Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / dbbb33cd0094ff4f24b42f3087d0587cd070ee0c / . / rtc_base / openssladapter.h
blob: 2d0474e85778713a618b9f752eccc24f30a97066 [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]1/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]11#ifndef RTC_BASE_OPENSSLADAPTER_H_
12#define RTC_BASE_OPENSSLADAPTER_H_
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]13
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]14#include <map>
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]15#include <string>
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]16#include "rtc_base/buffer.h"
17#include "rtc_base/messagehandler.h"
18#include "rtc_base/messagequeue.h"
19#include "rtc_base/opensslidentity.h"
20#include "rtc_base/ssladapter.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]21
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]22typedef struct ssl_st SSL;
23typedef struct ssl_ctx_st SSL_CTX;
24typedef struct x509_store_ctx_st X509_STORE_CTX;
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]25typedef struct ssl_session_st SSL_SESSION;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]26
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]27namespace rtc {
28
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]29class OpenSSLAdapterFactory;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]30
31class OpenSSLAdapter : public SSLAdapter, public MessageHandler {
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]32 public:
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]33 static bool InitializeSSL(VerificationCallback callback);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]34 static bool CleanupSSL();
35
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]36 explicit OpenSSLAdapter(AsyncSocket* socket,
37 OpenSSLAdapterFactory* factory = nullptr);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]38 ~OpenSSLAdapter() override;
39
Diogo Real1dca9d52017-08-29 12:18:32 -0700[diff] [blame]40 void SetIgnoreBadCert(bool ignore) override;
41 void SetAlpnProtocols(const std::vector<std::string>& protos) override;
Diogo Real7bd1f1b2017-09-08 12:50:41 -0700[diff] [blame]42 void SetEllipticCurves(const std::vector<std::string>& curves) override;
Diogo Real1dca9d52017-08-29 12:18:32 -0700[diff] [blame]43
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]44 void SetMode(SSLMode mode) override;
Steve Anton786de702017-08-17 15:15:46 -0700[diff] [blame]45 void SetIdentity(SSLIdentity* identity) override;
46 void SetRole(SSLRole role) override;
47 AsyncSocket* Accept(SocketAddress* paddr) override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]48 int StartSSL(const char* hostname, bool restartable) override;
49 int Send(const void* pv, size_t cb) override;
50 int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override;
51 int Recv(void* pv, size_t cb, int64_t* timestamp) override;
52 int RecvFrom(void* pv,
53 size_t cb,
54 SocketAddress* paddr,
55 int64_t* timestamp) override;
56 int Close() override;
57
58 // Note that the socket returns ST_CONNECTING while SSL is being negotiated.
59 ConnState GetState() const override;
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]60 bool IsResumedSession() override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]61
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]62 // Creates a new SSL_CTX object, configured for client-to-server usage
63 // with SSLMode |mode|, and if |enable_cache| is true, with support for
64 // storing successful sessions so that they can be later resumed.
65 // OpenSSLAdapterFactory will call this method to create its own internal
66 // SSL_CTX, and OpenSSLAdapter will also call this when used without a
67 // factory.
68 static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]69
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]70 protected:
71 void OnConnectEvent(AsyncSocket* socket) override;
72 void OnReadEvent(AsyncSocket* socket) override;
73 void OnWriteEvent(AsyncSocket* socket) override;
74 void OnCloseEvent(AsyncSocket* socket, int err) override;
75
76 private:
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]77 enum SSLState {
78 SSL_NONE, SSL_WAIT, SSL_CONNECTING, SSL_CONNECTED, SSL_ERROR
79 };
80
81 enum { MSG_TIMEOUT };
82
83 int BeginSSL();
84 int ContinueSSL();
85 void Error(const char* context, int err, bool signal = true);
86 void Cleanup();
87
88 // Return value and arguments have the same meanings as for Send; |error| is
89 // an output parameter filled with the result of SSL_get_error.
