Blame - rtc_base/openssl_adapter.cc - src

blob: d0c12781448a8c75fb8bf732cdf5446e975dc352 [file] [log] [blame]

henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	1	/*
				2	* Copyright 2008 The WebRTC Project Authors. All rights reserved.
				3	*
				4	* Use of this source code is governed by a BSD-style license
				5	* that can be found in the LICENSE file in the root of the source
				6	* tree. An additional intellectual property rights grant can be found
				7	* in the file PATENTS. All contributing project authors may
				8	* be found in the AUTHORS file in the root of the source tree.
				9	*/
				10
Steve Anton	10542f2	2019-01-11 17:11:00	[diff] [blame]	11	#include "rtc_base/openssl_adapter.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	12
Yves Gerey	988cc08	2018-10-23 10:03:01	[diff] [blame]	13	#include <errno.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	14	#include <openssl/bio.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	15	#include <openssl/err.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	16	#include <openssl/rand.h>
henrike@webrtc.org	d5a0506	2014-06-30 20:38:56	[diff] [blame]	17	#include <openssl/x509.h>
Yves Gerey	988cc08	2018-10-23 10:03:01	[diff] [blame]	18	#include <string.h>
				19	#include <time.h>
				20
Mirko Bonadei	317a1f0	2019-09-17 15:06:18	[diff] [blame]	21	#include <memory>
				22
Mirko Bonadei	92ea95e	2017-09-15 04:47:31	[diff] [blame]	23	#include "rtc_base/checks.h"
Yves Gerey	988cc08	2018-10-23 10:03:01	[diff] [blame]	24	#include "rtc_base/location.h"
Mirko Bonadei	92ea95e	2017-09-15 04:47:31	[diff] [blame]	25	#include "rtc_base/logging.h"
Karl Wiberg	e40468b	2017-11-22 09:42:26	[diff] [blame]	26	#include "rtc_base/numerics/safe_conversions.h"
Jonas Olsson	a4d8737	2019-07-05 17:08:33	[diff] [blame]	27	#include "rtc_base/openssl.h"
Steve Anton	10542f2	2019-01-11 17:11:00	[diff] [blame]	28	#include "rtc_base/openssl_certificate.h"
				29	#include "rtc_base/openssl_utility.h"
				30	#include "rtc_base/string_encode.h"
Mirko Bonadei	92ea95e	2017-09-15 04:47:31	[diff] [blame]	31	#include "rtc_base/thread.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	32
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	33	//////////////////////////////////////////////////////////////////////
				34	// SocketBIO
				35	//////////////////////////////////////////////////////////////////////
				36
				37	static int socket_write(BIO* h, const char* buf, int num);
				38	static int socket_read(BIO* h, char* buf, int size);
				39	static int socket_puts(BIO* h, const char* str);
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	40	static long socket_ctrl(BIO* h, int cmd, long arg1, void* arg2); // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	41	static int socket_new(BIO* h);
				42	static int socket_free(BIO* data);
				43
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	44	static BIO_METHOD* BIO_socket_method() {
				45	static BIO_METHOD* methods = [] {
				46	BIO_METHOD* methods = BIO_meth_new(BIO_TYPE_BIO, "socket");
				47	BIO_meth_set_write(methods, socket_write);
				48	BIO_meth_set_read(methods, socket_read);
				49	BIO_meth_set_puts(methods, socket_puts);
				50	BIO_meth_set_ctrl(methods, socket_ctrl);
				51	BIO_meth_set_create(methods, socket_new);
				52	BIO_meth_set_destroy(methods, socket_free);
				53	return methods;
				54	}();
				55	return methods;
				56	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	57
henrike@webrtc.org	c50bf7c	2014-05-14 18:24:13	[diff] [blame]	58	static BIO* BIO_new_socket(rtc::AsyncSocket* socket) {
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	59	BIO* ret = BIO_new(BIO_socket_method());
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	60	if (ret == nullptr) {
				61	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	62	}
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	63	BIO_set_data(ret, socket);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	64	return ret;
				65	}
				66
				67	static int socket_new(BIO* b) {
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	68	BIO_set_shutdown(b, 0);
				69	BIO_set_init(b, 1);
				70	BIO_set_data(b, 0);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	71	return 1;
				72	}
				73
				74	static int socket_free(BIO* b) {
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	75	if (b == nullptr)
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	76	return 0;
				77	return 1;
				78	}
				79
				80	static int socket_read(BIO* b, char* out, int outl) {
				81	if (!out)
				82	return -1;
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	83	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	84	BIO_clear_retry_flags(b);
Stefan Holmer	9131efd	2016-05-23 16:19:26	[diff] [blame]	85	int result = socket->Recv(out, outl, nullptr);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	86	if (result > 0) {
				87	return result;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	88	} else if (socket->IsBlocking()) {
				89	BIO_set_retry_read(b);
				90	}
				91	return -1;
				92	}
				93
				94	static int socket_write(BIO* b, const char* in, int inl) {
				95	if (!in)
				96	return -1;
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	97	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	98	BIO_clear_retry_flags(b);
				99	int result = socket->Send(in, inl);
				100	if (result > 0) {
				101	return result;
				102	} else if (socket->IsBlocking()) {
				103	BIO_set_retry_write(b);
				104	}
				105	return -1;
				106	}
				107
				108	static int socket_puts(BIO* b, const char* str) {
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09	[diff] [blame]	109	return socket_write(b, str, rtc::checked_cast<int>(strlen(str)));
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	110	}
				111
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	112	static long socket_ctrl(BIO* b, int cmd, long num, void* ptr) { // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	113	switch (cmd) {
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	114	case BIO_CTRL_RESET:
				115	return 0;
				116	case BIO_CTRL_EOF: {
				117	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(ptr);
				118	// 1 means socket closed.
