runtime/bin/secure_socket_ios.h - Issue 2903743002: Porting SecureSocket to use BoringSSL on OSX

Side by Side Diff: runtime/bin/secure_socket_ios.h

Issue 2903743002: Porting SecureSocket to use BoringSSL on OSX (Closed)

Patch Set: Moved CertificateCallback into SSLCertContext Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
	(Empty)
1 // Copyright (c) 2016, the Dart project authors. Please see the AUTHORS file

2 // for details. All rights reserved. Use of this source code is governed by a

3 // BSD-style license that can be found in the LICENSE file.

4

5 #ifndef RUNTIME_BIN_SECURE_SOCKET_IOS_H_

6 #define RUNTIME_BIN_SECURE_SOCKET_IOS_H_

7

8 #if !defined(RUNTIME_BIN_SECURE_SOCKET_H_)

9 #error Do not include secure_socket_macos.h directly. Use secure_socket.h.

10 #endif

11

12 #include <stdlib.h>

13 #include <string.h>

14 #include <stdio.h>

15 #include <sys/types.h>

16

17 #include <CoreFoundation/CoreFoundation.h>

18 #include <Security/SecureTransport.h>

19 #include <Security/Security.h>

20

21 #include "bin/builtin.h"

22 #include "bin/dartutils.h"

23 #include "bin/lockers.h"

24 #include "bin/reference_counting.h"

25 #include "bin/socket.h"

26 #include "bin/thread.h"

27 #include "bin/utils.h"

28

29 namespace dart {

30 namespace bin {

31

32 // SSLCertContext wraps the certificates needed for a SecureTransport

33 // connection. Fields are protected by the mutex_ field, and may only be set

34 // once. This is to allow access by both the Dart thread and the IOService

35 // thread. Setters return false if the field was already set.

36 class SSLCertContext : public ReferenceCounted<SSLCertContext> {

37 public:

38 SSLCertContext()

39 : ReferenceCounted(),

40 mutex_(new Mutex()),

41 trusted_certs_(NULL),

42 identity_(NULL),

43 cert_chain_(NULL),

44 trust_builtin_(false) {}

45

46 ~SSLCertContext() {

47 {

48 MutexLocker m(mutex_);

49 if (trusted_certs_ != NULL) {

50 CFRelease(trusted_certs_);

51 }

52 if (identity_ != NULL) {

53 CFRelease(identity_);

54 }

55 if (cert_chain_ != NULL) {

56 CFRelease(cert_chain_);

57 }

58 }

59 delete mutex_;

60 }

61

62 CFMutableArrayRef trusted_certs() {

63 MutexLocker m(mutex_);

64 return trusted_certs_;

65 }

66 void add_trusted_cert(SecCertificateRef trusted_cert) {

67 // Takes ownership of trusted_cert.

68 MutexLocker m(mutex_);

69 if (trusted_certs_ == NULL) {

70 trusted_certs_ = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);

71 }

72 CFArrayAppendValue(trusted_certs_, trusted_cert);

73 CFRelease(trusted_cert); // trusted_cert is retained by the array.

74 }

75

76 SecIdentityRef identity() {

77 MutexLocker m(mutex_);

78 return identity_;

79 }

80 bool set_identity(SecIdentityRef identity) {

81 MutexLocker m(mutex_);

82 if (identity_ == NULL) {

83 identity_ = identity;

84 return true;

85 }

86 return false;

87 }

88

89 CFArrayRef cert_chain() {

90 MutexLocker m(mutex_);

91 return cert_chain_;

92 }

93 bool set_cert_chain(CFArrayRef cert_chain) {

94 MutexLocker m(mutex_);

95 if (cert_chain_ == NULL) {

96 cert_chain_ = cert_chain;

97 return true;

98 }

99 return false;

100 }

101

102 bool trust_builtin() {

103 MutexLocker m(mutex_);

104 return trust_builtin_;

105 }

106 void set_trust_builtin(bool trust_builtin) {

107 MutexLocker m(mutex_);

108 trust_builtin_ = trust_builtin;

109 }

110

111 private:

112 // The context is accessed both by Dart code and the IOService. This mutex

113 // protects all fields.

114 Mutex* mutex_;

115 CFMutableArrayRef trusted_certs_;

116 SecIdentityRef identity_;

117 CFArrayRef cert_chain_;

118 bool trust_builtin_;

119

120 DISALLOW_COPY_AND_ASSIGN(SSLCertContext);

121 };

122

123 // SSLFilter encapsulates the SecureTransport code in a filter that communicates

124 // with the containing _SecureFilterImpl Dart object through four shared

125 // ExternalByteArray buffers, for reading and writing plaintext, and

126 // reading and writing encrypted text. The filter handles handshaking

127 // and certificate verification.

