Blame - rtc_base/openssladapter.cc - webrtc.googlesource.com/src

blob: 2662b37a9714290ab94871acef0c4420b3302085 [file] [log] [blame]

henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	1	/*
				2	* Copyright 2008 The WebRTC Project Authors. All rights reserved.
				3	*
				4	* Use of this source code is governed by a BSD-style license
				5	* that can be found in the LICENSE file in the root of the source
				6	* tree. An additional intellectual property rights grant can be found
				7	* in the file PATENTS. All contributing project authors may
				8	* be found in the AUTHORS file in the root of the source tree.
				9	*/
				10
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	11	#include "rtc_base/openssladapter.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	12
				13	#if defined(WEBRTC_POSIX)
				14	#include <unistd.h>
				15	#endif
				16
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	17	#include <openssl/bio.h>
				18	#include <openssl/crypto.h>
				19	#include <openssl/err.h>
				20	#include <openssl/opensslv.h>
				21	#include <openssl/rand.h>
henrike@webrtc.org	d5a0506	2014-06-30 20:38:56 +0000	[diff] [blame]	22	#include <openssl/x509.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	23	#include <openssl/x509v3.h>
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	24	#include "rtc_base/openssl.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	25
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	26	#include "rtc_base/checks.h"
				27	#include "rtc_base/logging.h"
Karl Wiberg	e40468b	2017-11-22 10:42:26 +0100	[diff] [blame]	28	#include "rtc_base/numerics/safe_conversions.h"
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	29	#include "rtc_base/opensslutility.h"
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	30	#include "rtc_base/stringencode.h"
				31	#include "rtc_base/stringutils.h"
				32	#include "rtc_base/thread.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	33
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	34	#ifndef OPENSSL_IS_BORINGSSL
				35
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	36	// TODO(benwright): Use a nicer abstraction for mutex.
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	37
				38	#if defined(WEBRTC_WIN)
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	39	#define MUTEX_TYPE HANDLE
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	40	#define MUTEX_SETUP(x) (x) = CreateMutex(nullptr, FALSE, nullptr)
				41	#define MUTEX_CLEANUP(x) CloseHandle(x)
				42	#define MUTEX_LOCK(x) WaitForSingleObject((x), INFINITE)
				43	#define MUTEX_UNLOCK(x) ReleaseMutex(x)
				44	#define THREAD_ID GetCurrentThreadId()
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	45	#elif defined(WEBRTC_POSIX)
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	46	#define MUTEX_TYPE pthread_mutex_t
				47	#define MUTEX_SETUP(x) pthread_mutex_init(&(x), nullptr)
				48	#define MUTEX_CLEANUP(x) pthread_mutex_destroy(&(x))
				49	#define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
				50	#define MUTEX_UNLOCK(x) pthread_mutex_unlock(&(x))
				51	#define THREAD_ID pthread_self()
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	52	#else
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	53	#error You must define mutex operations appropriate for your platform!
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	54	#endif
				55
				56	struct CRYPTO_dynlock_value {
				57	MUTEX_TYPE mutex;
				58	};
				59
				60	#endif // #ifndef OPENSSL_IS_BORINGSSL
				61
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	62	//////////////////////////////////////////////////////////////////////
				63	// SocketBIO
				64	//////////////////////////////////////////////////////////////////////
				65
				66	static int socket_write(BIO* h, const char* buf, int num);
				67	static int socket_read(BIO* h, char* buf, int size);
				68	static int socket_puts(BIO* h, const char* str);
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	69	static long socket_ctrl(BIO* h, int cmd, long arg1, void* arg2); // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	70	static int socket_new(BIO* h);
				71	static int socket_free(BIO* data);
				72
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	73	static BIO_METHOD* BIO_socket_method() {
				74	static BIO_METHOD* methods = [] {
				75	BIO_METHOD* methods = BIO_meth_new(BIO_TYPE_BIO, "socket");
				76	BIO_meth_set_write(methods, socket_write);
				77	BIO_meth_set_read(methods, socket_read);
				78	BIO_meth_set_puts(methods, socket_puts);
				79	BIO_meth_set_ctrl(methods, socket_ctrl);
				80	BIO_meth_set_create(methods, socket_new);
				81	BIO_meth_set_destroy(methods, socket_free);
				82	return methods;
				83	}();
				84	return methods;
				85	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	86
henrike@webrtc.org	c50bf7c	2014-05-14 18:24:13 +0000	[diff] [blame]	87	static BIO* BIO_new_socket(rtc::AsyncSocket* socket) {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	88	BIO* ret = BIO_new(BIO_socket_method());
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	89	if (ret == nullptr) {
				90	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	91	}
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	92	BIO_set_data(ret, socket);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	93	return ret;
				94	}
				95
				96	static int socket_new(BIO* b) {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	97	BIO_set_shutdown(b, 0);
				98	BIO_set_init(b, 1);
				99	BIO_set_data(b, 0);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	100	return 1;
				101	}
				102
				103	static int socket_free(BIO* b) {
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	104	if (b == nullptr)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	105	return 0;
				106	return 1;
				107	}
				108
				109	static int socket_read(BIO* b, char* out, int outl) {
				110	if (!out)
				111	return -1;
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	112	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	113	BIO_clear_retry_flags(b);
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	114	int result = socket->Recv(out, outl, nullptr);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	115	if (result > 0) {
				116	return result;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	117	} else if (socket->IsBlocking()) {
				118	BIO_set_retry_read(b);
				119	}
				120	return -1;
				121	}
				122
				123	static int socket_write(BIO* b, const char* in, int inl) {
				124	if (!in)
				125	return -1;
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	126	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	127	BIO_clear_retry_flags(b);
				128	int result = socket->Send(in, inl);
				129	if (result > 0) {
				130	return result;
				131	} else if (socket->IsBlocking()) {
				132	BIO_set_retry_write(b);
				133	}
				134	return -1;
				135	}
				136
				137	static int socket_puts(BIO* b, const char* str) {
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09 +0000	[diff] [blame]	138	return socket_write(b, str, rtc::checked_cast<int>(strlen(str)));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	139	}
				140
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	141	static long socket_ctrl(BIO* b, int cmd, long num, void* ptr) { // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	142	switch (cmd) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	143	case BIO_CTRL_RESET:
				144	return 0;
				145	case BIO_CTRL_EOF: {
				146	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(ptr);
				147	// 1 means socket closed.
