Blame - rtc_base/openssl_adapter.cc - webrtc.googlesource.com/src

blob: e71758b66cf133d72bf5066b72c96a448026d196 [file] [log] [blame]

henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	1	/*
				2	* Copyright 2008 The WebRTC Project Authors. All rights reserved.
				3	*
				4	* Use of this source code is governed by a BSD-style license
				5	* that can be found in the LICENSE file in the root of the source
				6	* tree. An additional intellectual property rights grant can be found
				7	* in the file PATENTS. All contributing project authors may
				8	* be found in the AUTHORS file in the root of the source tree.
				9	*/
				10
Steve Anton	10542f2	2019-01-11 09:11:00 -0800	[diff] [blame]	11	#include "rtc_base/openssl_adapter.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	12
Yves Gerey	988cc08	2018-10-23 12:03:01 +0200	[diff] [blame]	13	#include <errno.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	14	#include <openssl/bio.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	15	#include <openssl/err.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	16	#include <openssl/rand.h>
henrike@webrtc.org	d5a0506	2014-06-30 20:38:56 +0000	[diff] [blame]	17	#include <openssl/x509.h>
Yves Gerey	988cc08	2018-10-23 12:03:01 +0200	[diff] [blame]	18	#include <string.h>
				19	#include <time.h>
				20
Mirko Bonadei	317a1f0	2019-09-17 17:06:18 +0200	[diff] [blame]	21	#include <memory>
				22
Harald Alvestrand	8515d5a	2020-03-20 22:51:32 +0100	[diff] [blame]	23	#include "absl/memory/memory.h"
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	24	#include "rtc_base/checks.h"
Yves Gerey	988cc08	2018-10-23 12:03:01 +0200	[diff] [blame]	25	#include "rtc_base/location.h"
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	26	#include "rtc_base/logging.h"
Karl Wiberg	e40468b	2017-11-22 10:42:26 +0100	[diff] [blame]	27	#include "rtc_base/numerics/safe_conversions.h"
Jonas Olsson	a4d8737	2019-07-05 19:08:33 +0200	[diff] [blame]	28	#include "rtc_base/openssl.h"
Steve Anton	10542f2	2019-01-11 09:11:00 -0800	[diff] [blame]	29	#include "rtc_base/openssl_certificate.h"
				30	#include "rtc_base/openssl_utility.h"
				31	#include "rtc_base/string_encode.h"
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	32	#include "rtc_base/thread.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	33
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	34	//////////////////////////////////////////////////////////////////////
				35	// SocketBIO
				36	//////////////////////////////////////////////////////////////////////
				37
				38	static int socket_write(BIO* h, const char* buf, int num);
				39	static int socket_read(BIO* h, char* buf, int size);
				40	static int socket_puts(BIO* h, const char* str);
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	41	static long socket_ctrl(BIO* h, int cmd, long arg1, void* arg2); // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	42	static int socket_new(BIO* h);
				43	static int socket_free(BIO* data);
				44
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	45	static BIO_METHOD* BIO_socket_method() {
				46	static BIO_METHOD* methods = [] {
				47	BIO_METHOD* methods = BIO_meth_new(BIO_TYPE_BIO, "socket");
				48	BIO_meth_set_write(methods, socket_write);
				49	BIO_meth_set_read(methods, socket_read);
				50	BIO_meth_set_puts(methods, socket_puts);
				51	BIO_meth_set_ctrl(methods, socket_ctrl);
				52	BIO_meth_set_create(methods, socket_new);
				53	BIO_meth_set_destroy(methods, socket_free);
				54	return methods;
				55	}();
				56	return methods;
				57	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	58
henrike@webrtc.org	c50bf7c	2014-05-14 18:24:13 +0000	[diff] [blame]	59	static BIO* BIO_new_socket(rtc::AsyncSocket* socket) {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	60	BIO* ret = BIO_new(BIO_socket_method());
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	61	if (ret == nullptr) {
				62	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	63	}
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	64	BIO_set_data(ret, socket);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	65	return ret;
				66	}
				67
				68	static int socket_new(BIO* b) {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	69	BIO_set_shutdown(b, 0);
				70	BIO_set_init(b, 1);
				71	BIO_set_data(b, 0);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	72	return 1;
				73	}
				74
				75	static int socket_free(BIO* b) {
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	76	if (b == nullptr)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	77	return 0;
				78	return 1;
				79	}
				80
				81	static int socket_read(BIO* b, char* out, int outl) {
				82	if (!out)
				83	return -1;
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	84	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	85	BIO_clear_retry_flags(b);
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	86	int result = socket->Recv(out, outl, nullptr);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	87	if (result > 0) {
				88	return result;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	89	} else if (socket->IsBlocking()) {
				90	BIO_set_retry_read(b);
				91	}
				92	return -1;
				93	}
				94
				95	static int socket_write(BIO* b, const char* in, int inl) {
				96	if (!in)
				97	return -1;
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	98	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	99	BIO_clear_retry_flags(b);
				100	int result = socket->Send(in, inl);
				101	if (result > 0) {
				102	return result;
				103	} else if (socket->IsBlocking()) {
				104	BIO_set_retry_write(b);
				105	}
				106	return -1;
				107	}
				108
				109	static int socket_puts(BIO* b, const char* str) {
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09 +0000	[diff] [blame]	110	return socket_write(b, str, rtc::checked_cast<int>(strlen(str)));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	111	}
				112
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	113	static long socket_ctrl(BIO* b, int cmd, long num, void* ptr) { // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	114	switch (cmd) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	115	case BIO_CTRL_RESET:
				116	return 0;
				117	case BIO_CTRL_EOF: {
				118	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(ptr);
				119	// 1 means socket closed.
