Porting SecureSocket to use BoringSSL on OSX

runtime/bin/secure_socket_ios.cc

 // Copyright (c) 2016, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #if !defined(DART_IO_DISABLED) && !defined(DART_IO_SECURE_SOCKET_DISABLED)
 
 #include "platform/globals.h"
 #if HOST_OS_IOS
 
 #include "bin/secure_socket.h"
@@ skipping 16 matching lines @@
 #include "bin/log.h"
 #include "bin/socket.h"
 #include "bin/thread.h"
 #include "bin/utils.h"
 
 #include "platform/text_buffer.h"
 #include "platform/utils.h"
 
 #include "include/dart_api.h"
 
-// Return the error from the containing function if handle is an error handle.
-#define RETURN_IF_ERROR(handle)                                                \
-  {                                                                            \
-    Dart_Handle __handle = handle;                                             \
-    if (Dart_IsError((__handle))) {                                            \
-      return __handle;                                                         \
-    }                                                                          \
-  }
-
 namespace dart {
 namespace bin {
 
-static const int kSSLFilterNativeFieldIndex = 0;
-static const int kSecurityContextNativeFieldIndex = 0;
-static const int kX509NativeFieldIndex = 0;
+extern const int kSSLFilterNativeFieldIndex;
+extern const int kSecurityContextNativeFieldIndex;
 
-static const bool SSL_LOG_STATUS = false;
-static const bool SSL_LOG_DATA = false;
-static const bool SSL_LOG_CERTS = false;
-static const int SSL_ERROR_MESSAGE_BUFFER_SIZE = 1000;
-static const intptr_t PEM_BUFSIZE = 1024;
+const int kX509NativeFieldIndex = 0;
+
+const intptr_t SSLCertContext::kApproximateSize = sizeof(SSLCertContext);
+static void ReleaseCertificate(void* isolate_data,
+                               Dart_WeakPersistentHandle handle,
+                               void* context_pointer) {
+  SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(context_pointer);
+  CFRelease(cert);
+}
+
 
 static char* CFStringRefToCString(CFStringRef cfstring) {
   CFIndex len = CFStringGetLength(cfstring);
   CFIndex max_len =
       CFStringGetMaximumSizeForEncoding(len, kCFStringEncodingUTF8) + 1;
   char* result = reinterpret_cast<char*>(Dart_ScopeAllocate(max_len));
   ASSERT(result != NULL);
   bool success =
       CFStringGetCString(cfstring, result, max_len, kCFStringEncodingUTF8);
   return success ? result : NULL;
 }
 
 
-// Handle an error reported from the SecureTransport library.
-static void ThrowIOException(OSStatus status,
-                             const char* exception_type,
-                             const char* message) {
-  TextBuffer status_message(SSL_ERROR_MESSAGE_BUFFER_SIZE);
-  status_message.Printf("OSStatus = %ld: https://www.osstatus.com",
-                        static_cast<intptr_t>(status));
-  OSError os_error_struct(status, status_message.buf(), OSError::kBoringSSL);
-  Dart_Handle os_error = DartUtils::NewDartOSError(&os_error_struct);
-  Dart_Handle exception =
-      DartUtils::NewDartIOException(exception_type, message, os_error);
-  ASSERT(!Dart_IsError(exception));
-  Dart_ThrowException(exception);
-  UNREACHABLE();
-}
-
-
-static void CheckStatus(OSStatus status,
-                        const char* type,
-                        const char* message) {
-  if (status == noErr) {
-    return;
-  }
-  ThrowIOException(status, type, message);
-}
-
-
-static SSLFilter* GetFilter(Dart_NativeArguments args) {
-  SSLFilter* filter;
-  Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
-  ASSERT(Dart_IsInstance(dart_this));
-  ThrowIfError(
-      Dart_GetNativeInstanceField(dart_this, kSSLFilterNativeFieldIndex,
-                                  reinterpret_cast<intptr_t*>(&filter)));
-  return filter;
-}
-
-
-static void DeleteFilter(void* isolate_data,
-                         Dart_WeakPersistentHandle handle,
-                         void* context_pointer) {
-  SSLFilter* filter = reinterpret_cast<SSLFilter*>(context_pointer);
-  filter->Release();
-}
-
-
-static Dart_Handle SetFilter(Dart_NativeArguments args, SSLFilter* filter) {
-  ASSERT(filter != NULL);
-  const int approximate_size_of_filter = 1500;
-  Dart_Handle dart_this = Dart_GetNativeArgument(args, 0);
-  RETURN_IF_ERROR(dart_this);
-  ASSERT(Dart_IsInstance(dart_this));
-  Dart_Handle err =
-      Dart_SetNativeInstanceField(dart_this, kSSLFilterNativeFieldIndex,
-                                  reinterpret_cast<intptr_t>(filter));
-  RETURN_IF_ERROR(err);
-  Dart_NewWeakPersistentHandle(dart_this, reinterpret_cast<void*>(filter),
-                               approximate_size_of_filter, DeleteFilter);
-  return Dart_Null();
-}
-
-
-static SSLCertContext* GetSecurityContext(Dart_NativeArguments args) {
-  SSLCertContext* context;
-  Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
-  ASSERT(Dart_IsInstance(dart_this));
-  ThrowIfError(
-      Dart_GetNativeInstanceField(dart_this, kSecurityContextNativeFieldIndex,
-                                  reinterpret_cast<intptr_t*>(&context)));
-  return context;
-}
-
-
-static void DeleteCertContext(void* isolate_data,
-                              Dart_WeakPersistentHandle handle,
-                              void* context_pointer) {
-  SSLCertContext* context = static_cast<SSLCertContext*>(context_pointer);
-  context->Release();
-}
-
-
-static Dart_Handle SetSecurityContext(Dart_NativeArguments args,
-                                      SSLCertContext* context) {
-  const int approximate_size_of_context = 1500;
-  Dart_Handle dart_this = Dart_GetNativeArgument(args, 0);
-  RETURN_IF_ERROR(dart_this);
-  ASSERT(Dart_IsInstance(dart_this));
-  Dart_Handle err =
-      Dart_SetNativeInstanceField(dart_this, kSecurityContextNativeFieldIndex,
-                                  reinterpret_cast<intptr_t>(context));
-  RETURN_IF_ERROR(err);
-  Dart_NewWeakPersistentHandle(dart_this, context, approximate_size_of_context,
-                               DeleteCertContext);
-  return Dart_Null();
-}
-
-
 static SecCertificateRef GetX509Certificate(Dart_NativeArguments args) {
   SecCertificateRef certificate;
   Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
   ASSERT(Dart_IsInstance(dart_this));
   ThrowIfError(
       Dart_GetNativeInstanceField(dart_this, kX509NativeFieldIndex,
                                   reinterpret_cast<intptr_t*>(&certificate)));
   return certificate;
 }
 
 
-static void ReleaseCertificate(void* isolate_data,
-                               Dart_WeakPersistentHandle handle,
-                               void* context_pointer) {
-  SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(context_pointer);
-  CFRelease(cert);
-}
-
-
 static Dart_Handle WrappedX509Certificate(SecCertificateRef certificate) {
   const intptr_t approximate_size_of_certificate = 1500;
   if (certificate == NULL) {
     return Dart_Null();
   }
   Dart_Handle x509_type =
       DartUtils::GetDartType(DartUtils::kIOLibURL, "X509Certificate");
   if (Dart_IsError(x509_type)) {
     return x509_type;
   }
@@ skipping 15 matching lines @@
 
   Dart_Handle status = Dart_SetNativeInstanceField(
       result, kX509NativeFieldIndex, reinterpret_cast<intptr_t>(certificate));
   if (Dart_IsError(status)) {
     return status;
   }
   return result;
 }
 
 
-static const char* GetPasswordArgument(Dart_NativeArguments args,
-                                       intptr_t index) {
-  Dart_Handle password_object =
-      ThrowIfError(Dart_GetNativeArgument(args, index));
-  const char* password = NULL;
-  if (Dart_IsString(password_object)) {
-    ThrowIfError(Dart_StringToCString(password_object, &password));
-    if (strlen(password) > PEM_BUFSIZE - 1) {
-      Dart_ThrowException(DartUtils::NewDartArgumentError(
-          "Password length is greater than 1023 bytes."));
-    }
-  } else if (Dart_IsNull(password_object)) {
-    password = "";
-  } else {
-    Dart_ThrowException(
-        DartUtils::NewDartArgumentError("Password is not a String or null"));
+SecCertificateRef CreateMacosCertFromX509(X509* cert) {

[zra, 2017/05/26 18:11:12]

MacosCert seems a little off to me since the return type says you're making a
SecCertificate. Maybe: MacosCert -> SecCertificate so it would be
CreateSecCertificateFromX509.

