Blame - rtc_base/openssladapter.cc - webrtc.googlesource.com/src

blob: 2ca17a618e3181479288ccd1ab90be48f4b420c0 [file] [log] [blame]

henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	1	/*
				2	* Copyright 2008 The WebRTC Project Authors. All rights reserved.
				3	*
				4	* Use of this source code is governed by a BSD-style license
				5	* that can be found in the LICENSE file in the root of the source
				6	* tree. An additional intellectual property rights grant can be found
				7	* in the file PATENTS. All contributing project authors may
				8	* be found in the AUTHORS file in the root of the source tree.
				9	*/
				10
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	11	#include "rtc_base/openssladapter.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	12
				13	#if defined(WEBRTC_POSIX)
				14	#include <unistd.h>
				15	#endif
				16
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	17	#include <openssl/bio.h>
				18	#include <openssl/crypto.h>
				19	#include <openssl/err.h>
				20	#include <openssl/opensslv.h>
				21	#include <openssl/rand.h>
henrike@webrtc.org	d5a0506	2014-06-30 20:38:56 +0000	[diff] [blame]	22	#include <openssl/x509.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	23	#include <openssl/x509v3.h>
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	24	#include "rtc_base/openssl.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	25
Yves Gerey	2e00abc	2018-10-05 15:39:24 +0200	[diff] [blame]	26	#include "absl/memory/memory.h" // for make_unique
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	27	#include "rtc_base/checks.h"
				28	#include "rtc_base/logging.h"
Karl Wiberg	e40468b	2017-11-22 10:42:26 +0100	[diff] [blame]	29	#include "rtc_base/numerics/safe_conversions.h"
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	30	#include "rtc_base/opensslutility.h"
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	31	#include "rtc_base/stringencode.h"
				32	#include "rtc_base/stringutils.h"
				33	#include "rtc_base/thread.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	34
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	35	#ifndef OPENSSL_IS_BORINGSSL
				36
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	37	// TODO(benwright): Use a nicer abstraction for mutex.
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	38
				39	#if defined(WEBRTC_WIN)
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	40	#define MUTEX_TYPE HANDLE
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	41	#define MUTEX_SETUP(x) (x) = CreateMutex(nullptr, FALSE, nullptr)
				42	#define MUTEX_CLEANUP(x) CloseHandle(x)
				43	#define MUTEX_LOCK(x) WaitForSingleObject((x), INFINITE)
				44	#define MUTEX_UNLOCK(x) ReleaseMutex(x)
				45	#define THREAD_ID GetCurrentThreadId()
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	46	#elif defined(WEBRTC_POSIX)
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	47	#define MUTEX_TYPE pthread_mutex_t
				48	#define MUTEX_SETUP(x) pthread_mutex_init(&(x), nullptr)
				49	#define MUTEX_CLEANUP(x) pthread_mutex_destroy(&(x))
				50	#define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
				51	#define MUTEX_UNLOCK(x) pthread_mutex_unlock(&(x))
				52	#define THREAD_ID pthread_self()
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	53	#else
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	54	#error You must define mutex operations appropriate for your platform!
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	55	#endif
				56
				57	struct CRYPTO_dynlock_value {
				58	MUTEX_TYPE mutex;
				59	};
				60
				61	#endif // #ifndef OPENSSL_IS_BORINGSSL
				62
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	63	//////////////////////////////////////////////////////////////////////
				64	// SocketBIO
				65	//////////////////////////////////////////////////////////////////////
				66
				67	static int socket_write(BIO* h, const char* buf, int num);
				68	static int socket_read(BIO* h, char* buf, int size);
				69	static int socket_puts(BIO* h, const char* str);
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	70	static long socket_ctrl(BIO* h, int cmd, long arg1, void* arg2); // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	71	static int socket_new(BIO* h);
				72	static int socket_free(BIO* data);
				73
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	74	static BIO_METHOD* BIO_socket_method() {
				75	static BIO_METHOD* methods = [] {
				76	BIO_METHOD* methods = BIO_meth_new(BIO_TYPE_BIO, "socket");
				77	BIO_meth_set_write(methods, socket_write);
				78	BIO_meth_set_read(methods, socket_read);
				79	BIO_meth_set_puts(methods, socket_puts);
				80	BIO_meth_set_ctrl(methods, socket_ctrl);
				81	BIO_meth_set_create(methods, socket_new);
				82	BIO_meth_set_destroy(methods, socket_free);
				83	return methods;
				84	}();
				85	return methods;
				86	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	87
henrike@webrtc.org	c50bf7c	2014-05-14 18:24:13 +0000	[diff] [blame]	88	static BIO* BIO_new_socket(rtc::AsyncSocket* socket) {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	89	BIO* ret = BIO_new(BIO_socket_method());
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	90	if (ret == nullptr) {
				91	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	92	}
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	93	BIO_set_data(ret, socket);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	94	return ret;
				95	}
				96
				97	static int socket_new(BIO* b) {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	98	BIO_set_shutdown(b, 0);
				99	BIO_set_init(b, 1);
				100	BIO_set_data(b, 0);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	101	return 1;
				102	}
