Relanding: Allow the DTLS fingerprint verification to occur after the handshake.

webrtc/base/sslstreamadapter.h

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 88 matching lines @@
 
 enum SSLRole { SSL_CLIENT, SSL_SERVER };
 enum SSLMode { SSL_MODE_TLS, SSL_MODE_DTLS };
 enum SSLProtocolVersion {
   SSL_PROTOCOL_TLS_10,
   SSL_PROTOCOL_TLS_11,
   SSL_PROTOCOL_TLS_12,
   SSL_PROTOCOL_DTLS_10 = SSL_PROTOCOL_TLS_11,
   SSL_PROTOCOL_DTLS_12 = SSL_PROTOCOL_TLS_12,
 };
+enum class SSLPeerCertificateDigestError {
+  NONE,
+  UNKNOWN_ALGORITHM,
+  INVALID_LENGTH,
+  VERIFICATION_FAILED,
+};
 
 // Errors for Read -- in the high range so no conflict with OpenSSL.
 enum { SSE_MSG_TRUNC = 0xff0001 };
 
 // Used to send back UMA histogram value. Logged when Dtls handshake fails.
 enum class SSLHandshakeError { UNKNOWN, INCOMPATIBLE_CIPHERSUITE, MAX_VALUE };
 
 class SSLStreamAdapter : public StreamAdapterInterface {
  public:
   // Instantiate an SSLStreamAdapter wrapping the given stream,
@@ skipping 47 matching lines @@
   // asynchronously. In that case, the exposed stream will open after
   // successful negotiation and verification, or an SE_CLOSE event will be
   // raised if negotiation fails.
   virtual int StartSSL() = 0;
 
   // Specify the digest of the certificate that our peer is expected to use.
   // Only this certificate will be accepted during SSL verification. The
   // certificate is assumed to have been obtained through some other secure
   // channel (such as the signaling channel). This must specify the terminal
   // certificate, not just a CA. SSLStream makes a copy of the digest value.
-  virtual bool SetPeerCertificateDigest(const std::string& digest_alg,
-                                        const unsigned char* digest_val,
-                                        size_t digest_len) = 0;
+  //
+  // Returns true if successful.
+  // |error| is optional and provides more information about the failure.
+  virtual bool SetPeerCertificateDigest(
+      const std::string& digest_alg,
+      const unsigned char* digest_val,
+      size_t digest_len,
+      SSLPeerCertificateDigestError* error = nullptr) = 0;
 
   // Retrieves the peer's X.509 certificate, if a connection has been
   // established. It returns the transmitted over SSL, including the entire
   // chain.
   virtual std::unique_ptr<SSLCertificate> GetPeerCertificate() const = 0;
 
   // Retrieves the IANA registration id of the cipher suite used for the
   // connection (e.g. 0x2F for "TLS_RSA_WITH_AES_128_CBC_SHA").
   virtual bool GetSslCipherSuite(int* cipher_suite);
 
@@ skipping 15 matching lines @@
                                     const uint8_t* context,
                                     size_t context_len,
                                     bool use_context,
                                     uint8_t* result,
                                     size_t result_len);
 
   // DTLS-SRTP interface
   virtual bool SetDtlsSrtpCryptoSuites(const std::vector<int>& crypto_suites);
   virtual bool GetDtlsSrtpCryptoSuite(int* crypto_suite);
 
+  // Returns true if a TLS connection has been established.
+  // The only difference between this and "GetState() == SE_OPEN" is that if
+  // the peer certificate digest hasn't been verified, the state will still be
+  // SS_OPENING but IsTlsConnected should return true.
+  virtual bool IsTlsConnected() = 0;
+
   // Capabilities testing
   static bool HaveDtls();
   static bool HaveDtlsSrtp();
   static bool HaveExporter();
   static bool IsBoringSsl();
 
   // Returns true iff the supplied cipher is deemed to be strong.
   // TODO(torbjorng): Consider removing the KeyType argument.
   static bool IsAcceptableCipher(int cipher, KeyType key_type);
   static bool IsAcceptableCipher(const std::string& cipher, KeyType key_type);
@@ skipping 13 matching lines @@
 
   // If true (default), the client is required to provide a certificate during
   // handshake. If no certificate is given, handshake fails. This applies to
   // server mode only.
   bool client_auth_enabled_;
 };
 
 }  // namespace rtc
 
 #endif  // WEBRTC_BASE_SSLSTREAMADAPTER_H_