUESTED);
certificate_requested_ = true;
// Clear any currently configured certificates.
- SSL_certs_clear(ssl_);
+ SSL_certs_clear(ssl_.get());
#if defined(OS_IOS)
// TODO(droger): Support client auth on iOS. See http://crbug.com/145954).
@@ -1852,7 +1847,7 @@
// Second pass: a client certificate should have been selected.
if (ssl_config_.client_cert.get()) {
- ScopedX509 leaf_x509 =
+ bssl::UniquePtr<X509> leaf_x509 =
OSCertHandleToOpenSSL(ssl_config_.client_cert->os_cert_handle());
if (!leaf_x509) {
LOG(WARNING) << "Failed to import certificate";
@@ -1860,7 +1855,7 @@
return -1;
}
- ScopedX509Stack chain = OSCertHandlesToOpenSSL(
+ bssl::UniquePtr<STACK_OF(X509)> chain = OSCertHandlesToOpenSSL(
ssl_config_.client_cert->GetIntermediateCertificates());
if (!chain) {
LOG(WARNING) << "Failed to import intermediate certificates";
@@ -1868,8 +1863,8 @@
return -1;
}
- if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
- !SSL_set1_chain(ssl_, chain.get())) {
+ if (!SSL_use_certificate(ssl_.get(), leaf_x509.get()) ||
+ !SSL_set1_chain(ssl_.get(), chain.get())) {
LOG(WARNING) << "Failed to set client certificate";
return -1;
}
@@ -1882,7 +1877,7 @@
return -1;
}
- SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod);
+ SSL_set_private_key_method(ssl_.get(), &SSLContext::kPrivateKeyMethod);
std::vector<SSLPrivateKey::Hash> digest_prefs =
ssl_config_.client_private_key->GetDigestPreferences();
@@ -1909,7 +1904,8 @@
}
}
- SSL_set_private_key_digest_prefs(ssl_, digests.data(), digests.size());
+ SSL_set_private_key_digest_prefs(ssl_.get(), digests.data(),
+ digests.size());
int cert_count = 1 + sk_X509_num(chain.get());
net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED,
@@ -2148,7 +2144,7 @@
if (ssl_config_.token_binding_params.empty()) {
return 0;
}
- crypto::AutoCBB output;
+ bssl::ScopedCBB output;
CBB parameters_list;
if (!CBB_init(output.get(), 7) ||
!CBB_add_u8(output.get(), kTbProtocolVersionMajor) ||
diff --git a/net/socket/ssl_client_socket_impl.h b/net/socket/ssl_client_socket_impl.h
index 5c9b2945..ff235ed 100644
--- a/net/socket/ssl_client_socket_impl.h
+++ b/net/socket/ssl_client_socket_impl.h
@@ -29,7 +29,6 @@
#include "net/socket/ssl_client_socket.h"
#include "net/ssl/channel_id_service.h"
#include "net/ssl/openssl_ssl_util.h"
-#include "net/ssl/scoped_openssl_types.h"
#include "net/ssl/ssl_client_cert_type.h"
#include "net/ssl/ssl_config_service.h"
@@ -336,8 +335,8 @@
TokenBindingSignatureMap tb_signature_map_;
// OpenSSL stuff
- SSL* ssl_;
- BIO* transport_bio_;
+ bssl::UniquePtr<SSL> ssl_;
+ bssl::UniquePtr<BIO> transport_bio_;
std::unique_ptr<ClientSocketHandle> transport_;
const HostPortPair host_and_port_;
@@ -368,7 +367,7 @@
bool channel_id_sent_;
// If non-null, the newly-established to be inserted into the session cache
// once certificate verification is done.
- ScopedSSL_SESSION pending_session_;
+ bssl::UniquePtr<SSL_SESSION> pending_session_;
// True if the initial handshake's certificate has been verified.
bool certificate_verified_;
// Set to true if a CertificateRequest was received.
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 44a9e29..a0ac613 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -22,7 +22,6 @@
#include "base/single_thread_task_runner.h"
#include "base/threading/thread_task_runner_handle.h"
#include "base/time/time.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/address_list.h"
#include "net/base/io_buffer.h"
#include "net/base/net_errors.h"
@@ -3141,13 +3140,13 @@
LOG(ERROR) << "Could not read private key file: " << filepath.value();
return nullptr;
}
- crypto::ScopedBIO bio(BIO_new_mem_buf(const_cast<char*>(data.data()),
- static_cast<int>(data.size())));
+ bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(const_cast<char*>(data.data()),
+ static_cast<int>(data.size())));
if (!bio) {
LOG(ERROR) << "Could not allocate BIO for buffer?";
return nullptr;
}
- crypto::ScopedEVP_PKEY result(
+ bssl::UniquePtr<EVP_PKEY> result(
PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
if (!result) {
LOG(ERROR) << "Could not decode private key file: " << filepath.value();
diff --git a/net/socket/ssl_server_socket_impl.cc b/net/socket/ssl_server_socket_impl.cc
index 56ba598b..eddea2c 100644
--- a/net/socket/ssl_server_socket_impl.cc
+++ b/net/socket/ssl_server_socket_impl.cc
@@ -6,6 +6,7 @@
#include <openssl/err.h>
#include <openssl/ssl.h>
+#include <openssl/x509.h>
#include <utility>
#include "base/callback_helpers.h"
@@ -13,7 +14,6 @@
#include "base/strings/string_util.h"
#include "crypto/openssl_util.h"
#include "crypto/rsa_private_key.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/client_cert_verifier.h"
@@ -57,7 +57,8 @@
public:
// See comments on CreateSSLServerSocket for details of how these
// parameters are used.
