| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| (...skipping 20 matching lines...) Expand all Loading... |
| 31 #include "webrtc/base/stream.h" | 31 #include "webrtc/base/stream.h" |
| 32 #include "webrtc/base/openssl.h" | 32 #include "webrtc/base/openssl.h" |
| 33 #include "webrtc/base/openssladapter.h" | 33 #include "webrtc/base/openssladapter.h" |
| 34 #include "webrtc/base/openssldigest.h" | 34 #include "webrtc/base/openssldigest.h" |
| 35 #include "webrtc/base/opensslidentity.h" | 35 #include "webrtc/base/opensslidentity.h" |
| 36 #include "webrtc/base/stringutils.h" | 36 #include "webrtc/base/stringutils.h" |
| 37 #include "webrtc/base/thread.h" | 37 #include "webrtc/base/thread.h" |
| 38 | 38 |
| 39 namespace rtc { | 39 namespace rtc { |
| 40 | 40 |
| 41 #if (OPENSSL_VERSION_NUMBER >= 0x10001000L) | |
| 42 #define HAVE_DTLS_SRTP | |
| 43 #endif | |
| 44 | |
| 45 #ifdef HAVE_DTLS_SRTP | |
| 46 // SRTP cipher suite table. |internal_name| is used to construct a | 41 // SRTP cipher suite table. |internal_name| is used to construct a |
| 47 // colon-separated profile strings which is needed by | 42 // colon-separated profile strings which is needed by |
| 48 // SSL_CTX_set_tlsext_use_srtp(). | 43 // SSL_CTX_set_tlsext_use_srtp(). |
| 49 struct SrtpCipherMapEntry { | 44 struct SrtpCipherMapEntry { |
| 50 const char* internal_name; | 45 const char* internal_name; |
| 51 const int id; | 46 const int id; |
| 52 }; | 47 }; |
| 53 | 48 |
| 54 // This isn't elegant, but it's better than an external reference | 49 // This isn't elegant, but it's better than an external reference |
| 55 static SrtpCipherMapEntry SrtpCipherMap[] = { | 50 static SrtpCipherMapEntry SrtpCipherMap[] = { |
| 56 {"SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80}, | 51 {"SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80}, |
| 57 {"SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32}, | 52 {"SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32}, |
| 58 {nullptr, 0}}; | 53 {nullptr, 0}}; |
| 59 #endif | |
| 60 | |
| 61 #ifndef OPENSSL_IS_BORINGSSL | |
| 62 | |
| 63 // Cipher name table. Maps internal OpenSSL cipher ids to the RFC name. | |
| 64 struct SslCipherMapEntry { | |
| 65 uint32_t openssl_id; | |
| 66 const char* rfc_name; | |
| 67 }; | |
| 68 | |
| 69 #define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name} | |
| 70 #define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name} | |
| 71 | |
| 72 // There currently is no method available to get a RFC-compliant name for a | |
| 73 // cipher suite from BoringSSL, so we need to define the mapping manually here. | |
| 74 // This should go away once BoringSSL supports "SSL_CIPHER_standard_name" | |
| 75 // (as available in OpenSSL if compiled with tracing enabled) or a similar | |
| 76 // method. | |
| 77 static const SslCipherMapEntry kSslCipherMap[] = { | |
| 78 // TLS v1.0 ciphersuites from RFC2246. | |
| 79 DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA), | |
| 80 {SSL3_CK_RSA_DES_192_CBC3_SHA, | |
| 81 "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, | |
| 82 | |
| 83 // AES ciphersuites from RFC3268. | |
| 84 {TLS1_CK_RSA_WITH_AES_128_SHA, | |
| 85 "TLS_RSA_WITH_AES_128_CBC_SHA"}, | |
| 86 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA, | |
| 87 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}, | |
| 88 {TLS1_CK_RSA_WITH_AES_256_SHA, | |
| 89 "TLS_RSA_WITH_AES_256_CBC_SHA"}, | |
| 90 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, | |
| 91 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}, | |
| 92 | |
| 93 // ECC ciphersuites from RFC4492. | |
| 94 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA), | |
| 95 {TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, | |
| 96 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"}, | |
| 97 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), | |
| 98 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), | |
| 99 | |
| 100 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA), | |
