Switch to BoringSSL.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
+#include <errno.h>
 #include <openssl/err.h>
-#include <openssl/opensslv.h>
 #include <openssl/ssl.h>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/synchronization/lock.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_openssl_types.h"
@@ skipping 124 matching lines @@
     ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method()));
     session_cache_.Reset(ssl_ctx_.get(), kDefaultSessionCacheConfig);
     SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL);
     SSL_CTX_set_client_cert_cb(ssl_ctx_.get(), ClientCertCallback);
     SSL_CTX_set_verify(ssl_ctx_.get(), SSL_VERIFY_PEER, NULL);
     // TODO(kristianm): Only select this if ssl_config_.next_proto is not empty.
     // It would be better if the callback were not a global setting,
     // but that is an OpenSSL issue.
     SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback,
                                      NULL);
+    ssl_ctx_->tlsext_channel_id_enabled_new = 1;
   }
 
   static std::string GetSessionCacheKey(const SSL* ssl) {
     SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
     DCHECK(socket);
     return GetSocketSessionCacheKey(*socket);
   }
 
   static SSLSessionCacheOpenSSL::Config kDefaultSessionCacheConfig;
 
@@ skipping 75 matching lines @@
 SSLClientSocketOpenSSL::PeerCertificateChain::operator=(
     const PeerCertificateChain& other) {
   if (this == &other)
     return *this;
 
   // os_chain_ is reference counted by scoped_refptr;
   os_chain_ = other.os_chain_;
 
   // Must increase the reference count manually for sk_X509_dup
   openssl_chain_.reset(sk_X509_dup(other.openssl_chain_.get()));
-  for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
+  for (size_t i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
     X509* x = sk_X509_value(openssl_chain_.get(), i);
     CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
   }
   return *this;
 }
 
 #if defined(USE_OPENSSL_CERTS)
 // When OSCertHandle is typedef'ed to X509, this implementation does a short cut
 // to avoid converting back and forth between der and X509 struct.
 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
     STACK_OF(X509)* chain) {
   openssl_chain_.reset(NULL);
   os_chain_ = NULL;
 
   if (!chain)
     return;
 
   X509Certificate::OSCertHandles intermediates;
-  for (int i = 1; i < sk_X509_num(chain); ++i)
+  for (size_t i = 1; i < sk_X509_num(chain); ++i)
     intermediates.push_back(sk_X509_value(chain, i));
 
   os_chain_ =
       X509Certificate::CreateFromHandle(sk_X509_value(chain, 0), intermediates);
 
   // sk_X509_dup does not increase reference count on the certs in the stack.
   openssl_chain_.reset(sk_X509_dup(chain));
 
   std::vector<base::StringPiece> der_chain;
-  for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
+  for (size_t i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
     X509* x = sk_X509_value(openssl_chain_.get(), i);
     // Increase the reference count for the certs in openssl_chain_.
     CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
   }
 }
 #else  // !defined(USE_OPENSSL_CERTS)
 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
     STACK_OF(X509)* chain) {
   openssl_chain_.reset(NULL);
   os_chain_ = NULL;
 
   if (!chain)
     return;
 
   // sk_X509_dup does not increase reference count on the certs in the stack.
   openssl_chain_.reset(sk_X509_dup(chain));
 
   std::vector<base::StringPiece> der_chain;
-  for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
+  for (size_t i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
     X509* x = sk_X509_value(openssl_chain_.get(), i);
 
     // Increase the reference count for the certs in openssl_chain_.
     CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
 
     unsigned char* cert_data = NULL;
     int cert_data_length = i2d_X509(x, &cert_data);
     if (cert_data_length && cert_data)
       der_chain.push_back(base::StringPiece(reinterpret_cast<char*>(cert_data),
                                             cert_data_length));
@@ skipping 190 matching lines @@
 
 bool SSLClientSocketOpenSSL::IsConnectedAndIdle() const {
   // If the handshake has not yet completed.
   if (!completed_handshake_)
     return false;
   // If an asynchronous operation is still pending.
   if (user_read_buf_.get() || user_write_buf_.get())
     return false;
   // If there is data waiting to be sent, or data read from the network that
   // has not yet been consumed.
-  if (BIO_ctrl_pending(transport_bio_) > 0 ||
-      BIO_ctrl_wpending(transport_bio_) > 0) {
+  if (BIO_pending(transport_bio_) > 0 ||
+      BIO_wpending(transport_bio_) > 0) {
     return false;
   }
 
   return transport_->socket()->IsConnectedAndIdle();
 }
 
 int SSLClientSocketOpenSSL::GetPeerAddress(IPEndPoint* addressList) const {
   return transport_->socket()->GetPeerAddress(addressList);
 }
 
