Reland: Use CRYPTO_BUFFER APIs instead of X509 when building with BoringSSL.

Using CRYPTO_BUFFERs instead of legacy X509 objects offers memory and security gains, and will provide binary size improvements as well once the default list of built-in certificates can be removed; the code dealing with them still depends on the X509 API. Implemented by splitting openssl_identity and openssl_certificate into BoringSSL and vanilla OpenSSL implementations. No-Try: True Bug: webrtc:11410 Change-Id: I86ddb361b94ad85b15ebb8743490de83632ca53f Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/196941 Commit-Queue: Mirko Bonadei <mbonadei@webrtc.org> Reviewed-by: Harald Alvestrand <hta@webrtc.org> Reviewed-by: Mirko Bonadei <mbonadei@webrtc.org> Cr-Commit-Position: refs/heads/master@{#32818}
2020-12-10 16:23:03 -08:00
parent c1ad1ff178
commit 165c618bb9
24 changed files with 1620 additions and 279 deletions
--- a/rtc_base/openssl_session_cache_unittest.cc
+++ b/rtc_base/openssl_session_cache_unittest.cc
@ -19,10 +19,28 @@
 #include "rtc_base/gunit.h"
 #include "rtc_base/openssl.h"

+namespace {
+// Use methods that avoid X509 objects if possible.
+SSL_CTX* NewDtlsContext() {
+#ifdef OPENSSL_IS_BORINGSSL
+  return SSL_CTX_new(DTLS_with_buffers_method());
+#else
+  return SSL_CTX_new(DTLS_method());
+#endif
+}
+SSL_CTX* NewTlsContext() {
+#ifdef OPENSSL_IS_BORINGSSL
+  return SSL_CTX_new(TLS_with_buffers_method());
+#else
+  return SSL_CTX_new(TLS_method());
+#endif
+}
+}  // namespace
+
 namespace rtc {

 TEST(OpenSSLSessionCache, DTLSModeSetCorrectly) {
-  SSL_CTX* ssl_ctx = SSL_CTX_new(DTLSv1_2_client_method());
+  SSL_CTX* ssl_ctx = NewDtlsContext();

  OpenSSLSessionCache session_cache(SSL_MODE_DTLS, ssl_ctx);
  EXPECT_EQ(session_cache.GetSSLMode(), SSL_MODE_DTLS);
@ -31,7 +49,7 @@ TEST(OpenSSLSessionCache, DTLSModeSetCorrectly) {
 }

 TEST(OpenSSLSessionCache, TLSModeSetCorrectly) {
-  SSL_CTX* ssl_ctx = SSL_CTX_new(TLSv1_2_client_method());
+  SSL_CTX* ssl_ctx = NewTlsContext();

  OpenSSLSessionCache session_cache(SSL_MODE_TLS, ssl_ctx);
  EXPECT_EQ(session_cache.GetSSLMode(), SSL_MODE_TLS);
@ -40,7 +58,7 @@ TEST(OpenSSLSessionCache, TLSModeSetCorrectly) {
 }

 TEST(OpenSSLSessionCache, SSLContextSetCorrectly) {
-  SSL_CTX* ssl_ctx = SSL_CTX_new(DTLSv1_2_client_method());
+  SSL_CTX* ssl_ctx = NewDtlsContext();

  OpenSSLSessionCache session_cache(SSL_MODE_DTLS, ssl_ctx);
  EXPECT_EQ(session_cache.GetSSLContext(), ssl_ctx);
@ -49,7 +67,7 @@ TEST(OpenSSLSessionCache, SSLContextSetCorrectly) {
 }

 TEST(OpenSSLSessionCache, InvalidLookupReturnsNullptr) {
-  SSL_CTX* ssl_ctx = SSL_CTX_new(DTLSv1_2_client_method());
+  SSL_CTX* ssl_ctx = NewDtlsContext();

  OpenSSLSessionCache session_cache(SSL_MODE_DTLS, ssl_ctx);
  EXPECT_EQ(session_cache.LookupSession("Invalid"), nullptr);
@ -60,7 +78,7 @@ TEST(OpenSSLSessionCache, InvalidLookupReturnsNullptr) {
 }

 TEST(OpenSSLSessionCache, SimpleValidSessionLookup) {
-  SSL_CTX* ssl_ctx = SSL_CTX_new(DTLSv1_2_client_method());
+  SSL_CTX* ssl_ctx = NewDtlsContext();
  SSL_SESSION* ssl_session = SSL_SESSION_new(ssl_ctx);

  OpenSSLSessionCache session_cache(SSL_MODE_DTLS, ssl_ctx);
@ -71,7 +89,7 @@ TEST(OpenSSLSessionCache, SimpleValidSessionLookup) {
 }

 TEST(OpenSSLSessionCache, AddToExistingReplacesPrevious) {
-  SSL_CTX* ssl_ctx = SSL_CTX_new(DTLSv1_2_client_method());
+  SSL_CTX* ssl_ctx = NewDtlsContext();
  SSL_SESSION* ssl_session_1 = SSL_SESSION_new(ssl_ctx);
  SSL_SESSION* ssl_session_2 = SSL_SESSION_new(ssl_ctx);