| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 79 | 79 |
| 80 #define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name} | 80 #define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name} |
| 81 #define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name} | 81 #define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name} |
| 82 | 82 |
| 83 // There currently is no method available to get a RFC-compliant name for a | 83 // There currently is no method available to get a RFC-compliant name for a |
| 84 // cipher suite from BoringSSL, so we need to define the mapping manually here. | 84 // cipher suite from BoringSSL, so we need to define the mapping manually here. |
| 85 // This should go away once BoringSSL supports "SSL_CIPHER_standard_name" | 85 // This should go away once BoringSSL supports "SSL_CIPHER_standard_name" |
| 86 // (as available in OpenSSL if compiled with tracing enabled) or a similar | 86 // (as available in OpenSSL if compiled with tracing enabled) or a similar |
| 87 // method. | 87 // method. |
| 88 static const SslCipherMapEntry kSslCipherMap[] = { | 88 static const SslCipherMapEntry kSslCipherMap[] = { |
| 89 // TLS v1.0 ciphersuites from RFC2246. | 89 // TLS v1.0 ciphersuites from RFC2246. |
| 90 DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA), | 90 DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA), |
| 91 {SSL3_CK_RSA_DES_192_CBC3_SHA, | 91 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, |
| 92 "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, | |
| 93 | 92 |
| 94 // AES ciphersuites from RFC3268. | 93 // AES ciphersuites from RFC3268. |
| 95 {TLS1_CK_RSA_WITH_AES_128_SHA, | 94 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"}, |
| 96 "TLS_RSA_WITH_AES_128_CBC_SHA"}, | 95 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}, |
| 97 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA, | 96 {TLS1_CK_RSA_WITH_AES_256_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA"}, |
| 98 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}, | 97 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}, |
| 99 {TLS1_CK_RSA_WITH_AES_256_SHA, | |
| 100 "TLS_RSA_WITH_AES_256_CBC_SHA"}, | |
| 101 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, | |
| 102 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}, | |
| 103 | 98 |
| 104 // ECC ciphersuites from RFC4492. | 99 // ECC ciphersuites from RFC4492. |
| 105 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA), | 100 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA), |
| 106 {TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, | 101 {TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, |
| 107 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"}, | 102 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"}, |
| 108 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), | 103 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), |
| 109 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), | 104 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), |
| 110 | 105 |
| 111 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA), | 106 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA), |
| 112 {TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, | 107 {TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, |
| 113 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"}, | 108 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"}, |
| 114 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA), | 109 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA), |
| 115 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA), | 110 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA), |
| 116 | 111 |
| 117 // TLS v1.2 ciphersuites. | 112 // TLS v1.2 ciphersuites. |
| 118 {TLS1_CK_RSA_WITH_AES_128_SHA256, | 113 {TLS1_CK_RSA_WITH_AES_128_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"}, |
