zqz/platform-external-webrtc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reland: Use CRYPTO_BUFFER APIs instead of X509 when building with BoringSSL.

Browse Source 
Using CRYPTO_BUFFERs instead of legacy X509 objects offers memory and
security gains, and will provide binary size improvements as well once
the default list of built-in certificates can be removed; the code
dealing with them still depends on the X509 API.

Implemented by splitting openssl_identity and openssl_certificate
into BoringSSL and vanilla OpenSSL implementations.

No-Try: True
Bug: webrtc:11410
Change-Id: I86ddb361b94ad85b15ebb8743490de83632ca53f
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/196941
Commit-Queue: Mirko Bonadei <mbonadei@webrtc.org>
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Reviewed-by: Mirko Bonadei <mbonadei@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#32818}
This commit is contained in:
Taylor Brandstetter
2020-12-10 16:23:03 -08:00
committed by Commit Bot
parent c1ad1ff178
commit 165c618bb9
24 changed files with 1620 additions and 279 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
rtc_base/openssl_utility.h
View File

@ -20,8 +20,21 @@ namespace rtc {
// to OpenSSL that are commonly used and don't require global state should be
// placed here.
namespace openssl {
#ifdef OPENSSL_IS_BORINGSSL
// Does minimal parsing of a certificate (only verifying the presence of major
// fields), primarily for the purpose of extracting the relevant out
// parameters. Any that the caller is uninterested in can be null.
bool ParseCertificate(CRYPTO_BUFFER* cert_buffer,
CBS* signature_algorithm_oid,
int64_t* expiration_time);
#endif
// Verifies that the hostname provided matches that in the peer certificate
// attached to this SSL state.
// TODO(crbug.com/webrtc/11710): When OS certificate verification is available,
// skip compiling this as it adds a dependency on OpenSSL X509 objects, which we
// are trying to avoid in favor of CRYPTO_BUFFERs (see crbug.com/webrtc/11410).
bool VerifyPeerCertMatchesHost(SSL* ssl, const std::string& host);
// Logs all the errors in the OpenSSL errror queue from the current thread. A
@ -35,6 +48,10 @@ void LogSSLErrors(const std::string& prefix);
bool LoadBuiltinSSLRootCertificates(SSL_CTX* ssl_ctx);
#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
#ifdef OPENSSL_IS_BORINGSSL
CRYPTO_BUFFER_POOL* GetBufferPool();
#endif
} // namespace openssl
} // namespace rtc