				120	return (socket->GetState() == rtc::AsyncSocket::CS_CLOSED) ? 1 : 0;
				121	}
				122	case BIO_CTRL_WPENDING:
				123	case BIO_CTRL_PENDING:
				124	return 0;
				125	case BIO_CTRL_FLUSH:
				126	return 1;
				127	default:
				128	return 0;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	129	}
				130	}
				131
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	132	static void LogSslError() {
				133	// Walk down the error stack to find the SSL error.
				134	uint32_t error_code;
				135	const char* file;
				136	int line;
				137	do {
				138	error_code = ERR_get_error_line(&file, &line);
				139	if (ERR_GET_LIB(error_code) == ERR_LIB_SSL) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	140	RTC_LOG(LS_ERROR) << "ERR_LIB_SSL: " << error_code << ", " << file << ":"
				141	<< line;
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	142	break;
				143	}
				144	} while (error_code != 0);
				145	}
				146
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	147	/////////////////////////////////////////////////////////////////////////////
				148	// OpenSSLAdapter
				149	/////////////////////////////////////////////////////////////////////////////
				150
				151	namespace rtc {
				152
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	153	bool OpenSSLAdapter::InitializeSSL() {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	154	if (!SSL_library_init())
				155	return false;
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	156	#if !defined(ADDRESS_SANITIZER) \|\| !defined(WEBRTC_MAC) \|\| defined(WEBRTC_IOS)
				157	// Loading the error strings crashes mac_asan. Omit this debugging aid there.
				158	SSL_load_error_strings();
				159	#endif
				160	ERR_load_BIO_strings();
				161	OpenSSL_add_all_algorithms();
				162	RAND_poll();
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	163	return true;
				164	}
				165
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	166	bool OpenSSLAdapter::CleanupSSL() {
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	167	return true;
				168	}
				169
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	170	OpenSSLAdapter::OpenSSLAdapter(AsyncSocket* socket,
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	171	OpenSSLSessionCache* ssl_session_cache,
				172	SSLCertificateVerifier* ssl_cert_verifier)
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	173	: SSLAdapter(socket),
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	174	ssl_session_cache_(ssl_session_cache),
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	175	ssl_cert_verifier_(ssl_cert_verifier),
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	176	state_(SSL_NONE),
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	177	role_(SSL_CLIENT),
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	178	ssl_read_needs_write_(false),
				179	ssl_write_needs_read_(false),
				180	restartable_(false),
				181	ssl_(nullptr),
				182	ssl_ctx_(nullptr),
				183	ssl_mode_(SSL_MODE_TLS),
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	184	ignore_bad_cert_(false),
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	185	custom_cert_verifier_status_(false) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	186	// If a factory is used, take a reference on the factory's SSL_CTX.
				187	// Otherwise, we'll create our own later.
				188	// Either way, we'll release our reference via SSL_CTX_free() in Cleanup().
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	189	if (ssl_session_cache_ != nullptr) {
				190	ssl_ctx_ = ssl_session_cache_->GetSSLContext();
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	191	RTC_DCHECK(ssl_ctx_);
				192	// Note: if using OpenSSL, requires version 1.1.0 or later.
