Handle HKDF key derivation when building with OpenSSL.

Change-Id: I3fd503109190d6a94e15576312c9cb79906a7f61 Bug: webrtc:10160 Reviewed-on: https://webrtc-review.googlesource.com/c/122622 Commit-Queue: Benjamin Wright <benwright@webrtc.org> Reviewed-by: Qingsi Wang <qingsi@webrtc.org> Reviewed-by: Benjamin Wright <benwright@webrtc.org> Cr-Commit-Position: refs/heads/master@{#26669}
2019-02-12 18:30:45 -08:00 · 2019-02-12 18:30:45 -08:00 · 3c119fb793
commit 3c119fb793
parent 5e2aad1c95
3 changed files with 37 additions and 3 deletions
--- a/rtc_base/openssl_digest.h
+++ b/rtc_base/openssl_digest.h
@ -11,7 +11,7 @@
 #ifndef RTC_BASE_OPENSSL_DIGEST_H_
 #define RTC_BASE_OPENSSL_DIGEST_H_

-#include <openssl/base.h>
+#include <openssl/ossl_typ.h>
 #include <stddef.h>
 #include <string>

--- a/rtc_base/openssl_key_derivation_hkdf.cc
+++ b/rtc_base/openssl_key_derivation_hkdf.cc
@ -10,9 +10,42 @@

 #include "rtc_base/openssl_key_derivation_hkdf.h"

+#include <openssl/ossl_typ.h>
+#ifdef OPENSSL_IS_BORINGSSL
 #include <openssl/digest.h>
-#include <openssl/err.h>
 #include <openssl/hkdf.h>
+#else
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+namespace {
+// the function with this interface is static within openssl and hence not
+// accessible to the caller. Implementing here to match boringssl.
+static int HKDF(uint8_t* out_key,
+                size_t out_len,
+                const EVP_MD* digest,
+                const uint8_t* secret,
+                size_t secret_len,
+                const uint8_t* salt,
+                size_t salt_len,
+                const uint8_t* info,
+                size_t info_len) {
+  EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+
+  if (EVP_PKEY_derive_init(pctx) <= 0 ||
+      EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0 ||
+      EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0 ||
+      EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0 ||
+      EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0 ||
+      EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
+    EVP_PKEY_CTX_free(pctx);
+    return 0;
+  }
+  EVP_PKEY_CTX_free(pctx);
+  return 1;
+}
+}  // namespace
+#endif
+#include <openssl/err.h>
 #include <openssl/sha.h>

 #include <algorithm>
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@ -25,6 +25,7 @@
 #include <utility>
 #include <vector>

+#include "absl/memory/memory.h"
 #include "rtc_base/checks.h"
 #include "rtc_base/logging.h"
 #include "rtc_base/numerics/safe_conversions.h"
@ -1081,7 +1082,7 @@ int OpenSSLStreamAdapter::SSLVerifyCallback(X509_STORE_CTX* store, void* arg) {
  // Record the peer's certificate.
  X509* cert = X509_STORE_CTX_get0_cert(store);
  stream->peer_cert_chain_.reset(
-      new SSLCertChain(new OpenSSLCertificate(cert)));
+      new SSLCertChain(absl::make_unique<OpenSSLCertificate>(cert)));
 #endif

  // If the peer certificate digest isn't known yet, we'll wait to verify