				119	return (socket->GetState() == rtc::AsyncSocket::CS_CLOSED) ? 1 : 0;
				120	}
				121	case BIO_CTRL_WPENDING:
				122	case BIO_CTRL_PENDING:
				123	return 0;
				124	case BIO_CTRL_FLUSH:
				125	return 1;
				126	default:
				127	return 0;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	128	}
				129	}
				130
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	131	static void LogSslError() {
				132	// Walk down the error stack to find the SSL error.
				133	uint32_t error_code;
				134	const char* file;
				135	int line;
				136	do {
				137	error_code = ERR_get_error_line(&file, &line);
				138	if (ERR_GET_LIB(error_code) == ERR_LIB_SSL) {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	139	RTC_LOG(LS_ERROR) << "ERR_LIB_SSL: " << error_code << ", " << file << ":"
				140	<< line;
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	141	break;
				142	}
				143	} while (error_code != 0);
				144	}
				145
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	146	/////////////////////////////////////////////////////////////////////////////
				147	// OpenSSLAdapter
				148	/////////////////////////////////////////////////////////////////////////////
				149
				150	namespace rtc {
				151
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	152	bool OpenSSLAdapter::InitializeSSL() {
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	153	if (!SSL_library_init())
				154	return false;
Torbjorn Granlund	9adc91d	2016-03-24 13:05:06	[diff] [blame]	155	#if !defined(ADDRESS_SANITIZER) \|\| !defined(WEBRTC_MAC) \|\| defined(WEBRTC_IOS)
				156	// Loading the error strings crashes mac_asan. Omit this debugging aid there.
				157	SSL_load_error_strings();
				158	#endif
				159	ERR_load_BIO_strings();
				160	OpenSSL_add_all_algorithms();
				161	RAND_poll();
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	162	return true;
				163	}
				164
Torbjorn Granlund	9adc91d	2016-03-24 13:05:06	[diff] [blame]	165	bool OpenSSLAdapter::CleanupSSL() {
Torbjorn Granlund	9adc91d	2016-03-24 13:05:06	[diff] [blame]	166	return true;
				167	}
				168
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	169	OpenSSLAdapter::OpenSSLAdapter(AsyncSocket* socket,
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	170	OpenSSLSessionCache* ssl_session_cache,
				171	SSLCertificateVerifier* ssl_cert_verifier)
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	172	: SSLAdapter(socket),
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	173	ssl_session_cache_(ssl_session_cache),
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	174	ssl_cert_verifier_(ssl_cert_verifier),
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	175	state_(SSL_NONE),
Steve Anton	786de70	2017-08-17 22:15:46	[diff] [blame]	176	role_(SSL_CLIENT),
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	177	ssl_read_needs_write_(false),
				178	ssl_write_needs_read_(false),
				179	restartable_(false),
				180	ssl_(nullptr),
				181	ssl_ctx_(nullptr),
				182	ssl_mode_(SSL_MODE_TLS),
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	183	ignore_bad_cert_(false),
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	184	custom_cert_verifier_status_(false) {
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	185	// If a factory is used, take a reference on the factory's SSL_CTX.
				186	// Otherwise, we'll create our own later.
				187	// Either way, we'll release our reference via SSL_CTX_free() in Cleanup().
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	188	if (ssl_session_cache_ != nullptr) {
				189	ssl_ctx_ = ssl_session_cache_->GetSSLContext();
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	190	RTC_DCHECK(ssl_ctx_);
				191	// Note: if using OpenSSL, requires version 1.1.0 or later.