				193	SSL_CTX_up_ref(ssl_ctx_);
				194	}
				195	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	196
				197	OpenSSLAdapter::~OpenSSLAdapter() {
				198	Cleanup();
				199	}
				200
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	201	void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) {
				202	ignore_bad_cert_ = ignore;
				203	}
				204
				205	void OpenSSLAdapter::SetAlpnProtocols(const std::vector<std::string>& protos) {
				206	alpn_protocols_ = protos;
				207	}
				208
				209	void OpenSSLAdapter::SetEllipticCurves(const std::vector<std::string>& curves) {
				210	elliptic_curves_ = curves;
Diogo Real	7bd1f1b	2017-09-08 12:50:41 -0700	[diff] [blame]	211	}
				212
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	213	void OpenSSLAdapter::SetMode(SSLMode mode) {
				214	RTC_DCHECK(!ssl_ctx_);
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	215	RTC_DCHECK(state_ == SSL_NONE);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	216	ssl_mode_ = mode;
				217	}
				218
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	219	void OpenSSLAdapter::SetCertVerifier(
				220	SSLCertificateVerifier* ssl_cert_verifier) {
				221	RTC_DCHECK(!ssl_ctx_);
				222	ssl_cert_verifier_ = ssl_cert_verifier;
				223	}
				224
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	225	void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) {
				226	RTC_DCHECK(!identity_);
				227	identity_.reset(static_cast<OpenSSLIdentity*>(identity));
				228	}
				229
Harald Alvestrand	8515d5a	2020-03-20 22:51:32 +0100	[diff] [blame]	230	void OpenSSLAdapter::SetIdentity(std::unique_ptr<SSLIdentity> identity) {
				231	RTC_DCHECK(!identity_);
				232	identity_ =
				233	absl::WrapUnique(static_cast<OpenSSLIdentity*>(identity.release()));
				234	}
				235
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	236	void OpenSSLAdapter::SetRole(SSLRole role) {
				237	role_ = role;
				238	}
				239
				240	AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) {
				241	RTC_DCHECK(role_ == SSL_SERVER);
				242	AsyncSocket* socket = SSLAdapter::Accept(paddr);
				243	if (!socket) {
				244	return nullptr;
				245	}
				246
				247	SSLAdapter* adapter = SSLAdapter::Create(socket);
Harald Alvestrand	8515d5a	2020-03-20 22:51:32 +0100	[diff] [blame]	248	adapter->SetIdentity(identity_->Clone());
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	249	adapter->SetRole(rtc::SSL_SERVER);
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	250	adapter->SetIgnoreBadCert(ignore_bad_cert_);
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	251	adapter->StartSSL("", false);
				252	return adapter;
				253	}
				254
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	255	int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	256	if (state_ != SSL_NONE)
				257	return -1;
				258
				259	ssl_host_name_ = hostname;
				260	restartable_ = restartable;
				261
				262	if (socket_->GetState() != Socket::CS_CONNECTED) {
				263	state_ = SSL_WAIT;
				264	return 0;
				265	}
				266
				267	state_ = SSL_CONNECTING;
				268	if (int err = BeginSSL()) {
				269	Error("BeginSSL", err, false);
				270	return err;
				271	}
				272
				273	return 0;
				274	}
				275
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	276	int OpenSSLAdapter::BeginSSL() {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	277	RTC_LOG(LS_INFO) << "OpenSSLAdapter::BeginSSL: " << ssl_host_name_;
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	278	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	279
				280	int err = 0;
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	281	BIO* bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	282
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	283	// First set up the context. We should either have a factory, with its own
				284	// pre-existing context, or be running standalone, in which case we will
				285	// need to create one, and specify \|false\| to disable session caching.
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	286	if (ssl_session_cache_ == nullptr) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	287	RTC_DCHECK(!ssl_ctx_);
				288	ssl_ctx_ = CreateContext(ssl_mode_, false);
				289	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	290
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	291	if (!ssl_ctx_) {
				292	err = -1;
				293	goto ssl_error;
				294	}
				295
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	296	if (identity_ && !identity_->ConfigureIdentity(ssl_ctx_)) {
				297	SSL_CTX_free(ssl_ctx_);
				298	err = -1;
				299	goto ssl_error;
				300	}
				301
Peter Boström	0b518bf	2016-01-27 12:35:40 +0100	[diff] [blame]	302	bio = BIO_new_socket(socket_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	303	if (!bio) {
				304	err = -1;
				305	goto ssl_error;
				306	}
				307
				308	ssl_ = SSL_new(ssl_ctx_);
				309	if (!ssl_) {
				310	err = -1;
				311	goto ssl_error;
				312	}
				313
				314	SSL_set_app_data(ssl_, this);
				315
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	316	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER allows different buffers to be passed
				317	// into SSL_write when a record could only be partially transmitted (and thus
				318	// requires another call to SSL_write to finish transmission). This allows us
				319	// to copy the data into our own buffer when this occurs, since the original
				320	// buffer can't safely be accessed after control exits Send.
				321	// TODO(deadbeef): Do we want SSL_MODE_ENABLE_PARTIAL_WRITE? It doesn't
				322	// appear Send handles partial writes properly, though maybe we never notice
				323	// since we never send more than 16KB at once..
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	324	SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE \|
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	325	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	326
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	327	// Enable SNI, if a hostname is supplied.
Emad Omara	dab1d2d	2017-06-16 15:43:11 -0700	[diff] [blame]	328	if (!ssl_host_name_.empty()) {
				329	SSL_set_tlsext_host_name(ssl_, ssl_host_name_.c_str());
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	330
				331	// Enable session caching, if configured and a hostname is supplied.
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	332	if (ssl_session_cache_ != nullptr) {
				333	SSL_SESSION* cached = ssl_session_cache_->LookupSession(ssl_host_name_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	334	if (cached) {
				335	if (SSL_set_session(ssl_, cached) == 0) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	336	RTC_LOG(LS_WARNING) << "Failed to apply SSL session from cache";
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	337	err = -1;
				338	goto ssl_error;
				339	}
				340
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	341	RTC_LOG(LS_INFO) << "Attempting to resume SSL session to "
				342	<< ssl_host_name_;
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	343	}
				344	}
Emad Omara	dab1d2d	2017-06-16 15:43:11 -0700	[diff] [blame]	345	}
				346
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	347	#ifdef OPENSSL_IS_BORINGSSL
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	348	// Set a couple common TLS extensions; even though we don't use them yet.
