Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / ac9a28827402346702fc97442ffaf3e4e3618fe4 / . / rtc_base / ssl_adapter.h
blob: 8f98141651bd069cbbb515f97ee0f3955dec1c66 [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]1/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
Steve Anton10542f22019-01-11 09:11:00 -0800[diff] [blame]11#ifndef RTC_BASE_SSL_ADAPTER_H_
12#define RTC_BASE_SSL_ADAPTER_H_
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]13
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]14#include <string>
15#include <vector>
16
Steve Anton10542f22019-01-11 09:11:00 -0800[diff] [blame]17#include "rtc_base/async_socket.h"
18#include "rtc_base/ssl_certificate.h"
19#include "rtc_base/ssl_identity.h"
20#include "rtc_base/ssl_stream_adapter.h"
Mirko Bonadei35214fc2019-09-23 14:54:28 +0200[diff] [blame]21#include "rtc_base/system/rtc_export.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]22
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]23namespace rtc {
24
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]25class SSLAdapter;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]26
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]27// Class for creating SSL adapters with shared state, e.g., a session cache,
28// which allows clients to resume SSL sessions to previously-contacted hosts.
29// Clients should create the factory using Create(), set up the factory as
30// needed using SetMode, and then call CreateAdapter to create adapters when
31// needed.
32class SSLAdapterFactory {
33 public:
34 virtual ~SSLAdapterFactory() {}
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]35
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]36 // Specifies whether TLS or DTLS is to be used for the SSL adapters.
37 virtual void SetMode(SSLMode mode) = 0;
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]38
39 // Specify a custom certificate verifier for SSL.
40 virtual void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) = 0;
41
Niels Möllerac9a2882021-10-20 15:25:09 +0200[diff] [blame^]42 // Set the certificate this socket will present to incoming clients.
43 // Takes ownership of `identity`.
44 virtual void SetIdentity(std::unique_ptr<SSLIdentity> identity) = 0;
45
46 // Choose whether the socket acts as a server socket or client socket.
47 virtual void SetRole(SSLRole role) = 0;
48
49 // Methods that control server certificate verification, used in unit tests.
50 // Do not call these methods in production code.
51 virtual void SetIgnoreBadCert(bool ignore) = 0;
52
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]53 // Creates a new SSL adapter, but from a shared context.
Niels Möllerd0b88792021-08-12 10:32:30 +0200[diff] [blame]54 virtual SSLAdapter* CreateAdapter(Socket* socket) = 0;
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]55
Niels Möllerac9a2882021-10-20 15:25:09 +0200[diff] [blame^]56 static std::unique_ptr<SSLAdapterFactory> Create();
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]57};
58
59// Class that abstracts a client-to-server SSL session. It can be created
60// standalone, via SSLAdapter::Create, or through a factory as described above,
61// in which case it will share state with other SSLAdapters created from the
62// same factory.
63// After creation, call StartSSL to initiate the SSL handshake to the server.
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]64class SSLAdapter : public AsyncSocketAdapter {
65 public:
Niels Möllerd0b88792021-08-12 10:32:30 +0200[diff] [blame]66 explicit SSLAdapter(Socket* socket) : AsyncSocketAdapter(socket) {}
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]67
Sergey Silkin9c147dd2018-09-12 10:45:38 +0000[diff] [blame]68 // Methods that control server certificate verification, used in unit tests.
69 // Do not call these methods in production code.
70 // TODO(juberti): Remove the opportunistic encryption mechanism in
71 // BasicPacketSocketFactory that uses this function.
72 virtual void SetIgnoreBadCert(bool ignore) = 0;
73
74 virtual void SetAlpnProtocols(const std::vector<std::string>& protos) = 0;
75 virtual void SetEllipticCurves(const std::vector<std::string>& curves) = 0;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]76
77 // Do DTLS or TLS (default is TLS, if unspecified)
78 virtual void SetMode(SSLMode mode) = 0;
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]79 // Specify a custom certificate verifier for SSL.
80 virtual void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) = 0;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]81
Steve Anton786de702017-08-17 15:15:46 -0700[diff] [blame]82 // Set the certificate this socket will present to incoming clients.
Artem Titov96e3b992021-07-26 16:03:14 +0200[diff] [blame]83 // Takes ownership of `identity`.
Harald Alvestrand8515d5a2020-03-20 22:51:32 +0100[diff] [blame]84 virtual void SetIdentity(std::unique_ptr<SSLIdentity> identity) = 0;
Steve Anton786de702017-08-17 15:15:46 -0700[diff] [blame]85
86 // Choose whether the socket acts as a server socket or client socket.
87 virtual void SetRole(SSLRole role) = 0;
88
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]89 // StartSSL returns 0 if successful.
90 // If StartSSL is called while the socket is closed or connecting, the SSL
91 // negotiation will begin as soon as the socket connects.
Mirko Bonadei2d2c2942020-04-11 00:01:43 +0200[diff] [blame]92 virtual int StartSSL(const char* hostname) = 0;
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]93
94 // When an SSLAdapterFactory is used, an SSLAdapter may be used to resume
95 // a previous SSL session, which results in an abbreviated handshake.
96 // This method, if called after SSL has been established for this adapter,
97 // indicates whether the current session is a resumption of a previous
98 // session.
99 virtual bool IsResumedSession() = 0;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]100
101 // Create the default SSL adapter for this platform. On failure, returns null
Artem Titov96e3b992021-07-26 16:03:14 +0200[diff] [blame]102 // and deletes `socket`. Otherwise, the returned SSLAdapter takes ownership
103 // of `socket`.
Niels Möllerd0b88792021-08-12 10:32:30 +0200[diff] [blame]104 static SSLAdapter* Create(Socket* socket);
Niels Möllerac9a2882021-10-20 15:25:09 +0200[diff] [blame^]105
106 private:
107 // Not supported.
108 int Listen(int backlog) override { RTC_CHECK(false); }
109 Socket* Accept(SocketAddress* paddr) override { RTC_CHECK(false); }
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]110};
111
112///////////////////////////////////////////////////////////////////////////////
113
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]114// Call this on the main thread, before using SSL.
Jiawei Oueb0df082018-02-02 14:51:18 -0800[diff] [blame]115// Call CleanupSSL when finished with SSL.
Mirko Bonadei35214fc2019-09-23 14:54:28 +0200[diff] [blame]116RTC_EXPORT bool InitializeSSL();
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]117
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]118// Call to cleanup additional threads, and also the main thread.
Mirko Bonadei35214fc2019-09-23 14:54:28 +0200[diff] [blame]119RTC_EXPORT bool CleanupSSL();
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]120
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]121} // namespace rtc
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]122
Steve Anton10542f22019-01-11 09:11:00 -0800[diff] [blame]123#endif // RTC_BASE_SSL_ADAPTER_H_