Change WebRTC SslCipher to be exposed as number only.

webrtc/base/opensslstreamadapter.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 40 matching lines @@
 
 // This isn't elegant, but it's better than an external reference
 static SrtpCipherMapEntry SrtpCipherMap[] = {
   {"AES_CM_128_HMAC_SHA1_80", "SRTP_AES128_CM_SHA1_80"},
   {"AES_CM_128_HMAC_SHA1_32", "SRTP_AES128_CM_SHA1_32"},
   {NULL, NULL}
 };
 #endif
 
 #ifndef OPENSSL_IS_BORINGSSL
-// Cipher name table. Maps internal OpenSSL cipher ids to the RFC name.
-struct SslCipherMapEntry {
-  uint32_t openssl_id;
-  const char* rfc_name;
-};
 
 #define DEFINE_CIPHER_ENTRY_SSL3(name)  {SSL3_CK_##name, "TLS_"#name}
 #define DEFINE_CIPHER_ENTRY_TLS1(name)  {TLS1_CK_##name, "TLS_"#name}
 
 // There currently is no method available to get a RFC-compliant name for a
 // cipher suite from BoringSSL, so we need to define the mapping manually here.
 // This should go away once BoringSSL supports "SSL_CIPHER_standard_name"
 // (as available in OpenSSL if compiled with tracing enabled) or a similar
 // method.
 static const SslCipherMapEntry kSslCipherMap[] = {
@@ skipping 56 matching lines @@
   // ECDH GCM based ciphersuites from RFC5289.
   DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
   DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
   DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
   DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384),
 
   {0, NULL}
 };
 #endif  // #ifndef OPENSSL_IS_BORINGSSL
 
+// TLS_NULL_WITH_NULL_NULL provides no more protection than an unsecured
+// connection. Must not be negotiated.
+static const SslCipher kNullSslCipher = {0, "TLS_NULL_WITH_NULL_NULL"};
+
 // Default cipher used between OpenSSL/BoringSSL stream adapters.
 // This needs to be updated when the default of the SSL library changes.
-static const char kDefaultSslCipher10[] =
-    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
-static const char kDefaultSslEcCipher10[] =
-    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
+static const SslCipher kDefaultSslCipher10 = {
+    0xC014,

[juberti, 2015/09/24 13:41:15]

The fact we need to get the id and name right here seems overly complex to me.
The tests should be able to get by with just the name.

[guoweis_webrtc, 2015/09/24 18:27:13]

Problem is that when doing the verification of UMA, it needs ID and since there
is no name to ID mapping, we have to provide the ID together.

[juberti, 2015/09/24 21:37:31]

This still seems like a bad path. I could totally see us somehow mixing up the
wrong IDs and strings here.

+    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"};
+static const SslCipher kDefaultSslEcCipher10 = {
+    0xC00A,
+    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"};
 
 #ifdef OPENSSL_IS_BORINGSSL
-static const char kDefaultSslCipher12[] =
-    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
-static const char kDefaultSslEcCipher12[] =
-    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
+static const SslCipher kDefaultSslCipher12 = {
+    0xC02F,
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"};
+static const SslCipher kDefaultSslEcCipher12 = {
+    0xC02B,
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"};
 // Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable.
-static const char kDefaultSslCipher12NoAesGcm[] =
-    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
-static const char kDefaultSslEcCipher12NoAesGcm[] =
-    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256";
+static const SslCipher kDefaultSslCipher12NoAesGcm = {
+    0xCC13,
+    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"};
+static const SslCipher kDefaultSslEcCipher12NoAesGcm = {
+    0xCC14,
+    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"};
 #else  // !OPENSSL_IS_BORINGSSL
 // OpenSSL sorts differently than BoringSSL, so the default cipher doesn't
 // change between TLS 1.0 and TLS 1.2 with the current setup.
-static const char kDefaultSslCipher12[] =
-    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
-static const char kDefaultSslEcCipher12[] =
-    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
+static const SslCipher kDefaultSslCipher12 = {
+    0xC014,
+    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"};
+static const SslCipher kDefaultSslEcCipher12 = {
+    0xC00A,
+    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"};
 #endif
 
 //////////////////////////////////////////////////////////////////////
 // StreamBIO
 //////////////////////////////////////////////////////////////////////
 
 static int stream_write(BIO* h, const char* buf, int num);
 static int stream_read(BIO* h, char* buf, int size);
 static int stream_puts(BIO* h, const char* str);
 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2);
@@ skipping 169 matching lines @@
   for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name;
        ++entry) {
     if (cipher->id == entry->openssl_id) {
       return entry->rfc_name;
     }
   }
   return NULL;
 }
 #endif
 
-bool OpenSSLStreamAdapter::GetSslCipher(std::string* cipher) {
+bool OpenSSLStreamAdapter::GetSslCipher(SslCipher* cipher) {
   if (state_ != SSL_CONNECTED)
     return false;
 
   const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_);
   if (current_cipher == NULL) {
     return false;
   }
 
+  cipher->ssl_id = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher));
+
 #ifdef OPENSSL_IS_BORINGSSL
   char* cipher_name = SSL_CIPHER_get_rfc_name(current_cipher);
 #else
   const char* cipher_name = GetRfcSslCipherName(current_cipher);
 #endif
   if (cipher_name == NULL) {
     return false;
   }
 
-  *cipher = cipher_name;
+  cipher->rfc_name = cipher_name;
 #ifdef OPENSSL_IS_BORINGSSL
   OPENSSL_free(cipher_name);
 #endif
   return true;
 }
 
 // Key Extractor interface
 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label,
                                                 const uint8* context,
                                                 size_t context_len,
@@ skipping 734 matching lines @@
 }
 
 bool OpenSSLStreamAdapter::HaveExporter() {
 #ifdef HAVE_DTLS_SRTP
   return true;
 #else
   return false;
 #endif
 }
 
-std::string OpenSSLStreamAdapter::GetDefaultSslCipher(
+const SslCipher& OpenSSLStreamAdapter::GetDefaultSslCipher(
     SSLProtocolVersion version,
     KeyType key_type) {
   if (key_type == KT_RSA) {
     switch (version) {
       case SSL_PROTOCOL_TLS_10:
       case SSL_PROTOCOL_TLS_11:
         return kDefaultSslCipher10;
       case SSL_PROTOCOL_TLS_12:
       default:
 #ifdef OPENSSL_IS_BORINGSSL
@@ skipping 17 matching lines @@
         if (EVP_has_aes_hardware()) {
           return kDefaultSslEcCipher12;
         } else {
           return kDefaultSslEcCipher12NoAesGcm;
         }
 #else  // !OPENSSL_IS_BORINGSSL
         return kDefaultSslEcCipher12;
 #endif
     }
   } else {
-    return std::string();
+    RTC_NOTREACHED();
+    return kNullSslCipher;
   }
 }
 
 }  // namespace rtc
 
 #endif  // HAVE_OPENSSL_SSL_H