| /* |
| * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| * |
| * Use of this source code is governed by a BSD-style license |
| * that can be found in the LICENSE file in the root of the source |
| * tree. An additional intellectual property rights grant can be found |
| * in the file PATENTS. All contributing project authors may |
| * be found in the AUTHORS file in the root of the source tree. |
| */ |
| |
| #ifndef RTC_BASE_OPENSSLADAPTER_H_ |
| #define RTC_BASE_OPENSSLADAPTER_H_ |
| |
| #include <openssl/ossl_typ.h> |
| |
| #include <map> |
| #include <memory> |
| #include <string> |
| #include <vector> |
| |
| #include "rtc_base/buffer.h" |
| #include "rtc_base/messagehandler.h" |
| #include "rtc_base/messagequeue.h" |
| #include "rtc_base/opensslcertificate.h" |
| #include "rtc_base/opensslidentity.h" |
| #include "rtc_base/opensslsessioncache.h" |
| #include "rtc_base/ptr_util.h" |
| #include "rtc_base/ssladapter.h" |
| |
| namespace rtc { |
| |
| class OpenSSLAdapter : public SSLAdapter, public MessageHandler { |
| public: |
| static bool InitializeSSL(); |
| static bool CleanupSSL(); |
| |
| // Creating an OpenSSLAdapter requires a socket to bind to, an optional |
| // session cache if you wish to improve performance by caching sessions for |
| // hostnames you have previously connected to and an optional |
| // SSLCertificateVerifier which can override any existing trusted roots to |
| // validate a peer certificate. The cache and verifier are effectively |
| // immutable after the the SSL connection starts. |
| explicit OpenSSLAdapter(AsyncSocket* socket, |
| OpenSSLSessionCache* ssl_session_cache = nullptr, |
| SSLCertificateVerifier* ssl_cert_verifier = nullptr); |
| ~OpenSSLAdapter() override; |
| |
| void SetIgnoreBadCert(bool ignore) override; |
| void SetAlpnProtocols(const std::vector<std::string>& protos) override; |
| void SetEllipticCurves(const std::vector<std::string>& curves) override; |
| void SetMode(SSLMode mode) override; |
| void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; |
| void SetIdentity(SSLIdentity* identity) override; |
| void SetRole(SSLRole role) override; |
| AsyncSocket* Accept(SocketAddress* paddr) override; |
| int StartSSL(const char* hostname, bool restartable) override; |
| int Send(const void* pv, size_t cb) override; |
| int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override; |
| int Recv(void* pv, size_t cb, int64_t* timestamp) override; |
| int RecvFrom(void* pv, |
| size_t cb, |
| SocketAddress* paddr, |
| int64_t* timestamp) override; |
| int Close() override; |
| // Note that the socket returns ST_CONNECTING while SSL is being negotiated. |
| ConnState GetState() const override; |
| bool IsResumedSession() override; |
| // Creates a new SSL_CTX object, configured for client-to-server usage |
| // with SSLMode |mode|, and if |enable_cache| is true, with support for |
| // storing successful sessions so that they can be later resumed. |
| // OpenSSLAdapterFactory will call this method to create its own internal |
| // SSL_CTX, and OpenSSLAdapter will also call this when used without a |
| // factory. |
| static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache); |
| |
| protected: |
| void OnConnectEvent(AsyncSocket* socket) override; |
| void OnReadEvent(AsyncSocket* socket) override; |
| void OnWriteEvent(AsyncSocket* socket) override; |
| void OnCloseEvent(AsyncSocket* socket, int err) override; |
| |
| private: |
| enum SSLState { |
| SSL_NONE, SSL_WAIT, SSL_CONNECTING, SSL_CONNECTED, SSL_ERROR |
| }; |
| |
| enum { MSG_TIMEOUT }; |
| |
| int BeginSSL(); |
| int ContinueSSL(); |
| void Error(const char* context, int err, bool signal = true); |
| void Cleanup(); |
| |
| // Return value and arguments have the same meanings as for Send; |error| is |
| // an output parameter filled with the result of SSL_get_error. |
| int DoSslWrite(const void* pv, size_t cb, int* error); |
| void OnMessage(Message* msg) override; |
| bool SSLPostConnectionCheck(SSL* ssl, const std::string& host); |
| |
| #if !defined(NDEBUG) |
| // In debug builds, logs info about the state of the SSL connection. |