| 119 "TLS_RSA_WITH_AES_128_CBC_SHA256"}, | 114 {TLS1_CK_RSA_WITH_AES_256_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"}, |
| 120 {TLS1_CK_RSA_WITH_AES_256_SHA256, | 115 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, |
| 121 "TLS_RSA_WITH_AES_256_CBC_SHA256"}, | 116 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"}, |
| 122 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, | 117 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, |
| 123 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"}, | 118 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}, |
| 124 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, | |
| 125 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}, | |
| 126 | 119 |
| 127 // TLS v1.2 GCM ciphersuites from RFC5288. | 120 // TLS v1.2 GCM ciphersuites from RFC5288. |
| 128 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256), | 121 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256), |
| 129 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384), | 122 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384), |
| 130 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256), | 123 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256), |
| 131 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384), | 124 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384), |
| 132 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256), | 125 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256), |
| 133 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384), | 126 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384), |
| 134 | 127 |
| 135 // ECDH HMAC based ciphersuites from RFC5289. | 128 // ECDH HMAC based ciphersuites from RFC5289. |
| 136 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, | 129 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, |
| 137 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}, | 130 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}, |
| 138 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, | 131 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, |
| 139 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"}, | 132 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"}, |
| 140 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, | 133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, |
| 141 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}, | 134 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}, |
| 142 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, | 135 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, |
| 143 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}, | 136 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}, |
| 144 | 137 |
| 145 // ECDH GCM based ciphersuites from RFC5289. | 138 // ECDH GCM based ciphersuites from RFC5289. |
| 146 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), | 139 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), |
| 147 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), | 140 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), |
| 148 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256), | 141 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256), |
| 149 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384), | 142 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384), |
| 150 | 143 |
| 151 {0, NULL} | 144 {0, nullptr}}; |
| 152 }; | |
| 153 #endif // #ifndef OPENSSL_IS_BORINGSSL | 145 #endif // #ifndef OPENSSL_IS_BORINGSSL |
| 154 | 146 |
| 155 #if defined(_MSC_VER) | 147 #if defined(_MSC_VER) |
| 156 #pragma warning(push) | 148 #pragma warning(push) |
| 157 #pragma warning(disable : 4309) | 149 #pragma warning(disable : 4309) |
| 158 #pragma warning(disable : 4310) | 150 #pragma warning(disable : 4310) |
| 159 #endif // defined(_MSC_VER) | 151 #endif // defined(_MSC_VER) |
| 160 | 152 |
