Use CRYPTO_BUFFER APIs instead of X509 when building with BoringSSL.
Using CRYPTO_BUFFERs instead of legacy X509 objects offers memory and security gains, and will provide binary size improvements as well once the default list of built-in certificates can be removed; the code dealing with them still depends on the X509 API. Implemented by splitting openssl_identity and openssl_certificate into BoringSSL and vanilla OpenSSL implementations. Bug: webrtc:11410 Change-Id: Idc043462faac5e4ab1b75bedab2057197f80aba6 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/174120 Reviewed-by: Mirko Bonadei <mbonadei@webrtc.org> Reviewed-by: David Benjamin <davidben@webrtc.org> Reviewed-by: Harald Alvestrand <hta@webrtc.org> Commit-Queue: Taylor <deadbeef@webrtc.org> Cr-Commit-Position: refs/heads/master@{#32811}
This commit is contained in:
Taylor Brandstetter
committed by
Commit Bot
Commit Bot
parent
20ecd8f777
commit
72f638a9a2
@ -21,7 +21,11 @@
|
||||
|
||||
#include "absl/types/optional.h"
|
||||
#include "rtc_base/buffer.h"
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
#include "rtc_base/boringssl_identity.h"
|
||||
#else
|
||||
#include "rtc_base/openssl_identity.h"
|
||||
#endif
|
||||
#include "rtc_base/ssl_identity.h"
|
||||
#include "rtc_base/ssl_stream_adapter.h"
|
||||
#include "rtc_base/stream.h"
|
||||
@ -71,7 +75,7 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter {
|
||||
~OpenSSLStreamAdapter() override;
|
||||
|
||||
void SetIdentity(std::unique_ptr<SSLIdentity> identity) override;
|
||||
OpenSSLIdentity* GetIdentityForTesting() const override;
|
||||
SSLIdentity* GetIdentityForTesting() const override;
|
||||
|
||||
// Default argument is for compatibility
|
||||
void SetServerRole(SSLRole role = SSL_SERVER) override;
|
||||
@ -179,9 +183,16 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter {
|
||||
SSL_CTX* SetupSSLContext();
|
||||
// Verify the peer certificate matches the signaled digest.
|
||||
bool VerifyPeerCertificate();
|
||||
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
// SSL certificate verification callback. See SSL_CTX_set_custom_verify.
|
||||
static enum ssl_verify_result_t SSLVerifyCallback(SSL* ssl,
|
||||
uint8_t* out_alert);
|
||||
#else
|
||||
// SSL certificate verification callback. See
|
||||
// SSL_CTX_set_cert_verify_callback.
|
||||
static int SSLVerifyCallback(X509_STORE_CTX* store, void* arg);
|
||||
#endif
|
||||
|
||||
bool WaitingToVerifyPeerCertificate() const {
|
||||
return GetClientAuthEnabled() && !peer_certificate_verified_;
|
||||
@ -208,7 +219,11 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter {
|
||||
SSL_CTX* ssl_ctx_;
|
||||
|
||||
// Our key and certificate.
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
std::unique_ptr<BoringSSLIdentity> identity_;
|
||||
#else
|
||||
std::unique_ptr<OpenSSLIdentity> identity_;
|
||||
#endif
|
||||
// The certificate chain that the peer presented. Initially null, until the
|
||||
// connection is established.
|
||||
std::unique_ptr<SSLCertChain> peer_cert_chain_;
|
||||
|
||||
Reference in New Issue
Block a user