Blame - rtc_base/openssl_adapter.cc - webrtc.googlesource.com/src

blob: 2c931184c219c417d539acb7a2fc9586169880b7 [file] [log] [blame]

henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	1	/*
				2	* Copyright 2008 The WebRTC Project Authors. All rights reserved.
				3	*
				4	* Use of this source code is governed by a BSD-style license
				5	* that can be found in the LICENSE file in the root of the source
				6	* tree. An additional intellectual property rights grant can be found
				7	* in the file PATENTS. All contributing project authors may
				8	* be found in the AUTHORS file in the root of the source tree.
				9	*/
				10
Steve Anton	10542f2	2019-01-11 09:11:00 -0800	[diff] [blame]	11	#include "rtc_base/openssl_adapter.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	12
Yves Gerey	988cc08	2018-10-23 12:03:01 +0200	[diff] [blame]	13	#include <errno.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	14	#include <openssl/bio.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	15	#include <openssl/err.h>
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	16	#include <openssl/rand.h>
henrike@webrtc.org	d5a0506	2014-06-30 20:38:56 +0000	[diff] [blame]	17	#include <openssl/x509.h>
Yves Gerey	988cc08	2018-10-23 12:03:01 +0200	[diff] [blame]	18	#include <string.h>
				19	#include <time.h>
				20
				21	#include "absl/memory/memory.h"
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	22	#include "rtc_base/checks.h"
Yves Gerey	988cc08	2018-10-23 12:03:01 +0200	[diff] [blame]	23	#include "rtc_base/location.h"
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	24	#include "rtc_base/logging.h"
Karl Wiberg	e40468b	2017-11-22 10:42:26 +0100	[diff] [blame]	25	#include "rtc_base/numerics/safe_conversions.h"
Jonas Olsson	a4d8737	2019-07-05 19:08:33 +0200	[diff] [blame]	26	#include "rtc_base/openssl.h"
Steve Anton	10542f2	2019-01-11 09:11:00 -0800	[diff] [blame]	27	#include "rtc_base/openssl_certificate.h"
				28	#include "rtc_base/openssl_utility.h"
				29	#include "rtc_base/string_encode.h"
Mirko Bonadei	92ea95e	2017-09-15 06:47:31 +0200	[diff] [blame]	30	#include "rtc_base/thread.h"
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	31
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	32	//////////////////////////////////////////////////////////////////////
				33	// SocketBIO
				34	//////////////////////////////////////////////////////////////////////
				35
				36	static int socket_write(BIO* h, const char* buf, int num);
				37	static int socket_read(BIO* h, char* buf, int size);
				38	static int socket_puts(BIO* h, const char* str);
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	39	static long socket_ctrl(BIO* h, int cmd, long arg1, void* arg2); // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	40	static int socket_new(BIO* h);
				41	static int socket_free(BIO* data);
				42
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	43	static BIO_METHOD* BIO_socket_method() {
				44	static BIO_METHOD* methods = [] {
				45	BIO_METHOD* methods = BIO_meth_new(BIO_TYPE_BIO, "socket");
				46	BIO_meth_set_write(methods, socket_write);
				47	BIO_meth_set_read(methods, socket_read);
				48	BIO_meth_set_puts(methods, socket_puts);
				49	BIO_meth_set_ctrl(methods, socket_ctrl);
				50	BIO_meth_set_create(methods, socket_new);
				51	BIO_meth_set_destroy(methods, socket_free);
				52	return methods;
				53	}();
				54	return methods;
				55	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	56
henrike@webrtc.org	c50bf7c	2014-05-14 18:24:13 +0000	[diff] [blame]	57	static BIO* BIO_new_socket(rtc::AsyncSocket* socket) {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	58	BIO* ret = BIO_new(BIO_socket_method());
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	59	if (ret == nullptr) {
				60	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	61	}
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	62	BIO_set_data(ret, socket);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	63	return ret;
				64	}
				65
				66	static int socket_new(BIO* b) {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	67	BIO_set_shutdown(b, 0);
				68	BIO_set_init(b, 1);
				69	BIO_set_data(b, 0);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	70	return 1;
				71	}
				72
				73	static int socket_free(BIO* b) {
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	74	if (b == nullptr)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	75	return 0;
				76	return 1;
				77	}
				78
				79	static int socket_read(BIO* b, char* out, int outl) {
				80	if (!out)
				81	return -1;
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	82	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	83	BIO_clear_retry_flags(b);
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	84	int result = socket->Recv(out, outl, nullptr);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	85	if (result > 0) {
				86	return result;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	87	} else if (socket->IsBlocking()) {
				88	BIO_set_retry_read(b);
				89	}
				90	return -1;
				91	}
				92
				93	static int socket_write(BIO* b, const char* in, int inl) {
				94	if (!in)
				95	return -1;
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	96	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(BIO_get_data(b));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	97	BIO_clear_retry_flags(b);
				98	int result = socket->Send(in, inl);
				99	if (result > 0) {
				100	return result;
				101	} else if (socket->IsBlocking()) {
				102	BIO_set_retry_write(b);
				103	}
				104	return -1;
				105	}
				106
				107	static int socket_puts(BIO* b, const char* str) {
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09 +0000	[diff] [blame]	108	return socket_write(b, str, rtc::checked_cast<int>(strlen(str)));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	109	}
				110
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	111	static long socket_ctrl(BIO* b, int cmd, long num, void* ptr) { // NOLINT
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	112	switch (cmd) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	113	case BIO_CTRL_RESET:
				114	return 0;
				115	case BIO_CTRL_EOF: {
				116	rtc::AsyncSocket* socket = static_cast<rtc::AsyncSocket*>(ptr);
				117	// 1 means socket closed.
