zqz/platform-external-webrtc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reland: Use CRYPTO_BUFFER APIs instead of X509 when building with BoringSSL.

Browse Source 
Using CRYPTO_BUFFERs instead of legacy X509 objects offers memory and
security gains, and will provide binary size improvements as well once
the default list of built-in certificates can be removed; the code
dealing with them still depends on the X509 API.

Implemented by splitting openssl_identity and openssl_certificate
into BoringSSL and vanilla OpenSSL implementations.

No-Try: True
Bug: webrtc:11410
Change-Id: I86ddb361b94ad85b15ebb8743490de83632ca53f
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/196941
Commit-Queue: Mirko Bonadei <mbonadei@webrtc.org>
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Reviewed-by: Mirko Bonadei <mbonadei@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#32818}
This commit is contained in:
Taylor Brandstetter
2020-12-10 16:23:03 -08:00
committed by Commit Bot
parent c1ad1ff178
commit 165c618bb9
24 changed files with 1620 additions and 279 deletions
Download Patch File Download Diff File Expand all files Collapse all files

171
rtc_base/openssl_identity.cc
View File

@ -20,10 +20,8 @@
#endif // WEBRTC_WIN
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <stdint.h>
#include "absl/memory/memory.h"
@ -35,160 +33,6 @@
namespace rtc {
// We could have exposed a myriad of parameters for the crypto stuff,
// but keeping it simple seems best.
// Generate a key pair. Caller is responsible for freeing the returned object.
static EVP_PKEY* MakeKey(const KeyParams& key_params) {
RTC_LOG(LS_INFO) << "Making key pair";
EVP_PKEY* pkey = EVP_PKEY_new();
if (key_params.type() == KT_RSA) {
int key_length = key_params.rsa_params().mod_size;
BIGNUM* exponent = BN_new();
RSA* rsa = RSA_new();
if (!pkey || !exponent || !rsa ||
!BN_set_word(exponent, key_params.rsa_params().pub_exp) ||
!RSA_generate_key_ex(rsa, key_length, exponent, nullptr) ||
!EVP_PKEY_assign_RSA(pkey, rsa)) {
EVP_PKEY_free(pkey);
BN_free(exponent);
RSA_free(rsa);
RTC_LOG(LS_ERROR) << "Failed to make RSA key pair";
return nullptr;
}
// ownership of rsa struct was assigned, don't free it.
BN_free(exponent);
} else if (key_params.type() == KT_ECDSA) {
if (key_params.ec_curve() == EC_NIST_P256) {
EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
// Ensure curve name is included when EC key is serialized.
// Without this call, OpenSSL versions before 1.1.0 will create
// certificates that don't work for TLS.
// This is a no-op for BoringSSL and OpenSSL 1.1.0+
EC_KEY_set_asn1_flag(ec_key, OPENSSL_EC_NAMED_CURVE);
if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) ||
!EVP_PKEY_assign_EC_KEY(pkey, ec_key)) {
EVP_PKEY_free(pkey);
EC_KEY_free(ec_key);
RTC_LOG(LS_ERROR) << "Failed to make EC key pair";
return nullptr;
}
// ownership of ec_key struct was assigned, don't free it.
} else {
// Add generation of any other curves here.
EVP_PKEY_free(pkey);
RTC_LOG(LS_ERROR) << "ECDSA key requested for unknown curve";
return nullptr;
}
} else {
EVP_PKEY_free(pkey);
RTC_LOG(LS_ERROR) << "Key type requested not understood";
return nullptr;
}
RTC_LOG(LS_INFO) << "Returning key pair";
return pkey;
}
OpenSSLKeyPair* OpenSSLKeyPair::Generate(const KeyParams& key_params) {
EVP_PKEY* pkey = MakeKey(key_params);
if (!pkey) {
openssl::LogSSLErrors("Generating key pair");
return nullptr;
}
return new OpenSSLKeyPair(pkey);
}
OpenSSLKeyPair* OpenSSLKeyPair::FromPrivateKeyPEMString(
const std::string& pem_string) {
BIO* bio = BIO_new_mem_buf(const_cast<char*>(pem_string.c_str()), -1);
if (!bio) {
RTC_LOG(LS_ERROR) << "Failed to create a new BIO buffer.";
return nullptr;
}
BIO_set_mem_eof_return(bio, 0);
EVP_PKEY* pkey =
PEM_read_bio_PrivateKey(bio, nullptr, nullptr, const_cast<char*>("\0"));
BIO_free(bio); // Frees the BIO, but not the pointed-to string.
if (!pkey) {
RTC_LOG(LS_ERROR) << "Failed to create the private key from PEM string.";
