blob: 5f5eb80c6e7458ce1cb7b2be6aacce148b26317f [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
Mirko Bonadei92ea95e2017-09-15 06:47:31 +020011#ifndef RTC_BASE_OPENSSLADAPTER_H_
12#define RTC_BASE_OPENSSLADAPTER_H_
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000013
Benjamin Wright19aab2e2018-04-05 15:39:06 -070014#include <openssl/ossl_typ.h>
15
Justin Uberti1d445502017-08-14 17:04:34 -070016#include <map>
Benjamin Wright19aab2e2018-04-05 15:39:06 -070017#include <memory>
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020018#include <string>
Benjamin Wright19aab2e2018-04-05 15:39:06 -070019#include <vector>
20
Mirko Bonadei92ea95e2017-09-15 06:47:31 +020021#include "rtc_base/buffer.h"
22#include "rtc_base/messagehandler.h"
23#include "rtc_base/messagequeue.h"
24#include "rtc_base/opensslidentity.h"
Benjamin Wright19aab2e2018-04-05 15:39:06 -070025#include "rtc_base/opensslsessioncache.h"
Mirko Bonadei92ea95e2017-09-15 06:47:31 +020026#include "rtc_base/ssladapter.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000027
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020028namespace rtc {
29
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020030class OpenSSLAdapter : public SSLAdapter, public MessageHandler {
Justin Uberti1d445502017-08-14 17:04:34 -070031 public:
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020032 static bool InitializeSSL(VerificationCallback callback);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020033 static bool CleanupSSL();
34
Justin Uberti1d445502017-08-14 17:04:34 -070035 explicit OpenSSLAdapter(AsyncSocket* socket,
Benjamin Wright19aab2e2018-04-05 15:39:06 -070036 OpenSSLSessionCache* ssl_session_cache = nullptr);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020037 ~OpenSSLAdapter() override;
38
Diogo Real1dca9d52017-08-29 12:18:32 -070039 void SetIgnoreBadCert(bool ignore) override;
40 void SetAlpnProtocols(const std::vector<std::string>& protos) override;
Diogo Real7bd1f1b2017-09-08 12:50:41 -070041 void SetEllipticCurves(const std::vector<std::string>& curves) override;
Diogo Real1dca9d52017-08-29 12:18:32 -070042
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020043 void SetMode(SSLMode mode) override;
Steve Anton786de702017-08-17 15:15:46 -070044 void SetIdentity(SSLIdentity* identity) override;
45 void SetRole(SSLRole role) override;
46 AsyncSocket* Accept(SocketAddress* paddr) override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020047 int StartSSL(const char* hostname, bool restartable) override;
48 int Send(const void* pv, size_t cb) override;
49 int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override;
50 int Recv(void* pv, size_t cb, int64_t* timestamp) override;
51 int RecvFrom(void* pv,
52 size_t cb,
53 SocketAddress* paddr,
54 int64_t* timestamp) override;
55 int Close() override;
56
57 // Note that the socket returns ST_CONNECTING while SSL is being negotiated.
58 ConnState GetState() const override;
Justin Uberti1d445502017-08-14 17:04:34 -070059 bool IsResumedSession() override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020060
Justin Uberti1d445502017-08-14 17:04:34 -070061 // Creates a new SSL_CTX object, configured for client-to-server usage
62 // with SSLMode |mode|, and if |enable_cache| is true, with support for
63 // storing successful sessions so that they can be later resumed.
64 // OpenSSLAdapterFactory will call this method to create its own internal
65 // SSL_CTX, and OpenSSLAdapter will also call this when used without a
66 // factory.
67 static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020068
Justin Uberti1d445502017-08-14 17:04:34 -070069 protected:
70 void OnConnectEvent(AsyncSocket* socket) override;
71 void OnReadEvent(AsyncSocket* socket) override;
72 void OnWriteEvent(AsyncSocket* socket) override;
73 void OnCloseEvent(AsyncSocket* socket, int err) override;
74
75 private:
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020076 enum SSLState {
77 SSL_NONE, SSL_WAIT, SSL_CONNECTING, SSL_CONNECTED, SSL_ERROR
78 };
79
80 enum { MSG_TIMEOUT };
81
82 int BeginSSL();
83 int ContinueSSL();
84 void Error(const char* context, int err, bool signal = true);
85 void Cleanup();
86
87 // Return value and arguments have the same meanings as for Send; |error| is
88 // an output parameter filled with the result of SSL_get_error.
89 int DoSslWrite(const void* pv, size_t cb, int* error);
90
91 void OnMessage(Message* msg) override;
92
Benjamin Wright9201d1a2018-04-05 12:12:26 -070093 bool SSLPostConnectionCheck(SSL* ssl, const std::string& host);
94
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020095#if !defined(NDEBUG)
Justin Uberti1d445502017-08-14 17:04:34 -070096 // In debug builds, logs info about the state of the SSL connection.
