mollyim/webrtc
1
0
Fork 0
mirror of https://github.com/mollyim/webrtc.git synced 2025-05-19 08:37:54 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
webrtc/rtc_base/opensslcommon.cc
Benjamin Wright 9201d1aa8a Fixed Hostname Validation in OpenSSLAdapter. 
This changeset addresses concerns about how the OpenSSLAdapter does certificate
name matching. The current approach has a number of issues which are outlined
in the bug description. The approach taken in this changeset is to use the
standard function X509_check_host which should correctly parse the wildcard
expansions and is directly supported in OpenSSL instead of attempting my own
implementation. This changeset uses this as an opportunity to add additional
parameter checking and refactoring logging code out of the main code path.

Bug: webrtc:8888
Change-Id: Iaffe1daddcd52193ba674489f613ce8515b81e91
Reviewed-on: https://webrtc-review.googlesource.com/65022
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Reviewed-by: Emad Omara <emadomara@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22755}
2018-04-05 21:23:20 +00:00

95 lines
2.6 KiB
C++
Raw Blame History

/*
* Copyright 2018 The WebRTC Project Authors. All rights reserved.
*
* Use of this source code is governed by a BSD-style license
* that can be found in the LICENSE file in the root of the source
* tree. An additional intellectual property rights grant can be found
* in the file PATENTS. All contributing project authors may
* be found in the AUTHORS file in the root of the source tree.
*/
#include "rtc_base/opensslcommon.h"
#if defined(WEBRTC_POSIX)
#include <unistd.h>
#endif
#if defined(WEBRTC_WIN)
// Must be included first before openssl headers.
#include "rtc_base/win32.h" // NOLINT
#endif // WEBRTC_WIN
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "rtc_base/checks.h"
#include "rtc_base/logging.h"
#include "rtc_base/openssl.h"
namespace rtc {
namespace openssl {
// Holds various helper methods.
namespace {
void LogCertificates(SSL* ssl, X509* certificate) {
// Logging certificates is extremely verbose. So it is disabled by default.
#ifdef LOG_CERTIFICATES
BIO* mem = BIO_new(BIO_s_mem());
if (mem == nullptr) {
RTC_DLOG(LS_ERROR) << "BIO_new() failed to allocate memory.";
return;
}
RTC_DLOG(LS_INFO) << "Certificate from server:";
X509_print_ex(mem, certificate, XN_FLAG_SEP_CPLUS_SPC, X509_FLAG_NO_HEADER);
BIO_write(mem, "\0", 1);
char* buffer = nullptr;
BIO_get_mem_data(mem, &buffer);
if (buffer != nullptr) {
RTC_DLOG(LS_INFO) << buffer;
} else {
RTC_DLOG(LS_ERROR) << "BIO_get_mem_data() failed to get buffer.";
}
BIO_free(mem);
const char* cipher_name = SSL_CIPHER_get_name(SSL_get_current_cipher(ssl));
if (cipher_name != nullptr) {
RTC_DLOG(LS_INFO) << "Cipher: " << cipher_name;
} else {
RTC_DLOG(LS_ERROR) << "SSL_CIPHER_DESCRIPTION() failed to get cipher_name.";
}
#endif
}
} // namespace
bool VerifyPeerCertMatchesHost(SSL* ssl, const std::string& host) {
if (host.empty()) {
RTC_DLOG(LS_ERROR) << "Hostname is empty. Cannot verify peer certificate.";
return false;
}
if (ssl == nullptr) {
RTC_DLOG(LS_ERROR) << "SSL is nullptr. Cannot verify peer certificate.";
return false;
}
X509* certificate = SSL_get_peer_certificate(ssl);
if (certificate == nullptr) {
RTC_DLOG(LS_ERROR)
<< "SSL_get_peer_certificate failed. This should never happen.";
return false;
}
LogCertificates(ssl, certificate);
bool is_valid_cert_name =
X509_check_host(certificate, host.c_str(), host.size(), 0, nullptr) == 1;
X509_free(certificate);
return is_valid_cert_name;
}
} // namespace openssl
} // namespace rtc
Reference in a new issue View git blame Copy permalink