blob: 50a7c0845ca459dedd282105c773ac97ea8a2d6a [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:261/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
Mirko Bonadei92ea95e2017-09-15 04:47:3111#ifndef RTC_BASE_OPENSSLADAPTER_H_
12#define RTC_BASE_OPENSSLADAPTER_H_
henrike@webrtc.orgf0488722014-05-13 18:00:2613
Benjamin Wright19aab2e2018-04-05 22:39:0614#include <openssl/ossl_typ.h>
15
Justin Uberti1d445502017-08-15 00:04:3416#include <map>
Benjamin Wright19aab2e2018-04-05 22:39:0617#include <memory>
Henrik Kjellanderec78f1c2017-06-29 05:52:5018#include <string>
Benjamin Wright19aab2e2018-04-05 22:39:0619#include <vector>
20
Karl Wiberg918f50c2018-07-05 09:40:3321#include "absl/memory/memory.h"
Mirko Bonadei92ea95e2017-09-15 04:47:3122#include "rtc_base/buffer.h"
23#include "rtc_base/messagehandler.h"
24#include "rtc_base/messagequeue.h"
Benjamin Wrightd6f86e82018-05-08 20:12:2525#include "rtc_base/opensslcertificate.h"
Mirko Bonadei92ea95e2017-09-15 04:47:3126#include "rtc_base/opensslidentity.h"
Benjamin Wright19aab2e2018-04-05 22:39:0627#include "rtc_base/opensslsessioncache.h"
Mirko Bonadei92ea95e2017-09-15 04:47:3128#include "rtc_base/ssladapter.h"
henrike@webrtc.orgf0488722014-05-13 18:00:2629
Henrik Kjellanderec78f1c2017-06-29 05:52:5030namespace rtc {
31
Henrik Kjellanderec78f1c2017-06-29 05:52:5032class OpenSSLAdapter : public SSLAdapter, public MessageHandler {
Justin Uberti1d445502017-08-15 00:04:3433 public:
Benjamin Wrightd6f86e82018-05-08 20:12:2534 static bool InitializeSSL();
Henrik Kjellanderec78f1c2017-06-29 05:52:5035 static bool CleanupSSL();
36
Benjamin Wrightd6f86e82018-05-08 20:12:2537 // Creating an OpenSSLAdapter requires a socket to bind to, an optional
38 // session cache if you wish to improve performance by caching sessions for
39 // hostnames you have previously connected to and an optional
40 // SSLCertificateVerifier which can override any existing trusted roots to
41 // validate a peer certificate. The cache and verifier are effectively
42 // immutable after the the SSL connection starts.
Justin Uberti1d445502017-08-15 00:04:3443 explicit OpenSSLAdapter(AsyncSocket* socket,
Benjamin Wrightd6f86e82018-05-08 20:12:2544 OpenSSLSessionCache* ssl_session_cache = nullptr,
45 SSLCertificateVerifier* ssl_cert_verifier = nullptr);
Henrik Kjellanderec78f1c2017-06-29 05:52:5046 ~OpenSSLAdapter() override;
47
Sergey Silkin9c147dd2018-09-12 10:45:3848 void SetIgnoreBadCert(bool ignore) override;
49 void SetAlpnProtocols(const std::vector<std::string>& protos) override;
50 void SetEllipticCurves(const std::vector<std::string>& curves) override;
Henrik Kjellanderec78f1c2017-06-29 05:52:5051 void SetMode(SSLMode mode) override;
Benjamin Wrightd6f86e82018-05-08 20:12:2552 void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override;
Steve Anton786de702017-08-17 22:15:4653 void SetIdentity(SSLIdentity* identity) override;
54 void SetRole(SSLRole role) override;
55 AsyncSocket* Accept(SocketAddress* paddr) override;
Henrik Kjellanderec78f1c2017-06-29 05:52:5056 int StartSSL(const char* hostname, bool restartable) override;
57 int Send(const void* pv, size_t cb) override;
58 int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override;
59 int Recv(void* pv, size_t cb, int64_t* timestamp) override;
60 int RecvFrom(void* pv,
61 size_t cb,
62 SocketAddress* paddr,
63 int64_t* timestamp) override;
64 int Close() override;
Henrik Kjellanderec78f1c2017-06-29 05:52:5065 // Note that the socket returns ST_CONNECTING while SSL is being negotiated.
