Chromium Code Reviews| Index: webrtc/base/opensslstreamadapter.h |
| diff --git a/webrtc/base/opensslstreamadapter.h b/webrtc/base/opensslstreamadapter.h |
| index 05e81021696162b626029bf2a9d723475305665c..0a424e2735727c84735011e9c875f0253cb1f6fe 100644 |
| --- a/webrtc/base/opensslstreamadapter.h |
| +++ b/webrtc/base/opensslstreamadapter.h |
| @@ -107,6 +107,8 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter { |
| bool SetDtlsSrtpCryptoSuites(const std::vector<int>& crypto_suites) override; |
| bool GetDtlsSrtpCryptoSuite(int* crypto_suite) override; |
| + bool IsTlsConnected() override { return state_ == SSL_CONNECTED; } |
| + |
| // Capabilities interfaces |
| static bool HaveDtls(); |
| static bool HaveDtlsSrtp(); |
| @@ -165,15 +167,36 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter { |
| // SSL library configuration |
| SSL_CTX* SetupSSLContext(); |
| // SSL verification check |
| - bool SSLPostConnectionCheck(SSL* ssl, const char* server_name, |
| - const X509* peer_cert, |
| - const std::string& peer_digest); |
| + bool SSLPostConnectionCheck(); |
| + bool VerifyPeerCertificate(); |
| // SSL certification verification error handler, called back from |
| // the openssl library. Returns an int interpreted as a boolean in |
| // the C style: zero means verification failure, non-zero means |
| // passed. |
| static int SSLVerifyCallback(int ok, X509_STORE_CTX* store); |
| + bool waiting_to_verify_client_cert() const { |
|
pthatcher1
2016/07/27 19:32:35
Would this be waiting_to_verify_peer_certificate(
Taylor Brandstetter
2016/08/13 00:09:53
I'll change it to "peer". I prefer "waiting" to "n
|
| + // If |ssl_server_name_| is non-empty we're in client/server mode and don't |
| + // need to verify a peer certificate. |
| + return ssl_server_name_.empty() && client_auth_enabled() && |
| + !peer_certificate_verified_; |
| + } |
|
pthatcher1
2016/07/27 19:32:35
If we're going to keep the ssl_server_name_ stuff,
|
| + |
| + bool have_peer_certificate_digest() const { |
|
pthatcher1
2016/07/27 19:32:35
Should this be has_peer_certificate_digest()?
Taylor Brandstetter
2016/08/13 00:09:53
Sure.
|
| + return !peer_certificate_digest_algorithm_.empty() && |
| + !peer_certificate_digest_value_.empty(); |
| + } |
| + |
| + // These methods tell us whether we're in "traditional" mode (verifying the |
| + // server name using the certificate chain) or "peer-to-peer" mode (verifying |
| + // the digest of a self-signed certificate). |
| + bool verify_certificate_using_server_name() const { |
| + return state_ != SSL_NONE && !ssl_server_name_.empty(); |
|
pthatcher1
2016/07/27 19:32:35
Here in_peer_mode() would be nice as well.
Taylor Brandstetter
2016/08/13 00:09:53
These functions *were* the equivalent of in_peer_m
|
| + } |
| + bool verify_certificate_using_peer_digest() const { |
| + return state_ != SSL_NONE && ssl_server_name_.empty(); |
| + } |
| + |
| SSLState state_; |
| SSLRole role_; |
| int ssl_error_code_; // valid when state_ == SSL_ERROR or SSL_CLOSED |
| @@ -187,12 +210,13 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter { |
| // Our key and certificate, mostly useful in peer-to-peer mode. |
| std::unique_ptr<OpenSSLIdentity> identity_; |
| - // in traditional mode, the server name that the server's certificate |
| + // In traditional mode, the server name that the server's certificate |
| // must specify. Empty in peer-to-peer mode. |
| std::string ssl_server_name_; |
| // The certificate that the peer must present or did present. Initially |
| // null in traditional mode, until the connection is established. |
| std::unique_ptr<OpenSSLCertificate> peer_certificate_; |
| + bool peer_certificate_verified_ = false; |
| // In peer-to-peer mode, the digest of the certificate that |
| // the peer must present. |
| Buffer peer_certificate_digest_value_; |