- SSLServerSocketImpl(std::unique_ptr<StreamSocket> socket, SSL* ssl);
+ SSLServerSocketImpl(std::unique_ptr<StreamSocket> socket,
+ bssl::UniquePtr<SSL> ssl);
~SSLServerSocketImpl() override;
// SSLServerSocket interface.
@@ -158,8 +159,8 @@
int transport_write_error_;
// OpenSSL stuff
- SSL* ssl_;
- BIO* transport_bio_;
+ bssl::UniquePtr<SSL> ssl_;
+ bssl::UniquePtr<BIO> transport_bio_;
// StreamSocket for sending and receiving data.
std::unique_ptr<StreamSocket> transport_socket_;
@@ -175,15 +176,14 @@
SSLServerSocketImpl::SSLServerSocketImpl(
std::unique_ptr<StreamSocket> transport_socket,
- SSL* ssl)
+ bssl::UniquePtr<SSL> ssl)
: transport_send_busy_(false),
transport_recv_busy_(false),
transport_recv_eof_(false),
user_read_buf_len_(0),
user_write_buf_len_(0),
transport_write_error_(OK),
- ssl_(ssl),
- transport_bio_(NULL),
+ ssl_(std::move(ssl)),
transport_socket_(std::move(transport_socket)),
next_handshake_state_(STATE_NONE),
completed_handshake_(false) {}
@@ -192,13 +192,8 @@
if (ssl_) {
// Calling SSL_shutdown prevents the session from being marked as
// unresumable.
- SSL_shutdown(ssl_);
- SSL_free(ssl_);
- ssl_ = NULL;
- }
- if (transport_bio_) {
- BIO_free_all(transport_bio_);
- transport_bio_ = NULL;
+ SSL_shutdown(ssl_.get());
+ ssl_.reset();
}
}
@@ -215,7 +210,7 @@
}
// Set SSL to server mode. Handshake happens in the loop below.
- SSL_set_accept_state(ssl_);
+ SSL_set_accept_state(ssl_.get());
GotoState(STATE_HANDSHAKE);
rv = DoHandshakeLoop(OK);
@@ -240,12 +235,12 @@
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
int rv = SSL_export_keying_material(
- ssl_, out, outlen, label.data(), label.size(),
+ ssl_.get(), out, outlen, label.data(), label.size(),
reinterpret_cast<const unsigned char*>(context.data()), context.length(),
context.length() > 0);
if (rv != 1) {
- int ssl_error = SSL_get_error(ssl_, rv);
+ int ssl_error = SSL_get_error(ssl_.get(), rv);
LOG(ERROR) << "Failed to export keying material;"
<< " returned " << rv << ", SSL error code " << ssl_error;
return MapOpenSSLError(ssl_error, err_tracer);
@@ -371,20 +366,20 @@
ssl_info->cert = client_cert_;
- const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
+ const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_.get());
CHECK(cipher);
ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
SSLConnectionStatusSetCipherSuite(
static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)),
&ssl_info->connection_status);
- SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_),
+ SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()),
&ssl_info->connection_status);
- if (!SSL_get_secure_renegotiation_support(ssl_))
+ if (!SSL_get_secure_renegotiation_support(ssl_.get()))
ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
- ssl_info->handshake_type = SSL_session_reused(ssl_)
+ ssl_info->handshake_type = SSL_session_reused(ssl_.get())
? SSLInfo::HANDSHAKE_RESUME
: SSLInfo::HANDSHAKE_FULL;
@@ -457,11 +452,12 @@
if (!send_buffer_) {
// Get a fresh send buffer out of the send BIO.
- size_t max_read = BIO_pending(transport_bio_);
+ size_t max_read = BIO_pending(transport_bio_.get());
if (!max_read)
return 0; // Nothing pending in the OpenSSL write BIO.
send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read);
- int read_bytes = BIO_read(transport_bio_, send_buffer_->data(), max_read);
+ int read_bytes =
+ BIO_read(transport_bio_.get(), send_buffer_->data(), max_read);
DCHECK_GT(read_bytes, 0);
CHECK_EQ(static_cast<int>(max_read), read_bytes);
}
@@ -493,14 +489,14 @@
// the BIO so it gets (re-)detected in OnSendComplete. Perhaps with
// BIO_set_callback.
DVLOG(1) << "TransportWriteComplete error " << result;
- (void)BIO_shutdown_wr(SSL_get_wbio(ssl_));
+ (void)BIO_shutdown_wr(SSL_get_wbio(ssl_.get()));
// Match the fix for http://crbug.com/249848 in NSS by erroring future reads
// from the socket after a write error.
//
// TODO(davidben): Avoid having read and write ends interact this way.
transport_write_error_ = result;
- (void)BIO_shutdown_wr(transport_bio_);
+ (void)BIO_shutdown_wr(transport_bio_.get());
send_buffer_ = NULL;
} else {
DCHECK(send_buffer_);
@@ -517,7 +513,7 @@
// Determine how much was requested from |transport_bio_| that was not
// actually available.
- size_t requested = BIO_ctrl_get_read_request(transport_bio_);
+ size_t requested = BIO_ctrl_get_read_request(transport_bio_.get());
if (requested == 0) {
// This is not a perfect match of error codes, as no operation is
// actually pending. However, returning 0 would be interpreted as
@@ -533,7 +529,7 @@
// fill |transport_bio_| is issued. As long as an SSL client socket cannot
// be gracefully shutdown (via SSL close alerts) and re-used for non-SSL
// traffic, this over-subscribed Read()ing will not cause issues.