| 161 #if defined(_MSC_VER) | 153 #if defined(_MSC_VER) |
| 162 #pragma warning(pop) | 154 #pragma warning(pop) |
| 163 #endif // defined(_MSC_VER) | 155 #endif // defined(_MSC_VER) |
| 164 | 156 |
| 165 ////////////////////////////////////////////////////////////////////// | 157 ////////////////////////////////////////////////////////////////////// |
| 166 // StreamBIO | 158 // StreamBIO |
| 167 ////////////////////////////////////////////////////////////////////// | 159 ////////////////////////////////////////////////////////////////////// |
| 168 | 160 |
| 169 static int stream_write(BIO* h, const char* buf, int num); | 161 static int stream_write(BIO* h, const char* buf, int num); |
| 170 static int stream_read(BIO* h, char* buf, int size); | 162 static int stream_read(BIO* h, char* buf, int size); |
| 171 static int stream_puts(BIO* h, const char* str); | 163 static int stream_puts(BIO* h, const char* str); |
| 172 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2); | 164 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2); |
| 173 static int stream_new(BIO* h); | 165 static int stream_new(BIO* h); |
| 174 static int stream_free(BIO* data); | 166 static int stream_free(BIO* data); |
| 175 | 167 |
| 176 // TODO(davidben): This should be const once BoringSSL is assumed. | 168 // TODO(davidben): This should be const once BoringSSL is assumed. |
| 177 static BIO_METHOD methods_stream = { | 169 static BIO_METHOD methods_stream = { |
| 178 BIO_TYPE_BIO, | 170 BIO_TYPE_BIO, "stream", stream_write, stream_read, stream_puts, 0, |
| 179 "stream", | 171 stream_ctrl, stream_new, stream_free, nullptr, |
| 180 stream_write, | |
| 181 stream_read, | |
| 182 stream_puts, | |
| 183 0, | |
| 184 stream_ctrl, | |
| 185 stream_new, | |
| 186 stream_free, | |
| 187 NULL, | |
| 188 }; | 172 }; |
| 189 | 173 |
| 190 static BIO_METHOD* BIO_s_stream() { return(&methods_stream); } | 174 static BIO_METHOD* BIO_s_stream() { return(&methods_stream); } |
| 191 | 175 |
| 192 static BIO* BIO_new_stream(StreamInterface* stream) { | 176 static BIO* BIO_new_stream(StreamInterface* stream) { |
| 193 BIO* ret = BIO_new(BIO_s_stream()); | 177 BIO* ret = BIO_new(BIO_s_stream()); |
| 194 if (ret == NULL) | 178 if (ret == nullptr) |
| 195 return NULL; | 179 return nullptr; |
| 196 ret->ptr = stream; | 180 ret->ptr = stream; |
| 197 return ret; | 181 return ret; |
| 198 } | 182 } |
| 199 | 183 |
| 200 // bio methods return 1 (or at least non-zero) on success and 0 on failure. | 184 // bio methods return 1 (or at least non-zero) on success and 0 on failure. |
| 201 | 185 |
| 202 static int stream_new(BIO* b) { | 186 static int stream_new(BIO* b) { |
| 203 b->shutdown = 0; | 187 b->shutdown = 0; |
| 204 b->init = 1; | 188 b->init = 1; |
| 205 b->num = 0; // 1 means end-of-stream | 189 b->num = 0; // 1 means end-of-stream |
| 206 b->ptr = 0; | 190 b->ptr = 0; |
| 207 return 1; | 191 return 1; |
| 208 } | 192 } |
| 209 | 193 |
| 210 static int stream_free(BIO* b) { | 194 static int stream_free(BIO* b) { |
| 211 if (b == NULL) | 195 if (b == nullptr) |
| 212 return 0; | 196 return 0; |
| 213 return 1; | 197 return 1; |
| 214 } | 198 } |
| 215 | 199 |
| 216 static int stream_read(BIO* b, char* out, int outl) { | 200 static int stream_read(BIO* b, char* out, int outl) { |
| 217 if (!out) | 201 if (!out) |
| 218 return -1; | 202 return -1; |
| 219 StreamInterface* stream = static_cast<StreamInterface*>(b->ptr); | 203 StreamInterface* stream = static_cast<StreamInterface*>(b->ptr); |
| 220 BIO_clear_retry_flags(b); | 204 BIO_clear_retry_flags(b); |
| 221 size_t read; | 205 size_t read; |
| (...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 276 ///////////////////////////////////////////////////////////////////////////// | 260 ///////////////////////////////////////////////////////////////////////////// |
| 277 // OpenSSLStreamAdapter | 261 // OpenSSLStreamAdapter |
