blob: da484ad3bfd1e5a244b179f40d97117d41faedad [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
Steve Anton10542f22019-01-11 09:11:00 -080011#include "rtc_base/openssl_stream_adapter.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000012
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/err.h>
16#include <openssl/rand.h>
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +000017#include <openssl/tls1.h>
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000018#include <openssl/x509v3.h>
Ali Tofigh7fa90572022-03-17 15:47:49 +010019
20#include "absl/strings/string_view.h"
torbjorngaad67802016-04-07 08:55:28 -070021#ifndef OPENSSL_IS_BORINGSSL
22#include <openssl/dtls1.h>
ssarohabbfed522016-12-11 18:42:07 -080023#include <openssl/ssl.h>
torbjorngaad67802016-04-07 08:55:28 -070024#endif
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000025
Guido Urdaneta14bba6e2020-09-25 16:00:51 +020026#include <atomic>
jbauch555604a2016-04-26 03:13:22 -070027#include <memory>
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -070028#include <utility>
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000029#include <vector>
30
Mirko Bonadei92ea95e2017-09-15 06:47:31 +020031#include "rtc_base/checks.h"
32#include "rtc_base/logging.h"
Karl Wiberge40468b2017-11-22 10:42:26 +010033#include "rtc_base/numerics/safe_conversions.h"
Mirko Bonadei92ea95e2017-09-15 06:47:31 +020034#include "rtc_base/openssl.h"
Steve Anton10542f22019-01-11 09:11:00 -080035#include "rtc_base/openssl_adapter.h"
36#include "rtc_base/openssl_digest.h"
Taylor Brandstetter165c6182020-12-10 16:23:03 -080037#ifdef OPENSSL_IS_BORINGSSL
38#include "rtc_base/boringssl_identity.h"
39#else
Steve Anton10542f22019-01-11 09:11:00 -080040#include "rtc_base/openssl_identity.h"
Taylor Brandstetter165c6182020-12-10 16:23:03 -080041#endif
42#include "rtc_base/openssl_utility.h"
Steve Anton10542f22019-01-11 09:11:00 -080043#include "rtc_base/ssl_certificate.h"
Mirko Bonadei92ea95e2017-09-15 06:47:31 +020044#include "rtc_base/stream.h"
Philipp Hancke117e6922022-06-17 14:14:55 +020045#include "rtc_base/string_encode.h"
Mirko Bonadei92ea95e2017-09-15 06:47:31 +020046#include "rtc_base/thread.h"
Steve Anton10542f22019-01-11 09:11:00 -080047#include "rtc_base/time_utils.h"
Harald Alvestrand13799132020-03-09 19:39:36 +010048#include "system_wrappers/include/field_trial.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000049
Jiawei Oua9c94d52018-01-30 23:05:07 -080050#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
51#error "webrtc requires at least OpenSSL version 1.1.0, to support DTLS-SRTP"
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +010052#endif
53
Benjamin Wright8e98c602019-02-28 17:25:01 -080054// Defines for the TLS Cipher Suite Map.
55#define DEFINE_CIPHER_ENTRY_SSL3(name) \
56 { SSL3_CK_##name, "TLS_" #name }
57#define DEFINE_CIPHER_ENTRY_TLS1(name) \
58 { TLS1_CK_##name, "TLS_" #name }
59
60namespace rtc {
61namespace {
Danil Chapovalov5286dcf2022-07-18 17:04:56 +020062using ::webrtc::SafeTask;
Artem Titov96e3b992021-07-26 16:03:14 +020063// SRTP cipher suite table. `internal_name` is used to construct a
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -080064// colon-separated profile strings which is needed by
65// SSL_CTX_set_tlsext_use_srtp().
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000066struct SrtpCipherMapEntry {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000067 const char* internal_name;
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -080068 const int id;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +000069};
70
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +010071// Cipher name table. Maps internal OpenSSL cipher ids to the RFC name.
72struct SslCipherMapEntry {
73 uint32_t openssl_id;
74 const char* rfc_name;
75};
76
Benjamin Wright8e98c602019-02-28 17:25:01 -080077// This isn't elegant, but it's better than an external reference
78constexpr SrtpCipherMapEntry kSrtpCipherMap[] = {
Mirko Bonadei7750d802021-07-26 17:27:42 +020079 {"SRTP_AES128_CM_SHA1_80", kSrtpAes128CmSha1_80},
80 {"SRTP_AES128_CM_SHA1_32", kSrtpAes128CmSha1_32},
81 {"SRTP_AEAD_AES_128_GCM", kSrtpAeadAes128Gcm},
82 {"SRTP_AEAD_AES_256_GCM", kSrtpAeadAes256Gcm}};
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +010083
Benjamin Wright8e98c602019-02-28 17:25:01 -080084#ifndef OPENSSL_IS_BORINGSSL
David Benjamin3c1f05d2017-12-01 17:28:03 -050085// The "SSL_CIPHER_standard_name" function is only available in OpenSSL when
86// compiled with tracing, so we need to define the mapping manually here.
Benjamin Wright8e98c602019-02-28 17:25:01 -080087constexpr SslCipherMapEntry kSslCipherMap[] = {
deadbeef37f5ecf2017-02-27 14:06:41 -080088 // TLS v1.0 ciphersuites from RFC2246.
89 DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA),
90 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +010091
deadbeef37f5ecf2017-02-27 14:06:41 -080092 // AES ciphersuites from RFC3268.
93 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
94 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
95 {TLS1_CK_RSA_WITH_AES_256_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA"},
96 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +010097
deadbeef37f5ecf2017-02-27 14:06:41 -080098 // ECC ciphersuites from RFC4492.
99 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA),
100 {TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
101 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"},
102 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
103 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100104
deadbeef37f5ecf2017-02-27 14:06:41 -0800105 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA),
106 {TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
107 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"},
108 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA),
109 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA),
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100110
deadbeef37f5ecf2017-02-27 14:06:41 -0800111 // TLS v1.2 ciphersuites.
112 {TLS1_CK_RSA_WITH_AES_128_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"},
113 {TLS1_CK_RSA_WITH_AES_256_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"},
114 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
115 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"},
116 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
117 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"},
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100118
deadbeef37f5ecf2017-02-27 14:06:41 -0800119 // TLS v1.2 GCM ciphersuites from RFC5288.
120 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256),
121 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384),
122 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256),
123 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384),
124 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256),
125 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384),
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100126
deadbeef37f5ecf2017-02-27 14:06:41 -0800127 // ECDH HMAC based ciphersuites from RFC5289.
128 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
129 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"},
130 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
131 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"},
132 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
133 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
134 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
135 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100136
deadbeef37f5ecf2017-02-27 14:06:41 -0800137 // ECDH GCM based ciphersuites from RFC5289.
138 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
139 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
140 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
141 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384),
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100142
deadbeef37f5ecf2017-02-27 14:06:41 -0800143 {0, nullptr}};
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100144#endif // #ifndef OPENSSL_IS_BORINGSSL
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000145
Benjamin Wright8e98c602019-02-28 17:25:01 -0800146#ifdef OPENSSL_IS_BORINGSSL
147// Enabled by EnableTimeCallbackForTesting. Should never be set in production
148// code.
149bool g_use_time_callback_for_testing = false;
150// Not used in production code. Actual time should be relative to Jan 1, 1970.
151void TimeCallbackForTesting(const SSL* ssl, struct timeval* out_clock) {
152 int64_t time = TimeNanos();
153 out_clock->tv_sec = time / kNumNanosecsPerSec;
154 out_clock->tv_usec = (time % kNumNanosecsPerSec) / kNumNanosecsPerMicrosec;
155}
156#endif
Guo-wei Shieh456696a2015-09-30 21:48:54 -0700157
Benjamin Wright8e98c602019-02-28 17:25:01 -0800158} // namespace
Guo-wei Shieh456696a2015-09-30 21:48:54 -0700159
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000160//////////////////////////////////////////////////////////////////////
161// StreamBIO
162//////////////////////////////////////////////////////////////////////
163
164static int stream_write(BIO* h, const char* buf, int num);
165static int stream_read(BIO* h, char* buf, int size);
166static int stream_puts(BIO* h, const char* str);
167static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2);
168static int stream_new(BIO* h);
169static int stream_free(BIO* data);
170
Jiawei Oueb0df082018-02-02 14:51:18 -0800171static BIO_METHOD* BIO_stream_method() {
172 static BIO_METHOD* method = [] {
173 BIO_METHOD* method = BIO_meth_new(BIO_TYPE_BIO, "stream");
174 BIO_meth_set_write(method, stream_write);
175 BIO_meth_set_read(method, stream_read);
176 BIO_meth_set_puts(method, stream_puts);
177 BIO_meth_set_ctrl(method, stream_ctrl);
178 BIO_meth_set_create(method, stream_new);
179 BIO_meth_set_destroy(method, stream_free);
180 return method;
181 }();
182 return method;
183}
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000184
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000185static BIO* BIO_new_stream(StreamInterface* stream) {
Jiawei Oueb0df082018-02-02 14:51:18 -0800186 BIO* ret = BIO_new(BIO_stream_method());
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700187 if (ret == nullptr) {
deadbeef37f5ecf2017-02-27 14:06:41 -0800188 return nullptr;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700189 }
Jiawei Oueb0df082018-02-02 14:51:18 -0800190 BIO_set_data(ret, stream);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000191 return ret;
192}
193
194// bio methods return 1 (or at least non-zero) on success and 0 on failure.