				349	SSL_enable_ocsp_stapling(ssl_);
				350	SSL_enable_signed_cert_timestamps(ssl_);
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	351	#endif
Emad Omara	cb79d23	2017-07-20 16:34:34 -0700	[diff] [blame]	352
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	353	if (!alpn_protocols_.empty()) {
				354	std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_);
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	355	if (!tls_alpn_string.empty()) {
				356	SSL_set_alpn_protos(
				357	ssl_, reinterpret_cast<const unsigned char*>(tls_alpn_string.data()),
Mirko Bonadei	a041f92	2018-05-23 10:22:36 +0200	[diff] [blame]	358	rtc::dchecked_cast<unsigned>(tls_alpn_string.size()));
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	359	}
				360	}
				361
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	362	if (!elliptic_curves_.empty()) {
				363	SSL_set1_curves_list(ssl_, rtc::join(elliptic_curves_, ':').c_str());
Diogo Real	7bd1f1b	2017-09-08 12:50:41 -0700	[diff] [blame]	364	}
				365
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	366	// Now that the initial config is done, transfer ownership of \|bio\| to the
				367	// SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup().
				368	SSL_set_bio(ssl_, bio, bio);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	369	bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	370
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	371	// Do the connect.
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	372	err = ContinueSSL();
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	373	if (err != 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	374	goto ssl_error;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	375	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	376
				377	return err;
				378
				379	ssl_error:
				380	Cleanup();
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	381	if (bio) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	382	BIO_free(bio);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	383	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	384
				385	return err;
				386	}
				387
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	388	int OpenSSLAdapter::ContinueSSL() {
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	389	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	390
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	391	// Clear the DTLS timer
				392	Thread::Current()->Clear(this, MSG_TIMEOUT);
				393
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	394	int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	395	switch (SSL_get_error(ssl_, code)) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	396	case SSL_ERROR_NONE:
				397	if (!SSLPostConnectionCheck(ssl_, ssl_host_name_)) {
				398	RTC_LOG(LS_ERROR) << "TLS post connection check failed";
				399	// make sure we close the socket
				400	Cleanup();
				401	// The connect failed so return -1 to shut down the socket
				402	return -1;
				403	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	404
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	405	state_ = SSL_CONNECTED;
				406	AsyncSocketAdapter::OnConnectEvent(this);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	407	// TODO(benwright): Refactor this code path.
				408	// Don't let ourselves go away during the callbacks
				409	// PRefPtr<OpenSSLAdapter> lock(this);
				410	// RTC_LOG(LS_INFO) << " -- onStreamReadable";
				411	// AsyncSocketAdapter::OnReadEvent(this);
				412	// RTC_LOG(LS_INFO) << " -- onStreamWriteable";
				413	// AsyncSocketAdapter::OnWriteEvent(this);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	414	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	415
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	416	case SSL_ERROR_WANT_READ:
				417	RTC_LOG(LS_VERBOSE) << " -- error want read";
				418	struct timeval timeout;
				419	if (DTLSv1_get_timeout(ssl_, &timeout)) {
				420	int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	421
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	422	Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, MSG_TIMEOUT,
				423	0);
				424	}
				425	break;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	426
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	427	case SSL_ERROR_WANT_WRITE:
				428	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	429
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	430	case SSL_ERROR_ZERO_RETURN:
				431	default:
				432	RTC_LOG(LS_WARNING) << "ContinueSSL -- error " << code;
				433	return (code != 0) ? code : -1;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	434	}
				435
				436	return 0;
				437	}
				438
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	439	void OpenSSLAdapter::Error(const char* context, int err, bool signal) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	440	RTC_LOG(LS_WARNING) << "OpenSSLAdapter::Error(" << context << ", " << err
				441	<< ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	442	state_ = SSL_ERROR;
				443	SetError(err);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	444	if (signal) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	445	AsyncSocketAdapter::OnCloseEvent(this, err);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	446	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	447	}
				448
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	449	void OpenSSLAdapter::Cleanup() {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	450	RTC_LOG(LS_INFO) << "OpenSSLAdapter::Cleanup";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	451
				452	state_ = SSL_NONE;
				453	ssl_read_needs_write_ = false;
				454	ssl_write_needs_read_ = false;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	455	custom_cert_verifier_status_ = false;
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	456	pending_data_.Clear();
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	457
				458	if (ssl_) {
				459	SSL_free(ssl_);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	460	ssl_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	461	}
				462
				463	if (ssl_ctx_) {
				464	SSL_CTX_free(ssl_ctx_);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	465	ssl_ctx_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	466	}
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	467	identity_.reset();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	468
				469	// Clear the DTLS timer
				470	Thread::Current()->Clear(this, MSG_TIMEOUT);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	471	}
				472
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	473	int OpenSSLAdapter::DoSslWrite(const void* pv, size_t cb, int* error) {
				474	// If we have pending data (that was previously only partially written by
				475	// SSL_write), we shouldn't be attempting to write anything else.