				118	return (socket->GetState() == rtc::AsyncSocket::CS_CLOSED) ? 1 : 0;
				119	}
				120	case BIO_CTRL_WPENDING:
				121	case BIO_CTRL_PENDING:
				122	return 0;
				123	case BIO_CTRL_FLUSH:
				124	return 1;
				125	default:
				126	return 0;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	127	}
				128	}
				129
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	130	static void LogSslError() {
				131	// Walk down the error stack to find the SSL error.
				132	uint32_t error_code;
				133	const char* file;
				134	int line;
				135	do {
				136	error_code = ERR_get_error_line(&file, &line);
				137	if (ERR_GET_LIB(error_code) == ERR_LIB_SSL) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	138	RTC_LOG(LS_ERROR) << "ERR_LIB_SSL: " << error_code << ", " << file << ":"
				139	<< line;
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	140	break;
				141	}
				142	} while (error_code != 0);
				143	}
				144
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	145	/////////////////////////////////////////////////////////////////////////////
				146	// OpenSSLAdapter
				147	/////////////////////////////////////////////////////////////////////////////
				148
				149	namespace rtc {
				150
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	151	bool OpenSSLAdapter::InitializeSSL() {
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	152	if (!SSL_library_init())
				153	return false;
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	154	#if !defined(ADDRESS_SANITIZER) \|\| !defined(WEBRTC_MAC) \|\| defined(WEBRTC_IOS)
				155	// Loading the error strings crashes mac_asan. Omit this debugging aid there.
				156	SSL_load_error_strings();
				157	#endif
				158	ERR_load_BIO_strings();
				159	OpenSSL_add_all_algorithms();
				160	RAND_poll();
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	161	return true;
				162	}
				163
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	164	bool OpenSSLAdapter::CleanupSSL() {
Torbjorn Granlund	9adc91d	2016-03-24 14:05:06 +0100	[diff] [blame]	165	return true;
				166	}
				167
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	168	OpenSSLAdapter::OpenSSLAdapter(AsyncSocket* socket,
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	169	OpenSSLSessionCache* ssl_session_cache,
				170	SSLCertificateVerifier* ssl_cert_verifier)
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	171	: SSLAdapter(socket),
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	172	ssl_session_cache_(ssl_session_cache),
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	173	ssl_cert_verifier_(ssl_cert_verifier),
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	174	state_(SSL_NONE),
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	175	role_(SSL_CLIENT),
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	176	ssl_read_needs_write_(false),
				177	ssl_write_needs_read_(false),
				178	restartable_(false),
				179	ssl_(nullptr),
				180	ssl_ctx_(nullptr),
				181	ssl_mode_(SSL_MODE_TLS),
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	182	ignore_bad_cert_(false),
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	183	custom_cert_verifier_status_(false) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	184	// If a factory is used, take a reference on the factory's SSL_CTX.
				185	// Otherwise, we'll create our own later.
				186	// Either way, we'll release our reference via SSL_CTX_free() in Cleanup().
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	187	if (ssl_session_cache_ != nullptr) {
				188	ssl_ctx_ = ssl_session_cache_->GetSSLContext();
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	189	RTC_DCHECK(ssl_ctx_);
				190	// Note: if using OpenSSL, requires version 1.1.0 or later.