| static void SSLInfoCallback(const SSL* ssl, int where, int ret); |
| #endif |
| static int SSLVerifyCallback(int ok, X509_STORE_CTX* store); |
| friend class OpenSSLStreamAdapter; // for custom_verify_callback_; |
| |
| // If the SSL_CTX was created with |enable_cache| set to true, this callback |
| // will be called when a SSL session has been successfully established, |
| // to allow its SSL_SESSION* to be cached for later resumption. |
| static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session); |
| |
| // Optional SSL Shared session cache to improve performance. |
| OpenSSLSessionCache* ssl_session_cache_ = nullptr; |
| // Optional SSL Certificate verifier which can be set by a third party. |
| SSLCertificateVerifier* ssl_cert_verifier_ = nullptr; |
| // The current connection state of the (d)TLS connection. |
| SSLState state_; |
| std::unique_ptr<OpenSSLIdentity> identity_; |
| // Indicates whethere this is a client or a server. |
| SSLRole role_; |
| bool ssl_read_needs_write_; |
| bool ssl_write_needs_read_; |
| // If true, socket will retain SSL configuration after Close. |
| // TODO(juberti): Remove this unused flag. |
| bool restartable_; |
| // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which |
| // means we need to keep retrying with *the same exact data* until it |
| // succeeds. Afterwards it will be cleared. |
| Buffer pending_data_; |
| SSL* ssl_; |
| // Holds the SSL context, which may be shared if an session cache is provided. |
| SSL_CTX* ssl_ctx_; |
| // Hostname of server that is being connected, used for SNI. |
| std::string ssl_host_name_; |
| // Set the adapter to DTLS or TLS mode before creating the context. |
| SSLMode ssl_mode_; |
| // If true, the server certificate need not match the configured hostname. |
| bool ignore_bad_cert_; |
| // List of protocols to be used in the TLS ALPN extension. |
| std::vector<std::string> alpn_protocols_; |
| // List of elliptic curves to be used in the TLS elliptic curves extension. |
| std::vector<std::string> elliptic_curves_; |
| // Holds the result of the call to run of the ssl_cert_verify_->Verify() |
| bool custom_cert_verifier_status_; |
| }; |
| |
| // The OpenSSLAdapterFactory is responsbile for creating multiple new |
| // OpenSSLAdapters with a shared SSL_CTX and a shared SSL_SESSION cache. The |
| // SSL_SESSION cache allows existing SSL_SESSIONS to be reused instead of |
| // recreating them leading to a significant performance improvement. |
| class OpenSSLAdapterFactory : public SSLAdapterFactory { |
| public: |
| OpenSSLAdapterFactory(); |
| ~OpenSSLAdapterFactory() override; |
| // Set the SSL Mode to use with this factory. This should only be set before |
| // the first adapter is created with the factory. If it is called after it |
| // will DCHECK. |
| void SetMode(SSLMode mode) override; |
| // Set a custom certificate verifier to be passed down to each instance |
| // created with this factory. This should only ever be set before the first |
| // call to the factory and cannot be changed after the fact. |
| void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; |
| // Constructs a new socket using the shared OpenSSLSessionCache. This means |
| // existing SSLSessions already in the cache will be reused instead of |
| // re-created for improved performance. |
| OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override; |
| |
| private: |
| // Holds the SSLMode (DTLS,TLS) that will be used to set the session cache. |
| SSLMode ssl_mode_ = SSL_MODE_TLS; |
| // Holds a cache of existing SSL Sessions. |
| std::unique_ptr<OpenSSLSessionCache> ssl_session_cache_; |
| // Provides an optional custom callback for verifying SSL certificates, this |
| // in currently only used for TLS-TURN connections. |
| SSLCertificateVerifier* ssl_cert_verifier_ = nullptr; |
| // TODO(benwright): Remove this when context is moved to OpenSSLCommon. |
| // Hold a friend class to the OpenSSLAdapter to retrieve the context. |
| friend class OpenSSLAdapter; |
| }; |
| |
| std::string TransformAlpnProtocols(const std::vector<std::string>& protos); |
| |
| } // namespace rtc |
| |
| #endif // RTC_BASE_OPENSSLADAPTER_H_ |