Porting SecureSocket to use BoringSSL on OSX

runtime/bin/secure_socket_macos.h

 // Copyright (c) 2016, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #ifndef RUNTIME_BIN_SECURE_SOCKET_MACOS_H_
 #define RUNTIME_BIN_SECURE_SOCKET_MACOS_H_
 
 #if !defined(RUNTIME_BIN_SECURE_SOCKET_H_)
 #error Do not include secure_socket_macos.h directly. Use secure_socket.h.
 #endif
 
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
 #include <sys/types.h>
 
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/SecureTransport.h>
 #include <Security/Security.h>
 
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+
 #include "bin/builtin.h"
 #include "bin/dartutils.h"
 #include "bin/lockers.h"
 #include "bin/reference_counting.h"
 #include "bin/socket.h"
 #include "bin/thread.h"
 #include "bin/utils.h"
 
 namespace dart {
 namespace bin {
 
+// Forward declaration
+class SSLFilter;
+
 // SSLCertContext wraps the certificates needed for a SecureTransport
 // connection. Fields are protected by the mutex_ field, and may only be set
 // once. This is to allow access by both the Dart thread and the IOService
 // thread. Setters return false if the field was already set.
 class SSLCertContext : public ReferenceCounted<SSLCertContext> {
  public:
-  SSLCertContext()
+  static const intptr_t kApproximateSize;
+
+  explicit SSLCertContext(SSL_CTX* context)
       : ReferenceCounted(),
-        mutex_(new Mutex()),
-        private_key_(NULL),
-        keychain_(NULL),
+        context_(context),
+        alpn_protocol_string_(NULL),
         cert_chain_(NULL),
         trusted_certs_(NULL),
         cert_authorities_(NULL),
         trust_builtin_(false) {}
 
   ~SSLCertContext() {
-    {
-      MutexLocker m(mutex_);
-      if (private_key_ != NULL) {
-        CFRelease(private_key_);
-      }
-      if (keychain_ != NULL) {
-        SecKeychainDelete(keychain_);
-        CFRelease(keychain_);
-      }
-      if (cert_chain_ != NULL) {
-        CFRelease(cert_chain_);
-      }
-      if (trusted_certs_ != NULL) {
-        CFRelease(trusted_certs_);
-      }
-      if (cert_authorities_ != NULL) {
-        CFRelease(cert_authorities_);
-      }
+    SSL_CTX_free(context_);
+    if (alpn_protocol_string_ != NULL) {
+      free(alpn_protocol_string_);
     }
-    delete mutex_;
+    if (cert_chain_ != NULL) {
+      CFRelease(cert_chain_);
+    }
+    if (trusted_certs_ != NULL) {
+      CFRelease(trusted_certs_);
+    }
+    if (cert_authorities_ != NULL) {
+      CFRelease(cert_authorities_);
+    }
   }
 
-  SecKeyRef private_key() {
-    MutexLocker m(mutex_);
-    return private_key_;
-  }
-  bool set_private_key(SecKeyRef private_key) {
-    MutexLocker m(mutex_);
-    if (private_key_ != NULL) {
-      return false;
+  static SSLCertContext* GetSecurityContext(Dart_NativeArguments args);
+  static const char* GetPasswordArgument(Dart_NativeArguments args,
+                                         intptr_t index);
+
+  SSL_CTX* context() const { return context_; }
+
+  uint8_t* alpn_protocol_string() const { return alpn_protocol_string_; }
+  void set_alpn_protocol_string(uint8_t* protocol_string) {
+    if (alpn_protocol_string_ != NULL) {
+      free(alpn_protocol_string_);
     }
-    private_key_ = private_key;
-    return true;
-  }
-
-  SecKeychainRef keychain() {
-    MutexLocker m(mutex_);
-    return keychain_;
-  }
-  bool set_keychain(SecKeychainRef keychain) {
-    MutexLocker m(mutex_);
-    if (keychain_ != NULL) {
-      return false;
-    }
-    keychain_ = keychain;
-    return true;
+    alpn_protocol_string_ = protocol_string;
   }
 
   CFArrayRef cert_chain() {

[zra, 2017/05/26 18:11:13]

const

[bkonyi, 2017/05/26 23:35:31]

Done.

-    MutexLocker m(mutex_);
     return cert_chain_;
   }
+
   bool set_cert_chain(CFArrayRef cert_chain) {
-    MutexLocker m(mutex_);
     if (cert_chain_ != NULL) {
       return false;
     }
     cert_chain_ = cert_chain;
     return true;
   }
 
   CFArrayRef trusted_certs() {

[zra, 2017/05/26 18:11:13]

const

[bkonyi, 2017/05/26 23:35:31]

Done.

-    MutexLocker m(mutex_);
     return trusted_certs_;
   }
+
   bool set_trusted_certs(CFArrayRef trusted_certs) {
-    MutexLocker m(mutex_);
     if (trusted_certs_ != NULL) {
       return false;
     }
     trusted_certs_ = trusted_certs;
     return true;
   }
 
   CFArrayRef cert_authorities() {

[zra, 2017/05/26 18:11:13]

const

[bkonyi, 2017/05/26 23:35:31]

Done.

-    MutexLocker m(mutex_);
     return cert_authorities_;
   }
+
   bool set_cert_authorities(CFArrayRef cert_authorities) {
-    MutexLocker m(mutex_);
     if (cert_authorities_ != NULL) {
       return false;
     }
     cert_authorities_ = cert_authorities;
     return true;
   }
 
   bool trust_builtin() {

[zra, 2017/05/26 18:11:13]

const

[bkonyi, 2017/05/26 23:35:31]

Done.

