diff options
| author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-10 04:39:38 +0000 |
|---|---|---|
| committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-10 04:39:38 +0000 |
| commit | cd9b75b1194ef656668b4d848c99d24d5968eb3a (patch) | |
| tree | 2f0ee7adcb172a43aa6f635538daf57e52e48e6d | |
| parent | 253a24133db77bda145e3599e2d7582e4f8c7409 (diff) | |
| download | chromium_src-cd9b75b1194ef656668b4d848c99d24d5968eb3a.zip chromium_src-cd9b75b1194ef656668b4d848c99d24d5968eb3a.tar.gz chromium_src-cd9b75b1194ef656668b4d848c99d24d5968eb3a.tar.bz2 | |
Eliminate ScopedOpenSSL in favour of scoped_ptr<> specializations.
Match the NSS, CryptoAPI (Win) and Security (OS X) approaches by
declaring the scoped types as specializations of our existing scoped
classes.
Like NSS, this requires an intermediate helper type, because our
scoped_ptr<> doesn't accept deleter functions as template
arguments (though they are valid in C++11's unique_ptr<>). A few base
cryptographic (non-certificate) types are used in
scoped_openssl_types.h, while the remainder are left for
implementations to specialize as needed.
In an ideal world, this would be scoped_ptr<FOO, FOO_free>, but that
will require unique_ptr<> support.
BUG=388904
Review URL: https://codereview.chromium.org/361193003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282257 0039d316-1c4b-4281-b951-d872f2087c98
29 files changed, 274 insertions, 253 deletions
diff --git a/chrome/common/net/x509_certificate_model_openssl.cc b/chrome/common/net/x509_certificate_model_openssl.cc index 044a5ee..9762889 100644 --- a/chrome/common/net/x509_certificate_model_openssl.cc +++ b/chrome/common/net/x509_certificate_model_openssl.cc @@ -17,6 +17,7 @@ #include "base/strings/utf_string_conversions.h" #include "crypto/openssl_bio_string.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "grit/generated_resources.h" #include "net/base/net_util.h" #include "net/cert/x509_util_openssl.h" @@ -463,7 +464,7 @@ std::string ProcessNSCertTypeExtension(X509_EXTENSION* ex) { {NS_OBJSIGN_CA, IDS_CERT_USAGE_OBJECT_SIGNER}, }; - crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free> value( + crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free>::Type value( reinterpret_cast<ASN1_BIT_STRING*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -486,7 +487,7 @@ std::string ProcessKeyUsageExtension(X509_EXTENSION* ex) { {KU_DECIPHER_ONLY, IDS_CERT_X509_KEY_USAGE_DECIPHER_ONLY}, }; - crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free> value( + crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free>::Type value( reinterpret_cast<ASN1_BIT_STRING*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -498,7 +499,7 @@ std::string ProcessKeyUsageExtension(X509_EXTENSION* ex) { std::string ProcessBasicConstraints(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free> value( + crypto::ScopedOpenSSL<BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free>::Type value( reinterpret_cast<BASIC_CONSTRAINTS*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -523,8 +524,8 @@ std::string ProcessBasicConstraints(X509_EXTENSION* ex) { std::string ProcessExtKeyUsage(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<EXTENDED_KEY_USAGE, EXTENDED_KEY_USAGE_free> value( - reinterpret_cast<EXTENDED_KEY_USAGE*>(X509V3_EXT_d2i(ex))); + crypto::ScopedOpenSSL<EXTENDED_KEY_USAGE, EXTENDED_KEY_USAGE_free>::Type + value(reinterpret_cast<EXTENDED_KEY_USAGE*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); for (int i = 0; i < sk_ASN1_OBJECT_num(value.get()); i++) { @@ -672,7 +673,7 @@ std::string ProcessGeneralNames(GENERAL_NAMES* names) { } std::string ProcessAltName(X509_EXTENSION* ex) { - crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free> alt_names( + crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>::Type alt_names( reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ex))); if (!alt_names.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -681,7 +682,7 @@ std::string ProcessAltName(X509_EXTENSION* ex) { } std::string ProcessSubjectKeyId(X509_EXTENSION* ex) { - crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free> value( + crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free>::Type value( reinterpret_cast<ASN1_OCTET_STRING*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -693,7 +694,7 @@ std::string ProcessSubjectKeyId(X509_EXTENSION* ex) { std::string ProcessAuthKeyId(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<AUTHORITY_KEYID, AUTHORITY_KEYID_free> value( + crypto::ScopedOpenSSL<AUTHORITY_KEYID, AUTHORITY_KEYID_free>::Type value( reinterpret_cast<AUTHORITY_KEYID*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -749,8 +750,8 @@ std::string ProcessUserNotice(USERNOTICE* notice) { std::string ProcessCertificatePolicies(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<CERTIFICATEPOLICIES, CERTIFICATEPOLICIES_free> policies( - reinterpret_cast<CERTIFICATEPOLICIES*>(X509V3_EXT_d2i(ex))); + crypto::ScopedOpenSSL<CERTIFICATEPOLICIES, CERTIFICATEPOLICIES_free>::Type + policies(reinterpret_cast<CERTIFICATEPOLICIES*>(X509V3_EXT_d2i(ex))); if (!policies.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -820,8 +821,8 @@ std::string ProcessCrlDistPoints(X509_EXTENSION* ex) { const int kDistPointRelativeName = 1; std::string rv; - crypto::ScopedOpenSSL<CRL_DIST_POINTS, CRL_DIST_POINTS_free> dist_points( - reinterpret_cast<CRL_DIST_POINTS*>(X509V3_EXT_d2i(ex))); + crypto::ScopedOpenSSL<CRL_DIST_POINTS, CRL_DIST_POINTS_free>::Type + dist_points(reinterpret_cast<CRL_DIST_POINTS*>(X509V3_EXT_d2i(ex))); if (!dist_points.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -861,8 +862,8 @@ std::string ProcessCrlDistPoints(X509_EXTENSION* ex) { std::string ProcessAuthInfoAccess(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_ACCESS_free> aia( - reinterpret_cast<AUTHORITY_INFO_ACCESS*>(X509V3_EXT_d2i(ex))); + crypto::ScopedOpenSSL<AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_ACCESS_free>::Type + aia(reinterpret_cast<AUTHORITY_INFO_ACCESS*>(X509V3_EXT_d2i(ex))); if (!aia.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -894,7 +895,7 @@ std::string ProcessAuthInfoAccess(X509_EXTENSION* ex) { std::string ProcessIA5StringData(ASN1_OCTET_STRING* asn1_string) { const unsigned char* data = ASN1_STRING_data(asn1_string); - crypto::ScopedOpenSSL<ASN1_IA5STRING, ASN1_IA5STRING_free> ia5_string( + crypto::ScopedOpenSSL<ASN1_IA5STRING, ASN1_IA5STRING_free>::Type ia5_string( d2i_ASN1_IA5STRING(NULL, &data, ASN1_STRING_length(asn1_string))); if (!ia5_string.get()) @@ -907,7 +908,7 @@ std::string ProcessIA5StringData(ASN1_OCTET_STRING* asn1_string) { std::string ProcessBMPStringData(ASN1_OCTET_STRING* asn1_string) { const unsigned char* data = ASN1_STRING_data(asn1_string); - crypto::ScopedOpenSSL<ASN1_BMPSTRING, ASN1_BMPSTRING_free> bmp_string( + crypto::ScopedOpenSSL<ASN1_BMPSTRING, ASN1_BMPSTRING_free>::Type bmp_string( d2i_ASN1_BMPSTRING(NULL, &data, ASN1_STRING_length(asn1_string))); if (!bmp_string.get()) @@ -970,7 +971,7 @@ std::string GetCertNameOrNickname(X509Certificate::OSCertHandle cert_handle) { if (!name.empty()) return name; - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&name)); + crypto::ScopedBIO bio(crypto::BIO_new_string(&name)); if (!bio.get()) return name; X509_NAME_print_ex(bio.get(), @@ -1080,7 +1081,7 @@ std::string GetTitle(net::X509Certificate::OSCertHandle cert_handle) { if (!title.empty()) return title; - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&title)); + crypto::ScopedBIO bio(crypto::BIO_new_string(&title)); if (!bio.get()) return title; X509_NAME_print_ex(bio.get(), @@ -1150,7 +1151,7 @@ void DestroyCertChain(net::X509Certificate::OSCertHandles* cert_handles) { std::string