| 101 {TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, | |
| 102 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"}, | |
| 103 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA), | |
| 104 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA), | |
| 105 | |
| 106 // TLS v1.2 ciphersuites. | |
| 107 {TLS1_CK_RSA_WITH_AES_128_SHA256, | |
| 108 "TLS_RSA_WITH_AES_128_CBC_SHA256"}, | |
| 109 {TLS1_CK_RSA_WITH_AES_256_SHA256, | |
| 110 "TLS_RSA_WITH_AES_256_CBC_SHA256"}, | |
| 111 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, | |
| 112 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"}, | |
| 113 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, | |
| 114 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}, | |
| 115 | |
| 116 // TLS v1.2 GCM ciphersuites from RFC5288. | |
| 117 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256), | |
| 118 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384), | |
| 119 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256), | |
| 120 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384), | |
| 121 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256), | |
| 122 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384), | |
| 123 | |
| 124 // ECDH HMAC based ciphersuites from RFC5289. | |
| 125 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, | |
| 126 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}, | |
| 127 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, | |
| 128 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"}, | |
| 129 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, | |
| 130 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}, | |
| 131 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, | |
| 132 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}, | |
| 133 | |
| 134 // ECDH GCM based ciphersuites from RFC5289. | |
| 135 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), | |
| 136 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), | |
| 137 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256), | |
| 138 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384), | |
| 139 | |
| 140 {0, NULL} | |
| 141 }; | |
| 142 #endif // #ifndef OPENSSL_IS_BORINGSSL | |
| 143 | 54 |
| 144 #if defined(_MSC_VER) | 55 #if defined(_MSC_VER) |
| 145 #pragma warning(push) | 56 #pragma warning(push) |
| 146 #pragma warning(disable : 4309) | 57 #pragma warning(disable : 4309) |
| 147 #pragma warning(disable : 4310) | 58 #pragma warning(disable : 4310) |
| 148 #endif // defined(_MSC_VER) | 59 #endif // defined(_MSC_VER) |
| 149 | 60 |
| 150 #if defined(_MSC_VER) | 61 #if defined(_MSC_VER) |
| 151 #pragma warning(pop) | 62 #pragma warning(pop) |
| 152 #endif // defined(_MSC_VER) | 63 #endif // defined(_MSC_VER) |
| (...skipping 166 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 319 if (expected_len != digest_len) | 230 if (expected_len != digest_len) |
| 320 return false; | 231 return false; |
| 321 | 232 |
| 322 peer_certificate_digest_value_.SetData(digest_val, digest_len); | 233 peer_certificate_digest_value_.SetData(digest_val, digest_len); |
| 323 peer_certificate_digest_algorithm_ = digest_alg; | 234 peer_certificate_digest_algorithm_ = digest_alg; |
| 324 | 235 |
| 325 return true; | 236 return true; |
| 326 } | 237 } |
| 327 | 238 |
| 328 std::string OpenSSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) { | 239 std::string OpenSSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) { |
| 329 #ifdef OPENSSL_IS_BORINGSSL | |
| 330 const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher_suite); | 240 const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher_suite); |
| 331 if (!ssl_cipher) { | 241 if (!ssl_cipher) { |
| 332 return std::string(); | 242 return std::string(); |
| 333 } | 243 } |
| 334 char* cipher_name = SSL_CIPHER_get_rfc_name(ssl_cipher); | 244 char* cipher_name = SSL_CIPHER_get_rfc_name(ssl_cipher); |
| 335 std::string rfc_name = std::string(cipher_name); | 245 std::string rfc_name = std::string(cipher_name); |