- size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_);
+ size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_.get());
if (!max_write)
return ERR_IO_PENDING;
@@ -564,7 +560,7 @@
// relay up to the SSL socket client (i.e. via DoReadCallback).
if (result == 0)
transport_recv_eof_ = true;
- (void)BIO_shutdown_wr(transport_bio_);
+ (void)BIO_shutdown_wr(transport_bio_.get());
} else if (transport_write_error_ < 0) {
// Mirror transport write errors as read failures; transport_bio_ has been
// shut down by TransportWriteComplete, so the BIO_write will fail, failing
@@ -572,7 +568,7 @@
result = transport_write_error_;
} else {
DCHECK(recv_buffer_);
- int ret = BIO_write(transport_bio_, recv_buffer_->data(), result);
+ int ret = BIO_write(transport_bio_.get(), recv_buffer_->data(), result);
// A write into a memory BIO should always succeed.
DCHECK_EQ(result, ret);
}
@@ -603,10 +599,10 @@
DCHECK(user_read_buf_);
DCHECK_GT(user_read_buf_len_, 0);
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
- int rv = SSL_read(ssl_, user_read_buf_->data(), user_read_buf_len_);
+ int rv = SSL_read(ssl_.get(), user_read_buf_->data(), user_read_buf_len_);
if (rv >= 0)
return rv;
- int ssl_error = SSL_get_error(ssl_, rv);
+ int ssl_error = SSL_get_error(ssl_.get(), rv);
OpenSSLErrorInfo error_info;
int net_error =
MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
@@ -621,10 +617,10 @@
int SSLServerSocketImpl::DoPayloadWrite() {
DCHECK(user_write_buf_);
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
- int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
+ int rv = SSL_write(ssl_.get(), user_write_buf_->data(), user_write_buf_len_);
if (rv >= 0)
return rv;
- int ssl_error = SSL_get_error(ssl_, rv);
+ int ssl_error = SSL_get_error(ssl_.get(), rv);
OpenSSLErrorInfo error_info;
int net_error =
MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
@@ -704,22 +700,22 @@
int SSLServerSocketImpl::DoHandshake() {
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
int net_error = OK;
- int rv = SSL_do_handshake(ssl_);
+ int rv = SSL_do_handshake(ssl_.get());
if (rv == 1) {
completed_handshake_ = true;
// The results of SSL_get_peer_certificate() must be explicitly freed.
- ScopedX509 cert(SSL_get_peer_certificate(ssl_));
+ bssl::UniquePtr<X509> cert(SSL_get_peer_certificate(ssl_.get()));
if (cert) {
// The caller does not take ownership of SSL_get_peer_cert_chain's
// results.
- STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl_);
+ STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl_.get());
client_cert_ = CreateX509Certificate(cert.get(), chain);
if (!client_cert_.get())
return ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT;
}
} else {
- int ssl_error = SSL_get_error(ssl_, rv);
+ int ssl_error = SSL_get_error(ssl_.get(), rv);
OpenSSLErrorInfo error_info;
net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
@@ -775,14 +771,16 @@
if (!ssl_)
return ERR_UNEXPECTED;
- BIO* ssl_bio = NULL;
+ BIO* ssl_bio = nullptr;
+ BIO* transport_bio_raw = nullptr;
// 0 => use default buffer sizes.
- if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0))
+ if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_raw, 0))
return ERR_UNEXPECTED;
+ transport_bio_.reset(transport_bio_raw);
DCHECK(ssl_bio);
DCHECK(transport_bio_);
- SSL_set_bio(ssl_, ssl_bio, ssl_bio);
+ SSL_set_bio(ssl_.get(), ssl_bio, ssl_bio);
return OK;
}
@@ -870,7 +868,8 @@
const unsigned char* der_string_array =
reinterpret_cast<const unsigned char*>(der_string.data());
- ScopedX509 x509(d2i_X509(NULL, &der_string_array, der_string.length()));
+ bssl::UniquePtr<X509> x509(
+ d2i_X509(NULL, &der_string_array, der_string.length()));
CHECK(x509);
// On success, SSL_CTX_use_certificate acquires a reference to |x509|.
@@ -929,11 +928,12 @@
if (ssl_server_config_.client_cert_type !=
SSLServerConfig::ClientCertType::NO_CLIENT_CERT &&
!ssl_server_config_.cert_authorities_.empty()) {
- ScopedX509NameStack stack(sk_X509_NAME_new_null());
+ bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
for (const auto& authority : ssl_server_config_.cert_authorities_) {
const uint8_t* name = reinterpret_cast<const uint8_t*>(authority.c_str());
const uint8_t* name_start = name;
- ScopedX509_NAME subj(d2i_X509_NAME(nullptr, &name, authority.length()));
+ bssl::UniquePtr<X509_NAME> subj(
+ d2i_X509_NAME(nullptr, &name, authority.length()));
CHECK(subj && name == name_start + authority.length());
sk_X509_NAME_push(stack.get(), subj.release());
}
@@ -945,9 +945,9 @@
std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket(
std::unique_ptr<StreamSocket> socket) {
- SSL* ssl = SSL_new(ssl_ctx_.get());
+ bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx_.get()));
return std::unique_ptr<SSLServerSocket>(
- new SSLServerSocketImpl(std::move(socket), ssl));
+ new SSLServerSocketImpl(std::move(socket), std::move(ssl)));
}
void EnableSSLServerSockets() {
diff --git a/net/socket/ssl_server_socket_impl.h b/net/socket/ssl_server_socket_impl.h
index 94fd6b59..5437e4e 100644
--- a/net/socket/ssl_server_socket_impl.h
+++ b/net/socket/ssl_server_socket_impl.h
@@ -5,6 +5,7 @@
#ifndef NET_SOCKET_SSL_SERVER_SOCKET_IMPL_H_
#define NET_SOCKET_SSL_SERVER_SOCKET_IMPL_H_
+#include <openssl/base.h>
#include <stdint.h>
#include <memory>
@@ -13,16 +14,8 @@
#include "net/base/completion_callback.h"
#include "net/base/io_buffer.h"
#include "net/socket/ssl_server_socket.h"
-#include "net/ssl/scoped_openssl_types.h"
#include "net/ssl/ssl_server_config.h"
-// Avoid including misc OpenSSL headers, i.e.:
-// <openssl/bio.h>
-typedef struct bio_st BIO;
-// <openssl/ssl.h>
-typedef struct ssl_st SSL;
-typedef struct x509_store_ctx_st X509_STORE_CTX;
-
namespace net {
class SSLInfo;
@@ -38,7 +31,7 @@
std::unique_ptr<StreamSocket> socket) override;
private:
- ScopedSSL_CTX ssl_ctx_;
+ bssl::UniquePtr<SSL_CTX> ssl_ctx_;
// Options for the SSL socket.