GetCMSString(const net::X509Certificate::OSCertHandles& cert_chain, size_t start, size_t end) { std::string rv; - crypto::ScopedOpenSSL<PKCS7, PKCS7_free> p7(PKCS7_new()); + crypto::ScopedOpenSSL<PKCS7, PKCS7_free>::Type p7(PKCS7_new()); if (!p7.get()) return rv; if (!PKCS7_set_type(p7.get(), NID_pkcs7_signed)) @@ -1161,7 +1162,8 @@ std::string GetCMSString(const net::X509Certificate::OSCertHandles& cert_chain, return rv; } - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&rv)); + crypto::ScopedOpenSSL<BIO, BIO_free_all>::Type bio( + crypto::BIO_new_string(&rv)); if (!bio.get()) return rv; @@ -1192,13 +1194,13 @@ std::string ProcessSecAlgorithmSignatureWrap( std::string ProcessSubjectPublicKeyInfo( net::X509Certificate::OSCertHandle cert_handle) { std::string rv; - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> public_key( + crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free>::Type public_key( X509_get_pubkey(cert_handle)); if (!public_key.get()) return rv; switch (EVP_PKEY_type(public_key.get()->type)) { case EVP_PKEY_RSA: { - crypto::ScopedOpenSSL<RSA, RSA_free> rsa_key( + crypto::ScopedOpenSSL<RSA, RSA_free>::Type rsa_key( EVP_PKEY_get1_RSA(public_key.get())); if (!rsa_key.get()) return rv; diff --git a/content/child/webcrypto/platform_crypto_openssl.cc b/content/child/webcrypto/platform_crypto_openssl.cc index 84ed9d8..89212ea 100644 --- a/content/child/webcrypto/platform_crypto_openssl.cc +++ b/content/child/webcrypto/platform_crypto_openssl.cc @@ -17,6 +17,7 @@ #include "content/child/webcrypto/status.h" #include "content/child/webcrypto/webcrypto_util.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h" #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h" @@ -99,7 +100,7 @@ Status AesCbcEncryptDecrypt(EncryptOrDecrypt mode, } // Note: PKCS padding is enabled by default - crypto::ScopedOpenSSL<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free> context( + crypto::ScopedOpenSSL<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free>::Type context( EVP_CIPHER_CTX_new()); if (!context.get()) @@ -233,7 +234,7 @@ class DigestorOpenSSL : public blink::WebCryptoDigestor { } bool initialized_; - crypto::ScopedOpenSSL<EVP_MD_CTX, EVP_MD_CTX_destroy> digest_context_; + crypto::ScopedEVP_MD_CTX digest_context_; blink::WebCryptoAlgorithmId algorithm_id_; unsigned char result_[EVP_MAX_MD_SIZE]; }; @@ -435,7 +436,8 @@ Status EncryptDecryptAesGcm(EncryptOrDecrypt mode, return Status::OperationError(); } - crypto::ScopedOpenSSL<EVP_AEAD_CTX, EVP_AEAD_CTX_cleanup> ctx_cleanup(&ctx); + crypto::ScopedOpenSSL<EVP_AEAD_CTX, EVP_AEAD_CTX_cleanup>::Type ctx_cleanup( + &ctx); ssize_t len; diff --git a/crypto/ec_private_key_openssl.cc b/crypto/ec_private_key_openssl.cc index b7b6b48..beda29f 100644 --- a/crypto/ec_private_key_openssl.cc +++ b/crypto/ec_private_key_openssl.cc @@ -12,6 +12,7 @@ #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" namespace crypto { @@ -24,6 +25,10 @@ namespace { // style guide, hence the unusual parameter placement / types. typedef int (*ExportBioFunction)(BIO* bio, const void* key); +typedef ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>::Type + ScopedPKCS8_PRIV_KEY_INFO; +typedef ScopedOpenSSL<X509_SIG, X509_SIG_free>::Type ScopedX509_SIG; + // Helper to export |key| into |output| via the specified ExportBioFunction. bool ExportKeyWithBio(const void* key, ExportBioFunction export_fn, @@ -31,7 +36,7 @@ bool ExportKeyWithBio(const void* key, if (!key) return false; - ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem())); + ScopedBIO bio(BIO_new(BIO_s_mem())); if (!bio.get()) return false; @@ -87,8 +92,7 @@ bool ECPrivateKey::IsSupported() { return true; } ECPrivateKey* ECPrivateKey::Create() { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key( - EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); + ScopedEC_KEY ec_key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); if (!ec_key.get() || !EC_KEY_generate_key(ec_key.get())) return NULL; @@ -118,21 +122,17 @@ ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( const_cast<uint8*>(&encrypted_private_key_info[0])); int private_key_data_len = static_cast<int>(encrypted_private_key_info.size()); - ScopedOpenSSL<BIO, BIO_free_all> bio( - BIO_new_mem_buf(private_key_data, private_key_data_len)); + ScopedBIO bio(BIO_new_mem_buf(private_key_data, private_key_data_len)); if (!bio.get()) return NULL; // Convert it, then decrypt it into a PKCS#8 object. - ScopedOpenSSL<X509_SIG, X509_SIG_free> p8_encrypted( - d2i_PKCS8_bio(bio.get(), NULL)); + ScopedX509_SIG p8_encrypted(d2i_PKCS8_bio(bio.get(), NULL)); if (!p8_encrypted.get()) return NULL; - ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> p8_decrypted( - PKCS8_decrypt(p8_encrypted.get(), - password.c_str(), - static_cast<int>(password.size()))); + ScopedPKCS8_PRIV_KEY_INFO p8_decrypted(PKCS8_decrypt( + p8_encrypted.get(), password.c_str(), static_cast<int>(password.size()))); if (!p8_decrypted.get() && password.empty()) { // Hack for reading keys generated by ec_private_key_nss. Passing NULL // causes OpenSSL to use an empty password instead of "\0\0". @@ -156,8 +156,7 @@ bool ECPrivateKey::ExportEncryptedPrivateKey( std::vector<uint8>* output) { OpenSSLErrStackTracer err_tracer(FROM_HERE); // Convert into a PKCS#8 object. - ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> pkcs8( - EVP_PKEY2PKCS8(key_)); + ScopedPKCS8_PRIV_KEY_INFO pkcs8(EVP_PKEY2PKCS8(key_)); if (!pkcs8.get()) return false; @@ -165,15 +164,14 @@ bool ECPrivateKey::ExportEncryptedPrivateKey( // NOTE: NSS uses SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC // so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL // equivalent. - ScopedOpenSSL<X509_SIG, X509_SIG_free> encrypted( - PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - NULL, - password.c_str(), - static_cast<int>(password.size()), - NULL, - 0, - iterations, - pkcs8.get())); + ScopedX509_SIG encrypted(PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + NULL, + password.c_str(), + static_cast<int>(password.size()), + NULL, + 0, + iterations, + pkcs8.get())); if (!encrypted.get()) return false; @@ -211,7 +209,7 @@ bool ECPrivateKey::ExportRawPublicKey(std::string* output) { bool ECPrivateKey::ExportValue(std::vector<uint8>* output) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_)); + ScopedEC_KEY ec_key(EVP_PKEY_get1_EC_KEY(key_)); return ExportKey(ec_key.get(), reinterpret_cast<ExportDataFunction>(i2d_ECPrivateKey), output); @@ -219,7 +217,7 @@ bool ECPrivateKey::ExportValue(std::vector<uint8>* output) { bool ECPrivateKey::ExportECParams(std::vector<uint8>* output) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_)); + ScopedEC_KEY ec_key(EVP_PKEY_get1_EC_KEY(key_)); return ExportKey(ec_key.get(), reinterpret_cast<ExportDataFunction>(i2d_ECParameters), output); diff --git a/crypto/ec_signature_creator_openssl.cc b/crypto/ec_signature_creator_openssl.cc index 7f0a873..adff2c9 100644 --- a/crypto/ec_signature_creator_openssl.cc +++ b/crypto/ec_signature_creator_openssl.cc @@ -13,9 +13,16 @@ #include "base/logging.h" #include "crypto/ec_private_key.