1*d9f75844SAndroid Build Coastguard Worker /* 2*d9f75844SAndroid Build Coastguard Worker * Copyright 2004 The WebRTC Project Authors. All rights reserved. 3*d9f75844SAndroid Build Coastguard Worker * 4*d9f75844SAndroid Build Coastguard Worker * Use of this source code is governed by a BSD-style license 5*d9f75844SAndroid Build Coastguard Worker * that can be found in the LICENSE file in the root of the source 6*d9f75844SAndroid Build Coastguard Worker * tree. An additional intellectual property rights grant can be found 7*d9f75844SAndroid Build Coastguard Worker * in the file PATENTS. All contributing project authors may 8*d9f75844SAndroid Build Coastguard Worker * be found in the AUTHORS file in the root of the source tree. 9*d9f75844SAndroid Build Coastguard Worker */ 10*d9f75844SAndroid Build Coastguard Worker 11*d9f75844SAndroid Build Coastguard Worker #ifndef RTC_BASE_OPENSSL_ADAPTER_H_ 12*d9f75844SAndroid Build Coastguard Worker #define RTC_BASE_OPENSSL_ADAPTER_H_ 13*d9f75844SAndroid Build Coastguard Worker 14*d9f75844SAndroid Build Coastguard Worker #include <openssl/ossl_typ.h> 15*d9f75844SAndroid Build Coastguard Worker #include <stddef.h> 16*d9f75844SAndroid Build Coastguard Worker #include <stdint.h> 17*d9f75844SAndroid Build Coastguard Worker 18*d9f75844SAndroid Build Coastguard Worker #include <memory> 19*d9f75844SAndroid Build Coastguard Worker #include <string> 20*d9f75844SAndroid Build Coastguard Worker #include <vector> 21*d9f75844SAndroid Build Coastguard Worker 22*d9f75844SAndroid Build Coastguard Worker #include "absl/strings/string_view.h" 23*d9f75844SAndroid Build Coastguard Worker #include "api/task_queue/pending_task_safety_flag.h" 24*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/buffer.h" 25*d9f75844SAndroid Build Coastguard Worker #ifdef OPENSSL_IS_BORINGSSL 26*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/boringssl_identity.h" 27*d9f75844SAndroid Build Coastguard Worker #else 28*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/openssl_identity.h" 29*d9f75844SAndroid Build Coastguard Worker #endif 30*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/openssl_session_cache.h" 31*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/socket.h" 32*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/socket_address.h" 33*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/ssl_adapter.h" 34*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/ssl_certificate.h" 35*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/ssl_identity.h" 36*d9f75844SAndroid Build Coastguard Worker #include "rtc_base/ssl_stream_adapter.h" 37*d9f75844SAndroid Build Coastguard Worker 38*d9f75844SAndroid Build Coastguard Worker namespace rtc { 39*d9f75844SAndroid Build Coastguard Worker 40*d9f75844SAndroid Build Coastguard Worker namespace webrtc_openssl_adapter_internal { 41*d9f75844SAndroid Build Coastguard Worker 42*d9f75844SAndroid Build Coastguard Worker // Local definition, since absl::StrJoin is not allow-listed. Declared in header 43*d9f75844SAndroid Build Coastguard Worker // file only for unittests. 44*d9f75844SAndroid Build Coastguard Worker std::string StrJoin(const std::vector<std::string>& list, char delimiter); 45*d9f75844SAndroid Build Coastguard Worker 46*d9f75844SAndroid Build Coastguard Worker } // namespace webrtc_openssl_adapter_internal 47*d9f75844SAndroid Build Coastguard Worker 48*d9f75844SAndroid Build Coastguard Worker class OpenSSLAdapter final : public SSLAdapter { 49*d9f75844SAndroid Build Coastguard Worker public: 50*d9f75844SAndroid Build Coastguard Worker static bool InitializeSSL(); 51*d9f75844SAndroid Build Coastguard Worker static bool CleanupSSL(); 52*d9f75844SAndroid Build Coastguard Worker 