				476	RTC_DCHECK(pending_data_.empty() \|\| pv == pending_data_.data());
				477	RTC_DCHECK(error != nullptr);
				478
				479	ssl_write_needs_read_ = false;
				480	int ret = SSL_write(ssl_, pv, checked_cast<int>(cb));
				481	*error = SSL_get_error(ssl_, ret);
				482	switch (*error) {
				483	case SSL_ERROR_NONE:
				484	// Success!
				485	return ret;
				486	case SSL_ERROR_WANT_READ:
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	487	RTC_LOG(LS_INFO) << " -- error want read";
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	488	ssl_write_needs_read_ = true;
				489	SetError(EWOULDBLOCK);
				490	break;
				491	case SSL_ERROR_WANT_WRITE:
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	492	RTC_LOG(LS_INFO) << " -- error want write";
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	493	SetError(EWOULDBLOCK);
				494	break;
				495	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	496	SetError(EWOULDBLOCK);
				497	// do we need to signal closure?
				498	break;
				499	case SSL_ERROR_SSL:
				500	LogSslError();
				501	Error("SSL_write", ret ? ret : -1, false);
				502	break;
				503	default:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	504	Error("SSL_write", ret ? ret : -1, false);
				505	break;
				506	}
				507
				508	return SOCKET_ERROR;
				509	}
				510
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	511	///////////////////////////////////////////////////////////////////////////////
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	512	// AsyncSocket Implementation
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	513	///////////////////////////////////////////////////////////////////////////////
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	514
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	515	int OpenSSLAdapter::Send(const void* pv, size_t cb) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	516	switch (state_) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	517	case SSL_NONE:
				518	return AsyncSocketAdapter::Send(pv, cb);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	519	case SSL_WAIT:
				520	case SSL_CONNECTING:
				521	SetError(ENOTCONN);
				522	return SOCKET_ERROR;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	523	case SSL_CONNECTED:
				524	break;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	525	case SSL_ERROR:
				526	default:
				527	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	528	}
				529
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	530	int ret;
				531	int error;
				532
				533	if (!pending_data_.empty()) {
				534	ret = DoSslWrite(pending_data_.data(), pending_data_.size(), &error);
				535	if (ret != static_cast<int>(pending_data_.size())) {
				536	// We couldn't finish sending the pending data, so we definitely can't
				537	// send any more data. Return with an EWOULDBLOCK error.
				538	SetError(EWOULDBLOCK);
				539	return SOCKET_ERROR;
				540	}
				541	// We completed sending the data previously passed into SSL_write! Now
				542	// we're allowed to send more data.
				543	pending_data_.Clear();
				544	}
				545
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	546	// OpenSSL will return an error if we try to write zero bytes
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	547	if (cb == 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	548	return 0;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	549	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	550
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	551	ret = DoSslWrite(pv, cb, &error);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	552
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	553	// If SSL_write fails with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, this
				554	// means the underlying socket is blocked on reading or (more typically)
				555	// writing. When this happens, OpenSSL requires that the next call to
				556	// SSL_write uses the same arguments (though, with
				557	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, the actual buffer pointer may be
				558	// different).
				559	//
				560	// However, after Send exits, we will have lost access to data the user of
				561	// this class is trying to send, and there's no guarantee that the user of
				562	// this class will call Send with the same arguements when it fails. So, we
				563	// buffer the data ourselves. When we know the underlying socket is writable
				564	// again from OnWriteEvent (or if Send is called again before that happens),
				565	// we'll retry sending this buffered data.
deadbeef	e5dce2b	2017-06-02 11:52:06 -0700	[diff] [blame]	566	if (error == SSL_ERROR_WANT_READ \|\| error == SSL_ERROR_WANT_WRITE) {
				567	// Shouldn't be able to get to this point if we already have pending data.
				568	RTC_DCHECK(pending_data_.empty());
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	569	RTC_LOG(LS_WARNING)
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	570	<< "SSL_write couldn't write to the underlying socket; buffering data.";
				571	pending_data_.SetData(static_cast<const uint8_t*>(pv), cb);
				572	// Since we're taking responsibility for sending this data, return its full
				573	// size. The user of this class can consider it sent.
