Use CRYPTO_BUFFER APIs instead of X509 when building with BoringSSL.
Using CRYPTO_BUFFERs instead of legacy X509 objects offers memory and security gains, and will provide binary size improvements as well once the default list of built-in certificates can be removed; the code dealing with them still depends on the X509 API. Implemented by splitting openssl_identity and openssl_certificate into BoringSSL and vanilla OpenSSL implementations. Bug: webrtc:11410 Change-Id: Idc043462faac5e4ab1b75bedab2057197f80aba6 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/174120 Reviewed-by: Mirko Bonadei <mbonadei@webrtc.org> Reviewed-by: David Benjamin <davidben@webrtc.org> Reviewed-by: Harald Alvestrand <hta@webrtc.org> Commit-Queue: Taylor <deadbeef@webrtc.org> Cr-Commit-Position: refs/heads/master@{#32811}
This commit is contained in:
Taylor Brandstetter
committed by
Commit Bot
Commit Bot
parent
20ecd8f777
commit
72f638a9a2
@ -11,6 +11,7 @@
|
||||
#ifndef RTC_BASE_OPENSSL_ADAPTER_H_
|
||||
#define RTC_BASE_OPENSSL_ADAPTER_H_
|
||||
|
||||
#include <openssl/ossl_typ.h>
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
|
||||
@ -21,7 +22,11 @@
|
||||
#include "rtc_base/async_socket.h"
|
||||
#include "rtc_base/buffer.h"
|
||||
#include "rtc_base/message_handler.h"
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
#include "rtc_base/boringssl_identity.h"
|
||||
#else
|
||||
#include "rtc_base/openssl_identity.h"
|
||||
#endif
|
||||
#include "rtc_base/openssl_session_cache.h"
|
||||
#include "rtc_base/socket.h"
|
||||
#include "rtc_base/socket_address.h"
|
||||
@ -109,7 +114,16 @@ class OpenSSLAdapter final : public SSLAdapter,
|
||||
// In debug builds, logs info about the state of the SSL connection.
|
||||
static void SSLInfoCallback(const SSL* ssl, int where, int ret);
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_IS_BORINGSSL) && \
|
||||
defined(WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS)
|
||||
static enum ssl_verify_result_t SSLVerifyCallback(SSL* ssl,
|
||||
uint8_t* out_alert);
|
||||
enum ssl_verify_result_t SSLVerifyInternal(SSL* ssl, uint8_t* out_alert);
|
||||
#else
|
||||
static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
|
||||
int SSLVerifyInternal(int ok, SSL* ssl, X509_STORE_CTX* store);
|
||||
#endif
|
||||
friend class OpenSSLStreamAdapter; // for custom_verify_callback_;
|
||||
|
||||
// If the SSL_CTX was created with |enable_cache| set to true, this callback
|
||||
@ -123,7 +137,12 @@ class OpenSSLAdapter final : public SSLAdapter,
|
||||
SSLCertificateVerifier* ssl_cert_verifier_ = nullptr;
|
||||
// The current connection state of the (d)TLS connection.
|
||||
SSLState state_;
|
||||
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
std::unique_ptr<BoringSSLIdentity> identity_;
|
||||
#else
|
||||
std::unique_ptr<OpenSSLIdentity> identity_;
|
||||
#endif
|
||||
// Indicates whethere this is a client or a server.
|
||||
SSLRole role_;
|
||||
bool ssl_read_needs_write_;
|
||||
|
||||
Reference in New Issue
Block a user