				191	SSL_CTX_up_ref(ssl_ctx_);
				192	}
				193	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	194
				195	OpenSSLAdapter::~OpenSSLAdapter() {
				196	Cleanup();
				197	}
				198
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	199	void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) {
				200	ignore_bad_cert_ = ignore;
				201	}
				202
				203	void OpenSSLAdapter::SetAlpnProtocols(const std::vector<std::string>& protos) {
				204	alpn_protocols_ = protos;
				205	}
				206
				207	void OpenSSLAdapter::SetEllipticCurves(const std::vector<std::string>& curves) {
				208	elliptic_curves_ = curves;
Diogo Real	7bd1f1b	2017-09-08 12:50:41 -0700	[diff] [blame]	209	}
				210
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	211	void OpenSSLAdapter::SetMode(SSLMode mode) {
				212	RTC_DCHECK(!ssl_ctx_);
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	213	RTC_DCHECK(state_ == SSL_NONE);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	214	ssl_mode_ = mode;
				215	}
				216
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	217	void OpenSSLAdapter::SetCertVerifier(
				218	SSLCertificateVerifier* ssl_cert_verifier) {
				219	RTC_DCHECK(!ssl_ctx_);
				220	ssl_cert_verifier_ = ssl_cert_verifier;
				221	}
				222
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	223	void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) {
				224	RTC_DCHECK(!identity_);
				225	identity_.reset(static_cast<OpenSSLIdentity*>(identity));
				226	}
				227
				228	void OpenSSLAdapter::SetRole(SSLRole role) {
				229	role_ = role;
				230	}
				231
				232	AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) {
				233	RTC_DCHECK(role_ == SSL_SERVER);
				234	AsyncSocket* socket = SSLAdapter::Accept(paddr);
				235	if (!socket) {
				236	return nullptr;
				237	}
				238
				239	SSLAdapter* adapter = SSLAdapter::Create(socket);
				240	adapter->SetIdentity(identity_->GetReference());
				241	adapter->SetRole(rtc::SSL_SERVER);
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	242	adapter->SetIgnoreBadCert(ignore_bad_cert_);
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	243	adapter->StartSSL("", false);
				244	return adapter;
				245	}
				246
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	247	int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	248	if (state_ != SSL_NONE)
				249	return -1;
				250
				251	ssl_host_name_ = hostname;
				252	restartable_ = restartable;
				253
				254	if (socket_->GetState() != Socket::CS_CONNECTED) {
				255	state_ = SSL_WAIT;
				256	return 0;
				257	}
				258
				259	state_ = SSL_CONNECTING;
				260	if (int err = BeginSSL()) {
				261	Error("BeginSSL", err, false);
				262	return err;
				263	}
				264
				265	return 0;
				266	}
				267
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	268	int OpenSSLAdapter::BeginSSL() {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	269	RTC_LOG(LS_INFO) << "OpenSSLAdapter::BeginSSL: " << ssl_host_name_;
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	270	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	271
				272	int err = 0;
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	273	BIO* bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	274
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	275	// First set up the context. We should either have a factory, with its own
				276	// pre-existing context, or be running standalone, in which case we will
				277	// need to create one, and specify \|false\| to disable session caching.
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	278	if (ssl_session_cache_ == nullptr) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	279	RTC_DCHECK(!ssl_ctx_);
				280	ssl_ctx_ = CreateContext(ssl_mode_, false);
				281	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	282
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	283	if (!ssl_ctx_) {
				284	err = -1;
				285	goto ssl_error;
				286	}
				287
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	288	if (identity_ && !identity_->ConfigureIdentity(ssl_ctx_)) {
				289	SSL_CTX_free(ssl_ctx_);
				290	err = -1;
				291	goto ssl_error;
				292	}
				293
Peter Boström	0b518bf	2016-01-27 12:35:40 +0100	[diff] [blame]	294	bio = BIO_new_socket(socket_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	295	if (!bio) {
				296	err = -1;
				297	goto ssl_error;
				298	}
				299
				300	ssl_ = SSL_new(ssl_ctx_);
				301	if (!ssl_) {
				302	err = -1;
				303	goto ssl_error;
				304	}
				305
				306	SSL_set_app_data(ssl_, this);
				307
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	308	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER allows different buffers to be passed
				309	// into SSL_write when a record could only be partially transmitted (and thus
				310	// requires another call to SSL_write to finish transmission). This allows us
				311	// to copy the data into our own buffer when this occurs, since the original
				312	// buffer can't safely be accessed after control exits Send.
				313	// TODO(deadbeef): Do we want SSL_MODE_ENABLE_PARTIAL_WRITE? It doesn't
				314	// appear Send handles partial writes properly, though maybe we never notice
				315	// since we never send more than 16KB at once..
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	316	SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE \|
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	317	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	318
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	319	// Enable SNI, if a hostname is supplied.
Emad Omara	dab1d2d	2017-06-16 15:43:11 -0700	[diff] [blame]	320	if (!ssl_host_name_.empty()) {
				321	SSL_set_tlsext_host_name(ssl_, ssl_host_name_.c_str());
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	322
				323	// Enable session caching, if configured and a hostname is supplied.
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	324	if (ssl_session_cache_ != nullptr) {
				325	SSL_SESSION* cached = ssl_session_cache_->LookupSession(ssl_host_name_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	326	if (cached) {
				327	if (SSL_set_session(ssl_, cached) == 0) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	328	RTC_LOG(LS_WARNING) << "Failed to apply SSL session from cache";
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	329	err = -1;
				330	goto ssl_error;
				331	}
				332
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	333	RTC_LOG(LS_INFO) << "Attempting to resume SSL session to "
				334	<< ssl_host_name_;
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	335	}
				336	}
Emad Omara	dab1d2d	2017-06-16 15:43:11 -0700	[diff] [blame]	337	}
				338
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	339	#ifdef OPENSSL_IS_BORINGSSL
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	340	// Set a couple common TLS extensions; even though we don't use them yet.
				341	SSL_enable_ocsp_stapling(ssl_);
				342	SSL_enable_signed_cert_timestamps(ssl_);
Jiawei Ou	eb0df08	2018-02-02 14:51:18 -0800	[diff] [blame]	343	#endif
Emad Omara	cb79d23	2017-07-20 16:34:34 -0700	[diff] [blame]	344
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	345	if (!alpn_protocols_.empty()) {
				346	std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_);
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	347	if (!tls_alpn_string.empty()) {
				348	SSL_set_alpn_protos(
				349	ssl_, reinterpret_cast<const unsigned char*>(tls_alpn_string.data()),
Mirko Bonadei	a041f92	2018-05-23 10:22:36 +0200	[diff] [blame]	350	rtc::dchecked_cast<unsigned>(tls_alpn_string.size()));
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	351	}
				352	}
				353
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	354	if (!elliptic_curves_.empty()) {
				355	SSL_set1_curves_list(ssl_, rtc::join(elliptic_curves_, ':').c_str());
Diogo Real	7bd1f1b	2017-09-08 12:50:41 -0700	[diff] [blame]	356	}
				357
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	358	// Now that the initial config is done, transfer ownership of \|bio\| to the
				359	// SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup().