| 336 OPENSSL_free(cipher_name); | 246 OPENSSL_free(cipher_name); |
| 337 return rfc_name; | 247 return rfc_name; |
| 338 #else | |
| 339 for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name; | |
| 340 ++entry) { | |
| 341 if (cipher_suite == static_cast<int>(entry->openssl_id)) { | |
| 342 return entry->rfc_name; | |
| 343 } | |
| 344 } | |
| 345 return std::string(); | |
| 346 #endif | |
| 347 } | 248 } |
| 348 | 249 |
| 349 bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { | 250 bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { |
| 350 if (state_ != SSL_CONNECTED) | 251 if (state_ != SSL_CONNECTED) |
| 351 return false; | 252 return false; |
| 352 | 253 |
| 353 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_); | 254 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_); |
| 354 if (current_cipher == NULL) { | 255 if (current_cipher == NULL) { |
| 355 return false; | 256 return false; |
| 356 } | 257 } |
| (...skipping 24 matching lines...) Expand all Loading... |
| 381 return -1; | 282 return -1; |
| 382 } | 283 } |
| 383 | 284 |
| 384 // Key Extractor interface | 285 // Key Extractor interface |
| 385 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label, | 286 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label, |
| 386 const uint8_t* context, | 287 const uint8_t* context, |
| 387 size_t context_len, | 288 size_t context_len, |
| 388 bool use_context, | 289 bool use_context, |
| 389 uint8_t* result, | 290 uint8_t* result, |
| 390 size_t result_len) { | 291 size_t result_len) { |
| 391 #ifdef HAVE_DTLS_SRTP | |
| 392 int i; | 292 int i; |
| 393 | 293 |
| 394 i = SSL_export_keying_material(ssl_, result, result_len, label.c_str(), | 294 i = SSL_export_keying_material(ssl_, result, result_len, label.c_str(), |
| 395 label.length(), const_cast<uint8_t*>(context), | 295 label.length(), const_cast<uint8_t*>(context), |
| 396 context_len, use_context); | 296 context_len, use_context); |
| 397 | 297 |
| 398 if (i != 1) | 298 if (i != 1) |
| 399 return false; | 299 return false; |
| 400 | 300 |
| 401 return true; | 301 return true; |
| 402 #else | |
| 403 return false; | |
| 404 #endif | |
| 405 } | 302 } |
| 406 | 303 |
| 407 bool OpenSSLStreamAdapter::SetDtlsSrtpCryptoSuites( | 304 bool OpenSSLStreamAdapter::SetDtlsSrtpCryptoSuites( |
| 408 const std::vector<int>& ciphers) { | 305 const std::vector<int>& ciphers) { |
| 409 #ifdef HAVE_DTLS_SRTP | |
| 410 std::string internal_ciphers; | 306 std::string internal_ciphers; |
| 411 | 307 |
| 412 if (state_ != SSL_NONE) | 308 if (state_ != SSL_NONE) |
| 413 return false; | 309 return false; |
| 414 | 310 |
| 415 for (std::vector<int>::const_iterator cipher = ciphers.begin(); | 311 for (std::vector<int>::const_iterator cipher = ciphers.begin(); |
| 416 cipher != ciphers.end(); ++cipher) { | 312 cipher != ciphers.end(); ++cipher) { |
| 417 bool found = false; | 313 bool found = false; |
| 418 for (SrtpCipherMapEntry* entry = SrtpCipherMap; entry->internal_name; | 314 for (SrtpCipherMapEntry* entry = SrtpCipherMap; entry->internal_name; |
| 419 ++entry) { | 315 ++entry) { |
| (...skipping 10 matching lines...) Expand all Loading... |
| 430 LOG(LS_ERROR) << "Could not find cipher: " << *cipher; | 326 LOG(LS_ERROR) << "Could not find cipher: " << *cipher; |
| 431 return false; | 327 return false; |
| 432 } | 328 } |
| 433 } | 329 } |
| 434 | 330 |
| 435 if (internal_ciphers.empty()) | 331 if (internal_ciphers.empty()) |
| 436 return false; | 332 return false; |
| 437 | 333 |
| 438 srtp_ciphers_ = internal_ciphers; | 334 srtp_ciphers_ = internal_ciphers; |
| 439 return true; | 335 return true; |
| 440 #else | |
| 441 return false; | |
| 442 #endif | |
| 443 } | 336 } |
| 444 | 337 |
| 445 bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) { | 338 bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) { |
| 446 #ifdef HAVE_DTLS_SRTP | |
| 447 ASSERT(state_ == SSL_CONNECTED); | 339 ASSERT(state_ == SSL_CONNECTED); |
| 448 if (state_ != SSL_CONNECTED) | 340 if (state_ != SSL_CONNECTED) |
| 449 return false; | 341 return false; |