97 static void SSLInfoCallback(const SSL* ssl, int where, int ret);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +020098#endif
99 static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
100 static VerificationCallback custom_verify_callback_;
101 friend class OpenSSLStreamAdapter; // for custom_verify_callback_;
102
Justin Uberti1d445502017-08-14 17:04:34 -0700103 // If the SSL_CTX was created with |enable_cache| set to true, this callback
104 // will be called when a SSL session has been successfully established,
105 // to allow its SSL_SESSION* to be cached for later resumption.
106 static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session);
107
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200108 static bool ConfigureTrustedRootCertificates(SSL_CTX* ctx);
Justin Uberti1d445502017-08-14 17:04:34 -0700109
110 // Parent object that maintains shared state.
111 // Can be null if state sharing is not needed.
Benjamin Wright19aab2e2018-04-05 15:39:06 -0700112 OpenSSLSessionCache* ssl_session_cache_ = nullptr;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200113
114 SSLState state_;
Steve Anton786de702017-08-17 15:15:46 -0700115 std::unique_ptr<OpenSSLIdentity> identity_;
116 SSLRole role_;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200117 bool ssl_read_needs_write_;
118 bool ssl_write_needs_read_;
119 // If true, socket will retain SSL configuration after Close.
Justin Uberti1d445502017-08-14 17:04:34 -0700120 // TODO(juberti): Remove this unused flag.
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200121 bool restartable_;
122
123 // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which
124 // means we need to keep retrying with *the same exact data* until it
125 // succeeds. Afterwards it will be cleared.
126 Buffer pending_data_;
127
128 SSL* ssl_;
129 SSL_CTX* ssl_ctx_;
130 std::string ssl_host_name_;
131 // Do DTLS or not
132 SSLMode ssl_mode_;
Diogo Real1dca9d52017-08-29 12:18:32 -0700133 // If true, the server certificate need not match the configured hostname.
134 bool ignore_bad_cert_;
135 // List of protocols to be used in the TLS ALPN extension.
136 std::vector<std::string> alpn_protocols_;
Diogo Real7bd1f1b2017-09-08 12:50:41 -0700137 // List of elliptic curves to be used in the TLS elliptic curves extension.
138 std::vector<std::string> elliptic_curves_;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200139
140 bool custom_verification_succeeded_;
141};
142
Diogo Real1dca9d52017-08-29 12:18:32 -0700143std::string TransformAlpnProtocols(const std::vector<std::string>& protos);
144
145/////////////////////////////////////////////////////////////////////////////
Benjamin Wright19aab2e2018-04-05 15:39:06 -0700146
147// The OpenSSLAdapterFactory is responsbile for creating multiple new
148// OpenSSLAdapters with a shared SSL_CTX and a shared SSL_SESSION cache. The
149// SSL_SESSION cache allows existing SSL_SESSIONS to be reused instead of
150// recreating them leading to a significant performance improvement.
Justin Uberti1d445502017-08-14 17:04:34 -0700151class OpenSSLAdapterFactory : public SSLAdapterFactory {
152 public:
153 OpenSSLAdapterFactory();
154 ~OpenSSLAdapterFactory() override;
Benjamin Wright19aab2e2018-04-05 15:39:06 -0700155 // Set the SSL Mode to use with this factory. This should only be set before
156 // the first adapter is created with the factory. If it is called after it
157 // will DCHECK.
Justin Uberti1d445502017-08-14 17:04:34 -0700158 void SetMode(SSLMode mode) override;
Benjamin Wright19aab2e2018-04-05 15:39:06 -0700159 // Constructs a new socket using the shared OpenSSLSessionCache. This means
160 // existing SSLSessions already in the cache will be reused instead of
161 // re-created for improved performance.
Justin Uberti1d445502017-08-14 17:04:34 -0700162 OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override;
Henrik Kjellanderc0362762017-06-29 08:03:04 +0200163
Justin Uberti1d445502017-08-14 17:04:34 -0700164 private:
Benjamin Wright19aab2e2018-04-05 15:39:06 -0700165 // Holds the SSLMode (DTLS,TLS) that will be used to set the session cache.
166 SSLMode ssl_mode_ = SSL_MODE_TLS;
167 // Holds a cache of existing SSL Sessions.
168 std::unique_ptr<OpenSSLSessionCache> ssl_session_cache_;
169 // TODO(benwright): Remove this when context is moved to OpenSSLCommon.
170 // Hold a friend class to the OpenSSLAdapter to retrieve the context.
Justin Uberti1d445502017-08-14 17:04:34 -0700171 friend class OpenSSLAdapter;
Justin Uberti1d445502017-08-14 17:04:34 -0700172};
173
174} // namespace rtc
175
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200176#endif // RTC_BASE_OPENSSLADAPTER_H_