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" namespace crypto { +namespace { + +typedef ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free>::Type ScopedECDSA_SIG; + +} // namespace + ECSignatureCreatorImpl::ECSignatureCreatorImpl(ECPrivateKey* key) : key_(key), signature_len_(0) { EnsureOpenSSLInit(); @@ -27,7 +34,7 @@ bool ECSignatureCreatorImpl::Sign(const uint8* data, int data_len, std::vector<uint8>* signature) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<EVP_MD_CTX, EVP_MD_CTX_destroy> ctx(EVP_MD_CTX_create()); + ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); size_t sig_len = 0; if (!ctx.get() || !EVP_DigestSignInit(ctx.get(), NULL, EVP_sha256(), NULL, key_->key()) || @@ -52,7 +59,7 @@ bool ECSignatureCreatorImpl::DecodeSignature(const std::vector<uint8>& der_sig, OpenSSLErrStackTracer err_tracer(FROM_HERE); // Create ECDSA_SIG object from DER-encoded data. const unsigned char* der_data = &der_sig.front(); - ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free> ecdsa_sig( + ScopedECDSA_SIG ecdsa_sig( d2i_ECDSA_SIG(NULL, &der_data, static_cast<long>(der_sig.size()))); if (!ecdsa_sig.get()) return false; diff --git a/crypto/openssl_bio_string_unittest.cc b/crypto/openssl_bio_string_unittest.cc index 39d3a9a..2467215 100644 --- a/crypto/openssl_bio_string_unittest.cc +++ b/crypto/openssl_bio_string_unittest.cc @@ -6,16 +6,18 @@ #include <openssl/bio.h> -#include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "testing/gtest/include/gtest/gtest.h" +namespace crypto { + TEST(OpenSSLBIOString, TestWrite) { std::string s; const std::string expected1("a one\nb 2\n"); const std::string expected2("c d e f"); const std::string expected3("g h i"); { - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&s)); + ScopedBIO bio(BIO_new_string(&s)); ASSERT_TRUE(bio.get()); EXPECT_EQ(static_cast<int>(expected1.size()), @@ -48,7 +50,7 @@ TEST(OpenSSLBIOString, TestReset) { const std::string expected1("a b c\n"); const std::string expected2("d e f g\n"); { - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&s)); + ScopedBIO bio(BIO_new_string(&s)); ASSERT_TRUE(bio.get()); EXPECT_EQ(static_cast<int>(expected1.size()), @@ -64,3 +66,5 @@ TEST(OpenSSLBIOString, TestReset) { } EXPECT_EQ(expected2, s); } + +} // namespace crypto diff --git a/crypto/openssl_util.h b/crypto/openssl_util.h index bf83e47..2743883 100644 --- a/crypto/openssl_util.h +++ b/crypto/openssl_util.h @@ -11,36 +11,6 @@ namespace crypto { -// A helper class that takes care of destroying OpenSSL objects when they go out -// of scope. -template <typename T, void (*destructor)(T*)> -class ScopedOpenSSL { - public: - ScopedOpenSSL() : ptr_(NULL) { } - explicit ScopedOpenSSL(T* ptr) : ptr_(ptr) { } - ~ScopedOpenSSL() { - reset(NULL); - } - - T* get() const { return ptr_; } - T* release() { - T* ptr = ptr_; - ptr_ = NULL; - return ptr; - } - void reset(T* ptr) { - if (ptr != ptr_) { - if (ptr_) (*destructor)(ptr_); - ptr_ = ptr; - } - } - - private: - T* ptr_; - - DISALLOW_COPY_AND_ASSIGN(ScopedOpenSSL); -}; - // Provides a buffer of at least MIN_SIZE bytes, for use when calling OpenSSL's // SHA256, HMAC, etc functions, adapting the buffer sizing rules to meet those // of the our base wrapper APIs. diff --git a/crypto/rsa_private_key_openssl.cc b/crypto/rsa_private_key_openssl.cc index f191e39..bd00a73 100644 --- a/crypto/rsa_private_key_openssl.cc +++ b/crypto/rsa_private_key_openssl.cc @@ -11,6 +11,7 @@ #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" namespace crypto { @@ -29,7 +30,7 @@ bool ExportKey(EVP_PKEY* key, return false; OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem())); + ScopedBIO bio(BIO_new(BIO_s_mem())); int res = export_fn(bio.get(), key); if (!res) @@ -50,8 +51,8 @@ bool ExportKey(EVP_PKEY* key, RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<RSA, RSA_free> rsa_key(RSA_new()); - ScopedOpenSSL<BIGNUM, BN_free> bn(BN_new()); + ScopedRSA rsa_key(RSA_new()); + ScopedBIGNUM bn(BN_new()); if (!rsa_key.get() || !bn.get() || !BN_set_word(bn.get(), 65537L)) return NULL; @@ -75,14 +76,14 @@ RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo( OpenSSLErrStackTracer err_tracer(FROM_HERE); // BIO_new_mem_buf is not const aware, but it does not modify the buffer. char* data = reinterpret_cast<char*>(const_cast<uint8*>(&input[0])); - ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new_mem_buf(data, input.size())); + ScopedBIO bio(BIO_new_mem_buf(data, input.size())); if (!bio.get()) return NULL; // Importing is a little more involved than exporting, as we must first // PKCS#8 decode the input, and then import the EVP_PKEY from Private Key // Info structure returned. - ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> p8inf( + ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>::Type p8inf( d2i_PKCS8_PRIV_KEY_INFO_bio(bio.get(), NULL)); if (!p8inf.get()) return NULL; diff --git a/crypto/scoped_openssl_types.h b/crypto/scoped_openssl_types.h new file mode 100644 index 0000000..a949233 --- /dev/null +++ b/crypto/scoped_openssl_types.h @@ -0,0 +1,49 @@ +// Copyright 2014 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef CRYPTO_SCOPED_OPENSSL_TYPES_H_ +#define CRYPTO_SCOPED_OPENSSL_TYPES_H_ + +#include <openssl/bn.h> +#include <openssl/dsa.h> +#include <openssl/ec.h> +#include <openssl/ecdsa.h> +#include <openssl/evp.h> +#include <openssl/rsa.h> + +#include "base/memory/scoped_ptr.h" + +namespace crypto { + +// Simplistic helper that wraps a call to a deleter function. In a C++11 world, +// this would be std::function<>. An alternative would be to re-use +// base::internal::RunnableAdapter<>, but that's far too heavy weight. +template <typename Type, void (*Destroyer)(Type*)> +struct OpenSSLDestroyer { + void operator()(Type* ptr) const { Destroyer(ptr); } +}; + +template <typename PointerType, void (*Destroyer)(PointerType*)> +struct ScopedOpenSSL { + typedef scoped_ptr<PointerType, OpenSSLDestroyer<PointerType, Destroyer> > + Type; +}; + +// Several typedefs are provided for crypto-specific primitives, for +// short-hand and prevalence. Note that OpenSSL types related to X.509 are +// intentionally not included, as crypto/ does not generally deal with +// certificates or PKI. +typedef ScopedOpenSSL<BIGNUM, BN_free>::Type ScopedBIGNUM; +typedef ScopedOpenSSL<EC_KEY, EC_KEY_free>::Type ScopedEC_KEY; +typedef ScopedOpenSSL<BIO, BIO_free_all>::Type ScopedBIO; +typedef ScopedOpenSSL<DSA, DSA_free>::Type ScopedDSA; +typedef ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free>::Type ScopedECDSA_SIG; +typedef ScopedOpenSSL<EC_KEY, EC_KEY_free>::Type ScopedEC_KEY; +typedef ScopedOpenSSL<EVP_MD_CTX, EVP_MD_CTX_destroy>::Type ScopedEVP_MD_CTX; +typedef ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free>::Type ScopedEVP_PKEY; +typedef ScopedOpenSSL<RSA, RSA_free>::Type ScopedRSA; + +} // namespace crypto + +#endif // CRYPTO_SCOPED_OPENSSL_TYPES_H_ diff --git a/crypto/signature_verifier_openssl.cc b/crypto/signature_verifier_openssl.cc index a85f00b..155a2cf3 100644 --- a/crypto/signature_verifier_openssl.cc +++ b/crypto/signature_verifier_openssl.cc @@ -13,6 +13,7 @@ #include "base/memory/scoped_ptr.h" #include "base/stl_util.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" namespace crypto { @@ -31,7 +32,7 @@ const EVP_MD* ToOpenSSLDigest(SignatureVerifier::HashAlgorithm hash_alg) { } // namespace struct SignatureVerifier::VerifyContext { - ScopedOpenSSL<EVP_MD_CTX, EVP_MD_CTX_destroy> ctx; + ScopedEVP_MD_CTX ctx; }; SignatureVerifier::SignatureVerifier() @@ -49,7 +50,7 @@ bool SignatureVerifier::VerifyInit(const uint8* signature_algorithm, const uint8* public_key_info, int public_key_info_len) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<X509_ALGOR, X509_ALGOR_free> algorithm( + ScopedOpenSSL<X509_ALGOR, X509_ALGOR_free>::Type algorithm( d2i_X509_ALGOR(NULL, &signature_algorithm, signature_algorithm_len)); if (!algorithm.get()) return false; @@ -135,13 +136,11 @@ bool SignatureVerifier::CommonInit(const EVP_MD* digest, // BIO_new_mem_buf is not const aware, but it does not modify the buffer. char* data = reinterpret_cast<char*>(const_cast<uint8*>(public_key_info)); - ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new_mem_buf(data, - public_key_info_len)); + ScopedBIO bio(BIO_new_mem_buf(data, public_key_info_len)); if (!bio.get()) return false; - ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> public_key( - d2i_PUBKEY_bio(bio.get(), NULL)); + ScopedEVP_PKEY public_key(d2i_PUBKEY_bio(bio.get(), NULL)); if (!public_key.get()) return false; diff --git a/net/android/keystore_openssl.cc b/net/android/keystore_openssl.cc index ec08d70..e2e53d7b 100644 --- a/net/android/keystore_openssl.cc +++ b/net/android/keystore_openssl.cc @@ -26,6 +26,7 @@ #include "base/lazy_instance.h" #include "base/logging.