				360	SSL_set_bio(ssl_, bio, bio);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	361	bio = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	362
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	363	// Do the connect.
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	364	err = ContinueSSL();
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	365	if (err != 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	366	goto ssl_error;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	367	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	368
				369	return err;
				370
				371	ssl_error:
				372	Cleanup();
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	373	if (bio) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	374	BIO_free(bio);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	375	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	376
				377	return err;
				378	}
				379
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	380	int OpenSSLAdapter::ContinueSSL() {
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	381	RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	382
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	383	// Clear the DTLS timer
				384	Thread::Current()->Clear(this, MSG_TIMEOUT);
				385
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	386	int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	387	switch (SSL_get_error(ssl_, code)) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	388	case SSL_ERROR_NONE:
				389	if (!SSLPostConnectionCheck(ssl_, ssl_host_name_)) {
				390	RTC_LOG(LS_ERROR) << "TLS post connection check failed";
				391	// make sure we close the socket
				392	Cleanup();
				393	// The connect failed so return -1 to shut down the socket
				394	return -1;
				395	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	396
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	397	state_ = SSL_CONNECTED;
				398	AsyncSocketAdapter::OnConnectEvent(this);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	399	// TODO(benwright): Refactor this code path.
				400	// Don't let ourselves go away during the callbacks
				401	// PRefPtr<OpenSSLAdapter> lock(this);
				402	// RTC_LOG(LS_INFO) << " -- onStreamReadable";
				403	// AsyncSocketAdapter::OnReadEvent(this);
				404	// RTC_LOG(LS_INFO) << " -- onStreamWriteable";
				405	// AsyncSocketAdapter::OnWriteEvent(this);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	406	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	407
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	408	case SSL_ERROR_WANT_READ:
				409	RTC_LOG(LS_VERBOSE) << " -- error want read";
				410	struct timeval timeout;
				411	if (DTLSv1_get_timeout(ssl_, &timeout)) {
				412	int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	413
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	414	Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, MSG_TIMEOUT,
				415	0);
				416	}
				417	break;
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	418
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	419	case SSL_ERROR_WANT_WRITE:
				420	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	421
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	422	case SSL_ERROR_ZERO_RETURN:
				423	default:
				424	RTC_LOG(LS_WARNING) << "ContinueSSL -- error " << code;
				425	return (code != 0) ? code : -1;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	426	}
				427
				428	return 0;
				429	}
				430
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	431	void OpenSSLAdapter::Error(const char* context, int err, bool signal) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	432	RTC_LOG(LS_WARNING) << "OpenSSLAdapter::Error(" << context << ", " << err
				433	<< ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	434	state_ = SSL_ERROR;
				435	SetError(err);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	436	if (signal) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	437	AsyncSocketAdapter::OnCloseEvent(this, err);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	438	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	439	}
				440
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	441	void OpenSSLAdapter::Cleanup() {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	442	RTC_LOG(LS_INFO) << "OpenSSLAdapter::Cleanup";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	443
				444	state_ = SSL_NONE;
				445	ssl_read_needs_write_ = false;
				446	ssl_write_needs_read_ = false;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	447	custom_cert_verifier_status_ = false;
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	448	pending_data_.Clear();
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	449
				450	if (ssl_) {
				451	SSL_free(ssl_);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	452	ssl_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	453	}
				454
				455	if (ssl_ctx_) {
				456	SSL_CTX_free(ssl_ctx_);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	457	ssl_ctx_ = nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	458	}
Steve Anton	786de70	2017-08-17 15:15:46 -0700	[diff] [blame]	459	identity_.reset();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	460
				461	// Clear the DTLS timer
				462	Thread::Current()->Clear(this, MSG_TIMEOUT);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	463	}
				464
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	465	int OpenSSLAdapter::DoSslWrite(const void* pv, size_t cb, int* error) {
				466	// If we have pending data (that was previously only partially written by
				467	// SSL_write), we shouldn't be attempting to write anything else.
				468	RTC_DCHECK(pending_data_.empty() \|\| pv == pending_data_.data());
				469	RTC_DCHECK(error != nullptr);
				470
				471	ssl_write_needs_read_ = false;
				472	int ret = SSL_write(ssl_, pv, checked_cast<int>(cb));
				473	*error = SSL_get_error(ssl_, ret);
				474	switch (*error) {
				475	case SSL_ERROR_NONE:
				476	// Success!
