Diff - dc24656e5eb175b257bde449c42efb8226d8f2ed^! - webrtc.googlesource.com/src

commit	dc24656e5eb175b257bde449c42efb8226d8f2ed	[log] [tgz]
author	David Benjamin <davidben@webrtc.org>	Fri Sep 29 12:14:08 2017 -0400
committer	Commit Bot <commit-bot@chromium.org>	Sun Oct 01 01:13:51 2017 +0000
tree	b11b0701878f37d66478f19750c9bababf62a970
parent	5e0f1ceb8f02de3b5a144fc6d9fe3401afb9fe74 [diff] [blame]

Only verify the certificate once.

WebRTC is currently using the SSL_CTX_set_verify callback. This
configures a callback for use with X509_STORE_CTX_set_verify_cb. See
https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_set_verify_cb.html

This callback does not override certificate verification. Rather, it
allows EACH failure in OpenSSL's built-in certificate verification, as
well as the final success, to be overridden (that's why there's an ok
parameter). It still runs the usual OpenSSL certificate verification
(which will never succeed).

The upshot is that the callback is called multiple times and
OpenSSLStreamAdapter does a ton of redundant work and checks the hash at
least twice, or more for certificates with other errors.

Instead, use SSL_CTX_set_cert_verify_callback. This short-circuits the
OpenSSL behavior entirely and uses a caller-supplied one.
https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_cert_verify_callback
https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_cert_verify_callback(3)

(This also removes the SSL_CTX_set_verify_depth call which is ignored
with SSL_CTX_set_cert_verify_callback. It didn't do anything before
either---it tells OpenSSL to reject chains that are too short, but the
rejection was overwritten by the callback anyway.)

(Later on, we'll need to switch this to the BoringSSL-only
SSL_CTX_set_custom_verify and CRYPTO_BUFFER APIs to fix WebRTC's
contribution to Chrome's binary size, but I've left that alone for the
time being.)

Bug: none
Change-Id: I9320a367d0961935836df63dc6f0868b069f0af0
Reviewed-on: https://webrtc-review.googlesource.com/4581
Commit-Queue: David Benjamin <davidben@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#20053}

diff --git a/rtc_base/opensslstreamadapter.h b/rtc_base/opensslstreamadapter.h
index 802e6b0..ccd6460 100644
--- a/rtc_base/opensslstreamadapter.h
+++ b/rtc_base/opensslstreamadapter.h

@@ -169,11 +169,9 @@
   SSL_CTX* SetupSSLContext();
   // Verify the peer certificate matches the signaled digest.
   bool VerifyPeerCertificate();
-  // SSL certification verification error handler, called back from
-  // the openssl library. Returns an int interpreted as a boolean in
-  // the C style: zero means verification failure, non-zero means
-  // passed.
-  static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
+  // SSL certificate verification callback. See
+  // SSL_CTX_set_cert_verify_callback.
+  static int SSLVerifyCallback(X509_STORE_CTX* store, void* arg);
 
   bool waiting_to_verify_peer_certificate() const {
     return client_auth_enabled() && !peer_certificate_verified_;