Index: webrtc/base/opensslstreamadapter.cc |
diff --git a/webrtc/base/opensslstreamadapter.cc b/webrtc/base/opensslstreamadapter.cc |
index ed2505e8b7fe28c0b14e285470e3c149462db4e0..47b37cd0c2c09bfed7d5254e8810d88ad743f5e9 100644 |
--- a/webrtc/base/opensslstreamadapter.cc |
+++ b/webrtc/base/opensslstreamadapter.cc |
@@ -58,11 +58,6 @@ static SrtpCipherMapEntry SrtpCipherMap[] = { |
#endif |
#ifndef OPENSSL_IS_BORINGSSL |
-// Cipher name table. Maps internal OpenSSL cipher ids to the RFC name. |
-struct SslCipherMapEntry { |
- uint32_t openssl_id; |
- const char* rfc_name; |
-}; |
#define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name} |
#define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name} |
@@ -139,30 +134,42 @@ static const SslCipherMapEntry kSslCipherMap[] = { |
}; |
#endif // #ifndef OPENSSL_IS_BORINGSSL |
+// TLS_NULL_WITH_NULL_NULL provides no more protection than an unsecured |
+// connection. Must not be negotiated. |
+static const SslCipher kNullSslCipher = {0, "TLS_NULL_WITH_NULL_NULL"}; |
+ |
// Default cipher used between OpenSSL/BoringSSL stream adapters. |
// This needs to be updated when the default of the SSL library changes. |
-static const char kDefaultSslCipher10[] = |
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; |
-static const char kDefaultSslEcCipher10[] = |
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; |
+static const SslCipher kDefaultSslCipher10 = { |
+ 0xC014, |
juberti
2015/09/24 13:41:15
The fact we need to get the id and name right here
guoweis_webrtc
2015/09/24 18:27:13
Problem is that when doing the verification of UMA
juberti
2015/09/24 21:37:31
This still seems like a bad path. I could totally
|
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}; |
+static const SslCipher kDefaultSslEcCipher10 = { |
+ 0xC00A, |
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"}; |
#ifdef OPENSSL_IS_BORINGSSL |
-static const char kDefaultSslCipher12[] = |
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; |
-static const char kDefaultSslEcCipher12[] = |
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; |
+static const SslCipher kDefaultSslCipher12 = { |
+ 0xC02F, |
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}; |
+static const SslCipher kDefaultSslEcCipher12 = { |
+ 0xC02B, |
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}; |
// Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable. |
-static const char kDefaultSslCipher12NoAesGcm[] = |
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; |
-static const char kDefaultSslEcCipher12NoAesGcm[] = |
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"; |
+static const SslCipher kDefaultSslCipher12NoAesGcm = { |
+ 0xCC13, |
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"}; |
+static const SslCipher kDefaultSslEcCipher12NoAesGcm = { |
+ 0xCC14, |
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}; |
#else // !OPENSSL_IS_BORINGSSL |
// OpenSSL sorts differently than BoringSSL, so the default cipher doesn't |
// change between TLS 1.0 and TLS 1.2 with the current setup. |
-static const char kDefaultSslCipher12[] = |
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; |
-static const char kDefaultSslEcCipher12[] = |
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; |
+static const SslCipher kDefaultSslCipher12 = { |
+ 0xC014, |
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}; |
+static const SslCipher kDefaultSslEcCipher12 = { |
+ 0xC00A, |
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"}; |
#endif |
////////////////////////////////////////////////////////////////////// |
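Review bot: The ChaCha20 entries at `0xCC13` and `0xCC14` appear to be the pre-RFC draft code points for these suites; the IANA values registered under the names TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 are 0xCCA8 and 0xCCA9 (RFC 7905). If the BoringSSL pin moves to the standard suites, `SSL_CIPHER_get_id()` will stop matching `kDefaultSslCipher12NoAesGcm.ssl_id` while the `rfc_name` string keeps matching, and any id-based comparison will silently disagree with the name-based one. Since GetSslCipher stores only the low 16 bits of the id, the table must also hold the low 16 bits; I would record both facts next to the definitions, e.g. `// ssl_id holds the low 16 bits of SSL_CIPHER_get_id(); 0xCC13/0xCC14 are the draft ChaCha20 code points, not the RFC 7905 ones (0xCCA8/0xCCA9).` The `kNullSslCipher` comment says it must not be negotiated, but nothing in this hunk enforces that; if enforcement lives elsewhere, a pointer to it would help.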
@@ -352,7 +359,7 @@ const char* OpenSSLStreamAdapter::GetRfcSslCipherName( |
} |
#endif |
-bool OpenSSLStreamAdapter::GetSslCipher(std::string* cipher) { |
+bool OpenSSLStreamAdapter::GetSslCipher(SslCipher* cipher) { |
if (state_ != SSL_CONNECTED) |
return false; |
@@ -361,6 +368,8 @@ bool OpenSSLStreamAdapter::GetSslCipher(std::string* cipher) { |
return false; |
} |
+ cipher->ssl_id = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher)); |
+ |
#ifdef OPENSSL_IS_BORINGSSL |
char* cipher_name = SSL_CIPHER_get_rfc_name(current_cipher); |
#else |
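Review bot: `cipher->ssl_id` is written before the name lookup that can still fail, so on the `return false` path the out-parameter is left half-populated (a valid-looking id with whatever `rfc_name` held before). Moving the assignment to after the `cipher_name` null check keeps the "false means untouched" contract the old std::string version had: `cipher->ssl_id = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher));` placed just before `cipher->rfc_name = cipher_name;`. The `static_cast<uint16_t>` also silently drops the upper 16 bits of the id (the 0x0300 TLS prefix for the suites in the table), which looks intentional but deserves a one-line comment. The rest of GetSslCipher lies outside this hunk.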
@@ -370,7 +379,7 @@ bool OpenSSLStreamAdapter::GetSslCipher(std::string* cipher) { |
return false; |
} |
- *cipher = cipher_name; |
+ cipher->rfc_name = cipher_name; |
#ifdef OPENSSL_IS_BORINGSSL |
OPENSSL_free(cipher_name); |
#endif |
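Review bot: `cipher->rfc_name = cipher_name;` is immediately followed by `OPENSSL_free(cipher_name)` on BoringSSL, so this is only safe if `SslCipher::rfc_name` is an owning type (std::string) that copies the bytes; the struct definition is not in this diff, and the brace initialisers above would compile equally well with a `const char*` member, in which case this is a use-after-free. If `rfc_name` is a std::string, a comment such as `// rfc_name copies the string; cipher_name is freed below.` would make the ordering obviously correct; if it is a raw pointer, the assignment needs to copy before the free. GetSslCipher continues outside this hunk.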
@@ -1125,7 +1134,7 @@ bool OpenSSLStreamAdapter::HaveExporter() { |
#endif |
} |
-std::string OpenSSLStreamAdapter::GetDefaultSslCipher( |
+const SslCipher& OpenSSLStreamAdapter::GetDefaultSslCipher( |
SSLProtocolVersion version, |
KeyType key_type) { |
if (key_type == KT_RSA) { |
@@ -1163,7 +1172,8 @@ std::string OpenSSLStreamAdapter::GetDefaultSslCipher( |
#endif |
} |
} else { |
- return std::string(); |
+ RTC_NOTREACHED(); |
+ return kNullSslCipher; |
} |
} |
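Review bot: Returning `kNullSslCipher` after `RTC_NOTREACHED()` means that in a build where that macro compiles to nothing, an unexpected `key_type` yields TLS_NULL_WITH_NULL_NULL as the "default cipher" rather than the empty string the old code returned; a caller that compares the negotiated suite against this value, or feeds it into cipher configuration, now has a concrete null-cipher id/name to match instead of an obviously empty value. I would state the contract at the function so callers check it: `// Returns kNullSslCipher (ssl_id == 0) only for an unsupported key_type; callers must treat that as an error, never as a cipher to negotiate.` The start of GetDefaultSslCipher is outside this hunk.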