				477	return ret;
				478	case SSL_ERROR_WANT_READ:
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	479	RTC_LOG(LS_INFO) << " -- error want read";
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	480	ssl_write_needs_read_ = true;
				481	SetError(EWOULDBLOCK);
				482	break;
				483	case SSL_ERROR_WANT_WRITE:
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	484	RTC_LOG(LS_INFO) << " -- error want write";
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	485	SetError(EWOULDBLOCK);
				486	break;
				487	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	488	SetError(EWOULDBLOCK);
				489	// do we need to signal closure?
				490	break;
				491	case SSL_ERROR_SSL:
				492	LogSslError();
				493	Error("SSL_write", ret ? ret : -1, false);
				494	break;
				495	default:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	496	Error("SSL_write", ret ? ret : -1, false);
				497	break;
				498	}
				499
				500	return SOCKET_ERROR;
				501	}
				502
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	503	///////////////////////////////////////////////////////////////////////////////
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	504	// AsyncSocket Implementation
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	505	///////////////////////////////////////////////////////////////////////////////
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	506
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	507	int OpenSSLAdapter::Send(const void* pv, size_t cb) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	508	switch (state_) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	509	case SSL_NONE:
				510	return AsyncSocketAdapter::Send(pv, cb);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	511	case SSL_WAIT:
				512	case SSL_CONNECTING:
				513	SetError(ENOTCONN);
				514	return SOCKET_ERROR;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	515	case SSL_CONNECTED:
				516	break;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	517	case SSL_ERROR:
				518	default:
				519	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	520	}
				521
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	522	int ret;
				523	int error;
				524
				525	if (!pending_data_.empty()) {
				526	ret = DoSslWrite(pending_data_.data(), pending_data_.size(), &error);
				527	if (ret != static_cast<int>(pending_data_.size())) {
				528	// We couldn't finish sending the pending data, so we definitely can't
				529	// send any more data. Return with an EWOULDBLOCK error.
				530	SetError(EWOULDBLOCK);
				531	return SOCKET_ERROR;
				532	}
				533	// We completed sending the data previously passed into SSL_write! Now
				534	// we're allowed to send more data.
				535	pending_data_.Clear();
				536	}
				537
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	538	// OpenSSL will return an error if we try to write zero bytes
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	539	if (cb == 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	540	return 0;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	541	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	542
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	543	ret = DoSslWrite(pv, cb, &error);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	544
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	545	// If SSL_write fails with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, this
				546	// means the underlying socket is blocked on reading or (more typically)
				547	// writing. When this happens, OpenSSL requires that the next call to
				548	// SSL_write uses the same arguments (though, with
				549	// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, the actual buffer pointer may be
				550	// different).
				551	//
				552	// However, after Send exits, we will have lost access to data the user of
				553	// this class is trying to send, and there's no guarantee that the user of
				554	// this class will call Send with the same arguements when it fails. So, we
				555	// buffer the data ourselves. When we know the underlying socket is writable
				556	// again from OnWriteEvent (or if Send is called again before that happens),
				557	// we'll retry sending this buffered data.
deadbeef	e5dce2b	2017-06-02 11:52:06 -0700	[diff] [blame]	558	if (error == SSL_ERROR_WANT_READ \|\| error == SSL_ERROR_WANT_WRITE) {
				559	// Shouldn't be able to get to this point if we already have pending data.
				560	RTC_DCHECK(pending_data_.empty());
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	561	RTC_LOG(LS_WARNING)
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	562	<< "SSL_write couldn't write to the underlying socket; buffering data.";
				563	pending_data_.SetData(static_cast<const uint8_t*>(pv), cb);
				564	// Since we're taking responsibility for sending this data, return its full
				565	// size. The user of this class can consider it sent.
Mirko Bonadei	a041f92	2018-05-23 10:22:36 +0200	[diff] [blame]	566	return rtc::dchecked_cast<int>(cb);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	567	}
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	568	return ret;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	569	}
				570
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	571	int OpenSSLAdapter::SendTo(const void* pv,
				572	size_t cb,
				573	const SocketAddress& addr) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	574	if (socket_->GetState() == Socket::CS_CONNECTED &&
				575	addr == socket_->GetRemoteAddress()) {
				576	return Send(pv, cb);
				577	}
				578
				579	SetError(ENOTCONN);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	580	return SOCKET_ERROR;
				581	}
				582
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	583	int OpenSSLAdapter::Recv(void* pv, size_t cb, int64_t* timestamp) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	584	switch (state_) {
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	585	case SSL_NONE:
				586	return AsyncSocketAdapter::Recv(pv, cb, timestamp);
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	587	case SSL_WAIT:
				588	case SSL_CONNECTING:
				589	SetError(ENOTCONN);
				590	return SOCKET_ERROR;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	591	case SSL_CONNECTED:
				592	break;
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	593	case SSL_ERROR:
				594	default:
				595	return SOCKET_ERROR;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	596	}
				597
				598	// Don't trust OpenSSL with zero byte reads
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	599	if (cb == 0) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	600	return 0;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	601	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	602
				603	ssl_read_needs_write_ = false;
henrike@webrtc.org	d89b69a	2014-11-06 17:23:09 +0000	[diff] [blame]	604	int code = SSL_read(ssl_, pv, checked_cast<int>(cb));
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	605	int error = SSL_get_error(ssl_, code);
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	606
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	607	switch (error) {
				608	case SSL_ERROR_NONE:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	609	return code;
				610	case SSL_ERROR_WANT_READ:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	611	SetError(EWOULDBLOCK);
				612	break;
				613	case SSL_ERROR_WANT_WRITE:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	614	ssl_read_needs_write_ = true;
				615	SetError(EWOULDBLOCK);
				616	break;
				617	case SSL_ERROR_ZERO_RETURN:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	618	SetError(EWOULDBLOCK);
				619	// do we need to signal closure?
