OLD | NEW |
1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
(...skipping 266 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
277 ///////////////////////////////////////////////////////////////////////////// | 277 ///////////////////////////////////////////////////////////////////////////// |
278 | 278 |
279 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream) | 279 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream) |
280 : SSLStreamAdapter(stream), | 280 : SSLStreamAdapter(stream), |
281 state_(SSL_NONE), | 281 state_(SSL_NONE), |
282 role_(SSL_CLIENT), | 282 role_(SSL_CLIENT), |
283 ssl_read_needs_write_(false), | 283 ssl_read_needs_write_(false), |
284 ssl_write_needs_read_(false), | 284 ssl_write_needs_read_(false), |
285 ssl_(NULL), | 285 ssl_(NULL), |
286 ssl_ctx_(NULL), | 286 ssl_ctx_(NULL), |
287 custom_verification_succeeded_(false), | |
288 ssl_mode_(SSL_MODE_TLS), | 287 ssl_mode_(SSL_MODE_TLS), |
289 ssl_max_version_(SSL_PROTOCOL_TLS_12) {} | 288 ssl_max_version_(SSL_PROTOCOL_TLS_12) {} |
290 | 289 |
291 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() { | 290 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() { |
292 Cleanup(); | 291 Cleanup(); |
293 } | 292 } |
294 | 293 |
295 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) { | 294 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) { |
296 ASSERT(!identity_); | 295 ASSERT(!identity_); |
297 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); | 296 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); |
(...skipping 10 matching lines...) Expand all Loading... |
308 : nullptr; | 307 : nullptr; |
309 } | 308 } |
310 | 309 |
311 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string | 310 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string |
312 &digest_alg, | 311 &digest_alg, |
313 const unsigned char* | 312 const unsigned char* |
314 digest_val, | 313 digest_val, |
315 size_t digest_len) { | 314 size_t digest_len) { |
316 ASSERT(!peer_certificate_); | 315 ASSERT(!peer_certificate_); |
317 ASSERT(peer_certificate_digest_algorithm_.size() == 0); | 316 ASSERT(peer_certificate_digest_algorithm_.size() == 0); |
318 ASSERT(ssl_server_name_.empty()); | |
319 size_t expected_len; | 317 size_t expected_len; |
320 | 318 |
321 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) { | 319 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) { |
322 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg; | 320 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg; |
323 return false; | 321 return false; |
324 } | 322 } |
325 if (expected_len != digest_len) | 323 if (expected_len != digest_len) |
326 return false; | 324 return false; |
327 | 325 |
328 peer_certificate_digest_value_.SetData(digest_val, digest_len); | 326 peer_certificate_digest_value_.SetData(digest_val, digest_len); |
(...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
461 return false; | 459 return false; |
462 | 460 |
463 *crypto_suite = srtp_profile->id; | 461 *crypto_suite = srtp_profile->id; |
464 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); | 462 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); |
465 return true; | 463 return true; |
466 #else | 464 #else |
467 return false; | 465 return false; |
468 #endif | 466 #endif |
469 } | 467 } |
470 | 468 |
471 int OpenSSLStreamAdapter::StartSSLWithServer(const char* server_name) { | 469 int OpenSSLStreamAdapter::StartSSL() { |
472 ASSERT(server_name != NULL && server_name[0] != '\0'); | 470 ASSERT(state_ == SSL_NONE); |
473 ssl_server_name_ = server_name; | |
474 return StartSSL(); | |
475 } | |
476 | 471 |
477 int OpenSSLStreamAdapter::StartSSLWithPeer() { | 472 if (StreamAdapterInterface::GetState() != SS_OPEN) { |
