blob: 9c6c34479beaf44406284945caecf1b7c0894656 [file] [log] [blame]
henrike@webrtc.org47be73b2014-05-13 18:00:261/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
Henrik Kjellanderfb3e1b62017-06-29 06:03:0411#ifndef WEBRTC_RTC_BASE_OPENSSLADAPTER_H_
12#define WEBRTC_RTC_BASE_OPENSSLADAPTER_H_
henrike@webrtc.org47be73b2014-05-13 18:00:2613
Justin Ubertid5bb8312017-08-15 00:04:3414#include <map>
Henrik Kjellander88b2dd42017-06-29 05:52:5015#include <string>
kjellander19796962017-06-30 17:45:2116#include "webrtc/rtc_base/buffer.h"
17#include "webrtc/rtc_base/messagehandler.h"
18#include "webrtc/rtc_base/messagequeue.h"
Steve Antonf933fb72017-08-17 22:15:4619#include "webrtc/rtc_base/opensslidentity.h"
kjellander19796962017-06-30 17:45:2120#include "webrtc/rtc_base/ssladapter.h"
henrike@webrtc.org47be73b2014-05-13 18:00:2621
Henrik Kjellander88b2dd42017-06-29 05:52:5022typedef struct ssl_st SSL;
23typedef struct ssl_ctx_st SSL_CTX;
24typedef struct x509_store_ctx_st X509_STORE_CTX;
Justin Ubertid5bb8312017-08-15 00:04:3425typedef struct ssl_session_st SSL_SESSION;
henrike@webrtc.org47be73b2014-05-13 18:00:2626
Henrik Kjellander88b2dd42017-06-29 05:52:5027namespace rtc {
28
Justin Ubertid5bb8312017-08-15 00:04:3429class OpenSSLAdapterFactory;
Henrik Kjellander88b2dd42017-06-29 05:52:5030
31class OpenSSLAdapter : public SSLAdapter, public MessageHandler {
Justin Ubertid5bb8312017-08-15 00:04:3432 public:
Henrik Kjellander88b2dd42017-06-29 05:52:5033 static bool InitializeSSL(VerificationCallback callback);
34 static bool InitializeSSLThread();
35 static bool CleanupSSL();
36
Justin Ubertid5bb8312017-08-15 00:04:3437 explicit OpenSSLAdapter(AsyncSocket* socket,
38 OpenSSLAdapterFactory* factory = nullptr);
Henrik Kjellander88b2dd42017-06-29 05:52:5039 ~OpenSSLAdapter() override;
40
Diogo Realadaf22f2017-08-29 19:18:3241 void SetIgnoreBadCert(bool ignore) override;
42 void SetAlpnProtocols(const std::vector<std::string>& protos) override;
43
Henrik Kjellander88b2dd42017-06-29 05:52:5044 void SetMode(SSLMode mode) override;
Steve Antonf933fb72017-08-17 22:15:4645 void SetIdentity(SSLIdentity* identity) override;
46 void SetRole(SSLRole role) override;
47 AsyncSocket* Accept(SocketAddress* paddr) override;
Henrik Kjellander88b2dd42017-06-29 05:52:5048 int StartSSL(const char* hostname, bool restartable) override;
49 int Send(const void* pv, size_t cb) override;
50 int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override;
51 int Recv(void* pv, size_t cb, int64_t* timestamp) override;
52 int RecvFrom(void* pv,
53 size_t cb,
54 SocketAddress* paddr,
55 int64_t* timestamp) override;
56 int Close() override;
57
58 // Note that the socket returns ST_CONNECTING while SSL is being negotiated.
59 ConnState GetState() const override;
Justin Ubertid5bb8312017-08-15 00:04:3460 bool IsResumedSession() override;
Henrik Kjellander88b2dd42017-06-29 05:52:5061
Justin Ubertid5bb8312017-08-15 00:04:3462 // Creates a new SSL_CTX object, configured for client-to-server usage
63 // with SSLMode |mode|, and if |enable_cache| is true, with support for
64 // storing successful sessions so that they can be later resumed.
65 // OpenSSLAdapterFactory will call this method to create its own internal
66 // SSL_CTX, and OpenSSLAdapter will also call this when used without a
67 // factory.
68 static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache);
Henrik Kjellander88b2dd42017-06-29 05:52:5069
Justin Ubertid5bb8312017-08-15 00:04:3470 protected:
71 void OnConnectEvent(AsyncSocket* socket) override;
72 void OnReadEvent(AsyncSocket* socket) override;
73 void OnWriteEvent(AsyncSocket* socket) override;
74 void OnCloseEvent(AsyncSocket* socket, int err) override;
75
76 private:
Henrik Kjellander88b2dd42017-06-29 05:52:5077 enum SSLState {
78 SSL_NONE, SSL_WAIT, SSL_CONNECTING, SSL_CONNECTED, SSL_ERROR
79 };
80
81 enum { MSG_TIMEOUT };
82
83 int BeginSSL();
84 int ContinueSSL();
85 void Error(const char* context, int err, bool signal = true);
86 void Cleanup();
87
88 // Return value and arguments have the same meanings as for Send; |error| is
89 // an output parameter filled with the result of SSL_get_error.