195
196static int stream_new(BIO* b) {
Jiawei Oueb0df082018-02-02 14:51:18 -0800197 BIO_set_shutdown(b, 0);
198 BIO_set_init(b, 1);
199 BIO_set_data(b, 0);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000200 return 1;
201}
202
203static int stream_free(BIO* b) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700204 if (b == nullptr) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000205 return 0;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700206 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000207 return 1;
208}
209
210static int stream_read(BIO* b, char* out, int outl) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700211 if (!out) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000212 return -1;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700213 }
Jiawei Oueb0df082018-02-02 14:51:18 -0800214 StreamInterface* stream = static_cast<StreamInterface*>(BIO_get_data(b));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000215 BIO_clear_retry_flags(b);
216 size_t read;
217 int error;
218 StreamResult result = stream->Read(out, outl, &read, &error);
219 if (result == SR_SUCCESS) {
henrike@webrtc.orgd89b69a2014-11-06 17:23:09 +0000220 return checked_cast<int>(read);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000221 } else if (result == SR_BLOCK) {
222 BIO_set_retry_read(b);
223 }
224 return -1;
225}
226
227static int stream_write(BIO* b, const char* in, int inl) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700228 if (!in) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000229 return -1;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700230 }
Jiawei Oueb0df082018-02-02 14:51:18 -0800231 StreamInterface* stream = static_cast<StreamInterface*>(BIO_get_data(b));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000232 BIO_clear_retry_flags(b);
233 size_t written;
234 int error;
235 StreamResult result = stream->Write(in, inl, &written, &error);
236 if (result == SR_SUCCESS) {
henrike@webrtc.orgd89b69a2014-11-06 17:23:09 +0000237 return checked_cast<int>(written);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000238 } else if (result == SR_BLOCK) {
239 BIO_set_retry_write(b);
240 }
241 return -1;
242}
243
244static int stream_puts(BIO* b, const char* str) {
henrike@webrtc.orgd89b69a2014-11-06 17:23:09 +0000245 return stream_write(b, str, checked_cast<int>(strlen(str)));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000246}
247
248static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000249 switch (cmd) {
250 case BIO_CTRL_RESET:
251 return 0;
Jiawei Ou018dd6e2018-01-30 12:13:48 -0800252 case BIO_CTRL_EOF: {
253 StreamInterface* stream = static_cast<StreamInterface*>(ptr);
254 // 1 means end-of-stream.
255 return (stream->GetState() == SS_CLOSED) ? 1 : 0;
256 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000257 case BIO_CTRL_WPENDING:
258 case BIO_CTRL_PENDING:
259 return 0;
260 case BIO_CTRL_FLUSH:
261 return 1;
Henrik Lundinf4baca52015-06-10 09:45:58 +0200262 case BIO_CTRL_DGRAM_QUERY_MTU:
263 // openssl defaults to mtu=256 unless we return something here.
264 // The handshake doesn't actually need to send packets above 1k,
265 // so this seems like a sensible value that should work in most cases.
266 // Webrtc uses the same value for video packets.
267 return 1200;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000268 default:
269 return 0;
270 }
271}
272
273/////////////////////////////////////////////////////////////////////////////
274// OpenSSLStreamAdapter
275/////////////////////////////////////////////////////////////////////////////
276
Guido Urdaneta14bba6e2020-09-25 16:00:51 +0200277static std::atomic<bool> g_use_legacy_tls_protocols_override(false);
278static std::atomic<bool> g_allow_legacy_tls_protocols(false);
279
280void SetAllowLegacyTLSProtocols(const absl::optional<bool>& allow) {
281 g_use_legacy_tls_protocols_override.store(allow.has_value());
282 if (allow.has_value())
283 g_allow_legacy_tls_protocols.store(allow.value());
284}
285
286bool ShouldAllowLegacyTLSProtocols() {
287 return g_use_legacy_tls_protocols_override.load()
288 ? g_allow_legacy_tls_protocols.load()
Guido Urdanetaae2e8642020-10-26 09:55:26 +0100289 : webrtc::field_trial::IsEnabled("WebRTC-LegacyTlsProtocols");
Guido Urdaneta14bba6e2020-09-25 16:00:51 +0200290}
291
Harald Alvestrand8515d5a2020-03-20 22:51:32 +0100292OpenSSLStreamAdapter::OpenSSLStreamAdapter(
293 std::unique_ptr<StreamInterface> stream)
Niels Möller0131a4d2021-04-16 09:16:21 +0200294 : stream_(std::move(stream)),
Tommi04482982020-10-05 12:43:53 +0000295 owner_(rtc::Thread::Current()),
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000296 state_(SSL_NONE),
297 role_(SSL_CLIENT),
Guo-wei Shieha7446d22016-01-11 15:27:03 -0800298 ssl_read_needs_write_(false),
299 ssl_write_needs_read_(false),
deadbeef37f5ecf2017-02-27 14:06:41 -0800300 ssl_(nullptr),
301 ssl_ctx_(nullptr),
Joachim Bauch831c5582015-05-20 12:48:41 +0200302 ssl_mode_(SSL_MODE_TLS),
Harald Alvestrand13799132020-03-09 19:39:36 +0100303 ssl_max_version_(SSL_PROTOCOL_TLS_12),
304 // Default is to support legacy TLS protocols.
305 // This will be changed to default non-support in M82 or M83.
Niels Möller0131a4d2021-04-16 09:16:21 +0200306 support_legacy_tls_protocols_flag_(ShouldAllowLegacyTLSProtocols()) {
307 stream_->SignalEvent.connect(this, &OpenSSLStreamAdapter::OnEvent);
308}
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000309
310OpenSSLStreamAdapter::~OpenSSLStreamAdapter() {
Tommi04482982020-10-05 12:43:53 +0000311 timeout_task_.Stop();
deadbeef89824f62016-09-30 11:55:43 -0700312 Cleanup(0);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000313}
314
Harald Alvestrand8515d5a2020-03-20 22:51:32 +0100315void OpenSSLStreamAdapter::SetIdentity(std::unique_ptr<SSLIdentity> identity) {
deadbeef89824f62016-09-30 11:55:43 -0700316 RTC_DCHECK(!identity_);
Taylor Brandstetter165c6182020-12-10 16:23:03 -0800317#ifdef OPENSSL_IS_BORINGSSL
318 identity_.reset(static_cast<BoringSSLIdentity*>(identity.release()));
319#else
Harald Alvestrand8515d5a2020-03-20 22:51:32 +0100320 identity_.reset(static_cast<OpenSSLIdentity*>(identity.release()));
Taylor Brandstetter165c6182020-12-10 16:23:03 -0800321#endif
Harald Alvestrand8515d5a2020-03-20 22:51:32 +0100322}
323
Taylor Brandstetter165c6182020-12-10 16:23:03 -0800324SSLIdentity* OpenSSLStreamAdapter::GetIdentityForTesting() const {
Harald Alvestrand8515d5a2020-03-20 22:51:32 +0100325 return identity_.get();
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000326}
327
328void OpenSSLStreamAdapter::SetServerRole(SSLRole role) {
329 role_ = role;
330}
331
deadbeef89824f62016-09-30 11:55:43 -0700332bool OpenSSLStreamAdapter::SetPeerCertificateDigest(
Ali Tofigh7fa90572022-03-17 15:47:49 +0100333 absl::string_view digest_alg,
deadbeef89824f62016-09-30 11:55:43 -0700334 const unsigned char* digest_val,
335 size_t digest_len,
336 SSLPeerCertificateDigestError* error) {
337 RTC_DCHECK(!peer_certificate_verified_);
Benjamin Wright5d355542018-10-26 17:57:00 -0700338 RTC_DCHECK(!HasPeerCertificateDigest());
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000339 size_t expected_len;
deadbeef89824f62016-09-30 11:55:43 -0700340 if (error) {
341 *error = SSLPeerCertificateDigestError::NONE;
342 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000343
344 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) {
Mirko Bonadei675513b2017-11-09 11:09:25 +0100345 RTC_LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg;
deadbeef89824f62016-09-30 11:55:43 -0700346 if (error) {
347 *error = SSLPeerCertificateDigestError::UNKNOWN_ALGORITHM;
348 }
deadbeef81f6f4f2016-09-19 17:20:52 -0700349 return false;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000350 }
deadbeef89824f62016-09-30 11:55:43 -0700351 if (expected_len != digest_len) {
352 if (error) {
353 *error = SSLPeerCertificateDigestError::INVALID_LENGTH;
354 }
deadbeef81f6f4f2016-09-19 17:20:52 -0700355 return false;
deadbeef89824f62016-09-30 11:55:43 -0700356 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000357
358 peer_certificate_digest_value_.SetData(digest_val, digest_len);
Ali Tofigh7fa90572022-03-17 15:47:49 +0100359 peer_certificate_digest_algorithm_ = std::string(digest_alg);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000360
Taylor Brandstetterc3928662018-02-23 13:04:51 -0800361 if (!peer_cert_chain_) {
deadbeef89824f62016-09-30 11:55:43 -0700362 // Normal case, where the digest is set before we obtain the certificate
363 // from the handshake.
