henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 | * |
| 4 | * Use of this source code is governed by a BSD-style license |
| 5 | * that can be found in the LICENSE file in the root of the source |
| 6 | * tree. An additional intellectual property rights grant can be found |
| 7 | * in the file PATENTS. All contributing project authors may |
| 8 | * be found in the AUTHORS file in the root of the source tree. |
| 9 | */ |
| 10 | |
Mirko Bonadei | 92ea95e | 2017-09-15 04:47:31 | [diff] [blame] | 11 | #ifndef RTC_BASE_OPENSSLADAPTER_H_ |
| 12 | #define RTC_BASE_OPENSSLADAPTER_H_ |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 | [diff] [blame] | 13 | |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 14 | #include <openssl/ossl_typ.h> |
| 15 | |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 16 | #include <map> |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 17 | #include <memory> |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 18 | #include <string> |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 19 | #include <vector> |
| 20 | |
Karl Wiberg | 918f50c | 2018-07-05 09:40:33 | [diff] [blame] | 21 | #include "absl/memory/memory.h" |
Mirko Bonadei | 92ea95e | 2017-09-15 04:47:31 | [diff] [blame] | 22 | #include "rtc_base/buffer.h" |
| 23 | #include "rtc_base/messagehandler.h" |
| 24 | #include "rtc_base/messagequeue.h" |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 25 | #include "rtc_base/opensslcertificate.h" |
Mirko Bonadei | 92ea95e | 2017-09-15 04:47:31 | [diff] [blame] | 26 | #include "rtc_base/opensslidentity.h" |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 27 | #include "rtc_base/opensslsessioncache.h" |
Mirko Bonadei | 92ea95e | 2017-09-15 04:47:31 | [diff] [blame] | 28 | #include "rtc_base/ssladapter.h" |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 | [diff] [blame] | 29 | |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 30 | namespace rtc { |
| 31 | |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 32 | class OpenSSLAdapter : public SSLAdapter, public MessageHandler { |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 33 | public: |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 34 | static bool InitializeSSL(); |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 35 | static bool CleanupSSL(); |
| 36 | |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 37 | // Creating an OpenSSLAdapter requires a socket to bind to, an optional |
| 38 | // session cache if you wish to improve performance by caching sessions for |
| 39 | // hostnames you have previously connected to and an optional |
| 40 | // SSLCertificateVerifier which can override any existing trusted roots to |
| 41 | // validate a peer certificate. The cache and verifier are effectively |
| 42 | // immutable after the the SSL connection starts. |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 43 | explicit OpenSSLAdapter(AsyncSocket* socket, |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 44 | OpenSSLSessionCache* ssl_session_cache = nullptr, |
| 45 | SSLCertificateVerifier* ssl_cert_verifier = nullptr); |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 46 | ~OpenSSLAdapter() override; |
| 47 | |
Sergey Silkin | 9c147dd | 2018-09-12 10:45:38 | [diff] [blame] | 48 | void SetIgnoreBadCert(bool ignore) override; |
| 49 | void SetAlpnProtocols(const std::vector<std::string>& protos) override; |
| 50 | void SetEllipticCurves(const std::vector<std::string>& curves) override; |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 51 | void SetMode(SSLMode mode) override; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 52 | void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; |
Steve Anton | 786de70 | 2017-08-17 22:15:46 | [diff] [blame] | 53 | void SetIdentity(SSLIdentity* identity) override; |
| 54 | void SetRole(SSLRole role) override; |
| 55 | AsyncSocket* Accept(SocketAddress* paddr) override; |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 56 | int StartSSL(const char* hostname, bool restartable) override; |
| 57 | int Send(const void* pv, size_t cb) override; |
| 58 | int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override; |
| 59 | int Recv(void* pv, size_t cb, int64_t* timestamp) override; |
| 60 | int RecvFrom(void* pv, |
| 61 | size_t cb, |
| 62 | SocketAddress* paddr, |
| 63 | int64_t* timestamp) override; |
| 64 | int Close() override; |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 65 | // Note that the socket returns ST_CONNECTING while SSL is being negotiated. |
