runtime/bin/tls_socket.cc - Issue 10916081: Add secure sockets to dart:io

Unified Diff: runtime/bin/tls_socket.cc

Issue 10916081: Add secure sockets to dart:io (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart

Patch Set: Allow TLS sockets to build with both Chromium NSS and upstream NSS Created 8 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: runtime/bin/tls_socket.cc

diff --git a/runtime/bin/tls_socket.cc b/runtime/bin/tls_socket.cc

new file mode 100644

index 0000000000000000000000000000000000000000..c10a2738ddc95447ef547cfcc55d1ffb66e1beee

--- /dev/null

+++ b/runtime/bin/tls_socket.cc

@@ -0,0 +1,453 @@

+// BSD-style license that can be found in the LICENSE file.

+#include "bin/tls_socket.h"

+#include <errno.h>

+#include <fcntl.h>

+#include <sys/stat.h>

+#include <unistd.h>

+#include <libgen.h>

+#include <stdio.h>

+#include <string.h>

+#include <prinit.h>

+#include <prerror.h>

+#include <prnetdb.h>

+#include <nss.h>

+#include <ssl.h>

+#include "bin/builtin.h"

+#include "bin/dartutils.h"

+#include "bin/thread.h"

+#include "bin/utils.h"

+#include "bin/net/nss_memio.h"

+#include "platform/utils.h"

+#include "include/dart_api.h"

+bool TlsFilter::library_initialized_ = false;

+static TlsFilter* NativePeer(Dart_NativeArguments args) {

Mads Ager (google) 2012/09/28 12:03:56 Maybe call this GetTlsFiler?

Bill Hesse 2012/10/31 16:33:29 Done.

+ TlsFilter* native_peer;

+ Dart_Handle dart_this = HandleError(Dart_GetNativeArgument(args, 0));

+ ASSERT(Dart_IsInstance(dart_this));

+ HandleError(Dart_GetNativeInstanceField(dart_this, 0,

Mads Ager (google) 2012/09/28 12:03:56 Introduce a named constant for the 0. static con

Bill Hesse 2012/10/31 16:33:29 Done.

+ reinterpret_cast<intptr_t*>(&native_peer)));

+ return native_peer;

+static void SetNativePeer(Dart_NativeArguments args, TlsFilter* native_peer) {

Mads Ager (google) 2012/09/28 12:03:56 SetTlsFilter?

Bill Hesse 2012/10/31 16:33:29 Done.

+ Dart_Handle dart_this = HandleError(Dart_GetNativeArgument(args, 0));

Mads Ager (google) 2012/09/28 12:03:56 Ditto on HandleError.

+ ASSERT(Dart_IsInstance(dart_this));

+ HandleError(Dart_SetNativeInstanceField(dart_this, 0,

+ reinterpret_cast<intptr_t>(native_peer)));

+void FUNCTION_NAME(TlsSocket_Init)(Dart_NativeArguments args) {

+ Dart_EnterScope();

+ TlsFilter* native_peer = new TlsFilter;

Mads Ager (google) 2012/09/28 12:03:57 native_peer -> filter?

Bill Hesse 2012/10/31 16:33:29 Done.

+ Dart_Handle dart_this = Dart_GetNativeArgument(args, 0);

+ if (Dart_IsError(dart_this)) {

+ delete native_peer;

+ Dart_PropagateError(dart_this);

+ }

+ SetNativePeer(args, native_peer);

+ native_peer->Init(dart_this);

+ Dart_SetReturnValue(args, Dart_Null());

Mads Ager (google) 2012/09/28 12:03:57 This is the default behavior so you do not need th

Bill Hesse 2012/10/31 16:33:29 Removed everywhere. On 2012/09/28 12:03:57, Mads

+ Dart_ExitScope();

+void FUNCTION_NAME(TlsSocket_Connect)(Dart_NativeArguments args) {

+ Dart_EnterScope();

+ NativePeer(args)->Connect();

+ Dart_SetReturnValue(args, Dart_Null());

+ Dart_ExitScope();

+void FUNCTION_NAME(TlsSocket_Destroy)(Dart_NativeArguments args) {

+ Dart_EnterScope();

+ TlsFilter* native_peer = NativePeer(args);