364 return true;
365 }
366
367 if (!VerifyPeerCertificate()) {
368 Error("SetPeerCertificateDigest", -1, SSL_AD_BAD_CERTIFICATE, false);
369 if (error) {
370 *error = SSLPeerCertificateDigestError::VERIFICATION_FAILED;
371 }
372 return false;
373 }
374
375 if (state_ == SSL_CONNECTED) {
376 // Post the event asynchronously to unwind the stack. The caller
377 // of ContinueSSL may be the same object listening for these
378 // events and may not be prepared for reentrancy.
379 PostEvent(SE_OPEN | SE_READ | SE_WRITE, 0);
380 }
381
deadbeef81f6f4f2016-09-19 17:20:52 -0700382 return true;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000383}
384
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -0800385std::string OpenSSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) {
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100386#ifdef OPENSSL_IS_BORINGSSL
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -0800387 const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher_suite);
Guo-wei Shieh456696a2015-09-30 21:48:54 -0700388 if (!ssl_cipher) {
389 return std::string();
390 }
David Benjamina8f73762017-09-28 15:49:42 -0400391 return SSL_CIPHER_standard_name(ssl_cipher);
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100392#else
393 for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name;
394 ++entry) {
395 if (cipher_suite == static_cast<int>(entry->openssl_id)) {
396 return entry->rfc_name;
397 }
398 }
399 return std::string();
400#endif
Guo-wei Shieh456696a2015-09-30 21:48:54 -0700401}
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000402
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -0800403bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700404 if (state_ != SSL_CONNECTED) {
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000405 return false;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700406 }
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000407
408 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_);
deadbeef37f5ecf2017-02-27 14:06:41 -0800409 if (current_cipher == nullptr) {
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000410 return false;
411 }
412
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -0800413 *cipher_suite = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher));
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000414 return true;
415}
416
Harald Alvestrand5cb78072019-10-28 09:51:17 +0100417SSLProtocolVersion OpenSSLStreamAdapter::GetSslVersion() const {
Benjamin Wright8e98c602019-02-28 17:25:01 -0800418 if (state_ != SSL_CONNECTED) {
Harald Alvestrand5cb78072019-10-28 09:51:17 +0100419 return SSL_PROTOCOL_NOT_GIVEN;
Benjamin Wright8e98c602019-02-28 17:25:01 -0800420 }
torbjorng43166b82016-03-11 00:06:47 -0800421
422 int ssl_version = SSL_version(ssl_);
423 if (ssl_mode_ == SSL_MODE_DTLS) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700424 if (ssl_version == DTLS1_VERSION) {
torbjorng43166b82016-03-11 00:06:47 -0800425 return SSL_PROTOCOL_DTLS_10;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700426 } else if (ssl_version == DTLS1_2_VERSION) {
torbjorng43166b82016-03-11 00:06:47 -0800427 return SSL_PROTOCOL_DTLS_12;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700428 }
torbjorng43166b82016-03-11 00:06:47 -0800429 } else {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700430 if (ssl_version == TLS1_VERSION) {
torbjorng43166b82016-03-11 00:06:47 -0800431 return SSL_PROTOCOL_TLS_10;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700432 } else if (ssl_version == TLS1_1_VERSION) {
torbjorng43166b82016-03-11 00:06:47 -0800433 return SSL_PROTOCOL_TLS_11;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700434 } else if (ssl_version == TLS1_2_VERSION) {
torbjorng43166b82016-03-11 00:06:47 -0800435 return SSL_PROTOCOL_TLS_12;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700436 }
torbjorng43166b82016-03-11 00:06:47 -0800437 }
438
Harald Alvestrand5cb78072019-10-28 09:51:17 +0100439 return SSL_PROTOCOL_NOT_GIVEN;
440}
441
442bool OpenSSLStreamAdapter::GetSslVersionBytes(int* version) const {
443 if (state_ != SSL_CONNECTED) {
444 return false;
445 }
446 *version = SSL_version(ssl_);
447 return true;
torbjorng43166b82016-03-11 00:06:47 -0800448}
449
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000450// Key Extractor interface
Ali Tofigh7fa90572022-03-17 15:47:49 +0100451bool OpenSSLStreamAdapter::ExportKeyingMaterial(absl::string_view label,
Peter Boström0c4e06b2015-10-07 12:23:21 +0200452 const uint8_t* context,
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000453 size_t context_len,
454 bool use_context,
Peter Boström0c4e06b2015-10-07 12:23:21 +0200455 uint8_t* result,
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000456 size_t result_len) {
Ali Tofigh7fa90572022-03-17 15:47:49 +0100457 if (SSL_export_keying_material(ssl_, result, result_len, label.data(),
458 label.length(), context, context_len,
459 use_context) != 1) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000460 return false;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700461 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000462 return true;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000463}
464
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -0800465bool OpenSSLStreamAdapter::SetDtlsSrtpCryptoSuites(
466 const std::vector<int>& ciphers) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700467 if (state_ != SSL_NONE) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000468 return false;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700469 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000470
Benjamin Wright8e98c602019-02-28 17:25:01 -0800471 std::string internal_ciphers;
472 for (const int cipher : ciphers) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000473 bool found = false;
Benjamin Wright8e98c602019-02-28 17:25:01 -0800474 for (const auto& entry : kSrtpCipherMap) {
475 if (cipher == entry.id) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000476 found = true;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700477 if (!internal_ciphers.empty()) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000478 internal_ciphers += ":";
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700479 }
Benjamin Wright8e98c602019-02-28 17:25:01 -0800480 internal_ciphers += entry.internal_name;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000481 break;
482 }
483 }
484
485 if (!found) {
Benjamin Wright8e98c602019-02-28 17:25:01 -0800486 RTC_LOG(LS_ERROR) << "Could not find cipher: " << cipher;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000487 return false;
488 }
489 }
490
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700491 if (internal_ciphers.empty()) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000492 return false;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700493 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000494
495 srtp_ciphers_ = internal_ciphers;
496 return true;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000497}
498
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -0800499bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) {
deadbeef89824f62016-09-30 11:55:43 -0700500 RTC_DCHECK(state_ == SSL_CONNECTED);
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700501 if (state_ != SSL_CONNECTED) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000502 return false;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700503 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000504
Yves Gerey665174f2018-06-19 15:03:05 +0200505 const SRTP_PROTECTION_PROFILE* srtp_profile =
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000506 SSL_get_selected_srtp_profile(ssl_);
507
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700508 if (!srtp_profile) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000509 return false;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700510 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000511
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -0800512 *crypto_suite = srtp_profile->id;
deadbeef89824f62016-09-30 11:55:43 -0700513 RTC_DCHECK(!SrtpCryptoSuiteToName(*crypto_suite).empty());
Guo-wei Shieh521ed7b2015-11-18 19:41:53 -0800514 return true;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000515}
516
deadbeef89824f62016-09-30 11:55:43 -0700517bool OpenSSLStreamAdapter::IsTlsConnected() {
518 return state_ == SSL_CONNECTED;
519}
520
Taylor Brandstetterc8762a82016-08-11 12:01:49 -0700521int OpenSSLStreamAdapter::StartSSL() {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700522 // Don't allow StartSSL to be called twice.