| 278 ///////////////////////////////////////////////////////////////////////////// | 262 ///////////////////////////////////////////////////////////////////////////// |
| 279 | 263 |
| 280 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream) | 264 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream) |
| 281 : SSLStreamAdapter(stream), | 265 : SSLStreamAdapter(stream), |
| 282 state_(SSL_NONE), | 266 state_(SSL_NONE), |
| 283 role_(SSL_CLIENT), | 267 role_(SSL_CLIENT), |
| 284 ssl_read_needs_write_(false), | 268 ssl_read_needs_write_(false), |
| 285 ssl_write_needs_read_(false), | 269 ssl_write_needs_read_(false), |
| 286 ssl_(NULL), | 270 ssl_(nullptr), |
| 287 ssl_ctx_(NULL), | 271 ssl_ctx_(nullptr), |
| 288 ssl_mode_(SSL_MODE_TLS), | 272 ssl_mode_(SSL_MODE_TLS), |
| 289 ssl_max_version_(SSL_PROTOCOL_TLS_12) {} | 273 ssl_max_version_(SSL_PROTOCOL_TLS_12) {} |
| 290 | 274 |
| 291 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() { | 275 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() { |
| 292 Cleanup(0); | 276 Cleanup(0); |
| 293 } | 277 } |
| 294 | 278 |
| 295 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) { | 279 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) { |
| 296 RTC_DCHECK(!identity_); | 280 RTC_DCHECK(!identity_); |
| 297 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); | 281 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 380 } | 364 } |
| 381 return std::string(); | 365 return std::string(); |
| 382 #endif | 366 #endif |
| 383 } | 367 } |
| 384 | 368 |
| 385 bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { | 369 bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { |
| 386 if (state_ != SSL_CONNECTED) | 370 if (state_ != SSL_CONNECTED) |
| 387 return false; | 371 return false; |
| 388 | 372 |
| 389 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_); | 373 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_); |
| 390 if (current_cipher == NULL) { | 374 if (current_cipher == nullptr) { |
| 391 return false; | 375 return false; |
| 392 } | 376 } |
| 393 | 377 |
| 394 *cipher_suite = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher)); | 378 *cipher_suite = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher)); |
| 395 return true; | 379 return true; |
| 396 } | 380 } |
| 397 | 381 |
| 398 int OpenSSLStreamAdapter::GetSslVersion() const { | 382 int OpenSSLStreamAdapter::GetSslVersion() const { |
| 399 if (state_ != SSL_CONNECTED) | 383 if (state_ != SSL_CONNECTED) |
| 400 return -1; | 384 return -1; |
| (...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 509 | 493 |
| 510 return 0; | 494 return 0; |
| 511 } | 495 } |
| 512 | 496 |
| 513 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { | 497 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { |
| 514 RTC_DCHECK(state_ == SSL_NONE); | 498 RTC_DCHECK(state_ == SSL_NONE); |
| 515 ssl_mode_ = mode; | 499 ssl_mode_ = mode; |
| 516 } | 500 } |
| 517 | 501 |
| 518 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { | 502 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { |
| 519 RTC_DCHECK(ssl_ctx_ == NULL); | 503 RTC_DCHECK(ssl_ctx_ == nullptr); |
| 520 ssl_max_version_ = version; | 504 ssl_max_version_ = version; |
| 521 } | 505 } |
| 522 | 506 |
| 523 void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout( | 507 void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout( |
| 524 int timeout_ms) { | 508 int timeout_ms) { |
| 525 RTC_DCHECK(ssl_ctx_ == NULL); | 509 RTC_DCHECK(ssl_ctx_ == nullptr); |
| 526 dtls_handshake_timeout_ms_ = timeout_ms; | 510 dtls_handshake_timeout_ms_ = timeout_ms; |
| 527 } | 511 } |
| 528 | 512 |
| 529 // | 513 // |
| 530 // StreamInterface Implementation | 514 // StreamInterface Implementation |
| 531 // | 515 // |
| 532 | 516 |
| 533 StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len, | 517 StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len, |
