OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
(...skipping 15 matching lines...) Expand all Loading... | |
26 #include <vector> | 26 #include <vector> |
27 | 27 |
28 #include "webrtc/base/common.h" | 28 #include "webrtc/base/common.h" |
29 #include "webrtc/base/logging.h" | 29 #include "webrtc/base/logging.h" |
30 #include "webrtc/base/safe_conversions.h" | 30 #include "webrtc/base/safe_conversions.h" |
31 #include "webrtc/base/stream.h" | 31 #include "webrtc/base/stream.h" |
32 #include "webrtc/base/openssl.h" | 32 #include "webrtc/base/openssl.h" |
33 #include "webrtc/base/openssladapter.h" | 33 #include "webrtc/base/openssladapter.h" |
34 #include "webrtc/base/openssldigest.h" | 34 #include "webrtc/base/openssldigest.h" |
35 #include "webrtc/base/opensslidentity.h" | 35 #include "webrtc/base/opensslidentity.h" |
36 #include "webrtc/base/sslstrings.h" | |
36 #include "webrtc/base/stringutils.h" | 37 #include "webrtc/base/stringutils.h" |
37 #include "webrtc/base/thread.h" | 38 #include "webrtc/base/thread.h" |
38 | 39 |
39 namespace rtc { | 40 namespace rtc { |
40 | 41 |
41 #if (OPENSSL_VERSION_NUMBER >= 0x10001000L) | 42 #if (OPENSSL_VERSION_NUMBER >= 0x10001000L) |
42 #define HAVE_DTLS_SRTP | 43 #define HAVE_DTLS_SRTP |
43 #endif | 44 #endif |
44 | 45 |
45 #ifdef HAVE_DTLS_SRTP | 46 #ifdef HAVE_DTLS_SRTP |
46 // SRTP cipher suite table | 47 // SRTP cipher suite table |
47 struct SrtpCipherMapEntry { | 48 struct SrtpCipherMapEntry { |
48 const char* external_name; | 49 const char* external_name; |
49 const char* internal_name; | 50 const char* internal_name; |
50 }; | 51 }; |
51 | 52 |
52 // This isn't elegant, but it's better than an external reference | 53 // This isn't elegant, but it's better than an external reference |
53 static SrtpCipherMapEntry SrtpCipherMap[] = { | 54 static SrtpCipherMapEntry SrtpCipherMap[] = { |
54 {"AES_CM_128_HMAC_SHA1_80", "SRTP_AES128_CM_SHA1_80"}, | 55 {AES_CM_128_HMAC_SHA1_80_NAME, "SRTP_AES128_CM_SHA1_80"}, |
55 {"AES_CM_128_HMAC_SHA1_32", "SRTP_AES128_CM_SHA1_32"}, | 56 {AES_CM_128_HMAC_SHA1_32_NAME, "SRTP_AES128_CM_SHA1_32"}, |
56 {NULL, NULL} | 57 {NULL, NULL}}; |
57 }; | |
58 #endif | 58 #endif |
59 | 59 |
60 #ifndef OPENSSL_IS_BORINGSSL | 60 #ifndef OPENSSL_IS_BORINGSSL |
61 | |
61 // Cipher name table. Maps internal OpenSSL cipher ids to the RFC name. | 62 // Cipher name table. Maps internal OpenSSL cipher ids to the RFC name. |
62 struct SslCipherMapEntry { | 63 struct SslCipherMapEntry { |
63 uint32_t openssl_id; | 64 uint32_t openssl_id; |
64 const char* rfc_name; | 65 const char* rfc_name; |
65 }; | 66 }; |
66 | 67 |
67 #define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name} | 68 #define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name} |
68 #define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name} | 69 #define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name} |
69 | 70 |
70 // There currently is no method available to get a RFC-compliant name for a | 71 // There currently is no method available to get a RFC-compliant name for a |
(...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
132 // ECDH GCM based ciphersuites from RFC5289. | 133 // ECDH GCM based ciphersuites from RFC5289. |
133 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), | 134 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), |
134 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), | 135 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), |
135 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256), | 136 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256), |
136 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384), | 137 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384), |
137 | 138 |
138 {0, NULL} | 139 {0, NULL} |
139 }; | 140 }; |
140 #endif // #ifndef OPENSSL_IS_BORINGSSL | 141 #endif // #ifndef OPENSSL_IS_BORINGSSL |
141 | 142 |
143 #if SSL_USE_SCHANNEL | |
144 // This is only added to allow GetDefaultSslCipherForTest compile on Windows | |
145 // platform. Should never be used. | |
146 static const SslCipher kNullSslCipher = {0, ""}; | |
juberti
2015/09/24 21:37:32
Null cipher is a thing, and so this is confusing.
