runtime/bin/secure_socket_macos.h - Issue 2903743002: Porting SecureSocket to use BoringSSL on OSX

Unified Diff: runtime/bin/secure_socket_macos.h

Issue 2903743002: Porting SecureSocket to use BoringSSL on OSX (Closed)

Patch Set: General cleanup Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: runtime/bin/secure_socket_macos.h

diff --git a/runtime/bin/secure_socket_macos.h b/runtime/bin/secure_socket_macos.h

index f84cc428cd3cf8a17f1e9961bd24fb667c4881ef..0a011e004047f73356151f55373144bd62b5ac14 100644

--- a/runtime/bin/secure_socket_macos.h

+++ b/runtime/bin/secure_socket_macos.h

@@ -18,6 +18,11 @@

#include <Security/SecureTransport.h>

#include <Security/Security.h>

+#include <openssl/bio.h>

+#include <openssl/err.h>

+#include <openssl/ssl.h>

+#include <openssl/x509.h>

#include "bin/builtin.h"

#include "bin/dartutils.h"

#include "bin/lockers.h"

@@ -29,77 +34,61 @@

namespace dart {

namespace bin {

+// Forward declaration

+class SSLFilter;

// SSLCertContext wraps the certificates needed for a SecureTransport

// connection. Fields are protected by the mutex_ field, and may only be set

// once. This is to allow access by both the Dart thread and the IOService

// thread. Setters return false if the field was already set.

class SSLCertContext : public ReferenceCounted<SSLCertContext> {

public:

- SSLCertContext()

+ static const intptr_t kApproximateSize;

+ explicit SSLCertContext(SSL_CTX* context)

: ReferenceCounted(),

- mutex_(new Mutex()),

- private_key_(NULL),

- keychain_(NULL),

+ context_(context),

+ alpn_protocol_string_(NULL),

cert_chain_(NULL),

trusted_certs_(NULL),

cert_authorities_(NULL),

trust_builtin_(false) {}

~SSLCertContext() {

- {

- MutexLocker m(mutex_);

- if (private_key_ != NULL) {

- CFRelease(private_key_);

- }

- if (keychain_ != NULL) {

- SecKeychainDelete(keychain_);

- CFRelease(keychain_);

- }

- if (cert_chain_ != NULL) {

- CFRelease(cert_chain_);

- }

- if (trusted_certs_ != NULL) {

- CFRelease(trusted_certs_);

- }

- if (cert_authorities_ != NULL) {

- CFRelease(cert_authorities_);

- }

+ SSL_CTX_free(context_);

+ if (alpn_protocol_string_ != NULL) {

+ free(alpn_protocol_string_);

}

- delete mutex_;

- }

- SecKeyRef private_key() {

- MutexLocker m(mutex_);

- return private_key_;

- }

- bool set_private_key(SecKeyRef private_key) {

- MutexLocker m(mutex_);

- if (private_key_ != NULL) {

- return false;

+ if (cert_chain_ != NULL) {

+ CFRelease(cert_chain_);

+ }

+ if (trusted_certs_ != NULL) {

+ CFRelease(trusted_certs_);

+ }

+ if (cert_authorities_ != NULL) {

+ CFRelease(cert_authorities_);

}

- private_key_ = private_key;

- return true;

}

- SecKeychainRef keychain() {

- MutexLocker m(mutex_);

- return keychain_;

- }

- bool set_keychain(SecKeychainRef keychain) {

- MutexLocker m(mutex_);

- if (keychain_ != NULL) {

- return false;

+ static SSLCertContext* GetSecurityContext(Dart_NativeArguments args);

+ static const char* GetPasswordArgument(Dart_NativeArguments args,

+ intptr_t index);

+ SSL_CTX* context() const { return context_; }

+ uint8_t* alpn_protocol_string() const { return alpn_protocol_string_; }

+ void set_alpn_protocol_string(uint8_t* protocol_string) {

+ if (alpn_protocol_string_ != NULL) {

+ free(alpn_protocol_string_);

}

- keychain_ = keychain;

- return true;

+ alpn_protocol_string_ = protocol_string;

}

CFArrayRef cert_chain() {

zra 2017/05/26 18:11:13 const

bkonyi 2017/05/26 23:35:31 Done.

- MutexLocker m(mutex_);

return cert_chain_;

}

bool set_cert_chain(CFArrayRef cert_chain) {

- MutexLocker m(mutex_);

if (cert_chain_ != NULL) {

return false;

}

@@ -108,11 +97,10 @@ class SSLCertContext : public ReferenceCounted<SSLCertContext> {

}

CFArrayRef trusted_certs() {

zra 2017/05/26 18:11:13 const

bkonyi 2017/05/26 23:35:31 Done.

- MutexLocker m(mutex_);

return trusted_certs_;

}

bool set_trusted_certs(CFArrayRef trusted_certs) {

- MutexLocker m(mutex_);

if (trusted_certs_ != NULL) {

return false;

}

@@ -121,11 +109,10 @@ class SSLCertContext : public ReferenceCounted<SSLCertContext> {

}

CFArrayRef cert_authorities() {

zra 2017/05/26 18:11:13 const

bkonyi 2017/05/26 23:35:31 Done.

- MutexLocker m(mutex_);

return cert_authorities_;

}

bool set_cert_authorities(CFArrayRef cert_authorities) {

- MutexLocker m(mutex_);

if (cert_authorities_ != NULL) {

return false;

}

@@ -134,21 +121,17 @@ class SSLCertContext : public ReferenceCounted<SSLCertContext> {

}

bool trust_builtin() {

zra 2017/05/26 18:11:13 const

bkonyi 2017/05/26 23:35:31 Done.