				192	SSL_CTX_up_ref(ssl_ctx_);
				193	}
				194	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	195
				196	OpenSSLAdapter::~OpenSSLAdapter() {
				197	Cleanup();
				198	}
				199
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	200	void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) {
				201	ignore_bad_cert_ = ignore;
				202	}
				203
				204	void OpenSSLAdapter::SetAlpnProtocols(const std::vector<std::string>& protos) {
				205	alpn_protocols_ = protos;
				206	}
				207
				208	void OpenSSLAdapter::SetEllipticCurves(const std::vector<std::string>& curves) {
				209	elliptic_curves_ = curves;
Diogo Real	7bd1f1b	2017-09-08 19:50:41	[diff] [blame]	210	}
				211
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	212	void OpenSSLAdapter::SetMode(SSLMode mode) {
				213	RTC_DCHECK(!ssl_ctx_);
nisse	ede5da4	2017-01-12 13:15:36	[diff] [blame]	214	RTC_DCHECK(state_ == SSL_NONE);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	215	ssl_mode_ = mode;
				216	}
				217
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	218	void OpenSSLAdapter::SetCertVerifier(
				219	SSLCertificateVerifier* ssl_cert_verifier) {
				220	RTC_DCHECK(!ssl_ctx_);
				221	ssl_cert_verifier_ = ssl_cert_verifier;
				222	}
				223
Steve Anton	786de70	2017-08-17 22:15:46	[diff] [blame]	224	void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) {
				225	RTC_DCHECK(!identity_);
				226	identity_.reset(static_cast<OpenSSLIdentity*>(identity));
				227	}
				228
				229	void OpenSSLAdapter::SetRole(SSLRole role) {
				230	role_ = role;
				231	}
				232
				233	AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) {
				234	RTC_DCHECK(role_ == SSL_SERVER);
				235	AsyncSocket* socket = SSLAdapter::Accept(paddr);
				236	if (!socket) {
				237	return nullptr;
				238	}
				239
				240	SSLAdapter* adapter = SSLAdapter::Create(socket);
				241	adapter->SetIdentity(identity_->GetReference());
				242	adapter->SetRole(rtc::SSL_SERVER);
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	243	adapter->SetIgnoreBadCert(ignore_bad_cert_);
Steve Anton	786de70	2017-08-17 22:15:46	[diff] [blame]	244	adapter->StartSSL("", false);
				245	return adapter;
				246	}
				247
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	248	int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	249	if (state_ != SSL_NONE)
				250	return -1;
				251
				252	ssl_host_name_ = hostname;
				253	restartable_ = restartable;
				254
				255	if (socket_->GetState() != Socket::CS_CONNECTED) {
				256	state_ = SSL_WAIT;
				257	return 0;
				258	}
				259
				260	state_ = SSL_CONNECTING;
				261	if (int err = BeginSSL()) {
				262	Error("BeginSSL", err, false);
				263	return err;
				264	}
				265
				266	return 0;
				267	}
				268
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	269	int OpenSSLAdapter::BeginSSL() {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	270	RTC_LOG(LS_INFO) << "OpenSSLAdapter::BeginSSL: " << ssl_host_name_;
nisse	ede5da4	2017-01-12 13:15:36	[diff] [blame]	271	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	272
				273	int err = 0;
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	274	BIO* bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	275
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	276	// First set up the context. We should either have a factory, with its own
				277	// pre-existing context, or be running standalone, in which case we will
				278	// need to create one, and specify \|false\| to disable session caching.
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	279	if (ssl_session_cache_ == nullptr) {
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	280	RTC_DCHECK(!ssl_ctx_);
				281	ssl_ctx_ = CreateContext(ssl_mode_, false);
				282	}
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	283
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	284	if (!ssl_ctx_) {
				285	err = -1;
				286	goto ssl_error;
				287	}
				288
Steve Anton	786de70	2017-08-17 22:15:46	[diff] [blame]	289	if (identity_ && !identity_->ConfigureIdentity(ssl_ctx_)) {
				290	SSL_CTX_free(ssl_ctx_);
				291	err = -1;
				292	goto ssl_error;
				293	}
				294
Peter Boström	0b518bf	2016-01-27 11:35:40	[diff] [blame]	295	bio = BIO_new_socket(socket_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	296	if (!bio) {
				297	err = -1;
				298	goto ssl_error;
				299	}
				300
				301	ssl_ = SSL_new(ssl_ctx_);
				302	if (!ssl_) {
				303	err = -1;
				304	goto ssl_error;
				305	}
				306
				307	SSL_set_app_data(ssl_, this);
				308
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	309	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER allows different buffers to be passed
				310	// into SSL_write when a record could only be partially transmitted (and thus
				311	// requires another call to SSL_write to finish transmission). This allows us
				312	// to copy the data into our own buffer when this occurs, since the original
				313	// buffer can't safely be accessed after control exits Send.
				314	// TODO(deadbeef): Do we want SSL_MODE_ENABLE_PARTIAL_WRITE? It doesn't
				315	// appear Send handles partial writes properly, though maybe we never notice
				316	// since we never send more than 16KB at once..
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	317	SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE \|
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	318	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	319
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	320	// Enable SNI, if a hostname is supplied.
Emad Omara	dab1d2d	2017-06-16 22:43:11	[diff] [blame]	321	if (!ssl_host_name_.empty()) {
				322	SSL_set_tlsext_host_name(ssl_, ssl_host_name_.c_str());
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	323
				324	// Enable session caching, if configured and a hostname is supplied.
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	325	if (ssl_session_cache_ != nullptr) {
				326	SSL_SESSION* cached = ssl_session_cache_->LookupSession(ssl_host_name_);
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	327	if (cached) {
				328	if (SSL_set_session(ssl_, cached) == 0) {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	329	RTC_LOG(LS_WARNING) << "Failed to apply SSL session from cache";
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	330	err = -1;
				331	goto ssl_error;
				332	}
				333
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	334	RTC_LOG(LS_INFO) << "Attempting to resume SSL session to "
				335	<< ssl_host_name_;
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	336	}
				337	}
Emad Omara	dab1d2d	2017-06-16 22:43:11	[diff] [blame]	338	}
				339
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	340	#ifdef OPENSSL_IS_BORINGSSL
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	341	// Set a couple common TLS extensions; even though we don't use them yet.