				103
				104	static int socket_free(BIO* b) {
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	105	if (b == nullptr)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	106	return 0;
				107	return 1;
				108	}
				109
				110	static int socket_read(BIO* b, char* out, int outl) {
				111	if (!out)
				112	return -1;
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	113	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	114	BIO_clear_retry_flags(b);
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	115	int result = socket->Recv(out, outl, nullptr);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	116	if (result > 0) {
				117	return result;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	118	} else if (socket->IsBlocking()) {
				119	BIO_set_retry_read(b);
				120	}
				121	return -1;
				122	}
				123
				124	static int socket_write(BIO* b, const char* in, int inl) {
				125	if (!in)
				126	return -1;
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	127	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	128	BIO_clear_retry_flags(b);
				129	int result = socket->Send(in, inl);
				130	if (result > 0) {
				131	return result;
				132	} else if (socket->IsBlocking()) {
				133	BIO_set_retry_write(b);
				134	}
				135	return -1;
				136	}
				137
				138	static int socket_puts(BIO* b, const char* str) {
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09 +0000	[diff] [blame]	139	return socket_write(b, str, rtc::checked_cast<int>(strlen(str)));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	140	}
				141
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	142	static long socket_ctrl(BIO* b, int cmd, long num, void* ptr) { // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	143	switch (cmd) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	144	case BIO_CTRL_RESET:
				145	return 0;
				146	case BIO_CTRL_EOF: {
				147	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(ptr);
				148	// 1 means socket closed.
				149	return (socket->GetState() == rtc::AsyncSocket::CS_CLOSED) ? 1 : 0;
				150	}
				151	case BIO_CTRL_WPENDING:
				152	case BIO_CTRL_PENDING:
				153	return 0;
				154	case BIO_CTRL_FLUSH:
				155	return 1;
				156	default:
				157	return 0;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	158	}
				159	}
				160
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	161	static void LogSslError() {
				162	// Walk down the error stack to find the SSL error.
				163	uint32_t error_code;
				164	const char* file;
				165	int line;
				166	do {
				167	error_code = ERR_get_error_line(&file, &line);
				168	if (ERR_GET_LIB(error_code) == ERR_LIB_SSL) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	169	RTC_LOG(LS_ERROR) << "ERR_LIB_SSL: " << error_code << ", " << file << ":"
				170	<< line;
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	171	break;
				172	}
				173	} while (error_code != 0);
				174	}
				175
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	176	/////////////////////////////////////////////////////////////////////////////
				177	// OpenSSLAdapter
				178	/////////////////////////////////////////////////////////////////////////////
				179
				180	namespace rtc {
				181
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	182	bool OpenSSLAdapter::InitializeSSL() {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	183	if (!SSL_library_init())
				184	return false;
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	185	#if !defined(ADDRESS_SANITIZER) \|\| !defined(WEBRTC_MAC) \|\| defined(WEBRTC_IOS)
				186	// Loading the error strings crashes mac_asan. Omit this debugging aid there.
				187	SSL_load_error_strings();
				188	#endif
				189	ERR_load_BIO_strings();
				190	OpenSSL_add_all_algorithms();
				191	RAND_poll();
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	192	return true;
				193	}
				194
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	195	bool OpenSSLAdapter::CleanupSSL() {
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	196	return true;
				197	}
				198
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	199	OpenSSLAdapter::OpenSSLAdapter(AsyncSocket* socket,
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	200	OpenSSLSessionCache* ssl_session_cache,
				201	SSLCertificateVerifier* ssl_cert_verifier)
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	202	: SSLAdapter(socket),
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	203	ssl_session_cache_(ssl_session_cache),
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	204	ssl_cert_verifier_(ssl_cert_verifier),
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	205	state_(SSL_NONE),
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	206	role_(SSL_CLIENT),
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	207	ssl_read_needs_write_(false),
				208	ssl_write_needs_read_(false),
				209	restartable_(false),
				210	ssl_(nullptr),
				211	ssl_ctx_(nullptr),
				212	ssl_mode_(SSL_MODE_TLS),
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	213	ignore_bad_cert_(false),
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	214	custom_cert_verifier_status_(false) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	215	// If a factory is used, take a reference on the factory's SSL_CTX.
				216	// Otherwise, we'll create our own later.
				217	// Either way, we'll release our reference via SSL_CTX_free() in Cleanup().
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	218	if (ssl_session_cache_ != nullptr) {
				219	ssl_ctx_ = ssl_session_cache_->GetSSLContext();
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	220	RTC_DCHECK(ssl_ctx_);
				221	// Note: if using OpenSSL, requires version 1.1.0 or later.