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/android/keystore.h" #include "net/ssl/ssl_client_cert_type.h" @@ -101,11 +102,7 @@ namespace android { namespace { -typedef crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ScopedEVP_PKEY; -typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; -typedef crypto::ScopedOpenSSL<DSA, DSA_free> ScopedDSA; -typedef crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ScopedEC_KEY; -typedef crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> ScopedEC_GROUP; +typedef crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free>::Type ScopedEC_GROUP; // Custom RSA_METHOD that uses the platform APIs. // Note that for now, only signing through RSA_sign() is really supported. @@ -283,7 +280,7 @@ bool SwapBigNumPtrFromBytes(const std::vector<uint8>& new_bytes, // IMPORTANT: The EVP_PKEY will *only* work on Android >= 4.2. For older // platforms, use GetRsaLegacyKey() instead. bool GetRsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { - ScopedRSA rsa(RSA_new()); + crypto::ScopedRSA rsa(RSA_new()); RSA_set_method(rsa.get(), &android_rsa_method); // HACK: RSA_size() doesn't work with custom RSA_METHODs. To ensure that @@ -327,7 +324,7 @@ class KeystoreEngineWorkaround { void LeakRsaEngine(EVP_PKEY* pkey) { if (leaked_engine_) return; - ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey)); + crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey)); if (!rsa.get() || !rsa.get()->engine || strcmp(ENGINE_get_id(rsa.get()->engine), "keystore") || @@ -480,7 +477,7 @@ const DSA_METHOD android_dsa_method = { // On success, this creates a global JNI reference to the same object // that will be owned by and destroyed with the EVP_PKEY. bool GetDsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { - ScopedDSA dsa(DSA_new()); + crypto::ScopedDSA dsa(DSA_new()); DSA_set_method(dsa.get(), &android_dsa_method); // DSA_size() doesn't work with custom DSA_METHODs. To ensure it @@ -649,7 +646,7 @@ const ECDSA_METHOD android_ecdsa_method = { // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall // always free |private_key| after the call. bool GetEcdsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { - ScopedEC_KEY eckey(EC_KEY_new()); + crypto::ScopedEC_KEY eckey(EC_KEY_new()); ECDSA_set_method(eckey.get(), &android_ecdsa_method); // To ensure that ECDSA_size() works properly, craft a custom EC_GROUP @@ -688,7 +685,7 @@ bool GetEcdsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { EVP_PKEY* GetOpenSSLPrivateKeyWrapper(jobject private_key) { // Create new empty EVP_PKEY instance. - ScopedEVP_PKEY pkey(EVP_PKEY_new()); + crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new()); if (!pkey.get()) return NULL; diff --git a/net/android/keystore_unittest.cc b/net/android/keystore_unittest.cc index ff20435..076693f 100644 --- a/net/android/keystore_unittest.cc +++ b/net/android/keystore_unittest.cc @@ -25,6 +25,7 @@ #include "base/strings/string_number_conversions.h" #include "base/strings/string_util.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "jni/AndroidKeyStoreTestUtil_jni.h" #include "net/android/keystore.h" #include "net/android/keystore_openssl.h" @@ -56,15 +57,9 @@ namespace android { namespace { -typedef crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ScopedEVP_PKEY; -typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; -typedef crypto::ScopedOpenSSL<DSA, DSA_free> ScopedDSA; -typedef crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ScopedEC_KEY; -typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM; - -typedef crypto::ScopedOpenSSL< - PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> - ScopedPKCS8_PRIV_KEY_INFO; +typedef crypto::ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, + PKCS8_PRIV_KEY_INFO_free>::Type + ScopedPKCS8_PRIV_KEY_INFO; typedef base::android::ScopedJavaLocalRef<jobject> ScopedJava; @@ -136,7 +131,7 @@ EVP_PKEY* ImportPrivateKeyFile(const char* filename) { // |pkey| is the EVP_PKEY handle for the private key. // |pkcs8| will receive the PKCS#8 bytes. // Returns true on success, false otherwise. -bool GetPrivateKeyPkcs8Bytes(const ScopedEVP_PKEY& pkey, +bool GetPrivateKeyPkcs8Bytes(const crypto::ScopedEVP_PKEY& pkey, std::string* pkcs8) { // Convert to PKCS#8 object. ScopedPKCS8_PRIV_KEY_INFO p8_info(EVP_PKEY2PKCS8(pkey.get())); @@ -155,7 +150,7 @@ bool GetPrivateKeyPkcs8Bytes(const ScopedEVP_PKEY& pkey, bool ImportPrivateKeyFileAsPkcs8(const char* filename, std::string* pkcs8) { - ScopedEVP_PKEY pkey(ImportPrivateKeyFile(filename)); + crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(filename)); if (!pkey.get()) return false; return GetPrivateKeyPkcs8Bytes(pkey, pkcs8); @@ -231,11 +226,11 @@ ScopedJava GetDSATestKeyJava() { // to do the check. bool VerifyTestDSASignature(const base::StringPiece& message, const base::StringPiece& signature) { - ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestDsaPublicKeyFile)); + crypto::ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestDsaPublicKeyFile)); if (!pkey.get()) return false; - ScopedDSA pub_key(EVP_PKEY_get1_DSA(pkey.get())); + crypto::ScopedDSA pub_key(EVP_PKEY_get1_DSA(pkey.get())); if (!pub_key.get()) { LOG(ERROR) << "Could not get DSA public key: " << GetOpenSSLErrorString(); @@ -279,10 +274,10 @@ ScopedJava GetECDSATestKeyJava() { // to do the check. bool VerifyTestECDSASignature(const base::StringPiece& message, const base::StringPiece& signature) { - ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestEcdsaPublicKeyFile)); + crypto::ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestEcdsaPublicKeyFile)); if (!pkey.get()) return false; - ScopedEC_KEY pub_key(EVP_PKEY_get1_EC_KEY(pkey.get())); + crypto::ScopedEC_KEY pub_key(EVP_PKEY_get1_EC_KEY(pkey.get())); if (!pub_key.get()) { LOG(ERROR) << "Could not get ECDSA public key: " << GetOpenSSLErrorString(); @@ -323,7 +318,7 @@ bool SignWithOpenSSL(const base::StringPiece& message, switch (key_type) { case EVP_PKEY_RSA: { - ScopedRSA rsa(EVP_PKEY_get1_RSA(openssl_key)); + crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(openssl_key)); if (!rsa.get()) { LOG(ERROR) << "Could not get RSA from EVP_PKEY: " << GetOpenSSLErrorString(); @@ -345,7 +340,7 @@ bool SignWithOpenSSL(const base::StringPiece& message, } case EVP_PKEY_DSA: { - ScopedDSA dsa(EVP_PKEY_get1_DSA(openssl_key)); + crypto::ScopedDSA dsa(EVP_PKEY_get1_DSA(openssl_key)); if (!dsa.get()) { LOG(ERROR) << "Could not get DSA from EVP_PKEY: " << GetOpenSSLErrorString(); @@ -367,7 +362,7 @@ bool SignWithOpenSSL(const base::StringPiece& message, } case EVP_PKEY_EC: { - ScopedEC_KEY ecdsa(EVP_PKEY_get1_EC_KEY(openssl_key)); + crypto::ScopedEC_KEY ecdsa(EVP_PKEY_get1_EC_KEY(openssl_key)); if (!ecdsa.get()) { LOG(ERROR) << "Could not get EC_KEY from EVP_PKEY: " << GetOpenSSLErrorString(); @@ -494,7 +489,7 @@ TEST(AndroidKeyStore,GetRSAKeyModulus) { InitEnv(); // Load the test RSA key. - ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestRsaKeyFile)); + crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestRsaKeyFile)); ASSERT_TRUE(pkey.get()); // Convert it to encoded PKCS#8 bytes. @@ -511,15 +506,14 @@ TEST(AndroidKeyStore,GetRSAKeyModulus) { ASSERT_TRUE(GetRSAKeyModulus(key_java.obj(), &modulus_java)); // Create an OpenSSL