[bkonyi, 2017/05/26 23:35:30]

Yes, that makes more sense. Done.

+  unsigned char* deb_cert = NULL;
+  int length = i2d_X509(cert, &deb_cert);
+  if (length < 0) {
+    return NULL;
   }
-  return password;
+  ASSERT(deb_cert != NULL);
+  CFDataRef cert_buf =
+      CFDataCreateWithBytesNoCopy(NULL, deb_cert, length, kCFAllocatorNull);
+  SecCertificateRef auth_cert = SecCertificateCreateWithData(NULL, cert_buf);
+  if (auth_cert == NULL) {
+    return NULL;
+  }
+  return auth_cert;
 }
 
 
-static OSStatus TryPKCS12Import(CFDataRef cfdata,
-                                CFStringRef password,
-                                CFArrayRef* out_certs,
-                                SecIdentityRef* out_identity) {
+int MacosCertVerificationCallback(X509_STORE_CTX* ctx, void* arg) {

[zra, 2017/05/26 18:11:12]

static

Maybe just CertVerificationCallback

[bkonyi, 2017/05/26 23:35:30]

I'll go with CertificateVerificationCallback to be consistent with
CertificateCallback. Done.

+  SSLCertContext* context = static_cast<SSLCertContext*>(arg);
+
+  // Convert BoringSSL formatted certificates to SecCertificate certificates.
+  CFMutableArrayRef cert_chain = NULL;
+  X509* root_cert = NULL;
+  if (ctx->untrusted != NULL) {
+    STACK_OF(X509)* user_provided_certs = ctx->untrusted;
+    int num_certs = sk_X509_num(user_provided_certs);
+    int current_cert = 0;
+    cert_chain = CFArrayCreateMutable(NULL, num_certs, NULL);
+    X509* ca;
+    while ((ca = sk_X509_shift(user_provided_certs)) != NULL) {
+      SecCertificateRef cert = CreateMacosCertFromX509(ca);
+      ASSERT(cert != NULL);

[zra, 2017/05/26 18:11:12]

Verification should probably fail if we can't parse the cert.

[bkonyi, 2017/05/26 23:35:30]

Done.

+      CFArrayAppendValue(cert_chain, cert);
+      CFRelease(cert);
+
+      ++current_cert;
+      if (current_cert == num_certs) {
+        root_cert = ca;
+      }
+    }
+  }
+
+  // Generate a generic X509 verification policy.
+  SecPolicyRef policy = SecPolicyCreateBasicX509();
+
+  // Create the trust object with the certificates provided by the user.
+  SecTrustRef trust = NULL;
+  OSStatus status = SecTrustCreateWithCertificates(cert_chain, policy, &trust);
+  if (status != noErr) {
+    CFRelease(cert_chain);
+    CFRelease(policy);
+    return ctx->verify_cb(0, ctx);
+  }
+
+  // If the user provided any additional CA certificates, add them to the trust
+  // object.
+  if (context->trusted_certs() != NULL) {
+    status = SecTrustSetAnchorCertificates(trust, context->trusted_certs());
+    if (status != noErr) {
+      CFRelease(cert_chain);
+      CFRelease(policy);
+      CFRelease(trust);
+      return ctx->verify_cb(0, ctx);
+    }
+  }
+
+  // Specify whether or not to use the built-in CA certificates for
+  // verification.
+  status = SecTrustSetAnchorCertificatesOnly(trust, !context->trust_builtin());
+  if (status != noErr) {
+    CFRelease(cert_chain);
+    CFRelease(policy);
+    CFRelease(trust);
+    return ctx->verify_cb(0, ctx);
+  }
+
+  // Perform the certificate verification.
+  SecTrustResultType trust_result;
+  status = SecTrustEvaluate(trust, &trust_result);
+  if (status != noErr) {
+    CFRelease(cert_chain);
+    CFRelease(policy);
+    CFRelease(trust);
+    return ctx->verify_cb(0, ctx);
+  }
+
+  CFRelease(cert_chain);
+  CFRelease(policy);
+  CFRelease(trust);
+
+  if ((trust_result == kSecTrustResultProceed) ||
+      (trust_result == kSecTrustResultUnspecified)) {
+    // Successfully verified certificate!
+    return ctx->verify_cb(1, ctx);
+  }
+
+  // Set current_cert to the root of the certificate chain. This will be passed
+  // to the callback provided by the user for additional verification steps.
+  ctx->current_cert = root_cert;
+  return ctx->verify_cb(0, ctx);
+}
+
+
+int CertificateCallback(int preverify_ok, X509_STORE_CTX* store_ctx) {

[zra, 2017/05/26 18:11:12]

static

[bkonyi, 2017/05/26 23:35:30]

Done.

+  if (preverify_ok == 1) {
+    return 1;
+  }
+  Dart_Isolate isolate = Dart_CurrentIsolate();
+  if (isolate == NULL) {
+    FATAL("CertificateCallback called with no current isolate\n");
+  }
+  int ssl_index = SSL_get_ex_data_X509_STORE_CTX_idx();
+  SSL* ssl =
+      static_cast<SSL*>(X509_STORE_CTX_get_ex_data(store_ctx, ssl_index));
+  SSLFilter* filter = static_cast<SSLFilter*>(
+      SSL_get_ex_data(ssl, SSLFilter::filter_ssl_index));
+  X509* certificate = X509_STORE_CTX_get_current_cert(store_ctx);
+  Dart_Handle callback = filter->bad_certificate_callback();
+  if (Dart_IsNull(callback)) {
+    return 0;
+  }
+
+  // Upref since the Dart X509 object may outlive the SecurityContext.
+  if (certificate != NULL) {
+    X509_up_ref(certificate);
+  }
+  Dart_Handle args[1];
+  args[0] = WrappedX509Certificate(CreateMacosCertFromX509(certificate));
+  if (Dart_IsError(args[0])) {
+    filter->callback_error = args[0];
+    return 0;
+  }
+  Dart_Handle result = Dart_InvokeClosure(callback, 1, args);
+  if (!Dart_IsError(result) && !Dart_IsBoolean(result)) {
+    result = Dart_NewUnhandledExceptionError(DartUtils::NewDartIOException(
+        "HandshakeException",
+        "BadCertificateCallback returned a value that was not a boolean",
+        Dart_Null()));
+  }
+  if (Dart_IsError(result)) {
+    filter->callback_error = result;
+    return 0;
+  }
+  return DartUtils::GetBooleanValue(result);
+}
+
+
+void SSLFilter::RegisterCallbacks(SSLCertContext* cert_ctx) {
+  SSL_CTX* ctx = SSL_get_SSL_CTX(ssl_);
+  SSL_CTX_set_cert_verify_callback(ctx, MacosCertVerificationCallback,
+                                   cert_ctx);
+}
+
+
+Dart_Handle SSLFilter::PeerCertificate() {
+  X509* ca = SSL_get_peer_certificate(ssl_);
+  if (ca == NULL) {
+    return Dart_Null();
+  }
+  SecCertificateRef peer = CreateMacosCertFromX509(ca);

[zra, 2017/05/26 18:11:12]

NULL check?

[bkonyi, 2017/05/26 23:35:30]

I've added a check to see if peer == NULL. At this point, we really shouldn't
have issues parsing the cert since we should have already done it at some point
during the certificate verification callback. Should this be an ASSERT instead?

