diff options
29 files changed, 274 insertions, 253 deletions
diff --git a/chrome/common/net/x509_certificate_model_openssl.cc b/chrome/common/net/x509_certificate_model_openssl.cc index 044a5ee..9762889 100644 --- a/chrome/common/net/x509_certificate_model_openssl.cc +++ b/chrome/common/net/x509_certificate_model_openssl.cc @@ -17,6 +17,7 @@ #include "base/strings/utf_string_conversions.h" #include "crypto/openssl_bio_string.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "grit/generated_resources.h" #include "net/base/net_util.h" #include "net/cert/x509_util_openssl.h" @@ -463,7 +464,7 @@ std::string ProcessNSCertTypeExtension(X509_EXTENSION* ex) { {NS_OBJSIGN_CA, IDS_CERT_USAGE_OBJECT_SIGNER}, }; - crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free> value( + crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free>::Type value( reinterpret_cast<ASN1_BIT_STRING*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -486,7 +487,7 @@ std::string ProcessKeyUsageExtension(X509_EXTENSION* ex) { {KU_DECIPHER_ONLY, IDS_CERT_X509_KEY_USAGE_DECIPHER_ONLY}, }; - crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free> value( + crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free>::Type value( reinterpret_cast<ASN1_BIT_STRING*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -498,7 +499,7 @@ std::string ProcessKeyUsageExtension(X509_EXTENSION* ex) { std::string ProcessBasicConstraints(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free> value( + crypto::ScopedOpenSSL<BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free>::Type value( reinterpret_cast<BASIC_CONSTRAINTS*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -523,8 +524,8 @@ std::string ProcessBasicConstraints(X509_EXTENSION* ex) { std::string ProcessExtKeyUsage(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<EXTENDED_KEY_USAGE, EXTENDED_KEY_USAGE_free> value( - reinterpret_cast<EXTENDED_KEY_USAGE*>(X509V3_EXT_d2i(ex))); + crypto::ScopedOpenSSL<EXTENDED_KEY_USAGE, EXTENDED_KEY_USAGE_free>::Type + value(reinterpret_cast<EXTENDED_KEY_USAGE*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); for (int i = 0; i < sk_ASN1_OBJECT_num(value.get()); i++) { @@ -672,7 +673,7 @@ std::string ProcessGeneralNames(GENERAL_NAMES* names) { } std::string ProcessAltName(X509_EXTENSION* ex) { - crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free> alt_names( + crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>::Type alt_names( reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ex))); if (!alt_names.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -681,7 +682,7 @@ std::string ProcessAltName(X509_EXTENSION* ex) { } std::string ProcessSubjectKeyId(X509_EXTENSION* ex) { - crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free> value( + crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free>::Type value( reinterpret_cast<ASN1_OCTET_STRING*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -693,7 +694,7 @@ std::string ProcessSubjectKeyId(X509_EXTENSION* ex) { std::string ProcessAuthKeyId(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<AUTHORITY_KEYID, AUTHORITY_KEYID_free> value( + crypto::ScopedOpenSSL<AUTHORITY_KEYID, AUTHORITY_KEYID_free>::Type value( reinterpret_cast<AUTHORITY_KEYID*>(X509V3_EXT_d2i(ex))); if (!value.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -749,8 +750,8 @@ std::string ProcessUserNotice(USERNOTICE* notice) { std::string ProcessCertificatePolicies(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<CERTIFICATEPOLICIES, CERTIFICATEPOLICIES_free> policies( - reinterpret_cast<CERTIFICATEPOLICIES*>(X509V3_EXT_d2i(ex))); + crypto::ScopedOpenSSL<CERTIFICATEPOLICIES, CERTIFICATEPOLICIES_free>::Type + policies(reinterpret_cast<CERTIFICATEPOLICIES*>(X509V3_EXT_d2i(ex))); if (!policies.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -820,8 +821,8 @@ std::string ProcessCrlDistPoints(X509_EXTENSION* ex) { const int kDistPointRelativeName = 1; std::string rv; - crypto::ScopedOpenSSL<CRL_DIST_POINTS, CRL_DIST_POINTS_free> dist_points( - reinterpret_cast<CRL_DIST_POINTS*>(X509V3_EXT_d2i(ex))); + crypto::ScopedOpenSSL<CRL_DIST_POINTS, CRL_DIST_POINTS_free>::Type + dist_points(reinterpret_cast<CRL_DIST_POINTS*>(X509V3_EXT_d2i(ex))); if (!dist_points.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -861,8 +862,8 @@ std::string ProcessCrlDistPoints(X509_EXTENSION* ex) { std::string ProcessAuthInfoAccess(X509_EXTENSION* ex) { std::string rv; - crypto::ScopedOpenSSL<AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_ACCESS_free> aia( - reinterpret_cast<AUTHORITY_INFO_ACCESS*>(X509V3_EXT_d2i(ex))); + crypto::ScopedOpenSSL<AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_ACCESS_free>::Type + aia(reinterpret_cast<AUTHORITY_INFO_ACCESS*>(X509V3_EXT_d2i(ex))); if (!aia.get()) return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR); @@ -894,7 +895,7 @@ std::string ProcessAuthInfoAccess(X509_EXTENSION* ex) { std::string ProcessIA5StringData(ASN1_OCTET_STRING* asn1_string) { const unsigned char* data = ASN1_STRING_data(asn1_string); - crypto::ScopedOpenSSL<ASN1_IA5STRING, ASN1_IA5STRING_free> ia5_string( + crypto::ScopedOpenSSL<ASN1_IA5STRING, ASN1_IA5STRING_free>::Type ia5_string( d2i_ASN1_IA5STRING(NULL, &data, ASN1_STRING_length(asn1_string))); if (!ia5_string.get()) @@ -907,7 +908,7 @@ std::string ProcessIA5StringData(ASN1_OCTET_STRING* asn1_string) { std::string ProcessBMPStringData(ASN1_OCTET_STRING* asn1_string) { const unsigned char* data = ASN1_STRING_data(asn1_string); - crypto::ScopedOpenSSL<ASN1_BMPSTRING, ASN1_BMPSTRING_free> bmp_string( + crypto::ScopedOpenSSL<ASN1_BMPSTRING, ASN1_BMPSTRING_free>::Type bmp_string( d2i_ASN1_BMPSTRING(NULL, &data, ASN1_STRING_length(asn1_string))); if (!bmp_string.get()) @@ -970,7 +971,7 @@ std::string GetCertNameOrNickname(X509Certificate::OSCertHandle cert_handle) { if (!name.empty()) return name; - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&name)); + crypto::ScopedBIO bio(crypto::BIO_new_string(&name)); if (!bio.get()) return name; X509_NAME_print_ex(bio.get(), @@ -1080,7 +1081,7 @@ std::string GetTitle(net::X509Certificate::OSCertHandle cert_handle) { if (!title.empty()) return title; - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&title)); + crypto::ScopedBIO bio(crypto::BIO_new_string(&title)); if (!bio.get()) return title; X509_NAME_print_ex(bio.get(), @@ -1150,7 +1151,7 @@ void DestroyCertChain(net::X509Certificate::OSCertHandles* cert_handles) { std::string GetCMSString(const net::X509Certificate::OSCertHandles& cert_chain, size_t start, size_t end) { std::string rv; - crypto::ScopedOpenSSL<PKCS7, PKCS7_free> p7(PKCS7_new()); + crypto::ScopedOpenSSL<PKCS7, PKCS7_free>::Type p7(PKCS7_new()); if (!p7.get()) return rv; if (!PKCS7_set_type(p7.get(), NID_pkcs7_signed)) @@ -1161,7 +1162,8 @@ std::string GetCMSString(const net::X509Certificate::OSCertHandles& cert_chain, return rv; } - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&rv)); + crypto::ScopedOpenSSL<BIO, BIO_free_all>::Type bio( + crypto::BIO_new_string(&rv)); if (!bio.get()) return rv; @@ -1192,13 +1194,13 @@ std::string ProcessSecAlgorithmSignatureWrap( std::string ProcessSubjectPublicKeyInfo( net::X509Certificate::OSCertHandle cert_handle) { std::string rv; - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> public_key( + crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free>::Type public_key( X509_get_pubkey(cert_handle)); if (!public_key.get()) return rv; switch (EVP_PKEY_type(public_key.get()->type)) { case EVP_PKEY_RSA: { - crypto::ScopedOpenSSL<RSA, RSA_free> rsa_key( + crypto::ScopedOpenSSL<RSA, RSA_free>::Type rsa_key( EVP_PKEY_get1_RSA(public_key.get())); if (!rsa_key.get()) return rv; diff --git a/content/child/webcrypto/platform_crypto_openssl.cc b/content/child/webcrypto/platform_crypto_openssl.cc index 84ed9d8..89212ea 100644 --- a/content/child/webcrypto/platform_crypto_openssl.cc +++ b/content/child/webcrypto/platform_crypto_openssl.cc @@ -17,6 +17,7 @@ #include "content/child/webcrypto/status.h" #include "content/child/webcrypto/webcrypto_util.