@@ skipping 49 matching lines @@
   ssl_info->channel_id_sent = WasChannelIDSent();
 
   RecordChannelIDSupport(server_bound_cert_service_,
                          channel_id_xtn_negotiated_,
                          ssl_config_.channel_id_enabled,
                          crypto::ECPrivateKey::IsSupported());
 
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
   CHECK(cipher);
   ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
-  const COMP_METHOD* compression = SSL_get_current_compression(ssl_);
 
   ssl_info->connection_status = EncodeSSLConnectionStatus(
-      SSL_CIPHER_get_id(cipher),
-      compression ? compression->type : 0,
+      SSL_CIPHER_get_id(cipher), 0 /* no compression */,
       GetNetSSLVersion(ssl_));
 
   bool peer_supports_renego_ext = !!SSL_get_secure_renegotiation_support(ssl_);
   if (!peer_supports_renego_ext)
     ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
   UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
                             implicit_cast<int>(peer_supports_renego_ext), 2);
 
   if (ssl_config_.version_fallback)
     ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK;
@@ skipping 129 matching lines @@
   STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_);
   DCHECK(ciphers);
   // See SSLConfig::disabled_cipher_suites for description of the suites
   // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
   // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
   // as the handshake hash.
   std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA256:!SHA384:"
                       "!aECDH:!AESGCM+AES256");
   // Walk through all the installed ciphers, seeing if any need to be
   // appended to the cipher removal |command|.
-  for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
+  for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
     const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
     const uint16 id = SSL_CIPHER_get_id(cipher);
     // Remove any ciphers with a strength of less than 80 bits. Note the NSS
     // implementation uses "effective" bits here but OpenSSL does not provide
     // this detail. This only impacts Triple DES: reports 112 vs. 168 bits,
     // both of which are greater than 80 anyway.
     bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80;
     if (!disable) {
       disable = std::find(ssl_config_.disabled_cipher_suites.begin(),
                           ssl_config_.disabled_cipher_suites.end(), id) !=
@@ skipping 453 matching lines @@
   int err = SSL_get_error(ssl_, rv);
   return MapOpenSSLError(err, err_tracer);
 }
 
 int SSLClientSocketOpenSSL::BufferSend(void) {
   if (transport_send_busy_)
     return ERR_IO_PENDING;
 
   if (!send_buffer_.get()) {
     // Get a fresh send buffer out of the send BIO.
-    size_t max_read = BIO_ctrl_pending(transport_bio_);
+    size_t max_read = BIO_pending(transport_bio_);
     if (!max_read)
       return 0;  // Nothing pending in the OpenSSL write BIO.
     send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read);
     int read_bytes = BIO_read(transport_bio_, send_buffer_->data(), max_read);
     DCHECK_GT(read_bytes, 0);
     CHECK_EQ(static_cast<int>(max_read), read_bytes);
   }
 
   int rv = transport_->socket()->Write(
       send_buffer_.get(),
@@ skipping 102 matching lines @@
                                                       EVP_PKEY** pkey) {
   DVLOG(3) << "OpenSSL ClientCertRequestCallback called";
   DCHECK(ssl == ssl_);
   DCHECK(*x509 == NULL);
   DCHECK(*pkey == NULL);
   if (!ssl_config_.send_client_cert) {
     // First pass: we know that a client certificate is needed, but we do not
     // have one at hand.
     client_auth_cert_needed_ = true;
     STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl);
-    for (int i = 0; i < sk_X509_NAME_num(authorities); i++) {
+    for (size_t i = 0; i < sk_X509_NAME_num(authorities); i++) {
       X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i);
       unsigned char* str = NULL;
       int length = i2d_X509_NAME(ca_name, &str);
       cert_authorities_.push_back(std::string(
           reinterpret_cast<const char*>(str),
           static_cast<size_t>(length)));
       OPENSSL_free(str);
     }
 
     const unsigned char* client_cert_types;
@@ skipping 164 matching lines @@
   return socket->MaybeReplayTransportError(
       bio, cmd, argp, argi, argl, retvalue);
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
   return server_cert_;
 }
 
 }  // namespace net