Relanding: Allow the DTLS fingerprint verification to occur after the handshake.

webrtc/base/opensslstreamadapter.h

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 45 matching lines @@
 
 class OpenSSLStreamAdapter : public SSLStreamAdapter {
  public:
   explicit OpenSSLStreamAdapter(StreamInterface* stream);
   ~OpenSSLStreamAdapter() override;
 
   void SetIdentity(SSLIdentity* identity) override;
 
   // Default argument is for compatibility
   void SetServerRole(SSLRole role = SSL_SERVER) override;
-  bool SetPeerCertificateDigest(const std::string& digest_alg,
-                                const unsigned char* digest_val,
-                                size_t digest_len) override;
+  bool SetPeerCertificateDigest(
+      const std::string& digest_alg,
+      const unsigned char* digest_val,
+      size_t digest_len,
+      SSLPeerCertificateDigestError* error = nullptr) override;
 
   std::unique_ptr<SSLCertificate> GetPeerCertificate() const override;
 
   // Goes from state SSL_NONE to either SSL_CONNECTING or SSL_WAIT, depending
   // on whether the underlying stream is already open or not.
   int StartSSL() override;
   void SetMode(SSLMode mode) override;
   void SetMaxProtocolVersion(SSLProtocolVersion version) override;
 
   StreamResult Read(void* data,
@@ skipping 19 matching lines @@
                             const uint8_t* context,
                             size_t context_len,
                             bool use_context,
                             uint8_t* result,
                             size_t result_len) override;
 
   // DTLS-SRTP interface
   bool SetDtlsSrtpCryptoSuites(const std::vector<int>& crypto_suites) override;
   bool GetDtlsSrtpCryptoSuite(int* crypto_suite) override;
 
+  bool IsTlsConnected() override;
+
   // Capabilities interfaces
   static bool HaveDtls();
   static bool HaveDtlsSrtp();
   static bool HaveExporter();
   static bool IsBoringSsl();
 
   static bool IsAcceptableCipher(int cipher, KeyType key_type);
   static bool IsAcceptableCipher(const std::string& cipher, KeyType key_type);
 
  protected:
@@ skipping 22 matching lines @@
   int BeginSSL();
   // Perform SSL negotiation steps.
   int ContinueSSL();
 
   // Error handler helper. signal is given as true for errors in
   // asynchronous contexts (when an error method was not returned
   // through some other method), and in that case an SE_CLOSE event is
   // raised on the stream with the specified error.
   // A 0 error means a graceful close, otherwise there is not really enough
   // context to interpret the error code.
-  void Error(const char* context, int err, bool signal);
-  void Cleanup();
+  // |alert| indicates an alert description (one of the SSL_AD constants) to
+  // send to the remote endpoint when closing the association. If 0, a normal
+  // shutdown will be performed.
+  void Error(const char* context, int err, uint8_t alert, bool signal);
+  void Cleanup(uint8_t alert);
 
   // Override MessageHandler
   void OnMessage(Message* msg) override;
 
   // Flush the input buffers by reading left bytes (for DTLS)
   void FlushInput(unsigned int left);
 
   // SSL library configuration
   SSL_CTX* SetupSSLContext();
-  // SSL verification check
-  bool SSLPostConnectionCheck(SSL* ssl,
-                              const X509* peer_cert,
-                              const std::string& peer_digest);
+  // Verify the peer certificate matches the signaled digest.
+  bool VerifyPeerCertificate();
   // SSL certification verification error handler, called back from
   // the openssl library. Returns an int interpreted as a boolean in
   // the C style: zero means verification failure, non-zero means
   // passed.
   static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
 
+  bool waiting_to_verify_peer_certificate() const {
+    return client_auth_enabled() && !peer_certificate_verified_;
+  }
+
+  bool has_peer_certificate_digest() const {
+    return !peer_certificate_digest_algorithm_.empty() &&
+           !peer_certificate_digest_value_.empty();
+  }
+
   SSLState state_;
   SSLRole role_;
   int ssl_error_code_;  // valid when state_ == SSL_ERROR or SSL_CLOSED
   // Whether the SSL negotiation is blocked on needing to read or
   // write to the wrapped stream.
   bool ssl_read_needs_write_;
   bool ssl_write_needs_read_;
 
   SSL* ssl_;
   SSL_CTX* ssl_ctx_;
 
   // Our key and certificate.
   std::unique_ptr<OpenSSLIdentity> identity_;
   // The certificate that the peer presented. Initially null, until the
   // connection is established.
   std::unique_ptr<OpenSSLCertificate> peer_certificate_;
+  bool peer_certificate_verified_ = false;
   // The digest of the certificate that the peer must present.
   Buffer peer_certificate_digest_value_;
   std::string peer_certificate_digest_algorithm_;
 
   // The DtlsSrtp ciphers
   std::string srtp_ciphers_;
 
   // Do DTLS or not
   SSLMode ssl_mode_;
 
   // Max. allowed protocol version
   SSLProtocolVersion ssl_max_version_;
 };
 
 /////////////////////////////////////////////////////////////////////////////
 
 }  // namespace rtc
 
 #endif  // WEBRTC_BASE_OPENSSLSTREAMADAPTER_H__