				148	return (socket->GetState() == rtc::AsyncSocket::CS_CLOSED) ? 1 : 0;
				149	}
				150	case BIO_CTRL_WPENDING:
				151	case BIO_CTRL_PENDING:
				152	return 0;
				153	case BIO_CTRL_FLUSH:
				154	return 1;
				155	default:
				156	return 0;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	157	}
				158	}
				159
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	160	static void LogSslError() {
				161	// Walk down the error stack to find the SSL error.
				162	uint32_t error_code;
				163	const char* file;
				164	int line;
				165	do {
				166	error_code = ERR_get_error_line(&file, &line);
				167	if (ERR_GET_LIB(error_code) == ERR_LIB_SSL) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	168	RTC_LOG(LS_ERROR) << "ERR_LIB_SSL: " << error_code << ", " << file << ":"
				169	<< line;
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	170	break;
				171	}
				172	} while (error_code != 0);
				173	}
				174
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	175	/////////////////////////////////////////////////////////////////////////////
				176	// OpenSSLAdapter
				177	/////////////////////////////////////////////////////////////////////////////
				178
				179	namespace rtc {
				180
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	181	bool OpenSSLAdapter::InitializeSSL() {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	182	if (!SSL_library_init())
				183	return false;
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	184	#if !defined(ADDRESS_SANITIZER) \|\| !defined(WEBRTC_MAC) \|\| defined(WEBRTC_IOS)
				185	// Loading the error strings crashes mac_asan. Omit this debugging aid there.
				186	SSL_load_error_strings();
				187	#endif
				188	ERR_load_BIO_strings();
				189	OpenSSL_add_all_algorithms();
				190	RAND_poll();
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	191	return true;
				192	}
				193
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	194	bool OpenSSLAdapter::CleanupSSL() {
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	195	return true;
				196	}
				197
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	198	OpenSSLAdapter::OpenSSLAdapter(AsyncSocket* socket,
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	199	OpenSSLSessionCache* ssl_session_cache,
				200	SSLCertificateVerifier* ssl_cert_verifier)
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	201	: SSLAdapter(socket),
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	202	ssl_session_cache_(ssl_session_cache),
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	203	ssl_cert_verifier_(ssl_cert_verifier),
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	204	state_(SSL_NONE),
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	205	role_(SSL_CLIENT),
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	206	ssl_read_needs_write_(false),
				207	ssl_write_needs_read_(false),
				208	restartable_(false),
				209	ssl_(nullptr),
				210	ssl_ctx_(nullptr),
				211	ssl_mode_(SSL_MODE_TLS),
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	212	custom_cert_verifier_status_(false) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	213	// If a factory is used, take a reference on the factory's SSL_CTX.
				214	// Otherwise, we'll create our own later.
				215	// Either way, we'll release our reference via SSL_CTX_free() in Cleanup().
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	216	if (ssl_session_cache_ != nullptr) {
				217	ssl_ctx_ = ssl_session_cache_->GetSSLContext();
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	218	RTC_DCHECK(ssl_ctx_);
				219	// Note: if using OpenSSL, requires version 1.1.0 or later.