66 ConnState GetState() const override;
Justin Uberti1d445502017-08-15 00:04:3467 bool IsResumedSession() override;
Justin Uberti1d445502017-08-15 00:04:3468 // Creates a new SSL_CTX object, configured for client-to-server usage
69 // with SSLMode |mode|, and if |enable_cache| is true, with support for
70 // storing successful sessions so that they can be later resumed.
71 // OpenSSLAdapterFactory will call this method to create its own internal
72 // SSL_CTX, and OpenSSLAdapter will also call this when used without a
73 // factory.
74 static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache);
Henrik Kjellanderec78f1c2017-06-29 05:52:5075
Justin Uberti1d445502017-08-15 00:04:3476 protected:
77 void OnConnectEvent(AsyncSocket* socket) override;
78 void OnReadEvent(AsyncSocket* socket) override;
79 void OnWriteEvent(AsyncSocket* socket) override;
80 void OnCloseEvent(AsyncSocket* socket, int err) override;
81
82 private:
Henrik Kjellanderec78f1c2017-06-29 05:52:5083 enum SSLState {
Yves Gerey665174f2018-06-19 13:03:0584 SSL_NONE,
85 SSL_WAIT,
86 SSL_CONNECTING,
87 SSL_CONNECTED,
88 SSL_ERROR
Henrik Kjellanderec78f1c2017-06-29 05:52:5089 };
90
91 enum { MSG_TIMEOUT };
92
93 int BeginSSL();
94 int ContinueSSL();
95 void Error(const char* context, int err, bool signal = true);
96 void Cleanup();
97
98 // Return value and arguments have the same meanings as for Send; |error| is
99 // an output parameter filled with the result of SSL_get_error.
100 int DoSslWrite(const void* pv, size_t cb, int* error);
Henrik Kjellanderec78f1c2017-06-29 05:52:50101 void OnMessage(Message* msg) override;
Benjamin Wright9201d1a2018-04-05 19:12:26102 bool SSLPostConnectionCheck(SSL* ssl, const std::string& host);
103
Henrik Kjellanderec78f1c2017-06-29 05:52:50104#if !defined(NDEBUG)
Justin Uberti1d445502017-08-15 00:04:34105 // In debug builds, logs info about the state of the SSL connection.
106 static void SSLInfoCallback(const SSL* ssl, int where, int ret);
Henrik Kjellanderec78f1c2017-06-29 05:52:50107#endif
108 static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
Henrik Kjellanderec78f1c2017-06-29 05:52:50109 friend class OpenSSLStreamAdapter; // for custom_verify_callback_;
110
Justin Uberti1d445502017-08-15 00:04:34111 // If the SSL_CTX was created with |enable_cache| set to true, this callback
112 // will be called when a SSL session has been successfully established,
113 // to allow its SSL_SESSION* to be cached for later resumption.
114 static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session);
115
Benjamin Wrightd6f86e82018-05-08 20:12:25116 // Optional SSL Shared session cache to improve performance.
Benjamin Wright19aab2e2018-04-05 22:39:06117 OpenSSLSessionCache* ssl_session_cache_ = nullptr;
Benjamin Wrightd6f86e82018-05-08 20:12:25118 // Optional SSL Certificate verifier which can be set by a third party.
119 SSLCertificateVerifier* ssl_cert_verifier_ = nullptr;
120 // The current connection state of the (d)TLS connection.
Henrik Kjellanderec78f1c2017-06-29 05:52:50121 SSLState state_;
Steve Anton786de702017-08-17 22:15:46122 std::unique_ptr<OpenSSLIdentity> identity_;
Benjamin Wrightd6f86e82018-05-08 20:12:25123 // Indicates whethere this is a client or a server.
Steve Anton786de702017-08-17 22:15:46124 SSLRole role_;
Henrik Kjellanderec78f1c2017-06-29 05:52:50125 bool ssl_read_needs_write_;
126 bool ssl_write_needs_read_;
127 // If true, socket will retain SSL configuration after Close.
Justin Uberti1d445502017-08-15 00:04:34128 // TODO(juberti): Remove this unused flag.
Henrik Kjellanderec78f1c2017-06-29 05:52:50129 bool restartable_;
Henrik Kjellanderec78f1c2017-06-29 05:52:50130 // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which
131 // means we need to keep retrying with *the same exact data* until it
132 // succeeds. Afterwards it will be cleared.