				620	break;
				621	case SSL_ERROR_SSL:
				622	LogSslError();
				623	Error("SSL_read", (code ? code : -1), false);
				624	break;
				625	default:
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	626	Error("SSL_read", (code ? code : -1), false);
				627	break;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	628	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	629	return SOCKET_ERROR;
				630	}
				631
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	632	int OpenSSLAdapter::RecvFrom(void* pv,
				633	size_t cb,
				634	SocketAddress* paddr,
				635	int64_t* timestamp) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	636	if (socket_->GetState() == Socket::CS_CONNECTED) {
Stefan Holmer	9131efd	2016-05-23 18:19:26 +0200	[diff] [blame]	637	int ret = Recv(pv, cb, timestamp);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	638	*paddr = GetRemoteAddress();
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	639	return ret;
				640	}
				641
				642	SetError(ENOTCONN);
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	643	return SOCKET_ERROR;
				644	}
				645
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	646	int OpenSSLAdapter::Close() {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	647	Cleanup();
				648	state_ = restartable_ ? SSL_WAIT : SSL_NONE;
				649	return AsyncSocketAdapter::Close();
				650	}
				651
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	652	Socket::ConnState OpenSSLAdapter::GetState() const {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	653	ConnState state = socket_->GetState();
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	654	if ((state == CS_CONNECTED) &&
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	655	((state_ == SSL_WAIT) \|\| (state_ == SSL_CONNECTING))) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	656	state = CS_CONNECTING;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	657	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	658	return state;
				659	}
				660
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	661	bool OpenSSLAdapter::IsResumedSession() {
				662	return (ssl_ && SSL_session_reused(ssl_) == 1);
				663	}
				664
				665	void OpenSSLAdapter::OnMessage(Message* msg) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	666	if (MSG_TIMEOUT == msg->message_id) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	667	RTC_LOG(LS_INFO) << "DTLS timeout expired";
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	668	DTLSv1_handle_timeout(ssl_);
				669	ContinueSSL();
				670	}
				671	}
				672
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	673	void OpenSSLAdapter::OnConnectEvent(AsyncSocket* socket) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	674	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnConnectEvent";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	675	if (state_ != SSL_WAIT) {
nisse	ede5da4	2017-01-12 05:15:36 -0800	[diff] [blame]	676	RTC_DCHECK(state_ == SSL_NONE);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	677	AsyncSocketAdapter::OnConnectEvent(socket);
				678	return;
				679	}
				680
				681	state_ = SSL_CONNECTING;
				682	if (int err = BeginSSL()) {
				683	AsyncSocketAdapter::OnCloseEvent(socket, err);
				684	}
				685	}
				686
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	687	void OpenSSLAdapter::OnReadEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	688	if (state_ == SSL_NONE) {
				689	AsyncSocketAdapter::OnReadEvent(socket);
				690	return;
				691	}
				692
				693	if (state_ == SSL_CONNECTING) {
				694	if (int err = ContinueSSL()) {
				695	Error("ContinueSSL", err);
				696	}
				697	return;
				698	}
				699
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	700	if (state_ != SSL_CONNECTED) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	701	return;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	702	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	703
				704	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	705	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	706	if (ssl_write_needs_read_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	707	AsyncSocketAdapter::OnWriteEvent(socket);
				708	}
				709
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	710	AsyncSocketAdapter::OnReadEvent(socket);
				711	}
				712
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	713	void OpenSSLAdapter::OnWriteEvent(AsyncSocket* socket) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	714	if (state_ == SSL_NONE) {
				715	AsyncSocketAdapter::OnWriteEvent(socket);
				716	return;
				717	}
				718
				719	if (state_ == SSL_CONNECTING) {
				720	if (int err = ContinueSSL()) {
				721	Error("ContinueSSL", err);
				722	}
				723	return;
				724	}
				725
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	726	if (state_ != SSL_CONNECTED) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	727	return;
Benjamin Wright	243cabe	2018-10-16 01:55:28 -0700	[diff] [blame]	728	}
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	729
				730	// Don't let ourselves go away during the callbacks
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	731	// PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	732
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	733	if (ssl_read_needs_write_) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	734	AsyncSocketAdapter::OnReadEvent(socket);
				735	}
				736
deadbeef	ed3b986	2017-06-02 10:33:16 -0700	[diff] [blame]	737	// If a previous SSL_write failed due to the underlying socket being blocked,
				738	// this will attempt finishing the write operation.