478 ASSERT(ssl_server_name_.empty()); | 473 state_ = SSL_WAIT; |
479 // It is permitted to specify peer_certificate_ only later. | 474 return 0; |
480 return StartSSL(); | 475 } |
| 476 |
| 477 state_ = SSL_CONNECTING; |
| 478 if (int err = BeginSSL()) { |
| 479 Error("BeginSSL", err, false); |
| 480 return err; |
| 481 } |
| 482 |
| 483 return 0; |
481 } | 484 } |
482 | 485 |
483 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { | 486 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { |
484 ASSERT(state_ == SSL_NONE); | 487 ASSERT(state_ == SSL_NONE); |
485 ssl_mode_ = mode; | 488 ssl_mode_ = mode; |
486 } | 489 } |
487 | 490 |
488 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { | 491 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { |
489 ASSERT(ssl_ctx_ == NULL); | 492 ASSERT(ssl_ctx_ == NULL); |
490 ssl_max_version_ = version; | 493 ssl_max_version_ = version; |
(...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
723 Cleanup(); | 726 Cleanup(); |
724 events_to_signal |= SE_CLOSE; | 727 events_to_signal |= SE_CLOSE; |
725 // SE_CLOSE is the only event that uses the final parameter to OnEvent(). | 728 // SE_CLOSE is the only event that uses the final parameter to OnEvent(). |
726 ASSERT(signal_error == 0); | 729 ASSERT(signal_error == 0); |
727 signal_error = err; | 730 signal_error = err; |
728 } | 731 } |
729 if (events_to_signal) | 732 if (events_to_signal) |
730 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); | 733 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); |
731 } | 734 } |
732 | 735 |
733 int OpenSSLStreamAdapter::StartSSL() { | |
734 ASSERT(state_ == SSL_NONE); | |
735 | |
736 if (StreamAdapterInterface::GetState() != SS_OPEN) { | |
737 state_ = SSL_WAIT; | |
738 return 0; | |
739 } | |
740 | |
741 state_ = SSL_CONNECTING; | |
742 if (int err = BeginSSL()) { | |
743 Error("BeginSSL", err, false); | |
744 return err; | |
745 } | |
746 | |
747 return 0; | |
748 } | |
749 | |
750 int OpenSSLStreamAdapter::BeginSSL() { | 736 int OpenSSLStreamAdapter::BeginSSL() { |
751 ASSERT(state_ == SSL_CONNECTING); | 737 ASSERT(state_ == SSL_CONNECTING); |
752 // The underlying stream has open. If we are in peer-to-peer mode | 738 // The underlying stream has opened. |
753 // then a peer certificate must have been specified by now. | 739 // A peer certificate digest must have been specified by now. |
754 ASSERT(!ssl_server_name_.empty() || | 740 ASSERT(!peer_certificate_digest_algorithm_.empty()); |
755 !peer_certificate_digest_algorithm_.empty()); | 741 LOG(LS_INFO) << "BeginSSL with peer."; |
756 LOG(LS_INFO) << "BeginSSL: " | |
757 << (!ssl_server_name_.empty() ? ssl_server_name_ : | |
758 "with peer"); | |
759 | 742 |
760 BIO* bio = NULL; | 743 BIO* bio = NULL; |
761 | 744 |
762 // First set up the context | 745 // First set up the context. |
763 ASSERT(ssl_ctx_ == NULL); | 746 ASSERT(ssl_ctx_ == NULL); |
764 ssl_ctx_ = SetupSSLContext(); | 747 ssl_ctx_ = SetupSSLContext(); |
765 if (!ssl_ctx_) | 748 if (!ssl_ctx_) |
766 return -1; | 749 return -1; |
767 | 750 |
768 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); | 751 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); |
769 if (!bio) | 752 if (!bio) |
770 return -1; | 753 return -1; |
771 | 754 |
772 ssl_ = SSL_new(ssl_ctx_); | 755 ssl_ = SSL_new(ssl_ctx_); |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
818 | 801 |
819 // Clear the DTLS timer | 802 // Clear the DTLS timer |
820 Thread::Current()->Clear(this, MSG_TIMEOUT); | 803 Thread::Current()->Clear(this, MSG_TIMEOUT); |
821 | 804 |
822 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_); | 805 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_); |
823 int ssl_error; | 806 int ssl_error; |
824 switch (ssl_error = SSL_get_error(ssl_, code)) { | 807 switch (ssl_error = SSL_get_error(ssl_, code)) { |