| 450 | 342 |
| 451 const SRTP_PROTECTION_PROFILE *srtp_profile = | 343 const SRTP_PROTECTION_PROFILE *srtp_profile = |
| 452 SSL_get_selected_srtp_profile(ssl_); | 344 SSL_get_selected_srtp_profile(ssl_); |
| 453 | 345 |
| 454 if (!srtp_profile) | 346 if (!srtp_profile) |
| 455 return false; | 347 return false; |
| 456 | 348 |
| 457 *crypto_suite = srtp_profile->id; | 349 *crypto_suite = srtp_profile->id; |
| 458 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); | 350 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); |
| 459 return true; | 351 return true; |
| 460 #else | |
| 461 return false; | |
| 462 #endif | |
| 463 } | 352 } |
| 464 | 353 |
| 465 int OpenSSLStreamAdapter::StartSSLWithServer(const char* server_name) { | 354 int OpenSSLStreamAdapter::StartSSLWithServer(const char* server_name) { |
| 466 ASSERT(server_name != NULL && server_name[0] != '\0'); | 355 ASSERT(server_name != NULL && server_name[0] != '\0'); |
| 467 ssl_server_name_ = server_name; | 356 ssl_server_name_ = server_name; |
| 468 return StartSSL(); | 357 return StartSSL(); |
| 469 } | 358 } |
| 470 | 359 |
| 471 int OpenSSLStreamAdapter::StartSSLWithPeer() { | 360 int OpenSSLStreamAdapter::StartSSLWithPeer() { |
| 472 ASSERT(ssl_server_name_.empty()); | 361 ASSERT(ssl_server_name_.empty()); |
| (...skipping 292 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 765 | 654 |
| 766 ssl_ = SSL_new(ssl_ctx_); | 655 ssl_ = SSL_new(ssl_ctx_); |
| 767 if (!ssl_) { | 656 if (!ssl_) { |
| 768 BIO_free(bio); | 657 BIO_free(bio); |
| 769 return -1; | 658 return -1; |
| 770 } | 659 } |
| 771 | 660 |
| 772 SSL_set_app_data(ssl_, this); | 661 SSL_set_app_data(ssl_, this); |
| 773 | 662 |
| 774 SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now. | 663 SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now. |
| 775 #ifndef OPENSSL_IS_BORINGSSL | |
| 776 if (ssl_mode_ == SSL_MODE_DTLS) { | |
| 777 // Enable read-ahead for DTLS so whole packets are read from internal BIO | |
| 778 // before parsing. This is done internally by BoringSSL for DTLS. | |
| 779 SSL_set_read_ahead(ssl_, 1); | |
| 780 } | |
| 781 #endif | |
| 782 | 664 |
| 783 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | | 665 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | |
| 784 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | 666 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |
| 785 | 667 |
| 786 // Specify an ECDH group for ECDHE ciphers, otherwise they cannot be | 668 // Specify an ECDH group for ECDHE ciphers, otherwise they cannot be |
| 787 // negotiated when acting as the server. Use NIST's P-256 which is commonly | 669 // negotiated when acting as the server. Use NIST's P-256 which is commonly |
| 788 // supported. | 670 // supported. |
| 789 EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 671 EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
| 790 if (ecdh == NULL) | 672 if (ecdh == NULL) |
| 791 return -1; | 673 return -1; |
| (...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 891 DTLSv1_handle_timeout(ssl_); | 773 DTLSv1_handle_timeout(ssl_); |
| 892 ContinueSSL(); | 774 ContinueSSL(); |
| 893 } else { | 775 } else { |
| 894 StreamInterface::OnMessage(msg); | 776 StreamInterface::OnMessage(msg); |
| 895 } | 777 } |
| 896 } | 778 } |
| 897 | 779 |
| 898 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() { | 780 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() { |
| 899 SSL_CTX *ctx = NULL; | 781 SSL_CTX *ctx = NULL; |
| 900 | 782 |
| 901 #ifdef OPENSSL_IS_BORINGSSL | |
| 902 ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? | 783 ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? |
| 903 DTLS_method() : TLS_method()); | 784 DTLS_method() : TLS_method()); |
| 904 // Version limiting for BoringSSL will be done below. | 785 // Version limiting for BoringSSL will be done below. |
| 905 #else | |
| 906 const SSL_METHOD* method; | |
| 907 switch (ssl_max_version_) { | |
| 908 case SSL_PROTOCOL_TLS_10: | |
| 909 case SSL_PROTOCOL_TLS_11: | |