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h" #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h" @@ -99,7 +100,7 @@ Status AesCbcEncryptDecrypt(EncryptOrDecrypt mode, } // Note: PKCS padding is enabled by default - crypto::ScopedOpenSSL<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free> context( + crypto::ScopedOpenSSL<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free>::Type context( EVP_CIPHER_CTX_new()); if (!context.get()) @@ -233,7 +234,7 @@ class DigestorOpenSSL : public blink::WebCryptoDigestor { } bool initialized_; - crypto::ScopedOpenSSL<EVP_MD_CTX, EVP_MD_CTX_destroy> digest_context_; + crypto::ScopedEVP_MD_CTX digest_context_; blink::WebCryptoAlgorithmId algorithm_id_; unsigned char result_[EVP_MAX_MD_SIZE]; }; @@ -435,7 +436,8 @@ Status EncryptDecryptAesGcm(EncryptOrDecrypt mode, return Status::OperationError(); } - crypto::ScopedOpenSSL<EVP_AEAD_CTX, EVP_AEAD_CTX_cleanup> ctx_cleanup(&ctx); + crypto::ScopedOpenSSL<EVP_AEAD_CTX, EVP_AEAD_CTX_cleanup>::Type ctx_cleanup( + &ctx); ssize_t len; diff --git a/crypto/ec_private_key_openssl.cc b/crypto/ec_private_key_openssl.cc index b7b6b48..beda29f 100644 --- a/crypto/ec_private_key_openssl.cc +++ b/crypto/ec_private_key_openssl.cc @@ -12,6 +12,7 @@ #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" namespace crypto { @@ -24,6 +25,10 @@ namespace { // style guide, hence the unusual parameter placement / types. typedef int (*ExportBioFunction)(BIO* bio, const void* key); +typedef ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>::Type + ScopedPKCS8_PRIV_KEY_INFO; +typedef ScopedOpenSSL<X509_SIG, X509_SIG_free>::Type ScopedX509_SIG; + // Helper to export |key| into |output| via the specified ExportBioFunction. bool ExportKeyWithBio(const void* key, ExportBioFunction export_fn, @@ -31,7 +36,7 @@ bool ExportKeyWithBio(const void* key, if (!key) return false; - ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem())); + ScopedBIO bio(BIO_new(BIO_s_mem())); if (!bio.get()) return false; @@ -87,8 +92,7 @@ bool ECPrivateKey::IsSupported() { return true; } ECPrivateKey* ECPrivateKey::Create() { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key( - EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); + ScopedEC_KEY ec_key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); if (!ec_key.get() || !EC_KEY_generate_key(ec_key.get())) return NULL; @@ -118,21 +122,17 @@ ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( const_cast<uint8*>(&encrypted_private_key_info[0])); int private_key_data_len = static_cast<int>(encrypted_private_key_info.size()); - ScopedOpenSSL<BIO, BIO_free_all> bio( - BIO_new_mem_buf(private_key_data, private_key_data_len)); + ScopedBIO bio(BIO_new_mem_buf(private_key_data, private_key_data_len)); if (!bio.get()) return NULL; // Convert it, then decrypt it into a PKCS#8 object. - ScopedOpenSSL<X509_SIG, X509_SIG_free> p8_encrypted( - d2i_PKCS8_bio(bio.get(), NULL)); + ScopedX509_SIG p8_encrypted(d2i_PKCS8_bio(bio.get(), NULL)); if (!p8_encrypted.get()) return NULL; - ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> p8_decrypted( - PKCS8_decrypt(p8_encrypted.get(), - password.c_str(), - static_cast<int>(password.size()))); + ScopedPKCS8_PRIV_KEY_INFO p8_decrypted(PKCS8_decrypt( + p8_encrypted.get(), password.c_str(), static_cast<int>(password.size()))); if (!p8_decrypted.get() && password.empty()) { // Hack for reading keys generated by ec_private_key_nss. Passing NULL // causes OpenSSL to use an empty password instead of "\0\0". @@ -156,8 +156,7 @@ bool ECPrivateKey::ExportEncryptedPrivateKey( std::vector<uint8>* output) { OpenSSLErrStackTracer err_tracer(FROM_HERE); // Convert into a PKCS#8 object. - ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> pkcs8( - EVP_PKEY2PKCS8(key_)); + ScopedPKCS8_PRIV_KEY_INFO pkcs8(EVP_PKEY2PKCS8(key_)); if (!pkcs8.get()) return false; @@ -165,15 +164,14 @@ bool ECPrivateKey::ExportEncryptedPrivateKey( // NOTE: NSS uses SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC // so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL // equivalent. - ScopedOpenSSL<X509_SIG, X509_SIG_free> encrypted( - PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - NULL, - password.c_str(), - static_cast<int>(password.size()), - NULL, - 0, - iterations, - pkcs8.get())); + ScopedX509_SIG encrypted(PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + NULL, + password.c_str(), + static_cast<int>(password.size()), + NULL, + 0, + iterations, + pkcs8.get())); if (!encrypted.get()) return false; @@ -211,7 +209,7 @@ bool ECPrivateKey::ExportRawPublicKey(std::string* output) { bool ECPrivateKey::ExportValue(std::vector<uint8>* output) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_)); + ScopedEC_KEY ec_key(EVP_PKEY_get1_EC_KEY(key_)); return ExportKey(ec_key.get(), reinterpret_cast<ExportDataFunction>(i2d_ECPrivateKey), output); @@ -219,7 +217,7 @@ bool ECPrivateKey::ExportValue(std::vector<uint8>* output) { bool ECPrivateKey::ExportECParams(std::vector<uint8>* output) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_)); + ScopedEC_KEY ec_key(EVP_PKEY_get1_EC_KEY(key_)); return ExportKey(ec_key.get(), reinterpret_cast<ExportDataFunction>(i2d_ECParameters), output); diff --git a/crypto/ec_signature_creator_openssl.cc b/crypto/ec_signature_creator_openssl.cc index 7f0a873..adff2c9 100644 --- a/crypto/ec_signature_creator_openssl.cc +++ b/crypto/ec_signature_creator_openssl.cc @@ -13,9 +13,16 @@ #include "base/logging.h" #include "crypto/ec_private_key.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" namespace crypto { +namespace { + +typedef ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free>::Type ScopedECDSA_SIG; + +} // namespace + ECSignatureCreatorImpl::ECSignatureCreatorImpl(ECPrivateKey* key) : key_(key), signature_len_(0) { EnsureOpenSSLInit(); @@ -27,7 +34,7 @@ bool ECSignatureCreatorImpl::Sign(const uint8* data, int data_len, std::vector<uint8>* signature) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<EVP_MD_CTX, EVP_MD_CTX_destroy> ctx(EVP_MD_CTX_create()); + ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); size_t sig_len = 0; if (!ctx.get() || !EVP_DigestSignInit(ctx.get(), NULL, EVP_sha256(), NULL, key_->key()) || @@ -52,7 +59,7 @@ bool ECSignatureCreatorImpl::DecodeSignature(const std::vector<uint8>& der_sig, OpenSSLErrStackTracer err_tracer(FROM_HERE); // Create ECDSA_SIG object from DER-encoded data. const unsigned char* der_data = &der_sig.front(); - ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free> ecdsa_sig( + ScopedECDSA_SIG ecdsa_sig( d2i_ECDSA_SIG(NULL, &der_data, static_cast<long>(der_sig.size()))); if (!ecdsa_sig.get()) return false; diff --git a/crypto/openssl_bio_string_unittest.cc b/crypto/openssl_bio_string_unittest.cc index 39d3a9a..2467215 100644 --- a/crypto/openssl_bio_string_unittest.cc +++ b/crypto/openssl_bio_string_unittest.cc @@ -6,16 +6,18 @@ #include <openssl/bio.h> -#include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "testing/gtest/include/gtest/gtest.h" +namespace crypto { + TEST(OpenSSLBIOString, TestWrite) { std::string s; const std::string