+  return WrappedX509Certificate(peer);
+}
+
+
+OSStatus TryPKCS12Import(CFDataRef cfdata,
+                         CFStringRef password,
+                         CFArrayRef* out_certs,
+                         SecIdentityRef* out_identity) {
   const void* keys[] = {kSecImportExportPassphrase};
   const void* values[] = {password};
   CFDictionaryRef params =
       CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
   CFArrayRef items = NULL;
   OSStatus status = SecPKCS12Import(cfdata, params, &items);
   CFRelease(params);
 
   if (status != noErr) {
     if (SSL_LOG_STATUS) {
@@ skipping 80 matching lines @@
     *out_identity = result_identity;
   }
 
   // On failure, don't return any objects.
   ASSERT((status == noErr) ||
          ((result_certs == NULL) && (result_identity == NULL)));
   return status;
 }
 
 
-static OSStatus ExtractSecItems(uint8_t* buffer,
-                                intptr_t length,
-                                const char* password,
-                                CFArrayRef* out_certs,
-                                SecIdentityRef* out_identity) {
-  ASSERT(buffer != NULL);
-  ASSERT(password != NULL);
-  OSStatus status = noErr;
-
-  CFDataRef cfdata =
-      CFDataCreateWithBytesNoCopy(NULL, buffer, length, kCFAllocatorNull);
-  CFStringRef cfpassword = CFStringCreateWithCStringNoCopy(
-      NULL, password, kCFStringEncodingUTF8, kCFAllocatorNull);
-  ASSERT(cfdata != NULL);
-  ASSERT(cfpassword != NULL);
-
-  status = TryPKCS12Import(cfdata, cfpassword, out_certs, out_identity);
-
-  CFRelease(cfdata);
-  CFRelease(cfpassword);
-  return status;
-}
-
-
-void FUNCTION_NAME(SecureSocket_Init)(Dart_NativeArguments args) {
-  Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
-  SSLFilter* filter = new SSLFilter();  // Deleted in DeleteFilter finalizer.
-  Dart_Handle err = SetFilter(args, filter);
-  if (Dart_IsError(err)) {
-    filter->Release();
-    Dart_PropagateError(err);
-  }
-  err = filter->Init(dart_this);
-  if (Dart_IsError(err)) {
-    // The finalizer was set up by SetFilter. It will delete `filter` if there
-    // is an error.
-    filter->Destroy();
-    Dart_PropagateError(err);
-  }
-}
-
-
-void FUNCTION_NAME(SecureSocket_Connect)(Dart_NativeArguments args) {
-  Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
-  Dart_Handle host_name_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
-  Dart_Handle context_object = ThrowIfError(Dart_GetNativeArgument(args, 2));
-  bool is_server = DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 3));
-  bool request_client_certificate =
-      DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 4));
-  bool require_client_certificate =
-      DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 5));
-
-  const char* host_name = NULL;
-  // TODO(whesse): Is truncating a Dart string containing \0 what we want?
-  ThrowIfError(Dart_StringToCString(host_name_object, &host_name));
-
-  SSLCertContext* context = NULL;
-  if (!Dart_IsNull(context_object)) {
-    ThrowIfError(Dart_GetNativeInstanceField(
-        context_object, kSecurityContextNativeFieldIndex,
-        reinterpret_cast<intptr_t*>(&context)));
-  }
-
-  GetFilter(args)->Connect(dart_this, host_name, context, is_server,
-                           request_client_certificate,
-                           require_client_certificate);
-}
-
-
-void FUNCTION_NAME(SecureSocket_Destroy)(Dart_NativeArguments args) {
-  SSLFilter* filter = GetFilter(args);
-  // The SSLFilter is deleted in the finalizer for the Dart object created by
-  // SetFilter. There is no need to NULL-out the native field for the SSLFilter
-  // here because the SSLFilter won't be deleted until the finalizer for the
-  // Dart object runs while the Dart object is being GCd. This approach avoids a
-  // leak if Destroy isn't called, and avoids a NULL-dereference if Destroy is
-  // called more than once.
-  filter->Destroy();
-}
-
-
-void FUNCTION_NAME(SecureSocket_Handshake)(Dart_NativeArguments args) {
-  OSStatus status = GetFilter(args)->CheckHandshake();
-  CheckStatus(status, "HandshakeException", "Handshake error");
-}
-
-
-void FUNCTION_NAME(SecureSocket_GetSelectedProtocol)(
-    Dart_NativeArguments args) {
-  Dart_SetReturnValue(args, Dart_Null());
-}
-
-
-void FUNCTION_NAME(SecureSocket_Renegotiate)(Dart_NativeArguments args) {
-  bool use_session_cache =
-      DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 1));
-  bool request_client_certificate =
-      DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 2));
-  bool require_client_certificate =
-      DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 3));
-  GetFilter(args)->Renegotiate(use_session_cache, request_client_certificate,
-                               require_client_certificate);
-}
-
-
-void FUNCTION_NAME(SecureSocket_RegisterHandshakeCompleteCallback)(
-    Dart_NativeArguments args) {
-  Dart_Handle handshake_complete =
-      ThrowIfError(Dart_GetNativeArgument(args, 1));
-  if (!Dart_IsClosure(handshake_complete)) {
-    Dart_ThrowException(DartUtils::NewDartArgumentError(
-        "Illegal argument to RegisterHandshakeCompleteCallback"));
-  }
-  GetFilter(args)->RegisterHandshakeCompleteCallback(handshake_complete);
-}
-
-
-void FUNCTION_NAME(SecureSocket_RegisterBadCertificateCallback)(
-    Dart_NativeArguments args) {
-  Dart_Handle callback = ThrowIfError(Dart_GetNativeArgument(args, 1));
-  if (!Dart_IsClosure(callback) && !Dart_IsNull(callback)) {
-    Dart_ThrowException(DartUtils::NewDartArgumentError(
-        "Illegal argument to RegisterBadCertificateCallback"));
-  }
-  GetFilter(args)->RegisterBadCertificateCallback(callback);
-}
-
-
-void FUNCTION_NAME(SecureSocket_PeerCertificate)(Dart_NativeArguments args) {
-  Dart_SetReturnValue(args, GetFilter(args)->PeerCertificate());
-}
-
-
-void FUNCTION_NAME(SecureSocket_FilterPointer)(Dart_NativeArguments args) {
-  SSLFilter* filter = GetFilter(args);
-  // This filter pointer is passed to the IO Service thread. The IO Service
-  // thread must Release() the pointer when it is done with it.
-  filter->Retain();
-  intptr_t filter_pointer = reinterpret_cast<intptr_t>(filter);
-  Dart_SetReturnValue(args, Dart_NewInteger(filter_pointer));
-}
-
-
-void FUNCTION_NAME(SecurityContext_Allocate)(Dart_NativeArguments args) {
-  SSLCertContext* cert_context = new SSLCertContext();
-  // cert_context deleted in DeleteCertContext finalizer.
-  Dart_Handle err = SetSecurityContext(args, cert_context);
-  if (Dart_IsError(err)) {
-    cert_context->Release();
-    Dart_PropagateError(err);
-  }
-}
-
-
-void FUNCTION_NAME(SecurityContext_UsePrivateKeyBytes)(
-    Dart_NativeArguments args) {
-  SSLCertContext* context = GetSecurityContext(args);
-  const char* password = GetPasswordArgument(args, 2);
-
-  OSStatus status;
-  CFArrayRef cert_chain = NULL;
-  SecIdentityRef identity = NULL;
-  {
-    ScopedMemBuffer buffer(ThrowIfError(Dart_GetNativeArgument(args, 1)));
-    status = ExtractSecItems(buffer.get(), buffer.length(), password,
-                             &cert_chain, &identity);
-  }
-
-  // Set the context fields. Repeated calls to usePrivateKeyBytes are an error.
-  bool set_failure = false;
-  if ((identity != NULL) && !context->set_identity(identity)) {
-    CFRelease(identity);
-    if (cert_chain != NULL) {
-      CFRelease(cert_chain);
-    }
-    set_failure = true;
-  }
-
-  // We can't have set a cert_chain without also having set an identity.
-  // That is, if context->set_identity() succeeds, then it is impossible for
-  // context->set_cert_chain() to fail. This is because SecPKCS12Import never
-  // returns a cert chain without also returning a private key.
-  ASSERT(set_failure || (context->cert_chain() == NULL));
-  if (!set_failure && (cert_chain != NULL)) {
-    context->set_cert_chain(cert_chain);
-  }
-
-  if (set_failure) {
-    Dart_ThrowException(DartUtils::NewDartArgumentError(
-        "usePrivateKeyBytes has already been called on the given context."));
-  }
-  CheckStatus(status, "TlsException", "Failure in usePrivateKeyBytes");
-}
-
-
 void FUNCTION_NAME(SecurityContext_SetTrustedCertificatesBytes)(
     Dart_NativeArguments args) {
-  SSLCertContext* context = GetSecurityContext(args);
+  SSLCertContext* context = SSLCertContext::GetSecurityContext(args);
 
