| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2016, the Dart project authors. Please see the AUTHORS file | |
| 2 // for details. All rights reserved. Use of this source code is governed by a | |
| 3 // BSD-style license that can be found in the LICENSE file. | |
| 4 | |
| 5 #ifndef RUNTIME_BIN_SECURE_SOCKET_MACOS_H_ | |
| 6 #define RUNTIME_BIN_SECURE_SOCKET_MACOS_H_ | |
| 7 | |
| 8 #if !defined(RUNTIME_BIN_SECURE_SOCKET_H_) | |
| 9 #error Do not include secure_socket_macos.h directly. Use secure_socket.h. | |
| 10 #endif | |
| 11 | |
| 12 #include <stdlib.h> | |
| 13 #include <string.h> | |
| 14 #include <stdio.h> | |
| 15 #include <sys/types.h> | |
| 16 | |
| 17 #include <CoreFoundation/CoreFoundation.h> | |
| 18 #include <Security/SecureTransport.h> | |
| 19 #include <Security/Security.h> | |
| 20 | |
| 21 #include "bin/builtin.h" | |
| 22 #include "bin/dartutils.h" | |
| 23 #include "bin/lockers.h" | |
| 24 #include "bin/reference_counting.h" | |
| 25 #include "bin/socket.h" | |
| 26 #include "bin/thread.h" | |
| 27 #include "bin/utils.h" | |
| 28 | |
| 29 namespace dart { | |
| 30 namespace bin { | |
| 31 | |
| 32 // SSLCertContext wraps the certificates needed for a SecureTransport | |
| 33 // connection. Fields are protected by the mutex_ field, and may only be set | |
| 34 // once. This is to allow access by both the Dart thread and the IOService | |
| 35 // thread. Setters return false if the field was already set. | |
| 36 class SSLCertContext : public ReferenceCounted<SSLCertContext> { | |
| 37 public: | |
| 38 SSLCertContext() | |
| 39 : ReferenceCounted(), | |
| 40 mutex_(new Mutex()), | |
| 41 private_key_(NULL), | |
| 42 keychain_(NULL), | |
| 43 cert_chain_(NULL), | |
| 44 trusted_certs_(NULL), | |
| 45 cert_authorities_(NULL), | |
| 46 trust_builtin_(false) {} | |
| 47 | |
| 48 ~SSLCertContext() { | |
| 49 { | |
| 50 MutexLocker m(mutex_); | |
| 51 if (private_key_ != NULL) { | |
| 52 CFRelease(private_key_); | |
| 53 } | |
| 54 if (keychain_ != NULL) { | |
| 55 SecKeychainDelete(keychain_); | |
| 56 CFRelease(keychain_); | |
| 57 } | |
| 58 if (cert_chain_ != NULL) { | |
| 59 CFRelease(cert_chain_); | |
| 60 } | |
| 61 if (trusted_certs_ != NULL) { | |
| 62 CFRelease(trusted_certs_); | |
| 63 } | |
| 64 if (cert_authorities_ != NULL) { | |
| 65 CFRelease(cert_authorities_); | |
| 66 } | |
| 67 } | |
| 68 delete mutex_; | |
| 69 } | |
| 70 | |
| 71 SecKeyRef private_key() { | |
| 72 MutexLocker m(mutex_); | |
| 73 return private_key_; | |
| 74 } | |
| 75 bool set_private_key(SecKeyRef private_key) { | |
| 76 MutexLocker m(mutex_); | |
| 77 if (private_key_ != NULL) { | |
| 78 return false; | |
| 79 } | |
| 80 private_key_ = private_key; | |
| 81 return true; | |
| 82 } | |
| 83 | |
| 84 SecKeychainRef keychain() { | |
| 85 MutexLocker m(mutex_); | |
| 86 return keychain_; | |
| 87 } | |
| 88 bool set_keychain(SecKeychainRef keychain) { | |
| 89 MutexLocker m(mutex_); | |
| 90 if (keychain_ != NULL) { | |
| 91 return false; | |
| 92 } | |
| 93 keychain_ = keychain; | |
| 94 return true; | |
| 95 } | |
| 96 | |
| 97 CFArrayRef cert_chain() { | |
| 98 MutexLocker m(mutex_); | |
| 99 return cert_chain_; | |
| 100 } | |
| 101 bool set_cert_chain(CFArrayRef cert_chain) { | |