| 534 size_t* written, int* error) { | 518 size_t* written, int* error) { |
| 535 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")"; | 519 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")"; |
| (...skipping 237 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 773 } | 757 } |
| 774 if (events_to_signal) | 758 if (events_to_signal) |
| 775 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); | 759 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); |
| 776 } | 760 } |
| 777 | 761 |
| 778 int OpenSSLStreamAdapter::BeginSSL() { | 762 int OpenSSLStreamAdapter::BeginSSL() { |
| 779 RTC_DCHECK(state_ == SSL_CONNECTING); | 763 RTC_DCHECK(state_ == SSL_CONNECTING); |
| 780 // The underlying stream has opened. | 764 // The underlying stream has opened. |
| 781 LOG(LS_INFO) << "BeginSSL with peer."; | 765 LOG(LS_INFO) << "BeginSSL with peer."; |
| 782 | 766 |
| 783 BIO* bio = NULL; | 767 BIO* bio = nullptr; |
| 784 | 768 |
| 785 // First set up the context. | 769 // First set up the context. |
| 786 RTC_DCHECK(ssl_ctx_ == NULL); | 770 RTC_DCHECK(ssl_ctx_ == nullptr); |
| 787 ssl_ctx_ = SetupSSLContext(); | 771 ssl_ctx_ = SetupSSLContext(); |
| 788 if (!ssl_ctx_) | 772 if (!ssl_ctx_) |
| 789 return -1; | 773 return -1; |
| 790 | 774 |
| 791 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); | 775 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); |
| 792 if (!bio) | 776 if (!bio) |
| 793 return -1; | 777 return -1; |
| 794 | 778 |
| 795 ssl_ = SSL_new(ssl_ctx_); | 779 ssl_ = SSL_new(ssl_ctx_); |
| 796 if (!ssl_) { | 780 if (!ssl_) { |
| (...skipping 16 matching lines...) Expand all Loading... |
| 813 | 797 |
| 814 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | | 798 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | |
| 815 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | 799 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |
| 816 | 800 |
| 817 #if !defined(OPENSSL_IS_BORINGSSL) | 801 #if !defined(OPENSSL_IS_BORINGSSL) |
| 818 // Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot | 802 // Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot |
| 819 // negotiate them when acting as the server. Use NIST's P-256 which is | 803 // negotiate them when acting as the server. Use NIST's P-256 which is |
| 820 // commonly supported. BoringSSL doesn't need explicit configuration and has | 804 // commonly supported. BoringSSL doesn't need explicit configuration and has |
| 821 // a reasonable default set. | 805 // a reasonable default set. |
| 822 EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 806 EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
| 823 if (ecdh == NULL) | 807 if (ecdh == nullptr) |
| 824 return -1; | 808 return -1; |
| 825 SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE); | 809 SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE); |
| 826 SSL_set_tmp_ecdh(ssl_, ecdh); | 810 SSL_set_tmp_ecdh(ssl_, ecdh); |
| 827 EC_KEY_free(ecdh); | 811 EC_KEY_free(ecdh); |
| 828 #endif | 812 #endif |
| 829 | 813 |
| 830 // Do the connect | 814 // Do the connect |
| 831 return ContinueSSL(); | 815 return ContinueSSL(); |
| 832 } | 816 } |
| 833 | 817 |
| (...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 928 #endif | 912 #endif |
| 929 ret = SSL_shutdown(ssl_); | 913 ret = SSL_shutdown(ssl_); |
| 930 if (ret < 0) { | 914 if (ret < 0) { |
| 931 LOG(LS_WARNING) << "SSL_shutdown failed, error = " | 915 LOG(LS_WARNING) << "SSL_shutdown failed, error = " |
| 932 << SSL_get_error(ssl_, ret); | 916 << SSL_get_error(ssl_, ret); |
| 933 } | 917 } |
| 934 #ifdef OPENSSL_IS_BORINGSSL | 918 #ifdef OPENSSL_IS_BORINGSSL |
| 935 } | 919 } |
| 936 #endif | 920 #endif |
| 937 SSL_free(ssl_); | 921 SSL_free(ssl_); |
| 938 ssl_ = NULL; | 922 ssl_ = nullptr; |
| 939 } | 923 } |
| 940 if (ssl_ctx_) { | 924 if (ssl_ctx_) { |
| 941 SSL_CTX_free(ssl_ctx_); | 925 SSL_CTX_free(ssl_ctx_); |
| 942 ssl_ctx_ = NULL; | 926 ssl_ctx_ = nullptr; |
