Porting SecureSocket to use BoringSSL on OSX

runtime/bin/secure_socket.h

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #ifndef RUNTIME_BIN_SECURE_SOCKET_H_
 #define RUNTIME_BIN_SECURE_SOCKET_H_
 
 #if defined(DART_IO_DISABLED) || defined(DART_IO_SECURE_SOCKET_DISABLED)
 #error "secure_socket.h can only be included on builds with SSL enabled"
 #endif
 
 #include "platform/globals.h"
 #if defined(HOST_OS_ANDROID) || defined(HOST_OS_LINUX) ||                      \
     defined(HOST_OS_WINDOWS) || defined(HOST_OS_FUCHSIA)
 #include "bin/secure_socket_boringssl.h"
 #elif defined(HOST_OS_MACOS)
 #if HOST_OS_IOS
 #include "bin/secure_socket_ios.h"
 #else  // HOST_OS_IOS
 #include "bin/secure_socket_macos.h"
 #endif  // HOST_OS_IOS
 #else
 #error Unknown target os.
 #endif
 
+#include <openssl/bio.h>

[zra, 2017/05/26 18:11:12]

These should go after platform/globals.h but before the includes under bin/

[bkonyi, 2017/05/26 23:35:30]

cpplint will complain if we do that. I get this output when trying to upload the
CL: "Found C system header after other header. Should be: secure_socket.h, c
system, c++ system, other.  [build/include_order] [4]"

+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+
+
+namespace dart {
+namespace bin {
+
+/* These are defined in root_certificates.cc. */
+extern const unsigned char* root_certificates_pem;
+extern unsigned int root_certificates_pem_length;
+
+const bool SSL_LOG_STATUS = false;
+const bool SSL_LOG_DATA = false;
+const bool SSL_LOG_CERTS = false;
+
+void ThrowIOException(int status,

[zra, 2017/05/26 18:11:12]

I'd make these statics of an SSLUtils class.

[bkonyi, 2017/05/26 23:35:30]

Done.

+                      const char* exception_type,
+                      const char* message,
+                      const SSL* ssl);
+
+void CheckStatusSSL(int status,
+                    const char* type,
+                    const char* message,
+                    const SSL* ssl);
+
+void CheckStatus(int status, const char* type, const char* message);

[zra, 2017/05/26 18:11:12]

"CheckStatus" in particular is probably not a great top-level name to introduce
into the dart::bin namespace

[bkonyi, 2017/05/26 23:35:30]

Yeah, I wasn't sure about this. I'll add it to the utils class.

+
+class SSLFilter : public ReferenceCounted<SSLFilter> {
+ public:
+  // These enums must agree with those in sdk/lib/io/secure_socket.dart.
+  enum BufferIndex {
+    kReadPlaintext,
+    kWritePlaintext,
+    kReadEncrypted,
+    kWriteEncrypted,
+    kNumBuffers,
+    kFirstEncrypted = kReadEncrypted
+  };
+
+  static const intptr_t kApproximateSize;
+
+  SSLFilter()
+      : callback_error(NULL),
+        ssl_(NULL),
+        socket_side_(NULL),
+        string_start_(NULL),
+        string_length_(NULL),
+        handshake_complete_(NULL),
+        bad_certificate_callback_(NULL),
+        in_handshake_(false),
+        hostname_(NULL) {}
+
+  ~SSLFilter();
+
+  Dart_Handle Init(Dart_Handle dart_this);
+  void Connect(const char* hostname,
+               SSLCertContext* context,
+               bool is_server,
+               bool request_client_certificate,
+               bool require_client_certificate,
+               Dart_Handle protocols_handle);
+  void Destroy();
+  void FreeResources();
+  void Handshake();
+  void GetSelectedProtocol(Dart_NativeArguments args);
+  void Renegotiate(bool use_session_cache,
+                   bool request_client_certificate,
+                   bool require_client_certificate);
+  void RegisterHandshakeCompleteCallback(Dart_Handle handshake_complete);
+  void RegisterBadCertificateCallback(Dart_Handle callback);
+  Dart_Handle bad_certificate_callback() {
+    return Dart_HandleFromPersistent(bad_certificate_callback_);
+  }
+  int ProcessReadPlaintextBuffer(int start, int end);
+  int ProcessWritePlaintextBuffer(int start, int end);
+  int ProcessReadEncryptedBuffer(int start, int end);
+  int ProcessWriteEncryptedBuffer(int start, int end);
+  bool ProcessAllBuffers(int starts[kNumBuffers],
+                         int ends[kNumBuffers],
+                         bool in_handshake);
+  Dart_Handle PeerCertificate();
+  static void InitializeLibrary();
+  Dart_Handle callback_error;
+
+  static CObject* ProcessFilterRequest(const CObjectArray& request);
+
+  // The index of the external data field in _ssl that points to the SSLFilter.
+  static int filter_ssl_index;
+
+  // TODO(whesse): make private:

[zra, 2017/05/26 18:11:12]

Maybe now is a good time to try to take care of this TODO.

[bkonyi, 2017/05/26 23:35:30]

Done.

+  SSL* ssl_;
+  BIO* socket_side_;
+
+ private:
+  void RegisterCallbacks(SSLCertContext* cert_ctx);
+
+  static const intptr_t kInternalBIOSize;
+  static bool library_initialized_;
+  static Mutex* mutex_;  // To protect library initialization.
+
+  uint8_t* buffers_[kNumBuffers];
+  int buffer_size_;
+  int encrypted_buffer_size_;
+  Dart_PersistentHandle string_start_;
+  Dart_PersistentHandle string_length_;
+  Dart_PersistentHandle dart_buffer_objects_[kNumBuffers];
+  Dart_PersistentHandle handshake_complete_;
+  Dart_PersistentHandle bad_certificate_callback_;
+  bool in_handshake_;
+  bool is_server_;
+  char* hostname_;
+
+  static bool isBufferEncrypted(int i) {

[zra, 2017/05/26 18:11:12]

IsBufferEncrypted

[bkonyi, 2017/05/26 23:35:30]

Done.

+    return static_cast<BufferIndex>(i) >= kFirstEncrypted;
+  }
+  Dart_Handle InitializeBuffers(Dart_Handle dart_this);
+  void InitializePlatformData();
+
+  DISALLOW_COPY_AND_ASSIGN(SSLFilter);
+};
+
+}  // namespace bin
+}  // namespace dart
+
 #endif  // RUNTIME_BIN_SECURE_SOCKET_H_