| 102 MutexLocker m(mutex_); | |
| 103 if (cert_chain_ != NULL) { | |
| 104 return false; | |
| 105 } | |
| 106 cert_chain_ = cert_chain; | |
| 107 return true; | |
| 108 } | |
| 109 | |
| 110 CFArrayRef trusted_certs() { | |
| 111 MutexLocker m(mutex_); | |
| 112 return trusted_certs_; | |
| 113 } | |
| 114 bool set_trusted_certs(CFArrayRef trusted_certs) { | |
| 115 MutexLocker m(mutex_); | |
| 116 if (trusted_certs_ != NULL) { | |
| 117 return false; | |
| 118 } | |
| 119 trusted_certs_ = trusted_certs; | |
| 120 return true; | |
| 121 } | |
| 122 | |
| 123 CFArrayRef cert_authorities() { | |
| 124 MutexLocker m(mutex_); | |
| 125 return cert_authorities_; | |
| 126 } | |
| 127 bool set_cert_authorities(CFArrayRef cert_authorities) { | |
| 128 MutexLocker m(mutex_); | |
| 129 if (cert_authorities_ != NULL) { | |
| 130 return false; | |
| 131 } | |
| 132 cert_authorities_ = cert_authorities; | |
| 133 return true; | |
| 134 } | |
| 135 | |
| 136 bool trust_builtin() { | |
| 137 MutexLocker m(mutex_); | |
| 138 return trust_builtin_; | |
| 139 } | |
| 140 void set_trust_builtin(bool trust_builtin) { | |
| 141 MutexLocker m(mutex_); | |
| 142 trust_builtin_ = trust_builtin; | |
| 143 } | |
| 144 | |
| 145 private: | |
| 146 // The context is accessed both by Dart code and the IOService. This mutex | |
| 147 // protects all fields. | |
| 148 Mutex* mutex_; | |
| 149 | |
| 150 SecKeyRef private_key_; | |
| 151 SecKeychainRef keychain_; | |
| 152 | |
| 153 // CFArrays of SecCertificateRef. | |
| 154 CFArrayRef cert_chain_; | |
| 155 CFArrayRef trusted_certs_; | |
| 156 CFArrayRef cert_authorities_; | |
| 157 | |
| 158 bool trust_builtin_; | |
| 159 | |
| 160 DISALLOW_COPY_AND_ASSIGN(SSLCertContext); | |
| 161 }; | |
| 162 | |
| 163 // SSLFilter encapsulates the SecureTransport code in a filter that communicates | |
| 164 // with the containing _SecureFilterImpl Dart object through four shared | |
| 165 // ExternalByteArray buffers, for reading and writing plaintext, and | |
| 166 // reading and writing encrypted text. The filter handles handshaking | |
| 167 // and certificate verification. | |
| 168 class SSLFilter : public ReferenceCounted<SSLFilter> { | |
| 169 public: | |
| 170 // These enums must agree with those in sdk/lib/io/secure_socket.dart. | |
| 171 enum BufferIndex { | |
| 172 kReadPlaintext, | |
| 173 kWritePlaintext, | |
| 174 kReadEncrypted, | |
| 175 kWriteEncrypted, | |
| 176 kNumBuffers, | |
| 177 kFirstEncrypted = kReadEncrypted | |
| 178 }; | |
| 179 | |
| 180 SSLFilter() | |
| 181 : ReferenceCounted(), | |
| 182 cert_context_(NULL), | |
| 183 ssl_context_(NULL), | |
| 184 peer_certs_(NULL), | |
| 185 string_start_(NULL), | |
| 186 string_length_(NULL), | |
| 187 handshake_complete_(NULL), | |
| 188 bad_certificate_callback_(NULL), | |
| 189 in_handshake_(false), | |
| 190 connected_(false), | |
| 191 bad_cert_(false), | |
| 192 is_server_(false), | |
| 193 hostname_(NULL) {} | |
| 194 | |
| 195 ~SSLFilter(); | |
| 196 | |
| 197 // Callback called by the IOService. | |
| 198 static CObject* ProcessFilterRequest(const CObjectArray& request); | |
| 199 | |
| 200 Dart_Handle Init(Dart_Handle dart_this); | |
| 201 void Connect(Dart_Handle dart_this, | |
