henrike@webrtc.org | 47be73b | 2014-05-13 18:00:26 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 | * |
| 4 | * Use of this source code is governed by a BSD-style license |
| 5 | * that can be found in the LICENSE file in the root of the source |
| 6 | * tree. An additional intellectual property rights grant can be found |
| 7 | * in the file PATENTS. All contributing project authors may |
| 8 | * be found in the AUTHORS file in the root of the source tree. |
| 9 | */ |
| 10 | |
Henrik Kjellander | fb3e1b6 | 2017-06-29 06:03:04 | [diff] [blame] | 11 | #ifndef WEBRTC_RTC_BASE_OPENSSLADAPTER_H_ |
| 12 | #define WEBRTC_RTC_BASE_OPENSSLADAPTER_H_ |
henrike@webrtc.org | 47be73b | 2014-05-13 18:00:26 | [diff] [blame] | 13 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 14 | #include <map> |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 15 | #include <string> |
kjellander | 1979696 | 2017-06-30 17:45:21 | [diff] [blame] | 16 | #include "webrtc/rtc_base/buffer.h" |
| 17 | #include "webrtc/rtc_base/messagehandler.h" |
| 18 | #include "webrtc/rtc_base/messagequeue.h" |
Steve Anton | f933fb7 | 2017-08-17 22:15:46 | [diff] [blame] | 19 | #include "webrtc/rtc_base/opensslidentity.h" |
kjellander | 1979696 | 2017-06-30 17:45:21 | [diff] [blame] | 20 | #include "webrtc/rtc_base/ssladapter.h" |
henrike@webrtc.org | 47be73b | 2014-05-13 18:00:26 | [diff] [blame] | 21 | |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 22 | typedef struct ssl_st SSL; |
| 23 | typedef struct ssl_ctx_st SSL_CTX; |
| 24 | typedef struct x509_store_ctx_st X509_STORE_CTX; |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 25 | typedef struct ssl_session_st SSL_SESSION; |
henrike@webrtc.org | 47be73b | 2014-05-13 18:00:26 | [diff] [blame] | 26 | |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 27 | namespace rtc { |
| 28 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 29 | class OpenSSLAdapterFactory; |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 30 | |
| 31 | class OpenSSLAdapter : public SSLAdapter, public MessageHandler { |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 32 | public: |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 33 | static bool InitializeSSL(VerificationCallback callback); |
| 34 | static bool InitializeSSLThread(); |
| 35 | static bool CleanupSSL(); |
| 36 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 37 | explicit OpenSSLAdapter(AsyncSocket* socket, |
| 38 | OpenSSLAdapterFactory* factory = nullptr); |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 39 | ~OpenSSLAdapter() override; |
| 40 | |
Diogo Real | adaf22f | 2017-08-29 19:18:32 | [diff] [blame] | 41 | void SetIgnoreBadCert(bool ignore) override; |
| 42 | void SetAlpnProtocols(const std::vector<std::string>& protos) override; |
| 43 | |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 44 | void SetMode(SSLMode mode) override; |
Steve Anton | f933fb7 | 2017-08-17 22:15:46 | [diff] [blame] | 45 | void SetIdentity(SSLIdentity* identity) override; |
| 46 | void SetRole(SSLRole role) override; |
| 47 | AsyncSocket* Accept(SocketAddress* paddr) override; |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 48 | int StartSSL(const char* hostname, bool restartable) override; |
| 49 | int Send(const void* pv, size_t cb) override; |
| 50 | int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override; |
| 51 | int Recv(void* pv, size_t cb, int64_t* timestamp) override; |
| 52 | int RecvFrom(void* pv, |
| 53 | size_t cb, |
| 54 | SocketAddress* paddr, |
| 55 | int64_t* timestamp) override; |
| 56 | int Close() override; |
| 57 | |
| 58 | // Note that the socket returns ST_CONNECTING while SSL is being negotiated. |
| 59 | ConnState GetState() const override; |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 60 | bool IsResumedSession() override; |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 61 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 62 | // Creates a new SSL_CTX object, configured for client-to-server usage |
| 63 | // with SSLMode |mode|, and if |enable_cache| is true, with support for |
| 64 | // storing successful sessions so that they can be later resumed. |
| 65 | // OpenSSLAdapterFactory will call this method to create its own internal |
| 66 | // SSL_CTX, and OpenSSLAdapter will also call this when used without a |
| 67 | // factory. |
| 68 | static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache); |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 69 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 70 | protected: |
| 71 | void OnConnectEvent(AsyncSocket* socket) override; |
| 72 | void OnReadEvent(AsyncSocket* socket) override; |
| 73 | void OnWriteEvent(AsyncSocket* socket) override; |
| 74 | void OnCloseEvent(AsyncSocket* socket, int err) override; |
| 75 | |
| 76 | private: |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 77 | enum SSLState { |
| 78 | SSL_NONE, SSL_WAIT, SSL_CONNECTING, SSL_CONNECTED, SSL_ERROR |
| 79 | }; |
| 80 | |
| 81 | enum { MSG_TIMEOUT }; |
| 82 | |
| 83 | int BeginSSL(); |
| 84 | int ContinueSSL(); |
| 85 | void Error(const char* context, int err, bool signal = true); |