deadbeef89824f62016-09-30 11:55:43 -0700523 if (state_ != SSL_NONE) {
deadbeef89824f62016-09-30 11:55:43 -0700524 return -1;
525 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000526
Niels Möller0131a4d2021-04-16 09:16:21 +0200527 if (stream_->GetState() != SS_OPEN) {
Taylor Brandstetterc8762a82016-08-11 12:01:49 -0700528 state_ = SSL_WAIT;
529 return 0;
530 }
531
532 state_ = SSL_CONNECTING;
533 if (int err = BeginSSL()) {
deadbeef89824f62016-09-30 11:55:43 -0700534 Error("BeginSSL", err, 0, false);
Taylor Brandstetterc8762a82016-08-11 12:01:49 -0700535 return err;
536 }
537
538 return 0;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000539}
540
541void OpenSSLStreamAdapter::SetMode(SSLMode mode) {
deadbeef89824f62016-09-30 11:55:43 -0700542 RTC_DCHECK(state_ == SSL_NONE);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000543 ssl_mode_ = mode;
544}
545
Joachim Bauch831c5582015-05-20 12:48:41 +0200546void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) {
deadbeef37f5ecf2017-02-27 14:06:41 -0800547 RTC_DCHECK(ssl_ctx_ == nullptr);
Joachim Bauch831c5582015-05-20 12:48:41 +0200548 ssl_max_version_ = version;
549}
550
Yves Gerey665174f2018-06-19 15:03:05 +0200551void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout(int timeout_ms) {
deadbeef37f5ecf2017-02-27 14:06:41 -0800552 RTC_DCHECK(ssl_ctx_ == nullptr);
skvladd0309122017-02-02 17:18:37 -0800553 dtls_handshake_timeout_ms_ = timeout_ms;
554}
555
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000556//
557// StreamInterface Implementation
558//
559
Yves Gerey665174f2018-06-19 15:03:05 +0200560StreamResult OpenSSLStreamAdapter::Write(const void* data,
561 size_t data_len,
562 size_t* written,
563 int* error) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200564 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000565
566 switch (state_) {
Yves Gerey665174f2018-06-19 15:03:05 +0200567 case SSL_NONE:
568 // pass-through in clear text
Niels Möller0131a4d2021-04-16 09:16:21 +0200569 return stream_->Write(data, data_len, written, error);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000570
Yves Gerey665174f2018-06-19 15:03:05 +0200571 case SSL_WAIT:
572 case SSL_CONNECTING:
deadbeef89824f62016-09-30 11:55:43 -0700573 return SR_BLOCK;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000574
Yves Gerey665174f2018-06-19 15:03:05 +0200575 case SSL_CONNECTED:
Benjamin Wright5d355542018-10-26 17:57:00 -0700576 if (WaitingToVerifyPeerCertificate()) {
Yves Gerey665174f2018-06-19 15:03:05 +0200577 return SR_BLOCK;
578 }
579 break;
580
581 case SSL_ERROR:
582 case SSL_CLOSED:
583 default:
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700584 if (error) {
Yves Gerey665174f2018-06-19 15:03:05 +0200585 *error = ssl_error_code_;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700586 }
Yves Gerey665174f2018-06-19 15:03:05 +0200587 return SR_ERROR;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000588 }
589
590 // OpenSSL will return an error if we try to write zero bytes
591 if (data_len == 0) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700592 if (written) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000593 *written = 0;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700594 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000595 return SR_SUCCESS;
596 }
597
598 ssl_write_needs_read_ = false;
599
henrike@webrtc.orgd89b69a2014-11-06 17:23:09 +0000600 int code = SSL_write(ssl_, data, checked_cast<int>(data_len));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000601 int ssl_error = SSL_get_error(ssl_, code);
602 switch (ssl_error) {
Yves Gerey665174f2018-06-19 15:03:05 +0200603 case SSL_ERROR_NONE:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200604 RTC_DLOG(LS_VERBOSE) << " -- success";
Yves Gerey665174f2018-06-19 15:03:05 +0200605 RTC_DCHECK_GT(code, 0);
606 RTC_DCHECK_LE(code, data_len);
607 if (written)
608 *written = code;
609 return SR_SUCCESS;
610 case SSL_ERROR_WANT_READ:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200611 RTC_DLOG(LS_VERBOSE) << " -- error want read";
Yves Gerey665174f2018-06-19 15:03:05 +0200612 ssl_write_needs_read_ = true;
613 return SR_BLOCK;
614 case SSL_ERROR_WANT_WRITE:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200615 RTC_DLOG(LS_VERBOSE) << " -- error want write";
Yves Gerey665174f2018-06-19 15:03:05 +0200616 return SR_BLOCK;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000617
Yves Gerey665174f2018-06-19 15:03:05 +0200618 case SSL_ERROR_ZERO_RETURN:
619 default:
620 Error("SSL_write", (ssl_error ? ssl_error : -1), 0, false);
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700621 if (error) {
Yves Gerey665174f2018-06-19 15:03:05 +0200622 *error = ssl_error_code_;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700623 }
Yves Gerey665174f2018-06-19 15:03:05 +0200624 return SR_ERROR;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000625 }
626 // not reached
627}
628
Yves Gerey665174f2018-06-19 15:03:05 +0200629StreamResult OpenSSLStreamAdapter::Read(void* data,
630 size_t data_len,
631 size_t* read,
632 int* error) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200633 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data_len << ")";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000634 switch (state_) {
635 case SSL_NONE:
636 // pass-through in clear text
Niels Möller0131a4d2021-04-16 09:16:21 +0200637 return stream_->Read(data, data_len, read, error);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000638 case SSL_WAIT:
639 case SSL_CONNECTING:
640 return SR_BLOCK;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000641 case SSL_CONNECTED:
Benjamin Wright5d355542018-10-26 17:57:00 -0700642 if (WaitingToVerifyPeerCertificate()) {
deadbeef89824f62016-09-30 11:55:43 -0700643 return SR_BLOCK;
644 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000645 break;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000646 case SSL_CLOSED:
647 return SR_EOS;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000648 case SSL_ERROR:
649 default:
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700650 if (error) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000651 *error = ssl_error_code_;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700652 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000653 return SR_ERROR;
654 }
655
656 // Don't trust OpenSSL with zero byte reads
657 if (data_len == 0) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700658 if (read) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000659 *read = 0;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700660 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000661 return SR_SUCCESS;
662 }
663
664 ssl_read_needs_write_ = false;
665
Benjamin Wrightf54e30b2019-02-26 17:33:50 -0800666 const int code = SSL_read(ssl_, data, checked_cast<int>(data_len));
667 const int ssl_error = SSL_get_error(ssl_, code);
668
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000669 switch (ssl_error) {
670 case SSL_ERROR_NONE:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200671 RTC_DLOG(LS_VERBOSE) << " -- success";
kwibergee89e782017-08-09 17:22:01 -0700672 RTC_DCHECK_GT(code, 0);
673 RTC_DCHECK_LE(code, data_len);
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700674 if (read) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000675 *read = code;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700676 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000677
678 if (ssl_mode_ == SSL_MODE_DTLS) {
679 // Enforce atomic reads -- this is a short read
680 unsigned int pending = SSL_pending(ssl_);
681
682 if (pending) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200683 RTC_DLOG(LS_INFO) << " -- short DTLS read. flushing";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000684 FlushInput(pending);
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700685 if (error) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000686 *error = SSE_MSG_TRUNC;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700687 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000688 return SR_ERROR;
689 }
690 }
691 return SR_SUCCESS;
692 case SSL_ERROR_WANT_READ:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200693 RTC_DLOG(LS_VERBOSE) << " -- error want read";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000694 return SR_BLOCK;
695 case SSL_ERROR_WANT_WRITE:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200696 RTC_DLOG(LS_VERBOSE) << " -- error want write";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000697 ssl_read_needs_write_ = true;
698 return SR_BLOCK;
699 case SSL_ERROR_ZERO_RETURN:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200700 RTC_DLOG(LS_VERBOSE) << " -- remote side closed";
deadbeef89824f62016-09-30 11:55:43 -0700701 Close();
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000702 return SR_EOS;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000703 default:
deadbeef89824f62016-09-30 11:55:43 -0700704 Error("SSL_read", (ssl_error ? ssl_error : -1), 0, false);
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700705 if (error) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000706 *error = ssl_error_code_;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700707 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000708 return SR_ERROR;
709 }
710 // not reached
711}
712
713void OpenSSLStreamAdapter::FlushInput(unsigned int left) {
714 unsigned char buf[2048];
715
716 while (left) {
717 // This should always succeed
Benjamin Wrightf54e30b2019-02-26 17:33:50 -0800718 const int toread = (sizeof(buf) < left) ? sizeof(buf) : left;
719 const int code = SSL_read(ssl_, buf, toread);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000720
Benjamin Wrightf54e30b2019-02-26 17:33:50 -0800721 const int ssl_error = SSL_get_error(ssl_, code);
deadbeef89824f62016-09-30 11:55:43 -0700722 RTC_DCHECK(ssl_error == SSL_ERROR_NONE);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000723
724 if (ssl_error != SSL_ERROR_NONE) {
Jonas Olssonaddc3802018-02-01 09:53:06 +0100725 RTC_DLOG(LS_VERBOSE) << " -- error " << code;
deadbeef89824f62016-09-30 11:55:43 -0700726 Error("SSL_read", (ssl_error ? ssl_error : -1), 0, false);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000727 return;
728 }
729
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200730 RTC_DLOG(LS_VERBOSE) << " -- flushed " << code << " bytes";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000731 left -= code;
732 }
733}
734
735void OpenSSLStreamAdapter::Close() {
deadbeef89824f62016-09-30 11:55:43 -0700736 Cleanup(0);
737 RTC_DCHECK(state_ == SSL_CLOSED || state_ == SSL_ERROR);
738 // When we're closed at SSL layer, also close the stream level which
739 // performs necessary clean up. Otherwise, a new incoming packet after
740 // this could overflow the stream buffer.
