Make OpenSSL UpdateServerCert() OS independent.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/err.h>
@@ skipping 301 matching lines @@
 
   // This is the index used with SSL_get_ex_data to retrieve the owner
   // SSLClientSocketOpenSSL object from an SSL instance.
   int ssl_socket_data_index_;
 
   crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_;
   // |session_cache_| must be destroyed before |ssl_ctx_|.
   SSLSessionCacheOpenSSL session_cache_;
 };
 
+// PeerCertificateChain is a helper object which extracts the certificate
+// chain, as given by the server, from an OpenSSL socket and performs the needed
+// resource management. The first element of the chain is the leaf certificate
+// and the other elements are in the order given by the server.
+class SSLClientSocketOpenSSL::PeerCertificateChain {
+ public:
+  explicit PeerCertificateChain(SSL* ssl) { Reset(ssl); }
+  PeerCertificateChain(const PeerCertificateChain& other) { *this = other; }
+  ~PeerCertificateChain() {}
+  PeerCertificateChain& operator=(const PeerCertificateChain& other);
+  void Reset(SSL* ssl);

[Ryan Sleevi, 2014/03/14 21:06:15]

nit: newline after the operator=

Let's add a descriptive comment

// Resets the PeerCertificateChain to the set of certificates supplied by the
peer
// of |ssl|, which may be NULL, indicating to empty the store certificates.
// Note: If an error occurs, such as being unable to parse the certificates,
this
// will behave as if Reset(NULL) was called.

[haavardm, 2014/03/17 09:21:55]

Done.

+  // Note that when USE_OPENSSL is defined, OSCertHandle is X509*
+  const scoped_refptr<X509Certificate>& AsOSChain() const { return os_chain_; }
+
+  size_t size() const {
+    if (!openssl_chain_.get())
+      return 0;
+    return sk_X509_num(openssl_chain_.get());
+  }
+
+  X509* operator[](size_t index) const {
+    DCHECK_LT(index, size());
+    return sk_X509_value(openssl_chain_.get(), index);
+  }
+
+ private:
+  static void FreeX509Stack(STACK_OF(X509) * chain) {
+    sk_X509_pop_free(chain, X509_free);
+  }
+  crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack> openssl_chain_;

[Ryan Sleevi, 2014/03/14 21:06:15]

nit: newline between 350/351

[haavardm, 2014/03/17 09:21:55]

Done.

+
+  scoped_refptr<X509Certificate> os_chain_;
+};
+
+SSLClientSocketOpenSSL::PeerCertificateChain&
+SSLClientSocketOpenSSL::PeerCertificateChain::operator=(
+    const PeerCertificateChain& other) {
+  if (this == &other)
+    return *this;
+
+  // os_chain_ is reference counted by scoped_refptr;
+  os_chain_ = other.os_chain_;
+
+  // Must increase the reference count manually for sk_X509_dup
+  openssl_chain_.reset(sk_X509_dup(other.openssl_chain_.get()));
+  for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
+    X509* x = sk_X509_value(openssl_chain_.get(), i);
+    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+  }
+  return *this;
+}
+
+#if defined(USE_OPENSSL)
+// When OSCertHandle is typedef'ed to X509, we can do a short cut
+// to avoid converting back and forth between der and X509 struct.

[Ryan Sleevi, 2014/03/14 21:06:15]

comment nit: avoiding pronouns is good (see
https://groups.google.com/a/chromium.org/d/topic/chromium-dev/NH-S6KCkr2M/dis...
)

// When X509Certificate::OSCertHandle is an X509*, it's possible to use a
// short-cut to avoid converting to DER and then re-parsing to an X509*
// by just increasing the reference count of the original X509*.

[haavardm, 2014/03/17 09:21:55]

Done.