| 910 // OpenSSL doesn't support setting min/max versions, so we always use | |
| 911 // (D)TLS 1.0 if a max. version below the max. available is requested. | |
| 912 if (ssl_mode_ == SSL_MODE_DTLS) { | |
| 913 if (role_ == SSL_CLIENT) { | |
| 914 method = DTLSv1_client_method(); | |
| 915 } else { | |
| 916 method = DTLSv1_server_method(); | |
| 917 } | |
| 918 } else { | |
| 919 if (role_ == SSL_CLIENT) { | |
| 920 method = TLSv1_client_method(); | |
| 921 } else { | |
| 922 method = TLSv1_server_method(); | |
| 923 } | |
| 924 } | |
| 925 break; | |
| 926 case SSL_PROTOCOL_TLS_12: | |
| 927 default: | |
| 928 if (ssl_mode_ == SSL_MODE_DTLS) { | |
| 929 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) | |
| 930 // DTLS 1.2 only available starting from OpenSSL 1.0.2 | |
| 931 if (role_ == SSL_CLIENT) { | |
| 932 method = DTLS_client_method(); | |
| 933 } else { | |
| 934 method = DTLS_server_method(); | |
| 935 } | |
| 936 #else | |
| 937 if (role_ == SSL_CLIENT) { | |
| 938 method = DTLSv1_client_method(); | |
| 939 } else { | |
| 940 method = DTLSv1_server_method(); | |
| 941 } | |
| 942 #endif | |
| 943 } else { | |
| 944 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) | |
| 945 // New API only available starting from OpenSSL 1.1.0 | |
| 946 if (role_ == SSL_CLIENT) { | |
| 947 method = TLS_client_method(); | |
| 948 } else { | |
| 949 method = TLS_server_method(); | |
| 950 } | |
| 951 #else | |
| 952 if (role_ == SSL_CLIENT) { | |
| 953 method = SSLv23_client_method(); | |
| 954 } else { | |
| 955 method = SSLv23_server_method(); | |
| 956 } | |
| 957 #endif | |
| 958 } | |
| 959 break; | |
| 960 } | |
| 961 ctx = SSL_CTX_new(method); | |
| 962 #endif // OPENSSL_IS_BORINGSSL | |
| 963 | 786 |
| 964 if (ctx == NULL) | 787 if (ctx == NULL) |
| 965 return NULL; | 788 return NULL; |
| 966 | 789 |
| 967 #ifdef OPENSSL_IS_BORINGSSL | |
| 968 SSL_CTX_set_min_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | 790 SSL_CTX_set_min_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
| 969 DTLS1_VERSION : TLS1_VERSION); | 791 DTLS1_VERSION : TLS1_VERSION); |
| 970 switch (ssl_max_version_) { | 792 switch (ssl_max_version_) { |
| 971 case SSL_PROTOCOL_TLS_10: | 793 case SSL_PROTOCOL_TLS_10: |
| 972 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | 794 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
| 973 DTLS1_VERSION : TLS1_VERSION); | 795 DTLS1_VERSION : TLS1_VERSION); |
| 974 break; | 796 break; |
| 975 case SSL_PROTOCOL_TLS_11: | 797 case SSL_PROTOCOL_TLS_11: |
| 976 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | 798 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
| 977 DTLS1_VERSION : TLS1_1_VERSION); | 799 DTLS1_VERSION : TLS1_1_VERSION); |
| 978 break; | 800 break; |
| 979 case SSL_PROTOCOL_TLS_12: | 801 case SSL_PROTOCOL_TLS_12: |
| 980 default: | 802 default: |
| 981 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | 803 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
| 982 DTLS1_2_VERSION : TLS1_2_VERSION); | 804 DTLS1_2_VERSION : TLS1_2_VERSION); |
| 983 break; | 805 break; |
| 984 } | 806 } |
| 985 #endif | |
| 986 | 807 |
| 987 if (identity_ && !identity_->ConfigureIdentity(ctx)) { | 808 if (identity_ && !identity_->ConfigureIdentity(ctx)) { |
| 988 SSL_CTX_free(ctx); | 809 SSL_CTX_free(ctx); |
| 989 return NULL; | 810 return NULL; |
| 990 } | 811 } |
| 991 | 812 |
| 992 #if !defined(NDEBUG) | 813 #if !defined(NDEBUG) |
| 993 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback); | 814 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback); |
| 994 #endif | 815 #endif |
| 995 | 816 |
| 996 int mode = SSL_VERIFY_PEER; | 817 int mode = SSL_VERIFY_PEER; |
| 997 if (client_auth_enabled()) { | 818 if (client_auth_enabled()) { |
| 998 // Require a certificate from the client. | 819 // Require a certificate from the client. |
| 999 // Note: Normally this is always true in production, but it may be disabled | 820 // Note: Normally this is always true in production, but it may be disabled |