90 int DoSslWrite(const void* pv, size_t cb, int* error);
91
92 void OnMessage(Message* msg) override;
93
94 static bool VerifyServerName(SSL* ssl, const char* host,
95 bool ignore_bad_cert);
96 bool SSLPostConnectionCheck(SSL* ssl, const char* host);
97#if !defined(NDEBUG)
Justin Ubertid5bb8312017-08-15 00:04:3498 // In debug builds, logs info about the state of the SSL connection.
99 static void SSLInfoCallback(const SSL* ssl, int where, int ret);
Henrik Kjellander88b2dd42017-06-29 05:52:50100#endif
101 static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
102 static VerificationCallback custom_verify_callback_;
103 friend class OpenSSLStreamAdapter; // for custom_verify_callback_;
104
Justin Ubertid5bb8312017-08-15 00:04:34105 // If the SSL_CTX was created with |enable_cache| set to true, this callback
106 // will be called when a SSL session has been successfully established,
107 // to allow its SSL_SESSION* to be cached for later resumption.
108 static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session);
109
Henrik Kjellander88b2dd42017-06-29 05:52:50110 static bool ConfigureTrustedRootCertificates(SSL_CTX* ctx);
Justin Ubertid5bb8312017-08-15 00:04:34111
112 // Parent object that maintains shared state.
113 // Can be null if state sharing is not needed.
114 OpenSSLAdapterFactory* factory_;
Henrik Kjellander88b2dd42017-06-29 05:52:50115
116 SSLState state_;
Steve Antonf933fb72017-08-17 22:15:46117 std::unique_ptr<OpenSSLIdentity> identity_;
118 SSLRole role_;
Henrik Kjellander88b2dd42017-06-29 05:52:50119 bool ssl_read_needs_write_;
120 bool ssl_write_needs_read_;
121 // If true, socket will retain SSL configuration after Close.
Justin Ubertid5bb8312017-08-15 00:04:34122 // TODO(juberti): Remove this unused flag.
Henrik Kjellander88b2dd42017-06-29 05:52:50123 bool restartable_;
124
125 // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which
126 // means we need to keep retrying with *the same exact data* until it
127 // succeeds. Afterwards it will be cleared.
128 Buffer pending_data_;
129
130 SSL* ssl_;
131 SSL_CTX* ssl_ctx_;
132 std::string ssl_host_name_;
133 // Do DTLS or not
134 SSLMode ssl_mode_;
Diogo Realadaf22f2017-08-29 19:18:32135 // If true, the server certificate need not match the configured hostname.
136 bool ignore_bad_cert_;
137 // List of protocols to be used in the TLS ALPN extension.
138 std::vector<std::string> alpn_protocols_;
Henrik Kjellander88b2dd42017-06-29 05:52:50139
140 bool custom_verification_succeeded_;
141};
142
Diogo Realadaf22f2017-08-29 19:18:32143std::string TransformAlpnProtocols(const std::vector<std::string>& protos);
144
145/////////////////////////////////////////////////////////////////////////////
Justin Ubertid5bb8312017-08-15 00:04:34146class OpenSSLAdapterFactory : public SSLAdapterFactory {
147 public:
148 OpenSSLAdapterFactory();
149 ~OpenSSLAdapterFactory() override;
Henrik Kjellander88b2dd42017-06-29 05:52:50150
Justin Ubertid5bb8312017-08-15 00:04:34151 void SetMode(SSLMode mode) override;
152 OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override;
Henrik Kjellander88b2dd42017-06-29 05:52:50153
Justin Ubertid5bb8312017-08-15 00:04:34154 static OpenSSLAdapterFactory* Create();
Henrik Kjellanderfb3e1b62017-06-29 06:03:04155
Justin Ubertid5bb8312017-08-15 00:04:34156 private:
157 SSL_CTX* ssl_ctx() { return ssl_ctx_; }
158 // Looks up a session by hostname. The returned SSL_SESSION is not up_refed.
159 SSL_SESSION* LookupSession(const std::string& hostname);
160 // Adds a session to the cache, and up_refs it. Any existing session with the
161 // same hostname is replaced.
162 void AddSession(const std::string& hostname, SSL_SESSION* session);
163 friend class OpenSSLAdapter;
164
165 SSLMode ssl_mode_;
166 // Holds the shared SSL_CTX for all created adapters.
167 SSL_CTX* ssl_ctx_;
168 // Map of hostnames to SSL_SESSIONs; holds references to the SSL_SESSIONs,
169 // which are cleaned up when the factory is destroyed.
170 // TODO(juberti): Add LRU eviction to keep the cache from growing forever.
171 std::map<std::string, SSL_SESSION*> sessions_;
172};
173
174} // namespace rtc
175
176#endif // WEBRTC_RTC_BASE_OPENSSLADAPTER_H_