Niels Möller0131a4d2021-04-16 09:16:21 +0200741 stream_->Close();
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000742}
743
744StreamState OpenSSLStreamAdapter::GetState() const {
745 switch (state_) {
746 case SSL_WAIT:
747 case SSL_CONNECTING:
748 return SS_OPENING;
749 case SSL_CONNECTED:
Benjamin Wright5d355542018-10-26 17:57:00 -0700750 if (WaitingToVerifyPeerCertificate()) {
deadbeef89824f62016-09-30 11:55:43 -0700751 return SS_OPENING;
752 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000753 return SS_OPEN;
754 default:
755 return SS_CLOSED;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700756 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000757 // not reached
758}
759
Yves Gerey665174f2018-06-19 15:03:05 +0200760void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream,
761 int events,
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000762 int err) {
763 int events_to_signal = 0;
764 int signal_error = 0;
Niels Möller0131a4d2021-04-16 09:16:21 +0200765 RTC_DCHECK(stream == stream_.get());
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700766
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000767 if ((events & SE_OPEN)) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200768 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent SE_OPEN";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000769 if (state_ != SSL_WAIT) {
deadbeef89824f62016-09-30 11:55:43 -0700770 RTC_DCHECK(state_ == SSL_NONE);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000771 events_to_signal |= SE_OPEN;
772 } else {
773 state_ = SSL_CONNECTING;
774 if (int err = BeginSSL()) {
deadbeef89824f62016-09-30 11:55:43 -0700775 Error("BeginSSL", err, 0, true);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000776 return;
777 }
778 }
779 }
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700780
Yves Gerey665174f2018-06-19 15:03:05 +0200781 if ((events & (SE_READ | SE_WRITE))) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200782 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent"
783 << ((events & SE_READ) ? " SE_READ" : "")
784 << ((events & SE_WRITE) ? " SE_WRITE" : "");
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000785 if (state_ == SSL_NONE) {
Yves Gerey665174f2018-06-19 15:03:05 +0200786 events_to_signal |= events & (SE_READ | SE_WRITE);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000787 } else if (state_ == SSL_CONNECTING) {
788 if (int err = ContinueSSL()) {
deadbeef89824f62016-09-30 11:55:43 -0700789 Error("ContinueSSL", err, 0, true);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000790 return;
791 }
792 } else if (state_ == SSL_CONNECTED) {
793 if (((events & SE_READ) && ssl_write_needs_read_) ||
794 (events & SE_WRITE)) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200795 RTC_DLOG(LS_VERBOSE) << " -- onStreamWriteable";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000796 events_to_signal |= SE_WRITE;
797 }
798 if (((events & SE_WRITE) && ssl_read_needs_write_) ||
799 (events & SE_READ)) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200800 RTC_DLOG(LS_VERBOSE) << " -- onStreamReadable";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000801 events_to_signal |= SE_READ;
802 }
803 }
804 }
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700805
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000806 if ((events & SE_CLOSE)) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200807 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent(SE_CLOSE, " << err
808 << ")";
deadbeef89824f62016-09-30 11:55:43 -0700809 Cleanup(0);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000810 events_to_signal |= SE_CLOSE;
811 // SE_CLOSE is the only event that uses the final parameter to OnEvent().
deadbeef89824f62016-09-30 11:55:43 -0700812 RTC_DCHECK(signal_error == 0);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000813 signal_error = err;
814 }
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700815
816 if (events_to_signal) {
Niels Möller0131a4d2021-04-16 09:16:21 +0200817 // Note that the adapter presents itself as the origin of the stream events,
818 // since users of the adapter may not recognize the adapted object.
819 SignalEvent(this, events_to_signal, signal_error);
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700820 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000821}
822
Tommi04482982020-10-05 12:43:53 +0000823void OpenSSLStreamAdapter::PostEvent(int events, int err) {
Danil Chapovalov5286dcf2022-07-18 17:04:56 +0200824 owner_->PostTask(SafeTask(task_safety_.flag(), [this, events, err]() {
825 SignalEvent(this, events, err);
826 }));
Tommi04482982020-10-05 12:43:53 +0000827}
828
829void OpenSSLStreamAdapter::SetTimeout(int delay_ms) {
830 // We need to accept 0 delay here as well as >0 delay, because
831 // DTLSv1_get_timeout seems to frequently return 0 ms.
832 RTC_DCHECK_GE(delay_ms, 0);
833 RTC_DCHECK(!timeout_task_.Running());
834
835 timeout_task_ = webrtc::RepeatingTaskHandle::DelayedStart(
836 owner_, webrtc::TimeDelta::Millis(delay_ms),
837 [flag = task_safety_.flag(), this]() {
838 if (flag->alive()) {
839 RTC_DLOG(LS_INFO) << "DTLS timeout expired";
840 timeout_task_.Stop();
Jonas Oreland808f4942021-06-16 13:42:20 +0200841 int res = DTLSv1_handle_timeout(ssl_);
842 if (res > 0) {
843 RTC_LOG(LS_INFO) << "DTLS retransmission";
844 } else if (res < 0) {
845 RTC_LOG(LS_INFO) << "DTLSv1_handle_timeout() return -1";
Philipp Hancke9c83d9d2022-04-28 19:01:28 +0200846 Error("DTLSv1_handle_timeout", res, -1, true);
847 return webrtc::TimeDelta::PlusInfinity();
Jonas Oreland808f4942021-06-16 13:42:20 +0200848 }
Tommi04482982020-10-05 12:43:53 +0000849 ContinueSSL();
850 } else {
Artem Titovd3251962021-11-15 16:57:07 +0100851 RTC_DCHECK_NOTREACHED();
Tommi04482982020-10-05 12:43:53 +0000852 }
853 // This callback will never run again (stopped above).
854 return webrtc::TimeDelta::PlusInfinity();
855 });
856}
857
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000858int OpenSSLStreamAdapter::BeginSSL() {
deadbeef89824f62016-09-30 11:55:43 -0700859 RTC_DCHECK(state_ == SSL_CONNECTING);
Taylor Brandstetterc8762a82016-08-11 12:01:49 -0700860 // The underlying stream has opened.