| 1000 // for testing purposes (e.g. SSLAdapter unit tests). | 821 // for testing purposes (e.g. SSLAdapter unit tests). |
| 1001 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | 822 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
| 1002 } | 823 } |
| 1003 | 824 |
| 1004 SSL_CTX_set_verify(ctx, mode, SSLVerifyCallback); | 825 SSL_CTX_set_verify(ctx, mode, SSLVerifyCallback); |
| 1005 SSL_CTX_set_verify_depth(ctx, 4); | 826 SSL_CTX_set_verify_depth(ctx, 4); |
| 1006 // Select list of available ciphers. Note that !SHA256 and !SHA384 only | 827 // Select list of available ciphers. Note that !SHA256 and !SHA384 only |
| 1007 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites | 828 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites |
| 1008 // with SHA256 or SHA384 as the handshake hash. | 829 // with SHA256 or SHA384 as the handshake hash. |
| 1009 // This matches the list of SSLClientSocketOpenSSL in Chromium. | 830 // This matches the list of SSLClientSocketOpenSSL in Chromium. |
| 1010 SSL_CTX_set_cipher_list(ctx, | 831 SSL_CTX_set_cipher_list(ctx, |
| 1011 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"); | 832 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"); |
| 1012 | 833 |
| 1013 #ifdef HAVE_DTLS_SRTP | |
| 1014 if (!srtp_ciphers_.empty()) { | 834 if (!srtp_ciphers_.empty()) { |
| 1015 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) { | 835 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) { |
| 1016 SSL_CTX_free(ctx); | 836 SSL_CTX_free(ctx); |
| 1017 return NULL; | 837 return NULL; |
| 1018 } | 838 } |
| 1019 } | 839 } |
| 1020 #endif | |
| 1021 | 840 |
| 1022 return ctx; | 841 return ctx; |
| 1023 } | 842 } |
| 1024 | 843 |
| 1025 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { | 844 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { |
| 1026 // Get our SSL structure from the store | 845 // Get our SSL structure from the store |
| 1027 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data( | 846 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data( |
| 1028 store, | 847 store, |
| 1029 SSL_get_ex_data_X509_STORE_CTX_idx())); | 848 SSL_get_ex_data_X509_STORE_CTX_idx())); |
| 1030 OpenSSLStreamAdapter* stream = | 849 OpenSSLStreamAdapter* stream = |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1102 } | 921 } |
| 1103 | 922 |
| 1104 return ok; | 923 return ok; |
| 1105 } | 924 } |
| 1106 | 925 |
| 1107 bool OpenSSLStreamAdapter::HaveDtls() { | 926 bool OpenSSLStreamAdapter::HaveDtls() { |
| 1108 return true; | 927 return true; |
| 1109 } | 928 } |
| 1110 | 929 |
| 1111 bool OpenSSLStreamAdapter::HaveDtlsSrtp() { | 930 bool OpenSSLStreamAdapter::HaveDtlsSrtp() { |
| 1112 #ifdef HAVE_DTLS_SRTP | |
| 1113 return true; | 931 return true; |
| 1114 #else | |
| 1115 return false; | |
| 1116 #endif | |
| 1117 } | 932 } |
| 1118 | 933 |
| 1119 bool OpenSSLStreamAdapter::HaveExporter() { | 934 bool OpenSSLStreamAdapter::HaveExporter() { |
| 1120 #ifdef HAVE_DTLS_SRTP | |
| 1121 return true; | 935 return true; |
| 1122 #else | |
| 1123 return false; | |
| 1124 #endif | |
| 1125 } | 936 } |
| 1126 | 937 |
| 1127 #define CDEF(X) \ | 938 #define CDEF(X) \ |
| 1128 { static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X } | 939 { static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X } |
| 1129 | 940 |
| 1130 struct cipher_list { | 941 struct cipher_list { |
| 1131 uint16_t cipher; | 942 uint16_t cipher; |
| 1132 const char* cipher_str; | 943 const char* cipher_str; |
| 1133 }; | 944 }; |
| 1134 | 945 |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1187 return true; | 998 return true; |
| 1188 } | 999 } |
| 1189 } | 1000 } |
| 1190 | 1001 |
| 1191 return false; | 1002 return false; |
| 1192 } | 1003 } |
| 1193 | 1004 |
| 1194 } // namespace rtc | 1005 } // namespace rtc |
| 1195 | 1006 |
| 1196 #endif // HAVE_OPENSSL_SSL_H | 1007 #endif // HAVE_OPENSSL_SSL_H |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1808763002:
Remove code interfacing legacy openssl. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master