| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| (...skipping 266 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 277 ///////////////////////////////////////////////////////////////////////////// | 277 ///////////////////////////////////////////////////////////////////////////// |
| 278 | 278 |
| 279 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream) | 279 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream) |
| 280 : SSLStreamAdapter(stream), | 280 : SSLStreamAdapter(stream), |
| 281 state_(SSL_NONE), | 281 state_(SSL_NONE), |
| 282 role_(SSL_CLIENT), | 282 role_(SSL_CLIENT), |
| 283 ssl_read_needs_write_(false), | 283 ssl_read_needs_write_(false), |
| 284 ssl_write_needs_read_(false), | 284 ssl_write_needs_read_(false), |
| 285 ssl_(NULL), | 285 ssl_(NULL), |
| 286 ssl_ctx_(NULL), | 286 ssl_ctx_(NULL), |
| 287 custom_verification_succeeded_(false), | |
| 288 ssl_mode_(SSL_MODE_TLS), | 287 ssl_mode_(SSL_MODE_TLS), |
| 289 ssl_max_version_(SSL_PROTOCOL_TLS_12) {} | 288 ssl_max_version_(SSL_PROTOCOL_TLS_12) {} |
| 290 | 289 |
| 291 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() { | 290 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() { |
| 292 Cleanup(); | 291 Cleanup(); |
| 293 } | 292 } |
| 294 | 293 |
| 295 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) { | 294 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) { |
| 296 ASSERT(!identity_); | 295 ASSERT(!identity_); |
| 297 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); | 296 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 308 : nullptr; | 307 : nullptr; |
| 309 } | 308 } |
| 310 | 309 |
| 311 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string | 310 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string |
| 312 &digest_alg, | 311 &digest_alg, |
| 313 const unsigned char* | 312 const unsigned char* |
| 314 digest_val, | 313 digest_val, |
| 315 size_t digest_len) { | 314 size_t digest_len) { |
| 316 ASSERT(!peer_certificate_); | 315 ASSERT(!peer_certificate_); |
| 317 ASSERT(peer_certificate_digest_algorithm_.size() == 0); | 316 ASSERT(peer_certificate_digest_algorithm_.size() == 0); |
| 318 ASSERT(ssl_server_name_.empty()); | |
| 319 size_t expected_len; | 317 size_t expected_len; |
| 320 | 318 |
| 321 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) { | 319 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) { |
| 322 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg; | 320 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg; |
| 323 return false; | 321 return false; |
| 324 } | 322 } |
| 325 if (expected_len != digest_len) | 323 if (expected_len != digest_len) |
| 326 return false; | 324 return false; |
| 327 | 325 |
| 328 peer_certificate_digest_value_.SetData(digest_val, digest_len); | 326 peer_certificate_digest_value_.SetData(digest_val, digest_len); |
| (...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 461 return false; | 459 return false; |
| 462 | 460 |
| 463 *crypto_suite = srtp_profile->id; | 461 *crypto_suite = srtp_profile->id; |
| 464 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); | 462 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); |
| 465 return true; | 463 return true; |
| 466 #else | 464 #else |
| 467 return false; | 465 return false; |
| 468 #endif | 466 #endif |
| 469 } | 467 } |
| 470 | 468 |
| 471 int OpenSSLStreamAdapter::StartSSLWithServer(const char* server_name) { | 469 int OpenSSLStreamAdapter::StartSSL() { |
| 472 ASSERT(server_name != NULL && server_name[0] != '\0'); | 470 ASSERT(state_ == SSL_NONE); |
| 473 ssl_server_name_ = server_name; | |
| 474 return StartSSL(); | |
| 475 } | |
| 476 | 471 |
| 477 int OpenSSLStreamAdapter::StartSSLWithPeer() { | 472 if (StreamAdapterInterface::GetState() != SS_OPEN) { |
| 478 ASSERT(ssl_server_name_.empty()); | 473 state_ = SSL_WAIT; |
| 479 // It is permitted to specify peer_certificate_ only later. | 474 return 0; |
