| 1 /* | 1 /* |
| 2 * Copyright 2008 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2008 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| 697 //LOG(LS_INFO) << " -- onStreamWriteable"; | 697 //LOG(LS_INFO) << " -- onStreamWriteable"; |
| 698 AsyncSocketAdapter::OnWriteEvent(socket); | 698 AsyncSocketAdapter::OnWriteEvent(socket); |
| 699 } | 699 } |
| 700 | 700 |
| 701 void | 701 void |
| 702 OpenSSLAdapter::OnCloseEvent(AsyncSocket* socket, int err) { | 702 OpenSSLAdapter::OnCloseEvent(AsyncSocket* socket, int err) { |
| 703 LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")"; | 703 LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")"; |
| 704 AsyncSocketAdapter::OnCloseEvent(socket, err); | 704 AsyncSocketAdapter::OnCloseEvent(socket, err); |
| 705 } | 705 } |
| 706 | 706 |
| 707 // This code is taken from the "Network Security with OpenSSL" | |
| 708 // sample in chapter 5 | |
| 709 | |
| 710 bool OpenSSLAdapter::VerifyServerName(SSL* ssl, const char* host, | 707 bool OpenSSLAdapter::VerifyServerName(SSL* ssl, const char* host, |
| 711 bool ignore_bad_cert) { | 708 bool ignore_bad_cert) { |
| 712 if (!host) | 709 if (!host) |
| 713 return false; | 710 return false; |
| 714 | 711 |
| 715 // Checking the return from SSL_get_peer_certificate here is not strictly | 712 // Checking the return from SSL_get_peer_certificate here is not strictly |
| 716 // necessary. With our setup, it is not possible for it to return | 713 // necessary. With our setup, it is not possible for it to return |
| 717 // NULL. However, it is good form to check the return. | 714 // NULL. However, it is good form to check the return. |
| 718 X509* certificate = SSL_get_peer_certificate(ssl); | 715 X509* certificate = SSL_get_peer_certificate(ssl); |
| 719 if (!certificate) | 716 if (!certificate) |
| 732 BIO_free(mem); | 729 BIO_free(mem); |
| 733 | 730 |
| 734 char* cipher_description = | 731 char* cipher_description = |
| 735 SSL_CIPHER_description(SSL_get_current_cipher(ssl), NULL, 128); | 732 SSL_CIPHER_description(SSL_get_current_cipher(ssl), NULL, 128); |
| 736 LOG(LS_INFO) << "Cipher: " << cipher_description; | 733 LOG(LS_INFO) << "Cipher: " << cipher_description; |
| 737 OPENSSL_free(cipher_description); | 734 OPENSSL_free(cipher_description); |
| 738 } | 735 } |
| 739 #endif | 736 #endif |
| 740 | 737 |
| 741 bool ok = false; | 738 bool ok = false; |
| 742 int extension_count = X509_get_ext_count(certificate); | 739 GENERAL_NAMES* names = reinterpret_cast<GENERAL_NAMES*>( |
| 743 for (int i = 0; i < extension_count; ++i) { | 740 X509_get_ext_d2i(certificate, NID_subject_alt_name, nullptr, nullptr)); |
| 744 X509_EXTENSION* extension = X509_get_ext(certificate, i); | 741 if (names) { |
| 745 int extension_nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension)); | 742 for (size_t i = 0; i < sk_GENERAL_NAME_num(names); i++) { |
| 746 | 743 const GENERAL_NAME* name = sk_GENERAL_NAME_value(names, i); |
| 747 if (extension_nid == NID_subject_alt_name) { | 744 if (name->type != GEN_DNS) |
| 748 const X509V3_EXT_METHOD* meth = X509V3_EXT_get(extension); | 745 continue; |
| 749 if (!meth) | 746 std::string value( |
| 747 reinterpret_cast<const char*>(ASN1_STRING_data(name->d.dNSName)), |
| 748 ASN1_STRING_length(name->d.dNSName)); |
| 749 // string_match takes NUL-terminated strings, so check for embedded NULs. |
| 750 if (value.find('\0') != std::string::npos) |
| 751 continue; |
| 752 if (string_match(host, value.c_str())) { |
| 753 ok = true; |
| 750 break; | 754 break; |
| 751 | |
| 752 void* ext_str = NULL; | |
| 753 | |
| 754 // We assign this to a local variable, instead of passing the address | |
| 755 // directly to ASN1_item_d2i. | |
| 756 // See http://readlist.com/lists/openssl.org/openssl-users/0/4761.html. | |
| 757 unsigned char* ext_value_data = extension->value->data; | |
| 758 | |
| 759 const unsigned char **ext_value_data_ptr = | |
| 760 (const_cast<const unsigned char **>(&ext_value_data)); | |
| 761 | |
| 762 if (meth->it) { | |
| 763 ext_str = ASN1_item_d2i(NULL, ext_value_data_ptr, | |
| 764 extension->value->length, | |
| 765 ASN1_ITEM_ptr(meth->it)); | |
| 766 } else { | |
| 767 ext_str = meth->d2i(NULL, ext_value_data_ptr, extension->value->length); | |
| 768 } | 755 } |
| 769 | |
| 770 STACK_OF(CONF_VALUE)* value = meth->i2v(meth, ext_str, NULL); | |
| 771 | |
| 772 // Cast to size_t to be compilable for both OpenSSL and BoringSSL. | |
| 773 for (size_t j = 0; j < static_cast<size_t>(sk_CONF_VALUE_num(value)); | |
| 774 ++j) { | |
| 775 CONF_VALUE* nval = sk_CONF_VALUE_value(value, j); | |
| 776 // The value for nval can contain wildcards | |
| 777 if (!strcmp(nval->name, "DNS") && string_match(host, nval->value)) { | |
| 778 ok = true; | |
| 779 break; | |
| 780 } | |
| 781 } | |
| 782 sk_CONF_VALUE_pop_free(value, X509V3_conf_free); | |
| 783 value = NULL; | |
| 784 | |
| 785 if (meth->it) { | |
| 786 ASN1_item_free(reinterpret_cast<ASN1_VALUE*>(ext_str), | |
| 787 ASN1_ITEM_ptr(meth->it)); | |
| 788 } else { | |
| 789 meth->ext_free(ext_str); | |
| 790 } | |
| 791 ext_str = NULL; | |
| 792 } | 756 } |
| 793 if (ok) | 757 GENERAL_NAMES_free(names); |
| 794 break; | |
| 795 } | 758 } |
| 796 | 759 |
| 797 char data[256]; | 760 char data[256]; |
| 798 X509_NAME* subject; | 761 X509_NAME* subject; |
| 799 if (!ok | 762 if (!ok |
| 800 && ((subject = X509_get_subject_name(certificate)) != NULL) | 763 && ((subject = X509_get_subject_name(certificate)) != NULL) |
| 801 && (X509_NAME_get_text_by_NID(subject, NID_commonName, | 764 && (X509_NAME_get_text_by_NID(subject, NID_commonName, |
| 802 data, sizeof(data)) > 0)) { | 765 data, sizeof(data)) > 0)) { |
| 803 data[sizeof(data)-1] = 0; | 766 data[sizeof(data)-1] = 0; |
| 804 if (_stricmp(data, host) == 0) | 767 if (_stricmp(data, host) == 0) |
| 956 SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); | 919 SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); |
| 957 | 920 |
| 958 if (ssl_mode_ == SSL_MODE_DTLS) { | 921 if (ssl_mode_ == SSL_MODE_DTLS) { |
| 959 SSL_CTX_set_read_ahead(ctx, 1); | 922 SSL_CTX_set_read_ahead(ctx, 1); |
| 960 } | 923 } |
| 961 | 924 |
| 962 return ctx; | 925 return ctx; |
| 963 } | 926 } |
| 964 | 927 |
| 965 } // namespace rtc | 928 } // namespace rtc |
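Review bot: The common-name fallback in VerifyServerName (new lines 760-767) still runs whenever no SAN matched, including the case where the certificate carried dNSName entries that simply did not match, and RFC 6125 §6.4.4 says the CN must be ignored once dNSName SANs are present; the loop should record that a `GEN_DNS` entry was seen and the fallback should require `!saw_dns_san`. The embedded-NUL guard the commit adds for SAN values is not mirrored on the CN path: `X509_NAME_get_text_by_NID` returns the attribute's full length, so comparing that with `strlen(data)` rejects a CN like `host\0.example`, which the current `> 0` check followed by `_stricmp` would presumably accept as `host`. The removed loop cast `sk_GENERAL_NAME_num` to `size_t` for OpenSSL/BoringSSL portability, and the new `size_t i < sk_GENERAL_NAME_num(names)` drops that cast, so it will likely warn on OpenSSL's `int` return; keeping `static_cast<size_t>(...)` there is cheap. VerifyServerName begins in the first hunk and its body continues past the end of the second hunk.
```cpp
bool ok = false;
bool saw_dns_san = false;  // RFC 6125 6.4.4: once dNSName SANs exist, CN is ignored
// … unchanged: X509_get_ext_d2i and the names loop header …
    if (name->type != GEN_DNS)
      continue;
    saw_dns_san = true;
// … unchanged: value construction, embedded-NUL check, string_match, GENERAL_NAMES_free …

char data[256];
X509_NAME* subject;
int cn_len;
if (!ok && !saw_dns_san
    && ((subject = X509_get_subject_name(certificate)) != NULL)
    && ((cn_len = X509_NAME_get_text_by_NID(subject, NID_commonName,
                                            data, sizeof(data))) > 0)
    && static_cast<size_t>(cn_len) == strlen(data)) {
  data[sizeof(data)-1] = 0;
// … unchanged: _stricmp comparison (continues past the hunk) …
```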