- MutexLocker m(mutex_);

return trust_builtin_;

}

void set_trust_builtin(bool trust_builtin) {

- MutexLocker m(mutex_);

trust_builtin_ = trust_builtin;

}

- private:

- // The context is accessed both by Dart code and the IOService. This mutex

- // protects all fields.

- Mutex* mutex_;

+ void RegisterCallbacks(SSLFilter* filter);

- SecKeyRef private_key_;

- SecKeychainRef keychain_;

+ private:

+ SSL_CTX* context_;

+ uint8_t* alpn_protocol_string_;

// CFArrays of SecCertificateRef.

CFArrayRef cert_chain_;

@@ -160,119 +143,6 @@ class SSLCertContext : public ReferenceCounted<SSLCertContext> {

DISALLOW_COPY_AND_ASSIGN(SSLCertContext);

};

-// SSLFilter encapsulates the SecureTransport code in a filter that communicates

-// with the containing _SecureFilterImpl Dart object through four shared

-// ExternalByteArray buffers, for reading and writing plaintext, and

-// reading and writing encrypted text. The filter handles handshaking

-// and certificate verification.

-class SSLFilter : public ReferenceCounted<SSLFilter> {

- public:

- // These enums must agree with those in sdk/lib/io/secure_socket.dart.

- enum BufferIndex {

- kReadPlaintext,

- kWritePlaintext,

- kReadEncrypted,

- kWriteEncrypted,

- kNumBuffers,

- kFirstEncrypted = kReadEncrypted

- };

- SSLFilter()

- : ReferenceCounted(),

- cert_context_(NULL),

- ssl_context_(NULL),

- peer_certs_(NULL),

- string_start_(NULL),

- string_length_(NULL),

- handshake_complete_(NULL),

- bad_certificate_callback_(NULL),

- in_handshake_(false),

- connected_(false),

- bad_cert_(false),

- is_server_(false),

- hostname_(NULL) {}

- ~SSLFilter();

- // Callback called by the IOService.

- static CObject* ProcessFilterRequest(const CObjectArray& request);

- Dart_Handle Init(Dart_Handle dart_this);

- void Connect(Dart_Handle dart_this,

- const char* hostname,

- SSLCertContext* context,

- bool is_server,

- bool request_client_certificate,

- bool require_client_certificate);

- void Destroy();

- OSStatus CheckHandshake();

- void Renegotiate(bool use_session_cache,

- bool request_client_certificate,

- bool require_client_certificate);

- void RegisterHandshakeCompleteCallback(Dart_Handle handshake_complete);

- void RegisterBadCertificateCallback(Dart_Handle callback);

- Dart_Handle PeerCertificate();

- private:

- static OSStatus SSLReadCallback(SSLConnectionRef connection,

- void* data,

- size_t* data_length);

- static OSStatus SSLWriteCallback(SSLConnectionRef connection,

- const void* data,

- size_t* data_length);

- static bool isBufferEncrypted(intptr_t i) {

- return static_cast<BufferIndex>(i) >= kFirstEncrypted;

- }

- Dart_Handle InitializeBuffers(Dart_Handle dart_this);

- intptr_t GetBufferStart(intptr_t idx) const;

- intptr_t GetBufferEnd(intptr_t idx) const;

- void SetBufferStart(intptr_t idx, intptr_t value);

- void SetBufferEnd(intptr_t idx, intptr_t value);

- OSStatus ProcessAllBuffers(intptr_t starts[kNumBuffers],

- intptr_t ends[kNumBuffers],

- bool in_handshake);

- OSStatus ProcessReadPlaintextBuffer(intptr_t start,

- intptr_t end,

- intptr_t* bytes_processed);

- OSStatus ProcessWritePlaintextBuffer(intptr_t start,

- intptr_t end,

- intptr_t* bytes_processed);

- // These calls can block on IO, and should only be invoked from

- // from ProcessAllBuffers from ProcessFilterRequest.

- OSStatus EvaluatePeerTrust();

- OSStatus Handshake();

- Dart_Handle InvokeBadCertCallback(SecCertificateRef peer_cert);

- RetainedPointer<SSLCertContext> cert_context_;

- SSLContextRef ssl_context_;

- CFArrayRef peer_certs_;

- // starts and ends filled in at the start of ProcessAllBuffers.

- // If these are NULL, then try to get the pointers out of

- // dart_buffer_objects_.

- uint8_t* buffers_[kNumBuffers];

- intptr_t* buffer_starts_[kNumBuffers];

- intptr_t* buffer_ends_[kNumBuffers];

- intptr_t buffer_size_;

- intptr_t encrypted_buffer_size_;

- Dart_PersistentHandle string_start_;

- Dart_PersistentHandle string_length_;

- Dart_PersistentHandle dart_buffer_objects_[kNumBuffers];

- Dart_PersistentHandle handshake_complete_;

- Dart_PersistentHandle bad_certificate_callback_;

- bool in_handshake_;

- bool connected_;

- bool bad_cert_;

- bool is_server_;

- char* hostname_;

- DISALLOW_COPY_AND_ASSIGN(SSLFilter);

-};

} // namespace bin

} // namespace dart

« runtime/bin/secure_socket_ios.cc ('K') | « runtime/bin/secure_socket_ios.cc ('k') | runtime/bin/secure_socket_macos.cc » ('j') | runtime/bin/secure_socket_macos.cc » ('J')