53*d9f75844SAndroid Build Coastguard Worker // Creating an OpenSSLAdapter requires a socket to bind to, an optional 54*d9f75844SAndroid Build Coastguard Worker // session cache if you wish to improve performance by caching sessions for 55*d9f75844SAndroid Build Coastguard Worker // hostnames you have previously connected to and an optional 56*d9f75844SAndroid Build Coastguard Worker // SSLCertificateVerifier which can override any existing trusted roots to 57*d9f75844SAndroid Build Coastguard Worker // validate a peer certificate. The cache and verifier are effectively 58*d9f75844SAndroid Build Coastguard Worker // immutable after the the SSL connection starts. 59*d9f75844SAndroid Build Coastguard Worker explicit OpenSSLAdapter(Socket* socket, 60*d9f75844SAndroid Build Coastguard Worker OpenSSLSessionCache* ssl_session_cache = nullptr, 61*d9f75844SAndroid Build Coastguard Worker SSLCertificateVerifier* ssl_cert_verifier = nullptr); 62*d9f75844SAndroid Build Coastguard Worker ~OpenSSLAdapter() override; 63*d9f75844SAndroid Build Coastguard Worker 64*d9f75844SAndroid Build Coastguard Worker void SetIgnoreBadCert(bool ignore) override; 65*d9f75844SAndroid Build Coastguard Worker void SetAlpnProtocols(const std::vector<std::string>& protos) override; 66*d9f75844SAndroid Build Coastguard Worker void SetEllipticCurves(const std::vector<std::string>& curves) override; 67*d9f75844SAndroid Build Coastguard Worker void SetMode(SSLMode mode) override; 68*d9f75844SAndroid Build Coastguard Worker void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; 69*d9f75844SAndroid Build Coastguard Worker void SetIdentity(std::unique_ptr<SSLIdentity> identity) override; 70*d9f75844SAndroid Build Coastguard Worker void SetRole(SSLRole role) override; 71*d9f75844SAndroid Build Coastguard Worker int StartSSL(absl::string_view hostname) override; 72*d9f75844SAndroid Build Coastguard Worker int Send(const void* pv, size_t cb) override; 73*d9f75844SAndroid Build Coastguard Worker int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override; 74*d9f75844SAndroid Build Coastguard Worker int Recv(void* pv, size_t cb, int64_t* timestamp) override; 75*d9f75844SAndroid Build Coastguard Worker int RecvFrom(void* pv, 76*d9f75844SAndroid Build Coastguard Worker size_t cb, 77*d9f75844SAndroid Build Coastguard Worker SocketAddress* paddr, 78*d9f75844SAndroid Build Coastguard Worker int64_t* timestamp) override; 79*d9f75844SAndroid Build Coastguard Worker int Close() override; 80*d9f75844SAndroid Build Coastguard Worker // Note that the socket returns ST_CONNECTING while SSL is being negotiated. 81*d9f75844SAndroid Build Coastguard Worker ConnState GetState() const override; 82*d9f75844SAndroid Build Coastguard Worker bool IsResumedSession() override; 83*d9f75844SAndroid Build Coastguard Worker // Creates a new SSL_CTX object, configured for client-to-server usage 84*d9f75844SAndroid Build Coastguard Worker // with SSLMode `mode`, and if `enable_cache` is true, with support for 85*d9f75844SAndroid Build Coastguard Worker // storing successful sessions so that they can be later resumed. 86*d9f75844SAndroid Build Coastguard Worker // OpenSSLAdapterFactory will call this method to create its own internal 87*d9f75844SAndroid Build Coastguard Worker // SSL_CTX, and OpenSSLAdapter will also call this when used without a 88*d9f75844SAndroid Build Coastguard Worker // factory. 