| 480 return StartSSL(); | 475 } |
| 476 |
| 477 state_ = SSL_CONNECTING; |
| 478 if (int err = BeginSSL()) { |
| 479 Error("BeginSSL", err, false); |
| 480 return err; |
| 481 } |
| 482 |
| 483 return 0; |
| 481 } | 484 } |
| 482 | 485 |
| 483 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { | 486 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { |
| 484 ASSERT(state_ == SSL_NONE); | 487 ASSERT(state_ == SSL_NONE); |
| 485 ssl_mode_ = mode; | 488 ssl_mode_ = mode; |
| 486 } | 489 } |
| 487 | 490 |
| 488 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { | 491 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { |
| 489 ASSERT(ssl_ctx_ == NULL); | 492 ASSERT(ssl_ctx_ == NULL); |
| 490 ssl_max_version_ = version; | 493 ssl_max_version_ = version; |
| (...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 723 Cleanup(); | 726 Cleanup(); |
| 724 events_to_signal |= SE_CLOSE; | 727 events_to_signal |= SE_CLOSE; |
| 725 // SE_CLOSE is the only event that uses the final parameter to OnEvent(). | 728 // SE_CLOSE is the only event that uses the final parameter to OnEvent(). |
| 726 ASSERT(signal_error == 0); | 729 ASSERT(signal_error == 0); |
| 727 signal_error = err; | 730 signal_error = err; |
| 728 } | 731 } |
| 729 if (events_to_signal) | 732 if (events_to_signal) |
| 730 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); | 733 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); |
| 731 } | 734 } |
| 732 | 735 |
| 733 int OpenSSLStreamAdapter::StartSSL() { | |
| 734 ASSERT(state_ == SSL_NONE); | |
| 735 | |
| 736 if (StreamAdapterInterface::GetState() != SS_OPEN) { | |
| 737 state_ = SSL_WAIT; | |
| 738 return 0; | |
| 739 } | |
| 740 | |
| 741 state_ = SSL_CONNECTING; | |
| 742 if (int err = BeginSSL()) { | |
| 743 Error("BeginSSL", err, false); | |
| 744 return err; | |
| 745 } | |
| 746 | |
| 747 return 0; | |
| 748 } | |
| 749 | |
| 750 int OpenSSLStreamAdapter::BeginSSL() { | 736 int OpenSSLStreamAdapter::BeginSSL() { |
| 751 ASSERT(state_ == SSL_CONNECTING); | 737 ASSERT(state_ == SSL_CONNECTING); |
| 752 // The underlying stream has open. If we are in peer-to-peer mode | 738 // The underlying stream has opened. |
| 753 // then a peer certificate must have been specified by now. | 739 // A peer certificate digest must have been specified by now. |
| 754 ASSERT(!ssl_server_name_.empty() || | 740 ASSERT(!peer_certificate_digest_algorithm_.empty()); |
| 755 !peer_certificate_digest_algorithm_.empty()); | 741 LOG(LS_INFO) << "BeginSSL with peer."; |
| 756 LOG(LS_INFO) << "BeginSSL: " | |
| 757 << (!ssl_server_name_.empty() ? ssl_server_name_ : | |
| 758 "with peer"); | |
| 759 | 742 |
| 760 BIO* bio = NULL; | 743 BIO* bio = NULL; |
| 761 | 744 |
| 762 // First set up the context | 745 // First set up the context. |
| 763 ASSERT(ssl_ctx_ == NULL); | 746 ASSERT(ssl_ctx_ == NULL); |
| 764 ssl_ctx_ = SetupSSLContext(); | 747 ssl_ctx_ = SetupSSLContext(); |
| 765 if (!ssl_ctx_) | 748 if (!ssl_ctx_) |
| 766 return -1; | 749 return -1; |
| 767 | 750 |
| 768 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); | 751 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); |
| 769 if (!bio) | 752 if (!bio) |
| 770 return -1; | 753 return -1; |
| 771 | 754 |
| 772 ssl_ = SSL_new(ssl_ctx_); | 755 ssl_ = SSL_new(ssl_ctx_); |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 818 | 801 |
| 819 // Clear the DTLS timer | 802 // Clear the DTLS timer |
| 820 Thread::Current()->Clear(this, MSG_TIMEOUT); | 803 Thread::Current()->Clear(this, MSG_TIMEOUT); |
| 821 | 804 |
| 822 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_); | 805 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_); |
| 823 int ssl_error; | 806 int ssl_error; |
| 824 switch (ssl_error = SSL_get_error(ssl_, code)) { | 807 switch (ssl_error = SSL_get_error(ssl_, code)) { |
| 825 case SSL_ERROR_NONE: | 808 case SSL_ERROR_NONE: |
| 826 LOG(LS_VERBOSE) << " -- success"; | 809 LOG(LS_VERBOSE) << " -- success"; |