expected1("a one\nb 2\n"); const std::string expected2("c d e f"); const std::string expected3("g h i"); { - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&s)); + ScopedBIO bio(BIO_new_string(&s)); ASSERT_TRUE(bio.get()); EXPECT_EQ(static_cast<int>(expected1.size()), @@ -48,7 +50,7 @@ TEST(OpenSSLBIOString, TestReset) { const std::string expected1("a b c\n"); const std::string expected2("d e f g\n"); { - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(crypto::BIO_new_string(&s)); + ScopedBIO bio(BIO_new_string(&s)); ASSERT_TRUE(bio.get()); EXPECT_EQ(static_cast<int>(expected1.size()), @@ -64,3 +66,5 @@ TEST(OpenSSLBIOString, TestReset) { } EXPECT_EQ(expected2, s); } + +} // namespace crypto diff --git a/crypto/openssl_util.h b/crypto/openssl_util.h index bf83e47..2743883 100644 --- a/crypto/openssl_util.h +++ b/crypto/openssl_util.h @@ -11,36 +11,6 @@ namespace crypto { -// A helper class that takes care of destroying OpenSSL objects when they go out -// of scope. -template <typename T, void (*destructor)(T*)> -class ScopedOpenSSL { - public: - ScopedOpenSSL() : ptr_(NULL) { } - explicit ScopedOpenSSL(T* ptr) : ptr_(ptr) { } - ~ScopedOpenSSL() { - reset(NULL); - } - - T* get() const { return ptr_; } - T* release() { - T* ptr = ptr_; - ptr_ = NULL; - return ptr; - } - void reset(T* ptr) { - if (ptr != ptr_) { - if (ptr_) (*destructor)(ptr_); - ptr_ = ptr; - } - } - - private: - T* ptr_; - - DISALLOW_COPY_AND_ASSIGN(ScopedOpenSSL); -}; - // Provides a buffer of at least MIN_SIZE bytes, for use when calling OpenSSL's // SHA256, HMAC, etc functions, adapting the buffer sizing rules to meet those // of the our base wrapper APIs. diff --git a/crypto/rsa_private_key_openssl.cc b/crypto/rsa_private_key_openssl.cc index f191e39..bd00a73 100644 --- a/crypto/rsa_private_key_openssl.cc +++ b/crypto/rsa_private_key_openssl.cc @@ -11,6 +11,7 @@ #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" namespace crypto { @@ -29,7 +30,7 @@ bool ExportKey(EVP_PKEY* key, return false; OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem())); + ScopedBIO bio(BIO_new(BIO_s_mem())); int res = export_fn(bio.get(), key); if (!res) @@ -50,8 +51,8 @@ bool ExportKey(EVP_PKEY* key, RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<RSA, RSA_free> rsa_key(RSA_new()); - ScopedOpenSSL<BIGNUM, BN_free> bn(BN_new()); + ScopedRSA rsa_key(RSA_new()); + ScopedBIGNUM bn(BN_new()); if (!rsa_key.get() || !bn.get() || !BN_set_word(bn.get(), 65537L)) return NULL; @@ -75,14 +76,14 @@ RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo( OpenSSLErrStackTracer err_tracer(FROM_HERE); // BIO_new_mem_buf is not const aware, but it does not modify the buffer. char* data = reinterpret_cast<char*>(const_cast<uint8*>(&input[0])); - ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new_mem_buf(data, input.size())); + ScopedBIO bio(BIO_new_mem_buf(data, input.size())); if (!bio.get()) return NULL; // Importing is a little more involved than exporting, as we must first // PKCS#8 decode the input, and then import the EVP_PKEY from Private Key // Info structure returned. - ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> p8inf( + ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>::Type p8inf( d2i_PKCS8_PRIV_KEY_INFO_bio(bio.get(), NULL)); if (!p8inf.get()) return NULL; diff --git a/crypto/scoped_openssl_types.h b/crypto/scoped_openssl_types.h new file mode 100644 index 0000000..a949233 --- /dev/null +++ b/crypto/scoped_openssl_types.h @@ -0,0 +1,49 @@ +// Copyright 2014 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef CRYPTO_SCOPED_OPENSSL_TYPES_H_ +#define CRYPTO_SCOPED_OPENSSL_TYPES_H_ + +#include <openssl/bn.h> +#include <openssl/dsa.h> +#include <openssl/ec.h> +#include <openssl/ecdsa.h> +#include <openssl/evp.h> +#include <openssl/rsa.h> + +#include "base/memory/scoped_ptr.h" + +namespace crypto { + +// Simplistic helper that wraps a call to a deleter function. In a C++11 world, +// this would be std::function<>. An alternative would be to re-use +// base::internal::RunnableAdapter<>, but that's far too heavy weight. +template <typename Type, void (*Destroyer)(Type*)> +struct OpenSSLDestroyer { + void operator()(Type* ptr) const { Destroyer(ptr); } +}; + +template <typename PointerType, void (*Destroyer)(PointerType*)> +struct ScopedOpenSSL { + typedef scoped_ptr<PointerType, OpenSSLDestroyer<PointerType, Destroyer> > + Type; +}; + +// Several typedefs are provided for crypto-specific primitives, for +// short-hand and prevalence. Note that OpenSSL types related to X.509 are +// intentionally not included, as crypto/ does not generally deal with +// certificates or PKI. +typedef ScopedOpenSSL<BIGNUM, BN_free>::Type ScopedBIGNUM; +typedef ScopedOpenSSL<EC_KEY, EC_KEY_free>::Type ScopedEC_KEY; +typedef ScopedOpenSSL<BIO, BIO_free_all>::Type ScopedBIO; +typedef ScopedOpenSSL<DSA, DSA_free>::Type ScopedDSA; +typedef ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free>::Type ScopedECDSA_SIG; +typedef ScopedOpenSSL<EC_KEY, EC_KEY_free>::Type ScopedEC_KEY; +typedef ScopedOpenSSL<EVP_MD_CTX, EVP_MD_CTX_destroy>::Type ScopedEVP_MD_CTX; +typedef ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free>::Type ScopedEVP_PKEY; +typedef ScopedOpenSSL<RSA, RSA_free>::Type ScopedRSA; + +} // namespace crypto + +#endif // CRYPTO_SCOPED_OPENSSL_TYPES_H_ diff --git a/crypto/signature_verifier_openssl.cc b/crypto/signature_verifier_openssl.cc index a85f00b..155a2cf3 100644 --- a/crypto/signature_verifier_openssl.cc +++ b/crypto/signature_verifier_openssl.cc @@ -13,6 +13,7 @@ #include "base/memory/scoped_ptr.h" #include "base/stl_util.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" namespace crypto { @@ -31,7 +32,7 @@ const EVP_MD* ToOpenSSLDigest(SignatureVerifier::HashAlgorithm hash_alg) { } // namespace struct SignatureVerifier::VerifyContext { - ScopedOpenSSL<EVP_MD_CTX, EVP_MD_CTX_destroy> ctx; + ScopedEVP_MD_CTX ctx; }; SignatureVerifier::SignatureVerifier() @@ -49,7 +50,7 @@ bool SignatureVerifier::VerifyInit(const uint8* signature_algorithm, const uint8* public_key_info, int public_key_info_len) { OpenSSLErrStackTracer err_tracer(FROM_HERE); - ScopedOpenSSL<X509_ALGOR, X509_ALGOR_free> algorithm( + ScopedOpenSSL<X509_ALGOR, X509_ALGOR_free>::Type algorithm( d2i_X509_ALGOR(NULL, &signature_algorithm, signature_algorithm_len)); if (!algorithm.get()) return false; @@ -135,13 +136,11 @@ bool SignatureVerifier::CommonInit(const EVP_MD* digest, // BIO_new_mem_buf is not const aware, but it does not modify the buffer. char* data = reinterpret_cast<char*>(const_cast<uint8*>(public_key_info)); - ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new_mem_buf(data, - public_key_info_len)); + ScopedBIO bio(BIO_new_mem_buf(data, public_key_info_len)); if (!bio.get()) return false; - ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> public_key( - d2i_PUBKEY_bio(bio.get(), NULL)); + ScopedEVP_PKEY public_key(d2i_PUBKEY_bio(bio.get(), NULL)); if (!public_key.get()) return false; diff --git a/net/android/keystore_openssl.cc b/net/android/keystore_openssl.cc index ec08d70..e2e53d7b 100644 --- a/net/android/keystore_openssl.cc +++ b/net/android/keystore_openssl.cc @@ -26,6 +26,7 @@ #include "base/lazy_instance.h" #include "base/logging.