-rw-r--r-- | libs/binder/Android.bp | 3 | ||||
-rw-r--r-- | libs/binder/RpcTransportTls.cpp | 6 | ||||
-rw-r--r-- | libs/binder/include_tls/binder/RpcCertificateVerifier.h | 13 | ||||
-rw-r--r-- | libs/binder/tests/RpcCertificateVerifierSimple.cpp | 9 | ||||
-rw-r--r-- | libs/binder/tests/RpcCertificateVerifierSimple.h | 2 |
5 files changed, 24 insertions, 9 deletions
diff --git a/libs/binder/Android.bp b/libs/binder/Android.bp index 91f961553a..6cb45ca394 100644 --- a/libs/binder/Android.bp +++ b/libs/binder/Android.bp @@ -256,6 +256,9 @@ cc_defaults { export_header_lib_headers: [ "libbinder_headers", ], + export_shared_lib_headers: [ + "libssl", + ], export_include_dirs: ["include_tls"], static_libs: [ "libbase", diff --git a/libs/binder/RpcTransportTls.cpp b/libs/binder/RpcTransportTls.cpp index e55da77e96..8c066ee6b2 100644 --- a/libs/binder/RpcTransportTls.cpp +++ b/libs/binder/RpcTransportTls.cpp @@ -460,17 +460,13 @@ ssl_verify_result_t RpcTransportCtxTls::sslCustomVerify(SSL* ssl, uint8_t* outAl LOG_ALWAYS_FATAL_IF(outAlert == nullptr); const char* logPrefix = SSL_is_server(ssl) ? "Server" : "Client"; - bssl::UniquePtr<X509> peerCert(SSL_get_peer_certificate(ssl)); // Does not set error queue - LOG_ALWAYS_FATAL_IF(peerCert == nullptr, - "%s: libssl should not ask to verify non-existing cert", logPrefix); - auto ctx = SSL_get_SSL_CTX(ssl); // Does not set error queue LOG_ALWAYS_FATAL_IF(ctx == nullptr); // void* -> RpcTransportCtxTls* auto rpcTransportCtxTls = reinterpret_cast<RpcTransportCtxTls*>(SSL_CTX_get_app_data(ctx)); LOG_ALWAYS_FATAL_IF(rpcTransportCtxTls == nullptr); - status_t verifyStatus = rpcTransportCtxTls->mCertVerifier->verify(peerCert.get(), outAlert); + status_t verifyStatus = rpcTransportCtxTls->mCertVerifier->verify(ssl, outAlert); if (verifyStatus == OK) { return ssl_verify_ok; } diff --git a/libs/binder/include_tls/binder/RpcCertificateVerifier.h b/libs/binder/include_tls/binder/RpcCertificateVerifier.h index 97af31cea1..800e375827 100644 --- a/libs/binder/include_tls/binder/RpcCertificateVerifier.h +++ b/libs/binder/include_tls/binder/RpcCertificateVerifier.h 
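Review bot: In RpcTransportCtxTls::sslCustomVerify, the call `rpcTransportCtxTls->mCertVerifier->verify(ssl, outAlert)` is now the only place that decides whether a peer certificate exists at all, because the `peerCert == nullptr` check was removed from the transport. A verifier that returns OK without ever calling SSL_get_peer_certificate would be accepted here, so I would add a comment above the call such as `// The verifier must reject a missing peer certificate itself; this function no longer checks for one.` The function starts before this hunk and continues past it, so how a non-OK status is mapped to a verify result and to `*outAlert` is not visible here.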
@@ -26,7 +26,18 @@ namespace android { class RpcCertificateVerifier { public: virtual ~RpcCertificateVerifier() = default; - virtual status_t verify(const X509* peerCert, uint8_t* outAlert) = 0; + + // The implementation may use the following function to get + // the peer certificate and chain: + // - SSL_get_peer_certificate + // - SSL_get_peer_cert_chain + // - SSL_get_peer_full_cert_chain + // + // The implementation should return OK on success or error codes on error. For example: + // - PERMISSION_DENIED for rejected certificates + // - NO_INIT for not presenting a certificate when requested + // - UNKNOWN_ERROR for other errors + virtual status_t verify(const SSL* ssl, uint8_t* outAlert) = 0; }; } // namespace android diff --git a/libs/binder/tests/RpcCertificateVerifierSimple.cpp b/libs/binder/tests/RpcCertificateVerifierSimple.cpp index da98f59127..1f74adc465 100644 --- a/libs/binder/tests/RpcCertificateVerifierSimple.cpp +++ b/libs/binder/tests/RpcCertificateVerifierSimple.cpp @@ -22,10 +22,15 @@ namespace android { -status_t RpcCertificateVerifierSimple::verify(const X509* peerCert, uint8_t* outAlert) { +status_t RpcCertificateVerifierSimple::verify(const SSL* ssl, uint8_t* outAlert) { + const char* logPrefix = SSL_is_server(ssl) ? "Server" : "Client"; + bssl::UniquePtr<X509> peerCert(SSL_get_peer_certificate(ssl)); // Does not set error queue + LOG_ALWAYS_FATAL_IF(peerCert == nullptr, + "%s: libssl should not ask to verify non-existing cert", logPrefix); + std::lock_guard<std::mutex> lock(mMutex); for (const auto& trustedCert : mTrustedPeerCertificates) { - if (0 == X509_cmp(trustedCert.get(), peerCert)) { + if (0 == X509_cmp(trustedCert.get(), peerCert.get())) { return OK; } } diff --git a/libs/binder/tests/RpcCertificateVerifierSimple.h b/libs/binder/tests/RpcCertificateVerifierSimple.h index 1f2e531b5b..bdb2426df7 100644 --- a/libs/binder/tests/RpcCertificateVerifierSimple.h +++ b/libs/binder/tests/RpcCertificateVerifierSimple.h 
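Review bot: The new comment above `verify(const SSL* ssl, uint8_t* outAlert)` in RpcCertificateVerifier.h lists three accessors without saying that they differ in ownership and in what they return. SSL_get_peer_certificate hands back a reference the caller must release (for example by holding it in `bssl::UniquePtr<X509>`), while SSL_get_peer_cert_chain and SSL_get_peer_full_cert_chain return pointers owned by the SSL that must not be freed. SSL_get_peer_cert_chain also omits the leaf certificate when the SSL is a server. I would add those points and make the missing-certificate case a requirement rather than an example, e.g. `// Implementations must return NO_INIT when the peer presented no certificate; the transport does not check this.` The comment should also say whether `outAlert` has to be written on every non-OK return.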
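Review bot: `LOG_ALWAYS_FATAL_IF(peerCert == nullptr, ...)` in RpcCertificateVerifierSimple::verify aborts the process, whereas the interface comment added in RpcCertificateVerifier.h suggests returning NO_INIT for that case. Whether the callback can be reached without a peer certificate depends on the verify mode, which is configured outside this diff. If it can, the abort turns a peer-controlled condition into a crash. `if (peerCert == nullptr) return NO_INIT;` fails closed instead and is a better model for other implementations that copy this test verifier. The end of the function after the loop is outside the hunk, so the rejection path and any write to `*outAlert` cannot be checked from here.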
@@ -35,7 +35,7 @@ namespace android { // certificate being added. class RpcCertificateVerifierSimple : public RpcCertificateVerifier { public: - status_t verify(const X509*, uint8_t*) override; + status_t verify(const SSL*, uint8_t*) override; // Add a trusted peer certificate. Peers presenting this certificate are accepted. // |