Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / fd350d74ee059e3a14efb99610b5e83853fca48b / . / rtc_base / openssladapter.h
blob: fbbd88c981546bb7186d13e6b8540a5bbc93a331 [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]1/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]11#ifndef RTC_BASE_OPENSSLADAPTER_H_
12#define RTC_BASE_OPENSSLADAPTER_H_
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]13
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]14#include <map>
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]15#include <string>
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]16#include "rtc_base/buffer.h"
17#include "rtc_base/messagehandler.h"
18#include "rtc_base/messagequeue.h"
19#include "rtc_base/opensslidentity.h"
20#include "rtc_base/ssladapter.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]21
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]22typedef struct ssl_st SSL;
23typedef struct ssl_ctx_st SSL_CTX;
24typedef struct x509_store_ctx_st X509_STORE_CTX;
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]25typedef struct ssl_session_st SSL_SESSION;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]26
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]27namespace rtc {
28
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]29class OpenSSLAdapterFactory;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]30
31class OpenSSLAdapter : public SSLAdapter, public MessageHandler {
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]32 public:
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]33 static bool InitializeSSL(VerificationCallback callback);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]34 static bool CleanupSSL();
35
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]36 explicit OpenSSLAdapter(AsyncSocket* socket,
37 OpenSSLAdapterFactory* factory = nullptr);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]38 ~OpenSSLAdapter() override;
39
Diogo Real1dca9d52017-08-29 12:18:32 -0700[diff] [blame]40 void SetIgnoreBadCert(bool ignore) override;
41 void SetAlpnProtocols(const std::vector<std::string>& protos) override;
Diogo Real7bd1f1b2017-09-08 12:50:41 -0700[diff] [blame]42 void SetEllipticCurves(const std::vector<std::string>& curves) override;
Diogo Real1dca9d52017-08-29 12:18:32 -0700[diff] [blame]43
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]44 void SetMode(SSLMode mode) override;
Steve Anton786de702017-08-17 15:15:46 -0700[diff] [blame]45 void SetIdentity(SSLIdentity* identity) override;
46 void SetRole(SSLRole role) override;
47 AsyncSocket* Accept(SocketAddress* paddr) override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]48 int StartSSL(const char* hostname, bool restartable) override;
49 int Send(const void* pv, size_t cb) override;
50 int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override;
51 int Recv(void* pv, size_t cb, int64_t* timestamp) override;
52 int RecvFrom(void* pv,
53 size_t cb,
54 SocketAddress* paddr,
55 int64_t* timestamp) override;
56 int Close() override;
57
58 // Note that the socket returns ST_CONNECTING while SSL is being negotiated.
59 ConnState GetState() const override;
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]60 bool IsResumedSession() override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]61
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]62 // Creates a new SSL_CTX object, configured for client-to-server usage
63 // with SSLMode |mode|, and if |enable_cache| is true, with support for
64 // storing successful sessions so that they can be later resumed.
65 // OpenSSLAdapterFactory will call this method to create its own internal
66 // SSL_CTX, and OpenSSLAdapter will also call this when used without a
67 // factory.
68 static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]69
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]70 protected:
71 void OnConnectEvent(AsyncSocket* socket) override;
72 void OnReadEvent(AsyncSocket* socket) override;
73 void OnWriteEvent(AsyncSocket* socket) override;
74 void OnCloseEvent(AsyncSocket* socket, int err) override;
75
76 private:
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]77 enum SSLState {
78 SSL_NONE, SSL_WAIT, SSL_CONNECTING, SSL_CONNECTED, SSL_ERROR
79 };
80
81 enum { MSG_TIMEOUT };
82
83 int BeginSSL();
84 int ContinueSSL();
85 void Error(const char* context, int err, bool signal = true);
86 void Cleanup();
87
88 // Return value and arguments have the same meanings as for Send; |error| is
89 // an output parameter filled with the result of SSL_get_error.