				220	SSL_CTX_up_ref(ssl_ctx_);
				221	}
				222	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	223
				224	OpenSSLAdapter::~OpenSSLAdapter() {
				225	Cleanup();
				226	}
				227
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	228	void OpenSSLAdapter::SetSSLConfig(const SSLConfig& ssl_config) {
				229	ssl_config_ = ssl_config;
Diogo Real	7bd1f1b	2017-09-08 12:50:41 -0700	[diff] [blame]	230	}
				231
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	232	void OpenSSLAdapter::SetMode(SSLMode mode) {
				233	RTC_DCHECK(!ssl_ctx_);
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	234	RTC_DCHECK(state_ == SSL_NONE);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	235	ssl_mode_ = mode;
				236	}
				237
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	238	void OpenSSLAdapter::SetCertVerifier(
				239	SSLCertificateVerifier* ssl_cert_verifier) {
				240	RTC_DCHECK(!ssl_ctx_);
				241	ssl_cert_verifier_ = ssl_cert_verifier;
				242	}
				243
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	244	void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) {
				245	RTC_DCHECK(!identity_);
				246	identity_.reset(static_cast<OpenSSLIdentity*>(identity));
				247	}
				248
				249	void OpenSSLAdapter::SetRole(SSLRole role) {
				250	role_ = role;
				251	}
				252
				253	AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) {
				254	RTC_DCHECK(role_ == SSL_SERVER);
				255	AsyncSocket* socket = SSLAdapter::Accept(paddr);
				256	if (!socket) {
				257	return nullptr;
				258	}
				259
				260	SSLAdapter* adapter = SSLAdapter::Create(socket);
				261	adapter->SetIdentity(identity_->GetReference());
				262	adapter->SetRole(rtc::SSL_SERVER);
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	263	adapter->SetSSLConfig(ssl_config_);
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	264	adapter->StartSSL("", false);
				265	return adapter;
				266	}
				267
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	268	int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	269	if (state_ != SSL_NONE)
				270	return -1;
				271
				272	ssl_host_name_ = hostname;
				273	restartable_ = restartable;
				274
				275	if (socket_->GetState() != Socket::CS_CONNECTED) {
				276	state_ = SSL_WAIT;
				277	return 0;
				278	}
				279
				280	state_ = SSL_CONNECTING;
				281	if (int err = BeginSSL()) {
				282	Error("BeginSSL", err, false);
				283	return err;
				284	}
				285
				286	return 0;
				287	}
				288
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	289	int OpenSSLAdapter::BeginSSL() {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	290	RTC_LOG(LS_INFO) << "OpenSSLAdapter::BeginSSL: " << ssl_host_name_;
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	291	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	292
				293	int err = 0;
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	294	BIO* bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	295
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	296	// First set up the context. We should either have a factory, with its own
				297	// pre-existing context, or be running standalone, in which case we will
				298	// need to create one, and specify \|false\| to disable session caching.
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	299	if (ssl_session_cache_ == nullptr) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	300	RTC_DCHECK(!ssl_ctx_);
				301	ssl_ctx_ = CreateContext(ssl_mode_, false);
				302	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	303
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	304	if (!ssl_ctx_) {
				305	err = -1;
				306	goto ssl_error;
				307	}
				308
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	309	if (identity_ && !identity_->ConfigureIdentity(ssl_ctx_)) {
				310	SSL_CTX_free(ssl_ctx_);
				311	err = -1;
				312	goto ssl_error;
				313	}
				314
Peter Boström	0b518bf	2016-01-27 12:35:40 +0100	[diff] [blame]	315	bio = BIO_new_socket(socket_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	316	if (!bio) {
				317	err = -1;
				318	goto ssl_error;
				319	}
				320
				321	ssl_ = SSL_new(ssl_ctx_);
				322	if (!ssl_) {
				323	err = -1;
				324	goto ssl_error;
				325	}
				326
				327	SSL_set_app_data(ssl_, this);
				328
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	329	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER allows different buffers to be passed
				330	// into SSL_write when a record could only be partially transmitted (and thus
				331	// requires another call to SSL_write to finish transmission). This allows us
				332	// to copy the data into our own buffer when this occurs, since the original
				333	// buffer can't safely be accessed after control exits Send.
				334	// TODO(deadbeef): Do we want SSL_MODE_ENABLE_PARTIAL_WRITE? It doesn't
				335	// appear Send handles partial writes properly, though maybe we never notice
				336	// since we never send more than 16KB at once..
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	337	SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE \|
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	338	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	339
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	340	// Enable SNI, if a hostname is supplied.
Emad Omara	dab1d2d	2017-06-16 15:43:11 -0700	[diff] [blame]	341	if (!ssl_host_name_.empty()) {
				342	SSL_set_tlsext_host_name(ssl_, ssl_host_name_.c_str());
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	343
				344	// Enable session caching, if configured and a hostname is supplied.
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	345	if (ssl_session_cache_ != nullptr) {
				346	SSL_SESSION* cached = ssl_session_cache_->LookupSession(ssl_host_name_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	347	if (cached) {
				348	if (SSL_set_session(ssl_, cached) == 0) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	349	RTC_LOG(LS_WARNING) << "Failed to apply SSL session from cache";
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	350	err = -1;
				351	goto ssl_error;
				352	}
				353
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	354	RTC_LOG(LS_INFO) << "Attempting to resume SSL session to "
				355	<< ssl_host_name_;
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	356	}
				357	}
Emad Omara	dab1d2d	2017-06-16 15:43:11 -0700	[diff] [blame]	358	}
				359
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	360	#ifdef OPENSSL_IS_BORINGSSL
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	361	// Potentially set a couple common TLS extensions; even though we don't use
				362	// them yet.