				222	SSL_CTX_up_ref(ssl_ctx_);
				223	}
				224	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	225
				226	OpenSSLAdapter::~OpenSSLAdapter() {
				227	Cleanup();
				228	}
				229
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	230	void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) {
				231	ignore_bad_cert_ = ignore;
				232	}
				233
				234	void OpenSSLAdapter::SetAlpnProtocols(const std::vector<std::string>& protos) {
				235	alpn_protocols_ = protos;
				236	}
				237
				238	void OpenSSLAdapter::SetEllipticCurves(const std::vector<std::string>& curves) {
				239	elliptic_curves_ = curves;
Diogo Real	7bd1f1b	2017-09-08 12:50:41 -0700	[diff] [blame]	240	}
				241
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	242	void OpenSSLAdapter::SetMode(SSLMode mode) {
				243	RTC_DCHECK(!ssl_ctx_);
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	244	RTC_DCHECK(state_ == SSL_NONE);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	245	ssl_mode_ = mode;
				246	}
				247
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	248	void OpenSSLAdapter::SetCertVerifier(
				249	SSLCertificateVerifier* ssl_cert_verifier) {
				250	RTC_DCHECK(!ssl_ctx_);
				251	ssl_cert_verifier_ = ssl_cert_verifier;
				252	}
				253
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	254	void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) {
				255	RTC_DCHECK(!identity_);
				256	identity_.reset(static_cast<OpenSSLIdentity*>(identity));
				257	}
				258
				259	void OpenSSLAdapter::SetRole(SSLRole role) {
				260	role_ = role;
				261	}
				262
				263	AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) {
				264	RTC_DCHECK(role_ == SSL_SERVER);
				265	AsyncSocket* socket = SSLAdapter::Accept(paddr);
				266	if (!socket) {
				267	return nullptr;
				268	}
				269
				270	SSLAdapter* adapter = SSLAdapter::Create(socket);
				271	adapter->SetIdentity(identity_->GetReference());
				272	adapter->SetRole(rtc::SSL_SERVER);
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	273	adapter->SetIgnoreBadCert(ignore_bad_cert_);
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	274	adapter->StartSSL("", false);
				275	return adapter;
				276	}
				277
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	278	int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	279	if (state_ != SSL_NONE)
				280	return -1;
				281
				282	ssl_host_name_ = hostname;
				283	restartable_ = restartable;
				284
				285	if (socket_->GetState() != Socket::CS_CONNECTED) {
				286	state_ = SSL_WAIT;
				287	return 0;
				288	}
				289
				290	state_ = SSL_CONNECTING;
				291	if (int err = BeginSSL()) {
				292	Error("BeginSSL", err, false);
				293	return err;
				294	}
				295
				296	return 0;
				297	}
				298
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	299	int OpenSSLAdapter::BeginSSL() {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	300	RTC_LOG(LS_INFO) << "OpenSSLAdapter::BeginSSL: " << ssl_host_name_;
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	301	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	302
				303	int err = 0;
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	304	BIO* bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	305
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	306	// First set up the context. We should either have a factory, with its own
				307	// pre-existing context, or be running standalone, in which case we will
				308	// need to create one, and specify \|false\| to disable session caching.
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	309	if (ssl_session_cache_ == nullptr) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	310	RTC_DCHECK(!ssl_ctx_);
				311	ssl_ctx_ = CreateContext(ssl_mode_, false);
				312	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	313
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	314	if (!ssl_ctx_) {
				315	err = -1;
				316	goto ssl_error;
				317	}
				318
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	319	if (identity_ && !identity_->ConfigureIdentity(ssl_ctx_)) {
				320	SSL_CTX_free(ssl_ctx_);
				321	err = -1;
				322	goto ssl_error;
				323	}
				324
Peter Boström	0b518bf	2016-01-27 12:35:40 +0100	[diff] [blame]	325	bio = BIO_new_socket(socket_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	326	if (!bio) {
				327	err = -1;
				328	goto ssl_error;
				329	}
				330
				331	ssl_ = SSL_new(ssl_ctx_);
				332	if (!ssl_) {
				333	err = -1;
				334	goto ssl_error;
				335	}
				336
				337	SSL_set_app_data(ssl_, this);
				338
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	339	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER allows different buffers to be passed
				340	// into SSL_write when a record could only be partially transmitted (and thus
				341	// requires another call to SSL_write to finish transmission). This allows us
				342	// to copy the data into our own buffer when this occurs, since the original
				343	// buffer can't safely be accessed after control exits Send.
				344	// TODO(deadbeef): Do we want SSL_MODE_ENABLE_PARTIAL_WRITE? It doesn't
				345	// appear Send handles partial writes properly, though maybe we never notice
				346	// since we never send more than 16KB at once..
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	347	SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE \|
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	348	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	349
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	350	// Enable SNI, if a hostname is supplied.
Emad Omara	dab1d2d	2017-06-16 15:43:11 -0700	[diff] [blame]	351	if (!ssl_host_name_.empty()) {
				352	SSL_set_tlsext_host_name(ssl_, ssl_host_name_.c_str());
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	353
				354	// Enable session caching, if configured and a hostname is supplied.
