Refactor EnsureOpenSSLInit and openssl_util into base

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
+#include "base/metrics/histogram.h"
+#include "base/openssl_util.h"
 #include "net/base/cert_verifier.h"
-#include "base/metrics/histogram.h"
 #include "net/base/net_errors.h"
-#include "net/base/openssl_util.h"
 #include "net/base/ssl_connection_status_flags.h"
 #include "net/base/ssl_info.h"
 
 namespace net {
 
 namespace {
 
 // Enable this to see logging for state machine state transitions.
 #if 0
 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \
@@ skipping 24 matching lines @@
       MaybeLogSSLError();
       return ERR_SSL_PROTOCOL_ERROR;
     default:
       // TODO(joth): Implement full mapping.
       LOG(WARNING) << "Unknown OpenSSL error " << err;
       MaybeLogSSLError();
       return ERR_SSL_PROTOCOL_ERROR;
   }
 }
 
+// We do certificate verification after handshake, so we disable the default
+// by registering a no-op verify function.
+int NoOpVerifyCallback(X509_STORE_CTX*, void *) {
+  DVLOG(3) << "skipping cert verify";
+  return 1;
+}
+
+class OpenSSLContext {
+ public:
+  SSL_CTX* ssl_ctx() const { return ssl_ctx_.get(); }
+
+ private:
+  friend struct DefaultSingletonTraits<OpenSSLContext>;
+  OpenSSLContext()
+      : ssl_ctx_(SSL_CTX_new(SSLv23_client_method())) {

[bulach, 2010/11/16 14:23:50]

see below, perhaps move out of the initializer list, and call 
 base::EnsureOpenSSLInit(); before setting it in the ctor body..

[joth, 2010/11/16 15:57:41]

Done.
ScopedSSL makes this a little more complex.
However I realized this class is extraneousness; I can make SSL_CTX a singleton
directly by defining the appropriate traits, so I did it that way.

+    SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), NoOpVerifyCallback, NULL);
+  }
+
+  base::ScopedSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_;
+
+  DISALLOW_COPY_AND_ASSIGN(OpenSSLContext);
+};
+
 }  // namespace
 
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
     ClientSocketHandle* transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config)
     : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(
           this, &SSLClientSocketOpenSSL::BufferSendComplete)),
       ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(
           this, &SSLClientSocketOpenSSL::BufferRecvComplete)),
@@ skipping 15 matching lines @@
 }
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
   Disconnect();
 }
 
 bool SSLClientSocketOpenSSL::Init() {
   DCHECK(!ssl_);
   DCHECK(!transport_bio_);
 
-  ssl_ = SSL_new(GetOpenSSLInitSingleton()->ssl_ctx());
+  base::EnsureOpenSSLInit();

[bulach, 2010/11/16 14:23:50]

it'd be better to move this to OpenSSLContext's ctor itself

[joth, 2010/11/16 15:57:41]

Done.

+  ssl_ = SSL_new(Singleton<OpenSSLContext>::get()->ssl_ctx());
   if (!ssl_) {
     MaybeLogSSLError();
     return false;
   }
 
   if (!SSL_set_tlsext_host_name(ssl_, host_and_port_.host().c_str())) {
     MaybeLogSSLError();
     return false;
   }
 
@@ skipping 280 matching lines @@
 }
 
 void SSLClientSocketOpenSSL::InvalidateSessionIfBadCertificate() {
   if (UpdateServerCert() != NULL &&
       ssl_config_.IsAllowedBadCert(server_cert_)) {
     // Remove from session cache but don't clear this connection.
     // TODO(joth): This should be a no-op until we enable session caching,
     // see SSL_CTX_set_session_cache_mode(SSL_SESS_CACHE_CLIENT).
     SSL_SESSION* session = SSL_get_session(ssl_);
     LOG_IF(ERROR, session) << "Connection has a session?? " << session;
-    int rv = SSL_CTX_remove_session(GetOpenSSLInitSingleton()->ssl_ctx(),
+    int rv = SSL_CTX_remove_session(Singleton<OpenSSLContext>::get()->ssl_ctx(),
                                     session);
     LOG_IF(ERROR, rv) << "Session was cached?? " << rv;
   }
 }
 
 X509Certificate* SSLClientSocketOpenSSL::UpdateServerCert() {
   if (server_cert_)
     return server_cert_;
 
-  ScopedSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_));
+  base::ScopedSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_));
   if (!cert.get()) {
     LOG(WARNING) << "SSL_get_peer_certificate returned NULL";
     return NULL;
   }
 
   // Unlike SSL_get_peer_certificate, SSL_get_peer_cert_chain does not
   // increment the reference so sk_X509_free does not need to be called.
   STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl_);
   X509Certificate::OSCertHandles intermediates;
   if (chain) {
@@ skipping 313 matching lines @@
   int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
 
   if (rv >= 0)
     return rv;
 
   int err = SSL_get_error(ssl_, rv);
   return MapOpenSSLError(err);
 }
 
 } // namespace net