   OSStatus status = noErr;
-  SecCertificateRef cert = NULL;
+  CFTypeRef cert = NULL;
   {
     ScopedMemBuffer buffer(ThrowIfError(Dart_GetNativeArgument(args, 1)));
     CFDataRef cfdata = CFDataCreateWithBytesNoCopy(
         NULL, buffer.get(), buffer.length(), kCFAllocatorNull);
-    cert = SecCertificateCreateWithData(NULL, cfdata);
+    cert =
+        reinterpret_cast<CFTypeRef>(SecCertificateCreateWithData(NULL, cfdata));
     CFRelease(cfdata);
   }
 
   // Add the certs to the context.
   if (cert != NULL) {
-    context->add_trusted_cert(cert);
+    CFMutableArrayRef certs =
+        CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+    CFArrayAppendValue(certs, cert);
+    context->set_trusted_certs(certs);
   } else {
     status = errSSLBadCert;
   }
   CheckStatus(status, "TlsException", "Failure in setTrustedCertificatesBytes");
 }
 
 
-void FUNCTION_NAME(SecurityContext_AlpnSupported)(Dart_NativeArguments args) {
-  Dart_SetReturnValue(args, Dart_NewBoolean(false));
-}
-
-
-void FUNCTION_NAME(SecurityContext_TrustBuiltinRoots)(
-    Dart_NativeArguments args) {
-  SSLCertContext* context = GetSecurityContext(args);
-  context->set_trust_builtin(true);
-}
-
-
 void FUNCTION_NAME(SecurityContext_UseCertificateChainBytes)(
     Dart_NativeArguments args) {
   // This is a no-op on iOS. We get the cert chain along with the private key
-  // in UsePrivateyKeyBytes().
+  // in UsePrivateKeyBytes().
 }
 
 
 void FUNCTION_NAME(SecurityContext_SetClientAuthoritiesBytes)(
     Dart_NativeArguments args) {
   Dart_ThrowException(DartUtils::NewDartUnsupportedError(
       "SecurityContext.setClientAuthoritiesBytes is not supported on this "
       "platform."));
 }
 
 
-void FUNCTION_NAME(SecurityContext_SetAlpnProtocols)(
-    Dart_NativeArguments args) {
-  Dart_ThrowException(DartUtils::NewDartUnsupportedError(
-      "ALPN is not supported on this platform"));
+void FUNCTION_NAME(SecurityContext_AlpnSupported)(Dart_NativeArguments args) {
+  Dart_SetReturnValue(args, Dart_NewBoolean(true));
 }
 
 
+void FUNCTION_NAME(SecurityContext_TrustBuiltinRoots)(
+    Dart_NativeArguments args) {
+  SSLCertContext* context = SSLCertContext::GetSecurityContext(args);
+  context->set_trust_builtin(true);
+}
+
+
 void FUNCTION_NAME(X509_Subject)(Dart_NativeArguments args) {
   SecCertificateRef certificate = GetX509Certificate(args);
   CFStringRef cfsubject = SecCertificateCopySubjectSummary(certificate);
   if (cfsubject != NULL) {
     char* csubject = CFStringRefToCString(cfsubject);
     CFRelease(cfsubject);
     Dart_SetReturnValue(args, Dart_NewStringFromCString(csubject));
   } else {
     Dart_ThrowException(DartUtils::NewDartArgumentError(
         "X509.subject failed to find subject's common name."));
@@ skipping 11 matching lines @@
   Dart_ThrowException(DartUtils::NewDartUnsupportedError(
       "X509Certificate.startValidity is not supported on this platform."));
 }
 
 
 void FUNCTION_NAME(X509_EndValidity)(Dart_NativeArguments args) {
   Dart_ThrowException(DartUtils::NewDartUnsupportedError(
       "X509Certificate.endValidity is not supported on this platform."));
 }
 