SSLServerConfig ssl_server_config_;
diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc
index 71bfda9..82c8f35 100644
--- a/net/socket/ssl_server_socket_unittest.cc
+++ b/net/socket/ssl_server_socket_unittest.cc
@@ -38,7 +38,6 @@
#include "build/build_config.h"
#include "crypto/nss_util.h"
#include "crypto/rsa_private_key.h"
-#include "crypto/scoped_openssl_types.h"
#include "crypto/signature_creator.h"
#include "net/base/address_list.h"
#include "net/base/completion_callback.h"
@@ -61,7 +60,6 @@
#include "net/socket/socket_test_util.h"
#include "net/socket/ssl_client_socket.h"
#include "net/socket/stream_socket.h"
-#include "net/ssl/scoped_openssl_types.h"
#include "net/ssl/ssl_cert_request_info.h"
#include "net/ssl/ssl_cipher_suite_names.h"
#include "net/ssl/ssl_connection_status_flags.h"
@@ -453,14 +451,14 @@
EVP_PKEY_up_ref(key->key());
client_ssl_config_.client_private_key =
- WrapOpenSSLPrivateKey(crypto::ScopedEVP_PKEY(key->key()));
+ WrapOpenSSLPrivateKey(bssl::UniquePtr<EVP_PKEY>(key->key()));
}
void ConfigureClientCertsForServer() {
server_ssl_config_.client_cert_type =
SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT;
- ScopedX509NameStack cert_names(
+ bssl::UniquePtr<STACK_OF(X509_NAME)> cert_names(
SSL_load_client_CA_file(GetTestCertsDirectory()
.AppendASCII(kClientCertCAFileName)
.MaybeAsASCII()
diff --git a/net/ssl/openssl_client_key_store.cc b/net/ssl/openssl_client_key_store.cc
index c92f941d..e205d4f 100644
--- a/net/ssl/openssl_client_key_store.cc
+++ b/net/ssl/openssl_client_key_store.cc
@@ -11,8 +11,6 @@
#include <utility>
#include "base/memory/singleton.h"
-#include "crypto/auto_cbb.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/ssl_private_key.h"
@@ -22,13 +20,13 @@
// Serializes the SubjectPublicKeyInfo for |cert|.
bool GetCertificateSPKI(const X509Certificate* cert, std::string* spki) {
- crypto::ScopedEVP_PKEY pkey(X509_get_pubkey(cert->os_cert_handle()));
+ bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert->os_cert_handle()));
if (!pkey) {
LOG(ERROR) << "Can't extract private key from certificate!";
return false;
}
- crypto::AutoCBB cbb;
+ bssl::ScopedCBB cbb;
uint8_t* der;
size_t der_len;
if (!CBB_init(cbb.get(), 0) ||
diff --git a/net/ssl/openssl_client_key_store_unittest.cc b/net/ssl/openssl_client_key_store_unittest.cc
index 835fce3..52cea2f 100644
--- a/net/ssl/openssl_client_key_store_unittest.cc
+++ b/net/ssl/openssl_client_key_store_unittest.cc
@@ -6,7 +6,6 @@
#include "base/logging.h"
#include "base/memory/ref_counted.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/ssl/ssl_private_key.h"
#include "net/test/cert_test_util.h"
#include "net/test/test_data_directory.h"
diff --git a/net/ssl/openssl_ssl_util.cc b/net/ssl/openssl_ssl_util.cc
index da97124..52316bc8 100644
--- a/net/ssl/openssl_ssl_util.cc
+++ b/net/ssl/openssl_ssl_util.cc
@@ -7,6 +7,7 @@
#include <errno.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
+#include <openssl/x509.h>
#include <utility>
#include "base/bind.h"
@@ -220,23 +221,24 @@
}
}
-ScopedX509 OSCertHandleToOpenSSL(X509Certificate::OSCertHandle os_handle) {
+bssl::UniquePtr<X509> OSCertHandleToOpenSSL(
+ X509Certificate::OSCertHandle os_handle) {
#if defined(USE_OPENSSL_CERTS)
- return ScopedX509(X509Certificate::DupOSCertHandle(os_handle));
-#else // !defined(USE_OPENSSL_CERTS)
+ return bssl::UniquePtr<X509>(X509Certificate::DupOSCertHandle(os_handle));
+#else // !defined(USE_OPENSSL_CERTS)
std::string der_encoded;
if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded))
- return ScopedX509();
+ return bssl::UniquePtr<X509>();
const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
- return ScopedX509(d2i_X509(NULL, &bytes, der_encoded.size()));
+ return bssl::UniquePtr<X509>(d2i_X509(NULL, &bytes, der_encoded.size()));
#endif // defined(USE_OPENSSL_CERTS)
}
-ScopedX509Stack OSCertHandlesToOpenSSL(
+bssl::UniquePtr<STACK_OF(X509)> OSCertHandlesToOpenSSL(
const X509Certificate::OSCertHandles& os_handles) {
- ScopedX509Stack stack(sk_X509_new_null());
+ bssl::UniquePtr<STACK_OF(X509)> stack(sk_X509_new_null());
for (size_t i = 0; i < os_handles.size(); i++) {
- ScopedX509 x509 = OSCertHandleToOpenSSL(os_handles[i]);
+ bssl::UniquePtr<X509> x509 = OSCertHandleToOpenSSL(os_handles[i]);
if (!x509)
return nullptr;
sk_X509_push(stack.get(), x509.release());
diff --git a/net/ssl/openssl_ssl_util.h b/net/ssl/openssl_ssl_util.h
index 9082fdf..06fd4090 100644
--- a/net/ssl/openssl_ssl_util.h
+++ b/net/ssl/openssl_ssl_util.h
@@ -7,11 +7,10 @@
#include <stdint.h>
-#include <openssl/ssl.h>
+#include <openssl/x509.h>
#include "net/cert/x509_certificate.h"
#include "net/log/net_log_parameters_callback.h"
-#include "net/ssl/scoped_openssl_types.h"
namespace crypto {
class OpenSSLErrStackTracer;
@@ -77,9 +76,10 @@
// this SSL connection.