+ SetNativePeer(args, NULL);

+ native_peer->Destroy();

+ delete native_peer;

+ Dart_SetReturnValue(args, Dart_Null());

+ Dart_ExitScope();

+void FUNCTION_NAME(TlsSocket_RegisterHandshakeCallbacks)(

+ Dart_NativeArguments args) {

+ Dart_EnterScope();

+ Dart_Handle handshake_start = HandleError(Dart_GetNativeArgument(args, 1));

+ Dart_Handle handshake_finish = HandleError(Dart_GetNativeArgument(args, 2));

+ if (!Dart_IsClosure(handshake_start) ||

+ !Dart_IsClosure(handshake_finish)) {

+ Dart_ThrowException(DartUtils::NewDartIllegalArgumentException(

+ "Illegal argument to RegisterHandshakeCallbacks"));

+ }

+ NativePeer(args)->RegisterHandshakeCallbacks(handshake_start,

+ handshake_finish);

+ Dart_SetReturnValue(args, Dart_Null());

+ Dart_ExitScope();

+void FUNCTION_NAME(TlsSocket_ProcessBuffer)(Dart_NativeArguments args) {

+ Dart_EnterScope();

+ Dart_Handle buffer_id_object = HandleError(Dart_GetNativeArgument(args, 1));

+ int64_t buffer_id = DartUtils::GetIntegerValue(buffer_id_object);

+ if (buffer_id < 0 || buffer_id >= TlsFilter::kNumBuffers) {

+ Dart_ThrowException(DartUtils::NewDartIllegalArgumentException(

+ "Illegal argument to ProcessBuffer"));

+ }

+ intptr_t bytes_read =

+ NativePeer(args)->ProcessBuffer(static_cast<int>(buffer_id));

+ Dart_SetReturnValue(args, Dart_NewInteger(bytes_read));

+ Dart_ExitScope();

+void FUNCTION_NAME(TlsSocket_SetCertificateDatabase)

+ (Dart_NativeArguments args) {

+ Dart_EnterScope();

+ Dart_Handle dart_pkcert_dir = HandleError(Dart_GetNativeArgument(args, 0));

+ // Check that the type is string, and get the UTF-8 C string value from it.

+ if (Dart_IsString(dart_pkcert_dir)) {

+ const char* pkcert_dir = NULL;

+ HandleError(Dart_StringToCString(dart_pkcert_dir, &pkcert_dir));

+ TlsFilter::InitializeLibrary(pkcert_dir);

+ } else {

+ Dart_ThrowException(DartUtils::NewDartIllegalArgumentException(

+ "Non-String argument to SetCertificateDatabase"));

+ }

+ Dart_SetReturnValue(args, Dart_Null());

+ Dart_ExitScope();

+void TlsFilter::Init(Dart_Handle dart_this) {

+ stringStart_ = HandleError(

+ Dart_NewPersistentHandle(Dart_NewString("start")));

+ stringLength_ = HandleError(

+ Dart_NewPersistentHandle(Dart_NewString("length")));

+ InitializeBuffers(dart_this);

+ InitializePlatformData();

+void TlsFilter::InitializeBuffers(Dart_Handle dart_this) {

+ // Create TlsFilter buffers as ExternalUint8Array objects.

+ Dart_Handle dart_buffers_object = HandleError(

+ Dart_GetField(dart_this, Dart_NewString("buffers")));

+ Dart_Handle dart_buffer_object = HandleError(

+ Dart_ListGetAt(dart_buffers_object, kReadPlaintext));

+ Dart_Handle tlsExternalBuffer_class = HandleError(

Mads Ager (google) 2012/09/28 12:03:57 Please use C++ naming convention: tls_external_buf

Bill Hesse 2012/10/31 16:33:29 Done.