90 int DoSslWrite(const void* pv, size_t cb, int* error);
91
92 void OnMessage(Message* msg) override;
93
94 static bool VerifyServerName(SSL* ssl, const char* host,
95 bool ignore_bad_cert);
96 bool SSLPostConnectionCheck(SSL* ssl, const char* host);
97#if !defined(NDEBUG)
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]98 // In debug builds, logs info about the state of the SSL connection.
99 static void SSLInfoCallback(const SSL* ssl, int where, int ret);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]100#endif
101 static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
102 static VerificationCallback custom_verify_callback_;
103 friend class OpenSSLStreamAdapter; // for custom_verify_callback_;
104
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]105 // If the SSL_CTX was created with |enable_cache| set to true, this callback
106 // will be called when a SSL session has been successfully established,
107 // to allow its SSL_SESSION* to be cached for later resumption.
108 static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session);
109
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]110 static bool ConfigureTrustedRootCertificates(SSL_CTX* ctx);
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]111
112 // Parent object that maintains shared state.
113 // Can be null if state sharing is not needed.
114 OpenSSLAdapterFactory* factory_;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]115
116 SSLState state_;
Steve Anton786de702017-08-17 15:15:46 -0700[diff] [blame]117 std::unique_ptr<OpenSSLIdentity> identity_;
118 SSLRole role_;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]119 bool ssl_read_needs_write_;
120 bool ssl_write_needs_read_;
121 // If true, socket will retain SSL configuration after Close.
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]122 // TODO(juberti): Remove this unused flag.
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]123 bool restartable_;
124
125 // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which
126 // means we need to keep retrying with *the same exact data* until it
127 // succeeds. Afterwards it will be cleared.
128 Buffer pending_data_;
129
130 SSL* ssl_;
131 SSL_CTX* ssl_ctx_;
132 std::string ssl_host_name_;
133 // Do DTLS or not
134 SSLMode ssl_mode_;
Diogo Real1dca9d52017-08-29 12:18:32 -0700[diff] [blame]135 // If true, the server certificate need not match the configured hostname.
136 bool ignore_bad_cert_;
137 // List of protocols to be used in the TLS ALPN extension.
138 std::vector<std::string> alpn_protocols_;
Diogo Real7bd1f1b2017-09-08 12:50:41 -0700[diff] [blame]139 // List of elliptic curves to be used in the TLS elliptic curves extension.
140 std::vector<std::string> elliptic_curves_;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]141
142 bool custom_verification_succeeded_;
143};
144
Diogo Real1dca9d52017-08-29 12:18:32 -0700[diff] [blame]145std::string TransformAlpnProtocols(const std::vector<std::string>& protos);
146
147/////////////////////////////////////////////////////////////////////////////
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]148class OpenSSLAdapterFactory : public SSLAdapterFactory {
149 public:
150 OpenSSLAdapterFactory();
151 ~OpenSSLAdapterFactory() override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]152
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]153 void SetMode(SSLMode mode) override;
154 OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]155
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]156 static OpenSSLAdapterFactory* Create();
Henrik Kjellanderc0362762017-06-29 08:03:04 +0200[diff] [blame]157
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]158 private:
159 SSL_CTX* ssl_ctx() { return ssl_ctx_; }
160 // Looks up a session by hostname. The returned SSL_SESSION is not up_refed.
161 SSL_SESSION* LookupSession(const std::string& hostname);
162 // Adds a session to the cache, and up_refs it. Any existing session with the
163 // same hostname is replaced.
164 void AddSession(const std::string& hostname, SSL_SESSION* session);
165 friend class OpenSSLAdapter;
166
167 SSLMode ssl_mode_;
168 // Holds the shared SSL_CTX for all created adapters.
169 SSL_CTX* ssl_ctx_;
170 // Map of hostnames to SSL_SESSIONs; holds references to the SSL_SESSIONs,
171 // which are cleaned up when the factory is destroyed.
172 // TODO(juberti): Add LRU eviction to keep the cache from growing forever.
173 std::map<std::string, SSL_SESSION*> sessions_;
174};
175
176} // namespace rtc
177
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]178#endif // RTC_BASE_OPENSSLADAPTER_H_