+void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) {
+  openssl_chain_.reset(NULL);
+  os_chain_ = NULL;
+
+  if (ssl == NULL)
+    return;
+
+  STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl);
+  if (!chain)
+    return;
+
+  X509Certificate::OSCertHandles intermediates;
+  for (int i = 1; i < sk_X509_num(chain); ++i)
+    intermediates.push_back(sk_X509_value(chain, i));
+
+  os_chain_ =
+      X509Certificate::CreateFromHandle(sk_X509_value(chain, 0), intermediates);
+
+  // sk_X509_dup does not increase reference count on the certs in the stack.
+  openssl_chain_.reset(sk_X509_dup(chain));
+
+  std::vector<base::StringPiece> der_chain;
+  for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
+    X509* x = sk_X509_value(openssl_chain_.get(), i);
+    // We increase reference count for the certs in openssl_chain_.
+    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+  }
+}
+#else  // !defined(USE_OPENSSL)
+void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) {
+  openssl_chain_.reset(NULL);
+  os_chain_ = NULL;
+
+  if (ssl == NULL)
+    return;
+
+  STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl);
+  if (!chain)
+    return;
+
+  // sk_X509_dup does not increase reference count on the certs in the stack.
+  openssl_chain_.reset(sk_X509_dup(chain));
+
+  std::vector<base::StringPiece> der_chain;
+  for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
+    X509* x = sk_X509_value(openssl_chain_.get(), i);
+
+    // We increase reference count for the certs in openssl_chain_.
+    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+
+    unsigned char* cert_data = NULL;
+    int cert_data_length = i2d_X509(x, &cert_data);
+    if (cert_data_length && cert_data)
+      der_chain.push_back(base::StringPiece(reinterpret_cast<char*>(cert_data),
+                                            cert_data_length));
+  }
+
+  os_chain_ = X509Certificate::CreateFromDERCertChain(der_chain);
+
+  for (size_t i = 0; i < der_chain.size(); ++i) {
+    OPENSSL_free(const_cast<char*>(der_chain[i].data()));
+  }
+
+  if (der_chain.size() !=
+      static_cast<size_t>(sk_X509_num(openssl_chain_.get()))) {
+    openssl_chain_.reset(NULL);
+    os_chain_ = NULL;
+  }
+}
+#endif  // USE_OPENSSL
+
 // static
 SSLSessionCacheOpenSSL::Config
     SSLClientSocketOpenSSL::SSLContext::kDefaultSessionCacheConfig = {
         &GetSessionCacheKey,  // key_func
         1024,                 // max_entries
         256,                  // expiration_check_count
         60 * 60,              // timeout_seconds
 };
 
 // static
 void SSLClientSocket::ClearSessionCache() {
   SSLClientSocketOpenSSL::SSLContext* context =
       SSLClientSocketOpenSSL::SSLContext::GetInstance();
   context->session_cache()->Flush();
   OpenSSLClientKeyStore::GetInstance()->Flush();
 }
 
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
     scoped_ptr<ClientSocketHandle> transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     const SSLClientSocketContext& context)
     : transport_send_busy_(false),
       transport_recv_busy_(false),
       transport_recv_eof_(false),
       weak_factory_(this),
       pending_read_error_(kNoPendingReadResult),
       transport_write_error_(OK),
+      server_cert_chain_(new PeerCertificateChain(NULL)),
       completed_handshake_(false),
       client_auth_cert_needed_(false),
       cert_verifier_(context.cert_verifier),
       server_bound_cert_service_(context.server_bound_cert_service),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_(transport_socket.Pass()),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       ssl_session_cache_shard_(context.ssl_session_cache_shard),
       trying_cached_session_(false),
       next_handshake_state_(STATE_NONE),
       npn_status_(kNextProtoUnsupported),
       channel_id_request_return_value_(ERR_UNEXPECTED),
       channel_id_xtn_negotiated_(false),
-      net_log_(transport_->socket()->NetLog()) {
-}
+      net_log_(transport_->socket()->NetLog()) {}
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
   Disconnect();
 }
 
 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   cert_request_info->host_and_port = host_and_port_;
   cert_request_info->cert_authorities = cert_authorities_;
 }
@@ skipping 533 matching lines @@
 
 void SSLClientSocketOpenSSL::DoConnectCallback(int rv) {
   if (!user_connect_callback_.is_null()) {
     CompletionCallback c = user_connect_callback_;
     user_connect_callback_.Reset();
     c.Run(rv > OK ? OK : rv);
   }
 }
 
 X509Certificate* SSLClientSocketOpenSSL::UpdateServerCert() {
-  if (server_cert_.get())
-    return server_cert_.get();
-
-  crypto::ScopedOpenSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_));
-  if (!cert.get()) {
-    LOG(WARNING) << "SSL_get_peer_certificate returned NULL";
-    return NULL;
-  }
-
-  // Unlike SSL_get_peer_certificate, SSL_get_peer_cert_chain does not
-  // increment the reference so sk_X509_free does not need to be called.
-  STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl_);
-  X509Certificate::OSCertHandles intermediates;
-  if (chain) {
-    for (int i = 0; i < sk_X509_num(chain); ++i)
-      intermediates.push_back(sk_X509_value(chain, i));
-  }
-  server_cert_ = X509Certificate::CreateFromHandle(cert.get(), intermediates);
-  DCHECK(server_cert_.get());
-
+  server_cert_chain_->Reset(ssl_);
+  server_cert_ = server_cert_chain_->AsOSChain();
   return server_cert_.get();
 }
 
 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) {
   int rv = DoHandshakeLoop(result);
   if (rv != ERR_IO_PENDING) {
     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
     DoConnectCallback(rv);
   }
 }
@@ skipping 467 matching lines @@
     *outlen = ssl_config_.next_protos[0].size();
   }
 
   npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen);
   server_protos_.assign(reinterpret_cast<const char*>(in), inlen);
   DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_;
 #endif
   return SSL_TLSEXT_ERR_OK;
 }
 
+scoped_refptr<X509Certificate>
+SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
+  return server_cert_;
+}
+
 }  // namespace net