133 Buffer pending_data_;
Henrik Kjellanderec78f1c2017-06-29 05:52:50134 SSL* ssl_;
Benjamin Wrightd6f86e82018-05-08 20:12:25135 // Holds the SSL context, which may be shared if an session cache is provided.
Henrik Kjellanderec78f1c2017-06-29 05:52:50136 SSL_CTX* ssl_ctx_;
Benjamin Wrightd6f86e82018-05-08 20:12:25137 // Hostname of server that is being connected, used for SNI.
Henrik Kjellanderec78f1c2017-06-29 05:52:50138 std::string ssl_host_name_;
Benjamin Wrightd6f86e82018-05-08 20:12:25139 // Set the adapter to DTLS or TLS mode before creating the context.
Henrik Kjellanderec78f1c2017-06-29 05:52:50140 SSLMode ssl_mode_;
Sergey Silkin9c147dd2018-09-12 10:45:38141 // If true, the server certificate need not match the configured hostname.
142 bool ignore_bad_cert_;
143 // List of protocols to be used in the TLS ALPN extension.
144 std::vector<std::string> alpn_protocols_;
145 // List of elliptic curves to be used in the TLS elliptic curves extension.
146 std::vector<std::string> elliptic_curves_;
Benjamin Wrightd6f86e82018-05-08 20:12:25147 // Holds the result of the call to run of the ssl_cert_verify_->Verify()
148 bool custom_cert_verifier_status_;
Henrik Kjellanderec78f1c2017-06-29 05:52:50149};
150
Benjamin Wright19aab2e2018-04-05 22:39:06151// The OpenSSLAdapterFactory is responsbile for creating multiple new
152// OpenSSLAdapters with a shared SSL_CTX and a shared SSL_SESSION cache. The
153// SSL_SESSION cache allows existing SSL_SESSIONS to be reused instead of
154// recreating them leading to a significant performance improvement.
Justin Uberti1d445502017-08-15 00:04:34155class OpenSSLAdapterFactory : public SSLAdapterFactory {
156 public:
157 OpenSSLAdapterFactory();
158 ~OpenSSLAdapterFactory() override;
Benjamin Wright19aab2e2018-04-05 22:39:06159 // Set the SSL Mode to use with this factory. This should only be set before
160 // the first adapter is created with the factory. If it is called after it
161 // will DCHECK.
Justin Uberti1d445502017-08-15 00:04:34162 void SetMode(SSLMode mode) override;
Benjamin Wrightd6f86e82018-05-08 20:12:25163 // Set a custom certificate verifier to be passed down to each instance
164 // created with this factory. This should only ever be set before the first
165 // call to the factory and cannot be changed after the fact.
166 void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override;
Benjamin Wright19aab2e2018-04-05 22:39:06167 // Constructs a new socket using the shared OpenSSLSessionCache. This means
168 // existing SSLSessions already in the cache will be reused instead of
169 // re-created for improved performance.
Justin Uberti1d445502017-08-15 00:04:34170 OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override;
Henrik Kjellanderc0362762017-06-29 06:03:04171
Justin Uberti1d445502017-08-15 00:04:34172 private:
Benjamin Wright19aab2e2018-04-05 22:39:06173 // Holds the SSLMode (DTLS,TLS) that will be used to set the session cache.
174 SSLMode ssl_mode_ = SSL_MODE_TLS;
175 // Holds a cache of existing SSL Sessions.
176 std::unique_ptr<OpenSSLSessionCache> ssl_session_cache_;
Benjamin Wrightd6f86e82018-05-08 20:12:25177 // Provides an optional custom callback for verifying SSL certificates, this
178 // in currently only used for TLS-TURN connections.
179 SSLCertificateVerifier* ssl_cert_verifier_ = nullptr;
Benjamin Wright19aab2e2018-04-05 22:39:06180 // TODO(benwright): Remove this when context is moved to OpenSSLCommon.
181 // Hold a friend class to the OpenSSLAdapter to retrieve the context.
Justin Uberti1d445502017-08-15 00:04:34182 friend class OpenSSLAdapter;
Justin Uberti1d445502017-08-15 00:04:34183};
184
Benjamin Wrightd6f86e82018-05-08 20:12:25185std::string TransformAlpnProtocols(const std::vector<std::string>& protos);
186
Justin Uberti1d445502017-08-15 00:04:34187} // namespace rtc
188
Mirko Bonadei92ea95e2017-09-15 04:47:31189#endif // RTC_BASE_OPENSSLADAPTER_H_