int GetNetSSLVersion(SSL* ssl);
-ScopedX509 OSCertHandleToOpenSSL(X509Certificate::OSCertHandle os_handle);
+bssl::UniquePtr<X509> OSCertHandleToOpenSSL(
+ X509Certificate::OSCertHandle os_handle);
-ScopedX509Stack OSCertHandlesToOpenSSL(
+bssl::UniquePtr<STACK_OF(X509)> OSCertHandlesToOpenSSL(
const X509Certificate::OSCertHandles& os_handles);
} // namespace net
diff --git a/net/ssl/scoped_openssl_types.h b/net/ssl/scoped_openssl_types.h
deleted file mode 100644
index 8bee498..0000000
--- a/net/ssl/scoped_openssl_types.h
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_SSL_SCOPED_OPENSSL_TYPES_H_
-#define NET_SSL_SCOPED_OPENSSL_TYPES_H_
-
-#include <openssl/ssl.h>
-#include <openssl/stack.h>
-#include <openssl/x509.h>
-
-#include "crypto/scoped_openssl_types.h"
-
-namespace net {
-
-inline void FreeX509Stack(STACK_OF(X509)* ptr) {
- sk_X509_pop_free(ptr, X509_free);
-}
-
-inline void FreeX509NameStack(STACK_OF(X509_NAME)* ptr) {
- sk_X509_NAME_pop_free(ptr, X509_NAME_free);
-}
-
-using ScopedSSL = crypto::ScopedOpenSSL<SSL, SSL_free>;
-using ScopedSSL_CTX = crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>;
-using ScopedSSL_SESSION = crypto::ScopedOpenSSL<SSL_SESSION, SSL_SESSION_free>;
-using ScopedX509 = crypto::ScopedOpenSSL<X509, X509_free>;
-using ScopedX509_NAME = crypto::ScopedOpenSSL<X509_NAME, X509_NAME_free>;
-using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>;
-using ScopedX509NameStack =
- crypto::ScopedOpenSSL<STACK_OF(X509_NAME), FreeX509NameStack>;
-
-} // namespace net
-
-#endif // NET_SSL_SCOPED_OPENSSL_TYPES_H_
diff --git a/net/ssl/ssl_client_session_cache.cc b/net/ssl/ssl_client_session_cache.cc
index f1aa1d0e6..ccc13ff 100644
--- a/net/ssl/ssl_client_session_cache.cc
+++ b/net/ssl/ssl_client_session_cache.cc
@@ -4,6 +4,8 @@
#include "net/ssl/ssl_client_session_cache.h"
+#include <openssl/ssl.h>
+
#include <utility>
#include "base/memory/memory_coordinator_client_registry.h"
@@ -31,7 +33,8 @@
return cache_.size();
}
-ScopedSSL_SESSION SSLClientSessionCache::Lookup(const std::string& cache_key) {
+bssl::UniquePtr<SSL_SESSION> SSLClientSessionCache::Lookup(
+ const std::string& cache_key) {
base::AutoLock lock(lock_);
// Expire stale sessions.
@@ -51,7 +54,7 @@
SSL_SESSION* session = iter->second->session.get();
SSL_SESSION_up_ref(session);
- return ScopedSSL_SESSION(session);
+ return bssl::UniquePtr<SSL_SESSION>(session);
}
void SSLClientSessionCache::Insert(const std::string& cache_key,
diff --git a/net/ssl/ssl_client_session_cache.h b/net/ssl/ssl_client_session_cache.h
index 279561b..2f93aa3 100644
--- a/net/ssl/ssl_client_session_cache.h
+++ b/net/ssl/ssl_client_session_cache.h
@@ -5,7 +5,7 @@
#ifndef NET_SSL_SSL_CLIENT_SESSION_CACHE_H
#define NET_SSL_SSL_CLIENT_SESSION_CACHE_H
-#include <openssl/ssl.h>
+#include <openssl/base.h>
#include <stddef.h>
#include <memory>
@@ -20,7 +20,6 @@
#include "base/threading/thread_checker.h"
#include "base/time/time.h"
#include "net/base/net_export.h"
-#include "net/ssl/scoped_openssl_types.h"
namespace base {
class Clock;
@@ -46,7 +45,7 @@
// Returns the session associated with |cache_key| and moves it to the front
// of the MRU list. Returns nullptr if there is none.