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200861 RTC_DLOG(LS_INFO) << "BeginSSL with peer.";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000862
deadbeef37f5ecf2017-02-27 14:06:41 -0800863 BIO* bio = nullptr;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000864
Taylor Brandstetterc8762a82016-08-11 12:01:49 -0700865 // First set up the context.
deadbeef37f5ecf2017-02-27 14:06:41 -0800866 RTC_DCHECK(ssl_ctx_ == nullptr);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000867 ssl_ctx_ = SetupSSLContext();
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700868 if (!ssl_ctx_) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000869 return -1;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700870 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000871
Niels Möller0131a4d2021-04-16 09:16:21 +0200872 bio = BIO_new_stream(stream_.get());
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700873 if (!bio) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000874 return -1;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700875 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000876
877 ssl_ = SSL_new(ssl_ctx_);
878 if (!ssl_) {
879 BIO_free(bio);
880 return -1;
881 }
882
883 SSL_set_app_data(ssl_, this);
884
885 SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now.
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100886 if (ssl_mode_ == SSL_MODE_DTLS) {
Taylor Brandstetter4f0dfbd2016-06-15 17:15:23 -0700887#ifdef OPENSSL_IS_BORINGSSL
skvladd0309122017-02-02 17:18:37 -0800888 DTLSv1_set_initial_timeout_duration(ssl_, dtls_handshake_timeout_ms_);
Taylor Brandstetter4f0dfbd2016-06-15 17:15:23 -0700889#else
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +0100890 // Enable read-ahead for DTLS so whole packets are read from internal BIO
891 // before parsing. This is done internally by BoringSSL for DTLS.
892 SSL_set_read_ahead(ssl_, 1);
philipel49c08692016-05-24 01:49:43 -0700893#endif
Taylor Brandstetter4f0dfbd2016-06-15 17:15:23 -0700894 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000895
896 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
Yves Gerey665174f2018-06-19 15:03:05 +0200897 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000898
899 // Do the connect
900 return ContinueSSL();
901}
902
903int OpenSSLStreamAdapter::ContinueSSL() {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200904 RTC_DLOG(LS_VERBOSE) << "ContinueSSL";
deadbeef89824f62016-09-30 11:55:43 -0700905 RTC_DCHECK(state_ == SSL_CONNECTING);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000906
907 // Clear the DTLS timer
Tommi04482982020-10-05 12:43:53 +0000908 timeout_task_.Stop();
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000909
Benjamin Wrightf54e30b2019-02-26 17:33:50 -0800910 const int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
911 const int ssl_error = SSL_get_error(ssl_, code);
912
913 switch (ssl_error) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000914 case SSL_ERROR_NONE:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200915 RTC_DLOG(LS_VERBOSE) << " -- success";
deadbeef89824f62016-09-30 11:55:43 -0700916 // By this point, OpenSSL should have given us a certificate, or errored
917 // out if one was missing.
Benjamin Wrightb19b4972018-10-25 10:46:49 -0700918 RTC_DCHECK(peer_cert_chain_ || !GetClientAuthEnabled());
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000919
920 state_ = SSL_CONNECTED;
Benjamin Wright5d355542018-10-26 17:57:00 -0700921 if (!WaitingToVerifyPeerCertificate()) {
deadbeef89824f62016-09-30 11:55:43 -0700922 // We have everything we need to start the connection, so signal
923 // SE_OPEN. If we need a client certificate fingerprint and don't have
924 // it yet, we'll instead signal SE_OPEN in SetPeerCertificateDigest.
925 //
Taylor Brandstetterfe69a742016-09-30 17:34:32 -0700926 // TODO(deadbeef): Post this event asynchronously to unwind the stack.
927 // The caller of ContinueSSL may be the same object listening for these
928 // events and may not be prepared for reentrancy.
929 // PostEvent(SE_OPEN | SE_READ | SE_WRITE, 0);
Niels Möller0131a4d2021-04-16 09:16:21 +0200930 SignalEvent(this, SE_OPEN | SE_READ | SE_WRITE, 0);
deadbeef89824f62016-09-30 11:55:43 -0700931 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000932 break;
933
934 case SSL_ERROR_WANT_READ: {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200935 RTC_DLOG(LS_VERBOSE) << " -- error want read";
Mirko Bonadei675513b2017-11-09 11:09:25 +0100936 struct timeval timeout;
937 if (DTLSv1_get_timeout(ssl_, &timeout)) {
938 int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
Tommi04482982020-10-05 12:43:53 +0000939 SetTimeout(delay);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000940 }
Yves Gerey665174f2018-06-19 15:03:05 +0200941 } break;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000942
943 case SSL_ERROR_WANT_WRITE:
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200944 RTC_DLOG(LS_VERBOSE) << " -- error want write";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000945 break;
946
947 case SSL_ERROR_ZERO_RETURN:
948 default:
zhihuangd82eee02016-08-26 11:25:05 -0700949 SSLHandshakeError ssl_handshake_err = SSLHandshakeError::UNKNOWN;
950 int err_code = ERR_peek_last_error();
951 if (err_code != 0 && ERR_GET_REASON(err_code) == SSL_R_NO_SHARED_CIPHER) {
952 ssl_handshake_err = SSLHandshakeError::INCOMPATIBLE_CIPHERSUITE;
953 }
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200954 RTC_DLOG(LS_VERBOSE) << " -- error " << code << ", " << err_code << ", "
955 << ERR_GET_REASON(err_code);
Sam Zackrissonb298f742020-10-06 11:40:30 +0000956 SignalSSLHandshakeError(ssl_handshake_err);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000957 return (ssl_error != 0) ? ssl_error : -1;
958 }
959
960 return 0;
961}
962
Ali Tofigh2ab914c2022-04-13 12:55:15 +0200963void OpenSSLStreamAdapter::Error(absl::string_view context,
deadbeef89824f62016-09-30 11:55:43 -0700964 int err,
965 uint8_t alert,
966 bool signal) {
Mirko Bonadei675513b2017-11-09 11:09:25 +0100967 RTC_LOG(LS_WARNING) << "OpenSSLStreamAdapter::Error(" << context << ", "
968 << err << ", " << static_cast<int>(alert) << ")";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000969 state_ = SSL_ERROR;
970 ssl_error_code_ = err;
deadbeef89824f62016-09-30 11:55:43 -0700971 Cleanup(alert);
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700972 if (signal) {
Niels Möller0131a4d2021-04-16 09:16:21 +0200973 SignalEvent(this, SE_CLOSE, err);
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -0700974 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000975}
976
deadbeef89824f62016-09-30 11:55:43 -0700977void OpenSSLStreamAdapter::Cleanup(uint8_t alert) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +0200978 RTC_DLOG(LS_INFO) << "Cleanup";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000979
980 if (state_ != SSL_ERROR) {
981 state_ = SSL_CLOSED;
982 ssl_error_code_ = 0;
983 }
984
985 if (ssl_) {
deadbeef89824f62016-09-30 11:55:43 -0700986 int ret;
987// SSL_send_fatal_alert is only available in BoringSSL.
988#ifdef OPENSSL_IS_BORINGSSL
989 if (alert) {
990 ret = SSL_send_fatal_alert(ssl_, alert);
991 if (ret < 0) {
Mirko Bonadei675513b2017-11-09 11:09:25 +0100992 RTC_LOG(LS_WARNING) << "SSL_send_fatal_alert failed, error = "
993 << SSL_get_error(ssl_, ret);
deadbeef89824f62016-09-30 11:55:43 -0700994 }
995 } else {
996#endif
997 ret = SSL_shutdown(ssl_);
998 if (ret < 0) {
Mirko Bonadei675513b2017-11-09 11:09:25 +0100999 RTC_LOG(LS_WARNING)
1000 << "SSL_shutdown failed, error = " << SSL_get_error(ssl_, ret);
deadbeef89824f62016-09-30 11:55:43 -07001001 }
1002#ifdef OPENSSL_IS_BORINGSSL
jiayl@webrtc.orgf1d751c2014-09-25 16:38:46 +00001003 }
deadbeef89824f62016-09-30 11:55:43 -07001004#endif
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001005 SSL_free(ssl_);
deadbeef37f5ecf2017-02-27 14:06:41 -08001006 ssl_ = nullptr;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001007 }
1008 if (ssl_ctx_) {
1009 SSL_CTX_free(ssl_ctx_);
deadbeef37f5ecf2017-02-27 14:06:41 -08001010 ssl_ctx_ = nullptr;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001011 }
1012 identity_.reset();
Taylor Brandstetterc3928662018-02-23 13:04:51 -08001013 peer_cert_chain_.reset();
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001014
1015 // Clear the DTLS timer
Tommi04482982020-10-05 12:43:53 +00001016 timeout_task_.Stop();
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001017}
1018
1019SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
Taylor Brandstetter165c6182020-12-10 16:23:03 -08001020#ifdef OPENSSL_IS_BORINGSSL
1021 // If X509 objects aren't used, we can use these methods to avoid
1022 // linking the sizable crypto/x509 code, using CRYPTO_BUFFER instead.