| 86 | void Cleanup(); |
| 87 | |
| 88 | // Return value and arguments have the same meanings as for Send; |error| is |
| 89 | // an output parameter filled with the result of SSL_get_error. |
| 90 | int DoSslWrite(const void* pv, size_t cb, int* error); |
| 91 | |
| 92 | void OnMessage(Message* msg) override; |
| 93 | |
| 94 | static bool VerifyServerName(SSL* ssl, const char* host, |
| 95 | bool ignore_bad_cert); |
| 96 | bool SSLPostConnectionCheck(SSL* ssl, const char* host); |
| 97 | #if !defined(NDEBUG) |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 98 | // In debug builds, logs info about the state of the SSL connection. |
| 99 | static void SSLInfoCallback(const SSL* ssl, int where, int ret); |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 100 | #endif |
| 101 | static int SSLVerifyCallback(int ok, X509_STORE_CTX* store); |
| 102 | static VerificationCallback custom_verify_callback_; |
| 103 | friend class OpenSSLStreamAdapter; // for custom_verify_callback_; |
| 104 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 105 | // If the SSL_CTX was created with |enable_cache| set to true, this callback |
| 106 | // will be called when a SSL session has been successfully established, |
| 107 | // to allow its SSL_SESSION* to be cached for later resumption. |
| 108 | static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session); |
| 109 | |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 110 | static bool ConfigureTrustedRootCertificates(SSL_CTX* ctx); |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 111 | |
| 112 | // Parent object that maintains shared state. |
| 113 | // Can be null if state sharing is not needed. |
| 114 | OpenSSLAdapterFactory* factory_; |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 115 | |
| 116 | SSLState state_; |
Steve Anton | f933fb7 | 2017-08-17 22:15:46 | [diff] [blame] | 117 | std::unique_ptr<OpenSSLIdentity> identity_; |
| 118 | SSLRole role_; |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 119 | bool ssl_read_needs_write_; |
| 120 | bool ssl_write_needs_read_; |
| 121 | // If true, socket will retain SSL configuration after Close. |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 122 | // TODO(juberti): Remove this unused flag. |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 123 | bool restartable_; |
| 124 | |
| 125 | // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which |
| 126 | // means we need to keep retrying with *the same exact data* until it |
| 127 | // succeeds. Afterwards it will be cleared. |
| 128 | Buffer pending_data_; |
| 129 | |
| 130 | SSL* ssl_; |
| 131 | SSL_CTX* ssl_ctx_; |
| 132 | std::string ssl_host_name_; |
| 133 | // Do DTLS or not |
| 134 | SSLMode ssl_mode_; |
Diogo Real | adaf22f | 2017-08-29 19:18:32 | [diff] [blame] | 135 | // If true, the server certificate need not match the configured hostname. |
| 136 | bool ignore_bad_cert_; |
| 137 | // List of protocols to be used in the TLS ALPN extension. |
| 138 | std::vector<std::string> alpn_protocols_; |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 139 | |
| 140 | bool custom_verification_succeeded_; |
| 141 | }; |
| 142 | |
Diogo Real | adaf22f | 2017-08-29 19:18:32 | [diff] [blame] | 143 | std::string TransformAlpnProtocols(const std::vector<std::string>& protos); |
| 144 | |
| 145 | ///////////////////////////////////////////////////////////////////////////// |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 146 | class OpenSSLAdapterFactory : public SSLAdapterFactory { |
| 147 | public: |
| 148 | OpenSSLAdapterFactory(); |
| 149 | ~OpenSSLAdapterFactory() override; |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 150 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 151 | void SetMode(SSLMode mode) override; |
| 152 | OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override; |
Henrik Kjellander | 88b2dd4 | 2017-06-29 05:52:50 | [diff] [blame] | 153 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 154 | static OpenSSLAdapterFactory* Create(); |
Henrik Kjellander | fb3e1b6 | 2017-06-29 06:03:04 | [diff] [blame] | 155 | |
Justin Uberti | d5bb831 | 2017-08-15 00:04:34 | [diff] [blame] | 156 | private: |
| 157 | SSL_CTX* ssl_ctx() { return ssl_ctx_; } |
| 158 | // Looks up a session by hostname. The returned SSL_SESSION is not up_refed. |
| 159 | SSL_SESSION* LookupSession(const std::string& hostname); |
| 160 | // Adds a session to the cache, and up_refs it. Any existing session with the |
| 161 | // same hostname is replaced. |
| 162 | void AddSession(const std::string& hostname, SSL_SESSION* session); |
| 163 | friend class OpenSSLAdapter; |
| 164 | |
| 165 | SSLMode ssl_mode_; |
| 166 | // Holds the shared SSL_CTX for all created adapters. |
| 167 | SSL_CTX* ssl_ctx_; |
| 168 | // Map of hostnames to SSL_SESSIONs; holds references to the SSL_SESSIONs, |
| 169 | // which are cleaned up when the factory is destroyed. |
| 170 | // TODO(juberti): Add LRU eviction to keep the cache from growing forever. |
| 171 | std::map<std::string, SSL_SESSION*> sessions_; |
| 172 | }; |
| 173 | |
| 174 | } // namespace rtc |
| 175 | |
| 176 | #endif // WEBRTC_RTC_BASE_OPENSSLADAPTER_H_ |