-
-// Pushes data through the SSL filter, reading and writing from circular
-// buffers shared with Dart. Called from the IOService thread.
-//
-// The Dart _SecureFilterImpl class contains 4 ExternalByteArrays used to
-// pass encrypted and plaintext data to and from the C++ SSLFilter object.
-//
-// ProcessFilter is called with a CObject array containing the pointer to
-// the SSLFilter, encoded as an int, and the start and end positions of the
-// valid data in the four circular buffers.  The function only reads from
-// the valid data area of the input buffers, and only writes to the free
-// area of the output buffers.  The function returns the new start and end
-// positions in the buffers, but it only updates start for input buffers, and
-// end for output buffers.  Therefore, the Dart thread can simultaneously
-// write to the free space and end pointer of input buffers, and read from
-// the data space of output buffers, and modify the start pointer.
-//
-// When ProcessFilter returns, the Dart thread is responsible for combining
-// the updated pointers from Dart and C++, to make the new valid state of
-// the circular buffer.
-CObject* SSLFilter::ProcessFilterRequest(const CObjectArray& request) {
-  CObjectIntptr filter_object(request[0]);
-  SSLFilter* filter = reinterpret_cast<SSLFilter*>(filter_object.Value());
-  RefCntReleaseScope<SSLFilter> rs(filter);
-
-  bool in_handshake = CObjectBool(request[1]).Value();
-  intptr_t starts[SSLFilter::kNumBuffers];
-  intptr_t ends[SSLFilter::kNumBuffers];
-  for (intptr_t i = 0; i < SSLFilter::kNumBuffers; ++i) {
-    starts[i] = CObjectInt32(request[2 * i + 2]).Value();
-    ends[i] = CObjectInt32(request[2 * i + 3]).Value();
-  }
-
-  OSStatus status = filter->ProcessAllBuffers(starts, ends, in_handshake);
-  if (status == noErr) {
-    CObjectArray* result =
-        new CObjectArray(CObject::NewArray(SSLFilter::kNumBuffers * 2));
-    for (intptr_t i = 0; i < SSLFilter::kNumBuffers; ++i) {
-      result->SetAt(2 * i, new CObjectInt32(CObject::NewInt32(starts[i])));
-      result->SetAt(2 * i + 1, new CObjectInt32(CObject::NewInt32(ends[i])));
-    }
-    return result;
-  } else {
-    TextBuffer status_message(SSL_ERROR_MESSAGE_BUFFER_SIZE);
-    status_message.Printf("OSStatus = %ld: https://www.osstatus.com",
-                          static_cast<intptr_t>(status));
-    CObjectArray* result = new CObjectArray(CObject::NewArray(2));
-    result->SetAt(0, new CObjectInt32(CObject::NewInt32(status)));
-    result->SetAt(1,
-                  new CObjectString(CObject::NewString(status_message.buf())));
-    return result;
-  }
-}
-
-
-// Usually buffer_starts_ and buffer_ends_ are populated by ProcessAllBuffers,
-// called from ProcessFilterRequest, called from the IOService thread.
-// However, the first call to SSLHandshake comes from the Dart thread, and so
-// doesn't go through there. This results in calls to SSLReadCallback and
-// SSLWriteCallback in which buffer_starts_ and buffer_ends_ haven't been set
-// up. In that case, since we're coming from Dart anyway, we can access the
-// fieds directly from the Dart objects.
-intptr_t SSLFilter::GetBufferStart(intptr_t idx) const {
-  if (buffer_starts_[idx] != NULL) {
-    return *buffer_starts_[idx];
-  }
-  Dart_Handle buffer_handle =
-      ThrowIfError(Dart_HandleFromPersistent(dart_buffer_objects_[idx]));
-  Dart_Handle start_handle =
-      ThrowIfError(Dart_GetField(buffer_handle, DartUtils::NewString("start")));
-  int64_t start = DartUtils::GetIntegerValue(start_handle);
-  return static_cast<intptr_t>(start);
-}
-
-
-intptr_t SSLFilter::GetBufferEnd(intptr_t idx) const {
-  if (buffer_ends_[idx] != NULL) {
-    return *buffer_ends_[idx];
-  }
-  Dart_Handle buffer_handle =
-      ThrowIfError(Dart_HandleFromPersistent(dart_buffer_objects_[idx]));
-  Dart_Handle end_handle =
-      ThrowIfError(Dart_GetField(buffer_handle, DartUtils::NewString("end")));
-  int64_t end = DartUtils::GetIntegerValue(end_handle);
-  return static_cast<intptr_t>(end);
-}
-
-
-void SSLFilter::SetBufferStart(intptr_t idx, intptr_t value) {
-  if (buffer_starts_[idx] != NULL) {
-    *buffer_starts_[idx] = value;
-    return;
-  }
-  Dart_Handle buffer_handle =
-      ThrowIfError(Dart_HandleFromPersistent(dart_buffer_objects_[idx]));
-  ThrowIfError(DartUtils::SetIntegerField(buffer_handle, "start",
-                                          static_cast<int64_t>(value)));
-}
-
-
-void SSLFilter::SetBufferEnd(intptr_t idx, intptr_t value) {
-  if (buffer_ends_[idx] != NULL) {
-    *buffer_ends_[idx] = value;
-    return;
-  }
-  Dart_Handle buffer_handle =
-      ThrowIfError(Dart_HandleFromPersistent(dart_buffer_objects_[idx]));
-  ThrowIfError(DartUtils::SetIntegerField(buffer_handle, "end",
-                                          static_cast<int64_t>(value)));
-}
-
-
-OSStatus SSLFilter::ProcessAllBuffers(intptr_t starts[kNumBuffers],
-                                      intptr_t ends[kNumBuffers],
-                                      bool in_handshake) {
-  for (intptr_t i = 0; i < kNumBuffers; ++i) {
-    buffer_starts_[i] = &starts[i];
-    buffer_ends_[i] = &ends[i];
-  }
-
-  if (in_handshake) {
-    OSStatus status = Handshake();
-    if (status != noErr) {
-      return status;
-    }
-  } else {
-    for (intptr_t i = 0; i < kNumBuffers; ++i) {
-      intptr_t start = starts[i];
-      intptr_t end = ends[i];
-      intptr_t size =
-          isBufferEncrypted(i) ? encrypted_buffer_size_ : buffer_size_;
-      if (start < 0 || end < 0 || start >= size || end >= size) {
-        FATAL("Out-of-bounds internal buffer access in dart:io SecureSocket");
-      }
-      switch (i) {
-        case kReadPlaintext:
-          // Write data to the circular buffer's free space.  If the buffer
-          // is full, neither if statement is executed and nothing happens.
-          if (start <= end) {
-            // If the free space may be split into two segments,
-            // then the first is [end, size), unless start == 0.
-            // Then, since the last free byte is at position start - 2,
-            // the interval is [end, size - 1).
-            intptr_t buffer_end = (start == 0) ? size - 1 : size;
-            intptr_t bytes = 0;
-            OSStatus status =
-                ProcessReadPlaintextBuffer(end, buffer_end, &bytes);
-            if ((status != noErr) && (status != errSSLWouldBlock)) {
-              return status;
-            }
-            end += bytes;
-            ASSERT(end <= size);
-            if (end == size) {
-              end = 0;
-            }
-          }
-          if (start > end + 1) {
-            intptr_t bytes = 0;
-            OSStatus status =
-                ProcessReadPlaintextBuffer(end, start - 1, &bytes);
-            if ((status != noErr) && (status != errSSLWouldBlock)) {
-              return status;
-            }
-            end += bytes;
-            ASSERT(end < start);
-          }
-          ends[i] = end;
-          break;
-        case kWritePlaintext:
-          // Read/Write data from circular buffer.  If the buffer is empty,
-          // neither if statement's condition is true.
-          if (end < start) {
-            // Data may be split into two segments.  In this case,
-            // the first is [start, size).
-            intptr_t bytes = 0;
-            OSStatus status = ProcessWritePlaintextBuffer(start, size, &bytes);
-            if ((status != noErr) && (status != errSSLWouldBlock)) {
-              return status;
-            }
-            start += bytes;
-            ASSERT(start <= size);
-            if (start == size) {
-              start = 0;