| 66 | ConnState GetState() const override; |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 67 | bool IsResumedSession() override; |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 68 | // Creates a new SSL_CTX object, configured for client-to-server usage |
| 69 | // with SSLMode |mode|, and if |enable_cache| is true, with support for |
| 70 | // storing successful sessions so that they can be later resumed. |
| 71 | // OpenSSLAdapterFactory will call this method to create its own internal |
| 72 | // SSL_CTX, and OpenSSLAdapter will also call this when used without a |
| 73 | // factory. |
| 74 | static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache); |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 75 | |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 76 | protected: |
| 77 | void OnConnectEvent(AsyncSocket* socket) override; |
| 78 | void OnReadEvent(AsyncSocket* socket) override; |
| 79 | void OnWriteEvent(AsyncSocket* socket) override; |
| 80 | void OnCloseEvent(AsyncSocket* socket, int err) override; |
| 81 | |
| 82 | private: |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 83 | enum SSLState { |
Yves Gerey | 665174f | 2018-06-19 13:03:05 | [diff] [blame] | 84 | SSL_NONE, |
| 85 | SSL_WAIT, |
| 86 | SSL_CONNECTING, |
| 87 | SSL_CONNECTED, |
| 88 | SSL_ERROR |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 89 | }; |
| 90 | |
| 91 | enum { MSG_TIMEOUT }; |
| 92 | |
| 93 | int BeginSSL(); |
| 94 | int ContinueSSL(); |
| 95 | void Error(const char* context, int err, bool signal = true); |
| 96 | void Cleanup(); |
| 97 | |
| 98 | // Return value and arguments have the same meanings as for Send; |error| is |
| 99 | // an output parameter filled with the result of SSL_get_error. |
| 100 | int DoSslWrite(const void* pv, size_t cb, int* error); |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 101 | void OnMessage(Message* msg) override; |
Benjamin Wright | 9201d1a | 2018-04-05 19:12:26 | [diff] [blame] | 102 | bool SSLPostConnectionCheck(SSL* ssl, const std::string& host); |
| 103 | |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 104 | #if !defined(NDEBUG) |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 105 | // In debug builds, logs info about the state of the SSL connection. |
| 106 | static void SSLInfoCallback(const SSL* ssl, int where, int ret); |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 107 | #endif |
| 108 | static int SSLVerifyCallback(int ok, X509_STORE_CTX* store); |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 109 | friend class OpenSSLStreamAdapter; // for custom_verify_callback_; |
| 110 | |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 111 | // If the SSL_CTX was created with |enable_cache| set to true, this callback |
| 112 | // will be called when a SSL session has been successfully established, |
| 113 | // to allow its SSL_SESSION* to be cached for later resumption. |
| 114 | static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session); |
| 115 | |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 116 | // Optional SSL Shared session cache to improve performance. |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 117 | OpenSSLSessionCache* ssl_session_cache_ = nullptr; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 118 | // Optional SSL Certificate verifier which can be set by a third party. |
| 119 | SSLCertificateVerifier* ssl_cert_verifier_ = nullptr; |
| 120 | // The current connection state of the (d)TLS connection. |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 121 | SSLState state_; |
Steve Anton | 786de70 | 2017-08-17 22:15:46 | [diff] [blame] | 122 | std::unique_ptr<OpenSSLIdentity> identity_; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 123 | // Indicates whethere this is a client or a server. |
Steve Anton | 786de70 | 2017-08-17 22:15:46 | [diff] [blame] | 124 | SSLRole role_; |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 125 | bool ssl_read_needs_write_; |
| 126 | bool ssl_write_needs_read_; |
| 127 | // If true, socket will retain SSL configuration after Close. |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 128 | // TODO(juberti): Remove this unused flag. |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 129 | bool restartable_; |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 130 | // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which |
| 131 | // means we need to keep retrying with *the same exact data* until it |
| 132 | // succeeds. Afterwards it will be cleared. |