90 int DoSslWrite(const void* pv, size_t cb, int* error);
91
92 void OnMessage(Message* msg) override;
93
Benjamin Wright9201d1a2018-04-05 12:12:26 -0700[diff] [blame]94 bool SSLPostConnectionCheck(SSL* ssl, const std::string& host);
95
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]96#if !defined(NDEBUG)
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]97 // In debug builds, logs info about the state of the SSL connection.
98 static void SSLInfoCallback(const SSL* ssl, int where, int ret);
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]99#endif
100 static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
101 static VerificationCallback custom_verify_callback_;
102 friend class OpenSSLStreamAdapter; // for custom_verify_callback_;
103
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]104 // If the SSL_CTX was created with |enable_cache| set to true, this callback
105 // will be called when a SSL session has been successfully established,
106 // to allow its SSL_SESSION* to be cached for later resumption.
107 static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session);
108
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]109 static bool ConfigureTrustedRootCertificates(SSL_CTX* ctx);
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]110
111 // Parent object that maintains shared state.
112 // Can be null if state sharing is not needed.
113 OpenSSLAdapterFactory* factory_;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]114
115 SSLState state_;
Steve Anton786de702017-08-17 15:15:46 -0700[diff] [blame]116 std::unique_ptr<OpenSSLIdentity> identity_;
117 SSLRole role_;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]118 bool ssl_read_needs_write_;
119 bool ssl_write_needs_read_;
120 // If true, socket will retain SSL configuration after Close.
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]121 // TODO(juberti): Remove this unused flag.
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]122 bool restartable_;
123
124 // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which
125 // means we need to keep retrying with *the same exact data* until it
126 // succeeds. Afterwards it will be cleared.
127 Buffer pending_data_;
128
129 SSL* ssl_;
130 SSL_CTX* ssl_ctx_;
131 std::string ssl_host_name_;
132 // Do DTLS or not
133 SSLMode ssl_mode_;
Diogo Real1dca9d52017-08-29 12:18:32 -0700[diff] [blame]134 // If true, the server certificate need not match the configured hostname.
135 bool ignore_bad_cert_;
136 // List of protocols to be used in the TLS ALPN extension.
137 std::vector<std::string> alpn_protocols_;
Diogo Real7bd1f1b2017-09-08 12:50:41 -0700[diff] [blame]138 // List of elliptic curves to be used in the TLS elliptic curves extension.
139 std::vector<std::string> elliptic_curves_;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]140
141 bool custom_verification_succeeded_;
142};
143
Diogo Real1dca9d52017-08-29 12:18:32 -0700[diff] [blame]144std::string TransformAlpnProtocols(const std::vector<std::string>& protos);
145
146/////////////////////////////////////////////////////////////////////////////
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]147class OpenSSLAdapterFactory : public SSLAdapterFactory {
148 public:
149 OpenSSLAdapterFactory();
150 ~OpenSSLAdapterFactory() override;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]151
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]152 void SetMode(SSLMode mode) override;
153 OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override;
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]154 static OpenSSLAdapterFactory* Create();
Henrik Kjellanderc0362762017-06-29 08:03:04 +0200[diff] [blame]155
Justin Uberti1d445502017-08-14 17:04:34 -0700[diff] [blame]156 private:
157 SSL_CTX* ssl_ctx() { return ssl_ctx_; }
158 // Looks up a session by hostname. The returned SSL_SESSION is not up_refed.
159 SSL_SESSION* LookupSession(const std::string& hostname);
160 // Adds a session to the cache, and up_refs it. Any existing session with the
161 // same hostname is replaced.
162 void AddSession(const std::string& hostname, SSL_SESSION* session);
163 friend class OpenSSLAdapter;
164
165 SSLMode ssl_mode_;
166 // Holds the shared SSL_CTX for all created adapters.
167 SSL_CTX* ssl_ctx_;
168 // Map of hostnames to SSL_SESSIONs; holds references to the SSL_SESSIONs,
169 // which are cleaned up when the factory is destroyed.
170 // TODO(juberti): Add LRU eviction to keep the cache from growing forever.
171 std::map<std::string, SSL_SESSION*> sessions_;
172};
173
174} // namespace rtc
175
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]176#endif // RTC_BASE_OPENSSLADAPTER_H_