				363	if (ssl_config_.enable_ocsp_stapling) {
				364	SSL_enable_ocsp_stapling(ssl_);
				365	}
				366	if (ssl_config_.enable_signed_cert_timestamp) {
				367	SSL_enable_signed_cert_timestamps(ssl_);
				368	}
				369	SSL_CTX_set_grease_enabled(ssl_ctx_, ssl_config_.enable_grease);
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	370	#endif
Emad Omara	cb79d23	2017-07-20 16:34:34 -0700	[diff] [blame]	371
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	372	if (ssl_config_.max_ssl_version.has_value()) {
				373	SSL_set_max_proto_version(ssl_, ssl_config_.max_ssl_version.value());
				374	}
				375
				376	if (ssl_config_.enable_tls_channel_id) {
				377	SSL_enable_tls_channel_id(ssl_);
				378	}
				379
				380	if (ssl_config_.tls_alpn_protocols.has_value()) {
				381	std::string tls_alpn_string =
				382	TransformAlpnProtocols(ssl_config_.tls_alpn_protocols.value());
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	383	if (!tls_alpn_string.empty()) {
				384	SSL_set_alpn_protos(
				385	ssl_, reinterpret_cast<const unsigned char*>(tls_alpn_string.data()),
Mirko Bonadei	a041f92	2018-05-23 10:22:36 +0200	[diff] [blame]	386	rtc::dchecked_cast<unsigned>(tls_alpn_string.size()));
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	387	}
				388	}
				389
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	390	if (ssl_config_.tls_elliptic_curves.has_value()) {
				391	SSL_set1_curves_list(
				392	ssl_, rtc::join(ssl_config_.tls_elliptic_curves.value(), ':').c_str());
Diogo Real	7bd1f1b	2017-09-08 12:50:41 -0700	[diff] [blame]	393	}
				394
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	395	// Now that the initial config is done, transfer ownership of \|bio\| to the
				396	// SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup().
				397	SSL_set_bio(ssl_, bio, bio);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	398	bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	399
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	400	// Do the connect.
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	401	err = ContinueSSL();
				402	if (err != 0)
				403	goto ssl_error;
				404
				405	return err;
				406
				407	ssl_error:
				408	Cleanup();
				409	if (bio)
				410	BIO_free(bio);
				411
				412	return err;
				413	}
				414
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	415	int OpenSSLAdapter::ContinueSSL() {
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	416	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	417
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	418	// Clear the DTLS timer
				419	Thread::Current()->Clear(this, MSG_TIMEOUT);
				420
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	421	int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	422	switch (SSL_get_error(ssl_, code)) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	423	case SSL_ERROR_NONE:
				424	if (!SSLPostConnectionCheck(ssl_, ssl_host_name_)) {
				425	RTC_LOG(LS_ERROR) << "TLS post connection check failed";
				426	// make sure we close the socket
				427	Cleanup();
				428	// The connect failed so return -1 to shut down the socket
				429	return -1;
				430	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	431
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	432	state_ = SSL_CONNECTED;
				433	AsyncSocketAdapter::OnConnectEvent(this);
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	434	#if 0 // TODO(benwright): worry about this
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	435	// Don't let ourselves go away during the callbacks
				436	PRefPtr<OpenSSLAdapter> lock(this);
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	437	RTC_LOG(LS_INFO) << " -- onStreamReadable";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	438	AsyncSocketAdapter::OnReadEvent(this);
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	439	RTC_LOG(LS_INFO) << " -- onStreamWriteable";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	440	AsyncSocketAdapter::OnWriteEvent(this);
				441	#endif
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	442	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	443
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	444	case SSL_ERROR_WANT_READ:
				445	RTC_LOG(LS_VERBOSE) << " -- error want read";
				446	struct timeval timeout;
				447	if (DTLSv1_get_timeout(ssl_, &timeout)) {
				448	int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	449
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	450	Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, MSG_TIMEOUT,
				451	0);
				452	}
				453	break;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	454
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	455	case SSL_ERROR_WANT_WRITE:
				456	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	457
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	458	case SSL_ERROR_ZERO_RETURN:
				459	default:
				460	RTC_LOG(LS_WARNING) << "ContinueSSL -- error " << code;
				461	return (code != 0) ? code : -1;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	462	}
				463
				464	return 0;
				465	}
				466
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	467	void OpenSSLAdapter::Error(const char* context, int err, bool signal) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	468	RTC_LOG(LS_WARNING) << "OpenSSLAdapter::Error(" << context << ", " << err
				469	<< ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	470	state_ = SSL_ERROR;
				471	SetError(err);
				472	if (signal)
				473	AsyncSocketAdapter::OnCloseEvent(this, err);
				474	}
				475
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	476	void OpenSSLAdapter::Cleanup() {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	477	RTC_LOG(LS_INFO) << "OpenSSLAdapter::Cleanup";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	478
				479	state_ = SSL_NONE;
				480	ssl_read_needs_write_ = false;
				481	ssl_write_needs_read_ = false;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	482	custom_cert_verifier_status_ = false;
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	483	pending_data_.Clear();
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	484
				485	if (ssl_) {
				486	SSL_free(ssl_);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	487	ssl_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	488	}
				489
				490	if (ssl_ctx_) {
				491	SSL_CTX_free(ssl_ctx_);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	492	ssl_ctx_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	493	}
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	494	identity_.reset();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	495
				496	// Clear the DTLS timer
				497	Thread::Current()->Clear(this, MSG_TIMEOUT);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	498	}
				499
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	500	int OpenSSLAdapter::DoSslWrite(const void* pv, size_t cb, int* error) {
				501	// If we have pending data (that was previously only partially written by
				502	// SSL_write), we shouldn't be attempting to write anything else.