				342	SSL_enable_ocsp_stapling(ssl_);
				343	SSL_enable_signed_cert_timestamps(ssl_);
Jiawei Ou	eb0df08	2018-02-02 22:51:18	[diff] [blame]	344	#endif
Emad Omara	cb79d23	2017-07-20 23:34:34	[diff] [blame]	345
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	346	if (!alpn_protocols_.empty()) {
				347	std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_);
Diogo Real	1dca9d5	2017-08-29 19:18:32	[diff] [blame]	348	if (!tls_alpn_string.empty()) {
				349	SSL_set_alpn_protos(
				350	ssl_, reinterpret_cast<const unsigned char*>(tls_alpn_string.data()),
Mirko Bonadei	a041f92	2018-05-23 08:22:36	[diff] [blame]	351	rtc::dchecked_cast<unsigned>(tls_alpn_string.size()));
Diogo Real	1dca9d5	2017-08-29 19:18:32	[diff] [blame]	352	}
				353	}
				354
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	355	if (!elliptic_curves_.empty()) {
				356	SSL_set1_curves_list(ssl_, rtc::join(elliptic_curves_, ':').c_str());
Diogo Real	7bd1f1b	2017-09-08 19:50:41	[diff] [blame]	357	}
				358
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	359	// Now that the initial config is done, transfer ownership of \|bio\| to the
				360	// SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup().
				361	SSL_set_bio(ssl_, bio, bio);
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	362	bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	363
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	364	// Do the connect.
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	365	err = ContinueSSL();
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	366	if (err != 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	367	goto ssl_error;
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	368	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	369
				370	return err;
				371
				372	ssl_error:
				373	Cleanup();
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	374	if (bio) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	375	BIO_free(bio);
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	376	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	377
				378	return err;
				379	}
				380
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	381	int OpenSSLAdapter::ContinueSSL() {
nisse	ede5da4	2017-01-12 13:15:36	[diff] [blame]	382	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	383
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	384	// Clear the DTLS timer
				385	Thread::Current()->Clear(this, MSG_TIMEOUT);
				386
Steve Anton	786de70	2017-08-17 22:15:46	[diff] [blame]	387	int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	388	switch (SSL_get_error(ssl_, code)) {
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	389	case SSL_ERROR_NONE:
				390	if (!SSLPostConnectionCheck(ssl_, ssl_host_name_)) {
				391	RTC_LOG(LS_ERROR) << "TLS post connection check failed";
				392	// make sure we close the socket
				393	Cleanup();
				394	// The connect failed so return -1 to shut down the socket
				395	return -1;
				396	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	397
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	398	state_ = SSL_CONNECTED;
				399	AsyncSocketAdapter::OnConnectEvent(this);
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	400	// TODO(benwright): Refactor this code path.
				401	// Don't let ourselves go away during the callbacks
				402	// PRefPtr<OpenSSLAdapter> lock(this);
				403	// RTC_LOG(LS_INFO) << " -- onStreamReadable";
				404	// AsyncSocketAdapter::OnReadEvent(this);
				405	// RTC_LOG(LS_INFO) << " -- onStreamWriteable";
				406	// AsyncSocketAdapter::OnWriteEvent(this);
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	407	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	408
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	409	case SSL_ERROR_WANT_READ:
				410	RTC_LOG(LS_VERBOSE) << " -- error want read";
				411	struct timeval timeout;
				412	if (DTLSv1_get_timeout(ssl_, &timeout)) {
				413	int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	414
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	415	Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, MSG_TIMEOUT,
				416	0);
				417	}
				418	break;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	419
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	420	case SSL_ERROR_WANT_WRITE:
				421	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	422
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	423	case SSL_ERROR_ZERO_RETURN:
				424	default:
				425	RTC_LOG(LS_WARNING) << "ContinueSSL -- error " << code;
				426	return (code != 0) ? code : -1;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	427	}
				428
				429	return 0;
				430	}
				431
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	432	void OpenSSLAdapter::Error(const char* context, int err, bool signal) {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	433	RTC_LOG(LS_WARNING) << "OpenSSLAdapter::Error(" << context << ", " << err
				434	<< ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	435	state_ = SSL_ERROR;
				436	SetError(err);
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	437	if (signal) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	438	AsyncSocketAdapter::OnCloseEvent(this, err);
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	439	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	440	}
				441
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	442	void OpenSSLAdapter::Cleanup() {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	443	RTC_LOG(LS_INFO) << "OpenSSLAdapter::Cleanup";
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	444
				445	state_ = SSL_NONE;
				446	ssl_read_needs_write_ = false;
				447	ssl_write_needs_read_ = false;
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	448	custom_cert_verifier_status_ = false;
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	449	pending_data_.Clear();
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	450
				451	if (ssl_) {
				452	SSL_free(ssl_);
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	453	ssl_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	454	}
				455
				456	if (ssl_ctx_) {
				457	SSL_CTX_free(ssl_ctx_);
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	458	ssl_ctx_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	459	}
Steve Anton	786de70	2017-08-17 22:15:46	[diff] [blame]	460	identity_.reset();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	461
				462	// Clear the DTLS timer
				463	Thread::Current()->Clear(this, MSG_TIMEOUT);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	464	}
				465
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	466	int OpenSSLAdapter::DoSslWrite(const void* pv, size_t cb, int* error) {
				467	// If we have pending data (that was previously only partially written by
				468	// SSL_write), we shouldn't be attempting to write anything else.
				469	RTC_DCHECK(pending_data_.empty() \|\| pv == pending_data_.data());
				470	RTC_DCHECK(error != nullptr);
				471
				472	ssl_write_needs_read_ = false;
				473	int ret = SSL_write(ssl_, pv, checked_cast<int>(cb));
				474	*error = SSL_get_error(ssl_, ret);
				475	switch (*error) {
				476	case SSL_ERROR_NONE:
				477	// Success!
