Chromium Code Reviews Chromium Code Reviews
Issue 2163683003:
Relanding: Allow the DTLS fingerprint verification to occur after the handshake. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master| Index: webrtc/p2p/base/dtlstransportchannel.cc |
| diff --git a/webrtc/p2p/base/dtlstransportchannel.cc b/webrtc/p2p/base/dtlstransportchannel.cc |
| index a6b06361f45bb568508e4839fdef228cdb2414d4..49d08a5f663e41d554367520cea988af892e43bd 100644 |
| --- a/webrtc/p2p/base/dtlstransportchannel.cc |
| +++ b/webrtc/p2p/base/dtlstransportchannel.cc |
| @@ -179,7 +179,7 @@ bool DtlsTransportChannelWrapper::SetSslMaxProtocolVersion( |
| } |
| bool DtlsTransportChannelWrapper::SetSslRole(rtc::SSLRole role) { |
| - if (dtls_state() == DTLS_TRANSPORT_CONNECTED) { |
| + if (dtls_) { |
| if (ssl_role_ != role) { |
| LOG(LS_ERROR) << "SSL Role can't be reversed after the session is setup."; |
| return false; |
| @@ -235,10 +235,12 @@ bool DtlsTransportChannelWrapper::SetRemoteFingerprint( |
| } |
| // At this point we know we are doing DTLS |
| + bool fingerprint_changing = remote_fingerprint_value_.size() > 0u; |
| remote_fingerprint_value_ = std::move(remote_fingerprint_value); |
| remote_fingerprint_algorithm_ = digest_alg; |
| - if (dtls_) { |
| + // If the fingerprint is changing, start a completely new DTLS association. |
| + if (dtls_ && fingerprint_changing) { |
| // If the fingerprint is changing, we'll tear down the DTLS association and |
| // create a new one, resetting our state. |
| dtls_.reset(nullptr); |
| @@ -246,9 +248,23 @@ bool DtlsTransportChannelWrapper::SetRemoteFingerprint( |
| set_writable(false); |
| } |
| - if (!SetupDtls()) { |
| - set_dtls_state(DTLS_TRANSPORT_FAILED); |
| - return false; |
| + if (dtls_) { |
| + // This can occur if DTLS is set up before a remote fingerprint is |
| + // received. For instance, if we set up DTLS due to receiving an early |
| + // ClientHello. |
| + if (!dtls_->SetPeerCertificateDigest( |
| + remote_fingerprint_algorithm_, |
| + reinterpret_cast<unsigned char*>(remote_fingerprint_value_.data()), |
| + remote_fingerprint_value_.size())) { |
| + LOG_J(LS_ERROR, this) << "Couldn't set DTLS certificate digest."; |
| + set_dtls_state(DTLS_TRANSPORT_FAILED); |
| + return false; |
| + } |
| + } else { |
| + if (!SetupDtls()) { |
| + set_dtls_state(DTLS_TRANSPORT_FAILED); |
| + return false; |
| + } |
| } |
|
pthatcher1
2016/07/27 19:32:35
Would this be more clear as this flow?
if (dtls_
Taylor Brandstetter
2016/08/13 00:09:53
Done.
|
| return true; |
| @@ -280,7 +296,8 @@ bool DtlsTransportChannelWrapper::SetupDtls() { |
| dtls_->SetMaxProtocolVersion(ssl_max_version_); |
| dtls_->SetServerRole(ssl_role_); |
| dtls_->SignalEvent.connect(this, &DtlsTransportChannelWrapper::OnDtlsEvent); |
| - if (!dtls_->SetPeerCertificateDigest( |
| + if (remote_fingerprint_value_.size() && |
| + !dtls_->SetPeerCertificateDigest( |
| remote_fingerprint_algorithm_, |
| reinterpret_cast<unsigned char*>(remote_fingerprint_value_.data()), |
| remote_fingerprint_value_.size())) { |
| @@ -399,6 +416,10 @@ int DtlsTransportChannelWrapper::SendPacket( |
| } |
| } |
| +bool DtlsTransportChannelWrapper::IsDtlsConnected() { |
| + return dtls_ && dtls_->IsTlsConnected(); |
| +} |
| + |
| // The state transition logic here is as follows: |
| // (1) If we're not doing DTLS-SRTP, then the state is just the |
| // state of the underlying impl() |
| @@ -479,6 +500,14 @@ void DtlsTransportChannelWrapper::OnReadPacket( |
| LOG_J(LS_INFO, this) << "Caching DTLS ClientHello packet until DTLS is " |
| << "started."; |
| cached_client_hello_.SetData(data, size); |
| + // If we haven't started setting up DTLS yet (because we don't have a |
| + // remote fingerprint/role), we can use the client hello as a clue that |
| + // the peer has chosen the client role, and proceed with the handshake. |
| + // The fingerprint will be verified when it's set. |
| + if (!dtls_ && local_certificate_) { |
| + SetSslRole(rtc::SSL_SERVER); |
| + SetupDtls(); |
| + } |
| } else { |
| LOG_J(LS_INFO, this) << "Not a DTLS ClientHello packet; dropping."; |
| } |
