  Remove StartSSLWithServer from SSLStreamAdapter.  (Closed) 
  Base URL: https://chromium.googlesource.com/external/webrtc.git@master
    
  
  Base URL: https://chromium.googlesource.com/external/webrtc.git@master| OLD | NEW | 
|---|---|
| 1 /* | 1 /* | 
| 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 
| 3 * | 3 * | 
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license | 
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source | 
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found | 
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may | 
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. | 
| 9 */ | 9 */ | 
| 10 | 10 | 
| 308 : nullptr; | 308 : nullptr; | 
| 309 } | 309 } | 
| 310 | 310 | 
| 311 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string | 311 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string | 
| 312 &digest_alg, | 312 &digest_alg, | 
| 313 const unsigned char* | 313 const unsigned char* | 
| 314 digest_val, | 314 digest_val, | 
| 315 size_t digest_len) { | 315 size_t digest_len) { | 
| 316 ASSERT(!peer_certificate_); | 316 ASSERT(!peer_certificate_); | 
| 317 ASSERT(peer_certificate_digest_algorithm_.size() == 0); | 317 ASSERT(peer_certificate_digest_algorithm_.size() == 0); | 
| 318 ASSERT(ssl_server_name_.empty()); | |
| 319 size_t expected_len; | 318 size_t expected_len; | 
| 320 | 319 | 
| 321 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) { | 320 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) { | 
| 322 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg; | 321 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg; | 
| 323 return false; | 322 return false; | 
| 324 } | 323 } | 
| 325 if (expected_len != digest_len) | 324 if (expected_len != digest_len) | 
| 326 return false; | 325 return false; | 
| 327 | 326 | 
| 328 peer_certificate_digest_value_.SetData(digest_val, digest_len); | 327 peer_certificate_digest_value_.SetData(digest_val, digest_len); | 
| 461 return false; | 460 return false; | 
| 462 | 461 | 
| 463 *crypto_suite = srtp_profile->id; | 462 *crypto_suite = srtp_profile->id; | 
| 464 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); | 463 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); | 
| 465 return true; | 464 return true; | 
| 466 #else | 465 #else | 
| 467 return false; | 466 return false; | 
| 468 #endif | 467 #endif | 
| 469 } | 468 } | 
| 470 | 469 | 
| 471 int OpenSSLStreamAdapter::StartSSLWithServer(const char* server_name) { | 470 int OpenSSLStreamAdapter::StartSSL() { | 
| 472 ASSERT(server_name != NULL && server_name[0] != '\0'); | 471 ASSERT(state_ == SSL_NONE); | 
| 473 ssl_server_name_ = server_name; | |
| 474 return StartSSL(); | |
| 475 } | |
| 476 | 472 | 
| 477 int OpenSSLStreamAdapter::StartSSLWithPeer() { | 473 if (StreamAdapterInterface::GetState() != SS_OPEN) { | 
| 478 ASSERT(ssl_server_name_.empty()); | 474 state_ = SSL_WAIT; | 
| 479 // It is permitted to specify peer_certificate_ only later. | 475 return 0; | 
| 480 return StartSSL(); | 476 } | 
| 477 | |
| 478 state_ = SSL_CONNECTING; | |
| 479 if (int err = BeginSSL()) { | |
| 480 Error("BeginSSL", err, false); | |
| 481 return err; | |
| 482 } | |
| 483 | |
| 484 return 0; | |
| 481 } | 485 } | 
| 482 | 486 | 
| 483 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { | 487 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { | 
| 484 ASSERT(state_ == SSL_NONE); | 488 ASSERT(state_ == SSL_NONE); | 
| 485 ssl_mode_ = mode; | 489 ssl_mode_ = mode; | 
| 486 } | 490 } | 
| 487 | 491 | 
| 488 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { | 492 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { | 
| 489 ASSERT(ssl_ctx_ == NULL); | 493 ASSERT(ssl_ctx_ == NULL); | 
| 490 ssl_max_version_ = version; | 494 ssl_max_version_ = version; | 
| 723 Cleanup(); | 727 Cleanup(); | 
| 724 events_to_signal |= SE_CLOSE; | 728 events_to_signal |= SE_CLOSE; | 
| 725 // SE_CLOSE is the only event that uses the final parameter to OnEvent(). | 729 // SE_CLOSE is the only event that uses the final parameter to OnEvent(). | 
| 726 ASSERT(signal_error == 0); | 730 ASSERT(signal_error == 0); | 
| 727 signal_error = err; | 731 signal_error = err; | 
| 728 } | 732 } | 
| 729 if (events_to_signal) | 733 if (events_to_signal) | 
| 730 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); | 734 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); | 
| 731 } | 735 } | 
| 732 | 736 | 
| 733 int OpenSSLStreamAdapter::StartSSL() { | |
| 734 ASSERT(state_ == SSL_NONE); | |
| 735 | |
| 736 if (StreamAdapterInterface::GetState() != SS_OPEN) { | |
| 737 state_ = SSL_WAIT; | |
| 738 return 0; | |
| 739 } | |
| 740 | |
| 741 state_ = SSL_CONNECTING; | |
| 742 if (int err = BeginSSL()) { | |
| 743 Error("BeginSSL", err, false); | |
| 744 return err; | |
| 745 } | |
| 746 | |
| 747 return 0; | |
| 748 } | |
| 749 | |
| 750 int OpenSSLStreamAdapter::BeginSSL() { | 737 int OpenSSLStreamAdapter::BeginSSL() { | 
| 751 ASSERT(state_ == SSL_CONNECTING); | 738 ASSERT(state_ == SSL_CONNECTING); | 
| 752 // The underlying stream has open. If we are in peer-to-peer mode | 739 // The underlying stream has opened. | 
| 753 // then a peer certificate must have been specified by now. | 740 // A peer certificate digest must have been specified by now. | 
| 754 ASSERT(!ssl_server_name_.empty() || | 741 ASSERT(!peer_certificate_digest_algorithm_.empty()); | 
| 755 !peer_certificate_digest_algorithm_.empty()); | 742 LOG(LS_INFO) << "BeginSSL with peer."; | 
| 756 LOG(LS_INFO) << "BeginSSL: " | |
| 757 << (!ssl_server_name_.empty() ? ssl_server_name_ : | |
| 758 "with peer"); | |
| 759 | 743 | 
| 760 BIO* bio = NULL; | 744 BIO* bio = NULL; | 
| 761 | 745 | 
| 762 // First set up the context | 746 // First set up the context. | 
| 763 ASSERT(ssl_ctx_ == NULL); | 747 ASSERT(ssl_ctx_ == NULL); | 
| 764 ssl_ctx_ = SetupSSLContext(); | 748 ssl_ctx_ = SetupSSLContext(); | 
| 765 if (!ssl_ctx_) | 749 if (!ssl_ctx_) | 
| 766 return -1; | 750 return -1; | 
| 767 | 751 | 
| 768 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); | 752 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); | 
| 769 if (!bio) | 753 if (!bio) | 
| 770 return -1; | 754 return -1; | 
| 771 | 755 | 
| 772 ssl_ = SSL_new(ssl_ctx_); | 756 ssl_ = SSL_new(ssl_ctx_); | 
| 818 | 802 | 
| 819 // Clear the DTLS timer | 803 // Clear the DTLS timer | 
| 820 Thread::Current()->Clear(this, MSG_TIMEOUT); | 804 Thread::Current()->Clear(this, MSG_TIMEOUT); | 
| 821 | 805 | 
| 822 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_); | 806 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_); | 
| 823 int ssl_error; | 807 int ssl_error; | 
| 824 switch (ssl_error = SSL_get_error(ssl_, code)) { | 808 switch (ssl_error = SSL_get_error(ssl_, code)) { | 
| 825 case SSL_ERROR_NONE: | 809 case SSL_ERROR_NONE: | 
| 826 LOG(LS_VERBOSE) << " -- success"; | 810 LOG(LS_VERBOSE) << " -- success"; | 
| 827 | 811 | 
| 828 if (!SSLPostConnectionCheck(ssl_, ssl_server_name_.c_str(), NULL, | 812 if (!SSLPostConnectionCheck(ssl_, NULL, | 
| 829 peer_certificate_digest_algorithm_)) { | 813 peer_certificate_digest_algorithm_)) { | 
| 830 LOG(LS_ERROR) << "TLS post connection check failed"; | 814 LOG(LS_ERROR) << "TLS post connection check failed"; | 
| 831 return -1; | 815 return -1; | 
| 832 } | 816 } | 
| 833 | 817 | 
| 834 state_ = SSL_CONNECTED; | 818 state_ = SSL_CONNECTED; | 
| 835 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0); | 819 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0); | 
| 836 break; | 820 break; | 
| 837 | 821 | 
| 838 case SSL_ERROR_WANT_READ: { | 822 case SSL_ERROR_WANT_READ: { | 
| 1085 // Ignore any verification error if the digest matches, since there is no | 1069 // Ignore any verification error if the digest matches, since there is no | 
| 1086 // value in checking the validity of a self-signed cert issued by untrusted | 1070 // value in checking the validity of a self-signed cert issued by untrusted | 
| 1087 // sources. | 1071 // sources. | 
| 1088 LOG(LS_INFO) << "Accepted peer certificate."; | 1072 LOG(LS_INFO) << "Accepted peer certificate."; | 
| 1089 | 1073 | 
| 1090 // Record the peer's certificate. | 1074 // Record the peer's certificate. | 
| 1091 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); | 1075 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); | 
| 1092 return 1; | 1076 return 1; | 
| 1093 } | 1077 } | 
| 1094 | 1078 | 
| 1095 // This code is taken from the "Network Security with OpenSSL" | |
| 1096 // sample in chapter 5 | |
| 1097 bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl, | 1079 bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl, | 
| 1098 const char* server_name, | |
| 1099 const X509* peer_cert, | 1080 const X509* peer_cert, | 
| 1100 const std::string | 1081 const std::string | 
| 1101 &peer_digest) { | 1082 &peer_digest) { | 
| 1102 ASSERT(server_name != NULL); | 1083 ASSERT((peer_cert != NULL) || (!peer_digest.empty())); | 
| 1103 bool ok; | 1084 return true; | 
| 
Taylor Brandstetter
2016/08/02 20:27:45
I'll modify the logic in this method in the other
 | |
| 1104 if (server_name[0] != '\0') { // traditional mode | |
| 1105 ok = OpenSSLAdapter::VerifyServerName(ssl, server_name, ignore_bad_cert()); | |
| 1106 | |
| 1107 if (ok) { | |
| 1108 ok = (SSL_get_verify_result(ssl) == X509_V_OK || | |
| 1109 custom_verification_succeeded_); | |
| 1110 } | |
| 1111 } else { // peer-to-peer mode | |
| 1112 ASSERT((peer_cert != NULL) || (!peer_digest.empty())); | |
| 1113 // no server name validation | |
| 1114 ok = true; | |
| 1115 } | |
| 1116 | |
| 1117 if (!ok && ignore_bad_cert()) { | |
| 1118 LOG(LS_ERROR) << "SSL_get_verify_result(ssl) = " | |
| 1119 << SSL_get_verify_result(ssl); | |
| 1120 LOG(LS_INFO) << "Other TLS post connection checks failed."; | |
| 1121 ok = true; | |
| 1122 } | |
| 1123 | |
| 1124 return ok; | |
| 1125 } | 1085 } | 
| 1126 | 1086 | 
| 1127 bool OpenSSLStreamAdapter::HaveDtls() { | 1087 bool OpenSSLStreamAdapter::HaveDtls() { | 
| 1128 return true; | 1088 return true; | 
| 1129 } | 1089 } | 
| 1130 | 1090 | 
| 1131 bool OpenSSLStreamAdapter::HaveDtlsSrtp() { | 1091 bool OpenSSLStreamAdapter::HaveDtlsSrtp() { | 
| 1132 #ifdef HAVE_DTLS_SRTP | 1092 #ifdef HAVE_DTLS_SRTP | 
| 1133 return true; | 1093 return true; | 
| 1134 #else | 1094 #else | 
| 1219 return true; | 1179 return true; | 
| 1220 } | 1180 } | 
| 1221 } | 1181 } | 
| 1222 | 1182 | 
| 1223 return false; | 1183 return false; | 
| 1224 } | 1184 } | 
| 1225 | 1185 | 
| 1226 } // namespace rtc | 1186 } // namespace rtc | 
| 1227 | 1187 | 
| 1228 #endif // HAVE_OPENSSL_SSL_H | 1188 #endif // HAVE_OPENSSL_SSL_H | 
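Review bot: SSLPostConnectionCheck on new lines 1079-1085 no longer performs a runtime check: the only caller (new line 812) passes `NULL` for `peer_cert`, so the ASSERT collapses to `!peer_digest.empty()`, which BeginSSL already asserts on new line 741, and if ASSERT compiles out in release builds the function unconditionally returns true with `ssl` unused. Peer authentication then appears to rest entirely on the digest comparison in the verify callback, whose tail is visible at new lines 1069-1076; that should be made explicit at the function, e.g. `// No post-handshake verification happens here; the peer certificate is authenticated against the configured digest in the verify callback.`, and the unused `ssl` parameter either dropped or marked to avoid unused-parameter warnings. On new line 812 the modified call spells `NULL` where the file already uses `nullptr` (line 308): `if (!SSLPostConnectionCheck(ssl_, nullptr,`. The enclosing function of line 812 starts and ends outside the visible stretch.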