| 943 } | 927 } |
| 944 identity_.reset(); | 928 identity_.reset(); |
| 945 peer_certificate_.reset(); | 929 peer_certificate_.reset(); |
| 946 | 930 |
| 947 // Clear the DTLS timer | 931 // Clear the DTLS timer |
| 948 Thread::Current()->Clear(this, MSG_TIMEOUT); | 932 Thread::Current()->Clear(this, MSG_TIMEOUT); |
| 949 } | 933 } |
| 950 | 934 |
| 951 | 935 |
| 952 void OpenSSLStreamAdapter::OnMessage(Message* msg) { | 936 void OpenSSLStreamAdapter::OnMessage(Message* msg) { |
| 953 // Process our own messages and then pass others to the superclass | 937 // Process our own messages and then pass others to the superclass |
| 954 if (MSG_TIMEOUT == msg->message_id) { | 938 if (MSG_TIMEOUT == msg->message_id) { |
| 955 LOG(LS_INFO) << "DTLS timeout expired"; | 939 LOG(LS_INFO) << "DTLS timeout expired"; |
| 956 DTLSv1_handle_timeout(ssl_); | 940 DTLSv1_handle_timeout(ssl_); |
| 957 ContinueSSL(); | 941 ContinueSSL(); |
| 958 } else { | 942 } else { |
| 959 StreamInterface::OnMessage(msg); | 943 StreamInterface::OnMessage(msg); |
| 960 } | 944 } |
| 961 } | 945 } |
| 962 | 946 |
| 963 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() { | 947 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() { |
| 964 SSL_CTX *ctx = NULL; | 948 SSL_CTX* ctx = nullptr; |
| 965 | 949 |
| 966 #ifdef OPENSSL_IS_BORINGSSL | 950 #ifdef OPENSSL_IS_BORINGSSL |
| 967 ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? | 951 ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? |
| 968 DTLS_method() : TLS_method()); | 952 DTLS_method() : TLS_method()); |
| 969 // Version limiting for BoringSSL will be done below. | 953 // Version limiting for BoringSSL will be done below. |
| 970 #else | 954 #else |
| 971 const SSL_METHOD* method; | 955 const SSL_METHOD* method; |
| 972 switch (ssl_max_version_) { | 956 switch (ssl_max_version_) { |
| 973 case SSL_PROTOCOL_TLS_10: | 957 case SSL_PROTOCOL_TLS_10: |
| 974 case SSL_PROTOCOL_TLS_11: | 958 case SSL_PROTOCOL_TLS_11: |
| (...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1019 } else { | 1003 } else { |
| 1020 method = SSLv23_server_method(); | 1004 method = SSLv23_server_method(); |
| 1021 } | 1005 } |
| 1022 #endif | 1006 #endif |
| 1023 } | 1007 } |
| 1024 break; | 1008 break; |
| 1025 } | 1009 } |
| 1026 ctx = SSL_CTX_new(method); | 1010 ctx = SSL_CTX_new(method); |
| 1027 #endif // OPENSSL_IS_BORINGSSL | 1011 #endif // OPENSSL_IS_BORINGSSL |
| 1028 | 1012 |
| 1029 if (ctx == NULL) | 1013 if (ctx == nullptr) |
| 1030 return NULL; | 1014 return nullptr; |
| 1031 | 1015 |
| 1032 #ifdef OPENSSL_IS_BORINGSSL | 1016 #ifdef OPENSSL_IS_BORINGSSL |
| 1033 SSL_CTX_set_min_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | 1017 SSL_CTX_set_min_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
| 1034 DTLS1_VERSION : TLS1_VERSION); | 1018 DTLS1_VERSION : TLS1_VERSION); |
| 1035 switch (ssl_max_version_) { | 1019 switch (ssl_max_version_) { |
| 1036 case SSL_PROTOCOL_TLS_10: | 1020 case SSL_PROTOCOL_TLS_10: |
| 1037 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | 1021 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
| 1038 DTLS1_VERSION : TLS1_VERSION); | 1022 DTLS1_VERSION : TLS1_VERSION); |
| 1039 break; | 1023 break; |
| 1040 case SSL_PROTOCOL_TLS_11: | 1024 case SSL_PROTOCOL_TLS_11: |
| 1041 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | 1025 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
| 1042 DTLS1_VERSION : TLS1_1_VERSION); | 1026 DTLS1_VERSION : TLS1_1_VERSION); |
| 1043 break; | 1027 break; |
| 1044 case SSL_PROTOCOL_TLS_12: | 1028 case SSL_PROTOCOL_TLS_12: |
| 1045 default: | 1029 default: |
| 1046 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | 1030 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
| 1047 DTLS1_2_VERSION : TLS1_2_VERSION); | 1031 DTLS1_2_VERSION : TLS1_2_VERSION); |
| 1048 break; | 1032 break; |
| 1049 } | 1033 } |