+ Dart_InstanceGetClass(dart_buffer_object));

+ Dart_Handle dart_buffer_size = HandleError(

+ Dart_GetField(tlsExternalBuffer_class, Dart_NewString("kSize")));

+ buffer_size_ = DartUtils::GetIntegerValue(dart_buffer_size);

+ if (buffer_size_ <= 0 || buffer_size_ > 1024 * 1024) {

+ Dart_ThrowException(

+ Dart_NewString("Invalid buffer size in _TlsExternalBuffer"));

+ }

+ for (int i = 0; i < kNumBuffers; ++i) {

+ dart_buffer_objects_[i] = HandleError(

+ Dart_NewPersistentHandle(Dart_ListGetAt(dart_buffers_object, i)));

+ buffers_[i] = new uint8_t[buffer_size_];

+ Dart_Handle data = HandleError(

+ Dart_NewExternalByteArray(buffers_[i],

+ buffer_size_, NULL, NULL));

+ HandleError(

+ Dart_SetField(dart_buffer_objects_[i], Dart_NewString("data"), data));

+ }

+void TlsFilter::RegisterHandshakeCallbacks(Dart_Handle start,

+ Dart_Handle finish) {

+ handshake_start_ = HandleError(Dart_NewPersistentHandle(start));

+ handshake_finish_ = HandleError(Dart_NewPersistentHandle(finish));

+void TlsFilter::DestroyPlatformIndependent() {

+ for (int i = 0; i < kNumBuffers; ++i) {

+ Dart_DeletePersistentHandle(dart_buffer_objects_[i]);

+ }

+ Dart_DeletePersistentHandle(stringStart_);

+ Dart_DeletePersistentHandle(stringLength_);

+class TlsFilterPlatformData {

+ public:

+ PRFileDesc* memio;

+};

+TlsFilter::TlsFilter() : in_handshake_(false) { }

+void TlsFilter::InitializeLibrary(const char* pkcert_database) {

+ printf("Entering InitializeLibrary\n");

+ LockInitMutex();

+ if (!library_initialized_) {

+ PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);

+ printf("%s\n", pkcert_database);

Mads Ager (google) 2012/09/28 12:03:57 Please remove debug printing.

+#ifdef CHROMIUM_NSS

Søren Gjesse 2012/09/28 09:17:31 We should avoid #ifdefs like this. How about havin

Mads Ager (google) 2012/09/28 12:03:57 I'm not convinced that our build should have to su

Bill Hesse 2012/10/31 16:33:29 All #ifdefs removed, only Chromium NSS supported,

+ // The Chromium version of the NSS libraries does not allow read-only here.

+ SECStatus status =

+ NSS_InitReadWrite(pkcert_database);

+#else

+ SECStatus status =

+ NSS_Init(pkcert_database);

+#endif

+ if (status == SECSuccess) {

+ printf("Successful NSS_Init call\n");

Mads Ager (google) 2012/09/28 12:03:57 Please remove debug printing. You should probably

+ } else {

+ PRErrorCode pr_error = PR_GetError();

+ printf("Unsuccessful NSS_Init call. Error %d\n", pr_error);

+ }

+ status = NSS_SetDomesticPolicy();

+ if (status == SECSuccess) {

+ printf("Successful NSS_SetDomesticPolicy call\n");

+ } else {

+ PRErrorCode pr_error = PR_GetError();

+ printf("Unsuccessful NSS_SetDomesticPolicy call. Error %d\n", pr_error);

+ }

+ } else {

+ printf("Called TlsFilter::InitializeLibrary more than once.\n");

+ }

+ UnlockInitMutex();

+ printf("Exiting InitializeLibrary\n");

+void TlsFilter::InitializePlatformData() {

+ data_ = new TlsFilterPlatformData;

+ data_->memio = memio_CreateIOLayer(30000);

Mads Ager (google) 2012/09/28 12:03:57 Maybe we can create a named constant for this valu

+char host_entry_buffer[PR_NETDB_BUF_SIZE];

+PRHostEnt host_entry;

+PRNetAddr host_address;

+PRFileDesc* my_socket;

+bool SECURITY = true;

Mads Ager (google) 2012/09/28 12:03:57 Please remove.

+SECStatus status;

+// Callback that always returns SECSuccess.