- ScopedSSL_SESSION Lookup(const std::string& cache_key);
+ bssl::UniquePtr<SSL_SESSION> Lookup(const std::string& cache_key);
// Inserts |session| into the cache at |cache_key|. If there is an existing
// one, it is released. Every |expiration_check_count| calls, the cache is
@@ -63,7 +62,7 @@
CacheEntry();
~CacheEntry();
- ScopedSSL_SESSION session;
+ bssl::UniquePtr<SSL_SESSION> session;
// The time at which this entry was created.
base::Time creation_time;
};
diff --git a/net/ssl/ssl_client_session_cache_unittest.cc b/net/ssl/ssl_client_session_cache_unittest.cc
index c3169a1..b019034 100644
--- a/net/ssl/ssl_client_session_cache_unittest.cc
+++ b/net/ssl/ssl_client_session_cache_unittest.cc
@@ -10,7 +10,6 @@
#include "base/run_loop.h"
#include "base/strings/string_number_conversions.h"
#include "base/test/simple_test_clock.h"
-#include "net/ssl/scoped_openssl_types.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace net {
@@ -20,9 +19,9 @@
SSLClientSessionCache::Config config;
SSLClientSessionCache cache(config);
- ScopedSSL_SESSION session1(SSL_SESSION_new());
- ScopedSSL_SESSION session2(SSL_SESSION_new());
- ScopedSSL_SESSION session3(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session1(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session2(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session3(SSL_SESSION_new());
EXPECT_EQ(1u, session1->references);
EXPECT_EQ(1u, session2->references);
EXPECT_EQ(1u, session3->references);
@@ -70,7 +69,7 @@
SSLClientSessionCache::Config config;
SSLClientSessionCache cache(config);
- ScopedSSL_SESSION session(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session(SSL_SESSION_new());
EXPECT_EQ(1u, session->references);
EXPECT_EQ(nullptr, cache.Lookup("key1").get());
@@ -105,10 +104,10 @@
config.max_entries = 3;
SSLClientSessionCache cache(config);
- ScopedSSL_SESSION session1(SSL_SESSION_new());
- ScopedSSL_SESSION session2(SSL_SESSION_new());
- ScopedSSL_SESSION session3(SSL_SESSION_new());
- ScopedSSL_SESSION session4(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session1(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session2(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session3(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session4(SSL_SESSION_new());
// Insert three entries.
cache.Insert("key1", session1.get());
@@ -152,14 +151,14 @@
// Add |kNumEntries - 1| entries.
for (size_t i = 0; i < kNumEntries - 1; i++) {
- ScopedSSL_SESSION session(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session(SSL_SESSION_new());
cache.Insert(base::SizeTToString(i), session.get());
}
EXPECT_EQ(kNumEntries - 1, cache.size());
// Expire all the previous entries and insert one more entry.
clock->Advance(kTimeout * 2);
- ScopedSSL_SESSION session(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session(SSL_SESSION_new());
cache.Insert("key", session.get());
// All entries are still in the cache.
@@ -199,7 +198,7 @@
cache.SetClockForTesting(base::WrapUnique(clock));
// Insert an entry into the session cache.
- ScopedSSL_SESSION session(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session(SSL_SESSION_new());
cache.Insert("key", session.get());
EXPECT_EQ(session.get(), cache.Lookup("key").get());
EXPECT_EQ(1u, cache.size());
@@ -240,7 +239,7 @@
cache.SetClockForTesting(base::WrapUnique(clock));
// Insert an entry into the session cache.
- ScopedSSL_SESSION session1(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session1(SSL_SESSION_new());
cache.Insert("key1", session1.get());
EXPECT_EQ(session1.get(), cache.Lookup("key1").get());
EXPECT_EQ(1u, cache.size());
@@ -248,7 +247,7 @@
// Expire the session.
clock->Advance(kTimeout * 2);
// Add one more session.
- ScopedSSL_SESSION session2(SSL_SESSION_new());
+ bssl::UniquePtr<SSL_SESSION> session2(SSL_SESSION_new());
cache.Insert("key2", session2.get());
EXPECT_EQ(2u, cache.size());
diff --git a/net/ssl/ssl_platform_key_android.cc b/net/ssl/ssl_platform_key_android.cc
index b4cc1a7..ef9df17 100644
--- a/net/ssl/ssl_platform_key_android.cc
+++ b/net/ssl/ssl_platform_key_android.cc
@@ -5,6 +5,8 @@
#include "net/ssl/ssl_platform_key_android.h"
#include <openssl/ecdsa.h>
+#include <openssl/mem.h>
+#include <openssl/nid.h>
#include <openssl/rsa.h>
#include <strings.h>
@@ -18,7 +20,6 @@
#include "base/logging.h"
#include "base/macros.h"
#include "base/memory/ptr_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/android/keystore.h"
#include "net/android/legacy_openssl.h"
#include "net/base/net_errors.h"
@@ -101,7 +102,7 @@
base::StringPiece input = input_in;
// Prepend the DigestInfo for RSA.
- crypto::ScopedOpenSSLBytes digest_info_storage;
+ bssl::UniquePtr<uint8_t> digest_info_storage;
if (type_ == SSLPrivateKey::Type::RSA) {
int hash_nid = NID_undef;
switch (hash) {
diff --git a/net/ssl/ssl_platform_key_chromecast.cc b/net/ssl/ssl_platform_key_chromecast.cc
index e07ace5f..a800d057 100644
--- a/net/ssl/ssl_platform_key_chromecast.cc
+++ b/net/ssl/ssl_platform_key_chromecast.cc
@@ -3,6 +3,8 @@
// found in the LICENSE file.