Mirko Bonadei	a041f92	2018-05-23 10:22:36 +0200	[diff] [blame]	574	return rtc::dchecked_cast<int>(cb);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	575	}
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	576	return ret;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	577	}
				578
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	579	int OpenSSLAdapter::SendTo(const void* pv,
				580	size_t cb,
				581	const SocketAddress& addr) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	582	if (socket_->GetState() == Socket::CS_CONNECTED &&
				583	addr == socket_->GetRemoteAddress()) {
				584	return Send(pv, cb);
				585	}
				586
				587	SetError(ENOTCONN);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	588	return SOCKET_ERROR;
				589	}
				590
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	591	int OpenSSLAdapter::Recv(void* pv, size_t cb, int64_t* timestamp) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	592	switch (state_) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	593	case SSL_NONE:
				594	return AsyncSocketAdapter::Recv(pv, cb, timestamp);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	595	case SSL_WAIT:
				596	case SSL_CONNECTING:
				597	SetError(ENOTCONN);
				598	return SOCKET_ERROR;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	599	case SSL_CONNECTED:
				600	break;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	601	case SSL_ERROR:
				602	default:
				603	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	604	}
				605
				606	// Don't trust OpenSSL with zero byte reads
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	607	if (cb == 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	608	return 0;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	609	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	610
				611	ssl_read_needs_write_ = false;
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09 +0000	[diff] [blame]	612	int code = SSL_read(ssl_, pv, checked_cast<int>(cb));
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	613	int error = SSL_get_error(ssl_, code);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	614
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	615	switch (error) {
				616	case SSL_ERROR_NONE:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	617	return code;
				618	case SSL_ERROR_WANT_READ:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	619	SetError(EWOULDBLOCK);
				620	break;
				621	case SSL_ERROR_WANT_WRITE:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	622	ssl_read_needs_write_ = true;
				623	SetError(EWOULDBLOCK);
				624	break;
				625	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	626	SetError(EWOULDBLOCK);
				627	// do we need to signal closure?
				628	break;
				629	case SSL_ERROR_SSL:
				630	LogSslError();
				631	Error("SSL_read", (code ? code : -1), false);
				632	break;
				633	default:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	634	Error("SSL_read", (code ? code : -1), false);
				635	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	636	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	637	return SOCKET_ERROR;
				638	}
				639
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	640	int OpenSSLAdapter::RecvFrom(void* pv,
				641	size_t cb,
				642	SocketAddress* paddr,
				643	int64_t* timestamp) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	644	if (socket_->GetState() == Socket::CS_CONNECTED) {
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	645	int ret = Recv(pv, cb, timestamp);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	646	*paddr = GetRemoteAddress();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	647	return ret;
				648	}
				649
				650	SetError(ENOTCONN);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	651	return SOCKET_ERROR;
				652	}
				653
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	654	int OpenSSLAdapter::Close() {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	655	Cleanup();
				656	state_ = restartable_ ? SSL_WAIT : SSL_NONE;
				657	return AsyncSocketAdapter::Close();
				658	}
				659
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	660	Socket::ConnState OpenSSLAdapter::GetState() const {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	661	ConnState state = socket_->GetState();
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	662	if ((state == CS_CONNECTED) &&
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	663	((state_ == SSL_WAIT) \|\| (state_ == SSL_CONNECTING))) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	664	state = CS_CONNECTING;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	665	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	666	return state;
				667	}
				668
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	669	bool OpenSSLAdapter::IsResumedSession() {
				670	return (ssl_ && SSL_session_reused(ssl_) == 1);
				671	}
				672
				673	void OpenSSLAdapter::OnMessage(Message* msg) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	674	if (MSG_TIMEOUT == msg->message_id) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	675	RTC_LOG(LS_INFO) << "DTLS timeout expired";
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	676	DTLSv1_handle_timeout(ssl_);
				677	ContinueSSL();
				678	}
				679	}
				680
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	681	void OpenSSLAdapter::OnConnectEvent(AsyncSocket* socket) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	682	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnConnectEvent";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	683	if (state_ != SSL_WAIT) {
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	684	RTC_DCHECK(state_ == SSL_NONE);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	685	AsyncSocketAdapter::OnConnectEvent(socket);
				686	return;
				687	}
				688
				689	state_ = SSL_CONNECTING;
				690	if (int err = BeginSSL()) {
				691	AsyncSocketAdapter::OnCloseEvent(socket, err);
				692	}
				693	}
				694
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	695	void OpenSSLAdapter::OnReadEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	696	if (state_ == SSL_NONE) {
				697	AsyncSocketAdapter::OnReadEvent(socket);
				698	return;
				699	}
				700
				701	if (state_ == SSL_CONNECTING) {
				702	if (int err = ContinueSSL()) {
				703	Error("ContinueSSL", err);
				704	}
				705	return;
				706	}
				707
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	708	if (state_ != SSL_CONNECTED) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	709	return;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	710	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	711
				712	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	713	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	714	if (ssl_write_needs_read_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	715	AsyncSocketAdapter::OnWriteEvent(socket);
				716	}
				717
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	718	AsyncSocketAdapter::OnReadEvent(socket);
				719	}
				720
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	721	void OpenSSLAdapter::OnWriteEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	722	if (state_ == SSL_NONE) {
				723	AsyncSocketAdapter::OnWriteEvent(socket);
				724	return;
				725	}
				726
				727	if (state_ == SSL_CONNECTING) {
				728	if (int err = ContinueSSL()) {
				729	Error("ContinueSSL", err);
				730	}
				731	return;
				732	}
				733
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	734	if (state_ != SSL_CONNECTED) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	735	return;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	736	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	737
				738	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	739	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	740
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	741	if (ssl_read_needs_write_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	742	AsyncSocketAdapter::OnReadEvent(socket);
				743	}
				744
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	745	// If a previous SSL_write failed due to the underlying socket being blocked,
				746	// this will attempt finishing the write operation.
