The original test did not properly test the bugs it fixed (SAN vs. CN)
and violated BoringSSL invariants:
- That SSL_get_peer_certificate works on the pending session before the
handshake is a weird OpenSSL quirk that may later get fixed in
BoringSSL. Calling code should not rely on this.
- SSL_SESSION is a private struct and may not be accessed directly by
callers.
- Caller especially may not mutate private structs. The tests did not
keep the SSL_SESSION's X509 and CRYPTO_BUFFER fields in sync.
Instead, make an actual connected SSL object and better test the SAN vs.
CN case.
Bug: webrtc:8888
Change-Id: I773508c676e47be12e52a1bd6bd71562f474e09c
Reviewed-on: https://webrtc-review.googlesource.com/73900
Commit-Queue: David Benjamin <davidben@webrtc.org>
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23129}
This changeset addresses concerns about how the OpenSSLAdapter does certificate
name matching. The current approach has a number of issues which are outlined
in the bug description. The approach taken in this changeset is to use the
standard function X509_check_host which should correctly parse the wildcard
expansions and is directly supported in OpenSSL instead of attempting my own
implementation. This changeset uses this as an opportunity to add additional
parameter checking and refactoring logging code out of the main code path.
Bug: webrtc:8888
Change-Id: Iaffe1daddcd52193ba674489f613ce8515b81e91
Reviewed-on: https://webrtc-review.googlesource.com/65022
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Reviewed-by: Emad Omara <emadomara@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22755}