128 class SSLFilter : public ReferenceCounted<SSLFilter> {

129 public:

130 // These enums must agree with those in sdk/lib/io/secure_socket.dart.

131 enum BufferIndex {

132 kReadPlaintext,

133 kWritePlaintext,

134 kReadEncrypted,

135 kWriteEncrypted,

136 kNumBuffers,

137 kFirstEncrypted = kReadEncrypted

138 };

139

140 SSLFilter()

141 : ReferenceCounted(),

142 cert_context_(NULL),

143 ssl_context_(NULL),

144 peer_certs_(NULL),

145 string_start_(NULL),

146 string_length_(NULL),

147 handshake_complete_(NULL),

148 bad_certificate_callback_(NULL),

149 in_handshake_(false),

150 connected_(false),

151 bad_cert_(false),

152 is_server_(false),

153 hostname_(NULL) {}

154

155 ~SSLFilter();

156

157 // Callback called by the IOService.

158 static CObject* ProcessFilterRequest(const CObjectArray& request);

159

160 Dart_Handle Init(Dart_Handle dart_this);

161 void Connect(Dart_Handle dart_this,

162 const char* hostname,

163 SSLCertContext* context,

164 bool is_server,

165 bool request_client_certificate,

166 bool require_client_certificate);

167 void Destroy();

168 OSStatus CheckHandshake();

169 void Renegotiate(bool use_session_cache,

170 bool request_client_certificate,

171 bool require_client_certificate);

172 void RegisterHandshakeCompleteCallback(Dart_Handle handshake_complete);

173 void RegisterBadCertificateCallback(Dart_Handle callback);

174 Dart_Handle PeerCertificate();

175

176 private:

177 static OSStatus SSLReadCallback(SSLConnectionRef connection,

178 void* data,

179 size_t* data_length);

180 static OSStatus SSLWriteCallback(SSLConnectionRef connection,

181 const void* data,

182 size_t* data_length);

183

184 static bool isBufferEncrypted(intptr_t i) {

185 return static_cast<BufferIndex>(i) >= kFirstEncrypted;

186 }

187 Dart_Handle InitializeBuffers(Dart_Handle dart_this);

188

189 intptr_t GetBufferStart(intptr_t idx) const;

190 intptr_t GetBufferEnd(intptr_t idx) const;

191 void SetBufferStart(intptr_t idx, intptr_t value);

192 void SetBufferEnd(intptr_t idx, intptr_t value);

193

194 OSStatus ProcessAllBuffers(intptr_t starts[kNumBuffers],

195 intptr_t ends[kNumBuffers],

196 bool in_handshake);

197 OSStatus ProcessReadPlaintextBuffer(intptr_t start,

198 intptr_t end,

199 intptr_t* bytes_processed);

200 OSStatus ProcessWritePlaintextBuffer(intptr_t start,

201 intptr_t end,

202 intptr_t* bytes_processed);

203

204 // These calls can block on IO, and should only be invoked from

205 // from ProcessAllBuffers from ProcessFilterRequest.

206 OSStatus EvaluatePeerTrust();

207 OSStatus Handshake();

208 Dart_Handle InvokeBadCertCallback(SecCertificateRef peer_cert);

209

210 RetainedPointer<SSLCertContext> cert_context_;

211 SSLContextRef ssl_context_;

212 CFArrayRef peer_certs_;

213

214 // starts and ends filled in at the start of ProcessAllBuffers.

215 // If these are NULL, then try to get the pointers out of

216 // dart_buffer_objects_.

217 uint8_t* buffers_[kNumBuffers];

218 intptr_t* buffer_starts_[kNumBuffers];

219 intptr_t* buffer_ends_[kNumBuffers];

220 intptr_t buffer_size_;

221 intptr_t encrypted_buffer_size_;

222 Dart_PersistentHandle string_start_;

223 Dart_PersistentHandle string_length_;

224 Dart_PersistentHandle dart_buffer_objects_[kNumBuffers];

225 Dart_PersistentHandle handshake_complete_;

226 Dart_PersistentHandle bad_certificate_callback_;

227 bool in_handshake_;

228 bool connected_;

229 bool bad_cert_;

230 bool is_server_;

231 char* hostname_;

232

233 DISALLOW_COPY_AND_ASSIGN(SSLFilter);

234 };

235

236 } // namespace bin

237 } // namespace dart

238

239 #endif // RUNTIME_BIN_SECURE_SOCKET_IOS_H_

OLD	NEW

« no previous file with comments | « runtime/bin/secure_socket_filter.cc ('k') | runtime/bin/secure_socket_ios.cc » ('j') | runtime/bin/secure_socket_utils.h » ('J')