-    MutexLocker m(mutex_);
     return trust_builtin_;
   }
   void set_trust_builtin(bool trust_builtin) {
-    MutexLocker m(mutex_);
     trust_builtin_ = trust_builtin;
   }
 
+  void RegisterCallbacks(SSLFilter* filter);
+
  private:
-  // The context is accessed both by Dart code and the IOService. This mutex
-  // protects all fields.
-  Mutex* mutex_;
-
-  SecKeyRef private_key_;
-  SecKeychainRef keychain_;
+  SSL_CTX* context_;
+  uint8_t* alpn_protocol_string_;
 
   // CFArrays of SecCertificateRef.
   CFArrayRef cert_chain_;
   CFArrayRef trusted_certs_;
   CFArrayRef cert_authorities_;
 
   bool trust_builtin_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLCertContext);
 };
 
-// SSLFilter encapsulates the SecureTransport code in a filter that communicates
-// with the containing _SecureFilterImpl Dart object through four shared
-// ExternalByteArray buffers, for reading and writing plaintext, and
-// reading and writing encrypted text.  The filter handles handshaking
-// and certificate verification.
-class SSLFilter : public ReferenceCounted<SSLFilter> {
- public:
-  // These enums must agree with those in sdk/lib/io/secure_socket.dart.
-  enum BufferIndex {
-    kReadPlaintext,
-    kWritePlaintext,
-    kReadEncrypted,
-    kWriteEncrypted,
-    kNumBuffers,
-    kFirstEncrypted = kReadEncrypted
-  };
-
-  SSLFilter()
-      : ReferenceCounted(),
-        cert_context_(NULL),
-        ssl_context_(NULL),
-        peer_certs_(NULL),
-        string_start_(NULL),
-        string_length_(NULL),
-        handshake_complete_(NULL),
-        bad_certificate_callback_(NULL),
-        in_handshake_(false),
-        connected_(false),
-        bad_cert_(false),
-        is_server_(false),
-        hostname_(NULL) {}
-
-  ~SSLFilter();
-
-  // Callback called by the IOService.
-  static CObject* ProcessFilterRequest(const CObjectArray& request);
-
-  Dart_Handle Init(Dart_Handle dart_this);
-  void Connect(Dart_Handle dart_this,
-               const char* hostname,
-               SSLCertContext* context,
-               bool is_server,
-               bool request_client_certificate,
-               bool require_client_certificate);
-  void Destroy();
-  OSStatus CheckHandshake();
-  void Renegotiate(bool use_session_cache,
-                   bool request_client_certificate,
-                   bool require_client_certificate);
-  void RegisterHandshakeCompleteCallback(Dart_Handle handshake_complete);
-  void RegisterBadCertificateCallback(Dart_Handle callback);
-  Dart_Handle PeerCertificate();
-
- private:
-  static OSStatus SSLReadCallback(SSLConnectionRef connection,
-                                  void* data,
-                                  size_t* data_length);
-  static OSStatus SSLWriteCallback(SSLConnectionRef connection,
-                                   const void* data,
-                                   size_t* data_length);
-
-  static bool isBufferEncrypted(intptr_t i) {
-    return static_cast<BufferIndex>(i) >= kFirstEncrypted;
-  }
-  Dart_Handle InitializeBuffers(Dart_Handle dart_this);
-
-  intptr_t GetBufferStart(intptr_t idx) const;
-  intptr_t GetBufferEnd(intptr_t idx) const;
-  void SetBufferStart(intptr_t idx, intptr_t value);
-  void SetBufferEnd(intptr_t idx, intptr_t value);
-
-  OSStatus ProcessAllBuffers(intptr_t starts[kNumBuffers],
-                             intptr_t ends[kNumBuffers],
-                             bool in_handshake);
-  OSStatus ProcessReadPlaintextBuffer(intptr_t start,
-                                      intptr_t end,
-                                      intptr_t* bytes_processed);
-  OSStatus ProcessWritePlaintextBuffer(intptr_t start,
-                                       intptr_t end,
-                                       intptr_t* bytes_processed);
-
-  // These calls can block on IO, and should only be invoked from
-  // from ProcessAllBuffers from ProcessFilterRequest.
-  OSStatus EvaluatePeerTrust();
-  OSStatus Handshake();
-  Dart_Handle InvokeBadCertCallback(SecCertificateRef peer_cert);
-
-  RetainedPointer<SSLCertContext> cert_context_;
-  SSLContextRef ssl_context_;
-  CFArrayRef peer_certs_;
-
-  // starts and ends filled in at the start of ProcessAllBuffers.
-  // If these are NULL, then try to get the pointers out of
-  // dart_buffer_objects_.
-  uint8_t* buffers_[kNumBuffers];
-  intptr_t* buffer_starts_[kNumBuffers];
-  intptr_t* buffer_ends_[kNumBuffers];
-  intptr_t buffer_size_;
-  intptr_t encrypted_buffer_size_;
-  Dart_PersistentHandle string_start_;
-  Dart_PersistentHandle string_length_;
-  Dart_PersistentHandle dart_buffer_objects_[kNumBuffers];
-  Dart_PersistentHandle handshake_complete_;
-  Dart_PersistentHandle bad_certificate_callback_;
-  bool in_handshake_;
-  bool connected_;
-  bool bad_cert_;
-  bool is_server_;
-  char* hostname_;
-
-  DISALLOW_COPY_AND_ASSIGN(SSLFilter);
-};
-
 }  // namespace bin
 }  // namespace dart
 
 #endif  // RUNTIME_BIN_SECURE_SOCKET_MACOS_H_