				739	if (!pending_data_.empty()) {
				740	int error;
				741	if (DoSslWrite(pending_data_.data(), pending_data_.size(), &error) ==
				742	static_cast<int>(pending_data_.size())) {
				743	pending_data_.Clear();
				744	}
				745	}
				746
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	747	AsyncSocketAdapter::OnWriteEvent(socket);
				748	}
				749
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	750	void OpenSSLAdapter::OnCloseEvent(AsyncSocket* socket, int err) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	751	RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	752	AsyncSocketAdapter::OnCloseEvent(socket, err);
				753	}
				754
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	755	bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const std::string& host) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	756	bool is_valid_cert_name =
				757	openssl::VerifyPeerCertMatchesHost(ssl, host) &&
				758	(SSL_get_verify_result(ssl) == X509_V_OK \|\| custom_cert_verifier_status_);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	759
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	760	if (!is_valid_cert_name && ignore_bad_cert_) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	761	RTC_DLOG(LS_WARNING) << "Other TLS post connection checks failed. "
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	762	"ignore_bad_cert_ set to true. Overriding name "
				763	"verification failure!";
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	764	is_valid_cert_name = true;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	765	}
Benjamin Wright	9201d1a	2018-04-05 12:12:26 -0700	[diff] [blame]	766	return is_valid_cert_name;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	767	}
				768
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	769	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	770
				771	// We only use this for tracing and so it is only needed in debug mode
				772
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	773	void OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int ret) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	774	const char* str = "undefined";
				775	int w = where & ~SSL_ST_MASK;
				776	if (w & SSL_ST_CONNECT) {
				777	str = "SSL_connect";
				778	} else if (w & SSL_ST_ACCEPT) {
				779	str = "SSL_accept";
				780	}
				781	if (where & SSL_CB_LOOP) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	782	RTC_DLOG(LS_INFO) << str << ":" << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	783	} else if (where & SSL_CB_ALERT) {
				784	str = (where & SSL_CB_READ) ? "read" : "write";
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	785	RTC_DLOG(LS_INFO) << "SSL3 alert " << str << ":"
				786	<< SSL_alert_type_string_long(ret) << ":"
				787	<< SSL_alert_desc_string_long(ret);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	788	} else if (where & SSL_CB_EXIT) {
				789	if (ret == 0) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	790	RTC_DLOG(LS_INFO) << str << ":failed in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	791	} else if (ret < 0) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	792	RTC_DLOG(LS_INFO) << str << ":error in " << SSL_state_string_long(s);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	793	}
				794	}
				795	}
				796
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	797	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	798
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	799	int OpenSSLAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	800	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	801	if (!ok) {
				802	char data[256];
				803	X509* cert = X509_STORE_CTX_get_current_cert(store);
				804	int depth = X509_STORE_CTX_get_error_depth(store);
				805	int err = X509_STORE_CTX_get_error(store);
				806
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	807	RTC_DLOG(LS_INFO) << "Error with certificate at depth: " << depth;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	808	X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	809	RTC_DLOG(LS_INFO) << " issuer = " << data;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	810	X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof(data));
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	811	RTC_DLOG(LS_INFO) << " subject = " << data;
				812	RTC_DLOG(LS_INFO) << " err = " << err << ":"
				813	<< X509_verify_cert_error_string(err);
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	814	}
				815	#endif
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	816	// Get our stream pointer from the store
				817	SSL* ssl = reinterpret_cast<SSL*>(
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	818	X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	819
				820	OpenSSLAdapter* stream =
Yves Gerey	665174f	2018-06-19 15:03:05 +0200	[diff] [blame]	821	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	822
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	823	if (!ok && stream->ssl_cert_verifier_ != nullptr) {
				824	RTC_LOG(LS_INFO) << "Invoking SSL Verify Callback.";
				825	const OpenSSLCertificate cert(X509_STORE_CTX_get_current_cert(store));
				826	if (stream->ssl_cert_verifier_->Verify(cert)) {
				827	stream->custom_cert_verifier_status_ = true;
				828	RTC_LOG(LS_INFO) << "Validated certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	829	ok = true;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	830	} else {
				831	RTC_LOG(LS_INFO) << "Failed to verify certificate using custom callback";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	832	}
				833	}
				834
				835	// Should only be used for debugging and development.
Sergey Silkin	9c147dd	2018-09-12 10:45:38 +0000	[diff] [blame]	836	if (!ok && stream->ignore_bad_cert_) {
Jonas Olsson	addc380	2018-02-01 09:53:06 +0100	[diff] [blame]	837	RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	838	ok = 1;
				839	}
				840
				841	return ok;
				842	}
				843
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	844	int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) {
				845	OpenSSLAdapter* stream =
				846	reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	847	RTC_DCHECK(stream->ssl_session_cache_);
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	848	RTC_LOG(LS_INFO) << "Caching SSL session for " << stream->ssl_host_name_;
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	849	stream->ssl_session_cache_->AddSession(stream->ssl_host_name_, session);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	850	return 1; // We've taken ownership of the session; OpenSSL shouldn't free it.
				851	}
				852
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	853	SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
David Benjamin	170a4b3	2019-01-30 09:46:16 -0600	[diff] [blame]	854	SSL_CTX* ctx =
				855	SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	856	if (ctx == nullptr) {
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	857	unsigned long error = ERR_get_error(); // NOLINT: type used by OpenSSL.