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/android/keystore.h" #include "net/ssl/ssl_client_cert_type.h" @@ -101,11 +102,7 @@ namespace android { namespace { -typedef crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ScopedEVP_PKEY; -typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; -typedef crypto::ScopedOpenSSL<DSA, DSA_free> ScopedDSA; -typedef crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ScopedEC_KEY; -typedef crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> ScopedEC_GROUP; +typedef crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free>::Type ScopedEC_GROUP; // Custom RSA_METHOD that uses the platform APIs. // Note that for now, only signing through RSA_sign() is really supported. @@ -283,7 +280,7 @@ bool SwapBigNumPtrFromBytes(const std::vector<uint8>& new_bytes, // IMPORTANT: The EVP_PKEY will *only* work on Android >= 4.2. For older // platforms, use GetRsaLegacyKey() instead. bool GetRsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { - ScopedRSA rsa(RSA_new()); + crypto::ScopedRSA rsa(RSA_new()); RSA_set_method(rsa.get(), &android_rsa_method); // HACK: RSA_size() doesn't work with custom RSA_METHODs. To ensure that @@ -327,7 +324,7 @@ class KeystoreEngineWorkaround { void LeakRsaEngine(EVP_PKEY* pkey) { if (leaked_engine_) return; - ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey)); + crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey)); if (!rsa.get() || !rsa.get()->engine || strcmp(ENGINE_get_id(rsa.get()->engine), "keystore") || @@ -480,7 +477,7 @@ const DSA_METHOD android_dsa_method = { // On success, this creates a global JNI reference to the same object // that will be owned by and destroyed with the EVP_PKEY. bool GetDsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { - ScopedDSA dsa(DSA_new()); + crypto::ScopedDSA dsa(DSA_new()); DSA_set_method(dsa.get(), &android_dsa_method); // DSA_size() doesn't work with custom DSA_METHODs. To ensure it @@ -649,7 +646,7 @@ const ECDSA_METHOD android_ecdsa_method = { // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall // always free |private_key| after the call. bool GetEcdsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { - ScopedEC_KEY eckey(EC_KEY_new()); + crypto::ScopedEC_KEY eckey(EC_KEY_new()); ECDSA_set_method(eckey.get(), &android_ecdsa_method); // To ensure that ECDSA_size() works properly, craft a custom EC_GROUP @@ -688,7 +685,7 @@ bool GetEcdsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { EVP_PKEY* GetOpenSSLPrivateKeyWrapper(jobject private_key) { // Create new empty EVP_PKEY instance. - ScopedEVP_PKEY pkey(EVP_PKEY_new()); + crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new()); if (!pkey.get()) return NULL; diff --git a/net/android/keystore_unittest.cc b/net/android/keystore_unittest.cc index ff20435..076693f 100644 --- a/net/android/keystore_unittest.cc +++ b/net/android/keystore_unittest.cc @@ -25,6 +25,7 @@ #include "base/strings/string_number_conversions.h" #include "base/strings/string_util.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "jni/AndroidKeyStoreTestUtil_jni.h" #include "net/android/keystore.h" #include "net/android/keystore_openssl.h" @@ -56,15 +57,9 @@ namespace android { namespace { -typedef crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ScopedEVP_PKEY; -typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; -typedef crypto::ScopedOpenSSL<DSA, DSA_free> ScopedDSA; -typedef crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ScopedEC_KEY; -typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM; - -typedef crypto::ScopedOpenSSL< - PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> - ScopedPKCS8_PRIV_KEY_INFO; +typedef crypto::ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, + PKCS8_PRIV_KEY_INFO_free>::Type + ScopedPKCS8_PRIV_KEY_INFO; typedef base::android::ScopedJavaLocalRef<jobject> ScopedJava; @@ -136,7 +131,7 @@ EVP_PKEY* ImportPrivateKeyFile(const char* filename) { // |pkey| is the EVP_PKEY handle for the private key. // |pkcs8| will receive the PKCS#8 bytes. // Returns true on success, false otherwise. -bool GetPrivateKeyPkcs8Bytes(const ScopedEVP_PKEY& pkey, +bool GetPrivateKeyPkcs8Bytes(const crypto::ScopedEVP_PKEY& pkey, std::string* pkcs8) { // Convert to PKCS#8 object. ScopedPKCS8_PRIV_KEY_INFO p8_info(EVP_PKEY2PKCS8(pkey.get())); @@ -155,7 +150,7 @@ bool GetPrivateKeyPkcs8Bytes(const ScopedEVP_PKEY& pkey, bool ImportPrivateKeyFileAsPkcs8(const char* filename, std::string* pkcs8) { - ScopedEVP_PKEY pkey(ImportPrivateKeyFile(filename)); + crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(filename)); if (!pkey.get()) return false; return GetPrivateKeyPkcs8Bytes(pkey, pkcs8); @@ -231,11 +226,11 @@ ScopedJava GetDSATestKeyJava() { // to do the check. bool VerifyTestDSASignature(const base::StringPiece& message, const base::StringPiece& signature) { - ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestDsaPublicKeyFile)); + crypto::ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestDsaPublicKeyFile)); if (!pkey.get()) return false; - ScopedDSA pub_key(EVP_PKEY_get1_DSA(pkey.get())); + crypto::ScopedDSA pub_key(EVP_PKEY_get1_DSA(pkey.get())); if (!pub_key.get()) { LOG(ERROR) << "Could not get DSA public key: " << GetOpenSSLErrorString(); @@ -279,10 +274,10 @@ ScopedJava GetECDSATestKeyJava() { // to do the check. bool VerifyTestECDSASignature(const base::StringPiece& message, const base::StringPiece& signature) { - ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestEcdsaPublicKeyFile)); + crypto::ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestEcdsaPublicKeyFile)); if (!pkey.get()) return false; - ScopedEC_KEY pub_key(EVP_PKEY_get1_EC_KEY(pkey.get())); + crypto::ScopedEC_KEY pub_key(EVP_PKEY_get1_EC_KEY(pkey.get())); if (!pub_key.get()) { LOG(ERROR) << "Could not get ECDSA public key: " << GetOpenSSLErrorString(); @@ -323,7 +318,7 @@ bool SignWithOpenSSL(const base::StringPiece& message, switch (key_type) { case EVP_PKEY_RSA: { - ScopedRSA rsa(EVP_PKEY_get1_RSA(openssl_key)); + crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(openssl_key)); if (!rsa.get()) { LOG(ERROR) << "Could not get RSA from EVP_PKEY: " << GetOpenSSLErrorString(); @@ -345,7 +340,7 @@ bool SignWithOpenSSL(const base::StringPiece& message, } case EVP_PKEY_DSA: { - ScopedDSA dsa(EVP_PKEY_get1_DSA(openssl_key)); + crypto::ScopedDSA dsa(EVP_PKEY_get1_DSA(openssl_key)); if (!dsa.get()) { LOG(ERROR) << "Could not get DSA from EVP_PKEY: " << GetOpenSSLErrorString(); @@ -367,7 +362,7 @@ bool SignWithOpenSSL(const base::StringPiece& message, } case EVP_PKEY_EC: { - ScopedEC_KEY ecdsa(EVP_PKEY_get1_EC_KEY(openssl_key)); + crypto::ScopedEC_KEY ecdsa(EVP_PKEY_get1_EC_KEY(openssl_key)); if (!ecdsa.get()) { LOG(ERROR) << "Could not get EC_KEY from EVP_PKEY: " << GetOpenSSLErrorString(); @@ -494,7 +489,7 @@ TEST(AndroidKeyStore,GetRSAKeyModulus) { InitEnv(); // Load the test RSA key. - ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestRsaKeyFile)); + crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestRsaKeyFile)); ASSERT_TRUE(pkey.get()); // Convert it to encoded PKCS#8 bytes. @@ -511,15 +506,14 @@ TEST(AndroidKeyStore,GetRSAKeyModulus) { ASSERT_TRUE(GetRSAKeyModulus(key_java.obj(), &modulus_java)); // Create an OpenSSL BIGNUM from it. - ScopedBIGNUM bn( - BN_bin2bn( - reinterpret_cast<const unsigned char*>(&modulus_java[0]), - static_cast<int>(modulus_java.size()), - NULL)); + crypto::ScopedBIGNUM bn( + BN_bin2bn(reinterpret_cast<const unsigned char*>(&modulus_java[0]), + static_cast<int>(modulus_java.size()), + NULL)); ASSERT_TRUE(bn.get()); // Compare it to the one in the RSA key, they must be identical. - ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey.get())); + crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey.get())); ASSERT_TRUE(rsa.get()) << GetOpenSSLErrorString(); ASSERT_EQ(0, BN_cmp(bn.get(), rsa.get()->n)); @@ -530,7 +524,7 @@ TEST(AndroidKeyStore,GetDSAKeyParamQ) { InitEnv(); // Load