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	355	if (ssl_session_cache_ != nullptr) {
				356	SSL_SESSION* cached = ssl_session_cache_->LookupSession(ssl_host_name_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	357	if (cached) {
				358	if (SSL_set_session(ssl_, cached) == 0) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	359	RTC_LOG(LS_WARNING) << "Failed to apply SSL session from cache";
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	360	err = -1;
				361	goto ssl_error;
				362	}
				363
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	364	RTC_LOG(LS_INFO) << "Attempting to resume SSL session to "
				365	<< ssl_host_name_;
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	366	}
				367	}
Emad Omara	dab1d2d	2017-06-16 15:43:11 -0700	[diff] [blame]	368	}
				369
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	370	#ifdef OPENSSL_IS_BORINGSSL
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	371	// Set a couple common TLS extensions; even though we don't use them yet.
				372	SSL_enable_ocsp_stapling(ssl_);
				373	SSL_enable_signed_cert_timestamps(ssl_);
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	374	#endif
Emad Omara	cb79d23	2017-07-20 16:34:34 -0700	[diff] [blame]	375
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	376	if (!alpn_protocols_.empty()) {
				377	std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_);
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	378	if (!tls_alpn_string.empty()) {
				379	SSL_set_alpn_protos(
				380	ssl_, reinterpret_cast<const unsigned char*>(tls_alpn_string.data()),
Mirko Bonadei	a041f92	2018-05-23 10:22:36 +0200	[diff] [blame]	381	rtc::dchecked_cast<unsigned>(tls_alpn_string.size()));
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	382	}
				383	}
				384
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	385	if (!elliptic_curves_.empty()) {
				386	SSL_set1_curves_list(ssl_, rtc::join(elliptic_curves_, ':').c_str());
Diogo Real	7bd1f1b	2017-09-08 12:50:41 -0700	[diff] [blame]	387	}
				388
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	389	// Now that the initial config is done, transfer ownership of \|bio\| to the
				390	// SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup().
				391	SSL_set_bio(ssl_, bio, bio);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	392	bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	393
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	394	// Do the connect.
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	395	err = ContinueSSL();
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	396	if (err != 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	397	goto ssl_error;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	398	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	399
				400	return err;
				401
				402	ssl_error:
				403	Cleanup();
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	404	if (bio) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	405	BIO_free(bio);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	406	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	407
				408	return err;
				409	}
				410
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	411	int OpenSSLAdapter::ContinueSSL() {
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	412	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	413
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	414	// Clear the DTLS timer
				415	Thread::Current()->Clear(this, MSG_TIMEOUT);
				416
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	417	int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	418	switch (SSL_get_error(ssl_, code)) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	419	case SSL_ERROR_NONE:
				420	if (!SSLPostConnectionCheck(ssl_, ssl_host_name_)) {
				421	RTC_LOG(LS_ERROR) << "TLS post connection check failed";
				422	// make sure we close the socket
				423	Cleanup();
				424	// The connect failed so return -1 to shut down the socket
				425	return -1;
				426	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	427
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	428	state_ = SSL_CONNECTED;
				429	AsyncSocketAdapter::OnConnectEvent(this);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	430	// TODO(benwright): Refactor this code path.
				431	// Don't let ourselves go away during the callbacks
				432	// PRefPtr<OpenSSLAdapter> lock(this);
				433	// RTC_LOG(LS_INFO) << " -- onStreamReadable";
				434	// AsyncSocketAdapter::OnReadEvent(this);
				435	// RTC_LOG(LS_INFO) << " -- onStreamWriteable";
				436	// AsyncSocketAdapter::OnWriteEvent(this);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	437	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	438
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	439	case SSL_ERROR_WANT_READ:
				440	RTC_LOG(LS_VERBOSE) << " -- error want read";
				441	struct timeval timeout;
				442	if (DTLSv1_get_timeout(ssl_, &timeout)) {
				443	int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	444
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	445	Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, MSG_TIMEOUT,
				446	0);
				447	}
				448	break;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	449
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	450	case SSL_ERROR_WANT_WRITE:
				451	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	452
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	453	case SSL_ERROR_ZERO_RETURN:
				454	default:
				455	RTC_LOG(LS_WARNING) << "ContinueSSL -- error " << code;
				456	return (code != 0) ? code : -1;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	457	}
				458
				459	return 0;
				460	}
				461
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	462	void OpenSSLAdapter::Error(const char* context, int err, bool signal) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	463	RTC_LOG(LS_WARNING) << "OpenSSLAdapter::Error(" << context << ", " << err
				464	<< ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	465	state_ = SSL_ERROR;
				466	SetError(err);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	467	if (signal) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	468	AsyncSocketAdapter::OnCloseEvent(this, err);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	469	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	470	}
				471
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	472	void OpenSSLAdapter::Cleanup() {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	473	RTC_LOG(LS_INFO) << "OpenSSLAdapter::Cleanup";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	474
				475	state_ = SSL_NONE;
				476	ssl_read_needs_write_ = false;
				477	ssl_write_needs_read_ = false;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	478	custom_cert_verifier_status_ = false;
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	479	pending_data_.Clear();
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	480
				481	if (ssl_) {
				482	SSL_free(ssl_);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	483	ssl_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	484	}
				485
				486	if (ssl_ctx_) {
				487	SSL_CTX_free(ssl_ctx_);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	488	ssl_ctx_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	489	}
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	490	identity_.reset();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	491
				492	// Clear the DTLS timer
				493	Thread::Current()->Clear(this, MSG_TIMEOUT);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	494	}
				495
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	496	int OpenSSLAdapter::DoSslWrite(const void* pv, size_t cb, int* error) {
				497	// If we have pending data (that was previously only partially written by
				498	// SSL_write), we shouldn't be attempting to write anything else.