return nullptr;
}
if (EVP_PKEY_missing_parameters(pkey) != 0) {
RTC_LOG(LS_ERROR)
<< "The resulting key pair is missing public key parameters.";
EVP_PKEY_free(pkey);
return nullptr;
}
return new OpenSSLKeyPair(pkey);
}
OpenSSLKeyPair::~OpenSSLKeyPair() {
EVP_PKEY_free(pkey_);
}
OpenSSLKeyPair* OpenSSLKeyPair::GetReference() {
AddReference();
return new OpenSSLKeyPair(pkey_);
}
void OpenSSLKeyPair::AddReference() {
EVP_PKEY_up_ref(pkey_);
}
std::string OpenSSLKeyPair::PrivateKeyToPEMString() const {
BIO* temp_memory_bio = BIO_new(BIO_s_mem());
if (!temp_memory_bio) {
RTC_LOG_F(LS_ERROR) << "Failed to allocate temporary memory bio";
RTC_NOTREACHED();
return "";
}
if (!PEM_write_bio_PrivateKey(temp_memory_bio, pkey_, nullptr, nullptr, 0,
nullptr, nullptr)) {
RTC_LOG_F(LS_ERROR) << "Failed to write private key";
BIO_free(temp_memory_bio);
RTC_NOTREACHED();
return "";
}
BIO_write(temp_memory_bio, "\0", 1);
char* buffer;
BIO_get_mem_data(temp_memory_bio, &buffer);
std::string priv_key_str = buffer;
BIO_free(temp_memory_bio);
return priv_key_str;
}
std::string OpenSSLKeyPair::PublicKeyToPEMString() const {
BIO* temp_memory_bio = BIO_new(BIO_s_mem());
if (!temp_memory_bio) {
RTC_LOG_F(LS_ERROR) << "Failed to allocate temporary memory bio";
RTC_NOTREACHED();
return "";
}
if (!PEM_write_bio_PUBKEY(temp_memory_bio, pkey_)) {
RTC_LOG_F(LS_ERROR) << "Failed to write public key";
BIO_free(temp_memory_bio);
RTC_NOTREACHED();
return "";
}
BIO_write(temp_memory_bio, "\0", 1);
char* buffer;
BIO_get_mem_data(temp_memory_bio, &buffer);
std::string pub_key_str = buffer;
BIO_free(temp_memory_bio);
return pub_key_str;
}
bool OpenSSLKeyPair::operator==(const OpenSSLKeyPair& other) const {
return EVP_PKEY_cmp(this->pkey_, other.pkey_) == 1;
}
bool OpenSSLKeyPair::operator!=(const OpenSSLKeyPair& other) const {
return !(*this == other);
}
OpenSSLIdentity::OpenSSLIdentity(
std::unique_ptr<OpenSSLKeyPair> key_pair,
std::unique_ptr<OpenSSLCertificate> certificate)
@ -211,8 +55,7 @@ OpenSSLIdentity::~OpenSSLIdentity() = default;
std::unique_ptr<OpenSSLIdentity> OpenSSLIdentity::CreateInternal(
const SSLIdentityParams& params) {
std::unique_ptr<OpenSSLKeyPair> key_pair(
OpenSSLKeyPair::Generate(params.key_params));
auto key_pair = OpenSSLKeyPair::Generate(params.key_params);
if (key_pair) {
std::unique_ptr<OpenSSLCertificate> certificate(
OpenSSLCertificate::Generate(key_pair.get(), params));
@ -221,7 +64,7 @@ std::unique_ptr<OpenSSLIdentity> OpenSSLIdentity::CreateInternal(
new OpenSSLIdentity(std::move(key_pair), std::move(certificate)));
}
}
RTC_LOG(LS_INFO) << "Identity generation failed";
RTC_LOG(LS_ERROR) << "Identity generation failed";
return nullptr;
}
@ -256,8 +99,7 @@ std::unique_ptr<SSLIdentity> OpenSSLIdentity::CreateFromPEMStrings(
return nullptr;
}
std::unique_ptr<OpenSSLKeyPair> key_pair(
OpenSSLKeyPair::FromPrivateKeyPEMString(private_key));
auto key_pair = OpenSSLKeyPair::FromPrivateKeyPEMString(private_key);
if (!key_pair) {
RTC_LOG(LS_ERROR) << "Failed to create key pair from PEM string.";
return nullptr;
@ -298,8 +140,7 @@ std::unique_ptr<SSLIdentity> OpenSSLIdentity::CreateFromPEMChainStrings(
return nullptr;
}
std::unique_ptr<OpenSSLKeyPair> key_pair(
OpenSSLKeyPair::FromPrivateKeyPEMString(private_key));
auto key_pair = OpenSSLKeyPair::FromPrivateKeyPEMString(private_key);
if (!key_pair) {
RTC_LOG(LS_ERROR) << "Failed to create key pair from PEM string.";
return nullptr;
@ -320,8 +161,8 @@ const SSLCertChain& OpenSSLIdentity::cert_chain() const {
std::unique_ptr<SSLIdentity> OpenSSLIdentity::CloneInternal() const {
// We cannot use std::make_unique here because the referenced OpenSSLIdentity
// constructor is private.
return absl::WrapUnique(new OpenSSLIdentity(
absl::WrapUnique(key_pair_->GetReference()), cert_chain_->Clone()));
return absl::WrapUnique(
new OpenSSLIdentity(key_pair_->Clone(), cert_chain_->Clone()));
}
bool OpenSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) {