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	858	RTC_LOG(LS_WARNING) << "SSL_CTX creation failed: " << '"'
				859	<< ERR_reason_error_string(error) << "\" "
				860	<< "(error=" << error << ')';
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	861	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	862	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	863
Mirko Bonadei	b889a20	2018-08-15 11:41:27 +0200	[diff] [blame]	864	#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	865	if (!openssl::LoadBuiltinSSLRootCertificates(ctx)) {
				866	RTC_LOG(LS_ERROR) << "SSL_CTX creation failed: Failed to load any trusted "
				867	"ssl root certificates.";
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	868	SSL_CTX_free(ctx);
deadbeef	37f5ecf	2017-02-27 14:06:41 -0800	[diff] [blame]	869	return nullptr;
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	870	}
Mirko Bonadei	b889a20	2018-08-15 11:41:27 +0200	[diff] [blame]	871	#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	872
tfarina	a41ab93	2015-10-30 16:08:48 -0700	[diff] [blame]	873	#if !defined(NDEBUG)
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	874	SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
				875	#endif
				876
				877	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
				878	SSL_CTX_set_verify_depth(ctx, 4);
Emad Omara	c6de0c9	2017-06-21 16:40:56 -0700	[diff] [blame]	879	// Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
				880	// (note that SHA256 and SHA384 only select legacy CBC ciphers).
				881	// Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
				882	// CBC-mode ECDSA ciphers.
				883	SSL_CTX_set_cipher_list(
				884	ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5");
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	885
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	886	if (mode == SSL_MODE_DTLS) {
pthatcher@webrtc.org	a9b1ec0	2014-12-29 23:00:14 +0000	[diff] [blame]	887	SSL_CTX_set_read_ahead(ctx, 1);
				888	}
				889
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	890	if (enable_cache) {
				891	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
				892	SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback);
				893	}
				894
henrike@webrtc.org	f048872	2014-05-13 18:00:26 +0000	[diff] [blame]	895	return ctx;
				896	}
				897
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	898	std::string TransformAlpnProtocols(
				899	const std::vector<std::string>& alpn_protocols) {
				900	// Transforms the alpn_protocols list to the format expected by
				901	// Open/BoringSSL. This requires joining the protocols into a single string
				902	// and prepending a character with the size of the protocol string before
				903	// each protocol.
				904	std::string transformed_alpn;
				905	for (const std::string& proto : alpn_protocols) {
				906	if (proto.size() == 0 \|\| proto.size() > 0xFF) {
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	907	RTC_LOG(LS_ERROR) << "OpenSSLAdapter::Error("
				908	<< "TransformAlpnProtocols received proto with size "
				909	<< proto.size() << ")";
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	910	return "";
				911	}
				912	transformed_alpn += static_cast<char>(proto.size());
				913	transformed_alpn += proto;
Mirko Bonadei	675513b	2017-11-09 11:09:25 +0100	[diff] [blame]	914	RTC_LOG(LS_VERBOSE) << "TransformAlpnProtocols: Adding proto: " << proto;
Diogo Real	1dca9d5	2017-08-29 12:18:32 -0700	[diff] [blame]	915	}
				916	return transformed_alpn;
				917	}
				918
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	919	//////////////////////////////////////////////////////////////////////
				920	// OpenSSLAdapterFactory
				921	//////////////////////////////////////////////////////////////////////
				922
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	923	OpenSSLAdapterFactory::OpenSSLAdapterFactory() = default;
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	924
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	925	OpenSSLAdapterFactory::~OpenSSLAdapterFactory() = default;
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	926
				927	void OpenSSLAdapterFactory::SetMode(SSLMode mode) {
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	928	RTC_DCHECK(!ssl_session_cache_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	929	ssl_mode_ = mode;
				930	}
				931
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	932	void OpenSSLAdapterFactory::SetCertVerifier(
				933	SSLCertificateVerifier* ssl_cert_verifier) {
				934	RTC_DCHECK(!ssl_session_cache_);
				935	ssl_cert_verifier_ = ssl_cert_verifier;
				936	}
				937
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	938	OpenSSLAdapter* OpenSSLAdapterFactory::CreateAdapter(AsyncSocket* socket) {
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	939	if (ssl_session_cache_ == nullptr) {
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	940	SSL_CTX* ssl_ctx = OpenSSLAdapter::CreateContext(ssl_mode_, true);
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	941	if (ssl_ctx == nullptr) {
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	942	return nullptr;
				943	}
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	944	// The OpenSSLSessionCache will upref the ssl_ctx.
Karl Wiberg	918f50c	2018-07-05 11:40:33 +0200	[diff] [blame]	945	ssl_session_cache_ =
				946	absl::make_unique<OpenSSLSessionCache>(ssl_mode_, ssl_ctx);
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	947	SSL_CTX_free(ssl_ctx);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	948	}
Benjamin Wright	d6f86e8	2018-05-08 13:12:25 -0700	[diff] [blame]	949	return new OpenSSLAdapter(socket, ssl_session_cache_.get(),
				950	ssl_cert_verifier_);
Justin Uberti	1d44550	2017-08-14 17:04:34 -0700	[diff] [blame]	951	}
				952
Benjamin Wright	19aab2e	2018-04-05 15:39:06 -0700	[diff] [blame]	953	} // namespace rtc