/* * Copyright 2004 The WebRTC Project Authors. All rights reserved. * * Use of this source code is governed by a BSD-style license * that can be found in the LICENSE file in the root of the source * tree. An additional intellectual property rights grant can be found * in the file PATENTS. All contributing project authors may * be found in the AUTHORS file in the root of the source tree. */ #ifndef RTC_BASE_OPENSSL_ADAPTER_H_ #define RTC_BASE_OPENSSL_ADAPTER_H_ #include #include #include #include #include #include #include "rtc_base/async_socket.h" #include "rtc_base/buffer.h" #include "rtc_base/message_handler.h" #ifdef OPENSSL_IS_BORINGSSL #include "rtc_base/boringssl_identity.h" #else #include "rtc_base/openssl_identity.h" #endif #include "rtc_base/openssl_session_cache.h" #include "rtc_base/socket.h" #include "rtc_base/socket_address.h" #include "rtc_base/ssl_adapter.h" #include "rtc_base/ssl_certificate.h" #include "rtc_base/ssl_identity.h" #include "rtc_base/ssl_stream_adapter.h" namespace rtc { class OpenSSLAdapter final : public SSLAdapter, public MessageHandlerAutoCleanup { public: static bool InitializeSSL(); static bool CleanupSSL(); // Creating an OpenSSLAdapter requires a socket to bind to, an optional // session cache if you wish to improve performance by caching sessions for // hostnames you have previously connected to and an optional // SSLCertificateVerifier which can override any existing trusted roots to // validate a peer certificate. The cache and verifier are effectively // immutable after the the SSL connection starts. explicit OpenSSLAdapter(AsyncSocket* socket, OpenSSLSessionCache* ssl_session_cache = nullptr, SSLCertificateVerifier* ssl_cert_verifier = nullptr); ~OpenSSLAdapter() override; void SetIgnoreBadCert(bool ignore) override; void SetAlpnProtocols(const std::vector& protos) override; void SetEllipticCurves(const std::vector& curves) override; void SetMode(SSLMode mode) override; void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; void SetIdentity(std::unique_ptr identity) override; void SetRole(SSLRole role) override; AsyncSocket* Accept(SocketAddress* paddr) override; int StartSSL(const char* hostname) override; int Send(const void* pv, size_t cb) override; int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override; int Recv(void* pv, size_t cb, int64_t* timestamp) override; int RecvFrom(void* pv, size_t cb, SocketAddress* paddr, int64_t* timestamp) override; int Close() override; // Note that the socket returns ST_CONNECTING while SSL is being negotiated. ConnState GetState() const override; bool IsResumedSession() override; // Creates a new SSL_CTX object, configured for client-to-server usage // with SSLMode |mode|, and if |enable_cache| is true, with support for // storing successful sessions so that they can be later resumed. // OpenSSLAdapterFactory will call this method to create its own internal // SSL_CTX, and OpenSSLAdapter will also call this when used without a // factory. static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache); protected: void OnConnectEvent(AsyncSocket* socket) override; void OnReadEvent(AsyncSocket* socket) override; void OnWriteEvent(AsyncSocket* socket) override; void OnCloseEvent(AsyncSocket* socket, int err) override; private: enum SSLState { SSL_NONE, SSL_WAIT, SSL_CONNECTING, SSL_CONNECTED, SSL_ERROR }; enum { MSG_TIMEOUT }; int BeginSSL(); int ContinueSSL(); void Error(const char* context, int err, bool signal = true); void Cleanup(); // Return value and arguments have the same meanings as for Send; |error| is // an output parameter filled with the result of SSL_get_error. int DoSslWrite(const void* pv, size_t cb, int* error); void OnMessage(Message* msg) override; bool SSLPostConnectionCheck(SSL* ssl, const std::string& host); #if !defined(NDEBUG) // In debug builds, logs info about the state of the SSL connection. static void SSLInfoCallback(const SSL* ssl, int where, int ret); #endif #if defined(OPENSSL_IS_BORINGSSL) && \ defined(WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS) static enum ssl_verify_result_t SSLVerifyCallback(SSL* ssl, uint8_t* out_alert); enum ssl_verify_result_t SSLVerifyInternal(SSL* ssl, uint8_t* out_alert); #else static int SSLVerifyCallback(int ok, X509_STORE_CTX* store); int SSLVerifyInternal(int ok, SSL* ssl, X509_STORE_CTX* store); #endif friend class OpenSSLStreamAdapter; // for custom_verify_callback_; // If the SSL_CTX was created with |enable_cache| set to true, this callback // will be called when a SSL session has been successfully established, // to allow its SSL_SESSION* to be cached for later resumption. static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session); // Optional SSL Shared session cache to improve performance. OpenSSLSessionCache* ssl_session_cache_ = nullptr; // Optional SSL Certificate verifier which can be set by a third party. SSLCertificateVerifier* ssl_cert_verifier_ = nullptr; // The current connection state of the (d)TLS connection. SSLState state_; #ifdef OPENSSL_IS_BORINGSSL std::unique_ptr identity_; #else std::unique_ptr identity_; #endif // Indicates whethere this is a client or a server. SSLRole role_; bool ssl_read_needs_write_; bool ssl_write_needs_read_; // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which // means we need to keep retrying with *the same exact data* until it // succeeds. Afterwards it will be cleared. Buffer pending_data_; SSL* ssl_; // Holds the SSL context, which may be shared if an session cache is provided. SSL_CTX* ssl_ctx_; // Hostname of server that is being connected, used for SNI. std::string ssl_host_name_; // Set the adapter to DTLS or TLS mode before creating the context. SSLMode ssl_mode_; // If true, the server certificate need not match the configured hostname. bool ignore_bad_cert_; // List of protocols to be used in the TLS ALPN extension. std::vector alpn_protocols_; // List of elliptic curves to be used in the TLS elliptic curves extension. std::vector elliptic_curves_; // Holds the result of the call to run of the ssl_cert_verify_->Verify() bool custom_cert_verifier_status_; }; // The OpenSSLAdapterFactory is responsbile for creating multiple new // OpenSSLAdapters with a shared SSL_CTX and a shared SSL_SESSION cache. The // SSL_SESSION cache allows existing SSL_SESSIONS to be reused instead of // recreating them leading to a significant performance improvement. class OpenSSLAdapterFactory : public SSLAdapterFactory { public: OpenSSLAdapterFactory(); ~OpenSSLAdapterFactory() override; // Set the SSL Mode to use with this factory. This should only be set before // the first adapter is created with the factory. If it is called after it // will DCHECK. void SetMode(SSLMode mode) override; // Set a custom certificate verifier to be passed down to each instance // created with this factory. This should only ever be set before the first // call to the factory and cannot be changed after the fact. void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; // Constructs a new socket using the shared OpenSSLSessionCache. This means // existing SSLSessions already in the cache will be reused instead of // re-created for improved performance. OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override; private: // Holds the SSLMode (DTLS,TLS) that will be used to set the session cache. SSLMode ssl_mode_ = SSL_MODE_TLS; // Holds a cache of existing SSL Sessions. std::unique_ptr ssl_session_cache_; // Provides an optional custom callback for verifying SSL certificates, this // in currently only used for TLS-TURN connections. SSLCertificateVerifier* ssl_cert_verifier_ = nullptr; // TODO(benwright): Remove this when context is moved to OpenSSLCommon. // Hold a friend class to the OpenSSLAdapter to retrieve the context. friend class OpenSSLAdapter; }; std::string TransformAlpnProtocols(const std::vector& protos); } // namespace rtc #endif // RTC_BASE_OPENSSL_ADAPTER_H_