guoweis_webrtc
2015/09/25 18:30:32
Done.
| |
147 #endif | |
148 | |
142 // Default cipher used between OpenSSL/BoringSSL stream adapters. | 149 // Default cipher used between OpenSSL/BoringSSL stream adapters. |
143 // This needs to be updated when the default of the SSL library changes. | 150 // This needs to be updated when the default of the SSL library changes. |
144 static const char kDefaultSslCipher10[] = | 151 static const SslCipher kDefaultSslCipher10 = { |
Ryan Sleevi
2015/09/24 21:09:58
Each of these is a static initializer, which is fo
guoweis_webrtc
2015/09/25 18:30:32
Done.
| |
145 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; | 152 0xC014, |
146 static const char kDefaultSslEcCipher10[] = | 153 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}; |
147 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; | 154 static const SslCipher kDefaultSslEcCipher10 = { |
155 0xC00A, | |
156 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"}; | |
148 | 157 |
149 #ifdef OPENSSL_IS_BORINGSSL | 158 #ifdef OPENSSL_IS_BORINGSSL |
150 static const char kDefaultSslCipher12[] = | 159 static const SslCipher kDefaultSslCipher12 = { |
151 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; | 160 0xC02F, |
152 static const char kDefaultSslEcCipher12[] = | 161 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}; |
153 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; | 162 static const SslCipher kDefaultSslEcCipher12 = { |
163 0xC02B, | |
164 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}; | |
154 // Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable. | 165 // Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable. |
155 static const char kDefaultSslCipher12NoAesGcm[] = | 166 static const SslCipher kDefaultSslCipher12NoAesGcm = { |
156 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; | 167 0xCC13, |
157 static const char kDefaultSslEcCipher12NoAesGcm[] = | 168 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"}; |
158 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"; | 169 static const SslCipher kDefaultSslEcCipher12NoAesGcm = { |
170 0xCC14, | |
171 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}; | |
159 #else // !OPENSSL_IS_BORINGSSL | 172 #else // !OPENSSL_IS_BORINGSSL |
160 // OpenSSL sorts differently than BoringSSL, so the default cipher doesn't | 173 // OpenSSL sorts differently than BoringSSL, so the default cipher doesn't |
161 // change between TLS 1.0 and TLS 1.2 with the current setup. | 174 // change between TLS 1.0 and TLS 1.2 with the current setup. |
162 static const char kDefaultSslCipher12[] = | 175 static const SslCipher kDefaultSslCipher12 = { |
163 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; | 176 0xC014, |
164 static const char kDefaultSslEcCipher12[] = | 177 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}; |
165 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; | 178 static const SslCipher kDefaultSslEcCipher12 = { |
179 0xC00A, | |
180 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"}; | |
166 #endif | 181 #endif |
167 | 182 |
168 ////////////////////////////////////////////////////////////////////// | 183 ////////////////////////////////////////////////////////////////////// |
169 // StreamBIO | 184 // StreamBIO |
170 ////////////////////////////////////////////////////////////////////// | 185 ////////////////////////////////////////////////////////////////////// |
171 | 186 |
172 static int stream_write(BIO* h, const char* buf, int num); | 187 static int stream_write(BIO* h, const char* buf, int num); |
173 static int stream_read(BIO* h, char* buf, int size); | 188 static int stream_read(BIO* h, char* buf, int size); |
174 static int stream_puts(BIO* h, const char* str); | 189 static int stream_puts(BIO* h, const char* str); |
175 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2); | 190 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2); |
(...skipping 169 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
345 for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name; | 360 for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name; |