BIGNUM from it. - ScopedBIGNUM bn( - BN_bin2bn( - reinterpret_cast<const unsigned char*>(&modulus_java[0]), - static_cast<int>(modulus_java.size()), - NULL)); + crypto::ScopedBIGNUM bn( + BN_bin2bn(reinterpret_cast<const unsigned char*>(&modulus_java[0]), + static_cast<int>(modulus_java.size()), + NULL)); ASSERT_TRUE(bn.get()); // Compare it to the one in the RSA key, they must be identical. - ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey.get())); + crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey.get())); ASSERT_TRUE(rsa.get()) << GetOpenSSLErrorString(); ASSERT_EQ(0, BN_cmp(bn.get(), rsa.get()->n)); @@ -530,7 +524,7 @@ TEST(AndroidKeyStore,GetDSAKeyParamQ) { InitEnv(); // Load the test DSA key. - ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestDsaKeyFile)); + crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestDsaKeyFile)); ASSERT_TRUE(pkey.get()); // Convert it to encoded PKCS#8 bytes. @@ -547,15 +541,14 @@ TEST(AndroidKeyStore,GetDSAKeyParamQ) { ASSERT_TRUE(GetDSAKeyParamQ(key_java.obj(), &q_java)); // Create an OpenSSL BIGNUM from it. - ScopedBIGNUM bn( - BN_bin2bn( - reinterpret_cast<const unsigned char*>(&q_java[0]), - static_cast<int>(q_java.size()), - NULL)); + crypto::ScopedBIGNUM bn( + BN_bin2bn(reinterpret_cast<const unsigned char*>(&q_java[0]), + static_cast<int>(q_java.size()), + NULL)); ASSERT_TRUE(bn.get()); // Compare it to the one in the RSA key, they must be identical. - ScopedDSA dsa(EVP_PKEY_get1_DSA(pkey.get())); + crypto::ScopedDSA dsa(EVP_PKEY_get1_DSA(pkey.get())); ASSERT_TRUE(dsa.get()) << GetOpenSSLErrorString(); ASSERT_EQ(0, BN_cmp(bn.get(), dsa.get()->q)); @@ -579,7 +572,7 @@ TEST(AndroidKeyStore,SignWithPrivateKeyRSA) { return; } - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile)); ASSERT_TRUE(openssl_key.get()); std::string message = kTestRsaHash; @@ -598,10 +591,11 @@ TEST(AndroidKeyStore,SignWithWrapperKeyRSA) { ScopedJava rsa_key = GetRSATestKeyJava(); ASSERT_FALSE(rsa_key.is_null()); - ScopedEVP_PKEY wrapper_key(GetOpenSSLPrivateKeyWrapper(rsa_key.obj())); + crypto::ScopedEVP_PKEY wrapper_key( + GetOpenSSLPrivateKeyWrapper(rsa_key.obj())); ASSERT_TRUE(wrapper_key.get() != NULL); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile)); ASSERT_TRUE(openssl_key.get()); // Check that RSA_size() works properly on the wrapper key. @@ -635,7 +629,7 @@ TEST(AndroidKeyStore,SignWithPrivateKeyDSA) { ScopedJava dsa_key = GetDSATestKeyJava(); ASSERT_FALSE(dsa_key.is_null()); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile)); ASSERT_TRUE(openssl_key.get()); std::string message = kTestDsaHash; @@ -652,11 +646,11 @@ TEST(AndroidKeyStore,SignWithWrapperKeyDSA) { ScopedJava dsa_key = GetDSATestKeyJava(); ASSERT_FALSE(dsa_key.is_null()); - ScopedEVP_PKEY wrapper_key( + crypto::ScopedEVP_PKEY wrapper_key( GetOpenSSLPrivateKeyWrapper(dsa_key.obj())); ASSERT_TRUE(wrapper_key.get()); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile)); ASSERT_TRUE(openssl_key.get()); // Check that DSA_size() works correctly on the wrapper. @@ -685,7 +679,7 @@ TEST(AndroidKeyStore,SignWithPrivateKeyECDSA) { ScopedJava ecdsa_key = GetECDSATestKeyJava(); ASSERT_FALSE(ecdsa_key.is_null()); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile)); ASSERT_TRUE(openssl_key.get()); std::string message = kTestEcdsaHash; @@ -700,11 +694,11 @@ TEST(AndroidKeyStore, SignWithWrapperKeyECDSA) { ScopedJava ecdsa_key = GetECDSATestKeyJava(); ASSERT_FALSE(ecdsa_key.is_null()); - ScopedEVP_PKEY wrapper_key( + crypto::ScopedEVP_PKEY wrapper_key( GetOpenSSLPrivateKeyWrapper(ecdsa_key.obj())); ASSERT_TRUE(wrapper_key.get()); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile)); ASSERT_TRUE(openssl_key.get()); // Check that ECDSA size works correctly on the wrapper. diff --git a/net/base/keygen_handler_openssl.cc b/net/base/keygen_handler_openssl.cc index edd0eb1..aeb64a8 100644 --- a/net/base/keygen_handler_openssl.cc +++ b/net/base/keygen_handler_openssl.cc @@ -10,6 +10,7 @@ #include "base/memory/scoped_ptr.h" #include "crypto/openssl_util.h" #include "crypto/rsa_private_key.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/openssl_private_key_store.h" namespace net { @@ -22,8 +23,8 @@ std::string KeygenHandler::GenKeyAndSignChallenge() { if (stores_key_) OpenSSLPrivateKeyStore::StoreKeyPair(url_, pkey); - crypto::ScopedOpenSSL<NETSCAPE_SPKI, NETSCAPE_SPKI_free> spki( - NETSCAPE_SPKI_new()); + crypto::ScopedOpenSSL<NETSCAPE_SPKI, NETSCAPE_SPKI_free>::Type spki( + NETSCAPE_SPKI_new()); ASN1_STRING_set(spki.get()->spkac->challenge, challenge_.data(), challenge_.size()); NETSCAPE_SPKI_set_pubkey(spki.get(), pkey); diff --git a/net/base/openssl_private_key_store_android.cc b/net/base/openssl_private_key_store_android.cc index e985107..56a63d2 100644 --- a/net/base/openssl_private_key_store_android.cc +++ b/net/base/openssl_private_key_store_android.cc @@ -10,6 +10,7 @@ #include "base/logging.h" #include "base/memory/singleton.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/android/network_library.h" namespace net { @@ -29,9 +30,8 @@ bool OpenSSLPrivateKeyStore::StoreKeyPair(const GURL& url, // in a format that is incompatible with what the platform expects. unsigned char* private_key = NULL; int private_len = 0; - crypto::ScopedOpenSSL< - PKCS8_PRIV_KEY_INFO, - PKCS8_PRIV_KEY_INFO_free> pkcs8(EVP_PKEY2PKCS8(pkey)); + crypto::ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>::Type + pkcs8(EVP_PKEY2PKCS8(pkey)); if (pkcs8.get() != NULL) { private_len = i2d_PKCS8_PRIV_KEY_INFO(pkcs8.get(), &private_key); } diff --git a/net/cert/cert_database_openssl.cc b/net/cert/cert_database_openssl.cc index 23b64cc..a67ac1b 100644 --- a/net/cert/cert_database_openssl.cc +++ b/net/cert/cert_database_openssl.cc @@ -8,7 +8,7 @@ #include "base/logging.h" #include "base/observer_list_threadsafe.h" -#include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/crypto_module.h" #include "net/base/net_errors.h" #include "net/base/openssl_private_key_store.h" @@ -40,7 +40,7 @@ int CertDatabase::CheckUserCert(X509Certificate* cert) { return ERR_CERT_DATE_INVALID; // X509_PUBKEY_get() transfers ownership, not X509_get_X509_PUBKEY() - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> public_key( + crypto::ScopedEVP_PKEY public_key( X509_PUBKEY_get(X509_get_X509_PUBKEY(cert->os_cert_handle()))); if (!OpenSSLPrivateKeyStore::HasPrivateKey(public_key.get())) diff --git a/net/cert/cert_verify_proc_openssl.cc b/net/cert/cert_verify_proc_openssl.cc index 0f21daa..0122fac 100644 --- a/net/cert/cert_verify_proc_openssl.cc +++ b/net/cert/cert_verify_proc_openssl.cc @@ -12,6 +12,7 @@ #include "base/logging.h" #include "base/sha1.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "crypto/sha2.h" #include "net/base/net_errors.h" #include "net/cert/asn1_util.h" @@ -197,10 +198,10 @@ int CertVerifyProcOpenSSL::VerifyInternal( verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; } - crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx( + crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free>::Type ctx( X509_STORE_CTX_new()); - crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates( + crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn>::Type intermediates( sk_X509_new_null()); if (!intermediates.get()) return ERR_OUT_OF_MEMORY; diff --git a/net/cert/ct_log_verifier_openssl.cc b/net/cert/ct_log_verifier_openssl.cc index 0b05d96..b85c0d6 100644 --- a/net/cert/ct_log_verifier_openssl.cc +++ b/net/cert/ct_log_verifier_openssl.cc @@ -9,6 +9,7 @@ #include "base/logging.