				503	RTC_DCHECK(pending_data_.empty() \|\| pv == pending_data_.data());
				504	RTC_DCHECK(error != nullptr);
				505
				506	ssl_write_needs_read_ = false;
				507	int ret = SSL_write(ssl_, pv, checked_cast<int>(cb));
				508	*error = SSL_get_error(ssl_, ret);
				509	switch (*error) {
				510	case SSL_ERROR_NONE:
				511	// Success!
				512	return ret;
				513	case SSL_ERROR_WANT_READ:
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	514	RTC_LOG(LS_INFO) << " -- error want read";
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	515	ssl_write_needs_read_ = true;
				516	SetError(EWOULDBLOCK);
				517	break;
				518	case SSL_ERROR_WANT_WRITE:
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	519	RTC_LOG(LS_INFO) << " -- error want write";
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	520	SetError(EWOULDBLOCK);
				521	break;
				522	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	523	SetError(EWOULDBLOCK);
				524	// do we need to signal closure?
				525	break;
				526	case SSL_ERROR_SSL:
				527	LogSslError();
				528	Error("SSL_write", ret ? ret : -1, false);
				529	break;
				530	default:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	531	Error("SSL_write", ret ? ret : -1, false);
				532	break;
				533	}
				534
				535	return SOCKET_ERROR;
				536	}
				537
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	538	//
				539	// AsyncSocket Implementation
				540	//
				541
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	542	int OpenSSLAdapter::Send(const void* pv, size_t cb) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	543	switch (state_) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	544	case SSL_NONE:
				545	return AsyncSocketAdapter::Send(pv, cb);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	546
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	547	case SSL_WAIT:
				548	case SSL_CONNECTING:
				549	SetError(ENOTCONN);
				550	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	551
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	552	case SSL_CONNECTED:
				553	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	554
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	555	case SSL_ERROR:
				556	default:
				557	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	558	}
				559
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	560	int ret;
				561	int error;
				562
				563	if (!pending_data_.empty()) {
				564	ret = DoSslWrite(pending_data_.data(), pending_data_.size(), &error);
				565	if (ret != static_cast<int>(pending_data_.size())) {
				566	// We couldn't finish sending the pending data, so we definitely can't
				567	// send any more data. Return with an EWOULDBLOCK error.
				568	SetError(EWOULDBLOCK);
				569	return SOCKET_ERROR;
				570	}
				571	// We completed sending the data previously passed into SSL_write! Now
				572	// we're allowed to send more data.
				573	pending_data_.Clear();
				574	}
				575
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	576	// OpenSSL will return an error if we try to write zero bytes
				577	if (cb == 0)
				578	return 0;
				579
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	580	ret = DoSslWrite(pv, cb, &error);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	581
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	582	// If SSL_write fails with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, this
				583	// means the underlying socket is blocked on reading or (more typically)
				584	// writing. When this happens, OpenSSL requires that the next call to
				585	// SSL_write uses the same arguments (though, with
				586	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, the actual buffer pointer may be
				587	// different).
				588	//
				589	// However, after Send exits, we will have lost access to data the user of
				590	// this class is trying to send, and there's no guarantee that the user of
				591	// this class will call Send with the same arguements when it fails. So, we
				592	// buffer the data ourselves. When we know the underlying socket is writable
				593	// again from OnWriteEvent (or if Send is called again before that happens),
				594	// we'll retry sending this buffered data.
deadbeef	e5dce2b	2017-06-02 11:52:06 -0700	[diff] [blame]	595	if (error == SSL_ERROR_WANT_READ \|\| error == SSL_ERROR_WANT_WRITE) {
				596	// Shouldn't be able to get to this point if we already have pending data.
				597	RTC_DCHECK(pending_data_.empty());
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	598	RTC_LOG(LS_WARNING)
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	599	<< "SSL_write couldn't write to the underlying socket; buffering data.";
				600	pending_data_.SetData(static_cast<const uint8_t*>(pv), cb);
				601	// Since we're taking responsibility for sending this data, return its full
				602	// size. The user of this class can consider it sent.