346 ++entry) { | 361 ++entry) { |
347 if (cipher->id == entry->openssl_id) { | 362 if (cipher->id == entry->openssl_id) { |
348 return entry->rfc_name; | 363 return entry->rfc_name; |
349 } | 364 } |
350 } | 365 } |
351 return NULL; | 366 return NULL; |
352 } | 367 } |
353 #endif | 368 #endif |
354 | 369 |
355 bool OpenSSLStreamAdapter::GetSslCipher(std::string* cipher) { | 370 bool OpenSSLStreamAdapter::GetSslCipher(SslCipher* cipher) { |
356 if (state_ != SSL_CONNECTED) | 371 if (state_ != SSL_CONNECTED) |
357 return false; | 372 return false; |
358 | 373 |
359 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_); | 374 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_); |
360 if (current_cipher == NULL) { | 375 if (current_cipher == NULL) { |
361 return false; | 376 return false; |
362 } | 377 } |
363 | 378 |
379 cipher->ssl_id = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher)); | |
380 | |
364 #ifdef OPENSSL_IS_BORINGSSL | 381 #ifdef OPENSSL_IS_BORINGSSL |
365 char* cipher_name = SSL_CIPHER_get_rfc_name(current_cipher); | 382 char* cipher_name = SSL_CIPHER_get_rfc_name(current_cipher); |
366 #else | 383 #else |
367 const char* cipher_name = GetRfcSslCipherName(current_cipher); | 384 const char* cipher_name = GetRfcSslCipherName(current_cipher); |
368 #endif | 385 #endif |
369 if (cipher_name == NULL) { | 386 if (cipher_name == NULL) { |
370 return false; | 387 return false; |
371 } | 388 } |
372 | 389 |
373 *cipher = cipher_name; | 390 cipher->name = cipher_name; |
374 #ifdef OPENSSL_IS_BORINGSSL | 391 #ifdef OPENSSL_IS_BORINGSSL |
375 OPENSSL_free(cipher_name); | 392 OPENSSL_free(cipher_name); |
376 #endif | 393 #endif |
377 return true; | 394 return true; |
378 } | 395 } |
379 | 396 |
380 // Key Extractor interface | 397 // Key Extractor interface |
381 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label, | 398 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label, |
382 const uint8* context, | 399 const uint8* context, |
383 size_t context_len, | 400 size_t context_len, |
(...skipping 734 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1118 } | 1135 } |
1119 | 1136 |
1120 bool OpenSSLStreamAdapter::HaveExporter() { | 1137 bool OpenSSLStreamAdapter::HaveExporter() { |
1121 #ifdef HAVE_DTLS_SRTP | 1138 #ifdef HAVE_DTLS_SRTP |
1122 return true; | 1139 return true; |
1123 #else | 1140 #else |
1124 return false; | 1141 return false; |
1125 #endif | 1142 #endif |
1126 } | 1143 } |
1127 | 1144 |
1128 std::string OpenSSLStreamAdapter::GetDefaultSslCipher( | 1145 const SslCipher& OpenSSLStreamAdapter::GetDefaultSslCipherForTest( |
1129 SSLProtocolVersion version, | 1146 SSLProtocolVersion version, |
1130 KeyType key_type) { | 1147 KeyType key_type) { |
1131 if (key_type == KT_RSA) { | 1148 if (key_type == KT_RSA) { |
1132 switch (version) { | 1149 switch (version) { |
1133 case SSL_PROTOCOL_TLS_10: | 1150 case SSL_PROTOCOL_TLS_10: |
1134 case SSL_PROTOCOL_TLS_11: | 1151 case SSL_PROTOCOL_TLS_11: |
1135 return kDefaultSslCipher10; | 1152 return kDefaultSslCipher10; |
1136 case SSL_PROTOCOL_TLS_12: | 1153 case SSL_PROTOCOL_TLS_12: |
1137 default: | 1154 default: |
1138 #ifdef OPENSSL_IS_BORINGSSL | 1155 #ifdef OPENSSL_IS_BORINGSSL |
(...skipping 17 matching lines...) Expand all Loading... | |
1156 if (EVP_has_aes_hardware()) { | 1173 if (EVP_has_aes_hardware()) { |
1157 return kDefaultSslEcCipher12; | 1174 return kDefaultSslEcCipher12; |
1158 } else { | 1175 } else { |
1159 return kDefaultSslEcCipher12NoAesGcm; | 1176 return kDefaultSslEcCipher12NoAesGcm; |
1160 } | 1177 } |
1161 #else // !OPENSSL_IS_BORINGSSL | 1178 #else // !OPENSSL_IS_BORINGSSL |
1162 return kDefaultSslEcCipher12; | 1179 return kDefaultSslEcCipher12; |
1163 #endif | 1180 #endif |
1164 } | 1181 } |
1165 } else { | 1182 } else { |
1166 return std::string(); | 1183 RTC_NOTREACHED(); |
1184 return kDefaultSslEcCipher12; | |
1167 } | 1185 } |
1168 } | 1186 } |
1169 | 1187 |
1170 } // namespace rtc | 1188 } // namespace rtc |
1171 | 1189 |
1172 #endif // HAVE_OPENSSL_SSL_H | 1190 #endif // HAVE_OPENSSL_SSL_H |
OLD | NEW |