Use BoringSSL scopers in //net.

net/cert/internal/verify_signed_data.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_signed_data.h"
 
+#include <openssl/bn.h>
 #include <openssl/bytestring.h>
 #include <openssl/digest.h>
 #include <openssl/ec.h>
 #include <openssl/ec_key.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
 #include "net/der/parser.h"
 
 namespace net {
 
 namespace {
@@ skipping 46 matching lines @@
          EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1_hash) &&
          EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
                                           salt_length_bytes_int.ValueOrDie());
 }
 
 // TODO(eroman): This function is not strict enough. It accepts BER, other RSA
 // OIDs, and does not check id-rsaEncryption parameters.
 // See https://crbug.com/522228 and https://crbug.com/522232
 WARN_UNUSED_RESULT bool ImportPkeyFromSpki(const der::Input& spki,
                                            int expected_pkey_id,
-                                           crypto::ScopedEVP_PKEY* pkey) {
+                                           bssl::UniquePtr<EVP_PKEY>* pkey) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   CBS cbs;
   CBS_init(&cbs, spki.UnsafeData(), spki.Length());
   pkey->reset(EVP_parse_public_key(&cbs));
   if (!*pkey || CBS_len(&cbs) != 0 ||
       EVP_PKEY_id(pkey->get()) != expected_pkey_id) {
     pkey->reset();
     return false;
   }
@@ skipping 51 matching lines @@
 // COMPATIBILITY NOTE: RFC 5912 and RFC 3279 are in disagreement on the value
 // of parameters for rsaEncryption. Whereas RFC 5912 says they must be absent,
 // RFC 3279 says they must be NULL:
 //
 //     The rsaEncryption OID is intended to be used in the algorithm field
 //     of a value of type AlgorithmIdentifier.  The parameters field MUST
 //     have ASN.1 type NULL for this algorithm identifier.
 //
 // Following RFC 3279 in this case.
 WARN_UNUSED_RESULT bool ParseRsaKeyFromSpki(const der::Input& public_key_spki,
-                                            crypto::ScopedEVP_PKEY* pkey,
+                                            bssl::UniquePtr<EVP_PKEY>* pkey,
                                             const SignaturePolicy* policy,
                                             CertErrors* errors) {
   // TODO(crbug.com/634443): Add more specific errors.
   if (!ImportPkeyFromSpki(public_key_spki, EVP_PKEY_RSA, pkey))
     return false;
 
   // Extract the modulus length from the key.
-  crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey->get()));
+  RSA* rsa = EVP_PKEY_get0_RSA(pkey->get());

[eroman, 2016/10/10 22:45:55]

Thanks for removing the spurious refcounts in this file.

   if (!rsa)
     return false;
   unsigned int modulus_length_bits = BN_num_bits(rsa->n);
 
   if (!policy->IsAcceptableModulusLengthForRsa(modulus_length_bits, errors)) {
     errors->AddError(kUnacceptableRsaModulusLength);
     return false;
   }
 
   return true;
 }
 
 // Does signature verification using either RSA or ECDSA.
 WARN_UNUSED_RESULT bool DoVerify(const SignatureAlgorithm& algorithm,
                                  const der::Input& signed_data,
                                  const der::BitString& signature_value,
                                  EVP_PKEY* public_key) {
   DCHECK(algorithm.algorithm() == SignatureAlgorithmId::RsaPkcs1 ||
          algorithm.algorithm() == SignatureAlgorithmId::RsaPss ||
          algorithm.algorithm() == SignatureAlgorithmId::Ecdsa);
 
   // For the supported algorithms the signature value must be a whole
   // number of bytes.
   if (signature_value.unused_bits() != 0)
     return false;
   const der::Input& signature_value_bytes = signature_value.bytes();
 
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
-  crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+  bssl::ScopedEVP_MD_CTX ctx;
   EVP_PKEY_CTX* pctx = nullptr;  // Owned by |ctx|.
 
   const EVP_MD* digest;
   if (!GetDigest(algorithm.digest(), &digest))
     return false;
 
   if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, nullptr, public_key))
     return false;
 
   // Set the RSASSA-PSS specific options.
@@ skipping 50 matching lines @@
 //
 //     NamedCurve CURVE ::= {
 //     { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
 //     { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
 //     { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
 //     { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
 //     { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
 //     ... -- Extensible
 //     }
 WARN_UNUSED_RESULT bool ParseEcKeyFromSpki(const der::Input& public_key_spki,
-                                           crypto::ScopedEVP_PKEY* pkey,
+                                           bssl::UniquePtr<EVP_PKEY>* pkey,
                                            const SignaturePolicy* policy,
                                            CertErrors* errors) {
   // TODO(crbug.com/634443): Add more specific errors.
   if (!ImportPkeyFromSpki(public_key_spki, EVP_PKEY_EC, pkey))
     return false;
 
   // Extract the curve name.
-  crypto::ScopedEC_KEY ec(EVP_PKEY_get1_EC_KEY(pkey->get()));
-  if (!ec.get())
+  EC_KEY* ec = EVP_PKEY_get0_EC_KEY(pkey->get());
+  if (!ec)
     return false;  // Unexpected.
-  int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get()));
+  int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
 
   if (!policy->IsAcceptableCurveForEcdsa(curve_nid, errors)) {
     errors->AddError(kUnacceptableEcdsaCurve);
     return false;
   }
 
   return true;
 }
 
 }  // namespace
 
 bool VerifySignedData(const SignatureAlgorithm& signature_algorithm,
                       const der::Input& signed_data,
                       const der::BitString& signature_value,
                       const der::Input& public_key_spki,
                       const SignaturePolicy* policy,
                       CertErrors* errors) {
   if (!policy->IsAcceptableSignatureAlgorithm(signature_algorithm, errors)) {
     errors->AddError(kUnacceptableSignatureAlgorithm);
     return false;
   }
 
-  crypto::ScopedEVP_PKEY public_key;
+  bssl::UniquePtr<EVP_PKEY> public_key;
 
   // Parse the SPKI to an EVP_PKEY appropriate for the signature algorithm.
   switch (signature_algorithm.algorithm()) {
     case SignatureAlgorithmId::RsaPkcs1:
     case SignatureAlgorithmId::RsaPss:
       if (!ParseRsaKeyFromSpki(public_key_spki, &public_key, policy, errors))
         return false;
       break;
     case SignatureAlgorithmId::Ecdsa:
       if (!ParseEcKeyFromSpki(public_key_spki, &public_key, policy, errors))
         return false;
       break;
   }
 
   if (!DoVerify(signature_algorithm, signed_data, signature_value,
                 public_key.get())) {
     errors->AddError(kSignatureVerificationFailed);
     return false;
   }
 
   return true;
 }
 
 }  // namespace net