				499	RTC_DCHECK(pending_data_.empty() \|\| pv == pending_data_.data());
				500	RTC_DCHECK(error != nullptr);
				501
				502	ssl_write_needs_read_ = false;
				503	int ret = SSL_write(ssl_, pv, checked_cast<int>(cb));
				504	*error = SSL_get_error(ssl_, ret);
				505	switch (*error) {
				506	case SSL_ERROR_NONE:
				507	// Success!
				508	return ret;
				509	case SSL_ERROR_WANT_READ:
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	510	RTC_LOG(LS_INFO) << " -- error want read";
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	511	ssl_write_needs_read_ = true;
				512	SetError(EWOULDBLOCK);
				513	break;
				514	case SSL_ERROR_WANT_WRITE:
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	515	RTC_LOG(LS_INFO) << " -- error want write";
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	516	SetError(EWOULDBLOCK);
				517	break;
				518	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	519	SetError(EWOULDBLOCK);
				520	// do we need to signal closure?
				521	break;
				522	case SSL_ERROR_SSL:
				523	LogSslError();
				524	Error("SSL_write", ret ? ret : -1, false);
				525	break;
				526	default:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	527	Error("SSL_write", ret ? ret : -1, false);
				528	break;
				529	}
				530
				531	return SOCKET_ERROR;
				532	}
				533
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	534	///////////////////////////////////////////////////////////////////////////////
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	535	// AsyncSocket Implementation
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	536	///////////////////////////////////////////////////////////////////////////////
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	537
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	538	int OpenSSLAdapter::Send(const void* pv, size_t cb) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	539	switch (state_) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	540	case SSL_NONE:
				541	return AsyncSocketAdapter::Send(pv, cb);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	542	case SSL_WAIT:
				543	case SSL_CONNECTING:
				544	SetError(ENOTCONN);
				545	return SOCKET_ERROR;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	546	case SSL_CONNECTED:
				547	break;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	548	case SSL_ERROR:
				549	default:
				550	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	551	}
				552
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	553	int ret;
				554	int error;
				555
				556	if (!pending_data_.empty()) {
				557	ret = DoSslWrite(pending_data_.data(), pending_data_.size(), &error);
				558	if (ret != static_cast<int>(pending_data_.size())) {
				559	// We couldn't finish sending the pending data, so we definitely can't
				560	// send any more data. Return with an EWOULDBLOCK error.
				561	SetError(EWOULDBLOCK);
				562	return SOCKET_ERROR;
				563	}
				564	// We completed sending the data previously passed into SSL_write! Now
				565	// we're allowed to send more data.
				566	pending_data_.Clear();
				567	}
				568
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	569	// OpenSSL will return an error if we try to write zero bytes
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	570	if (cb == 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	571	return 0;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	572	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	573
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	574	ret = DoSslWrite(pv, cb, &error);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	575
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	576	// If SSL_write fails with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, this
				577	// means the underlying socket is blocked on reading or (more typically)
				578	// writing. When this happens, OpenSSL requires that the next call to
				579	// SSL_write uses the same arguments (though, with
				580	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, the actual buffer pointer may be
				581	// different).
				582	//
				583	// However, after Send exits, we will have lost access to data the user of
				584	// this class is trying to send, and there's no guarantee that the user of
				585	// this class will call Send with the same arguements when it fails. So, we
				586	// buffer the data ourselves. When we know the underlying socket is writable
				587	// again from OnWriteEvent (or if Send is called again before that happens),
				588	// we'll retry sending this buffered data.
deadbeef	e5dce2b	2017-06-02 11:52:06 -0700	[diff] [blame]	589	if (error == SSL_ERROR_WANT_READ \|\| error == SSL_ERROR_WANT_WRITE) {
				590	// Shouldn't be able to get to this point if we already have pending data.
				591	RTC_DCHECK(pending_data_.empty());
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	592	RTC_LOG(LS_WARNING)
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	593	<< "SSL_write couldn't write to the underlying socket; buffering data.";
				594	pending_data_.SetData(static_cast<const uint8_t*>(pv), cb);
				595	// Since we're taking responsibility for sending this data, return its full
				596	// size. The user of this class can consider it sent.