1023 SSL_CTX* ctx =
1024 SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_with_buffers_method()
1025 : TLS_with_buffers_method());
1026#else
David Benjamin170a4b32019-01-30 09:46:16 -06001027 SSL_CTX* ctx =
1028 SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
Taylor Brandstetter165c6182020-12-10 16:23:03 -08001029#endif
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001030 if (ctx == nullptr) {
deadbeef37f5ecf2017-02-27 14:06:41 -08001031 return nullptr;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001032 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001033
Harald Alvestrand13799132020-03-09 19:39:36 +01001034 if (support_legacy_tls_protocols_flag_) {
1035 // TODO(https://bugs.webrtc.org/10261): Completely remove this branch in
1036 // M84.
1037 SSL_CTX_set_min_proto_version(
1038 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
1039 switch (ssl_max_version_) {
1040 case SSL_PROTOCOL_TLS_10:
1041 SSL_CTX_set_max_proto_version(
1042 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
1043 break;
1044 case SSL_PROTOCOL_TLS_11:
1045 SSL_CTX_set_max_proto_version(
1046 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_1_VERSION);
1047 break;
1048 case SSL_PROTOCOL_TLS_12:
1049 default:
1050 SSL_CTX_set_max_proto_version(
1051 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
1052 break;
1053 }
1054 } else {
1055 // TODO(https://bugs.webrtc.org/10261): Make this the default in M84.
1056 SSL_CTX_set_min_proto_version(
1057 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
1058 SSL_CTX_set_max_proto_version(
1059 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
Joachim Bauch831c5582015-05-20 12:48:41 +02001060 }
Harald Alvestrand13799132020-03-09 19:39:36 +01001061
David Benjamin170a4b32019-01-30 09:46:16 -06001062#ifdef OPENSSL_IS_BORINGSSL
1063 // SSL_CTX_set_current_time_cb is only supported in BoringSSL.
deadbeef6cf94a02016-11-28 17:38:34 -08001064 if (g_use_time_callback_for_testing) {
1065 SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting);
1066 }
Taylor Brandstetter165c6182020-12-10 16:23:03 -08001067 SSL_CTX_set0_buffer_pool(ctx, openssl::GetBufferPool());
Torbjorn Granlund9adc91d2016-03-24 14:05:06 +01001068#endif
Joachim Bauch831c5582015-05-20 12:48:41 +02001069
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001070 if (identity_ && !identity_->ConfigureIdentity(ctx)) {
1071 SSL_CTX_free(ctx);
deadbeef37f5ecf2017-02-27 14:06:41 -08001072 return nullptr;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001073 }
1074
tfarinaa41ab932015-10-30 16:08:48 -07001075#if !defined(NDEBUG)
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001076 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback);
1077#endif
1078
tkchin@webrtc.orgc569a492014-09-23 05:56:44 +00001079 int mode = SSL_VERIFY_PEER;
Benjamin Wrightb19b4972018-10-25 10:46:49 -07001080 if (GetClientAuthEnabled()) {
tkchin@webrtc.orgc569a492014-09-23 05:56:44 +00001081 // Require a certificate from the client.
1082 // Note: Normally this is always true in production, but it may be disabled
1083 // for testing purposes (e.g. SSLAdapter unit tests).
1084 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1085 }
1086
David Benjamindc246562017-09-29 12:14:08 -04001087 // Configure a custom certificate verification callback to check the peer
Taylor Brandstetter165c6182020-12-10 16:23:03 -08001088 // certificate digest.
1089#ifdef OPENSSL_IS_BORINGSSL
1090 // Use CRYPTO_BUFFER version of the callback if building with BoringSSL.
1091 SSL_CTX_set_custom_verify(ctx, mode, SSLVerifyCallback);
1092#else
1093 // Note the second argument to SSL_CTX_set_verify is to override individual
1094 // errors in the default verification logic, which is not what we want here.
David Benjamindc246562017-09-29 12:14:08 -04001095 SSL_CTX_set_verify(ctx, mode, nullptr);
1096 SSL_CTX_set_cert_verify_callback(ctx, SSLVerifyCallback, nullptr);
Taylor Brandstetter165c6182020-12-10 16:23:03 -08001097#endif
David Benjamindc246562017-09-29 12:14:08 -04001098
Joachim Bauch831c5582015-05-20 12:48:41 +02001099 // Select list of available ciphers. Note that !SHA256 and !SHA384 only
1100 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites
1101 // with SHA256 or SHA384 as the handshake hash.
David Benjamin7a46cc52021-08-17 16:56:20 -04001102 // This matches the list of SSLClientSocketImpl in Chromium.
deadbeef37f5ecf2017-02-27 14:06:41 -08001103 SSL_CTX_set_cipher_list(
David Benjamin7a46cc52021-08-17 16:56:20 -04001104 ctx,
1105 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK:!3DES");
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001106
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001107 if (!srtp_ciphers_.empty()) {
1108 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) {
1109 SSL_CTX_free(ctx);
deadbeef37f5ecf2017-02-27 14:06:41 -08001110 return nullptr;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001111 }
1112 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001113
1114 return ctx;
1115}
1116
deadbeef89824f62016-09-30 11:55:43 -07001117bool OpenSSLStreamAdapter::VerifyPeerCertificate() {
Benjamin Wright5d355542018-10-26 17:57:00 -07001118 if (!HasPeerCertificateDigest() || !peer_cert_chain_ ||
Taylor Brandstetterc3928662018-02-23 13:04:51 -08001119 !peer_cert_chain_->GetSize()) {
Mirko Bonadei675513b2017-11-09 11:09:25 +01001120 RTC_LOG(LS_WARNING) << "Missing digest or peer certificate.";
deadbeef89824f62016-09-30 11:55:43 -07001121 return false;
1122 }
deadbeef81f6f4f2016-09-19 17:20:52 -07001123
deadbeef89824f62016-09-30 11:55:43 -07001124 unsigned char digest[EVP_MAX_MD_SIZE];
1125 size_t digest_length;
Taylor Brandstetter165c6182020-12-10 16:23:03 -08001126 if (!peer_cert_chain_->Get(0).ComputeDigest(
1127 peer_certificate_digest_algorithm_, digest, sizeof(digest),
1128 &digest_length)) {
Mirko Bonadei675513b2017-11-09 11:09:25 +01001129 RTC_LOG(LS_WARNING) << "Failed to compute peer cert digest.";
deadbeef89824f62016-09-30 11:55:43 -07001130 return false;
1131 }
1132
1133 Buffer computed_digest(digest, digest_length);
1134 if (computed_digest != peer_certificate_digest_value_) {
Mirko Bonadei675513b2017-11-09 11:09:25 +01001135 RTC_LOG(LS_WARNING)
Philipp Hancke117e6922022-06-17 14:14:55 +02001136 << "Rejected peer certificate due to mismatched digest using "
1137 << peer_certificate_digest_algorithm_ << ". Expected "
1138 << rtc::hex_encode_with_delimiter(peer_certificate_digest_value_, ':')
1139 << " got " << rtc::hex_encode_with_delimiter(computed_digest, ':');
jbauchf8f457b2017-03-09 16:24:57 -08001140 return false;
deadbeef81f6f4f2016-09-19 17:20:52 -07001141 }
deadbeef89824f62016-09-30 11:55:43 -07001142 // Ignore any verification error if the digest matches, since there is no
1143 // value in checking the validity of a self-signed cert issued by untrusted
1144 // sources.