Mirko Bonadei	a041f92	2018-05-23 10:22:36 +0200	[diff] [blame]	603	return rtc::dchecked_cast<int>(cb);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	604	}
				605
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	606	return ret;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	607	}
				608
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	609	int OpenSSLAdapter::SendTo(const void* pv,
				610	size_t cb,
				611	const SocketAddress& addr) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	612	if (socket_->GetState() == Socket::CS_CONNECTED &&
				613	addr == socket_->GetRemoteAddress()) {
				614	return Send(pv, cb);
				615	}
				616
				617	SetError(ENOTCONN);
				618
				619	return SOCKET_ERROR;
				620	}
				621
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	622	int OpenSSLAdapter::Recv(void* pv, size_t cb, int64_t* timestamp) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	623	switch (state_) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	624	case SSL_NONE:
				625	return AsyncSocketAdapter::Recv(pv, cb, timestamp);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	626
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	627	case SSL_WAIT:
				628	case SSL_CONNECTING:
				629	SetError(ENOTCONN);
				630	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	631
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	632	case SSL_CONNECTED:
				633	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	634
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	635	case SSL_ERROR:
				636	default:
				637	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	638	}
				639
				640	// Don't trust OpenSSL with zero byte reads
				641	if (cb == 0)
				642	return 0;
				643
				644	ssl_read_needs_write_ = false;
				645
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09 +0000	[diff] [blame]	646	int code = SSL_read(ssl_, pv, checked_cast<int>(cb));
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	647	int error = SSL_get_error(ssl_, code);
				648	switch (error) {
				649	case SSL_ERROR_NONE:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	650	return code;
				651	case SSL_ERROR_WANT_READ:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	652	SetError(EWOULDBLOCK);
				653	break;
				654	case SSL_ERROR_WANT_WRITE:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	655	ssl_read_needs_write_ = true;
				656	SetError(EWOULDBLOCK);
				657	break;
				658	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	659	SetError(EWOULDBLOCK);
				660	// do we need to signal closure?
				661	break;
				662	case SSL_ERROR_SSL:
				663	LogSslError();
				664	Error("SSL_read", (code ? code : -1), false);
				665	break;
				666	default:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	667	Error("SSL_read", (code ? code : -1), false);
				668	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	669	}
				670
				671	return SOCKET_ERROR;
				672	}
				673
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	674	int OpenSSLAdapter::RecvFrom(void* pv,
				675	size_t cb,
				676	SocketAddress* paddr,
				677	int64_t* timestamp) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	678	if (socket_->GetState() == Socket::CS_CONNECTED) {
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	679	int ret = Recv(pv, cb, timestamp);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	680
				681	*paddr = GetRemoteAddress();
				682
				683	return ret;
				684	}
				685
				686	SetError(ENOTCONN);
				687
				688	return SOCKET_ERROR;
				689	}
				690
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	691	int OpenSSLAdapter::Close() {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	692	Cleanup();
				693	state_ = restartable_ ? SSL_WAIT : SSL_NONE;
				694	return AsyncSocketAdapter::Close();
				695	}
				696
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	697	Socket::ConnState OpenSSLAdapter::GetState() const {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	698	// if (signal_close_)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	699	// return CS_CONNECTED;
				700	ConnState state = socket_->GetState();
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	701	if ((state == CS_CONNECTED) &&
				702	((state_ == SSL_WAIT) \|\| (state_ == SSL_CONNECTING)))
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	703	state = CS_CONNECTING;
				704	return state;
				705	}
				706
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	707	bool OpenSSLAdapter::IsResumedSession() {
				708	return (ssl_ && SSL_session_reused(ssl_) == 1);
				709	}
				710
				711	void OpenSSLAdapter::OnMessage(Message* msg) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	712	if (MSG_TIMEOUT == msg->message_id) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	713	RTC_LOG(LS_INFO) << "DTLS timeout expired";
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	714	DTLSv1_handle_timeout(ssl_);
				715	ContinueSSL();
				716	}
				717	}
				718
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	719	void OpenSSLAdapter::OnConnectEvent(AsyncSocket* socket) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	720	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnConnectEvent";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	721	if (state_ != SSL_WAIT) {
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	722	RTC_DCHECK(state_ == SSL_NONE);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	723	AsyncSocketAdapter::OnConnectEvent(socket);
				724	return;
				725	}
				726
				727	state_ = SSL_CONNECTING;
				728	if (int err = BeginSSL()) {
				729	AsyncSocketAdapter::OnCloseEvent(socket, err);
				730	}
				731	}
				732
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	733	void OpenSSLAdapter::OnReadEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	734	if (state_ == SSL_NONE) {
				735	AsyncSocketAdapter::OnReadEvent(socket);
				736	return;
				737	}
				738
				739	if (state_ == SSL_CONNECTING) {
				740	if (int err = ContinueSSL()) {
				741	Error("ContinueSSL", err);
				742	}
				743	return;
				744	}
				745
				746	if (state_ != SSL_CONNECTED)
				747	return;
				748
				749	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	750	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	751	if (ssl_write_needs_read_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	752	AsyncSocketAdapter::OnWriteEvent(socket);
				753	}
				754
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	755	AsyncSocketAdapter::OnReadEvent(socket);
				756	}
				757
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	758	void OpenSSLAdapter::OnWriteEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	759	if (state_ == SSL_NONE) {
				760	AsyncSocketAdapter::OnWriteEvent(socket);
				761	return;
				762	}
				763
				764	if (state_ == SSL_CONNECTING) {
				765	if (int err = ContinueSSL()) {
				766	Error("ContinueSSL", err);
				767	}
				768	return;
				769	}
				770
				771	if (state_ != SSL_CONNECTED)
				772	return;
				773
				774	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	775	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	776
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	777	if (ssl_read_needs_write_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	778	AsyncSocketAdapter::OnReadEvent(socket);
				779	}
				780
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	781	// If a previous SSL_write failed due to the underlying socket being blocked,
				782	// this will attempt finishing the write operation.
