Index: webrtc/rtc_base/opensslstreamadapter.cc |
diff --git a/webrtc/rtc_base/opensslstreamadapter.cc b/webrtc/rtc_base/opensslstreamadapter.cc |
index 1c0b57894acd8de29a0bb5d9565ae079168053f6..fea692fef06915119c3c0dd22524a17ab9a0bb5a 100644 |
--- a/webrtc/rtc_base/opensslstreamadapter.cc |
+++ b/webrtc/rtc_base/opensslstreamadapter.cc |
@@ -37,7 +37,7 @@ |
#include "webrtc/rtc_base/timeutils.h" |
namespace { |
- bool g_use_time_callback_for_testing = false; |
+bool g_use_time_callback_for_testing = false; |
} |
namespace rtc { |
@@ -77,8 +77,10 @@ struct SslCipherMapEntry { |
const char* rfc_name; |
}; |
-#define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name} |
-#define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name} |
+#define DEFINE_CIPHER_ENTRY_SSL3(name) \ |
+ { SSL3_CK_##name, "TLS_" #name } |
+#define DEFINE_CIPHER_ENTRY_TLS1(name) \ |
+ { TLS1_CK_##name, "TLS_" #name } |
// There currently is no method available to get a RFC-compliant name for a |
// cipher suite from BoringSSL, so we need to define the mapping manually here. |
@@ -171,7 +173,9 @@ static BIO_METHOD methods_stream = { |
stream_ctrl, stream_new, stream_free, nullptr, |
}; |
-static BIO_METHOD* BIO_s_stream() { return(&methods_stream); } |
+static BIO_METHOD* BIO_s_stream() { |
+ return (&methods_stream); |
+} |
static BIO* BIO_new_stream(StreamInterface* stream) { |
BIO* ret = BIO_new(BIO_s_stream()); |
@@ -459,7 +463,7 @@ bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) { |
if (state_ != SSL_CONNECTED) |
return false; |
- const SRTP_PROTECTION_PROFILE *srtp_profile = |
+ const SRTP_PROTECTION_PROFILE* srtp_profile = |
SSL_get_selected_srtp_profile(ssl_); |
if (!srtp_profile) |
@@ -504,8 +508,7 @@ void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { |
ssl_max_version_ = version; |
} |
-void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout( |
- int timeout_ms) { |
+void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout(int timeout_ms) { |
RTC_DCHECK(ssl_ctx_ == nullptr); |
dtls_handshake_timeout_ms_ = timeout_ms; |
} |
@@ -514,31 +517,33 @@ void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout( |
// StreamInterface Implementation |
// |
-StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len, |
- size_t* written, int* error) { |
+StreamResult OpenSSLStreamAdapter::Write(const void* data, |
+ size_t data_len, |
+ size_t* written, |
+ int* error) { |
LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")"; |
switch (state_) { |
- case SSL_NONE: |
- // pass-through in clear text |
- return StreamAdapterInterface::Write(data, data_len, written, error); |
- |
- case SSL_WAIT: |
- case SSL_CONNECTING: |
- return SR_BLOCK; |
+ case SSL_NONE: |
+ // pass-through in clear text |
+ return StreamAdapterInterface::Write(data, data_len, written, error); |
- case SSL_CONNECTED: |
- if (waiting_to_verify_peer_certificate()) { |
+ case SSL_WAIT: |
+ case SSL_CONNECTING: |
return SR_BLOCK; |
- } |
- break; |
- |
- case SSL_ERROR: |
- case SSL_CLOSED: |
- default: |
- if (error) |
- *error = ssl_error_code_; |
- return SR_ERROR; |
+ |
+ case SSL_CONNECTED: |
+ if (waiting_to_verify_peer_certificate()) { |
+ return SR_BLOCK; |
+ } |
+ break; |
+ |
+ case SSL_ERROR: |
+ case SSL_CLOSED: |
+ default: |
+ if (error) |
+ *error = ssl_error_code_; |
+ return SR_ERROR; |
} |
// OpenSSL will return an error if we try to write zero bytes |
@@ -553,32 +558,34 @@ StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len, |
int code = SSL_write(ssl_, data, checked_cast<int>(data_len)); |
int ssl_error = SSL_get_error(ssl_, code); |
switch (ssl_error) { |
- case SSL_ERROR_NONE: |
- LOG(LS_VERBOSE) << " -- success"; |
- RTC_DCHECK(0 < code && static_cast<unsigned>(code) <= data_len); |
- if (written) |
- *written = code; |
- return SR_SUCCESS; |
- case SSL_ERROR_WANT_READ: |
- LOG(LS_VERBOSE) << " -- error want read"; |
- ssl_write_needs_read_ = true; |
- return SR_BLOCK; |
- case SSL_ERROR_WANT_WRITE: |
- LOG(LS_VERBOSE) << " -- error want write"; |
- return SR_BLOCK; |
- |
- case SSL_ERROR_ZERO_RETURN: |
- default: |
- Error("SSL_write", (ssl_error ? ssl_error : -1), 0, false); |
- if (error) |
- *error = ssl_error_code_; |
- return SR_ERROR; |
+ case SSL_ERROR_NONE: |
+ LOG(LS_VERBOSE) << " -- success"; |
+ RTC_DCHECK(0 < code && static_cast<unsigned>(code) <= data_len); |
+ if (written) |
+ *written = code; |
+ return SR_SUCCESS; |
+ case SSL_ERROR_WANT_READ: |
+ LOG(LS_VERBOSE) << " -- error want read"; |
+ ssl_write_needs_read_ = true; |
+ return SR_BLOCK; |
+ case SSL_ERROR_WANT_WRITE: |
+ LOG(LS_VERBOSE) << " -- error want write"; |
+ return SR_BLOCK; |
+ |
+ case SSL_ERROR_ZERO_RETURN: |
+ default: |
+ Error("SSL_write", (ssl_error ? ssl_error : -1), 0, false); |
+ if (error) |
+ *error = ssl_error_code_; |
+ return SR_ERROR; |
} |
// not reached |
} |
-StreamResult OpenSSLStreamAdapter::Read(void* data, size_t data_len, |
- size_t* read, int* error) { |
+StreamResult OpenSSLStreamAdapter::Read(void* data, |
+ size_t data_len, |
+ size_t* read, |
+ int* error) { |
LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data_len << ")"; |
switch (state_) { |
case SSL_NONE: |
@@ -705,7 +712,8 @@ StreamState OpenSSLStreamAdapter::GetState() const { |
// not reached |
} |
-void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, int events, |
+void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, |
+ int events, |
int err) { |
int events_to_signal = 0; |
int signal_error = 0; |
@@ -723,12 +731,12 @@ void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, int events, |
} |
} |
} |
- if ((events & (SE_READ|SE_WRITE))) { |
+ if ((events & (SE_READ | SE_WRITE))) { |
LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent" |
- << ((events & SE_READ) ? " SE_READ" : "") |
- << ((events & SE_WRITE) ? " SE_WRITE" : ""); |
+ << ((events & SE_READ) ? " SE_READ" : "") |
+ << ((events & SE_WRITE) ? " SE_WRITE" : ""); |
if (state_ == SSL_NONE) { |
- events_to_signal |= events & (SE_READ|SE_WRITE); |
+ events_to_signal |= events & (SE_READ | SE_WRITE); |
} else if (state_ == SSL_CONNECTING) { |
if (int err = ContinueSSL()) { |
Error("ContinueSSL", err, 0, true); |
@@ -796,7 +804,7 @@ int OpenSSLStreamAdapter::BeginSSL() { |
} |
SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | |
- SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |
+ SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |
#if !defined(OPENSSL_IS_BORINGSSL) |
// Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot |
@@ -847,16 +855,15 @@ int OpenSSLStreamAdapter::ContinueSSL() { |
break; |
case SSL_ERROR_WANT_READ: { |
- LOG(LS_VERBOSE) << " -- error want read"; |
- struct timeval timeout; |
- if (DTLSv1_get_timeout(ssl_, &timeout)) { |
- int delay = timeout.tv_sec * 1000 + timeout.tv_usec/1000; |
+ LOG(LS_VERBOSE) << " -- error want read"; |
+ struct timeval timeout; |
+ if (DTLSv1_get_timeout(ssl_, &timeout)) { |
+ int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000; |
- Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, |
- MSG_TIMEOUT, 0); |
- } |
+ Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, MSG_TIMEOUT, |
+ 0); |
} |
- break; |
+ } break; |
case SSL_ERROR_WANT_WRITE: |
LOG(LS_VERBOSE) << " -- error want write"; |
@@ -932,7 +939,6 @@ void OpenSSLStreamAdapter::Cleanup(uint8_t alert) { |
Thread::Current()->Clear(this, MSG_TIMEOUT); |
} |
- |
void OpenSSLStreamAdapter::OnMessage(Message* msg) { |
// Process our own messages and then pass others to the superclass |
if (MSG_TIMEOUT == msg->message_id) { |
@@ -948,9 +954,8 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() { |
SSL_CTX* ctx = nullptr; |
#ifdef OPENSSL_IS_BORINGSSL |
- ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? |
- DTLS_method() : TLS_method()); |
- // Version limiting for BoringSSL will be done below. |
+ ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method()); |
+ // Version limiting for BoringSSL will be done below. |
#else |
const SSL_METHOD* method; |
switch (ssl_max_version_) { |
@@ -1014,21 +1019,21 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() { |
return nullptr; |
#ifdef OPENSSL_IS_BORINGSSL |
- SSL_CTX_set_min_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
- DTLS1_VERSION : TLS1_VERSION); |
+ SSL_CTX_set_min_proto_version( |
+ ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION); |
switch (ssl_max_version_) { |
case SSL_PROTOCOL_TLS_10: |
- SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
- DTLS1_VERSION : TLS1_VERSION); |
+ SSL_CTX_set_max_proto_version( |
+ ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION); |
break; |
case SSL_PROTOCOL_TLS_11: |
- SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
- DTLS1_VERSION : TLS1_1_VERSION); |
+ SSL_CTX_set_max_proto_version( |
+ ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_1_VERSION); |
break; |
case SSL_PROTOCOL_TLS_12: |
default: |
- SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? |
- DTLS1_2_VERSION : TLS1_2_VERSION); |
+ SSL_CTX_set_max_proto_version( |
+ ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION); |
break; |
} |
if (g_use_time_callback_for_testing) { |
@@ -1110,15 +1115,16 @@ int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { |
// For now we ignore the parent certificates and verify the leaf against |
// the digest. |
// |
- // TODO(jiayl): Verify the chain is a proper chain and report the chain to |
- // |stream->peer_certificate_|. |
- if (depth > 0) { |
- LOG(LS_INFO) << "Ignored chained certificate at depth " << depth; |
- return 1; |
- } |
OpenSSLStreamAdapter* stream = |
reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); |
+ if (depth == 0) { |
+ // Record the peer's certificate. |
+ stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |
+ } else { |
+ STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store); |
+ stream->peer_certificate_.reset(new OpenSSLCertificate(chain)); |
+ } |
// Record the peer's certificate. |
stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |
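Review bot: The two context lines at the end of this hunk (`// Record the peer's certificate.` / `stream->peer_certificate_.reset(new OpenSSLCertificate(cert));`) still run unconditionally after the new `if (depth == 0) ... else ...` block, so the chain object built from `X509_STORE_CTX_get_chain(store)` for depth > 0 is discarded immediately and `peer_certificate_` ends up holding the single intermediate `cert` instead. Those two trailing lines are now redundant with the depth-0 branch and should be removed, leaving the new if/else as the only assignment. Separately, the removed `if (depth > 0) return 1;` early-out means whatever verification follows in this function (not visible in the hunk) now executes for intermediate certificates too, which presumably was not the case before; that deserves an explicit comment or a check that the digest comparison is only applied at depth 0. This behaviour change is buried in an otherwise pure clang-format commit, which makes it easy to overlook. SSLVerifyCallback begins before and continues after this hunk.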
@@ -1151,26 +1157,26 @@ struct cipher_list { |
// TODO(torbjorng): Perhaps add more cipher suites to these lists. |
static const cipher_list OK_RSA_ciphers[] = { |
- CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA), |
- CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA), |
- CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256), |
+ CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA), |
+ CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA), |
+ CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256), |
#ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256 |
- CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256), |
+ CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256), |
#endif |
#ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
- CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), |
+ CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), |
#endif |
}; |
static const cipher_list OK_ECDSA_ciphers[] = { |
- CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), |
- CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), |
- CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), |
+ CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), |
+ CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), |
+ CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), |
#ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256 |
- CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256), |
+ CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256), |
#endif |
#ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
- CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), |
+ CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), |
#endif |
}; |
#undef CDEF |