1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
31 #include "webrtc/rtc_base/openssldigest.h" | 31 #include "webrtc/rtc_base/openssldigest.h" |
32 #include "webrtc/rtc_base/opensslidentity.h" | 32 #include "webrtc/rtc_base/opensslidentity.h" |
33 #include "webrtc/rtc_base/safe_conversions.h" | 33 #include "webrtc/rtc_base/safe_conversions.h" |
34 #include "webrtc/rtc_base/stream.h" | 34 #include "webrtc/rtc_base/stream.h" |
35 #include "webrtc/rtc_base/stringutils.h" | 35 #include "webrtc/rtc_base/stringutils.h" |
36 #include "webrtc/rtc_base/thread.h" | 36 #include "webrtc/rtc_base/thread.h" |
37 #include "webrtc/rtc_base/timeutils.h" | 37 #include "webrtc/rtc_base/timeutils.h" |
38 | 38 |
39 namespace { | 39 namespace { |
40 bool g_use_time_callback_for_testing = false; | 40 bool g_use_time_callback_for_testing = false; |
41 const int kMaxSupportedCertChainDepth = 3; | |
davidben_webrtc
2017/09/26 23:21:46
3 is a remarkably small number. Where did you get
| |
41 } | 42 } |
42 | 43 |
43 namespace rtc { | 44 namespace rtc { |
44 | 45 |
45 #if (OPENSSL_VERSION_NUMBER < 0x10001000L) | 46 #if (OPENSSL_VERSION_NUMBER < 0x10001000L) |
46 #error "webrtc requires at least OpenSSL version 1.0.1, to support DTLS-SRTP" | 47 #error "webrtc requires at least OpenSSL version 1.0.1, to support DTLS-SRTP" |
47 #endif | 48 #endif |
48 | 49 |
49 // SRTP cipher suite table. |internal_name| is used to construct a | 50 // SRTP cipher suite table. |internal_name| is used to construct a |
50 // colon-separated profile strings which is needed by | 51 // colon-separated profile strings which is needed by |
1103 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { | 1104 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { |
1104 // Get our SSL structure from the store | 1105 // Get our SSL structure from the store |
1105 SSL* ssl = reinterpret_cast<SSL*>( | 1106 SSL* ssl = reinterpret_cast<SSL*>( |
1106 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx())); | 1107 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx())); |
1107 X509* cert = X509_STORE_CTX_get_current_cert(store); | 1108 X509* cert = X509_STORE_CTX_get_current_cert(store); |
1108 int depth = X509_STORE_CTX_get_error_depth(store); | 1109 int depth = X509_STORE_CTX_get_error_depth(store); |
1109 | 1110 |
1110 // For now we ignore the parent certificates and verify the leaf against | 1111 // For now we ignore the parent certificates and verify the leaf against |
1111 // the digest. | 1112 // the digest. |
1112 // | 1113 // |
1113 // TODO(jiayl): Verify the chain is a proper chain and report the chain to | |
1114 // |stream->peer_certificate_|. | |
1115 if (depth > 0) { | |
1116 LOG(LS_INFO) << "Ignored chained certificate at depth " << depth; | |
1117 return 1; | |
1118 } | |
1119 | 1114 |
1120 OpenSSLStreamAdapter* stream = | 1115 OpenSSLStreamAdapter* stream = |
1121 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); | 1116 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); |
1117 if (depth == 0) { | |
davidben_webrtc
2017/09/26 23:21:46
Huh? This is the error depth...
| |
1118 // Record the peer's certificate. | |
1119 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); | |
1120 } else { | |
1121 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store); | |
1122 if (sk_X509_num(chain) >= kMaxSupportedCertChainDepth) { | |
1123 LOG(LS_INFO) << "Ignore chained certificate at depth " << depth; | |
1124 return 1; | |
1125 } | |
1126 stream->peer_certificate_.reset(new OpenSSLCertificate(chain)); | |
davidben_webrtc
2017/09/26 23:21:46
This callback gets called multiple times as the ce
| |
1127 } | |
1122 | 1128 |
1123 // Record the peer's certificate. | 1129 // Record the peer's certificate. |
1124 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); | 1130 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |
1125 | 1131 |
1126 // If the peer certificate digest isn't known yet, we'll wait to verify | 1132 // If the peer certificate digest isn't known yet, we'll wait to verify |
1127 // until it's known, and for now just return a success status. | 1133 // until it's known, and for now just return a success status. |
1128 if (stream->peer_certificate_digest_algorithm_.empty()) { | 1134 if (stream->peer_certificate_digest_algorithm_.empty()) { |
1129 LOG(LS_INFO) << "Waiting to verify certificate until digest is known."; | 1135 LOG(LS_INFO) << "Waiting to verify certificate until digest is known."; |
1130 return 1; | 1136 return 1; |
1131 } | 1137 } |
1210 } | 1216 } |
1211 | 1217 |
1212 return false; | 1218 return false; |
1213 } | 1219 } |
1214 | 1220 |
1215 void OpenSSLStreamAdapter::enable_time_callback_for_testing() { | 1221 void OpenSSLStreamAdapter::enable_time_callback_for_testing() { |
1216 g_use_time_callback_for_testing = true; | 1222 g_use_time_callback_for_testing = true; |
1217 } | 1223 } |
1218 | 1224 |
1219 } // namespace rtc | 1225 } // namespace rtc |
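Review bot: In SSLVerifyCallback the pre-existing unconditional `stream->peer_certificate_.reset(new OpenSSLCertificate(cert));` kept at new lines 1129-1130 runs right after the new `if (depth == 0) { ... } else { ... }` block at 1117-1127 and overwrites whatever that block just stored, so the chain object built at 1126 is discarded and, on a depth > 0 invocation, peer_certificate_ ends up wrapping the issuer certificate rather than the leaf. Delete those two trailing lines (the `// Record the peer's certificate.` comment and the reset) now that the branch records the certificate itself. Separately, dropping the old `if (depth > 0) return 1;` early return means the digest comparison that follows the "Waiting to verify certificate until digest is known" return (the function continues outside the hunk) is now reached for every certificate in the chain, not just the leaf; unless that comparison is chain-aware, a peer presenting intermediates will presumably fail fingerprint verification, so confirm that path before landing. If `X509_STORE_CTX_get_chain` can hand back a null stack in this callback, `chain` should also be null-checked before `sk_X509_num(chain)` and before being passed to `OpenSSLCertificate`.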