-            }
-          }
-          if (start < end) {
-            intptr_t bytes = 0;
-            OSStatus status = ProcessWritePlaintextBuffer(start, end, &bytes);
-            if ((status != noErr) && (status != errSSLWouldBlock)) {
-              return status;
-            }
-            start += bytes;
-            ASSERT(start <= end);
-          }
-          starts[i] = start;
-          break;
-        case kReadEncrypted:
-        case kWriteEncrypted:
-          // These buffers are advanced through SSLReadCallback and
-          // SSLWriteCallback, which are called from SSLRead, SSLWrite, and
-          // SSLHandshake.
-          break;
-        default:
-          UNREACHABLE();
-      }
-    }
-  }
-
-  for (intptr_t i = 0; i < kNumBuffers; ++i) {
-    buffer_starts_[i] = NULL;
-    buffer_ends_[i] = NULL;
-  }
-  return noErr;
-}
-
-
-Dart_Handle SSLFilter::Init(Dart_Handle dart_this) {
-  ASSERT(string_start_ == NULL);
-  string_start_ = Dart_NewPersistentHandle(DartUtils::NewString("start"));
-  ASSERT(string_start_ != NULL);
-  ASSERT(string_length_ == NULL);
-  string_length_ = Dart_NewPersistentHandle(DartUtils::NewString("length"));
-  ASSERT(string_length_ != NULL);
-  ASSERT(bad_certificate_callback_ == NULL);
-  bad_certificate_callback_ = Dart_NewPersistentHandle(Dart_Null());
-  ASSERT(bad_certificate_callback_ != NULL);
-
-  // Caller handles cleanup on an error.
-  return InitializeBuffers(dart_this);
-}
-
-
-Dart_Handle SSLFilter::InitializeBuffers(Dart_Handle dart_this) {
-  // Create SSLFilter buffers as ExternalUint8Array objects.
-  Dart_Handle buffers_string = DartUtils::NewString("buffers");
-  RETURN_IF_ERROR(buffers_string);
-  Dart_Handle dart_buffers_object = Dart_GetField(dart_this, buffers_string);
-  RETURN_IF_ERROR(dart_buffers_object);
-  Dart_Handle secure_filter_impl_type = Dart_InstanceGetType(dart_this);
-  RETURN_IF_ERROR(secure_filter_impl_type);
-  Dart_Handle size_string = DartUtils::NewString("SIZE");
-  RETURN_IF_ERROR(size_string);
-  Dart_Handle dart_buffer_size =
-      Dart_GetField(secure_filter_impl_type, size_string);
-  RETURN_IF_ERROR(dart_buffer_size);
-
-  int64_t buffer_size = 0;
-  Dart_Handle err = Dart_IntegerToInt64(dart_buffer_size, &buffer_size);
-  RETURN_IF_ERROR(err);
-
-  Dart_Handle encrypted_size_string = DartUtils::NewString("ENCRYPTED_SIZE");
-  RETURN_IF_ERROR(encrypted_size_string);
-
-  Dart_Handle dart_encrypted_buffer_size =
-      Dart_GetField(secure_filter_impl_type, encrypted_size_string);
-  RETURN_IF_ERROR(dart_encrypted_buffer_size);
-
-  int64_t encrypted_buffer_size = 0;
-  err = Dart_IntegerToInt64(dart_encrypted_buffer_size, &encrypted_buffer_size);
-  RETURN_IF_ERROR(err);
-
-  if (buffer_size <= 0 || buffer_size > 1 * MB) {
-    FATAL("Invalid buffer size in _ExternalBuffer");
-  }
-  if (encrypted_buffer_size <= 0 || encrypted_buffer_size > 1 * MB) {
-    FATAL("Invalid encrypted buffer size in _ExternalBuffer");
-  }
-  buffer_size_ = static_cast<intptr_t>(buffer_size);
-  encrypted_buffer_size_ = static_cast<intptr_t>(encrypted_buffer_size);
-
-  Dart_Handle data_identifier = DartUtils::NewString("data");
-  RETURN_IF_ERROR(data_identifier);
-
-  for (int i = 0; i < kNumBuffers; i++) {
-    int size = isBufferEncrypted(i) ? encrypted_buffer_size_ : buffer_size_;
-    buffers_[i] = new uint8_t[size];
-    ASSERT(buffers_[i] != NULL);
-    buffer_starts_[i] = NULL;
-    buffer_ends_[i] = NULL;
-    dart_buffer_objects_[i] = NULL;
-  }
-
-  Dart_Handle result = Dart_Null();
-  for (int i = 0; i < kNumBuffers; ++i) {
-    int size = isBufferEncrypted(i) ? encrypted_buffer_size_ : buffer_size_;
-    result = Dart_ListGetAt(dart_buffers_object, i);
-    if (Dart_IsError(result)) {
-      break;
-    }
-
-    dart_buffer_objects_[i] = Dart_NewPersistentHandle(result);
-    ASSERT(dart_buffer_objects_[i] != NULL);
-    Dart_Handle data =
-        Dart_NewExternalTypedData(Dart_TypedData_kUint8, buffers_[i], size);
-    if (Dart_IsError(data)) {
-      result = data;
-      break;
-    }
-    result = Dart_HandleFromPersistent(dart_buffer_objects_[i]);
-    if (Dart_IsError(result)) {
-      break;
-    }
-    result = Dart_SetField(result, data_identifier, data);
-    if (Dart_IsError(result)) {
-      break;
-    }
-  }
-
-  // Caller handles cleanup on an error.
-  return result;
-}
-
-
-void SSLFilter::RegisterHandshakeCompleteCallback(Dart_Handle complete) {
-  ASSERT(NULL == handshake_complete_);
-  handshake_complete_ = Dart_NewPersistentHandle(complete);
-  ASSERT(handshake_complete_ != NULL);
-}
-
-
-void SSLFilter::RegisterBadCertificateCallback(Dart_Handle callback) {
-  ASSERT(bad_certificate_callback_ != NULL);
-  Dart_DeletePersistentHandle(bad_certificate_callback_);
-  bad_certificate_callback_ = Dart_NewPersistentHandle(callback);
-  ASSERT(bad_certificate_callback_ != NULL);
-}
-
-
-Dart_Handle SSLFilter::PeerCertificate() {
-  if (peer_certs_ == NULL) {
-    return Dart_Null();
-  }
-
-  CFTypeRef item = CFArrayGetValueAtIndex(peer_certs_, 0);
-  ASSERT(CFGetTypeID(item) == SecCertificateGetTypeID());
-  SecCertificateRef cert =
-      reinterpret_cast<SecCertificateRef>(const_cast<void*>(item));
-  if (cert == NULL) {
-    return Dart_Null();
-  }
-
-  return WrappedX509Certificate(cert);
-}
-
-
-void SSLFilter::Connect(Dart_Handle dart_this,
-                        const char* hostname,
-                        SSLCertContext* context,
-                        bool is_server,
-                        bool request_client_certificate,
-                        bool require_client_certificate) {
-  if (in_handshake_) {
-    FATAL("Connect called twice on the same _SecureFilter.");
-  }
-
-  // Create the underlying context
-  SSLContextRef ssl_context = SSLCreateContext(
-      NULL, is_server ? kSSLServerSide : kSSLClientSide, kSSLStreamType);
-
-  // Configure the context.
-  OSStatus status;
-  status = SSLSetPeerDomainName(ssl_context, hostname, strlen(hostname));
-  CheckStatus(status, "TlsException", "Failed to set peer domain name");
-
-  status = SSLSetIOFuncs(ssl_context, SSLFilter::SSLReadCallback,
-                         SSLFilter::SSLWriteCallback);
-  CheckStatus(status, "TlsException", "Failed to set IO Callbacks");
-
-  status =
-      SSLSetConnection(ssl_context, reinterpret_cast<SSLConnectionRef>(this));
-  CheckStatus(status, "TlsException", "Failed to set connection object");
-
-  // Always evaluate the certs manually so that we can cache the peer
-  // certificates in the context for calls to peerCertificate.
-  status = SSLSetSessionOption(ssl_context, kSSLSessionOptionBreakOnServerAuth,
-                               true);
-  CheckStatus(status, "TlsException", "Failed to set BreakOnServerAuth option");
-
-  status = SSLSetProtocolVersionMin(ssl_context, kTLSProtocol1);
-  CheckStatus(status, "TlsException",
-              "Failed to set minimum protocol version to kTLSProtocol1");
-
-  // If the context has an identity pass it to SSLSetCertificate().
-  if (context->identity() != NULL) {
-    CFMutableArrayRef chain =
-        CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
-    CFArrayAppendValue(chain, context->identity());
-
-    // Append the certificate chain if there is one.
-    if (context->cert_chain() != NULL) {
-      // Skip the first one, it's already included in the identity.
-      CFIndex chain_length = CFArrayGetCount(context->cert_chain());
-      if (chain_length > 1) {
-        CFArrayAppendArray(chain, context->cert_chain(),
-                           CFRangeMake(1, chain_length));
-      }
-    }
-
-    status = SSLSetCertificate(ssl_context, chain);
-    CFRelease(chain);
