Fixed Hostname Validation in OpenSSLAdapter.

This changeset addresses concerns about how the OpenSSLAdapter does certificate
name matching. The current approach has a number of issues which are outlined
in the bug description. The approach taken in this changeset is to use the
standard function X509_check_host which should correctly parse the wildcard
expansions and is directly supported in OpenSSL instead of attempting my own
implementation. This changeset uses this as an opportunity to add additional
parameter checking and refactor logging code out of the main code path.

Bug: webrtc:8888
Change-Id: Iaffe1daddcd52193ba674489f613ce8515b81e91
Reviewed-on: https://webrtc-review.googlesource.com/65022
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Reviewed-by: Emad Omara <emadomara@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22755}
Benjamin Wright, 2018-04-05 12:12:26 -07:00, committed by Commit Bot
parent 5150ee40f4
commit 9201d1aa8a
6 changed files with 293 additions and 93 deletions
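The commit message gives the motivation (hand-rolled certificate name matching gets wildcards wrong) but not the rules themselves. The block below is an added example, not WebRTC's code and not OpenSSL's implementation: it spells out, as a small stand-alone matcher, the DNS-name rules that X509_check_host applies by default when called with X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, as I understand them (case-insensitive ASCII comparison; at most one `*`, only as the entire leftmost label, with at least two labels after it; a wildcard never spans a dot and never matches an empty label; no partial wildcards such as `w*.example.com`). The function name `HostnameMatches` and the sample patterns are my own. Its purpose is to serve as a test oracle for the kind of edge cases a unit test of the new code should pin down; production code should delegate to X509_check_host rather than ship a matcher like this.

```cpp
// Added example: reference DNS-name matching rules in the spirit of
// OpenSSL's X509_check_host with X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS.
// Not WebRTC's code; intended as a test oracle, not as a replacement
// for calling X509_check_host.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

namespace {

// Split a DNS name into labels. Empty labels (leading, trailing or
// doubled dots) are kept so the caller can reject them.
std::vector<std::string> SplitLabels(const std::string& name) {
  std::vector<std::string> labels;
  std::string current;
  for (char c : name) {
    if (c == '.') {
      labels.push_back(current);
      current.clear();
    } else {
      current.push_back(c);
    }
  }
  labels.push_back(current);
  return labels;
}

// A valid "letters, digits, hyphen" label: non-empty, ASCII alnum or '-'.
bool IsLdhLabel(const std::string& label) {
  if (label.empty()) return false;
  for (unsigned char c : label) {
    if (!(std::isalnum(c) || c == '-')) return false;
  }
  return true;
}

// Case-insensitive ASCII equality, as DNS names are compared.
bool EqualNoCase(const std::string& a, const std::string& b) {
  if (a.size() != b.size()) return false;
  for (size_t i = 0; i < a.size(); ++i) {
    if (std::tolower(static_cast<unsigned char>(a[i])) !=
        std::tolower(static_cast<unsigned char>(b[i]))) {
      return false;
    }
  }
  return true;
}

}  // namespace

// Returns true if `host` is covered by the certificate name `pattern`.
// Rules enforced (hypothetical helper, see lead-in):
//  - label counts must be equal, so a wildcard never spans a dot and
//    "example.com" never matches "example.com.evil.org";
//  - every host label must be a non-empty LDH label;
//  - '*' is accepted only as the whole leftmost label (no partial
//    wildcards, no wildcard in later labels, at most one wildcard);
//  - a wildcard pattern needs at least two labels after the '*', so
//    "*.com" matches nothing.
bool HostnameMatches(const std::string& pattern, const std::string& host) {
  const std::vector<std::string> p = SplitLabels(pattern);
  const std::vector<std::string> h = SplitLabels(host);
  for (const std::string& label : h) {
    if (!IsLdhLabel(label)) return false;
  }
  if (p.size() != h.size()) return false;
  for (size_t i = 0; i < p.size(); ++i) {
    const std::string& pl = p[i];
    if (pl == "*") {
      if (i != 0 || p.size() < 3) return false;
      continue;  // the host label was already validated as non-empty LDH
    }
    if (pl.find('*') != std::string::npos) return false;  // partial/misplaced
    if (!IsLdhLabel(pl)) return false;
    if (!EqualNoCase(pl, h[i])) return false;
  }
  return true;
}

int main() {
  // Constructed sample cases, not taken from the page.
  const char* cases[][2] = {
      {"example.com", "EXAMPLE.com"},          // true: case-insensitive
      {"*.example.com", "www.example.com"},    // true: single-label wildcard
      {"*.example.com", "a.b.example.com"},    // false: wildcard spans a dot
      {"*.com", "example.com"},                // false: too few labels
      {"w*.example.com", "www.example.com"},   // false: partial wildcard
      {"example.com", "example.com.evil.org"}, // false: suffix attack
  };
  for (const auto& c : cases) {
    std::cout << c[0] << " vs " << c[1] << " -> "
              << (HostnameMatches(c[0], c[1]) ? "match" : "no match") << "\n";
  }
  return 0;
}
```

In the adapter itself the equivalent call is `X509_check_host(cert, host, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, nullptr)`; only a return value of 1 means the name matched, 0 means no match, and negative values indicate an internal error or malformed input, so a check of the form `ret == 1` is the safe test, not `ret != 0`.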


@ -855,6 +855,8 @@ rtc_static_library("rtc_base_generic") {
"openssl.h",
"openssladapter.cc",
"openssladapter.h",
"opensslcommon.cc",
"opensslcommon.h",
"openssldigest.cc",
"openssldigest.h",
"opensslidentity.cc",
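Review bot: opensslcommon.cc and opensslcommon.h are added to rtc_base_generic without anything recording the OpenSSL version they now depend on; X509_check_host, which the commit message says the new helper delegates to, exists only in OpenSSL 1.0.2 and later (and in BoringSSL). Please document the minimum supported version in opensslcommon.h, or guard the call with an OPENSSL_VERSION_NUMBER check, so that a build against an older OpenSSL fails with a clear error instead of an undeclared-function error deep in the adapter.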
@ -1356,6 +1358,7 @@ if (rtc_include_tests) {
if (is_posix || is_fuchsia) {
sources += [
"openssladapter_unittest.cc",
"opensslcommon_unittest.cc",
"ssladapter_unittest.cc",
"sslidentity_unittest.cc",
"sslstreamadapter_unittest.cc",
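Review bot: opensslcommon_unittest.cc is compiled only under `if (is_posix || is_fuchsia)`, so Windows builds get no coverage of the new name matching; that is consistent with the neighbouring OpenSSL tests, but it makes it more important that the test itself pins the wildcard edge cases the commit message says the old matcher got wrong: a wildcard that is not the leftmost label, `*.com`-style patterns with too few labels, partial-label wildcards, a wildcard that would have to span a dot, case-insensitive comparison, and a malformed input for which X509_check_host returns a negative error rather than a plain mismatch.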