				783	if (!pending_data_.empty()) {
				784	int error;
				785	if (DoSslWrite(pending_data_.data(), pending_data_.size(), &error) ==
				786	static_cast<int>(pending_data_.size())) {
				787	pending_data_.Clear();
				788	}
				789	}
				790
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	791	AsyncSocketAdapter::OnWriteEvent(socket);
				792	}
				793
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	794	void OpenSSLAdapter::OnCloseEvent(AsyncSocket* socket, int err) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	795	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	796	AsyncSocketAdapter::OnCloseEvent(socket, err);
				797	}
				798
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	799	bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const std::string& host) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	800	bool is_valid_cert_name =
				801	openssl::VerifyPeerCertMatchesHost(ssl, host) &&
				802	(SSL_get_verify_result(ssl) == X509_V_OK \|\| custom_cert_verifier_status_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	803
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	804	if (!is_valid_cert_name && ShouldIgnoreBadCert()) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	805	RTC_DLOG(LS_WARNING) << "Other TLS post connection checks failed. "
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	806	"TLS cert policy set to ignore bad certs. "
				807	"Overriding name verification failure!";
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	808	is_valid_cert_name = true;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	809	}
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	810	return is_valid_cert_name;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	811	}
				812
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	813	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	814
				815	// We only use this for tracing and so it is only needed in debug mode
				816
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	817	void OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int ret) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	818	const char* str = "undefined";
				819	int w = where & ~SSL_ST_MASK;
				820	if (w & SSL_ST_CONNECT) {
				821	str = "SSL_connect";
				822	} else if (w & SSL_ST_ACCEPT) {
				823	str = "SSL_accept";
				824	}
				825	if (where & SSL_CB_LOOP) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	826	RTC_DLOG(LS_INFO) << str << ":" << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	827	} else if (where & SSL_CB_ALERT) {
				828	str = (where & SSL_CB_READ) ? "read" : "write";
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	829	RTC_DLOG(LS_INFO) << "SSL3 alert " << str << ":"
				830	<< SSL_alert_type_string_long(ret) << ":"
				831	<< SSL_alert_desc_string_long(ret);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	832	} else if (where & SSL_CB_EXIT) {
				833	if (ret == 0) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	834	RTC_DLOG(LS_INFO) << str << ":failed in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	835	} else if (ret < 0) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	836	RTC_DLOG(LS_INFO) << str << ":error in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	837	}
				838	}
				839	}
				840
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	841	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	842
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	843	int OpenSSLAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	844	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	845	if (!ok) {
				846	char data[256];
				847	X509* cert = X509_STORE_CTX_get_current_cert(store);
				848	int depth = X509_STORE_CTX_get_error_depth(store);
				849	int err = X509_STORE_CTX_get_error(store);
				850
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	851	RTC_DLOG(LS_INFO) << "Error with certificate at depth: " << depth;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	852	X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	853	RTC_DLOG(LS_INFO) << " issuer = " << data;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	854	X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	855	RTC_DLOG(LS_INFO) << " subject = " << data;
				856	RTC_DLOG(LS_INFO) << " err = " << err << ":"
				857	<< X509_verify_cert_error_string(err);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	858	}
				859	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	860	// Get our stream pointer from the store
				861	SSL* ssl = reinterpret_cast<SSL*>(
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	862	X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	863
				864	OpenSSLAdapter* stream =
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	865	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	866
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	867	if (!ok && stream->ssl_cert_verifier_ != nullptr) {
				868	RTC_LOG(LS_INFO) << "Invoking SSL Verify Callback.";
				869	const OpenSSLCertificate cert(X509_STORE_CTX_get_current_cert(store));
				870	if (stream->ssl_cert_verifier_->Verify(cert)) {
				871	stream->custom_cert_verifier_status_ = true;
				872	RTC_LOG(LS_INFO) << "Validated certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	873	ok = true;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	874	} else {
				875	RTC_LOG(LS_INFO) << "Failed to verify certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	876	}
				877	}
				878
				879	// Should only be used for debugging and development.
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	880	if (!ok && stream->ShouldIgnoreBadCert()) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	881	RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	882	ok = 1;
				883	}
				884
				885	return ok;
				886	}
				887
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	888	int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) {
				889	OpenSSLAdapter* stream =
				890	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	891	RTC_DCHECK(stream->ssl_session_cache_);
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	892	RTC_LOG(LS_INFO) << "Caching SSL session for " << stream->ssl_host_name_;
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	893	stream->ssl_session_cache_->AddSession(stream->ssl_host_name_, session);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	894	return 1; // We've taken ownership of the session; OpenSSL shouldn't free it.
				895	}
				896
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	897	SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	898	// Use (D)TLS 1.2.