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "crypto/sha2.h" #include "net/cert/signed_tree_head.h" @@ -55,7 +56,7 @@ bool CTLogVerifier::Init(const base::StringPiece& public_key, const base::StringPiece& description) { crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio( + crypto::ScopedBIO bio( BIO_new_mem_buf(const_cast<char*>(public_key.data()), public_key.size())); if (!bio.get()) return false; diff --git a/net/cert/x509_certificate_openssl.cc b/net/cert/x509_certificate_openssl.cc index 71d558d..005423ba 100644 --- a/net/cert/x509_certificate_openssl.cc +++ b/net/cert/x509_certificate_openssl.cc @@ -19,6 +19,7 @@ #include "base/strings/string_number_conversions.h" #include "base/strings/string_util.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/net_errors.h" #include "net/base/net_util.h" #include "net/cert/x509_util_openssl.h" @@ -32,12 +33,15 @@ namespace net { namespace { +typedef crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>::Type + ScopedGENERAL_NAMES; + void CreateOSCertHandlesFromPKCS7Bytes( const char* data, int length, X509Certificate::OSCertHandles* handles) { crypto::EnsureOpenSSLInit(); const unsigned char* der_data = reinterpret_cast<const unsigned char*>(data); - crypto::ScopedOpenSSL<PKCS7, PKCS7_free> pkcs7_cert( + crypto::ScopedOpenSSL<PKCS7, PKCS7_free>::Type pkcs7_cert( d2i_PKCS7(NULL, &der_data, length)); if (!pkcs7_cert.get()) return; @@ -105,7 +109,7 @@ void ParseSubjectAltName(X509Certificate::OSCertHandle cert, if (!alt_name_ext) return; - crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free> alt_names( + ScopedGENERAL_NAMES alt_names( reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext))); if (!alt_names.get()) return; @@ -182,7 +186,7 @@ class X509InitSingleton { } int der_cache_ex_index_; - crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free> store_; + crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free>::Type store_; DISALLOW_COPY_AND_ASSIGN(X509InitSingleton); }; @@ -437,8 +441,7 @@ void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, *type = kPublicKeyTypeUnknown; *size_bits = 0; - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> scoped_key( - X509_get_pubkey(cert_handle)); + crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle)); if (!scoped_key.get()) return; @@ -472,7 +475,7 @@ bool X509Certificate::IsIssuedByEncoded( // Convert to a temporary list of X509_NAME objects. // It will own the objects it points to. - crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all> + crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all>::Type issuer_names(sk_X509_NAME_new_null()); if (!issuer_names.get()) return false; diff --git a/net/cert/x509_util_openssl.cc b/net/cert/x509_util_openssl.cc index 5a6e9aa..38a987c 100644 --- a/net/cert/x509_util_openssl.cc +++ b/net/cert/x509_util_openssl.cc @@ -13,6 +13,7 @@ #include "crypto/ec_private_key.h" #include "crypto/openssl_util.h" #include "crypto/rsa_private_key.h" +#include "crypto/scoped_openssl_types.h" #include "net/cert/x509_cert_types.h" #include "net/cert/x509_util.h" @@ -20,6 +21,18 @@ namespace net { namespace { +typedef crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free>::Type + ScopedASN1_INTEGER; +typedef crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free>::Type + ScopedASN1_OCTET_STRING; +typedef crypto::ScopedOpenSSL<ASN1_STRING, ASN1_STRING_free>::Type + ScopedASN1_STRING; +typedef crypto::ScopedOpenSSL<ASN1_TIME, ASN1_TIME_free>::Type ScopedASN1_TIME; +typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509; +typedef crypto::ScopedOpenSSL<X509_EXTENSION, X509_EXTENSION_free>::Type + ScopedX509_EXTENSION; +typedef crypto::ScopedOpenSSL<X509_NAME, X509_NAME_free>::Type ScopedX509_NAME; + const EVP_MD* ToEVP(x509_util::DigestAlgorithm alg) { switch (alg) { case x509_util::DIGEST_SHA1: @@ -43,8 +56,7 @@ X509* CreateCertificate(EVP_PKEY* key, base::Time not_valid_before, base::Time not_valid_after) { // Put the serial number into an OpenSSL-friendly object. - crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free> asn1_serial( - ASN1_INTEGER_new()); + ScopedASN1_INTEGER asn1_serial(ASN1_INTEGER_new()); if (!asn1_serial.get() || !ASN1_INTEGER_set(asn1_serial.get(), static_cast<long>(serial_number))) { LOG(ERROR) << "Invalid serial number " << serial_number; @@ -52,7 +64,7 @@ X509* CreateCertificate(EVP_PKEY* key, } // Do the same for the time stamps. - crypto::ScopedOpenSSL<ASN1_TIME, ASN1_TIME_free> asn1_not_before_time( + ScopedASN1_TIME asn1_not_before_time( ASN1_TIME_set(NULL, not_valid_before.ToTimeT())); if (!asn1_not_before_time.get()) { LOG(ERROR) << "Invalid not_valid_before time: " @@ -60,7 +72,7 @@ X509* CreateCertificate(EVP_PKEY* key, return NULL; } - crypto::ScopedOpenSSL<ASN1_TIME, ASN1_TIME_free> asn1_not_after_time( + ScopedASN1_TIME asn1_not_after_time( ASN1_TIME_set(NULL, not_valid_after.ToTimeT())); if (!asn1_not_after_time.get()) { LOG(ERROR) << "Invalid not_valid_after time: " << not_valid_after.ToTimeT(); @@ -87,7 +99,7 @@ X509* CreateCertificate(EVP_PKEY* key, int common_name_len = static_cast<int>(common_name.size() - kCommonNamePrefixLen); - crypto::ScopedOpenSSL<X509_NAME, X509_NAME_free> name(X509_NAME_new()); + ScopedX509_NAME name(X509_NAME_new()); if (!name.get() || !X509_NAME_add_entry_by_NID(name.get(), NID_commonName, MBSTRING_ASC, @@ -100,7 +112,7 @@ X509* CreateCertificate(EVP_PKEY* key, } // Now create certificate and populate it. - crypto::ScopedOpenSSL<X509, X509_free> cert(X509_new()); + ScopedX509 cert(X509_new()); if (!cert.get() || !X509_set_version(cert.get(), 2L) /* i.e. version 3 */ || !X509_set_pubkey(cert.get(), key) || !X509_set_serialNumber(cert.get(), asn1_serial.get()) || @@ -221,20 +233,18 @@ bool CreateDomainBoundCertEC( std::string* der_cert) { crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); // Create certificate. - crypto::ScopedOpenSSL<X509, X509_free> cert( - CreateCertificate(key->key(), - alg, - "CN=anonymous.invalid", - serial_number, - not_valid_before, - not_valid_after)); + ScopedX509 cert(CreateCertificate(key->key(), + alg, + "CN=anonymous.invalid", + serial_number, + not_valid_before, + not_valid_after)); if (!cert.get()) return false; // Add TLS-Channel-ID extension to the certificate before signing it. // The value must be stored DER-encoded, as a ASN.1 IA5String. - crypto::ScopedOpenSSL<ASN1_STRING, ASN1_STRING_free> domain_ia5( - ASN1_IA5STRING_new()); + ScopedASN1_STRING domain_ia5(ASN1_IA5STRING_new()); if (!domain_ia5.get() || !ASN1_STRING_set(domain_ia5.get(), domain.data(), domain.size())) return false; @@ -250,15 +260,13 @@ bool CreateDomainBoundCertEC( if (i2d_ASN1_IA5STRING(domain_ia5.get(), &domain_der_data) < 0) return false; - crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free> domain_str( - ASN1_OCTET_STRING_new()); + ScopedASN1_OCTET_STRING domain_str(ASN1_OCTET_STRING_new()); if (!domain_str.get() || !ASN1_STRING_set(domain_str.get(), domain_der.data(), domain_der.size())) return false; - crypto::ScopedOpenSSL<X509_EXTENSION, X509_EXTENSION_free> ext( - X509_EXTENSION_create_by_OBJ( - NULL, GetDomainBoundOid(), 1 /* critical */, domain_str.get())); + ScopedX509_EXTENSION ext(X509_EXTENSION_create_by_OBJ( + NULL, GetDomainBoundOid(), 1 /* critical */, domain_str.get())); if (!ext.get() || !X509_add_ext(cert.get(), ext.get(), -1)) { return false; } @@ -275,13 +283,12 @@ bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, base::Time not_valid_after, std::string* der_encoded) { crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); - crypto::ScopedOpenSSL<X509, X509_free> cert( - CreateCertificate(key->key(), - alg, - common_name, - serial_number, - not_valid_before, - not_valid_after)); + ScopedX509 cert(CreateCertificate(key->key(), + alg, + common_name, + serial_number, + not_valid_before, + not_valid_after)); if (!cert.get()) return false; diff --git a/net/cert/x509_util_openssl_unittest.cc b/net/cert/x509_util_openssl_unittest.cc index c99f811..77746eb 100644 --- a/net/cert/x509_util_openssl_unittest.cc +++ b/net/cert/x509_util_openssl_unittest.cc @@ -5,6 +5,7 @@ #include "base/memory/scoped_ptr.h" #include "crypto/ec_private_key.