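--- a/webrtc/base/sslstreamadapter.h
+++ b/webrtc/base/sslstreamadapter.h
@@ -1,10 +1,10 @@
 /*
 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license
 * that can be found in the LICENSE file in the root of the source
 * tree. An additional intellectual property rights grant can be found
 * in the file PATENTS. All contributing project authors may
 * be found in the AUTHORS file in the root of the source tree.
 */
 
@@ -86,80 +86,64 @@
 explicit SSLStreamAdapter(StreamInterface* stream)
 : StreamAdapterInterface(stream), ignore_bad_cert_(false),
 client_auth_enabled_(true) { }
 
 void set_ignore_bad_cert(bool ignore) { ignore_bad_cert_ = ignore; }
 bool ignore_bad_cert() const { return ignore_bad_cert_; }
 
 void set_client_auth_enabled(bool enabled) { client_auth_enabled_ = enabled; }
 bool client_auth_enabled() const { return client_auth_enabled_; }
 
-// Specify our SSL identity: key and certificate. Mostly this is
-// only used in the peer-to-peer mode (unless we actually want to
-// provide a client certificate to a server).
-// SSLStream takes ownership of the SSLIdentity object and will
-// free it when appropriate. Should be called no more than once on a
-// given SSLStream instance.
+// Specify our SSL identity: key and certificate. SSLStream takes ownership
+// of the SSLIdentity object and will free it when appropriate. Should be
+// called no more than once on a given SSLStream instance.
 virtual void SetIdentity(SSLIdentity* identity) = 0;
 
-// Call this to indicate that we are to play the server's role in
-// the peer-to-peer mode.
-// The default argument is for backward compatibility
+// Call this to indicate that we are to play the server role (or client role,
+// if the default argument is replaced by SSL_CLIENT).
+// The default argument is for backward compatibility.
 // TODO(ekr@rtfm.com): rename this SetRole to reflect its new function
 virtual void SetServerRole(SSLRole role = SSL_SERVER) = 0;
 
-// Do DTLS or TLS
+// Do DTLS or TLS.
 virtual void SetMode(SSLMode mode) = 0;
 
 // Set maximum supported protocol version. The highest version supported by
 // both ends will be used for the connection, i.e. if one party supports
 // DTLS 1.0 and the other DTLS 1.2, DTLS 1.0 will be used.
 // If requested version is not supported by underlying crypto library, the
 // next lower will be used.
 virtual void SetMaxProtocolVersion(SSLProtocolVersion version) = 0;
 
-// The mode of operation is selected by calling either
-// StartSSLWithServer or StartSSLWithPeer.
-// Use of the stream prior to calling either of these functions will
-// pass data in clear text.
-// Calling one of these functions causes SSL negotiation to begin as
-// soon as possible: right away if the underlying wrapped stream is
-// already opened, or else as soon as it opens.
+// StartSSL starts negotiation with a peer, whose certificate is verified
+// using the certificate digest. Generally, SetIdentity() and possibly
+// SetServerRole() should have been called before this.
+// SetPeerCertificateDigest() must also be called. It may be called after
+// StartSSLWithPeer() but must be called before the underlying stream opens.
 //
-// These functions return a negative error code on failure.
-// Returning 0 means success so far, but negotiation is probably not
-// complete and will continue asynchronously. In that case, the
-// exposed stream will open after successful negotiation and
-// verification, or an SE_CLOSE event will be raised if negotiation
-// fails.
+// Use of the stream prior to calling StartSSL will pass data in clear text.
+// Calling StartSSL causes SSL negotiation to begin as soon as possible: right
+// away if the underlying wrapped stream is already opened, or else as soon as
+// it opens.
+//
+// StartSSL returns a negative error code on failure. Returning 0 means
+// success so far, but negotiation is probably not complete and will continue
+// asynchronously. In that case, the exposed stream will open after
+// successful negotiation and verification, or an SE_CLOSE event will be
+// raised if negotiation fails.
+virtual int StartSSL() = 0;
 
-// StartSSLWithServer starts SSL negotiation with a server in
-// traditional mode. server_name specifies the expected server name
-// which the server's certificate needs to specify.
-virtual int StartSSLWithServer(const char* server_name) = 0;
-
-// StartSSLWithPeer starts negotiation in the special peer-to-peer
-// mode.
-// Generally, SetIdentity() and possibly SetServerRole() should have
-// been called before this.
-// SetPeerCertificate() or SetPeerCertificateDigest() must also be called.
-// It may be called after StartSSLWithPeer() but must be called before the
-// underlying stream opens.
-virtual int StartSSLWithPeer() = 0;
-
-// Specify the digest of the certificate that our peer is expected to use in
-// peer-to-peer mode. Only this certificate will be accepted during
-// SSL verification. The certificate is assumed to have been
-// obtained through some other secure channel (such as the XMPP
-// channel). Unlike SetPeerCertificate(), this must specify the
-// terminal certificate, not just a CA.
-// SSLStream makes a copy of the digest value.
+// Specify the digest of the certificate that our peer is expected to use.
+// Only this certificate will be accepted during SSL verification. The
+// certificate is assumed to have been obtained through some other secure
+// channel (such as the signaling channel). This must specify the terminal
+// certificate, not just a CA. SSLStream makes a copy of the digest value.
 virtual bool SetPeerCertificateDigest(const std::string& digest_alg,
 const unsigned char* digest_val,
 size_t digest_len) = 0;
 
 // Retrieves the peer's X.509 certificate, if a connection has been
 // established. It returns the transmitted over SSL, including the entire
 // chain.
 virtual std::unique_ptr<SSLCertificate> GetPeerCertificate() const = 0;
 
 // Retrieves the IANA registration id of the cipher suite used for the
@@ -215,10 +199,10 @@
 
 // If true (default), the client is required to provide a certificate during
 // handshake. If no certificate is given, handshake fails. This applies to
 // server mode only.
 bool client_auth_enabled_;
 };
 
 } // namespace rtc
 
 #endif // WEBRTC_BASE_SSLSTREAMADAPTER_H_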
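Review bot: The rewritten StartSSL() comment at new line 121 still says the digest "may be called after StartSSLWithPeer()", but StartSSLWithPeer() is exactly what this commit removes, so the new contract points callers at a method that no longer exists; it should read `// StartSSL() but must be called before the underlying stream opens.`. Since the header now describes the digest pin as the only way the peer certificate is verified, that paragraph is also the natural place to state what happens when StartSSL() is called and SetPeerCertificateDigest() is never set before the stream opens — the text says the digest "must" be set but not whether negotiation fails closed; that outcome is not visible in this header, so confirm it against the implementation before wording it. The SSLStreamAdapter class definition starts before and ends after the rewritten hunk.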