				747	if (!pending_data_.empty()) {
				748	int error;
				749	if (DoSslWrite(pending_data_.data(), pending_data_.size(), &error) ==
				750	static_cast<int>(pending_data_.size())) {
				751	pending_data_.Clear();
				752	}
				753	}
				754
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	755	AsyncSocketAdapter::OnWriteEvent(socket);
				756	}
				757
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	758	void OpenSSLAdapter::OnCloseEvent(AsyncSocket* socket, int err) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	759	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	760	AsyncSocketAdapter::OnCloseEvent(socket, err);
				761	}
				762
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	763	bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const std::string& host) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	764	bool is_valid_cert_name =
				765	openssl::VerifyPeerCertMatchesHost(ssl, host) &&
				766	(SSL_get_verify_result(ssl) == X509_V_OK \|\| custom_cert_verifier_status_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	767
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	768	if (!is_valid_cert_name && ignore_bad_cert_) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	769	RTC_DLOG(LS_WARNING) << "Other TLS post connection checks failed. "
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	770	"ignore_bad_cert_ set to true. Overriding name "
				771	"verification failure!";
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	772	is_valid_cert_name = true;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	773	}
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	774	return is_valid_cert_name;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	775	}
				776
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	777	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	778
				779	// We only use this for tracing and so it is only needed in debug mode
				780
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	781	void OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int ret) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	782	const char* str = "undefined";
				783	int w = where & ~SSL_ST_MASK;
				784	if (w & SSL_ST_CONNECT) {
				785	str = "SSL_connect";
				786	} else if (w & SSL_ST_ACCEPT) {
				787	str = "SSL_accept";
				788	}
				789	if (where & SSL_CB_LOOP) {
Harald Alvestrand	977b265	2019-12-12 13:40:50 +0100	[diff] [blame]	790	RTC_DLOG(LS_VERBOSE) << str << ":" << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	791	} else if (where & SSL_CB_ALERT) {
				792	str = (where & SSL_CB_READ) ? "read" : "write";
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	793	RTC_DLOG(LS_INFO) << "SSL3 alert " << str << ":"
				794	<< SSL_alert_type_string_long(ret) << ":"
				795	<< SSL_alert_desc_string_long(ret);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	796	} else if (where & SSL_CB_EXIT) {
				797	if (ret == 0) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	798	RTC_DLOG(LS_INFO) << str << ":failed in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	799	} else if (ret < 0) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	800	RTC_DLOG(LS_INFO) << str << ":error in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	801	}
				802	}
				803	}
				804
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	805	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	806
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	807	int OpenSSLAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	808	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	809	if (!ok) {
				810	char data[256];
				811	X509* cert = X509_STORE_CTX_get_current_cert(store);
				812	int depth = X509_STORE_CTX_get_error_depth(store);
				813	int err = X509_STORE_CTX_get_error(store);
				814
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	815	RTC_DLOG(LS_INFO) << "Error with certificate at depth: " << depth;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	816	X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	817	RTC_DLOG(LS_INFO) << " issuer = " << data;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	818	X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	819	RTC_DLOG(LS_INFO) << " subject = " << data;
				820	RTC_DLOG(LS_INFO) << " err = " << err << ":"
				821	<< X509_verify_cert_error_string(err);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	822	}
				823	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	824	// Get our stream pointer from the store
				825	SSL* ssl = reinterpret_cast<SSL*>(
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	826	X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	827
				828	OpenSSLAdapter* stream =
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	829	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	830
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	831	if (!ok && stream->ssl_cert_verifier_ != nullptr) {
				832	RTC_LOG(LS_INFO) << "Invoking SSL Verify Callback.";
				833	const OpenSSLCertificate cert(X509_STORE_CTX_get_current_cert(store));
				834	if (stream->ssl_cert_verifier_->Verify(cert)) {
				835	stream->custom_cert_verifier_status_ = true;
				836	RTC_LOG(LS_INFO) << "Validated certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	837	ok = true;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	838	} else {
				839	RTC_LOG(LS_INFO) << "Failed to verify certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	840	}
				841	}
				842
				843	// Should only be used for debugging and development.
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	844	if (!ok && stream->ignore_bad_cert_) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	845	RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	846	ok = 1;
				847	}
				848
				849	return ok;
				850	}
				851
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	852	int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) {
				853	OpenSSLAdapter* stream =
				854	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	855	RTC_DCHECK(stream->ssl_session_cache_);
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	856	RTC_LOG(LS_INFO) << "Caching SSL session for " << stream->ssl_host_name_;
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	857	stream->ssl_session_cache_->AddSession(stream->ssl_host_name_, session);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	858	return 1; // We've taken ownership of the session; OpenSSL shouldn't free it.