				478	return ret;
				479	case SSL_ERROR_WANT_READ:
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	480	RTC_LOG(LS_INFO) << " -- error want read";
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	481	ssl_write_needs_read_ = true;
				482	SetError(EWOULDBLOCK);
				483	break;
				484	case SSL_ERROR_WANT_WRITE:
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	485	RTC_LOG(LS_INFO) << " -- error want write";
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	486	SetError(EWOULDBLOCK);
				487	break;
				488	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	489	SetError(EWOULDBLOCK);
				490	// do we need to signal closure?
				491	break;
				492	case SSL_ERROR_SSL:
				493	LogSslError();
				494	Error("SSL_write", ret ? ret : -1, false);
				495	break;
				496	default:
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	497	Error("SSL_write", ret ? ret : -1, false);
				498	break;
				499	}
				500
				501	return SOCKET_ERROR;
				502	}
				503
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	504	///////////////////////////////////////////////////////////////////////////////
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	505	// AsyncSocket Implementation
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	506	///////////////////////////////////////////////////////////////////////////////
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	507
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	508	int OpenSSLAdapter::Send(const void* pv, size_t cb) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	509	switch (state_) {
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	510	case SSL_NONE:
				511	return AsyncSocketAdapter::Send(pv, cb);
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	512	case SSL_WAIT:
				513	case SSL_CONNECTING:
				514	SetError(ENOTCONN);
				515	return SOCKET_ERROR;
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	516	case SSL_CONNECTED:
				517	break;
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	518	case SSL_ERROR:
				519	default:
				520	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	521	}
				522
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	523	int ret;
				524	int error;
				525
				526	if (!pending_data_.empty()) {
				527	ret = DoSslWrite(pending_data_.data(), pending_data_.size(), &error);
				528	if (ret != static_cast<int>(pending_data_.size())) {
				529	// We couldn't finish sending the pending data, so we definitely can't
				530	// send any more data. Return with an EWOULDBLOCK error.
				531	SetError(EWOULDBLOCK);
				532	return SOCKET_ERROR;
				533	}
				534	// We completed sending the data previously passed into SSL_write! Now
				535	// we're allowed to send more data.
				536	pending_data_.Clear();
				537	}
				538
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	539	// OpenSSL will return an error if we try to write zero bytes
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	540	if (cb == 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	541	return 0;
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	542	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	543
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	544	ret = DoSslWrite(pv, cb, &error);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	545
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	546	// If SSL_write fails with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, this
				547	// means the underlying socket is blocked on reading or (more typically)
				548	// writing. When this happens, OpenSSL requires that the next call to
				549	// SSL_write uses the same arguments (though, with
				550	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, the actual buffer pointer may be
				551	// different).
				552	//
				553	// However, after Send exits, we will have lost access to data the user of
				554	// this class is trying to send, and there's no guarantee that the user of
				555	// this class will call Send with the same arguements when it fails. So, we
				556	// buffer the data ourselves. When we know the underlying socket is writable
				557	// again from OnWriteEvent (or if Send is called again before that happens),
				558	// we'll retry sending this buffered data.
deadbeef	e5dce2b	2017-06-02 18:52:06	[diff] [blame]	559	if (error == SSL_ERROR_WANT_READ \|\| error == SSL_ERROR_WANT_WRITE) {
				560	// Shouldn't be able to get to this point if we already have pending data.
				561	RTC_DCHECK(pending_data_.empty());
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	562	RTC_LOG(LS_WARNING)
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	563	<< "SSL_write couldn't write to the underlying socket; buffering data.";
				564	pending_data_.SetData(static_cast<const uint8_t*>(pv), cb);
				565	// Since we're taking responsibility for sending this data, return its full
				566	// size. The user of this class can consider it sent.
Mirko Bonadei	a041f92	2018-05-23 08:22:36	[diff] [blame]	567	return rtc::dchecked_cast<int>(cb);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	568	}
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	569	return ret;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	570	}
				571
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	572	int OpenSSLAdapter::SendTo(const void* pv,
				573	size_t cb,
				574	const SocketAddress& addr) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	575	if (socket_->GetState() == Socket::CS_CONNECTED &&
				576	addr == socket_->GetRemoteAddress()) {
				577	return Send(pv, cb);
				578	}
				579
				580	SetError(ENOTCONN);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	581	return SOCKET_ERROR;
				582	}
				583
Stefan Holmer	9131efd	2016-05-23 16:19:26	[diff] [blame]	584	int OpenSSLAdapter::Recv(void* pv, size_t cb, int64_t* timestamp) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	585	switch (state_) {
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	586	case SSL_NONE:
				587	return AsyncSocketAdapter::Recv(pv, cb, timestamp);
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	588	case SSL_WAIT:
				589	case SSL_CONNECTING:
				590	SetError(ENOTCONN);
				591	return SOCKET_ERROR;
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	592	case SSL_CONNECTED:
				593	break;
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	594	case SSL_ERROR:
				595	default:
				596	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	597	}
				598
				599	// Don't trust OpenSSL with zero byte reads
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	600	if (cb == 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	601	return 0;
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	602	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	603
				604	ssl_read_needs_write_ = false;
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09	[diff] [blame]	605	int code = SSL_read(ssl_, pv, checked_cast<int>(cb));
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	606	int error = SSL_get_error(ssl_, code);
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	607
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	608	switch (error) {
				609	case SSL_ERROR_NONE:
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	610	return code;
				611	case SSL_ERROR_WANT_READ:
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	612	SetError(EWOULDBLOCK);
				613	break;
				614	case SSL_ERROR_WANT_WRITE:
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	615	ssl_read_needs_write_ = true;
				616	SetError(EWOULDBLOCK);
				617	break;
				618	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	619	SetError(EWOULDBLOCK);
				620	// do we need to signal closure?