-    CheckStatus(status, "TlsException", "SSLSetCertificate failed");
-  }
-
-  if (is_server) {
-    SSLAuthenticate auth =
-        require_client_certificate
-            ? kAlwaysAuthenticate
-            : (request_client_certificate ? kTryAuthenticate
-                                          : kNeverAuthenticate);
-    status = SSLSetClientSideAuthenticate(ssl_context, auth);
-    CheckStatus(status, "TlsException",
-                "Failed to set client authentication mode");
-
-    // If we're at least trying client authentication, then break handshake
-    // for client authentication.
-    if (auth != kNeverAuthenticate) {
-      status = SSLSetSessionOption(ssl_context,
-                                   kSSLSessionOptionBreakOnClientAuth, true);
-      CheckStatus(status, "TlsException",
-                  "Failed to set client authentication mode");
-    }
-  }
-
-  // Add the contexts to our wrapper.
-  cert_context_.set(context);
-  ssl_context_ = ssl_context;
-  is_server_ = is_server;
-
-  // Kick-off the handshake. Expect the handshake to need more data.
-  // SSLHandshake calls our SSLReadCallback and SSLWriteCallback.
-  status = SSLHandshake(ssl_context);
-  ASSERT(status != noErr);
-  if (status == errSSLWouldBlock) {
-    status = noErr;
-    in_handshake_ = true;
-  }
-  CheckStatus(status, "HandshakeException", is_server_
-                                                ? "Handshake error in server"
-                                                : "Handshake error in client");
-}
-
-
-OSStatus SSLFilter::EvaluatePeerTrust() {
-  OSStatus status = noErr;
-
-  if (SSL_LOG_STATUS) {
-    Log::PrintErr("Handshake evaluating trust.\n");
-  }
-  SecTrustRef peer_trust = NULL;
-  status = SSLCopyPeerTrust(ssl_context_, &peer_trust);
-  if (status != noErr) {
-    if (is_server_ && (status == errSSLBadCert)) {
-      // A client certificate was requested, but not required, and wasn't sent.
-      return noErr;
-    }
-    if (SSL_LOG_STATUS) {
-      Log::PrintErr("Handshake error from SSLCopyPeerTrust(): %ld.\n",
-                    static_cast<intptr_t>(status));
-    }
-    return status;
-  }
-
-  CFArrayRef trusted_certs = NULL;
-  if (cert_context_.get()->trusted_certs() != NULL) {
-    trusted_certs =
-        CFArrayCreateCopy(NULL, cert_context_.get()->trusted_certs());
-  } else {
-    trusted_certs = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
-  }
-
-  status = SecTrustSetAnchorCertificates(peer_trust, trusted_certs);
-  if (status != noErr) {
-    if (SSL_LOG_STATUS) {
-      Log::PrintErr("Handshake error from SecTrustSetAnchorCertificates: %ld\n",
-                    static_cast<intptr_t>(status));
-    }
-    CFRelease(trusted_certs);
-    CFRelease(peer_trust);
-    return status;
-  }
-
-  if (SSL_LOG_STATUS) {
-    Log::PrintErr(
-        "Handshake %s built in root certs\n",
-        cert_context_.get()->trust_builtin() ? "trusting" : "not trusting");
-  }
-
-  status = SecTrustSetAnchorCertificatesOnly(
-      peer_trust, !cert_context_.get()->trust_builtin());
-  if (status != noErr) {
-    CFRelease(trusted_certs);
-    CFRelease(peer_trust);
-    return status;
-  }
-
-  SecTrustResultType trust_result;
-  status = SecTrustEvaluate(peer_trust, &trust_result);
-  if (status != noErr) {
-    CFRelease(trusted_certs);
-    CFRelease(peer_trust);
-    return status;
-  }
-
-  // Grab the peer's certificate chain.
-  CFIndex peer_chain_length = SecTrustGetCertificateCount(peer_trust);
-  CFMutableArrayRef peer_certs =
-      CFArrayCreateMutable(NULL, peer_chain_length, &kCFTypeArrayCallBacks);
-  for (CFIndex i = 0; i < peer_chain_length; ++i) {
-    CFArrayAppendValue(peer_certs,
-                       SecTrustGetCertificateAtIndex(peer_trust, i));
-  }
-  peer_certs_ = peer_certs;
-
-  CFRelease(trusted_certs);
-  CFRelease(peer_trust);
-
-  if ((trust_result == kSecTrustResultProceed) ||
-      (trust_result == kSecTrustResultUnspecified)) {
-    // Trusted.
-    return noErr;
-  } else {
-    if (SSL_LOG_STATUS) {
-      Log::PrintErr("Trust eval failed: trust_result = %d\n", trust_result);
-    }
-    bad_cert_ = true;
-    return errSSLBadCert;
-  }
-}
-
-
-OSStatus SSLFilter::Handshake() {
-  ASSERT(cert_context_.get() != NULL);
-  ASSERT(ssl_context_ != NULL);
-  // Try and push handshake along.
-  if (SSL_LOG_STATUS) {
-    Log::PrintErr("Doing SSLHandshake\n");
-  }
-  OSStatus status = SSLHandshake(ssl_context_);
-  if (SSL_LOG_STATUS) {
-    Log::PrintErr("SSLHandshake returned %ld\n", static_cast<intptr_t>(status));
-  }
-
-  if ((status == errSSLServerAuthCompleted) ||
-      (status == errSSLClientAuthCompleted)) {
-    status = EvaluatePeerTrust();
-    if (status == errSSLBadCert) {
-      // Need to invoke the bad certificate callback.
-      return noErr;
-    } else if (status != noErr) {
-      return status;
-    }
-    // When trust evaluation succeeds, we can call SSLHandshake again
-    // immediately.
-    status = SSLHandshake(ssl_context_);
-  }
-
-  if (status == errSSLWouldBlock) {
-    in_handshake_ = true;
-    return noErr;
-  }
-
-  // Handshake succeeded.
-  if ((in_handshake_) && (status == noErr)) {
-    if (SSL_LOG_STATUS) {
-      Log::PrintErr("Finished with the Handshake\n");
-    }
-    connected_ = true;
-  }
-  return status;
-}
-
-
-// Returns false if Handshake should fail, and true if Handshake should
-// proceed.
-Dart_Handle SSLFilter::InvokeBadCertCallback(SecCertificateRef peer_cert) {
-  Dart_Handle callback = bad_certificate_callback_;
-  if (Dart_IsNull(callback)) {
-    return callback;
-  }
-  Dart_Handle args[1];
-  args[0] = WrappedX509Certificate(peer_cert);
-  if (Dart_IsError(args[0])) {
-    return args[0];
-  }
-  Dart_Handle result = Dart_InvokeClosure(callback, 1, args);
-  if (!Dart_IsError(result) && !Dart_IsBoolean(result)) {
-    result = Dart_NewUnhandledExceptionError(DartUtils::NewDartIOException(
-        "HandshakeException",
-        "BadCertificateCallback returned a value that was not a boolean",
-        Dart_Null()));
-  }
-  return result;
-}
-
-
-OSStatus SSLFilter::CheckHandshake() {
-  if (bad_cert_ && in_handshake_) {
-    if (SSL_LOG_STATUS) {
-      Log::PrintErr("Invoking bad certificate callback\n");
-    }
-    ASSERT(peer_certs_ != NULL);
-    CFIndex peer_certs_len = CFArrayGetCount(peer_certs_);
-    ASSERT(peer_certs_len > 0);
-    CFTypeRef item = CFArrayGetValueAtIndex(peer_certs_, peer_certs_len - 1);
-    ASSERT(item != NULL);
-    ASSERT(CFGetTypeID(item) == SecCertificateGetTypeID());
-    SecCertificateRef peer_cert =
-        reinterpret_cast<SecCertificateRef>(const_cast<void*>(item));
-    Dart_Handle result = InvokeBadCertCallback(peer_cert);
-    ThrowIfError(result);
-    if (Dart_IsNull(result)) {
-      return errSSLBadCert;
-    } else {
-      bool good_cert = DartUtils::GetBooleanValue(result);
-      bad_cert_ = !good_cert;
-      return good_cert ? noErr : errSSLBadCert;
-    }
-  }
-
-  if (connected_ && in_handshake_) {
-    if (SSL_LOG_STATUS) {
-      Log::PrintErr("Invoking handshake complete callback\n");
-    }
-    ThrowIfError(Dart_InvokeClosure(
-        Dart_HandleFromPersistent(handshake_complete_), 0, NULL));
-    in_handshake_ = false;
-  }
-  return noErr;
-}
-
-
-void SSLFilter::Renegotiate(bool use_session_cache,
-                            bool request_client_certificate,
-                            bool require_client_certificate) {
-  // The SSL_REQUIRE_CERTIFICATE option only takes effect if the
-  // SSL_REQUEST_CERTIFICATE option is also set, so set it.
-  request_client_certificate =
-      request_client_certificate || require_client_certificate;