				859	}
				860
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	861	SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
David Benjamin	170a4b3	2019-01-30 09:46:16 -0600	[diff] [blame]	862	SSL_CTX* ctx =
				863	SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	864	if (ctx == nullptr) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	865	unsigned long error = ERR_get_error(); // NOLINT: type used by OpenSSL.
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	866	RTC_LOG(LS_WARNING) << "SSL_CTX creation failed: " << '"'
Jonas Olsson	b2b2031	2020-01-14 12:11:31 +0100	[diff] [blame]	867	<< ERR_reason_error_string(error)
				868	<< "\" "
				869	"(error="
				870	<< error << ')';
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	871	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	872	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	873
Mirko Bonadei	b889a20	2018-08-15 11:41:27 +0200	[diff] [blame]	874	#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	875	if (!openssl::LoadBuiltinSSLRootCertificates(ctx)) {
				876	RTC_LOG(LS_ERROR) << "SSL_CTX creation failed: Failed to load any trusted "
				877	"ssl root certificates.";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	878	SSL_CTX_free(ctx);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	879	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	880	}
Mirko Bonadei	b889a20	2018-08-15 11:41:27 +0200	[diff] [blame]	881	#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	882
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	883	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	884	SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
				885	#endif
				886
				887	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
				888	SSL_CTX_set_verify_depth(ctx, 4);
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	889	// Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
				890	// (note that SHA256 and SHA384 only select legacy CBC ciphers).
				891	// Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
				892	// CBC-mode ECDSA ciphers.
				893	SSL_CTX_set_cipher_list(
				894	ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5");
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	895
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	896	if (mode == SSL_MODE_DTLS) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	897	SSL_CTX_set_read_ahead(ctx, 1);
				898	}
				899
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	900	if (enable_cache) {
				901	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
				902	SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback);
				903	}
				904
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	905	return ctx;
				906	}
				907
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	908	std::string TransformAlpnProtocols(
				909	const std::vector<std::string>& alpn_protocols) {
				910	// Transforms the alpn_protocols list to the format expected by
				911	// Open/BoringSSL. This requires joining the protocols into a single string
				912	// and prepending a character with the size of the protocol string before
				913	// each protocol.
				914	std::string transformed_alpn;
				915	for (const std::string& proto : alpn_protocols) {
				916	if (proto.size() == 0 \|\| proto.size() > 0xFF) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	917	RTC_LOG(LS_ERROR) << "OpenSSLAdapter::Error("
Jonas Olsson	b2b2031	2020-01-14 12:11:31 +0100	[diff] [blame]	918	"TransformAlpnProtocols received proto with size "
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	919	<< proto.size() << ")";
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	920	return "";
				921	}
				922	transformed_alpn += static_cast<char>(proto.size());
				923	transformed_alpn += proto;
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	924	RTC_LOG(LS_VERBOSE) << "TransformAlpnProtocols: Adding proto: " << proto;
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	925	}
				926	return transformed_alpn;
				927	}
				928
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	929	//////////////////////////////////////////////////////////////////////
				930	// OpenSSLAdapterFactory
				931	//////////////////////////////////////////////////////////////////////
				932
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	933	OpenSSLAdapterFactory::OpenSSLAdapterFactory() = default;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	934
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	935	OpenSSLAdapterFactory::~OpenSSLAdapterFactory() = default;
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	936
				937	void OpenSSLAdapterFactory::SetMode(SSLMode mode) {
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	938	RTC_DCHECK(!ssl_session_cache_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	939	ssl_mode_ = mode;
				940	}
				941
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	942	void OpenSSLAdapterFactory::SetCertVerifier(
				943	SSLCertificateVerifier* ssl_cert_verifier) {
				944	RTC_DCHECK(!ssl_session_cache_);
				945	ssl_cert_verifier_ = ssl_cert_verifier;
				946	}
				947
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	948	OpenSSLAdapter* OpenSSLAdapterFactory::CreateAdapter(AsyncSocket* socket) {
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	949	if (ssl_session_cache_ == nullptr) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	950	SSL_CTX* ssl_ctx = OpenSSLAdapter::CreateContext(ssl_mode_, true);
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	951	if (ssl_ctx == nullptr) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	952	return nullptr;
				953	}
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	954	// The OpenSSLSessionCache will upref the ssl_ctx.
Karl Wiberg	918f50c	2018-07-05 11:40:33 +0200	[diff] [blame]	955	ssl_session_cache_ =
Mirko Bonadei	317a1f0	2019-09-17 17:06:18 +0200	[diff] [blame]	956	std::make_unique<OpenSSLSessionCache>(ssl_mode_, ssl_ctx);
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	957	SSL_CTX_free(ssl_ctx);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	958	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	959	return new OpenSSLAdapter(socket, ssl_session_cache_.get(),
				960	ssl_cert_verifier_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	961	}
				962
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	963	} // namespace rtc