the test DSA key. - ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestDsaKeyFile)); + crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestDsaKeyFile)); ASSERT_TRUE(pkey.get()); // Convert it to encoded PKCS#8 bytes. @@ -547,15 +541,14 @@ TEST(AndroidKeyStore,GetDSAKeyParamQ) { ASSERT_TRUE(GetDSAKeyParamQ(key_java.obj(), &q_java)); // Create an OpenSSL BIGNUM from it. - ScopedBIGNUM bn( - BN_bin2bn( - reinterpret_cast<const unsigned char*>(&q_java[0]), - static_cast<int>(q_java.size()), - NULL)); + crypto::ScopedBIGNUM bn( + BN_bin2bn(reinterpret_cast<const unsigned char*>(&q_java[0]), + static_cast<int>(q_java.size()), + NULL)); ASSERT_TRUE(bn.get()); // Compare it to the one in the RSA key, they must be identical. - ScopedDSA dsa(EVP_PKEY_get1_DSA(pkey.get())); + crypto::ScopedDSA dsa(EVP_PKEY_get1_DSA(pkey.get())); ASSERT_TRUE(dsa.get()) << GetOpenSSLErrorString(); ASSERT_EQ(0, BN_cmp(bn.get(), dsa.get()->q)); @@ -579,7 +572,7 @@ TEST(AndroidKeyStore,SignWithPrivateKeyRSA) { return; } - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile)); ASSERT_TRUE(openssl_key.get()); std::string message = kTestRsaHash; @@ -598,10 +591,11 @@ TEST(AndroidKeyStore,SignWithWrapperKeyRSA) { ScopedJava rsa_key = GetRSATestKeyJava(); ASSERT_FALSE(rsa_key.is_null()); - ScopedEVP_PKEY wrapper_key(GetOpenSSLPrivateKeyWrapper(rsa_key.obj())); + crypto::ScopedEVP_PKEY wrapper_key( + GetOpenSSLPrivateKeyWrapper(rsa_key.obj())); ASSERT_TRUE(wrapper_key.get() != NULL); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile)); ASSERT_TRUE(openssl_key.get()); // Check that RSA_size() works properly on the wrapper key. @@ -635,7 +629,7 @@ TEST(AndroidKeyStore,SignWithPrivateKeyDSA) { ScopedJava dsa_key = GetDSATestKeyJava(); ASSERT_FALSE(dsa_key.is_null()); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile)); ASSERT_TRUE(openssl_key.get()); std::string message = kTestDsaHash; @@ -652,11 +646,11 @@ TEST(AndroidKeyStore,SignWithWrapperKeyDSA) { ScopedJava dsa_key = GetDSATestKeyJava(); ASSERT_FALSE(dsa_key.is_null()); - ScopedEVP_PKEY wrapper_key( + crypto::ScopedEVP_PKEY wrapper_key( GetOpenSSLPrivateKeyWrapper(dsa_key.obj())); ASSERT_TRUE(wrapper_key.get()); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile)); ASSERT_TRUE(openssl_key.get()); // Check that DSA_size() works correctly on the wrapper. @@ -685,7 +679,7 @@ TEST(AndroidKeyStore,SignWithPrivateKeyECDSA) { ScopedJava ecdsa_key = GetECDSATestKeyJava(); ASSERT_FALSE(ecdsa_key.is_null()); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile)); ASSERT_TRUE(openssl_key.get()); std::string message = kTestEcdsaHash; @@ -700,11 +694,11 @@ TEST(AndroidKeyStore, SignWithWrapperKeyECDSA) { ScopedJava ecdsa_key = GetECDSATestKeyJava(); ASSERT_FALSE(ecdsa_key.is_null()); - ScopedEVP_PKEY wrapper_key( + crypto::ScopedEVP_PKEY wrapper_key( GetOpenSSLPrivateKeyWrapper(ecdsa_key.obj())); ASSERT_TRUE(wrapper_key.get()); - ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile)); + crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile)); ASSERT_TRUE(openssl_key.get()); // Check that ECDSA size works correctly on the wrapper. diff --git a/net/base/keygen_handler_openssl.cc b/net/base/keygen_handler_openssl.cc index edd0eb1..aeb64a8 100644 --- a/net/base/keygen_handler_openssl.cc +++ b/net/base/keygen_handler_openssl.cc @@ -10,6 +10,7 @@ #include "base/memory/scoped_ptr.h" #include "crypto/openssl_util.h" #include "crypto/rsa_private_key.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/openssl_private_key_store.h" namespace net { @@ -22,8 +23,8 @@ std::string KeygenHandler::GenKeyAndSignChallenge() { if (stores_key_) OpenSSLPrivateKeyStore::StoreKeyPair(url_, pkey); - crypto::ScopedOpenSSL<NETSCAPE_SPKI, NETSCAPE_SPKI_free> spki( - NETSCAPE_SPKI_new()); + crypto::ScopedOpenSSL<NETSCAPE_SPKI, NETSCAPE_SPKI_free>::Type spki( + NETSCAPE_SPKI_new()); ASN1_STRING_set(spki.get()->spkac->challenge, challenge_.data(), challenge_.size()); NETSCAPE_SPKI_set_pubkey(spki.get(), pkey); diff --git a/net/base/openssl_private_key_store_android.cc b/net/base/openssl_private_key_store_android.cc index e985107..56a63d2 100644 --- a/net/base/openssl_private_key_store_android.cc +++ b/net/base/openssl_private_key_store_android.cc @@ -10,6 +10,7 @@ #include "base/logging.h" #include "base/memory/singleton.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/android/network_library.h" namespace net { @@ -29,9 +30,8 @@ bool OpenSSLPrivateKeyStore::StoreKeyPair(const GURL& url, // in a format that is incompatible with what the platform expects. unsigned char* private_key = NULL; int private_len = 0; - crypto::ScopedOpenSSL< - PKCS8_PRIV_KEY_INFO, - PKCS8_PRIV_KEY_INFO_free> pkcs8(EVP_PKEY2PKCS8(pkey)); + crypto::ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>::Type + pkcs8(EVP_PKEY2PKCS8(pkey)); if (pkcs8.get() != NULL) { private_len = i2d_PKCS8_PRIV_KEY_INFO(pkcs8.get(), &private_key); } diff --git a/net/cert/cert_database_openssl.cc b/net/cert/cert_database_openssl.cc index 23b64cc..a67ac1b 100644 --- a/net/cert/cert_database_openssl.cc +++ b/net/cert/cert_database_openssl.cc @@ -8,7 +8,7 @@ #include "base/logging.h" #include "base/observer_list_threadsafe.h" -#include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/crypto_module.h" #include "net/base/net_errors.h" #include "net/base/openssl_private_key_store.h" @@ -40,7 +40,7 @@ int CertDatabase::CheckUserCert(X509Certificate* cert) { return ERR_CERT_DATE_INVALID; // X509_PUBKEY_get() transfers ownership, not X509_get_X509_PUBKEY() - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> public_key( + crypto::ScopedEVP_PKEY public_key( X509_PUBKEY_get(X509_get_X509_PUBKEY(cert->os_cert_handle()))); if (!OpenSSLPrivateKeyStore::HasPrivateKey(public_key.get())) diff --git a/net/cert/cert_verify_proc_openssl.cc b/net/cert/cert_verify_proc_openssl.cc index 0f21daa..0122fac 100644 --- a/net/cert/cert_verify_proc_openssl.cc +++ b/net/cert/cert_verify_proc_openssl.cc @@ -12,6 +12,7 @@ #include "base/logging.h" #include "base/sha1.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "crypto/sha2.h" #include "net/base/net_errors.h" #include "net/cert/asn1_util.h" @@ -197,10 +198,10 @@ int CertVerifyProcOpenSSL::VerifyInternal( verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; } - crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx( + crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free>::Type ctx( X509_STORE_CTX_new()); - crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates( + crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn>::Type intermediates( sk_X509_new_null()); if (!intermediates.get()) return ERR_OUT_OF_MEMORY; diff --git a/net/cert/ct_log_verifier_openssl.cc b/net/cert/ct_log_verifier_openssl.cc index 0b05d96..b85c0d6 100644 --- a/net/cert/ct_log_verifier_openssl.cc +++ b/net/cert/ct_log_verifier_openssl.cc @@ -9,6 +9,7 @@ #include "base/logging.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "crypto/sha2.h" #include "net/cert/signed_tree_head.h" @@ -55,7 +56,7 @@ bool CTLogVerifier::Init(const base::StringPiece& public_key, const base::StringPiece& description) { crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); - crypto::ScopedOpenSSL<BIO, BIO_free_all> bio( + crypto::ScopedBIO bio( BIO_new_mem_buf(const_cast<char*>(public_key.data()), public_key.size())); if (!bio.get()) return false; diff --git a/net/cert/x509_certificate_openssl.cc b/net/cert/x509_certificate_openssl.cc index 71d558d..005423ba 100644 --- a/net/cert/x509_certificate_openssl.cc +++ b/net/cert/x509_certificate_openssl.cc @@ -19,6 +19,7 @@ #include "base/strings/string_number_conversions.h" #include "base/strings/string_util.