#include <keyhi.h>
+#include <openssl/mem.h>
+#include <openssl/nid.h>
#include <openssl/rsa.h>
#include <pk11pub.h>
#include <prerror.h>
@@ -12,7 +14,6 @@
#include "base/memory/ptr_util.h"
#include "base/sequenced_task_runner.h"
#include "crypto/scoped_nss_types.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/client_key_store.h"
#include "net/ssl/ssl_platform_key.h"
@@ -63,7 +64,7 @@
const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(input.data()));
digest_item.len = input.size();
- crypto::ScopedOpenSSLBytes free_digest_info;
+ bssl::UniquePtr<uint8_t> free_digest_info;
// PK11_Sign expects the caller to prepend the DigestInfo.
int hash_nid = NID_undef;
switch (hash) {
diff --git a/net/ssl/ssl_platform_key_mac.cc b/net/ssl/ssl_platform_key_mac.cc
index ce653d5c..e7313c07 100644
--- a/net/ssl/ssl_platform_key_mac.cc
+++ b/net/ssl/ssl_platform_key_mac.cc
@@ -10,7 +10,8 @@
#include <Security/SecKey.h>
#include <Security/cssm.h>
#include <openssl/ecdsa.h>
-#include <openssl/obj.h>
+#include <openssl/mem.h>
+#include <openssl/nid.h>
#include <openssl/rsa.h>
#include <memory>
@@ -26,7 +27,6 @@
#include "base/synchronization/lock.h"
#include "crypto/mac_security_services_lock.h"
#include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/net_errors.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/ssl_platform_key_task_runner.h"
@@ -161,7 +161,7 @@
hash_data.Data =
const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(input.data()));
- crypto::ScopedOpenSSLBytes free_digest_info;
+ bssl::UniquePtr<uint8_t> free_digest_info;
if (cssm_key_->KeyHeader.AlgorithmId == CSSM_ALGID_RSA) {
// CSSM expects the caller to prepend the DigestInfo.
int hash_nid = NID_undef;
diff --git a/net/ssl/ssl_platform_key_nss.cc b/net/ssl/ssl_platform_key_nss.cc
index 79db0d6e..e571294 100644
--- a/net/ssl/ssl_platform_key_nss.cc
+++ b/net/ssl/ssl_platform_key_nss.cc
@@ -5,6 +5,8 @@
#include <keyhi.h>
#include <openssl/bn.h>
#include <openssl/ecdsa.h>
+#include <openssl/mem.h>
+#include <openssl/nid.h>
#include <openssl/rsa.h>
#include <pk11pub.h>
#include <prerror.h>
@@ -16,7 +18,6 @@
#include "base/memory/ptr_util.h"
#include "base/sequenced_task_runner.h"
#include "crypto/scoped_nss_types.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/client_key_store.h"
#include "net/ssl/ssl_platform_key.h"
@@ -71,7 +72,7 @@
const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(input.data()));
digest_item.len = input.size();
- crypto::ScopedOpenSSLBytes free_digest_info;
+ bssl::UniquePtr<uint8_t> free_digest_info;
if (type_ == SSLPrivateKey::Type::RSA) {
// PK11_Sign expects the caller to prepend the DigestInfo.
int hash_nid = NID_undef;
@@ -131,7 +132,7 @@
size_t order_len = signature->size() / 2;
// Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
- crypto::ScopedECDSA_SIG sig(ECDSA_SIG_new());
+ bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) ||
!BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
diff --git a/net/ssl/ssl_platform_key_win.cc b/net/ssl/ssl_platform_key_win.cc
index 0a3f89a..e1dbd576 100644
--- a/net/ssl/ssl_platform_key_win.cc
+++ b/net/ssl/ssl_platform_key_win.cc
@@ -25,7 +25,6 @@
#include "crypto/wincrypt_shim.h"
#include "net/base/net_errors.h"
#include "net/cert/x509_certificate.h"
-#include "net/ssl/scoped_openssl_types.h"
#include "net/ssl/ssl_platform_key_task_runner.h"
#include "net/ssl/ssl_private_key.h"
#include "net/ssl/threaded_ssl_private_key.h"
@@ -220,7 +219,7 @@
size_t order_len = signature->size() / 2;
// Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
- crypto::ScopedECDSA_SIG sig(ECDSA_SIG_new());
+ bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) ||
!BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
@@ -260,10 +259,10 @@
&der_encoded))
return false;
const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
- ScopedX509 x509(d2i_X509(nullptr, &bytes, der_encoded.size()));
+ bssl::UniquePtr<X509> x509(d2i_X509(nullptr, &bytes, der_encoded.size()));
if (!x509)
return false;
- crypto::ScopedEVP_PKEY key(X509_get_pubkey(x509.get()));
+ bssl::UniquePtr<EVP_PKEY> key(X509_get_pubkey(x509.get()));
if (!key)
return false;
switch (EVP_PKEY_id(key.get())) {
diff --git a/net/ssl/test_ssl_private_key.cc b/net/ssl/test_ssl_private_key.cc
index f6fadbf..ddcce88 100644
--- a/net/ssl/test_ssl_private_key.cc
+++ b/net/ssl/test_ssl_private_key.cc
@@ -6,13 +6,13 @@
#include <openssl/digest.h>
#include <openssl/evp.h>
+#include <openssl/rsa.h>
#include <utility>
#include "base/logging.h"
#include "base/macros.h"
#include "base/memory/ptr_util.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/net_errors.h"