Mirko Bonadei	a041f92	2018-05-23 10:22:36 +0200	[diff] [blame]	597	return rtc::dchecked_cast<int>(cb);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	598	}
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	599	return ret;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	600	}
				601
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	602	int OpenSSLAdapter::SendTo(const void* pv,
				603	size_t cb,
				604	const SocketAddress& addr) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	605	if (socket_->GetState() == Socket::CS_CONNECTED &&
				606	addr == socket_->GetRemoteAddress()) {
				607	return Send(pv, cb);
				608	}
				609
				610	SetError(ENOTCONN);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	611	return SOCKET_ERROR;
				612	}
				613
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	614	int OpenSSLAdapter::Recv(void* pv, size_t cb, int64_t* timestamp) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	615	switch (state_) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	616	case SSL_NONE:
				617	return AsyncSocketAdapter::Recv(pv, cb, timestamp);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	618	case SSL_WAIT:
				619	case SSL_CONNECTING:
				620	SetError(ENOTCONN);
				621	return SOCKET_ERROR;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	622	case SSL_CONNECTED:
				623	break;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	624	case SSL_ERROR:
				625	default:
				626	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	627	}
				628
				629	// Don't trust OpenSSL with zero byte reads
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	630	if (cb == 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	631	return 0;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	632	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	633
				634	ssl_read_needs_write_ = false;
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09 +0000	[diff] [blame]	635	int code = SSL_read(ssl_, pv, checked_cast<int>(cb));
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	636	int error = SSL_get_error(ssl_, code);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	637
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	638	switch (error) {
				639	case SSL_ERROR_NONE:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	640	return code;
				641	case SSL_ERROR_WANT_READ:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	642	SetError(EWOULDBLOCK);
				643	break;
				644	case SSL_ERROR_WANT_WRITE:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	645	ssl_read_needs_write_ = true;
				646	SetError(EWOULDBLOCK);
				647	break;
				648	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	649	SetError(EWOULDBLOCK);
				650	// do we need to signal closure?
				651	break;
				652	case SSL_ERROR_SSL:
				653	LogSslError();
				654	Error("SSL_read", (code ? code : -1), false);
				655	break;
				656	default:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	657	Error("SSL_read", (code ? code : -1), false);
				658	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	659	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	660	return SOCKET_ERROR;
				661	}
				662
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	663	int OpenSSLAdapter::RecvFrom(void* pv,
				664	size_t cb,
				665	SocketAddress* paddr,
				666	int64_t* timestamp) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	667	if (socket_->GetState() == Socket::CS_CONNECTED) {
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	668	int ret = Recv(pv, cb, timestamp);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	669	*paddr = GetRemoteAddress();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	670	return ret;
				671	}
				672
				673	SetError(ENOTCONN);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	674	return SOCKET_ERROR;
				675	}
				676
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	677	int OpenSSLAdapter::Close() {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	678	Cleanup();
				679	state_ = restartable_ ? SSL_WAIT : SSL_NONE;
				680	return AsyncSocketAdapter::Close();
				681	}
				682
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	683	Socket::ConnState OpenSSLAdapter::GetState() const {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	684	ConnState state = socket_->GetState();
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	685	if ((state == CS_CONNECTED) &&
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	686	((state_ == SSL_WAIT) \|\| (state_ == SSL_CONNECTING))) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	687	state = CS_CONNECTING;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	688	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	689	return state;
				690	}
				691
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	692	bool OpenSSLAdapter::IsResumedSession() {
				693	return (ssl_ && SSL_session_reused(ssl_) == 1);
				694	}
				695
				696	void OpenSSLAdapter::OnMessage(Message* msg) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	697	if (MSG_TIMEOUT == msg->message_id) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	698	RTC_LOG(LS_INFO) << "DTLS timeout expired";
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	699	DTLSv1_handle_timeout(ssl_);
				700	ContinueSSL();
				701	}
				702	}
				703
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	704	void OpenSSLAdapter::OnConnectEvent(AsyncSocket* socket) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	705	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnConnectEvent";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	706	if (state_ != SSL_WAIT) {
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	707	RTC_DCHECK(state_ == SSL_NONE);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	708	AsyncSocketAdapter::OnConnectEvent(socket);
				709	return;
				710	}
				711
				712	state_ = SSL_CONNECTING;
				713	if (int err = BeginSSL()) {
				714	AsyncSocketAdapter::OnCloseEvent(socket, err);
				715	}
				716	}
				717
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	718	void OpenSSLAdapter::OnReadEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	719	if (state_ == SSL_NONE) {
				720	AsyncSocketAdapter::OnReadEvent(socket);
				721	return;
				722	}
				723
				724	if (state_ == SSL_CONNECTING) {
				725	if (int err = ContinueSSL()) {
				726	Error("ContinueSSL", err);
				727	}
				728	return;
				729	}
				730
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	731	if (state_ != SSL_CONNECTED) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	732	return;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	733	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	734
				735	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	736	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	737	if (ssl_write_needs_read_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	738	AsyncSocketAdapter::OnWriteEvent(socket);
				739	}
				740
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	741	AsyncSocketAdapter::OnReadEvent(socket);
				742	}
				743
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	744	void OpenSSLAdapter::OnWriteEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	745	if (state_ == SSL_NONE) {
				746	AsyncSocketAdapter::OnWriteEvent(socket);
				747	return;
				748	}
				749
				750	if (state_ == SSL_CONNECTING) {
				751	if (int err = ContinueSSL()) {
				752	Error("ContinueSSL", err);
				753	}
				754	return;
				755	}
				756
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	757	if (state_ != SSL_CONNECTED) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	758	return;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	759	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	760
				761	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	762	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	763
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	764	if (ssl_read_needs_write_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	765	AsyncSocketAdapter::OnReadEvent(socket);
				766	}
				767
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	768	// If a previous SSL_write failed due to the underlying socket being blocked,
				769	// this will attempt finishing the write operation.
