|     1 /* |     1 /* | 
|     2  *  Copyright 2004 The WebRTC Project Authors. All rights reserved. |     2  *  Copyright 2004 The WebRTC Project Authors. All rights reserved. | 
|     3  * |     3  * | 
|     4  *  Use of this source code is governed by a BSD-style license |     4  *  Use of this source code is governed by a BSD-style license | 
|     5  *  that can be found in the LICENSE file in the root of the source |     5  *  that can be found in the LICENSE file in the root of the source | 
|     6  *  tree. An additional intellectual property rights grant can be found |     6  *  tree. An additional intellectual property rights grant can be found | 
|     7  *  in the file PATENTS.  All contributing project authors may |     7  *  in the file PATENTS.  All contributing project authors may | 
|     8  *  be found in the AUTHORS file in the root of the source tree. |     8  *  be found in the AUTHORS file in the root of the source tree. | 
|     9  */ |     9  */ | 
|    10  |    10  | 
|    31 #include "rtc_base/openssldigest.h" |    31 #include "rtc_base/openssldigest.h" | 
|    32 #include "rtc_base/opensslidentity.h" |    32 #include "rtc_base/opensslidentity.h" | 
|    33 #include "rtc_base/safe_conversions.h" |    33 #include "rtc_base/safe_conversions.h" | 
|    34 #include "rtc_base/stream.h" |    34 #include "rtc_base/stream.h" | 
|    35 #include "rtc_base/stringutils.h" |    35 #include "rtc_base/stringutils.h" | 
|    36 #include "rtc_base/thread.h" |    36 #include "rtc_base/thread.h" | 
|    37 #include "rtc_base/timeutils.h" |    37 #include "rtc_base/timeutils.h" | 
|    38  |    38  | 
|    39 namespace { |    39 namespace { | 
|    40   bool g_use_time_callback_for_testing = false; |    40   bool g_use_time_callback_for_testing = false; | 
 |    41   const int kMaxSupportedCertChainDepth = 3; | 
|    41 } |    42 } | 
|    42  |    43  | 
|    43 namespace rtc { |    44 namespace rtc { | 
|    44  |    45  | 
|    45 #if (OPENSSL_VERSION_NUMBER < 0x10001000L) |    46 #if (OPENSSL_VERSION_NUMBER < 0x10001000L) | 
|    46 #error "webrtc requires at least OpenSSL version 1.0.1, to support DTLS-SRTP" |    47 #error "webrtc requires at least OpenSSL version 1.0.1, to support DTLS-SRTP" | 
|    47 #endif |    48 #endif | 
|    48  |    49  | 
|    49 // SRTP cipher suite table. |internal_name| is used to construct a |    50 // SRTP cipher suite table. |internal_name| is used to construct a | 
|    50 // colon-separated profile strings which is needed by |    51 // colon-separated profile strings which is needed by | 
|  1105 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { |  1106 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { | 
|  1106   // Get our SSL structure from the store |  1107   // Get our SSL structure from the store | 
|  1107   SSL* ssl = reinterpret_cast<SSL*>( |  1108   SSL* ssl = reinterpret_cast<SSL*>( | 
|  1108       X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx())); |  1109       X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx())); | 
|  1109   X509* cert = X509_STORE_CTX_get_current_cert(store); |  1110   X509* cert = X509_STORE_CTX_get_current_cert(store); | 
|  1110   int depth = X509_STORE_CTX_get_error_depth(store); |  1111   int depth = X509_STORE_CTX_get_error_depth(store); | 
|  1111  |  1112  | 
|  1112   // For now we ignore the parent certificates and verify the leaf against |  1113   // For now we ignore the parent certificates and verify the leaf against | 
|  1113   // the digest. |  1114   // the digest. | 
|  1114   // |  1115   // | 
|  1115   // TODO(jiayl): Verify the chain is a proper chain and report the chain to |  | 
|  1116   // |stream->peer_certificate_|. |  | 
|  1117   if (depth > 0) { |  | 
|  1118     LOG(LS_INFO) << "Ignored chained certificate at depth " << depth; |  | 
|  1119     return 1; |  | 
|  1120   } |  | 
|  1121  |  1116  | 
|  1122   OpenSSLStreamAdapter* stream = |  1117   OpenSSLStreamAdapter* stream = | 
|  1123       reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); |  1118       reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); | 
|  1124  |  1119  | 
|  1125   // Record the peer's certificate. |  1120   STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store); | 
|  1126   stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |  1121   if (sk_X509_num(chain) >= kMaxSupportedCertChainDepth) { | 
 |  1122     LOG(LS_INFO) << "Ignore chained certificate at depth " << depth; | 
 |  1123     return 1; | 
 |  1124   } | 
 |  1125   stream->peer_certificate_.reset(new OpenSSLCertificate(chain)); | 
|  1127  |  1126  | 
|  1128   // If the peer certificate digest isn't known yet, we'll wait to verify |  1127   // If the peer certificate digest isn't known yet, we'll wait to verify | 
|  1129   // until it's known, and for now just return a success status. |  1128   // until it's known, and for now just return a success status. | 
|  1130   if (stream->peer_certificate_digest_algorithm_.empty()) { |  1129   if (stream->peer_certificate_digest_algorithm_.empty()) { | 
|  1131     LOG(LS_INFO) << "Waiting to verify certificate until digest is known."; |  1130     LOG(LS_INFO) << "Waiting to verify certificate until digest is known."; | 
|  1132     return 1; |  1131     return 1; | 
|  1133   } |  1132   } | 
|  1134  |  1133  | 
|  1135   return stream->VerifyPeerCertificate(); |  1134   return stream->VerifyPeerCertificate(); | 
|  1136 } |  1135 } | 
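Review bot: The early return in the new chain-length check (new lines 1121-1124) accepts the peer rather than rejecting it: it hands 1 back to OpenSSL without recording `peer_certificate_` and without reaching `VerifyPeerCertificate()`, so a peer that presents `kMaxSupportedCertChainDepth` or more certificates skips the digest check in this callback entirely, and unless a later handshake step re-verifies (not visible here) that is a verification bypass; I would make it a rejection, `LOG(LS_WARNING) << "Rejecting certificate chain of " << sk_X509_num(chain) << " certs, max supported " << kMaxSupportedCertChainDepth; return 0;`. The comparison also disagrees with the constant's name, since `>=` rejects a chain of exactly 3, so either use `>` or rename the constant to state that 2 is the limit. With the old `depth > 0` early return gone, the reset and the digest verification now run once per certificate OpenSSL walks instead of once for the leaf, `cert` on line 1110 is left unused, and the comment above ("we ignore the parent certificates and verify the leaf") no longer describes the code and should be rewritten to say the whole chain is captured. `sk_X509_num()` returns -1 for a null stack, which this check would pass through to the `OpenSSLCertificate` constructor; whether that constructor tolerates a null chain is not visible here, so a `chain == nullptr` guard before the length check is worth adding.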
|  1212   } |  1211   } | 
|  1213  |  1212  | 
|  1214   return false; |  1213   return false; | 
|  1215 } |  1214 } | 
|  1216  |  1215  | 
|  1217 void OpenSSLStreamAdapter::enable_time_callback_for_testing() { |  1216 void OpenSSLStreamAdapter::enable_time_callback_for_testing() { | 
|  1218   g_use_time_callback_for_testing = true; |  1217   g_use_time_callback_for_testing = true; | 
|  1219 } |  1218 } | 
|  1220  |  1219  | 
|  1221 }  // namespace rtc |  1220 }  // namespace rtc | 