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/net_errors.h" #include "net/base/net_util.h" #include "net/cert/x509_util_openssl.h" @@ -32,12 +33,15 @@ namespace net { namespace { +typedef crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>::Type + ScopedGENERAL_NAMES; + void CreateOSCertHandlesFromPKCS7Bytes( const char* data, int length, X509Certificate::OSCertHandles* handles) { crypto::EnsureOpenSSLInit(); const unsigned char* der_data = reinterpret_cast<const unsigned char*>(data); - crypto::ScopedOpenSSL<PKCS7, PKCS7_free> pkcs7_cert( + crypto::ScopedOpenSSL<PKCS7, PKCS7_free>::Type pkcs7_cert( d2i_PKCS7(NULL, &der_data, length)); if (!pkcs7_cert.get()) return; @@ -105,7 +109,7 @@ void ParseSubjectAltName(X509Certificate::OSCertHandle cert, if (!alt_name_ext) return; - crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free> alt_names( + ScopedGENERAL_NAMES alt_names( reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext))); if (!alt_names.get()) return; @@ -182,7 +186,7 @@ class X509InitSingleton { } int der_cache_ex_index_; - crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free> store_; + crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free>::Type store_; DISALLOW_COPY_AND_ASSIGN(X509InitSingleton); }; @@ -437,8 +441,7 @@ void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, *type = kPublicKeyTypeUnknown; *size_bits = 0; - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> scoped_key( - X509_get_pubkey(cert_handle)); + crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle)); if (!scoped_key.get()) return; @@ -472,7 +475,7 @@ bool X509Certificate::IsIssuedByEncoded( // Convert to a temporary list of X509_NAME objects. // It will own the objects it points to. - crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all> + crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all>::Type issuer_names(sk_X509_NAME_new_null()); if (!issuer_names.get()) return false; diff --git a/net/cert/x509_util_openssl.cc b/net/cert/x509_util_openssl.cc index 5a6e9aa..38a987c 100644 --- a/net/cert/x509_util_openssl.cc +++ b/net/cert/x509_util_openssl.cc @@ -13,6 +13,7 @@ #include "crypto/ec_private_key.h" #include "crypto/openssl_util.h" #include "crypto/rsa_private_key.h" +#include "crypto/scoped_openssl_types.h" #include "net/cert/x509_cert_types.h" #include "net/cert/x509_util.h" @@ -20,6 +21,18 @@ namespace net { namespace { +typedef crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free>::Type + ScopedASN1_INTEGER; +typedef crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free>::Type + ScopedASN1_OCTET_STRING; +typedef crypto::ScopedOpenSSL<ASN1_STRING, ASN1_STRING_free>::Type + ScopedASN1_STRING; +typedef crypto::ScopedOpenSSL<ASN1_TIME, ASN1_TIME_free>::Type ScopedASN1_TIME; +typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509; +typedef crypto::ScopedOpenSSL<X509_EXTENSION, X509_EXTENSION_free>::Type + ScopedX509_EXTENSION; +typedef crypto::ScopedOpenSSL<X509_NAME, X509_NAME_free>::Type ScopedX509_NAME; + const EVP_MD* ToEVP(x509_util::DigestAlgorithm alg) { switch (alg) { case x509_util::DIGEST_SHA1: @@ -43,8 +56,7 @@ X509* CreateCertificate(EVP_PKEY* key, base::Time not_valid_before, base::Time not_valid_after) { // Put the serial number into an OpenSSL-friendly object. - crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free> asn1_serial( - ASN1_INTEGER_new()); + ScopedASN1_INTEGER asn1_serial(ASN1_INTEGER_new()); if (!asn1_serial.get() || !ASN1_INTEGER_set(asn1_serial.get(), static_cast<long>(serial_number))) { LOG(ERROR) << "Invalid serial number " << serial_number; @@ -52,7 +64,7 @@ X509* CreateCertificate(EVP_PKEY* key, } // Do the same for the time stamps. - crypto::ScopedOpenSSL<ASN1_TIME, ASN1_TIME_free> asn1_not_before_time( + ScopedASN1_TIME asn1_not_before_time( ASN1_TIME_set(NULL, not_valid_before.ToTimeT())); if (!asn1_not_before_time.get()) { LOG(ERROR) << "Invalid not_valid_before time: " @@ -60,7 +72,7 @@ X509* CreateCertificate(EVP_PKEY* key, return NULL; } - crypto::ScopedOpenSSL<ASN1_TIME, ASN1_TIME_free> asn1_not_after_time( + ScopedASN1_TIME asn1_not_after_time( ASN1_TIME_set(NULL, not_valid_after.ToTimeT())); if (!asn1_not_after_time.get()) { LOG(ERROR) << "Invalid not_valid_after time: " << not_valid_after.ToTimeT(); @@ -87,7 +99,7 @@ X509* CreateCertificate(EVP_PKEY* key, int common_name_len = static_cast<int>(common_name.size() - kCommonNamePrefixLen); - crypto::ScopedOpenSSL<X509_NAME, X509_NAME_free> name(X509_NAME_new()); + ScopedX509_NAME name(X509_NAME_new()); if (!name.get() || !X509_NAME_add_entry_by_NID(name.get(), NID_commonName, MBSTRING_ASC, @@ -100,7 +112,7 @@ X509* CreateCertificate(EVP_PKEY* key, } // Now create certificate and populate it. - crypto::ScopedOpenSSL<X509, X509_free> cert(X509_new()); + ScopedX509 cert(X509_new()); if (!cert.get() || !X509_set_version(cert.get(), 2L) /* i.e. version 3 */ || !X509_set_pubkey(cert.get(), key) || !X509_set_serialNumber(cert.get(), asn1_serial.get()) || @@ -221,20 +233,18 @@ bool CreateDomainBoundCertEC( std::string* der_cert) { crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); // Create certificate. - crypto::ScopedOpenSSL<X509, X509_free> cert( - CreateCertificate(key->key(), - alg, - "CN=anonymous.invalid", - serial_number, - not_valid_before, - not_valid_after)); + ScopedX509 cert(CreateCertificate(key->key(), + alg, + "CN=anonymous.invalid", + serial_number, + not_valid_before, + not_valid_after)); if (!cert.get()) return false; // Add TLS-Channel-ID extension to the certificate before signing it. // The value must be stored DER-encoded, as a ASN.1 IA5String. - crypto::ScopedOpenSSL<ASN1_STRING, ASN1_STRING_free> domain_ia5( - ASN1_IA5STRING_new()); + ScopedASN1_STRING domain_ia5(ASN1_IA5STRING_new()); if (!domain_ia5.get() || !ASN1_STRING_set(domain_ia5.get(), domain.data(), domain.size())) return false; @@ -250,15 +260,13 @@ bool CreateDomainBoundCertEC( if (i2d_ASN1_IA5STRING(domain_ia5.get(), &domain_der_data) < 0) return false; - crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free> domain_str( - ASN1_OCTET_STRING_new()); + ScopedASN1_OCTET_STRING domain_str(ASN1_OCTET_STRING_new()); if (!domain_str.get() || !ASN1_STRING_set(domain_str.get(), domain_der.data(), domain_der.size())) return false; - crypto::ScopedOpenSSL<X509_EXTENSION, X509_EXTENSION_free> ext( - X509_EXTENSION_create_by_OBJ( - NULL, GetDomainBoundOid(), 1 /* critical */, domain_str.get())); + ScopedX509_EXTENSION ext(X509_EXTENSION_create_by_OBJ( + NULL, GetDomainBoundOid(), 1 /* critical */, domain_str.get())); if (!ext.get() || !X509_add_ext(cert.get(), ext.get(), -1)) { return false; } @@ -275,13 +283,12 @@ bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, base::Time not_valid_after, std::string* der_encoded) { crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); - crypto::ScopedOpenSSL<X509, X509_free> cert( - CreateCertificate(key->key(), - alg, - common_name, - serial_number, - not_valid_before, - not_valid_after)); + ScopedX509 cert(CreateCertificate(key->key(), + alg, + common_name, + serial_number, + not_valid_before, + not_valid_after)); if (!cert.get()) return false; diff --git a/net/cert/x509_util_openssl_unittest.cc b/net/cert/x509_util_openssl_unittest.cc index c99f811..77746eb 100644 --- a/net/cert/x509_util_openssl_unittest.cc +++ b/net/cert/x509_util_openssl_unittest.cc @@ -5,6 +5,7 @@ #include "base/memory/scoped_ptr.h" #include "crypto/ec_private_key.