				621	break;
				622	case SSL_ERROR_SSL:
				623	LogSslError();
				624	Error("SSL_read", (code ? code : -1), false);
				625	break;
				626	default:
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	627	Error("SSL_read", (code ? code : -1), false);
				628	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	629	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	630	return SOCKET_ERROR;
				631	}
				632
Stefan Holmer	9131efd	2016-05-23 16:19:26	[diff] [blame]	633	int OpenSSLAdapter::RecvFrom(void* pv,
				634	size_t cb,
				635	SocketAddress* paddr,
				636	int64_t* timestamp) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	637	if (socket_->GetState() == Socket::CS_CONNECTED) {
Stefan Holmer	9131efd	2016-05-23 16:19:26	[diff] [blame]	638	int ret = Recv(pv, cb, timestamp);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	639	*paddr = GetRemoteAddress();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	640	return ret;
				641	}
				642
				643	SetError(ENOTCONN);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	644	return SOCKET_ERROR;
				645	}
				646
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	647	int OpenSSLAdapter::Close() {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	648	Cleanup();
				649	state_ = restartable_ ? SSL_WAIT : SSL_NONE;
				650	return AsyncSocketAdapter::Close();
				651	}
				652
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	653	Socket::ConnState OpenSSLAdapter::GetState() const {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	654	ConnState state = socket_->GetState();
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	655	if ((state == CS_CONNECTED) &&
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	656	((state_ == SSL_WAIT) \|\| (state_ == SSL_CONNECTING))) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	657	state = CS_CONNECTING;
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	658	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	659	return state;
				660	}
				661
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	662	bool OpenSSLAdapter::IsResumedSession() {
				663	return (ssl_ && SSL_session_reused(ssl_) == 1);
				664	}
				665
				666	void OpenSSLAdapter::OnMessage(Message* msg) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	667	if (MSG_TIMEOUT == msg->message_id) {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	668	RTC_LOG(LS_INFO) << "DTLS timeout expired";
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	669	DTLSv1_handle_timeout(ssl_);
				670	ContinueSSL();
				671	}
				672	}
				673
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	674	void OpenSSLAdapter::OnConnectEvent(AsyncSocket* socket) {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	675	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnConnectEvent";
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	676	if (state_ != SSL_WAIT) {
nisse	ede5da4	2017-01-12 13:15:36	[diff] [blame]	677	RTC_DCHECK(state_ == SSL_NONE);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	678	AsyncSocketAdapter::OnConnectEvent(socket);
				679	return;
				680	}
				681
				682	state_ = SSL_CONNECTING;
				683	if (int err = BeginSSL()) {
				684	AsyncSocketAdapter::OnCloseEvent(socket, err);
				685	}
				686	}
				687
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	688	void OpenSSLAdapter::OnReadEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	689	if (state_ == SSL_NONE) {
				690	AsyncSocketAdapter::OnReadEvent(socket);
				691	return;
				692	}
				693
				694	if (state_ == SSL_CONNECTING) {
				695	if (int err = ContinueSSL()) {
				696	Error("ContinueSSL", err);
				697	}
				698	return;
				699	}
				700
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	701	if (state_ != SSL_CONNECTED) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	702	return;
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	703	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	704
				705	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	706	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	707	if (ssl_write_needs_read_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	708	AsyncSocketAdapter::OnWriteEvent(socket);
				709	}
				710
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	711	AsyncSocketAdapter::OnReadEvent(socket);
				712	}
				713
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	714	void OpenSSLAdapter::OnWriteEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	715	if (state_ == SSL_NONE) {
				716	AsyncSocketAdapter::OnWriteEvent(socket);
				717	return;
				718	}
				719
				720	if (state_ == SSL_CONNECTING) {
				721	if (int err = ContinueSSL()) {
				722	Error("ContinueSSL", err);
				723	}
				724	return;
				725	}
				726
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	727	if (state_ != SSL_CONNECTED) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	728	return;
Benjamin Wright	243cabe	2018-10-16 08:55:28	[diff] [blame]	729	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	730
				731	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	732	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	733
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	734	if (ssl_read_needs_write_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	735	AsyncSocketAdapter::OnReadEvent(socket);
				736	}
				737
deadbeef	ed3b986	2017-06-02 17:33:16	[diff] [blame]	738	// If a previous SSL_write failed due to the underlying socket being blocked,
				739	// this will attempt finishing the write operation.