| 1050 if (g_use_time_callback_for_testing) { | 1034 if (g_use_time_callback_for_testing) { |
| 1051 SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting); | 1035 SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting); |
| 1052 } | 1036 } |
| 1053 #endif | 1037 #endif |
| 1054 | 1038 |
| 1055 if (identity_ && !identity_->ConfigureIdentity(ctx)) { | 1039 if (identity_ && !identity_->ConfigureIdentity(ctx)) { |
| 1056 SSL_CTX_free(ctx); | 1040 SSL_CTX_free(ctx); |
| 1057 return NULL; | 1041 return nullptr; |
| 1058 } | 1042 } |
| 1059 | 1043 |
| 1060 #if !defined(NDEBUG) | 1044 #if !defined(NDEBUG) |
| 1061 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback); | 1045 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback); |
| 1062 #endif | 1046 #endif |
| 1063 | 1047 |
| 1064 int mode = SSL_VERIFY_PEER; | 1048 int mode = SSL_VERIFY_PEER; |
| 1065 if (client_auth_enabled()) { | 1049 if (client_auth_enabled()) { |
| 1066 // Require a certificate from the client. | 1050 // Require a certificate from the client. |
| 1067 // Note: Normally this is always true in production, but it may be disabled | 1051 // Note: Normally this is always true in production, but it may be disabled |
| 1068 // for testing purposes (e.g. SSLAdapter unit tests). | 1052 // for testing purposes (e.g. SSLAdapter unit tests). |
| 1069 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | 1053 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
| 1070 } | 1054 } |
| 1071 | 1055 |
| 1072 SSL_CTX_set_verify(ctx, mode, SSLVerifyCallback); | 1056 SSL_CTX_set_verify(ctx, mode, SSLVerifyCallback); |
| 1073 SSL_CTX_set_verify_depth(ctx, 4); | 1057 SSL_CTX_set_verify_depth(ctx, 4); |
| 1074 // Select list of available ciphers. Note that !SHA256 and !SHA384 only | 1058 // Select list of available ciphers. Note that !SHA256 and !SHA384 only |
| 1075 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites | 1059 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites |
| 1076 // with SHA256 or SHA384 as the handshake hash. | 1060 // with SHA256 or SHA384 as the handshake hash. |
| 1077 // This matches the list of SSLClientSocketOpenSSL in Chromium. | 1061 // This matches the list of SSLClientSocketOpenSSL in Chromium. |
| 1078 SSL_CTX_set_cipher_list(ctx, | 1062 SSL_CTX_set_cipher_list( |
| 1079 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"); | 1063 ctx, "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"); |
| 1080 | 1064 |
| 1081 if (!srtp_ciphers_.empty()) { | 1065 if (!srtp_ciphers_.empty()) { |
| 1082 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) { | 1066 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) { |
| 1083 SSL_CTX_free(ctx); | 1067 SSL_CTX_free(ctx); |
| 1084 return NULL; | 1068 return nullptr; |
| 1085 } | 1069 } |
| 1086 } | 1070 } |
| 1087 | 1071 |
| 1088 return ctx; | 1072 return ctx; |
| 1089 } | 1073 } |
| 1090 | 1074 |
| 1091 bool OpenSSLStreamAdapter::VerifyPeerCertificate() { | 1075 bool OpenSSLStreamAdapter::VerifyPeerCertificate() { |
| 1092 if (!has_peer_certificate_digest() || !peer_certificate_) { | 1076 if (!has_peer_certificate_digest() || !peer_certificate_) { |
| 1093 LOG(LS_WARNING) << "Missing digest or peer certificate."; | 1077 LOG(LS_WARNING) << "Missing digest or peer certificate."; |
| 1094 return false; | 1078 return false; |
| (...skipping 131 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1226 } | 1210 } |
| 1227 | 1211 |
| 1228 return false; | 1212 return false; |
| 1229 } | 1213 } |
| 1230 | 1214 |
| 1231 void OpenSSLStreamAdapter::enable_time_callback_for_testing() { | 1215 void OpenSSLStreamAdapter::enable_time_callback_for_testing() { |
| 1232 g_use_time_callback_for_testing = true; | 1216 g_use_time_callback_for_testing = true; |
| 1233 } | 1217 } |
| 1234 | 1218 |
| 1235 } // namespace rtc | 1219 } // namespace rtc |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2718663005:
Replace NULL with nullptr or null in webrtc/base/. (Closed)
