WebRTC is currently using the SSL_CTX_set_verify callback. This
configures a callback for use with X509_STORE_CTX_set_verify_cb. See
https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_set_verify_cb.html
This callback does not override certificate verification. Rather, it
allows EACH failure in OpenSSL's built-in certificate verification, as
well as the final success, to be overridden (that's why there's an ok
parameter). It still runs the usual OpenSSL certificate verification
(which will never succeed).
The upshot is that the callback is called multiple times and
OpenSSLStreamAdapter does a ton of redundant work and checks the hash at
least twice, or more for certificates with other errors.
Instead, use SSL_CTX_set_cert_verify_callback. This short-circuits the
OpenSSL behavior entirely and uses a caller-supplied one.
https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_cert_verify_callback
https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_cert_verify_callback(3)
(This also removes the SSL_CTX_set_verify_depth call which is ignored
with SSL_CTX_set_cert_verify_callback. It didn't do anything before
either---it tells OpenSSL to reject chains that are too short, but the
rejection was overwritten by the callback anyway.)
(Later on, we'll need to switch this to the BoringSSL-only
SSL_CTX_set_custom_verify and CRYPTO_BUFFER APIs to fix WebRTC's
contribution to Chrome's binary size, but I've left that alone for the
time being.)
Bug: none
Change-Id: I9320a367d0961935836df63dc6f0868b069f0af0
Reviewed-on: https://webrtc-review.googlesource.com/4581
Commit-Queue: David Benjamin <davidben@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#20053}

It is now used only by FileRotatingStream.
Bug: webrtc:6424
Change-Id: I216b20baadae836d24c39899efe4cb45c2935f41
Reviewed-on: https://webrtc-review.googlesource.com/4720
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Commit-Queue: Niels Moller <nisse@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#20040}

All previous initialize methods are deprecated and a new initialize
that uses a builder pattern is added. This gives us full control over
the order of initialization.
Bug: webrtc:7474
Change-Id: I006190e50f2e75c5015f0be75b86d367676db2cc
Reviewed-on: https://webrtc-review.googlesource.com/4160
Reviewed-by: Magnus Jedvert <magjed@webrtc.org>
Commit-Queue: Sami Kalliomäki <sakal@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#20037}

This reverts commit 57fb3154b5411934b80051ad827db4e54d00f381.
Reason for revert: Breaks jingle_glue in chromium; need to leave candidate.h in place and include the new location until it's fixed.
Original change's description:
> Clean up libjingle API dependencies.
>
> This CL moves candidate.h into the public API, since it has
> been implicitly included before.
>
> This is a straightforward way of solving the circular
> dependencies involving that file. For instance,
> libjingle_peerconnection_api includes candidate.h from
> jsepicecandidate.h, but _api can't depend on rtc_p2p, which
> depends on _api. In fact, _api can't depend on much at all
> since it's a very high level abstraction; instead, things
> should depend on it.
>
> Furthermore, we have the case where deprecated headers
> include headers in internal modules. I just have to turn
> off include checking for those, but that's not a big deal.
>
> This CL punts the problem of callfactoryinterface.h being
> implicitly included, and pulling in most of the call
> module with it. This should be addressed in a follow-up
> CL.
>
> Bug: webrtc:7504
> Change-Id: I1b1729408158418333ccdf702bf529386090f0d7
> Reviewed-on: https://webrtc-review.googlesource.com/2020
> Commit-Queue: Patrik Höglund <phoglund@webrtc.org>
> Reviewed-by: Fredrik Solenberg <solenberg@webrtc.org>
> Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
> Cr-Commit-Position: refs/heads/master@{#20034}
TBR=phoglund@webrtc.org,deadbeef@webrtc.org,solenberg@webrtc.org,perkj@webrtc.org
Change-Id: Ic5c3d0cf0b8c4d48ecbc49efdb76b373e3c950a5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: webrtc:7504
Reviewed-on: https://webrtc-review.googlesource.com/4702
Reviewed-by: Patrik Höglund <phoglund@webrtc.org>
Commit-Queue: Patrik Höglund <phoglund@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#20036}

This CL moves candidate.h into the public API, since it has
been implicitly included before.
This is a straightforward way of solving the circular
dependencies involving that file. For instance,
libjingle_peerconnection_api includes candidate.h from
jsepicecandidate.h, but _api can't depend on rtc_p2p, which
depends on _api. In fact, _api can't depend on much at all
since it's a very high level abstraction; instead, things
should depend on it.
Furthermore, we have the case where deprecated headers
include headers in internal modules. I just have to turn
off include checking for those, but that's not a big deal.
This CL punts the problem of callfactoryinterface.h being
implicitly included, and pulling in most of the call
module with it. This should be addressed in a follow-up
CL.
Bug: webrtc:7504
Change-Id: I1b1729408158418333ccdf702bf529386090f0d7
Reviewed-on: https://webrtc-review.googlesource.com/2020
Commit-Queue: Patrik Höglund <phoglund@webrtc.org>
Reviewed-by: Fredrik Solenberg <solenberg@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#20034}

Function pointer tables require relocations, so this goes into
.data.rel.ro, not .rodata, but this will at least mark the pages
read-only after relocations are resolved.
Bug: None
Change-Id: I8625e7466b2dcadafc4e4e5f9c6eccbd87af7109
Reviewed-on: https://webrtc-review.googlesource.com/4580
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Commit-Queue: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#20029}

SSL_CIPHER_standard_name is a bit easier to use. BoringSSL has the
strings in the library statically these days. (Turns out that's more
size-efficient than the code to build it up anyway!)
Bug: None
Change-Id: I91ffa725fa716791cdf75d944cf8d9a3e2cb9021
Reviewed-on: https://webrtc-review.googlesource.com/4362
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Commit-Queue: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#20028}

Now that we have moved WebRTC from src/webrtc to src/, common_types.h
and typedefs.h are triggering a cpplint error.
The cpplint complaint is:
Include the directory when naming .h files [build/include] [4]
This CL disables the error but we have to remove these two headers
from the root directory.
NOPRESUBMIT=true
Bug: webrtc:5876
Change-Id: I08e1b69aadcc4b28ab83bf25e3819d135d41d333
Reviewed-on: https://webrtc-review.googlesource.com/1577
Commit-Queue: Mirko Bonadei <mbonadei@webrtc.org>
Reviewed-by: Henrik Kjellander <kjellander@google.com>
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#19859}

There were a number of unused includes and undeclared
dependencies. I removed the includes that were causing
problems and added dependencies for the includes that
turned out to be needed.
Bug: webrtc:7239,webrtc:6828
Change-Id: I5b57f9b8411d969e96eaa46fb49101b7b7c32284
Reviewed-on: https://webrtc-review.googlesource.com/1185
Commit-Queue: Patrik Höglund <phoglund@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#19858}

In order to eliminate the WebRTC Subtree mirror in Chromium,
WebRTC is moving the content of the src/webrtc directory up
to the src/ directory.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
TBR=tommi@webrtc.org
Bug: chromium:611808
Change-Id: Iac59c5b51b950f174119565bac87955a7994bc38
Reviewed-on: https://webrtc-review.googlesource.com/1560
Commit-Queue: Mirko Bonadei <mbonadei@webrtc.org>
Reviewed-by: Henrik Kjellander <kjellander@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#19845}