				740	if (!pending_data_.empty()) {
				741	int error;
				742	if (DoSslWrite(pending_data_.data(), pending_data_.size(), &error) ==
				743	static_cast<int>(pending_data_.size())) {
				744	pending_data_.Clear();
				745	}
				746	}
				747
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	748	AsyncSocketAdapter::OnWriteEvent(socket);
				749	}
				750
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	751	void OpenSSLAdapter::OnCloseEvent(AsyncSocket* socket, int err) {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	752	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	753	AsyncSocketAdapter::OnCloseEvent(socket, err);
				754	}
				755
Benjamin Wright	9201d1a	2018-04-05 19:12:26	[diff] [blame]	756	bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const std::string& host) {
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	757	bool is_valid_cert_name =
				758	openssl::VerifyPeerCertMatchesHost(ssl, host) &&
				759	(SSL_get_verify_result(ssl) == X509_V_OK \|\| custom_cert_verifier_status_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	760
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	761	if (!is_valid_cert_name && ignore_bad_cert_) {
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	762	RTC_DLOG(LS_WARNING) << "Other TLS post connection checks failed. "
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	763	"ignore_bad_cert_ set to true. Overriding name "
				764	"verification failure!";
Benjamin Wright	9201d1a	2018-04-05 19:12:26	[diff] [blame]	765	is_valid_cert_name = true;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	766	}
Benjamin Wright	9201d1a	2018-04-05 19:12:26	[diff] [blame]	767	return is_valid_cert_name;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	768	}
				769
tfarina	a41ab93	2015-10-30 23:08:48	[diff] [blame]	770	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	771
				772	// We only use this for tracing and so it is only needed in debug mode
				773
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	774	void OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int ret) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	775	const char* str = "undefined";
				776	int w = where & ~SSL_ST_MASK;
				777	if (w & SSL_ST_CONNECT) {
				778	str = "SSL_connect";
				779	} else if (w & SSL_ST_ACCEPT) {
				780	str = "SSL_accept";
				781	}
				782	if (where & SSL_CB_LOOP) {
Jonas Olsson	addc380	2018-02-01 08:53:06	[diff] [blame]	783	RTC_DLOG(LS_INFO) << str << ":" << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	784	} else if (where & SSL_CB_ALERT) {
				785	str = (where & SSL_CB_READ) ? "read" : "write";
Jonas Olsson	addc380	2018-02-01 08:53:06	[diff] [blame]	786	RTC_DLOG(LS_INFO) << "SSL3 alert " << str << ":"
				787	<< SSL_alert_type_string_long(ret) << ":"
				788	<< SSL_alert_desc_string_long(ret);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	789	} else if (where & SSL_CB_EXIT) {
				790	if (ret == 0) {
Jonas Olsson	addc380	2018-02-01 08:53:06	[diff] [blame]	791	RTC_DLOG(LS_INFO) << str << ":failed in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	792	} else if (ret < 0) {
Jonas Olsson	addc380	2018-02-01 08:53:06	[diff] [blame]	793	RTC_DLOG(LS_INFO) << str << ":error in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	794	}
				795	}
				796	}
				797
tfarina	a41ab93	2015-10-30 23:08:48	[diff] [blame]	798	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	799
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	800	int OpenSSLAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
tfarina	a41ab93	2015-10-30 23:08:48	[diff] [blame]	801	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	802	if (!ok) {
				803	char data[256];
				804	X509* cert = X509_STORE_CTX_get_current_cert(store);
				805	int depth = X509_STORE_CTX_get_error_depth(store);
				806	int err = X509_STORE_CTX_get_error(store);
				807
Jonas Olsson	addc380	2018-02-01 08:53:06	[diff] [blame]	808	RTC_DLOG(LS_INFO) << "Error with certificate at depth: " << depth;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	809	X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 08:53:06	[diff] [blame]	810	RTC_DLOG(LS_INFO) << " issuer = " << data;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	811	X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 08:53:06	[diff] [blame]	812	RTC_DLOG(LS_INFO) << " subject = " << data;
				813	RTC_DLOG(LS_INFO) << " err = " << err << ":"
				814	<< X509_verify_cert_error_string(err);
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	815	}
				816	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	817	// Get our stream pointer from the store
				818	SSL* ssl = reinterpret_cast<SSL*>(
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	819	X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	820
				821	OpenSSLAdapter* stream =
Yves Gerey	665174f	2018-06-19 13:03:05	[diff] [blame]	822	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	823
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	824	if (!ok && stream->ssl_cert_verifier_ != nullptr) {
				825	RTC_LOG(LS_INFO) << "Invoking SSL Verify Callback.";
				826	const OpenSSLCertificate cert(X509_STORE_CTX_get_current_cert(store));
				827	if (stream->ssl_cert_verifier_->Verify(cert)) {
				828	stream->custom_cert_verifier_status_ = true;
				829	RTC_LOG(LS_INFO) << "Validated certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	830	ok = true;
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	831	} else {
				832	RTC_LOG(LS_INFO) << "Failed to verify certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	833	}
				834	}
				835
				836	// Should only be used for debugging and development.
Sergey Silkin	9c147dd	2018-09-12 10:45:38	[diff] [blame]	837	if (!ok && stream->ignore_bad_cert_) {
Jonas Olsson	addc380	2018-02-01 08:53:06	[diff] [blame]	838	RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	839	ok = 1;
				840	}
				841
				842	return ok;
				843	}
				844
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	845	int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) {
				846	OpenSSLAdapter* stream =
				847	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	848	RTC_DCHECK(stream->ssl_session_cache_);
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	849	RTC_LOG(LS_INFO) << "Caching SSL session for " << stream->ssl_host_name_;
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	850	stream->ssl_session_cache_->AddSession(stream->ssl_host_name_, session);
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	851	return 1; // We've taken ownership of the session; OpenSSL shouldn't free it.
				852	}
				853
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	854	SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
David Benjamin	170a4b3	2019-01-30 15:46:16	[diff] [blame]	855	SSL_CTX* ctx =
				856	SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	857	if (ctx == nullptr) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	858	unsigned long error = ERR_get_error(); // NOLINT: type used by OpenSSL.