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/cert/x509_util.h" #include "net/cert/x509_util_openssl.h" #include "testing/gtest/include/gtest/gtest.h" @@ -13,6 +14,8 @@ namespace net { namespace { +typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509; + // Verify that a given certificate was signed with the private key corresponding // to a given public key. // |der_cert| is the DER-encoded X.509 certificate. @@ -22,8 +25,7 @@ void VerifyCertificateSignature(const std::string& der_cert, const unsigned char* cert_data = reinterpret_cast<const unsigned char*>(der_cert.data()); int cert_data_len = static_cast<int>(der_cert.size()); - crypto::ScopedOpenSSL<X509, X509_free> cert( - d2i_X509(NULL, &cert_data, cert_data_len)); + ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len)); ASSERT_TRUE(cert.get()); // NOTE: SignatureVerifier wants the DER-encoded ASN.1 AlgorithmIdentifier @@ -31,8 +33,7 @@ void VerifyCertificateSignature(const std::string& der_cert, // Use X509_verify() directly instead, which takes an EVP_PKEY. const unsigned char* pub_key_data = &der_spki.front(); int pub_key_len = static_cast<int>(der_spki.size()); - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> pub_key( - d2i_PUBKEY(NULL, &pub_key_data, pub_key_len)); + crypto::ScopedEVP_PKEY pub_key(d2i_PUBKEY(NULL, &pub_key_data, pub_key_len)); ASSERT_TRUE(pub_key.get()); // NOTE: X509_verify() returns 1 in case of succes, 0 or -1 on error. @@ -46,15 +47,14 @@ void VerifyDomainBoundCert(const std::string& domain, const std::string& der_cert) { // Origin Bound Cert OID. static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; - crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free> oid_obj( + crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free>::Type oid_obj( OBJ_txt2obj(oid_string, 0)); ASSERT_TRUE(oid_obj.get()); const unsigned char* cert_data = reinterpret_cast<const unsigned char*>(der_cert.data()); int cert_data_len = static_cast<int>(der_cert.size()); - crypto::ScopedOpenSSL<X509, X509_free> cert( - d2i_X509(NULL, &cert_data, cert_data_len)); + ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len)); ASSERT_TRUE(cert.get()); // Find the extension. diff --git a/net/net.gyp b/net/net.gyp index 62b80cc..ee7ee38 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -265,6 +265,7 @@ 'cert/jwk_serializer_openssl.cc', 'cert/x509_util_openssl.cc', 'cert/x509_util_openssl.h', + 'crypto/scoped_openssl_types.h', 'quic/crypto/aead_base_decrypter_openssl.cc', 'quic/crypto/aead_base_encrypter_openssl.cc', 'quic/crypto/aes_128_gcm_12_decrypter_openssl.cc', diff --git a/net/net.gypi b/net/net.gypi index 9919905..ddec22d 100644 --- a/net/net.gypi +++ b/net/net.gypi @@ -334,6 +334,7 @@ 'cert/nss_profile_filter_chromeos.cc', 'cert/nss_profile_filter_chromeos.h', 'cert/scoped_nss_types.h', + 'cert/scoped_openssl_types.h', 'cert/sct_status_flags.h', 'cert/test_root_certs.cc', 'cert/test_root_certs.h', diff --git a/net/quic/crypto/channel_id_openssl.cc b/net/quic/crypto/channel_id_openssl.cc index 241acae..130f3bd 100644 --- a/net/quic/crypto/channel_id_openssl.cc +++ b/net/quic/crypto/channel_id_openssl.cc @@ -11,6 +11,7 @@ #include <openssl/sha.h> #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" using base::StringPiece; @@ -33,14 +34,13 @@ bool ChannelIDVerifier::VerifyRaw(StringPiece key, return false; } - crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> p256( + crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free>::Type p256( EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); if (p256.get() == NULL) { return false; } - crypto::ScopedOpenSSL<BIGNUM, BN_free> x(BN_new()), y(BN_new()), - r(BN_new()), s(BN_new()); + crypto::ScopedBIGNUM x(BN_new()), y(BN_new()), r(BN_new()), s(BN_new()); ECDSA_SIG sig; sig.r = r.get(); @@ -57,7 +57,7 @@ bool ChannelIDVerifier::VerifyRaw(StringPiece key, return false; } - crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free> point( + crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free>::Type point( EC_POINT_new(p256.get())); if (point.get() == NULL || !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(), @@ -65,7 +65,7 @@ bool ChannelIDVerifier::VerifyRaw(StringPiece key, return false; } - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ecdsa_key(EC_KEY_new()); + crypto::ScopedEC_KEY ecdsa_key(EC_KEY_new()); if (ecdsa_key.get() == NULL || !EC_KEY_set_group(ecdsa_key.get(), p256.get()) || !EC_KEY_set_public_key(ecdsa_key.get(), point.get())) { diff --git a/net/quic/crypto/p256_key_exchange.h b/net/quic/crypto/p256_key_exchange.h index 49a66ce..2c3b4a7 100644 --- a/net/quic/crypto/p256_key_exchange.h +++ b/net/quic/crypto/p256_key_exchange.h @@ -14,9 +14,7 @@ #if defined(USE_OPENSSL) #include "crypto/openssl_util.h" -// Forward declaration for openssl/*.h -typedef struct ec_key_st EC_KEY; -extern "C" void EC_KEY_free(EC_KEY* key); +#include "crypto/scoped_openssl_types.h" #else #include "crypto/ec_private_key.h" #include "crypto/scoped_nss_types.h" @@ -63,7 +61,7 @@ class NET_EXPORT_PRIVATE P256KeyExchange : public KeyExchange { // |public_key| consists of |kUncompressedP256PointBytes| bytes. P256KeyExchange(EC_KEY* private_key, const uint8* public_key); - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> private_key_; + crypto::ScopedEC_KEY private_key_; #else // P256KeyExchange takes ownership of |key_pair|, and expects // |public_key| consists of |kUncompressedP256PointBytes| bytes. diff --git a/net/quic/crypto/p256_key_exchange_openssl.cc b/net/quic/crypto/p256_key_exchange_openssl.cc index 197df6a..086e9cc 100644 --- a/net/quic/crypto/p256_key_exchange_openssl.cc +++ b/net/quic/crypto/p256_key_exchange_openssl.cc @@ -30,8 +30,7 @@ P256KeyExchange* P256KeyExchange::New(StringPiece key) { } const uint8* keyp = reinterpret_cast<const uint8*>(key.data()); - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> private_key( - d2i_ECPrivateKey(NULL, &keyp, key.size())); + crypto::ScopedEC_KEY private_key(d2i_ECPrivateKey(NULL, &keyp, key.size())); if (!private_key.get() || !EC_KEY_check_key(private_key.get())) { DVLOG(1) << "Private key is invalid."; return NULL; @@ -51,8 +50,7 @@ P256KeyExchange* P256KeyExchange::New(StringPiece key) { // static string P256KeyExchange::NewPrivateKey() { - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> key( - EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); + crypto::ScopedEC_KEY key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); if (!key.get() || !EC_KEY_generate_key(key.get())) { DVLOG(1) << "Can't generate a new private key."; return string(); @@ -85,7 +83,7 @@ bool P256KeyExchange::CalculateSharedKey(const StringPiece& peer_public_value, return false; } - crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free> point( + crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free>::Type point( EC_POINT_new(EC_KEY_get0_group(private_key_.get()))); if (!point.get() || !EC_POINT_oct2point( /* also test if point is on curve */ diff --git a/net/quic/test_tools/crypto_test_utils_openssl.cc b/net/quic/test_tools/crypto_test_utils_openssl.cc index 388d257..a6a164b 100644 --- a/net/quic/test_tools/crypto_test_utils_openssl.cc +++ b/net/quic/test_tools/crypto_test_utils_openssl.cc @@ -12,20 +12,13 @@ #include <openssl/sha.h> #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "crypto/secure_hash.h" #include "net/quic/crypto/channel_id.h" using base::StringPiece; using std::string; -namespace { - -void