				899	// Note: BoringSSL supports a range of versions by setting max/min version
				900	// (Default V1.0 to V1.2). However (D)TLSv1_2_client_method functions used
				901	// below in OpenSSL only support V1.2.
				902	SSL_CTX* ctx = nullptr;
				903	#ifdef OPENSSL_IS_BORINGSSL
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	904	ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	905	#else
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	906	ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLSv1_2_client_method()
				907	: TLSv1_2_client_method());
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	908	#endif // OPENSSL_IS_BORINGSSL
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	909	if (ctx == nullptr) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	910	unsigned long error = ERR_get_error(); // NOLINT: type used by OpenSSL.
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	911	RTC_LOG(LS_WARNING) << "SSL_CTX creation failed: " << '"'
				912	<< ERR_reason_error_string(error) << "\" "
				913	<< "(error=" << error << ')';
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	914	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	915	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	916
Mirko Bonadei	b889a20	2018-08-15 11:41:27 +0200	[diff] [blame]	917	#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	918	if (!openssl::LoadBuiltinSSLRootCertificates(ctx)) {
				919	RTC_LOG(LS_ERROR) << "SSL_CTX creation failed: Failed to load any trusted "
				920	"ssl root certificates.";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	921	SSL_CTX_free(ctx);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	922	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	923	}
Mirko Bonadei	b889a20	2018-08-15 11:41:27 +0200	[diff] [blame]	924	#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	925
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	926	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	927	SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
				928	#endif
				929
				930	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
				931	SSL_CTX_set_verify_depth(ctx, 4);
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	932	// Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
				933	// (note that SHA256 and SHA384 only select legacy CBC ciphers).
				934	// Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
				935	// CBC-mode ECDSA ciphers.
				936	SSL_CTX_set_cipher_list(
				937	ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5");
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	938
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	939	if (mode == SSL_MODE_DTLS) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	940	SSL_CTX_set_read_ahead(ctx, 1);
				941	}
				942
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	943	if (enable_cache) {
				944	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
				945	SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback);
				946	}
				947
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	948	return ctx;
				949	}
				950
Diogo Real	4f08543	2018-09-11 16:00:22 -0700	[diff] [blame]	951	bool OpenSSLAdapter::ShouldIgnoreBadCert() {
				952	return ssl_config_.tls_cert_policy ==
				953	TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
				954	}
				955
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	956	std::string TransformAlpnProtocols(
				957	const std::vector<std::string>& alpn_protocols) {
				958	// Transforms the alpn_protocols list to the format expected by
				959	// Open/BoringSSL. This requires joining the protocols into a single string
				960	// and prepending a character with the size of the protocol string before
				961	// each protocol.
				962	std::string transformed_alpn;
				963	for (const std::string& proto : alpn_protocols) {
				964	if (proto.size() == 0 \|\| proto.size() > 0xFF) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	965	RTC_LOG(LS_ERROR) << "OpenSSLAdapter::Error("
				966	<< "TransformAlpnProtocols received proto with size "
				967	<< proto.size() << ")";
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	968	return "";
				969	}
				970	transformed_alpn += static_cast<char>(proto.size());
				971	transformed_alpn += proto;
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	972	RTC_LOG(LS_VERBOSE) << "TransformAlpnProtocols: Adding proto: " << proto;
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	973	}
				974	return transformed_alpn;
				975	}
				976
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	977	//////////////////////////////////////////////////////////////////////
				978	// OpenSSLAdapterFactory
				979	//////////////////////////////////////////////////////////////////////
				980
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	981	OpenSSLAdapterFactory::OpenSSLAdapterFactory() = default;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	982
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	983	OpenSSLAdapterFactory::~OpenSSLAdapterFactory() = default;
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	984
				985	void OpenSSLAdapterFactory::SetMode(SSLMode mode) {
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	986	RTC_DCHECK(!ssl_session_cache_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	987	ssl_mode_ = mode;
				988	}
				989
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	990	void OpenSSLAdapterFactory::SetCertVerifier(
				991	SSLCertificateVerifier* ssl_cert_verifier) {
				992	RTC_DCHECK(!ssl_session_cache_);
				993	ssl_cert_verifier_ = ssl_cert_verifier;
				994	}
				995
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	996	OpenSSLAdapter* OpenSSLAdapterFactory::CreateAdapter(AsyncSocket* socket) {
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	997	if (ssl_session_cache_ == nullptr) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	998	SSL_CTX* ssl_ctx = OpenSSLAdapter::CreateContext(ssl_mode_, true);
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	999	if (ssl_ctx == nullptr) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	1000	return nullptr;
				1001	}
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	1002	// The OpenSSLSessionCache will upref the ssl_ctx.
Karl Wiberg	918f50c	2018-07-05 11:40:33 +0200	[diff] [blame]	1003	ssl_session_cache_ =
				1004	absl::make_unique<OpenSSLSessionCache>(ssl_mode_, ssl_ctx);
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	1005	SSL_CTX_free(ssl_ctx);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	1006	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	1007	return new OpenSSLAdapter(socket, ssl_session_cache_.get(),
				1008	ssl_cert_verifier_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	1009	}
				1010
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	1011	} // namespace rtc