				770	if (!pending_data_.empty()) {
				771	int error;
				772	if (DoSslWrite(pending_data_.data(), pending_data_.size(), &error) ==
				773	static_cast<int>(pending_data_.size())) {
				774	pending_data_.Clear();
				775	}
				776	}
				777
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	778	AsyncSocketAdapter::OnWriteEvent(socket);
				779	}
				780
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	781	void OpenSSLAdapter::OnCloseEvent(AsyncSocket* socket, int err) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	782	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	783	AsyncSocketAdapter::OnCloseEvent(socket, err);
				784	}
				785
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	786	bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const std::string& host) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	787	bool is_valid_cert_name =
				788	openssl::VerifyPeerCertMatchesHost(ssl, host) &&
				789	(SSL_get_verify_result(ssl) == X509_V_OK \|\| custom_cert_verifier_status_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	790
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	791	if (!is_valid_cert_name && ignore_bad_cert_) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	792	RTC_DLOG(LS_WARNING) << "Other TLS post connection checks failed. "
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	793	"ignore_bad_cert_ set to true. Overriding name "
				794	"verification failure!";
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	795	is_valid_cert_name = true;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	796	}
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	797	return is_valid_cert_name;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	798	}
				799
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	800	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	801
				802	// We only use this for tracing and so it is only needed in debug mode
				803
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	804	void OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int ret) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	805	const char* str = "undefined";
				806	int w = where & ~SSL_ST_MASK;
				807	if (w & SSL_ST_CONNECT) {
				808	str = "SSL_connect";
				809	} else if (w & SSL_ST_ACCEPT) {
				810	str = "SSL_accept";
				811	}
				812	if (where & SSL_CB_LOOP) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	813	RTC_DLOG(LS_INFO) << str << ":" << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	814	} else if (where & SSL_CB_ALERT) {
				815	str = (where & SSL_CB_READ) ? "read" : "write";
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	816	RTC_DLOG(LS_INFO) << "SSL3 alert " << str << ":"
				817	<< SSL_alert_type_string_long(ret) << ":"
				818	<< SSL_alert_desc_string_long(ret);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	819	} else if (where & SSL_CB_EXIT) {
				820	if (ret == 0) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	821	RTC_DLOG(LS_INFO) << str << ":failed in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	822	} else if (ret < 0) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	823	RTC_DLOG(LS_INFO) << str << ":error in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	824	}
				825	}
				826	}
				827
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	828	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	829
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	830	int OpenSSLAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	831	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	832	if (!ok) {
				833	char data[256];
				834	X509* cert = X509_STORE_CTX_get_current_cert(store);
				835	int depth = X509_STORE_CTX_get_error_depth(store);
				836	int err = X509_STORE_CTX_get_error(store);
				837
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	838	RTC_DLOG(LS_INFO) << "Error with certificate at depth: " << depth;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	839	X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	840	RTC_DLOG(LS_INFO) << " issuer = " << data;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	841	X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	842	RTC_DLOG(LS_INFO) << " subject = " << data;
				843	RTC_DLOG(LS_INFO) << " err = " << err << ":"
				844	<< X509_verify_cert_error_string(err);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	845	}
				846	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	847	// Get our stream pointer from the store
				848	SSL* ssl = reinterpret_cast<SSL*>(
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	849	X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	850
				851	OpenSSLAdapter* stream =
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	852	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	853
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	854	if (!ok && stream->ssl_cert_verifier_ != nullptr) {
				855	RTC_LOG(LS_INFO) << "Invoking SSL Verify Callback.";
				856	const OpenSSLCertificate cert(X509_STORE_CTX_get_current_cert(store));
				857	if (stream->ssl_cert_verifier_->Verify(cert)) {
				858	stream->custom_cert_verifier_status_ = true;
				859	RTC_LOG(LS_INFO) << "Validated certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	860	ok = true;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	861	} else {
				862	RTC_LOG(LS_INFO) << "Failed to verify certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	863	}
				864	}
				865
				866	// Should only be used for debugging and development.
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	867	if (!ok && stream->ignore_bad_cert_) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	868	RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	869	ok = 1;
				870	}
				871
				872	return ok;
				873	}
				874
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	875	int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) {
				876	OpenSSLAdapter* stream =
				877	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	878	RTC_DCHECK(stream->ssl_session_cache_);
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	879	RTC_LOG(LS_INFO) << "Caching SSL session for " << stream->ssl_host_name_;
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	880	stream->ssl_session_cache_->AddSession(stream->ssl_host_name_, session);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	881	return 1; // We've taken ownership of the session; OpenSSL shouldn't free it.
