| /* |
| * Copyright 2018 The WebRTC Project Authors. All rights reserved. |
| * |
| * Use of this source code is governed by a BSD-style license |
| * that can be found in the LICENSE file in the root of the source |
| * tree. An additional intellectual property rights grant can be found |
| * in the file PATENTS. All contributing project authors may |
| * be found in the AUTHORS file in the root of the source tree. |
| */ |
| |
| #include "rtc_base/openssl_utility.h" |
| #if defined(WEBRTC_WIN) |
| // Must be included first before openssl headers. |
| #include "rtc_base/win32.h" // NOLINT |
| #endif // WEBRTC_WIN |
| |
| #include <openssl/err.h> |
| #include <openssl/x509.h> |
| #include <openssl/x509v3.h> |
| #include <stddef.h> |
| |
| #include "rtc_base/arraysize.h" |
| #include "rtc_base/logging.h" |
| #include "rtc_base/numerics/safe_conversions.h" |
| #include "rtc_base/openssl.h" |
| #include "rtc_base/openssl_certificate.h" |
| #ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS |
| #include "rtc_base/ssl_roots.h" |
| #endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS |
| |
| namespace rtc { |
| namespace openssl { |
| |
| // Holds various helper methods. |
| namespace { |
| void LogCertificates(SSL* ssl, X509* certificate) { |
| // Logging certificates is extremely verbose. So it is disabled by default. |
| #ifdef LOG_CERTIFICATES |
| BIO* mem = BIO_new(BIO_s_mem()); |
| if (mem == nullptr) { |
| RTC_DLOG(LS_ERROR) << "BIO_new() failed to allocate memory."; |
| return; |
| } |
| |
| RTC_DLOG(LS_INFO) << "Certificate from server:"; |
| X509_print_ex(mem, certificate, XN_FLAG_SEP_CPLUS_SPC, X509_FLAG_NO_HEADER); |
| BIO_write(mem, "\0", 1); |
| |
| char* buffer = nullptr; |
| BIO_get_mem_data(mem, &buffer); |
| if (buffer != nullptr) { |
| RTC_DLOG(LS_INFO) << buffer; |
| } else { |
| RTC_DLOG(LS_ERROR) << "BIO_get_mem_data() failed to get buffer."; |
| } |
| BIO_free(mem); |
| |
| const char* cipher_name = SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)); |
| if (cipher_name != nullptr) { |
| RTC_DLOG(LS_INFO) << "Cipher: " << cipher_name; |
| } else { |
| RTC_DLOG(LS_ERROR) << "SSL_CIPHER_DESCRIPTION() failed to get cipher_name."; |
| } |
| #endif |
| } |
| } // namespace |
| |
| bool VerifyPeerCertMatchesHost(SSL* ssl, const std::string& host) { |
| if (host.empty()) { |
| RTC_DLOG(LS_ERROR) << "Hostname is empty. Cannot verify peer certificate."; |
| return false; |
| } |
| |
| if (ssl == nullptr) { |
| RTC_DLOG(LS_ERROR) << "SSL is nullptr. Cannot verify peer certificate."; |
| return false; |
| } |
| |
| X509* certificate = SSL_get_peer_certificate(ssl); |
| if (certificate == nullptr) { |
| RTC_DLOG(LS_ERROR) |
| << "SSL_get_peer_certificate failed. This should never happen."; |
| return false; |
| } |
| |
| LogCertificates(ssl, certificate); |
| |
| bool is_valid_cert_name = |
| X509_check_host(certificate, host.c_str(), host.size(), 0, nullptr) == 1; |
| X509_free(certificate); |
| return is_valid_cert_name; |
| } |
| |
| void LogSSLErrors(const std::string& prefix) { |
| char error_buf[200]; |
| unsigned long err; // NOLINT |
| |
| while ((err = ERR_get_error()) != 0) { |
| ERR_error_string_n(err, error_buf, sizeof(error_buf)); |
| RTC_LOG(LS_ERROR) << prefix << ": " << error_buf << "\n"; |
| } |
| } |
| |
| #ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS |
| bool LoadBuiltinSSLRootCertificates(SSL_CTX* ctx) { |
| int count_of_added_certs = 0; |
| for (size_t i = 0; i < arraysize(kSSLCertCertificateList); i++) { |
| const unsigned char* cert_buffer = kSSLCertCertificateList[i]; |
| size_t cert_buffer_len = kSSLCertCertificateSizeList[i]; |
| X509* cert = d2i_X509(nullptr, &cert_buffer, |
| checked_cast<long>(cert_buffer_len)); // NOLINT |
| if (cert) { |
| int return_value = X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx), cert); |
| if (return_value == 0) { |
| RTC_LOG(LS_WARNING) << "Unable to add certificate."; |
| } else { |
| count_of_added_certs++; |
| } |
| X509_free(cert); |
| } |
| } |
| return count_of_added_certs > 0; |
| } |
| #endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS |
| |
| } // namespace openssl |
| } // namespace rtc |