| 827 | 810 |
| 828 if (!SSLPostConnectionCheck(ssl_, ssl_server_name_.c_str(), NULL, | 811 if (!SSLPostConnectionCheck(ssl_, NULL, |
| 829 peer_certificate_digest_algorithm_)) { | 812 peer_certificate_digest_algorithm_)) { |
| 830 LOG(LS_ERROR) << "TLS post connection check failed"; | 813 LOG(LS_ERROR) << "TLS post connection check failed"; |
| 831 return -1; | 814 return -1; |
| 832 } | 815 } |
| 833 | 816 |
| 834 state_ = SSL_CONNECTED; | 817 state_ = SSL_CONNECTED; |
| 835 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0); | 818 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0); |
| 836 break; | 819 break; |
| 837 | 820 |
| 838 case SSL_ERROR_WANT_READ: { | 821 case SSL_ERROR_WANT_READ: { |
| (...skipping 246 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1085 // Ignore any verification error if the digest matches, since there is no | 1068 // Ignore any verification error if the digest matches, since there is no |
| 1086 // value in checking the validity of a self-signed cert issued by untrusted | 1069 // value in checking the validity of a self-signed cert issued by untrusted |
| 1087 // sources. | 1070 // sources. |
| 1088 LOG(LS_INFO) << "Accepted peer certificate."; | 1071 LOG(LS_INFO) << "Accepted peer certificate."; |
| 1089 | 1072 |
| 1090 // Record the peer's certificate. | 1073 // Record the peer's certificate. |
| 1091 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); | 1074 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |
| 1092 return 1; | 1075 return 1; |
| 1093 } | 1076 } |
| 1094 | 1077 |
| 1095 // This code is taken from the "Network Security with OpenSSL" | |
| 1096 // sample in chapter 5 | |
| 1097 bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl, | 1078 bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl, |
| 1098 const char* server_name, | |
| 1099 const X509* peer_cert, | 1079 const X509* peer_cert, |
| 1100 const std::string | 1080 const std::string |
| 1101 &peer_digest) { | 1081 &peer_digest) { |
| 1102 ASSERT(server_name != NULL); | 1082 ASSERT((peer_cert != NULL) || (!peer_digest.empty())); |
| 1103 bool ok; | 1083 return true; |
| 1104 if (server_name[0] != '\0') { // traditional mode | |
| 1105 ok = OpenSSLAdapter::VerifyServerName(ssl, server_name, ignore_bad_cert()); | |
| 1106 | |
| 1107 if (ok) { | |
| 1108 ok = (SSL_get_verify_result(ssl) == X509_V_OK || | |
| 1109 custom_verification_succeeded_); | |
| 1110 } | |
| 1111 } else { // peer-to-peer mode | |
| 1112 ASSERT((peer_cert != NULL) || (!peer_digest.empty())); | |
| 1113 // no server name validation | |
| 1114 ok = true; | |
| 1115 } | |
| 1116 | |
| 1117 if (!ok && ignore_bad_cert()) { | |
| 1118 LOG(LS_ERROR) << "SSL_get_verify_result(ssl) = " | |
| 1119 << SSL_get_verify_result(ssl); | |
| 1120 LOG(LS_INFO) << "Other TLS post connection checks failed."; | |
| 1121 ok = true; | |
| 1122 } | |
| 1123 | |
| 1124 return ok; | |
| 1125 } | 1084 } |
| 1126 | 1085 |
| 1127 bool OpenSSLStreamAdapter::HaveDtls() { | 1086 bool OpenSSLStreamAdapter::HaveDtls() { |
| 1128 return true; | 1087 return true; |
| 1129 } | 1088 } |
| 1130 | 1089 |
| 1131 bool OpenSSLStreamAdapter::HaveDtlsSrtp() { | 1090 bool OpenSSLStreamAdapter::HaveDtlsSrtp() { |
| 1132 #ifdef HAVE_DTLS_SRTP | 1091 #ifdef HAVE_DTLS_SRTP |
| 1133 return true; | 1092 return true; |
| 1134 #else | 1093 #else |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1219 return true; | 1178 return true; |
| 1220 } | 1179 } |
| 1221 } | 1180 } |
| 1222 | 1181 |
| 1223 return false; | 1182 return false; |
| 1224 } | 1183 } |
| 1225 | 1184 |
| 1226 } // namespace rtc | 1185 } // namespace rtc |
| 1227 | 1186 |
| 1228 #endif // HAVE_OPENSSL_SSL_H | 1187 #endif // HAVE_OPENSSL_SSL_H |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2204883004:
Remove StartSSLWithServer from SSLStreamAdapter. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master