| Index: webrtc/rtc_base/opensslstreamadapter.cc
|
| diff --git a/webrtc/rtc_base/opensslstreamadapter.cc b/webrtc/rtc_base/opensslstreamadapter.cc
|
| index 1c0b57894acd8de29a0bb5d9565ae079168053f6..fea692fef06915119c3c0dd22524a17ab9a0bb5a 100644
|
| --- a/webrtc/rtc_base/opensslstreamadapter.cc
|
| +++ b/webrtc/rtc_base/opensslstreamadapter.cc
|
| @@ -37,7 +37,7 @@
|
| #include "webrtc/rtc_base/timeutils.h"
|
|
|
| namespace {
|
| - bool g_use_time_callback_for_testing = false;
|
| +bool g_use_time_callback_for_testing = false;
|
| }
|
|
|
| namespace rtc {
|
| @@ -77,8 +77,10 @@ struct SslCipherMapEntry {
|
| const char* rfc_name;
|
| };
|
|
|
| -#define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name}
|
| -#define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name}
|
| +#define DEFINE_CIPHER_ENTRY_SSL3(name) \
|
| + { SSL3_CK_##name, "TLS_" #name }
|
| +#define DEFINE_CIPHER_ENTRY_TLS1(name) \
|
| + { TLS1_CK_##name, "TLS_" #name }
|
|
|
| // There currently is no method available to get a RFC-compliant name for a
|
| // cipher suite from BoringSSL, so we need to define the mapping manually here.
|
| @@ -171,7 +173,9 @@ static BIO_METHOD methods_stream = {
|
| stream_ctrl, stream_new, stream_free, nullptr,
|
| };
|
|
|
| -static BIO_METHOD* BIO_s_stream() { return(&methods_stream); }
|
| +static BIO_METHOD* BIO_s_stream() {
|
| + return (&methods_stream);
|
| +}
|
|
|
| static BIO* BIO_new_stream(StreamInterface* stream) {
|
| BIO* ret = BIO_new(BIO_s_stream());
|
| @@ -459,7 +463,7 @@ bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) {
|
| if (state_ != SSL_CONNECTED)
|
| return false;
|
|
|
| - const SRTP_PROTECTION_PROFILE *srtp_profile =
|
| + const SRTP_PROTECTION_PROFILE* srtp_profile =
|
| SSL_get_selected_srtp_profile(ssl_);
|
|
|
| if (!srtp_profile)
|
| @@ -504,8 +508,7 @@ void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) {
|
| ssl_max_version_ = version;
|
| }
|
|
|
| -void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout(
|
| - int timeout_ms) {
|
| +void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout(int timeout_ms) {
|
| RTC_DCHECK(ssl_ctx_ == nullptr);
|
| dtls_handshake_timeout_ms_ = timeout_ms;
|
| }
|
| @@ -514,31 +517,33 @@ void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout(
|
| // StreamInterface Implementation
|
| //
|
|
|
| -StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len,
|
| - size_t* written, int* error) {
|
| +StreamResult OpenSSLStreamAdapter::Write(const void* data,
|
| + size_t data_len,
|
| + size_t* written,
|
| + int* error) {
|
| LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")";
|
|
|
| switch (state_) {
|
| - case SSL_NONE:
|
| - // pass-through in clear text
|
| - return StreamAdapterInterface::Write(data, data_len, written, error);
|
| -
|
| - case SSL_WAIT:
|
| - case SSL_CONNECTING:
|
| - return SR_BLOCK;
|
| + case SSL_NONE:
|
| + // pass-through in clear text
|
| + return StreamAdapterInterface::Write(data, data_len, written, error);
|
|
|
| - case SSL_CONNECTED:
|
| - if (waiting_to_verify_peer_certificate()) {
|
| + case SSL_WAIT:
|
| + case SSL_CONNECTING:
|
| return SR_BLOCK;
|
| - }
|
| - break;
|
| -
|
| - case SSL_ERROR:
|
| - case SSL_CLOSED:
|
| - default:
|
| - if (error)
|
| - *error = ssl_error_code_;
|
| - return SR_ERROR;
|
| +
|
| + case SSL_CONNECTED:
|
| + if (waiting_to_verify_peer_certificate()) {
|
| + return SR_BLOCK;
|
| + }
|
| + break;
|
| +
|
| + case SSL_ERROR:
|
| + case SSL_CLOSED:
|
| + default:
|
| + if (error)
|
| + *error = ssl_error_code_;
|
| + return SR_ERROR;
|
| }
|
|
|
| // OpenSSL will return an error if we try to write zero bytes
|
| @@ -553,32 +558,34 @@ StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len,
|
| int code = SSL_write(ssl_, data, checked_cast<int>(data_len));
|
| int ssl_error = SSL_get_error(ssl_, code);
|
| switch (ssl_error) {
|
| - case SSL_ERROR_NONE:
|
| - LOG(LS_VERBOSE) << " -- success";
|
| - RTC_DCHECK(0 < code && static_cast<unsigned>(code) <= data_len);
|
| - if (written)
|
| - *written = code;
|
| - return SR_SUCCESS;
|
| - case SSL_ERROR_WANT_READ:
|
| - LOG(LS_VERBOSE) << " -- error want read";
|
| - ssl_write_needs_read_ = true;
|
| - return SR_BLOCK;
|
| - case SSL_ERROR_WANT_WRITE:
|
| - LOG(LS_VERBOSE) << " -- error want write";
|
| - return SR_BLOCK;
|
| -
|
| - case SSL_ERROR_ZERO_RETURN:
|
| - default:
|
| - Error("SSL_write", (ssl_error ? ssl_error : -1), 0, false);
|
| - if (error)
|
| - *error = ssl_error_code_;
|
| - return SR_ERROR;
|
| + case SSL_ERROR_NONE:
|
| + LOG(LS_VERBOSE) << " -- success";
|
| + RTC_DCHECK(0 < code && static_cast<unsigned>(code) <= data_len);
|
| + if (written)
|
| + *written = code;
|
| + return SR_SUCCESS;
|
| + case SSL_ERROR_WANT_READ:
|
| + LOG(LS_VERBOSE) << " -- error want read";
|
| + ssl_write_needs_read_ = true;
|
| + return SR_BLOCK;
|
| + case SSL_ERROR_WANT_WRITE:
|
| + LOG(LS_VERBOSE) << " -- error want write";
|
| + return SR_BLOCK;
|
| +
|
| + case SSL_ERROR_ZERO_RETURN:
|
| + default:
|
| + Error("SSL_write", (ssl_error ? ssl_error : -1), 0, false);
|
| + if (error)
|
| + *error = ssl_error_code_;
|
| + return SR_ERROR;
|
| }
|
| // not reached
|
| }
|
|
|
| -StreamResult OpenSSLStreamAdapter::Read(void* data, size_t data_len,
|
| - size_t* read, int* error) {
|
| +StreamResult OpenSSLStreamAdapter::Read(void* data,
|
| + size_t data_len,
|
| + size_t* read,
|
| + int* error) {
|
| LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data_len << ")";
|
| switch (state_) {
|
| case SSL_NONE:
|
| @@ -705,7 +712,8 @@ StreamState OpenSSLStreamAdapter::GetState() const {
|
| // not reached
|
| }
|
|
|
| -void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, int events,
|
| +void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream,
|
| + int events,
|
| int err) {
|
| int events_to_signal = 0;
|
| int signal_error = 0;
|
| @@ -723,12 +731,12 @@ void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, int events,
|
| }
|
| }
|
| }
|
| - if ((events & (SE_READ|SE_WRITE))) {
|
| + if ((events & (SE_READ | SE_WRITE))) {
|
| LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent"
|
| - << ((events & SE_READ) ? " SE_READ" : "")
|
| - << ((events & SE_WRITE) ? " SE_WRITE" : "");
|
| + << ((events & SE_READ) ? " SE_READ" : "")
|
| + << ((events & SE_WRITE) ? " SE_WRITE" : "");
|
| if (state_ == SSL_NONE) {
|
| - events_to_signal |= events & (SE_READ|SE_WRITE);
|
| + events_to_signal |= events & (SE_READ | SE_WRITE);
|
| } else if (state_ == SSL_CONNECTING) {
|
| if (int err = ContinueSSL()) {
|
| Error("ContinueSSL", err, 0, true);
|
| @@ -796,7 +804,7 @@ int OpenSSLStreamAdapter::BeginSSL() {
|
| }
|
|
|
| SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
|
| - SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
| + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
|
|
| #if !defined(OPENSSL_IS_BORINGSSL)
|
| // Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot
|
| @@ -847,16 +855,15 @@ int OpenSSLStreamAdapter::ContinueSSL() {
|
| break;
|
|
|
| case SSL_ERROR_WANT_READ: {
|
| - LOG(LS_VERBOSE) << " -- error want read";
|
| - struct timeval timeout;
|
| - if (DTLSv1_get_timeout(ssl_, &timeout)) {
|
| - int delay = timeout.tv_sec * 1000 + timeout.tv_usec/1000;
|
| + LOG(LS_VERBOSE) << " -- error want read";
|
| + struct timeval timeout;
|
| + if (DTLSv1_get_timeout(ssl_, &timeout)) {
|
| + int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
|
|
|
| - Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this,
|
| - MSG_TIMEOUT, 0);
|
| - }
|
| + Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, MSG_TIMEOUT,
|
| + 0);
|
| }
|
| - break;
|
| + } break;
|
|
|
| case SSL_ERROR_WANT_WRITE:
|
| LOG(LS_VERBOSE) << " -- error want write";
|
| @@ -932,7 +939,6 @@ void OpenSSLStreamAdapter::Cleanup(uint8_t alert) {
|
| Thread::Current()->Clear(this, MSG_TIMEOUT);
|
| }
|
|
|
| -
|
| void OpenSSLStreamAdapter::OnMessage(Message* msg) {
|
| // Process our own messages and then pass others to the superclass
|
| if (MSG_TIMEOUT == msg->message_id) {
|
| @@ -948,9 +954,8 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
|
| SSL_CTX* ctx = nullptr;
|
|
|
| #ifdef OPENSSL_IS_BORINGSSL
|
| - ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ?
|
| - DTLS_method() : TLS_method());
|
| - // Version limiting for BoringSSL will be done below.
|
| + ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
|
| + // Version limiting for BoringSSL will be done below.
|
| #else
|
| const SSL_METHOD* method;
|
| switch (ssl_max_version_) {
|
| @@ -1014,21 +1019,21 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
|
| return nullptr;
|
|
|
| #ifdef OPENSSL_IS_BORINGSSL
|
| - SSL_CTX_set_min_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
|
| - DTLS1_VERSION : TLS1_VERSION);
|
| + SSL_CTX_set_min_proto_version(
|
| + ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
|
| switch (ssl_max_version_) {
|
| case SSL_PROTOCOL_TLS_10:
|
| - SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
|
| - DTLS1_VERSION : TLS1_VERSION);
|
| + SSL_CTX_set_max_proto_version(
|
| + ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
|
| break;
|
| case SSL_PROTOCOL_TLS_11:
|
| - SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
|
| - DTLS1_VERSION : TLS1_1_VERSION);
|
| + SSL_CTX_set_max_proto_version(
|
| + ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_1_VERSION);
|
| break;
|
| case SSL_PROTOCOL_TLS_12:
|
| default:
|
| - SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
|
| - DTLS1_2_VERSION : TLS1_2_VERSION);
|
| + SSL_CTX_set_max_proto_version(
|
| + ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
|
| break;
|
| }
|
| if (g_use_time_callback_for_testing) {
|
| @@ -1110,15 +1115,16 @@ int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
|
| // For now we ignore the parent certificates and verify the leaf against
|
| // the digest.
|
| //
|
| - // TODO(jiayl): Verify the chain is a proper chain and report the chain to
|
| - // |stream->peer_certificate_|.
|
| - if (depth > 0) {
|
| - LOG(LS_INFO) << "Ignored chained certificate at depth " << depth;
|
| - return 1;
|
| - }
|
|
|
| OpenSSLStreamAdapter* stream =
|
| reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
|
| + if (depth == 0) {
|
| + // Record the peer's certificate.
|
| + stream->peer_certificate_.reset(new OpenSSLCertificate(cert));
|
| + } else {
|
| + STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store);
|
| + stream->peer_certificate_.reset(new OpenSSLCertificate(chain));
|
| + }
|
|
|
| // Record the peer's certificate.
|
| stream->peer_certificate_.reset(new OpenSSLCertificate(cert));
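Review bot: The new depth-dependent assignment to `stream->peer_certificate_` is immediately clobbered, because the unconditional `stream->peer_certificate_.reset(new OpenSSLCertificate(cert));` and its `// Record the peer's certificate.` comment are left in place as context right after the `else` block, so the chain taken from `X509_STORE_CTX_get_chain(store)` never survives past that line on any call. Those two trailing lines should be deleted now that the `depth == 0` branch records the leaf itself. Separately, removing the `if (depth > 0) { … return 1; }` early exit means certificates above the leaf now fall through to the remainder of the callback, which the surrounding comment says verifies the leaf against the expected digest; if that comparison still runs on `cert` at depth > 0 it would presumably fail for an intermediate, so the depth > 0 path needs an explicit accept (or the digest check must be restricted to depth 0), plus a comment such as `// The chain is recorded here but not validated; only the leaf is checked against the expected digest.` SSLVerifyCallback starts before and continues after this hunk, so the digest check itself is not visible here.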
|
| @@ -1151,26 +1157,26 @@ struct cipher_list {
|
|
|
| // TODO(torbjorng): Perhaps add more cipher suites to these lists.
|
| static const cipher_list OK_RSA_ciphers[] = {
|
| - CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA),
|
| - CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA),
|
| - CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
|
| + CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA),
|
| + CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA),
|
| + CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
|
| #ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256
|
| - CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256),
|
| + CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256),
|
| #endif
|
| #ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
| - CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
|
| + CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
|
| #endif
|
| };
|
|
|
| static const cipher_list OK_ECDSA_ciphers[] = {
|
| - CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
|
| - CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
|
| - CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
|
| + CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
|
| + CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
|
| + CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
|
| #ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
|
| - CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256),
|
| + CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256),
|
| #endif
|
| #ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
| - CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
|
| + CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
|
| #endif
|
| };
|
| #undef CDEF
|
|
|