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/cert/x509_util.h" #include "net/cert/x509_util_openssl.h" #include "testing/gtest/include/gtest/gtest.h" @@ -13,6 +14,8 @@ namespace net { namespace { +typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509; + // Verify that a given certificate was signed with the private key corresponding // to a given public key. // |der_cert| is the DER-encoded X.509 certificate. @@ -22,8 +25,7 @@ void VerifyCertificateSignature(const std::string& der_cert, const unsigned char* cert_data = reinterpret_cast<const unsigned char*>(der_cert.data()); int cert_data_len = static_cast<int>(der_cert.size()); - crypto::ScopedOpenSSL<X509, X509_free> cert( - d2i_X509(NULL, &cert_data, cert_data_len)); + ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len)); ASSERT_TRUE(cert.get()); // NOTE: SignatureVerifier wants the DER-encoded ASN.1 AlgorithmIdentifier @@ -31,8 +33,7 @@ void VerifyCertificateSignature(const std::string& der_cert, // Use X509_verify() directly instead, which takes an EVP_PKEY. const unsigned char* pub_key_data = &der_spki.front(); int pub_key_len = static_cast<int>(der_spki.size()); - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> pub_key( - d2i_PUBKEY(NULL, &pub_key_data, pub_key_len)); + crypto::ScopedEVP_PKEY pub_key(d2i_PUBKEY(NULL, &pub_key_data, pub_key_len)); ASSERT_TRUE(pub_key.get()); // NOTE: X509_verify() returns 1 in case of succes, 0 or -1 on error. @@ -46,15 +47,14 @@ void VerifyDomainBoundCert(const std::string& domain, const std::string& der_cert) { // Origin Bound Cert OID. static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; - crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free> oid_obj( + crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free>::Type oid_obj( OBJ_txt2obj(oid_string, 0)); ASSERT_TRUE(oid_obj.get()); const unsigned char* cert_data = reinterpret_cast<const unsigned char*>(der_cert.data()); int cert_data_len = static_cast<int>(der_cert.size()); - crypto::ScopedOpenSSL<X509, X509_free> cert( - d2i_X509(NULL, &cert_data, cert_data_len)); + ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len)); ASSERT_TRUE(cert.get()); // Find the extension. diff --git a/net/net.gyp b/net/net.gyp index 62b80cc..ee7ee38 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -265,6 +265,7 @@ 'cert/jwk_serializer_openssl.cc', 'cert/x509_util_openssl.cc', 'cert/x509_util_openssl.h', + 'crypto/scoped_openssl_types.h', 'quic/crypto/aead_base_decrypter_openssl.cc', 'quic/crypto/aead_base_encrypter_openssl.cc', 'quic/crypto/aes_128_gcm_12_decrypter_openssl.cc', diff --git a/net/net.gypi b/net/net.gypi index 9919905..ddec22d 100644 --- a/net/net.gypi +++ b/net/net.gypi @@ -334,6 +334,7 @@ 'cert/nss_profile_filter_chromeos.cc', 'cert/nss_profile_filter_chromeos.h', 'cert/scoped_nss_types.h', + 'cert/scoped_openssl_types.h', 'cert/sct_status_flags.h', 'cert/test_root_certs.cc', 'cert/test_root_certs.h', diff --git a/net/quic/crypto/channel_id_openssl.cc b/net/quic/crypto/channel_id_openssl.cc index 241acae..130f3bd 100644 --- a/net/quic/crypto/channel_id_openssl.cc +++ b/net/quic/crypto/channel_id_openssl.cc @@ -11,6 +11,7 @@ #include <openssl/sha.h> #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" using base::StringPiece; @@ -33,14 +34,13 @@ bool ChannelIDVerifier::VerifyRaw(StringPiece key, return false; } - crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> p256( + crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free>::Type p256( EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); if (p256.get() == NULL) { return false; } - crypto::ScopedOpenSSL<BIGNUM, BN_free> x(BN_new()), y(BN_new()), - r(BN_new()), s(BN_new()); + crypto::ScopedBIGNUM x(BN_new()), y(BN_new()), r(BN_new()), s(BN_new()); ECDSA_SIG sig; sig.r = r.get(); @@ -57,7 +57,7 @@ bool ChannelIDVerifier::VerifyRaw(StringPiece key, return false; } - crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free> point( + crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free>::Type point( EC_POINT_new(p256.get())); if (point.get() == NULL || !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(), @@ -65,7 +65,7 @@ bool ChannelIDVerifier::VerifyRaw(StringPiece key, return false; } - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ecdsa_key(EC_KEY_new()); + crypto::ScopedEC_KEY ecdsa_key(EC_KEY_new()); if (ecdsa_key.get() == NULL || !EC_KEY_set_group(ecdsa_key.get(), p256.get()) || !EC_KEY_set_public_key(ecdsa_key.get(), point.get())) { diff --git a/net/quic/crypto/p256_key_exchange.h b/net/quic/crypto/p256_key_exchange.h index 49a66ce..2c3b4a7 100644 --- a/net/quic/crypto/p256_key_exchange.h +++ b/net/quic/crypto/p256_key_exchange.h @@ -14,9 +14,7 @@ #if defined(USE_OPENSSL) #include "crypto/openssl_util.h" -// Forward declaration for openssl/*.h -typedef struct ec_key_st EC_KEY; -extern "C" void EC_KEY_free(EC_KEY* key); +#include "crypto/scoped_openssl_types.h" #else #include "crypto/ec_private_key.h" #include "crypto/scoped_nss_types.h" @@ -63,7 +61,7 @@ class NET_EXPORT_PRIVATE P256KeyExchange : public KeyExchange { // |public_key| consists of |kUncompressedP256PointBytes| bytes. P256KeyExchange(EC_KEY* private_key, const uint8* public_key); - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> private_key_; + crypto::ScopedEC_KEY private_key_; #else // P256KeyExchange takes ownership of |key_pair|, and expects // |public_key| consists of |kUncompressedP256PointBytes| bytes. diff --git a/net/quic/crypto/p256_key_exchange_openssl.cc b/net/quic/crypto/p256_key_exchange_openssl.cc index 197df6a..086e9cc 100644 --- a/net/quic/crypto/p256_key_exchange_openssl.cc +++ b/net/quic/crypto/p256_key_exchange_openssl.cc @@ -30,8 +30,7 @@ P256KeyExchange* P256KeyExchange::New(StringPiece key) { } const uint8* keyp = reinterpret_cast<const uint8*>(key.data()); - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> private_key( - d2i_ECPrivateKey(NULL, &keyp, key.size())); + crypto::ScopedEC_KEY private_key(d2i_ECPrivateKey(NULL, &keyp, key.size())); if (!private_key.get() || !EC_KEY_check_key(private_key.get())) { DVLOG(1) << "Private key is invalid."; return NULL; @@ -51,8 +50,7 @@ P256KeyExchange* P256KeyExchange::New(StringPiece key) { // static string P256KeyExchange::NewPrivateKey() { - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> key( - EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); + crypto::ScopedEC_KEY key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); if (!key.get() || !EC_KEY_generate_key(key.get())) { DVLOG(1) << "Can't generate a new private key."; return string(); @@ -85,7 +83,7 @@ bool P256KeyExchange::CalculateSharedKey(const StringPiece& peer_public_value, return false; } - crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free> point( + crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free>::Type point( EC_POINT_new(EC_KEY_get0_group(private_key_.get()))); if (!point.get() || !EC_POINT_oct2point( /* also test if point is on curve */ diff --git a/net/quic/test_tools/crypto_test_utils_openssl.cc b/net/quic/test_tools/crypto_test_utils_openssl.cc index 388d257..a6a164b 100644 --- a/net/quic/test_tools/crypto_test_utils_openssl.cc +++ b/net/quic/test_tools/crypto_test_utils_openssl.cc @@ -12,20 +12,13 @@ #include <openssl/sha.h> #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "crypto/secure_hash.h" #include "net/quic/crypto/channel_id.h" using base::StringPiece; using std::string; -namespace { - -void EvpMdCtxCleanUp(EVP_MD_CTX* ctx) { - (void)EVP_MD_CTX_cleanup(ctx); -} - -} // namespace anonymous - namespace net { namespace test { @@ -41,8 +34,7 @@ class TestChannelIDKey : public ChannelIDKey { string* out_signature) const