Tomas Gunnarssond48ff452020-10-02 18:28:46 +02001145 RTC_DLOG(LS_INFO) << "Accepted peer certificate.";
deadbeef89824f62016-09-30 11:55:43 -07001146 peer_certificate_verified_ = true;
1147 return true;
1148}
1149
Jian Cui0a8798b2017-11-16 16:58:02 -08001150std::unique_ptr<SSLCertChain> OpenSSLStreamAdapter::GetPeerSSLCertChain()
1151 const {
Steve Antonf25303e2018-10-16 15:23:31 -07001152 return peer_cert_chain_ ? peer_cert_chain_->Clone() : nullptr;
Jian Cui0a8798b2017-11-16 16:58:02 -08001153}
1154
Taylor Brandstetter165c6182020-12-10 16:23:03 -08001155#ifdef OPENSSL_IS_BORINGSSL
1156enum ssl_verify_result_t OpenSSLStreamAdapter::SSLVerifyCallback(
1157 SSL* ssl,
1158 uint8_t* out_alert) {
1159 // Get our OpenSSLStreamAdapter from the context.
1160 OpenSSLStreamAdapter* stream =
1161 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
1162 const STACK_OF(CRYPTO_BUFFER)* chain = SSL_get0_peer_certificates(ssl);
1163 // Creates certificate chain.
1164 std::vector<std::unique_ptr<SSLCertificate>> cert_chain;
1165 for (CRYPTO_BUFFER* cert : chain) {
1166 cert_chain.emplace_back(new BoringSSLCertificate(bssl::UpRef(cert)));
1167 }
1168 stream->peer_cert_chain_.reset(new SSLCertChain(std::move(cert_chain)));
1169
1170 // If the peer certificate digest isn't known yet, we'll wait to verify
1171 // until it's known, and for now just return a success status.
1172 if (stream->peer_certificate_digest_algorithm_.empty()) {
1173 RTC_LOG(LS_INFO) << "Waiting to verify certificate until digest is known.";
1174 // TODO(deadbeef): Use ssl_verify_retry?
1175 return ssl_verify_ok;
1176 }
1177
1178 if (!stream->VerifyPeerCertificate()) {
1179 return ssl_verify_invalid;
1180 }
1181
1182 return ssl_verify_ok;
1183}
1184#else // OPENSSL_IS_BORINGSSL
David Benjamindc246562017-09-29 12:14:08 -04001185int OpenSSLStreamAdapter::SSLVerifyCallback(X509_STORE_CTX* store, void* arg) {
1186 // Get our SSL structure and OpenSSLStreamAdapter from the store.
deadbeef89824f62016-09-30 11:55:43 -07001187 SSL* ssl = reinterpret_cast<SSL*>(
1188 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
deadbeef89824f62016-09-30 11:55:43 -07001189 OpenSSLStreamAdapter* stream =
1190 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
henrike@webrtc.org4e5f65a2014-06-05 20:40:11 +00001191
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001192 // Record the peer's certificate.
Jiawei Ou9d4e8402018-05-23 15:44:20 -07001193 X509* cert = X509_STORE_CTX_get0_cert(store);
Taylor Brandstetterc3928662018-02-23 13:04:51 -08001194 stream->peer_cert_chain_.reset(
Mirko Bonadei317a1f02019-09-17 17:06:18 +02001195 new SSLCertChain(std::make_unique<OpenSSLCertificate>(cert)));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001196
deadbeef89824f62016-09-30 11:55:43 -07001197 // If the peer certificate digest isn't known yet, we'll wait to verify
1198 // until it's known, and for now just return a success status.
1199 if (stream->peer_certificate_digest_algorithm_.empty()) {
Tomas Gunnarssond48ff452020-10-02 18:28:46 +02001200 RTC_DLOG(LS_INFO) << "Waiting to verify certificate until digest is known.";
deadbeef89824f62016-09-30 11:55:43 -07001201 return 1;
1202 }
1203
David Benjamindc246562017-09-29 12:14:08 -04001204 if (!stream->VerifyPeerCertificate()) {
1205 X509_STORE_CTX_set_error(store, X509_V_ERR_CERT_REJECTED);
1206 return 0;
1207 }
1208
1209 return 1;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001210}
Taylor Brandstetter165c6182020-12-10 16:23:03 -08001211#endif // !OPENSSL_IS_BORINGSSL
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001212
Taylor Brandstetter4f0dfbd2016-06-15 17:15:23 -07001213bool OpenSSLStreamAdapter::IsBoringSsl() {
1214#ifdef OPENSSL_IS_BORINGSSL
1215 return true;
1216#else
1217 return false;
1218#endif
1219}
1220
torbjorng43166b82016-03-11 00:06:47 -08001221#define CDEF(X) \
1222 { static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X }
1223
1224struct cipher_list {
1225 uint16_t cipher;
1226 const char* cipher_str;
1227};
1228
1229// TODO(torbjorng): Perhaps add more cipher suites to these lists.
1230static const cipher_list OK_RSA_ciphers[] = {
Yves Gerey665174f2018-06-19 15:03:05 +02001231 CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA),
1232 CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA),
1233 CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
torbjorng43166b82016-03-11 00:06:47 -08001234#ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256
Yves Gerey665174f2018-06-19 15:03:05 +02001235 CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256),
torbjorng43166b82016-03-11 00:06:47 -08001236#endif
torbjorngaad67802016-04-07 08:55:28 -07001237#ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Yves Gerey665174f2018-06-19 15:03:05 +02001238 CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
torbjorngaad67802016-04-07 08:55:28 -07001239#endif
torbjorng43166b82016-03-11 00:06:47 -08001240};
1241
1242static const cipher_list OK_ECDSA_ciphers[] = {
Yves Gerey665174f2018-06-19 15:03:05 +02001243 CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
1244 CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
1245 CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
torbjorng43166b82016-03-11 00:06:47 -08001246#ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
Yves Gerey665174f2018-06-19 15:03:05 +02001247 CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256),
torbjorng43166b82016-03-11 00:06:47 -08001248#endif
torbjorngaad67802016-04-07 08:55:28 -07001249#ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Yves Gerey665174f2018-06-19 15:03:05 +02001250 CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
torbjorngaad67802016-04-07 08:55:28 -07001251#endif
torbjorng43166b82016-03-11 00:06:47 -08001252};
1253#undef CDEF
1254
1255bool OpenSSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) {
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +02001256 if (key_type == KT_RSA) {
torbjorng43166b82016-03-11 00:06:47 -08001257 for (const cipher_list& c : OK_RSA_ciphers) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001258 if (cipher == c.cipher) {
torbjorng43166b82016-03-11 00:06:47 -08001259 return true;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001260 }
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +02001261 }
Joachim Bauch831c5582015-05-20 12:48:41 +02001262 }
torbjorng43166b82016-03-11 00:06:47 -08001263
1264 if (key_type == KT_ECDSA) {
1265 for (const cipher_list& c : OK_ECDSA_ciphers) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001266 if (cipher == c.cipher) {
torbjorng43166b82016-03-11 00:06:47 -08001267 return true;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001268 }
torbjorng43166b82016-03-11 00:06:47 -08001269 }
1270 }
1271
1272 return false;
1273}
1274
Ali Tofigh7fa90572022-03-17 15:47:49 +01001275bool OpenSSLStreamAdapter::IsAcceptableCipher(absl::string_view cipher,
torbjorng43166b82016-03-11 00:06:47 -08001276 KeyType key_type) {
1277 if (key_type == KT_RSA) {
1278 for (const cipher_list& c : OK_RSA_ciphers) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001279 if (cipher == c.cipher_str) {
torbjorng43166b82016-03-11 00:06:47 -08001280 return true;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001281 }
torbjorng43166b82016-03-11 00:06:47 -08001282 }
1283 }
1284
1285 if (key_type == KT_ECDSA) {
1286 for (const cipher_list& c : OK_ECDSA_ciphers) {
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001287 if (cipher == c.cipher_str) {
torbjorng43166b82016-03-11 00:06:47 -08001288 return true;
Benjamin Wrightd4d5f8a2018-10-15 11:19:39 -07001289 }
torbjorng43166b82016-03-11 00:06:47 -08001290 }
1291 }
1292
1293 return false;
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +00001294}
1295
Benjamin Wrightb19b4972018-10-25 10:46:49 -07001296void OpenSSLStreamAdapter::EnableTimeCallbackForTesting() {
Joachim Reiersen637bed52019-04-25 10:41:35 -07001297#ifdef OPENSSL_IS_BORINGSSL
deadbeef6cf94a02016-11-28 17:38:34 -08001298 g_use_time_callback_for_testing = true;
Joachim Reiersen637bed52019-04-25 10:41:35 -07001299#endif
deadbeef6cf94a02016-11-28 17:38:34 -08001300}
1301
henrike@webrtc.orgf0488722014-05-13 18:00:26 +00001302} // namespace rtc