825 case SSL_ERROR_NONE: | 808 case SSL_ERROR_NONE: |
826 LOG(LS_VERBOSE) << " -- success"; | 809 LOG(LS_VERBOSE) << " -- success"; |
827 | 810 |
828 if (!SSLPostConnectionCheck(ssl_, ssl_server_name_.c_str(), NULL, | 811 if (!SSLPostConnectionCheck(ssl_, NULL, |
829 peer_certificate_digest_algorithm_)) { | 812 peer_certificate_digest_algorithm_)) { |
830 LOG(LS_ERROR) << "TLS post connection check failed"; | 813 LOG(LS_ERROR) << "TLS post connection check failed"; |
831 return -1; | 814 return -1; |
832 } | 815 } |
833 | 816 |
834 state_ = SSL_CONNECTED; | 817 state_ = SSL_CONNECTED; |
835 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0); | 818 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0); |
836 break; | 819 break; |
837 | 820 |
838 case SSL_ERROR_WANT_READ: { | 821 case SSL_ERROR_WANT_READ: { |
(...skipping 246 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1085 // Ignore any verification error if the digest matches, since there is no | 1068 // Ignore any verification error if the digest matches, since there is no |
1086 // value in checking the validity of a self-signed cert issued by untrusted | 1069 // value in checking the validity of a self-signed cert issued by untrusted |
1087 // sources. | 1070 // sources. |
1088 LOG(LS_INFO) << "Accepted peer certificate."; | 1071 LOG(LS_INFO) << "Accepted peer certificate."; |
1089 | 1072 |
1090 // Record the peer's certificate. | 1073 // Record the peer's certificate. |
1091 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); | 1074 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |
1092 return 1; | 1075 return 1; |
1093 } | 1076 } |
1094 | 1077 |
1095 // This code is taken from the "Network Security with OpenSSL" | |
1096 // sample in chapter 5 | |
1097 bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl, | 1078 bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl, |
1098 const char* server_name, | |
1099 const X509* peer_cert, | 1079 const X509* peer_cert, |
1100 const std::string | 1080 const std::string |
1101 &peer_digest) { | 1081 &peer_digest) { |
1102 ASSERT(server_name != NULL); | 1082 ASSERT((peer_cert != NULL) || (!peer_digest.empty())); |
1103 bool ok; | 1083 return true; |
1104 if (server_name[0] != '\0') { // traditional mode | |
1105 ok = OpenSSLAdapter::VerifyServerName(ssl, server_name, ignore_bad_cert()); | |
1106 | |
1107 if (ok) { | |
1108 ok = (SSL_get_verify_result(ssl) == X509_V_OK || | |
1109 custom_verification_succeeded_); | |
1110 } | |
1111 } else { // peer-to-peer mode | |
1112 ASSERT((peer_cert != NULL) || (!peer_digest.empty())); | |
1113 // no server name validation | |
1114 ok = true; | |
1115 } | |
1116 | |
1117 if (!ok && ignore_bad_cert()) { | |
1118 LOG(LS_ERROR) << "SSL_get_verify_result(ssl) = " | |
1119 << SSL_get_verify_result(ssl); | |
1120 LOG(LS_INFO) << "Other TLS post connection checks failed."; | |
1121 ok = true; | |
1122 } | |
1123 | |
1124 return ok; | |
1125 } | 1084 } |
1126 | 1085 |
1127 bool OpenSSLStreamAdapter::HaveDtls() { | 1086 bool OpenSSLStreamAdapter::HaveDtls() { |
1128 return true; | 1087 return true; |
1129 } | 1088 } |
1130 | 1089 |
1131 bool OpenSSLStreamAdapter::HaveDtlsSrtp() { | 1090 bool OpenSSLStreamAdapter::HaveDtlsSrtp() { |
1132 #ifdef HAVE_DTLS_SRTP | 1091 #ifdef HAVE_DTLS_SRTP |
1133 return true; | 1092 return true; |
1134 #else | 1093 #else |
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1219 return true; | 1178 return true; |
1220 } | 1179 } |
1221 } | 1180 } |
1222 | 1181 |
1223 return false; | 1182 return false; |
1224 } | 1183 } |
1225 | 1184 |
1226 } // namespace rtc | 1185 } // namespace rtc |
1227 | 1186 |
1228 #endif // HAVE_OPENSSL_SSL_H | 1187 #endif // HAVE_OPENSSL_SSL_H |
OLD | NEW |