OVERRIDE { EVP_MD_CTX md_ctx; EVP_MD_CTX_init(&md_ctx); - crypto::ScopedOpenSSL<EVP_MD_CTX, EvpMdCtxCleanUp> - md_ctx_cleanup(&md_ctx); + crypto::ScopedEVP_MD_CTX md_ctx_cleanup(&md_ctx); if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, ecdsa_key_.get()) != 1) { @@ -66,7 +58,7 @@ class TestChannelIDKey : public ChannelIDKey { } uint8* derp = der_sig.get(); - crypto::ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free> sig( + crypto::ScopedECDSA_SIG sig( d2i_ECDSA_SIG(NULL, const_cast<const uint8**>(&derp), sig_len)); if (sig.get() == NULL) { return false; @@ -104,7 +96,7 @@ class TestChannelIDKey : public ChannelIDKey { } private: - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ecdsa_key_; + crypto::ScopedEVP_PKEY ecdsa_key_; }; class TestChannelIDSource : public ChannelIDSource { @@ -140,25 +132,25 @@ class TestChannelIDSource : public ChannelIDSource { // clearing the most-significant bit. digest[0] &= 0x7f; - crypto::ScopedOpenSSL<BIGNUM, BN_free> k(BN_new()); + crypto::ScopedBIGNUM k(BN_new()); CHECK(BN_bin2bn(digest, sizeof(digest), k.get()) != NULL); - crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> p256( + crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free>::Type p256( EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); CHECK(p256.get()); - crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ecdsa_key(EC_KEY_new()); + crypto::ScopedEC_KEY ecdsa_key(EC_KEY_new()); CHECK(ecdsa_key.get() != NULL && EC_KEY_set_group(ecdsa_key.get(), p256.get())); - crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free> point( + crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free>::Type point( EC_POINT_new(p256.get())); CHECK(EC_POINT_mul(p256.get(), point.get(), k.get(), NULL, NULL, NULL)); EC_KEY_set_private_key(ecdsa_key.get(), k.get()); EC_KEY_set_public_key(ecdsa_key.get(), point.get()); - crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> pkey(EVP_PKEY_new()); + crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new()); // EVP_PKEY_set1_EC_KEY takes a reference so no |release| here. EVP_PKEY_set1_EC_KEY(pkey.get(), ecdsa_key.get()); diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index b63e120..8bdc314 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -18,6 +18,7 @@ #include "base/synchronization/lock.h" #include "crypto/ec_private_key.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/net_errors.h" #include "net/cert/cert_verifier.h" #include "net/cert/single_request_cert_verifier.h" @@ -96,6 +97,10 @@ std::string GetSocketSessionCacheKey(const SSLClientSocketOpenSSL& socket) { return result; } +static void FreeX509Stack(STACK_OF(X509) * ptr) { + sk_X509_pop_free(ptr, X509_free); +} + } // namespace class SSLClientSocketOpenSSL::SSLContext { @@ -170,7 +175,7 @@ class SSLClientSocketOpenSSL::SSLContext { // SSLClientSocketOpenSSL object from an SSL instance. int ssl_socket_data_index_; - crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_; + crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ssl_ctx_; // |session_cache_| must be destroyed before |ssl_ctx_|. SSLSessionCacheOpenSSL session_cache_; }; @@ -209,13 +214,10 @@ class SSLClientSocketOpenSSL::PeerCertificateChain { bool IsValid() { return os_chain_.get() && openssl_chain_.get(); } private: - static void FreeX509Stack(STACK_OF(X509)* cert_chain) { - sk_X509_pop_free(cert_chain, X509_free); - } - - friend class crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; + typedef crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>::Type + ScopedX509Stack; - crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack> openssl_chain_; + ScopedX509Stack openssl_chain_; scoped_refptr<X509Certificate> os_chain_; }; diff --git a/net/socket/ssl_client_socket_openssl_unittest.cc b/net/socket/ssl_client_socket_openssl_unittest.cc index d4e0685..52758e3 100644 --- a/net/socket/ssl_client_socket_openssl_unittest.cc +++ b/net/socket/ssl_client_socket_openssl_unittest.cc @@ -19,6 +19,7 @@ #include "base/message_loop/message_loop_proxy.h" #include "base/values.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/address_list.h" #include "net/base/io_buffer.h" #include "net/base/net_errors.h" @@ -48,16 +49,6 @@ namespace { // These client auth tests are currently dependent on OpenSSL's struct X509. #if defined(USE_OPENSSL_CERTS) -typedef OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY; - -// BIO_free is a macro, it can't be used as a template parameter. -void BIO_free_func(BIO* bio) { - BIO_free(bio); -} - -typedef crypto::ScopedOpenSSL<BIO, BIO_free_func> ScopedBIO; -typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; -typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM; const SSLConfig kDefaultSSLConfig; @@ -74,10 +65,9 @@ bool LoadPrivateKeyOpenSSL( << filepath.value() << ": " << strerror(errno); return false; } - ScopedBIO bio( - BIO_new_mem_buf( - const_cast<char*>(reinterpret_cast<const char*>(data.data())), - static_cast<int>(data.size()))); + crypto::ScopedBIO bio(BIO_new_mem_buf( + const_cast<char*>(reinterpret_cast<const char*>(data.data())), + static_cast<int>(data.size()))); if (!bio.get()) { LOG(ERROR) << "Could not allocate BIO for buffer?"; return false; diff --git a/net/socket/ssl_server_socket_openssl.cc b/net/socket/ssl_server_socket_openssl.cc index f6bd0cd..7a1ce16 100644 --- a/net/socket/ssl_server_socket_openssl.cc +++ b/net/socket/ssl_server_socket_openssl.cc @@ -11,6 +11,7 @@ #include "base/logging.h" #include "crypto/openssl_util.h" #include "crypto/rsa_private_key.h" +#include "crypto/scoped_openssl_types.h" #include "net/base/net_errors.h" #include "net/socket/openssl_ssl_util.h" #include "net/socket/ssl_error_params.h" @@ -598,7 +599,7 @@ int SSLServerSocketOpenSSL::Init() { crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); - crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx( + crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ssl_ctx( // It support SSLv2, SSLv3, and TLSv1. SSL_CTX_new(SSLv23_server_method())); ssl_ = SSL_new(ssl_ctx.get()); @@ -630,8 +631,8 @@ int SSLServerSocketOpenSSL::Init() { const unsigned char* der_string_array = reinterpret_cast<const unsigned char*>(der_string.data()); - crypto::ScopedOpenSSL<X509, X509_free> - x509(d2i_X509(NULL, &der_string_array, der_string.length())); + crypto::ScopedOpenSSL<X509, X509_free>::Type x509( + d2i_X509(NULL, &der_string_array, der_string.length())); if (!x509.get()) return ERR_UNEXPECTED; diff --git a/net/socket/ssl_session_cache_openssl_unittest.cc b/net/socket/ssl_session_cache_openssl_unittest.cc index 22c4fba..41e195f 100644 --- a/net/socket/ssl_session_cache_openssl_unittest.cc +++ b/net/socket/ssl_session_cache_openssl_unittest.cc @@ -10,6 +10,7 @@ #include "base/logging.h" #include "base/strings/stringprintf.h" #include "crypto/openssl_util.h" +#include "crypto/scoped_openssl_types.h" #include "testing/gtest/include/gtest/gtest.h" @@ -30,7 +31,8 @@ namespace net { namespace { -typedef crypto::ScopedOpenSSL<SSL, SSL_free> ScopedSSL; +typedef crypto::ScopedOpenSSL<SSL, SSL_free>::Type ScopedSSL; +typedef crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ScopedSSL_CTX; // Helper class used to associate arbitrary std::string keys with SSL objects. class SSLKeyHelper { @@ -142,7 +144,7 @@ class SSLSessionCacheOpenSSLTest : public testing::Test { static const SSLSessionCacheOpenSSL::Config kDefaultConfig; protected: - crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ctx_; + ScopedSSL_CTX ctx_; // |cache_| must be destroyed before |ctx_| and thus appears after it. SSLSessionCacheOpenSSL cache_; }; |