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	859	RTC_LOG(LS_WARNING) << "SSL_CTX creation failed: " << '"'
				860	<< ERR_reason_error_string(error) << "\" "
				861	<< "(error=" << error << ')';
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	862	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	863	}
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	864
Mirko Bonadei	b889a20	2018-08-15 09:41:27	[diff] [blame]	865	#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	866	if (!openssl::LoadBuiltinSSLRootCertificates(ctx)) {
				867	RTC_LOG(LS_ERROR) << "SSL_CTX creation failed: Failed to load any trusted "
				868	"ssl root certificates.";
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	869	SSL_CTX_free(ctx);
deadbeef	37f5ecf	2017-02-27 22:06:41	[diff] [blame]	870	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	871	}
Mirko Bonadei	b889a20	2018-08-15 09:41:27	[diff] [blame]	872	#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	873
tfarina	a41ab93	2015-10-30 23:08:48	[diff] [blame]	874	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	875	SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
				876	#endif
				877
				878	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
				879	SSL_CTX_set_verify_depth(ctx, 4);
Emad Omara	c6de0c9	2017-06-21 23:40:56	[diff] [blame]	880	// Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
				881	// (note that SHA256 and SHA384 only select legacy CBC ciphers).
				882	// Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
				883	// CBC-mode ECDSA ciphers.
				884	SSL_CTX_set_cipher_list(
				885	ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5");
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	886
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	887	if (mode == SSL_MODE_DTLS) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14	[diff] [blame]	888	SSL_CTX_set_read_ahead(ctx, 1);
				889	}
				890
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	891	if (enable_cache) {
				892	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
				893	SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback);
				894	}
				895
henrike@webrtc.org	f048872	2014-05-13 18:00:26	[diff] [blame]	896	return ctx;
				897	}
				898
Diogo Real	1dca9d5	2017-08-29 19:18:32	[diff] [blame]	899	std::string TransformAlpnProtocols(
				900	const std::vector<std::string>& alpn_protocols) {
				901	// Transforms the alpn_protocols list to the format expected by
				902	// Open/BoringSSL. This requires joining the protocols into a single string
				903	// and prepending a character with the size of the protocol string before
				904	// each protocol.
				905	std::string transformed_alpn;
				906	for (const std::string& proto : alpn_protocols) {
				907	if (proto.size() == 0 \|\| proto.size() > 0xFF) {
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	908	RTC_LOG(LS_ERROR) << "OpenSSLAdapter::Error("
				909	<< "TransformAlpnProtocols received proto with size "
				910	<< proto.size() << ")";
Diogo Real	1dca9d5	2017-08-29 19:18:32	[diff] [blame]	911	return "";
				912	}
				913	transformed_alpn += static_cast<char>(proto.size());
				914	transformed_alpn += proto;
Mirko Bonadei	675513b	2017-11-09 10:09:25	[diff] [blame]	915	RTC_LOG(LS_VERBOSE) << "TransformAlpnProtocols: Adding proto: " << proto;
Diogo Real	1dca9d5	2017-08-29 19:18:32	[diff] [blame]	916	}
				917	return transformed_alpn;
				918	}
				919
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	920	//////////////////////////////////////////////////////////////////////
				921	// OpenSSLAdapterFactory
				922	//////////////////////////////////////////////////////////////////////
				923
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	924	OpenSSLAdapterFactory::OpenSSLAdapterFactory() = default;
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	925
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	926	OpenSSLAdapterFactory::~OpenSSLAdapterFactory() = default;
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	927
				928	void OpenSSLAdapterFactory::SetMode(SSLMode mode) {
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	929	RTC_DCHECK(!ssl_session_cache_);
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	930	ssl_mode_ = mode;
				931	}
				932
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	933	void OpenSSLAdapterFactory::SetCertVerifier(
				934	SSLCertificateVerifier* ssl_cert_verifier) {
				935	RTC_DCHECK(!ssl_session_cache_);
				936	ssl_cert_verifier_ = ssl_cert_verifier;
				937	}
				938
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	939	OpenSSLAdapter* OpenSSLAdapterFactory::CreateAdapter(AsyncSocket* socket) {
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	940	if (ssl_session_cache_ == nullptr) {
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	941	SSL_CTX* ssl_ctx = OpenSSLAdapter::CreateContext(ssl_mode_, true);
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	942	if (ssl_ctx == nullptr) {
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	943	return nullptr;
				944	}
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	945	// The OpenSSLSessionCache will upref the ssl_ctx.
Karl Wiberg	918f50c	2018-07-05 09:40:33	[diff] [blame]	946	ssl_session_cache_ =
Mirko Bonadei	317a1f0	2019-09-17 15:06:18	[diff] [blame]	947	std::make_unique<OpenSSLSessionCache>(ssl_mode_, ssl_ctx);
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	948	SSL_CTX_free(ssl_ctx);
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	949	}
Benjamin Wright	d6f86e8	2018-05-08 20:12:25	[diff] [blame]	950	return new OpenSSLAdapter(socket, ssl_session_cache_.get(),
				951	ssl_cert_verifier_);
Justin Uberti	1d44550	2017-08-15 00:04:34	[diff] [blame]	952	}
				953
Benjamin Wright	19aab2e	2018-04-05 22:39:06	[diff] [blame]	954	} // namespace rtc