+static SECStatus AlwaysSucceed(void* arg, PRFileDesc *fd,

+ PRBool check, PRBool server) {

+ return SECSuccess;

+void TlsFilter::Connect() {

+ printf("Entering InitSocket\n");

+ if (!in_handshake_) {

+ my_socket = data_->memio;

+ my_socket = SSL_ImportFD(NULL, my_socket);

+ if (my_socket == NULL) {

+ printf("SSL_ImportFD failed.\n");

Mads Ager (google) 2012/09/28 12:03:57 Similarly here. We should report this error back t

+ }

+ if (SSL_SetURL(my_socket, "www.google.dk") == -1) {

+ printf("SetURL call failed\n");

+ }

+ if (!SECURITY) {

+ status = SSL_OptionSet(my_socket, SSL_SECURITY, PR_FALSE);

+ }

+ if (status == SECSuccess) {

+ printf("Successful SSL_OptionSetDefault call\n");

+ } else {

+ PRErrorCode pr_error = PR_GetError();

+ printf("Unsuccessful SSL_OptionSetDefault call. Error %d\n", pr_error);

+ }

+#ifdef CHROMIUM_NSS

Mads Ager (google) 2012/09/28 12:03:57 Since we always use CHROMIUM_NSS we can get rid of

+ // Certificate chain verification is not yet working with Chromium NSS.

+ status = SSL_AuthCertificateHook(my_socket, AlwaysSucceed, NULL);

+ if (status == SECSuccess) {

+ printf("Successful SSL_AuthCertificateHook call\n");

+ } else {

+ PRErrorCode pr_error = PR_GetError();

+ printf("Unsuccessful SSL_AuthCertificateHook call. Error %d\n", pr_error);

+ }

+#endif

+ status = SSL_ResetHandshake(my_socket, PR_FALSE);

+ if (status == SECSuccess) {

+ printf("Successful SSL_ResetHandshake call\n");

+ } else {

+ PRErrorCode pr_error = PR_GetError();

+ printf("Unsuccessful SSL_ResetHandshake call. Error %d\n", pr_error);

+ }

+ // SetPeerAddress

+ PRNetAddr host_address;

+ char host_entry_buffer[PR_NETDB_BUF_SIZE];

+ PRHostEnt host_entry;

+ PRStatus rv = PR_GetHostByName("www.google.dk", host_entry_buffer,

+ PR_NETDB_BUF_SIZE, &host_entry);

+ if (rv == PR_SUCCESS) {

+ printf("Successful PR_GetHostByName call\n");

+ } else {

+ PRErrorCode pr_error = PR_GetError();

+ printf("Unsuccessful PR_GetHostByName call. Error %d\n", pr_error);

+ }

+ int index = PR_EnumerateHostEnt(0, &host_entry, 443, &host_address);

+ if (index == -1 || index == 0) {

+ printf("Unsuccessful PR_EnumerateHostEnt call.\n");

+ }

+ if (host_address.inet.family == PR_AF_INET) {

+ printf("Got IP V4 address\n");

+ }

+ memio_SetPeerName(my_socket, &host_address);

+ data_->memio = my_socket;

+ }

+ // Handshake

+ int er;

+ if ((er = SSL_ForceHandshake(my_socket)) == SECSuccess) {

+ printf("Successful SSL_ForceHandshake call\n");

+ if (in_handshake_) {

+ printf("Exiting handshake state\n");

+ HandleError(Dart_InvokeClosure(handshake_finish_, 0, NULL));

+ in_handshake_ = false;

+ }

+ } else {

+ printf("Unsuccessful SSL_ForceHandshake call\n");

+ PRErrorCode pr_error = PR_GetError();

+ printf("Error code %d %d\n", er, pr_error);

+ if (!in_handshake_) {

+ printf("Entering handshake state\n");

+ // int writable = ProcessBuffer(kWriteEncrypted);

+ // printf("ProcessBuffer(kWriteEncrypted) returns %d\n", writable);

+ HandleError(Dart_InvokeClosure(handshake_start_, 0, NULL));

+ in_handshake_ = true;

+ }

+ if (!SECURITY) {

+ // Handshake doesn't happen.

+ HandleError(Dart_InvokeClosure(handshake_start_, 0, NULL));

+ HandleError(Dart_InvokeClosure(handshake_finish_, 0, NULL));

+ }

+void TlsFilter::Destroy() {

+ DestroyPlatformIndependent();

+ // TODO(whesse): Destroy OpenSSL objects here.

Mads Ager (google) 2012/09/28 12:03:57 OpenSSL?