				882	}
				883
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	884	SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	885	// Use (D)TLS 1.2.
				886	// Note: BoringSSL supports a range of versions by setting max/min version
				887	// (Default V1.0 to V1.2). However (D)TLSv1_2_client_method functions used
				888	// below in OpenSSL only support V1.2.
				889	SSL_CTX* ctx = nullptr;
				890	#ifdef OPENSSL_IS_BORINGSSL
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	891	ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	892	#else
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	893	ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLSv1_2_client_method()
				894	: TLSv1_2_client_method());
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	895	#endif // OPENSSL_IS_BORINGSSL
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	896	if (ctx == nullptr) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	897	unsigned long error = ERR_get_error(); // NOLINT: type used by OpenSSL.
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	898	RTC_LOG(LS_WARNING) << "SSL_CTX creation failed: " << '"'
				899	<< ERR_reason_error_string(error) << "\" "
				900	<< "(error=" << error << ')';
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	901	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	902	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	903
Mirko Bonadei	b889a20	2018-08-15 11:41:27 +0200	[diff] [blame]	904	#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	905	if (!openssl::LoadBuiltinSSLRootCertificates(ctx)) {
				906	RTC_LOG(LS_ERROR) << "SSL_CTX creation failed: Failed to load any trusted "
				907	"ssl root certificates.";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	908	SSL_CTX_free(ctx);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	909	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	910	}
Mirko Bonadei	b889a20	2018-08-15 11:41:27 +0200	[diff] [blame]	911	#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	912
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	913	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	914	SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
				915	#endif
				916
				917	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
				918	SSL_CTX_set_verify_depth(ctx, 4);
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	919	// Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
				920	// (note that SHA256 and SHA384 only select legacy CBC ciphers).
				921	// Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
				922	// CBC-mode ECDSA ciphers.
				923	SSL_CTX_set_cipher_list(
				924	ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5");
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	925
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	926	if (mode == SSL_MODE_DTLS) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	927	SSL_CTX_set_read_ahead(ctx, 1);
				928	}
				929
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	930	if (enable_cache) {
				931	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
				932	SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback);
				933	}
				934
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	935	return ctx;
				936	}
				937
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	938	std::string TransformAlpnProtocols(
				939	const std::vector<std::string>& alpn_protocols) {
				940	// Transforms the alpn_protocols list to the format expected by
				941	// Open/BoringSSL. This requires joining the protocols into a single string
				942	// and prepending a character with the size of the protocol string before
				943	// each protocol.
				944	std::string transformed_alpn;
				945	for (const std::string& proto : alpn_protocols) {
				946	if (proto.size() == 0 \|\| proto.size() > 0xFF) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	947	RTC_LOG(LS_ERROR) << "OpenSSLAdapter::Error("
				948	<< "TransformAlpnProtocols received proto with size "
				949	<< proto.size() << ")";
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	950	return "";
				951	}
				952	transformed_alpn += static_cast<char>(proto.size());
				953	transformed_alpn += proto;
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	954	RTC_LOG(LS_VERBOSE) << "TransformAlpnProtocols: Adding proto: " << proto;
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	955	}
				956	return transformed_alpn;
				957	}
				958
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	959	//////////////////////////////////////////////////////////////////////
				960	// OpenSSLAdapterFactory
				961	//////////////////////////////////////////////////////////////////////
				962
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	963	OpenSSLAdapterFactory::OpenSSLAdapterFactory() = default;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	964
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	965	OpenSSLAdapterFactory::~OpenSSLAdapterFactory() = default;
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	966
				967	void OpenSSLAdapterFactory::SetMode(SSLMode mode) {
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	968	RTC_DCHECK(!ssl_session_cache_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	969	ssl_mode_ = mode;
				970	}
				971
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	972	void OpenSSLAdapterFactory::SetCertVerifier(
				973	SSLCertificateVerifier* ssl_cert_verifier) {
				974	RTC_DCHECK(!ssl_session_cache_);
				975	ssl_cert_verifier_ = ssl_cert_verifier;
				976	}
				977
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	978	OpenSSLAdapter* OpenSSLAdapterFactory::CreateAdapter(AsyncSocket* socket) {
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	979	if (ssl_session_cache_ == nullptr) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	980	SSL_CTX* ssl_ctx = OpenSSLAdapter::CreateContext(ssl_mode_, true);
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	981	if (ssl_ctx == nullptr) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	982	return nullptr;
				983	}
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	984	// The OpenSSLSessionCache will upref the ssl_ctx.
Karl Wiberg	918f50c	2018-07-05 11:40:33 +0200	[diff] [blame]	985	ssl_session_cache_ =
				986	absl::make_unique<OpenSSLSessionCache>(ssl_mode_, ssl_ctx);
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	987	SSL_CTX_free(ssl_ctx);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	988	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	989	return new OpenSSLAdapter(socket, ssl_session_cache_.get(),
				990	ssl_cert_verifier_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	991	}
				992
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	993	} // namespace rtc