-  // TODO(24070, 24069): Implement setting the client certificate parameters,
-  //   and triggering rehandshake.
-}
-
-
-SSLFilter::~SSLFilter() {
-  if (ssl_context_ != NULL) {
-    CFRelease(ssl_context_);
-    ssl_context_ = NULL;
-  }
-  if (peer_certs_ != NULL) {
-    CFRelease(peer_certs_);
-    peer_certs_ = NULL;
-  }
-  if (hostname_ != NULL) {
-    free(hostname_);
-    hostname_ = NULL;
-  }
-  for (int i = 0; i < kNumBuffers; ++i) {
-    if (buffers_[i] != NULL) {
-      delete[] buffers_[i];
-      buffers_[i] = NULL;
-    }
-  }
-}
-
-
-void SSLFilter::Destroy() {
-  if (ssl_context_ != NULL) {
-    SSLClose(ssl_context_);
-  }
-  for (int i = 0; i < kNumBuffers; ++i) {
-    if (dart_buffer_objects_[i] != NULL) {
-      Dart_DeletePersistentHandle(dart_buffer_objects_[i]);
-      dart_buffer_objects_[i] = NULL;
-    }
-  }
-  if (string_start_ != NULL) {
-    Dart_DeletePersistentHandle(string_start_);
-    string_start_ = NULL;
-  }
-  if (string_length_ != NULL) {
-    Dart_DeletePersistentHandle(string_length_);
-    string_length_ = NULL;
-  }
-  if (handshake_complete_ != NULL) {
-    Dart_DeletePersistentHandle(handshake_complete_);
-    handshake_complete_ = NULL;
-  }
-  if (bad_certificate_callback_ != NULL) {
-    Dart_DeletePersistentHandle(bad_certificate_callback_);
-    bad_certificate_callback_ = NULL;
-  }
-}
-
-
-OSStatus SSLFilter::SSLReadCallback(SSLConnectionRef connection,
-                                    void* data,
-                                    size_t* data_requested) {
-  // Copy at most `data_requested` bytes from `buffers_[kReadEncrypted]` into
-  // `data`
-  ASSERT(connection != NULL);
-  ASSERT(data != NULL);
-  ASSERT(data_requested != NULL);
-
-  SSLFilter* filter =
-      const_cast<SSLFilter*>(reinterpret_cast<const SSLFilter*>(connection));
-  uint8_t* datap = reinterpret_cast<uint8_t*>(data);
-  uint8_t* buffer = filter->buffers_[kReadEncrypted];
-  intptr_t start = filter->GetBufferStart(kReadEncrypted);
-  intptr_t end = filter->GetBufferEnd(kReadEncrypted);
-  intptr_t size = filter->encrypted_buffer_size_;
-  intptr_t requested = static_cast<intptr_t>(*data_requested);
-  intptr_t data_read = 0;
-
-  if (end < start) {
-    // Data may be split into two segments.  In this case,
-    // the first is [start, size).
-    intptr_t buffer_end = (start == 0) ? size - 1 : size;
-    intptr_t available = buffer_end - start;
-    intptr_t bytes = requested < available ? requested : available;
-    memmove(datap, &buffer[start], bytes);
-    start += bytes;
-    datap += bytes;
-    data_read += bytes;
-    requested -= bytes;
-    ASSERT(start <= size);
-    if (start == size) {
-      start = 0;
-    }
-  }
-  if ((requested > 0) && (start < end)) {
-    intptr_t available = end - start;
-    intptr_t bytes = requested < available ? requested : available;
-    memmove(datap, &buffer[start], bytes);
-    start += bytes;
-    datap += bytes;
-    data_read += bytes;
-    requested -= bytes;
-    ASSERT(start <= end);
-  }
-
-  if (SSL_LOG_DATA) {
-    Log::PrintErr("SSLReadCallback: requested: %ld, read %ld bytes\n",
-                  *data_requested, data_read);
-  }
-
-  filter->SetBufferStart(kReadEncrypted, start);
-  bool short_read = data_read < static_cast<intptr_t>(*data_requested);
-  *data_requested = data_read;
-  return short_read ? errSSLWouldBlock : noErr;
-}
-
-
-// Read decrypted data from the filter to the circular buffer.
-OSStatus SSLFilter::ProcessReadPlaintextBuffer(intptr_t start,
-                                               intptr_t end,
-                                               intptr_t* bytes_processed) {
-  ASSERT(bytes_processed != NULL);
-  intptr_t length = end - start;
-  OSStatus status = noErr;
-  size_t bytes = 0;
-  if (length > 0) {
-    status =
-        SSLRead(ssl_context_,
-                reinterpret_cast<void*>((buffers_[kReadPlaintext] + start)),
-                length, &bytes);
-    if (SSL_LOG_STATUS) {
-      Log::PrintErr("SSLRead: status = %ld\n", static_cast<intptr_t>(status));
-    }
-    if ((status != noErr) && (status != errSSLWouldBlock)) {
-      *bytes_processed = 0;
-      return status;
-    }
-  }
-  if (SSL_LOG_DATA) {
-    Log::PrintErr(
-        "ProcessReadPlaintextBuffer: requested: %ld, read %ld bytes\n", length,
-        bytes);
-  }
-  *bytes_processed = static_cast<intptr_t>(bytes);
-  return status;
-}
-
-
-OSStatus SSLFilter::SSLWriteCallback(SSLConnectionRef connection,
-                                     const void* data,
-                                     size_t* data_provided) {
-  // Copy at most `data_provided` bytes from data into
-  // `buffers_[kWriteEncrypted]`.
-  ASSERT(connection != NULL);
-  ASSERT(data != NULL);
-  ASSERT(data_provided != NULL);
-
-  SSLFilter* filter =
-      const_cast<SSLFilter*>(reinterpret_cast<const SSLFilter*>(connection));
-  const uint8_t* datap = reinterpret_cast<const uint8_t*>(data);
-  uint8_t* buffer = filter->buffers_[kWriteEncrypted];
-  intptr_t start = filter->GetBufferStart(kWriteEncrypted);
-  intptr_t end = filter->GetBufferEnd(kWriteEncrypted);
-  intptr_t size = filter->encrypted_buffer_size_;
-  intptr_t provided = static_cast<intptr_t>(*data_provided);
-  intptr_t data_written = 0;
-
-  // is full, neither if statement is executed and nothing happens.
-  if (start <= end) {
-    // If the free space may be split into two segments,
-    // then the first is [end, size), unless start == 0.
-    // Then, since the last free byte is at position start - 2,
-    // the interval is [end, size - 1).
-    intptr_t buffer_end = (start == 0) ? size - 1 : size;
-    intptr_t available = buffer_end - end;
-    intptr_t bytes = provided < available ? provided : available;
-    memmove(&buffer[end], datap, bytes);
-    end += bytes;
-    datap += bytes;
-    data_written += bytes;
-    provided -= bytes;
-    ASSERT(end <= size);
-    if (end == size) {
-      end = 0;
-    }
-  }
-  if ((provided > 0) && (start > end + 1)) {
-    intptr_t available = (start - 1) - end;
-    intptr_t bytes = provided < available ? provided : available;
-    memmove(&buffer[end], datap, bytes);
-    end += bytes;
-    datap += bytes;
-    data_written += bytes;
-    provided -= bytes;
-    ASSERT(end < start);
-  }
-
-  if (SSL_LOG_DATA) {
-    Log::PrintErr("SSLWriteCallback: provided: %ld, written %ld bytes\n",
-                  *data_provided, data_written);
-  }
-
-  filter->SetBufferEnd(kWriteEncrypted, end);
-  *data_provided = data_written;
-  return (data_written == 0) ? errSSLWouldBlock : noErr;
-}
-
-
-OSStatus SSLFilter::ProcessWritePlaintextBuffer(intptr_t start,
-                                                intptr_t end,
-                                                intptr_t* bytes_processed) {
-  ASSERT(bytes_processed != NULL);
-  intptr_t length = end - start;
-  OSStatus status = noErr;
-  size_t bytes = 0;
-  if (length > 0) {
-    status =
-        SSLWrite(ssl_context_,
-                 reinterpret_cast<void*>(buffers_[kWritePlaintext] + start),
-                 length, &bytes);
-    if (SSL_LOG_STATUS) {
-      Log::PrintErr("SSLWrite: status = %ld\n", static_cast<intptr_t>(status));
-    }
-    if ((status != noErr) && (status != errSSLWouldBlock)) {
-      *bytes_processed = 0;
-      return status;
-    }
-  }
-  if (SSL_LOG_DATA) {
-    Log::PrintErr("ProcessWritePlaintextBuffer: requested: %ld, written: %ld\n",
-                  length, bytes);
-  }
-  *bytes_processed = static_cast<intptr_t>(bytes);
-  return status;
-}
-
 }  // namespace bin
 }  // namespace dart
 
 #endif  // HOST_OS_IOS
 
 #endif  // !defined(DART_IO_SECURE_SOCKET_DISABLED)