#include "net/ssl/ssl_platform_key_task_runner.h"
#include "net/ssl/ssl_private_key.h"
@@ -24,7 +24,7 @@
class TestSSLPlatformKey : public ThreadedSSLPrivateKey::Delegate {
public:
- TestSSLPlatformKey(crypto::ScopedEVP_PKEY key, SSLPrivateKey::Type type)
+ TestSSLPlatformKey(bssl::UniquePtr<EVP_PKEY> key, SSLPrivateKey::Type type)
: key_(std::move(key)), type_(type) {}
~TestSSLPlatformKey() override {}
@@ -46,8 +46,7 @@
Error SignDigest(SSLPrivateKey::Hash hash,
const base::StringPiece& input,
std::vector<uint8_t>* signature) override {
- crypto::ScopedEVP_PKEY_CTX ctx =
- crypto::ScopedEVP_PKEY_CTX(EVP_PKEY_CTX_new(key_.get(), NULL));
+ bssl::UniquePtr<EVP_PKEY_CTX> ctx(EVP_PKEY_CTX_new(key_.get(), nullptr));
if (!ctx)
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
if (!EVP_PKEY_sign_init(ctx.get()))
@@ -98,7 +97,7 @@
}
private:
- crypto::ScopedEVP_PKEY key_;
+ bssl::UniquePtr<EVP_PKEY> key_;
SSLPrivateKey::Type type_;
DISALLOW_COPY_AND_ASSIGN(TestSSLPlatformKey);
@@ -106,7 +105,8 @@
} // namespace
-scoped_refptr<SSLPrivateKey> WrapOpenSSLPrivateKey(crypto::ScopedEVP_PKEY key) {
+scoped_refptr<SSLPrivateKey> WrapOpenSSLPrivateKey(
+ bssl::UniquePtr<EVP_PKEY> key) {
if (!key)
return nullptr;
diff --git a/net/ssl/test_ssl_private_key.h b/net/ssl/test_ssl_private_key.h
index f9ae906d..0fa4a9f9 100644
--- a/net/ssl/test_ssl_private_key.h
+++ b/net/ssl/test_ssl_private_key.h
@@ -5,10 +5,9 @@
#ifndef NET_SSL_TEST_SSL_PLATFORM_KEY_H_
#define NET_SSL_TEST_SSL_PLATFORM_KEY_H_
-#include <openssl/evp.h>
+#include <openssl/base.h>
#include "base/memory/ref_counted.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/net_export.h"
namespace net {
@@ -18,7 +17,7 @@
// Returns a new SSLPrivateKey which uses |key| for signing operations or
// nullptr on error.
NET_EXPORT scoped_refptr<SSLPrivateKey> WrapOpenSSLPrivateKey(
- crypto::ScopedEVP_PKEY key);
+ bssl::UniquePtr<EVP_PKEY> key);
} // namespace net
diff --git a/net/ssl/token_binding.cc b/net/ssl/token_binding.cc
index e584c56..06bca3d 100644
--- a/net/ssl/token_binding.cc
+++ b/net/ssl/token_binding.cc
@@ -4,15 +4,16 @@
#include "net/ssl/token_binding.h"
+#include <openssl/bn.h>
#include <openssl/bytestring.h>
#include <openssl/ec.h>
#include <openssl/ec_key.h>
+#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/mem.h>
#include "base/stl_util.h"
#include "crypto/ec_private_key.h"
-#include "crypto/scoped_openssl_types.h"
#include "net/base/net_errors.h"
#include "net/ssl/ssl_config.h"
@@ -54,7 +55,7 @@
}
ECDSA_SIG* RawToECDSA_SIG(EC_KEY* ec, base::StringPiece sig) {
- crypto::ScopedECDSA_SIG raw_sig(ECDSA_SIG_new());
+ bssl::UniquePtr<ECDSA_SIG> raw_sig(ECDSA_SIG_new());
const EC_GROUP* group = EC_KEY_get0_group(ec);
const BIGNUM* order = EC_GROUP_get0_order(group);
size_t group_size = BN_num_bytes(order);
@@ -74,7 +75,7 @@
TokenBindingType type,
crypto::ECPrivateKey* key,
std::vector<uint8_t>* out) {
- crypto::ScopedEVP_MD_CTX digest_ctx(EVP_MD_CTX_create());
+ bssl::ScopedEVP_MD_CTX digest_ctx;
uint8_t tb_type = static_cast<uint8_t>(type);
uint8_t key_type = static_cast<uint8_t>(TB_PARAM_ECDSAP256);
uint8_t digest[EVP_MAX_MD_SIZE];
@@ -89,7 +90,7 @@
EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(key->key());
if (!ec_key)
return false;
- crypto::ScopedECDSA_SIG sig(ECDSA_do_sign(digest, digest_len, ec_key));
+ bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key));
if (!sig)
return false;
return ECDSA_SIGToRaw(sig.get(), ec_key, out);
@@ -192,16 +193,16 @@
uint8_t x9_62_ec_point[kUncompressedPointLen];
x9_62_ec_point[0] = 4;
memcpy(x9_62_ec_point + 1, ec_point.data(), kUncompressedPointLen - 1);
- crypto::ScopedEC_Key key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+ bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
EC_KEY* keyp = key.get();
- crypto::ScopedEC_POINT pub_key(EC_POINT_new(EC_KEY_get0_group(keyp)));
+ bssl::UniquePtr<EC_POINT> pub_key(EC_POINT_new(EC_KEY_get0_group(keyp)));
if (!EC_POINT_oct2point(EC_KEY_get0_group(keyp), pub_key.get(),
x9_62_ec_point, kUncompressedPointLen, nullptr) ||
!EC_KEY_set_public_key(keyp, pub_key.get())) {
return false;
}
- crypto::ScopedEVP_MD_CTX digest_ctx(EVP_MD_CTX_create());
+ bssl::ScopedEVP_MD_CTX digest_ctx;
uint8_t tb_type = static_cast<uint8_t>(type);
uint8_t key_type = static_cast<uint8_t>(TB_PARAM_ECDSAP256);
uint8_t digest[EVP_MAX_MD_SIZE];
@@ -214,7 +215,7 @@
return false;
}
- crypto::ScopedECDSA_SIG sig(RawToECDSA_SIG(keyp, signature));
+ bssl::UniquePtr<ECDSA_SIG> sig(RawToECDSA_SIG(keyp, signature));
if (!sig)
return false;
return !!ECDSA_do_verify(digest, digest_len, sig.get(), keyp);