+intptr_t TlsFilter::ProcessBuffer(int buffer_index) {

+ printf("Entering processBuffer(%d)\n", buffer_index);

+ Dart_Handle buffer_object = dart_buffer_objects_[buffer_index];

+ Dart_Handle start_object = HandleError(

+ Dart_GetField(buffer_object, stringStart_));

+ Dart_Handle length_object = HandleError(

+ Dart_GetField(buffer_object, stringLength_));

+ int64_t unsafe_start = DartUtils::GetIntegerValue(start_object);

+ int64_t unsafe_length = DartUtils::GetIntegerValue(length_object);

+ if (unsafe_start < 0 || unsafe_start >= buffer_size_ ||

+ unsafe_length < 0 || unsafe_length > buffer_size_) {

+ Dart_ThrowException(DartUtils::NewDartIllegalArgumentException(

+ "Illegal .start or .length on a _TlsExternalBuffer"));

+ }

+ intptr_t start = static_cast<intptr_t>(unsafe_start);

+ intptr_t length = static_cast<intptr_t>(unsafe_length);

+ int bytes_sent = 0;

+ switch (buffer_index) {

+ case kReadPlaintext: {

+ int bytes_free = buffer_size_ - start - length;

+ bytes_sent = PR_Read(data_->memio,

+ buffers_[buffer_index] + start + length,

+ bytes_free);

+ printf(" plaintext bytes read %d (into %d)\n",

+ bytes_sent, bytes_free);

+ if (bytes_sent < 0) bytes_sent = 0;

+ break;

+ }

+ case kWriteEncrypted: {

+ const uint8_t* buf1;

+ const uint8_t* buf2;

+ unsigned int len1;

+ unsigned int len2;

+ int bytes_free = buffer_size_ - start - length;

+ memio_Private* secret = memio_GetSecret(data_->memio);

+ memio_GetWriteParams(secret, &buf1, &len1, &buf2, &len2);

+ int bytes_to_send =

+ dart::Utils::Minimum(len1, static_cast<unsigned>(bytes_free));

+ if (bytes_to_send > 0) {

+ memmove(buffers_[buffer_index] + start + length, buf1, bytes_to_send);

+ bytes_sent = bytes_to_send;

+ }

+ bytes_to_send = dart::Utils::Minimum(len2,

+ static_cast<unsigned>(bytes_free - bytes_sent));

+ if (bytes_to_send > 0) {

+ memmove(buffers_[buffer_index] + start + length + bytes_sent, buf2,

+ bytes_to_send);

+ bytes_sent += bytes_to_send;

+ }

+ printf(" encrypted bytes written %d (into %d)\n",

+ bytes_sent, bytes_free);

+ if (bytes_sent > 0) {

+ memio_PutWriteResult(secret, bytes_sent);

+ }

+ break;

+ }

+ case kReadEncrypted: {

+ if (length > 0) {

+ bytes_sent = length;

+ // NEW

+ memio_Private* secret = memio_GetSecret(data_->memio);

+ uint8_t* memio_buf;

+ int free_bytes = memio_GetReadParams(secret, &memio_buf);

+ if (free_bytes < bytes_sent) bytes_sent = free_bytes;

+ printf(" encrypted bytes read %d (out of %d)\n",

+ bytes_sent, static_cast<int>(length));

+ memmove(memio_buf,

+ buffers_[buffer_index] + start,

+ bytes_sent);

+ memio_PutReadResult(secret, bytes_sent);

+ }

+ break;

+ }

+ case kWritePlaintext: {

+ if (length > 0) {

+ bytes_sent = PR_Write(data_->memio,

+ buffers_[buffer_index] + start,

+ length);

+ printf(" plaintext bytes written %d out of %d\n",

+ static_cast<int>(bytes_sent), static_cast<int>(length));

+ } else {

+ printf(" no plaintext bytes to write.\n");

+ }

+ if (bytes_sent < 0) bytes_sent = 0;

+ break;

+ }

+ return bytes_sent;

« runtime/bin/tls_socket.h ('K') | « runtime/bin/tls_socket.h ('k') | runtime/bin/tls_socket.dart » ('j') | runtime/bin/tls_socket.dart » ('J')