Chromium Code Reviews Chromium Code Reviews
Issue 1774583002:
Add IsAcceptableCipher, use instead of GetDefaultCipher. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master| Index: webrtc/base/opensslstreamadapter.cc |
| diff --git a/webrtc/base/opensslstreamadapter.cc b/webrtc/base/opensslstreamadapter.cc |
| index b2afebb75be6c32e0b770349fde2b4d8180e8f66..d31e9f4f015511c1dfa8788b0a65fc950156ab51 100644 |
| --- a/webrtc/base/opensslstreamadapter.cc |
| +++ b/webrtc/base/opensslstreamadapter.cc |
| @@ -147,51 +147,6 @@ static const SslCipherMapEntry kSslCipherMap[] = { |
| #pragma warning(disable : 4310) |
| #endif // defined(_MSC_VER) |
| -// Default cipher used between OpenSSL/BoringSSL stream adapters. |
| -// This needs to be updated when the default of the SSL library changes. |
| -// static_cast<uint16_t> causes build warnings on windows platform. |
| -static int kDefaultSslCipher10 = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA); |
| -static int kDefaultSslEcCipher10 = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); |
| -#ifdef OPENSSL_IS_BORINGSSL |
| -static int kDefaultSslCipher12 = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256); |
| -static int kDefaultSslEcCipher12 = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); |
| -// Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable. |
| - |
| -#ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| -// This ciphersuite was added in boringssl 13414b3a..., changing the fallback |
| -// ciphersuite. For compatibility during a transitional period, support old |
| -// boringssl versions. TODO(torbjorng): Remove this. |
| -static int kDefaultSslCipher12NoAesGcm = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); |
| -#else |
| -static int kDefaultSslCipher12NoAesGcm = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD); |
| -#endif |
| - |
| -#ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
| -// This ciphersuite was added in boringssl 13414b3a..., changing the fallback |
| -// ciphersuite. For compatibility during a transitional period, support old |
| -// boringssl versions. TODO(torbjorng): Remove this. |
| -static int kDefaultSslEcCipher12NoAesGcm = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); |
| -#else |
| -static int kDefaultSslEcCipher12NoAesGcm = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD); |
| -#endif |
| - |
| -#else // !OPENSSL_IS_BORINGSSL |
| -// OpenSSL sorts differently than BoringSSL, so the default cipher doesn't |
| -// change between TLS 1.0 and TLS 1.2 with the current setup. |
| -static int kDefaultSslCipher12 = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA); |
| -static int kDefaultSslEcCipher12 = |
| - static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); |
| -#endif // OPENSSL_IS_BORINGSSL |
| - |
| #if defined(_MSC_VER) |
| #pragma warning(pop) |
| #endif // defined(_MSC_VER) |
| @@ -404,6 +359,28 @@ bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { |
| return true; |
| } |
| +int OpenSSLStreamAdapter::GetSslVersion() const { |
| + if (state_ != SSL_CONNECTED) |
| + return -1; |
| + |
| + int ssl_version = SSL_version(ssl_); |
| + if (ssl_mode_ == SSL_MODE_DTLS) { |
| + if (ssl_version == DTLS1_VERSION) |
| + return SSL_PROTOCOL_DTLS_10; |
| + else if (ssl_version == DTLS1_2_VERSION) |
| + return SSL_PROTOCOL_DTLS_12; |
| + } else { |
| + if (ssl_version == TLS1_VERSION) |
| + return SSL_PROTOCOL_TLS_10; |
| + else if (ssl_version == TLS1_1_VERSION) |
| + return SSL_PROTOCOL_TLS_11; |
| + else if (ssl_version == TLS1_2_VERSION) |
| + return SSL_PROTOCOL_TLS_12; |
| + } |
| + |
| + return -1; |
| +} |
| + |
| // Key Extractor interface |
| bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label, |
| const uint8_t* context, |
| @@ -1147,46 +1124,70 @@ bool OpenSSLStreamAdapter::HaveExporter() { |
| #endif |
| } |
| -int OpenSSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version, |
| - KeyType key_type) { |
| - if (key_type == KT_RSA) { |
| - switch (version) { |
| - case SSL_PROTOCOL_TLS_10: |
| - case SSL_PROTOCOL_TLS_11: |
| - return kDefaultSslCipher10; |
| - case SSL_PROTOCOL_TLS_12: |
| - default: |
| -#ifdef OPENSSL_IS_BORINGSSL |
| - if (EVP_has_aes_hardware()) { |
| - return kDefaultSslCipher12; |
| - } else { |
| - return kDefaultSslCipher12NoAesGcm; |
| - } |
| -#else // !OPENSSL_IS_BORINGSSL |
| - return kDefaultSslCipher12; |
| +#define CDEF(X) \ |
| + { static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X } |
| + |
| +struct cipher_list { |
| + uint16_t cipher; |
| + const char* cipher_str; |
| +}; |
| + |
| +// TODO(torbjorng): Perhaps add more cipher suites to these lists. |
| +static const cipher_list OK_RSA_ciphers[] = { |
| + CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA), |
| + CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA), |
| + CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256), |
| +#ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256 |
| + CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256), |
| #endif |
| - } |
| - } else if (key_type == KT_ECDSA) { |
| - switch (version) { |
| - case SSL_PROTOCOL_TLS_10: |
| - case SSL_PROTOCOL_TLS_11: |
| - return kDefaultSslEcCipher10; |
| - case SSL_PROTOCOL_TLS_12: |
| - default: |
| -#ifdef OPENSSL_IS_BORINGSSL |
| - if (EVP_has_aes_hardware()) { |
| - return kDefaultSslEcCipher12; |
| - } else { |
| - return kDefaultSslEcCipher12NoAesGcm; |
| - } |
| -#else // !OPENSSL_IS_BORINGSSL |
| - return kDefaultSslEcCipher12; |
| + CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), |
| +}; |
| + |
| +static const cipher_list OK_ECDSA_ciphers[] = { |
| + CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), |
| + CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), |
| + CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), |
| +#ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256 |
| + CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256), |
| #endif |
| + CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), |
| +}; |
| + |
|
tommi
2016/03/10 21:37:59
#undef CDEF ?
torbjorng (webrtc)
2016/03/11 07:50:18
Done.
|
| +bool OpenSSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) { |
| + if (key_type == KT_RSA) { |
| + for (const cipher_list& c : OK_RSA_ciphers) { |
| + if (cipher == c.cipher) |
| + return true; |
| + } |
| + } |
| + |
| + if (key_type == KT_ECDSA) { |
| + for (const cipher_list& c : OK_ECDSA_ciphers) { |
| + if (cipher == c.cipher) |
| + return true; |
| } |
| - } else { |
| - RTC_NOTREACHED(); |
| - return kDefaultSslEcCipher12; |
| } |
| + |
| + return false; |
| +} |
| + |
| +bool OpenSSLStreamAdapter::IsAcceptableCipher(std::string cipher, |
| + KeyType key_type) { |
| + if (key_type == KT_RSA) { |
| + for (const cipher_list& c : OK_RSA_ciphers) { |
| + if (cipher == c.cipher_str) |
| + return true; |
| + } |
| + } |
| + |
| + if (key_type == KT_ECDSA) { |
| + for (const cipher_list& c : OK_ECDSA_ciphers) { |
| + if (cipher == c.cipher_str) |
| + return true; |
| + } |
| + } |
| + |
| + return false; |
| } |
| } // namespace rtc |