EvpMdCtxCleanUp(EVP_MD_CTX* ctx) { - (void)EVP_MD_CTX_cleanup(ctx); -} - -} // namespace anonymous - namespace net { namespace test { @@ -41,8 +34,7 @@ class TestChannelIDKey : public ChannelIDKey { string* out_signature) const OVERRIDE { EVP_MD_CTX md_ctx; EVP_MD_CTX_init(&md_ctx); - crypto::ScopedOpenSSL<EVP_MD_CTX, EvpMdCtxCleanUp> - md_ctx_cleanup(&md_ctx); + crypto::ScopedEVP_MD_CTX md_ctx_cleanup(&md_ctx); if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, ecdsa_key_.get()) != 1) { @@ -66,7 +58,7 @@ class TestChannelIDKey : public ChannelIDKey { } uint8* derp = der_sig.get(); - crypto::ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free> sig( + crypto::ScopedECDSA_SIG sig( d2i_ECDSA_SIG(NULL, const_cast<const uint8**>(&derp), sig_len)); if (sig.get() == NULL) { return false; @@ -104,7 +96,7 @@ class TestChannelIDKey : public ChannelIDKey { } private: - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ecdsa_key_; + crypto::ScopedEVP_PKEY ecdsa_key_; }; class TestChannelIDSource : public ChannelIDSource { @@ -140,25 +132,25 @@ class TestChannelIDSource : public ChannelIDSource { // clearing the most-significant bit. digest[0] &= 0x7f; - crypto::ScopedOpenSSL<BIGNUM, BN_free> k(BN_new()); + crypto::ScopedBIGNUM k(BN_new()); CHECK(BN_bin2bn(digest, sizeof(digest), k.get()) != NULL); - crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> p256( + crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free>::Type p256( EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); CHECK(p256.get()); - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ecdsa_key(EC_KEY_new()); + crypto::ScopedEC_KEY ecdsa_key(EC_KEY_new()); CHECK(ecdsa_key.get() != NULL && EC_KEY_set_group(ecdsa_key.get(), p256.get())); - crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free> point( + crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free>::Type point( EC_POINT_new(p256.get())); CHECK(EC_POINT_mul(p256.get(), point.get(), k.get(), NULL, NULL, NULL)); EC_KEY_set_private_key(ecdsa_key.get(), k.get()); EC_KEY_set_public_key(ecdsa_key.get(), point.get()); - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> pkey(EVP_PKEY_new()); + crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new()); // EVP_PKEY_set1_EC_KEY takes a reference so no |release| here. EVP_PKEY_set1_EC_KEY(pkey.get(), ecdsa_key.get()); diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index b63e120..8bdc314 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -18,6 +18,7 @@ #include "base/synchronization/lock.h" #include "crypto/ec_private_key.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/net_errors.h" #include "net/cert/cert_verifier.h" #include "net/cert/single_request_cert_verifier.h" @@ -96,6 +97,10 @@ std::string GetSocketSessionCacheKey(const SSLClientSocketOpenSSL& socket) { return result; } +static void FreeX509Stack(STACK_OF(X509) * ptr) { + sk_X509_pop_free(ptr, X509_free); +} + } // namespace class SSLClientSocketOpenSSL::SSLContext { @@ -170,7 +175,7 @@ class SSLClientSocketOpenSSL::SSLContext { // SSLClientSocketOpenSSL object from an SSL instance. int ssl_socket_data_index_; - crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_; + crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ssl_ctx_; // |session_cache_| must be destroyed before |ssl_ctx_|. SSLSessionCacheOpenSSL session_cache_; }; @@ -209,13 +214,10 @@ class SSLClientSocketOpenSSL::PeerCertificateChain { bool IsValid() { return os_chain_.get() && openssl_chain_.get(); } private: - static void FreeX509Stack(STACK_OF(X509)* cert_chain) { - sk_X509_pop_free(cert_chain, X509_free); - } - - friend class crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; + typedef crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>::Type + ScopedX509Stack; - crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack> openssl_chain_; + ScopedX509Stack openssl_chain_; scoped_refptr<X509Certificate> os_chain_; }; diff --git a/net/socket/ssl_client_socket_openssl_unittest.cc b/net/socket/ssl_client_socket_openssl_unittest.cc index d4e0685..52758e3 100644 --- a/net/socket/ssl_client_socket_openssl_unittest.cc +++ b/net/socket/ssl_client_socket_openssl_unittest.cc @@ -19,6 +19,7 @@ #include "base/message_loop/message_loop_proxy.h" #include "base/values.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/address_list.h" #include "net/base/io_buffer.h" #include "net/base/net_errors.h" @@ -48,16 +49,6 @@ namespace { // These client auth tests are currently dependent on OpenSSL's struct X509. #if defined(USE_OPENSSL_CERTS) -typedef OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY; - -// BIO_free is a macro, it can't be used as a template parameter. -void BIO_free_func(BIO* bio) { - BIO_free(bio); -} - -typedef crypto::ScopedOpenSSL<BIO, BIO_free_func> ScopedBIO; -typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; -typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM; const SSLConfig kDefaultSSLConfig; @@ -74,10 +65,9 @@ bool LoadPrivateKeyOpenSSL( << filepath.value() << ": " << strerror(errno); return false; } - ScopedBIO bio( - BIO_new_mem_buf( - const_cast<char*>(reinterpret_cast<const char*>(data.data())), - static_cast<int>(data.size()))); + crypto::ScopedBIO bio(BIO_new_mem_buf( + const_cast<char*>(reinterpret_cast<const char*>(data.data())), + static_cast<int>(data.size()))); if (!bio.get()) { LOG(ERROR) << "Could not allocate BIO for buffer?"; return false; diff --git a/net/socket/ssl_server_socket_openssl.cc b/net/socket/ssl_server_socket_openssl.cc index f6bd0cd..7a1ce16 100644 --- a/net/socket/ssl_server_socket_openssl.cc +++ b/net/socket/ssl_server_socket_openssl.cc @@ -11,6 +11,7 @@ #include "base/logging.h" #include "crypto/openssl_util.h" #include "crypto/rsa_private_key.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/net_errors.h" #include "net/socket/openssl_ssl_util.h" #include "net/socket/ssl_error_params.h" @@ -598,7 +599,7 @@ int SSLServerSocketOpenSSL::Init() { crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); - crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx( + crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ssl_ctx( // It support SSLv2, SSLv3, and TLSv1. SSL_CTX_new(SSLv23_server_method())); ssl_ = SSL_new(ssl_ctx.get()); @@ -630,8 +631,8 @@ int SSLServerSocketOpenSSL::Init() { const unsigned char* der_string_array = reinterpret_cast<const unsigned char*>(der_string.data()); - crypto::ScopedOpenSSL<X509, X509_free> - x509(d2i_X509(NULL, &der_string_array, der_string.length())); + crypto::ScopedOpenSSL<X509, X509_free>::Type x509( + d2i_X509(NULL, &der_string_array, der_string.length())); if (!x509.get()) return ERR_UNEXPECTED; diff --git a/net/socket/ssl_session_cache_openssl_unittest.cc b/net/socket/ssl_session_cache_openssl_unittest.cc index 22c4fba..41e195f 100644 --- a/net/socket/ssl_session_cache_openssl_unittest.cc +++ b/net/socket/ssl_session_cache_openssl_unittest.cc @@ -10,6 +10,7 @@ #include "base/logging.h" #include "base/strings/stringprintf.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "testing/gtest/include/gtest/gtest.h" @@ -30,7 +31,8 @@ namespace net { namespace { -typedef crypto::ScopedOpenSSL<SSL, SSL_free> ScopedSSL; +typedef crypto::ScopedOpenSSL<SSL, SSL_free>::Type ScopedSSL; +typedef crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ScopedSSL_CTX; // Helper class used to associate arbitrary std::string keys with SSL objects. class SSLKeyHelper { @@ -142,7 +144,7 @@ class SSLSessionCacheOpenSSLTest : public testing::Test { static const SSLSessionCacheOpenSSL::Config kDefaultConfig; protected: - crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ctx_; + ScopedSSL_CTX ctx_; // |cache_| must be destroyed before |ctx_| and thus appears after it. SSLSessionCacheOpenSSL cache_; }; |