| 202 const char* hostname, | |
| 203 SSLCertContext* context, | |
| 204 bool is_server, | |
| 205 bool request_client_certificate, | |
| 206 bool require_client_certificate); | |
| 207 void Destroy(); | |
| 208 OSStatus CheckHandshake(); | |
| 209 void Renegotiate(bool use_session_cache, | |
| 210 bool request_client_certificate, | |
| 211 bool require_client_certificate); | |
| 212 void RegisterHandshakeCompleteCallback(Dart_Handle handshake_complete); | |
| 213 void RegisterBadCertificateCallback(Dart_Handle callback); | |
| 214 Dart_Handle PeerCertificate(); | |
| 215 | |
| 216 private: | |
| 217 static OSStatus SSLReadCallback(SSLConnectionRef connection, | |
| 218 void* data, | |
| 219 size_t* data_length); | |
| 220 static OSStatus SSLWriteCallback(SSLConnectionRef connection, | |
| 221 const void* data, | |
| 222 size_t* data_length); | |
| 223 | |
| 224 static bool isBufferEncrypted(intptr_t i) { | |
| 225 return static_cast<BufferIndex>(i) >= kFirstEncrypted; | |
| 226 } | |
| 227 Dart_Handle InitializeBuffers(Dart_Handle dart_this); | |
| 228 | |
| 229 intptr_t GetBufferStart(intptr_t idx) const; | |
| 230 intptr_t GetBufferEnd(intptr_t idx) const; | |
| 231 void SetBufferStart(intptr_t idx, intptr_t value); | |
| 232 void SetBufferEnd(intptr_t idx, intptr_t value); | |
| 233 | |
| 234 OSStatus ProcessAllBuffers(intptr_t starts[kNumBuffers], | |
| 235 intptr_t ends[kNumBuffers], | |
| 236 bool in_handshake); | |
| 237 OSStatus ProcessReadPlaintextBuffer(intptr_t start, | |
| 238 intptr_t end, | |
| 239 intptr_t* bytes_processed); | |
| 240 OSStatus ProcessWritePlaintextBuffer(intptr_t start, | |
| 241 intptr_t end, | |
| 242 intptr_t* bytes_processed); | |
| 243 | |
| 244 // These calls can block on IO, and should only be invoked from | |
| 245 // from ProcessAllBuffers from ProcessFilterRequest. | |
| 246 OSStatus EvaluatePeerTrust(); | |
| 247 OSStatus Handshake(); | |
| 248 Dart_Handle InvokeBadCertCallback(SecCertificateRef peer_cert); | |
| 249 | |
| 250 RetainedPointer<SSLCertContext> cert_context_; | |
| 251 SSLContextRef ssl_context_; | |
| 252 CFArrayRef peer_certs_; | |
| 253 | |
| 254 // starts and ends filled in at the start of ProcessAllBuffers. | |
| 255 // If these are NULL, then try to get the pointers out of | |
| 256 // dart_buffer_objects_. | |
| 257 uint8_t* buffers_[kNumBuffers]; | |
| 258 intptr_t* buffer_starts_[kNumBuffers]; | |
| 259 intptr_t* buffer_ends_[kNumBuffers]; | |
| 260 intptr_t buffer_size_; | |
| 261 intptr_t encrypted_buffer_size_; | |
| 262 Dart_PersistentHandle string_start_; | |
| 263 Dart_PersistentHandle string_length_; | |
| 264 Dart_PersistentHandle dart_buffer_objects_[kNumBuffers]; | |
| 265 Dart_PersistentHandle handshake_complete_; | |
| 266 Dart_PersistentHandle bad_certificate_callback_; | |
| 267 bool in_handshake_; | |
| 268 bool connected_; | |
| 269 bool bad_cert_; | |
| 270 bool is_server_; | |
| 271 char* hostname_; | |
| 272 | |
| 273 DISALLOW_COPY_AND_ASSIGN(SSLFilter); | |
| 274 }; | |
| 275 | |
| 276 } // namespace bin | |
| 277 } // namespace dart | |
| 278 | |
| 279 #endif // RUNTIME_BIN_SECURE_SOCKET_MACOS_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2903743002:
Porting SecureSocket to use BoringSSL on OSX (Closed)