| 133 | Buffer pending_data_; |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 134 | SSL* ssl_; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 135 | // Holds the SSL context, which may be shared if an session cache is provided. |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 136 | SSL_CTX* ssl_ctx_; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 137 | // Hostname of server that is being connected, used for SNI. |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 138 | std::string ssl_host_name_; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 139 | // Set the adapter to DTLS or TLS mode before creating the context. |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 140 | SSLMode ssl_mode_; |
Sergey Silkin | 9c147dd | 2018-09-12 10:45:38 | [diff] [blame] | 141 | // If true, the server certificate need not match the configured hostname. |
| 142 | bool ignore_bad_cert_; |
| 143 | // List of protocols to be used in the TLS ALPN extension. |
| 144 | std::vector<std::string> alpn_protocols_; |
| 145 | // List of elliptic curves to be used in the TLS elliptic curves extension. |
| 146 | std::vector<std::string> elliptic_curves_; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 147 | // Holds the result of the call to run of the ssl_cert_verify_->Verify() |
| 148 | bool custom_cert_verifier_status_; |
Henrik Kjellander | ec78f1c | 2017-06-29 05:52:50 | [diff] [blame] | 149 | }; |
| 150 | |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 151 | // The OpenSSLAdapterFactory is responsbile for creating multiple new |
| 152 | // OpenSSLAdapters with a shared SSL_CTX and a shared SSL_SESSION cache. The |
| 153 | // SSL_SESSION cache allows existing SSL_SESSIONS to be reused instead of |
| 154 | // recreating them leading to a significant performance improvement. |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 155 | class OpenSSLAdapterFactory : public SSLAdapterFactory { |
| 156 | public: |
| 157 | OpenSSLAdapterFactory(); |
| 158 | ~OpenSSLAdapterFactory() override; |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 159 | // Set the SSL Mode to use with this factory. This should only be set before |
| 160 | // the first adapter is created with the factory. If it is called after it |
| 161 | // will DCHECK. |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 162 | void SetMode(SSLMode mode) override; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 163 | // Set a custom certificate verifier to be passed down to each instance |
| 164 | // created with this factory. This should only ever be set before the first |
| 165 | // call to the factory and cannot be changed after the fact. |
| 166 | void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 167 | // Constructs a new socket using the shared OpenSSLSessionCache. This means |
| 168 | // existing SSLSessions already in the cache will be reused instead of |
| 169 | // re-created for improved performance. |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 170 | OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override; |
Henrik Kjellander | c036276 | 2017-06-29 06:03:04 | [diff] [blame] | 171 | |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 172 | private: |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 173 | // Holds the SSLMode (DTLS,TLS) that will be used to set the session cache. |
| 174 | SSLMode ssl_mode_ = SSL_MODE_TLS; |
| 175 | // Holds a cache of existing SSL Sessions. |
| 176 | std::unique_ptr<OpenSSLSessionCache> ssl_session_cache_; |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 177 | // Provides an optional custom callback for verifying SSL certificates, this |
| 178 | // in currently only used for TLS-TURN connections. |
| 179 | SSLCertificateVerifier* ssl_cert_verifier_ = nullptr; |
Benjamin Wright | 19aab2e | 2018-04-05 22:39:06 | [diff] [blame] | 180 | // TODO(benwright): Remove this when context is moved to OpenSSLCommon. |
| 181 | // Hold a friend class to the OpenSSLAdapter to retrieve the context. |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 182 | friend class OpenSSLAdapter; |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 183 | }; |
| 184 | |
Benjamin Wright | d6f86e8 | 2018-05-08 20:12:25 | [diff] [blame] | 185 | std::string TransformAlpnProtocols(const std::vector<std::string>& protos); |
| 186 | |
Justin Uberti | 1d44550 | 2017-08-15 00:04:34 | [diff] [blame] | 187 | } // namespace rtc |
| 188 | |
Mirko Bonadei | 92ea95e | 2017-09-15 04:47:31 | [diff] [blame] | 189 | #endif // RTC_BASE_OPENSSLADAPTER_H_ |