89*d9f75844SAndroid Build Coastguard Worker static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache); 90*d9f75844SAndroid Build Coastguard Worker 91*d9f75844SAndroid Build Coastguard Worker protected: 92*d9f75844SAndroid Build Coastguard Worker void OnConnectEvent(Socket* socket) override; 93*d9f75844SAndroid Build Coastguard Worker void OnReadEvent(Socket* socket) override; 94*d9f75844SAndroid Build Coastguard Worker void OnWriteEvent(Socket* socket) override; 95*d9f75844SAndroid Build Coastguard Worker void OnCloseEvent(Socket* socket, int err) override; 96*d9f75844SAndroid Build Coastguard Worker 97*d9f75844SAndroid Build Coastguard Worker private: 98*d9f75844SAndroid Build Coastguard Worker class EarlyExitCatcher { 99*d9f75844SAndroid Build Coastguard Worker public: 100*d9f75844SAndroid Build Coastguard Worker EarlyExitCatcher(OpenSSLAdapter& adapter_ptr); 101*d9f75844SAndroid Build Coastguard Worker void disable(); 102*d9f75844SAndroid Build Coastguard Worker ~EarlyExitCatcher(); 103*d9f75844SAndroid Build Coastguard Worker 104*d9f75844SAndroid Build Coastguard Worker private: 105*d9f75844SAndroid Build Coastguard Worker bool disabled_ = false; 106*d9f75844SAndroid Build Coastguard Worker OpenSSLAdapter& adapter_ptr_; 107*d9f75844SAndroid Build Coastguard Worker }; 108*d9f75844SAndroid Build Coastguard Worker enum SSLState { 109*d9f75844SAndroid Build Coastguard Worker SSL_NONE, 110*d9f75844SAndroid Build Coastguard Worker SSL_WAIT, 111*d9f75844SAndroid Build Coastguard Worker SSL_CONNECTING, 112*d9f75844SAndroid Build Coastguard Worker SSL_CONNECTED, 113*d9f75844SAndroid Build Coastguard Worker SSL_ERROR 114*d9f75844SAndroid Build Coastguard Worker }; 115*d9f75844SAndroid Build Coastguard Worker 116*d9f75844SAndroid Build Coastguard Worker int BeginSSL(); 117*d9f75844SAndroid Build Coastguard Worker int ContinueSSL(); 118*d9f75844SAndroid Build Coastguard Worker void Error(absl::string_view context, int err, bool signal = true); 119*d9f75844SAndroid Build Coastguard Worker void Cleanup(); 120*d9f75844SAndroid Build Coastguard Worker void OnTimeout(); 121*d9f75844SAndroid Build Coastguard Worker 122*d9f75844SAndroid Build Coastguard Worker // Return value and arguments have the same meanings as for Send; `error` is 123*d9f75844SAndroid Build Coastguard Worker // an output parameter filled with the result of SSL_get_error. 124*d9f75844SAndroid Build Coastguard Worker int DoSslWrite(const void* pv, size_t cb, int* error); 125*d9f75844SAndroid Build Coastguard Worker bool SSLPostConnectionCheck(SSL* ssl, absl::string_view host); 126*d9f75844SAndroid Build Coastguard Worker 127*d9f75844SAndroid Build Coastguard Worker #if !defined(NDEBUG) 128*d9f75844SAndroid Build Coastguard Worker // In debug builds, logs info about the state of the SSL connection. 129*d9f75844SAndroid Build Coastguard Worker static void SSLInfoCallback(const SSL* ssl, int where, int ret); 130*d9f75844SAndroid Build Coastguard Worker #endif 131*d9f75844SAndroid Build Coastguard Worker 132*d9f75844SAndroid Build Coastguard Worker #if defined(OPENSSL_IS_BORINGSSL) && \ 133*d9f75844SAndroid Build Coastguard Worker defined(WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS) 134*d9f75844SAndroid Build Coastguard Worker static enum ssl_verify_result_t SSLVerifyCallback(SSL* ssl, 135*d9f75844SAndroid Build Coastguard Worker uint8_t* out_alert); 136*d9f75844SAndroid Build Coastguard Worker enum ssl_verify_result_t SSLVerifyInternal(SSL* ssl, uint8_t* out_alert); 137*d9f75844SAndroid Build Coastguard Worker #else 138*d9f75844SAndroid Build Coastguard Worker static int SSLVerifyCallback(int ok, X509_STORE_CTX* store); 139*d9f75844SAndroid Build Coastguard Worker // Call a custom verifier, if installed. 140*d9f75844SAndroid Build Coastguard Worker // Returns 1 on success, `status_on_error` on error or verification failure. 141*d9f75844SAndroid Build Coastguard Worker int SSLVerifyInternal(int status_on_error, SSL* ssl, X509_STORE_CTX* store); 142*d9f75844SAndroid Build Coastguard Worker #endif 143*d9f75844SAndroid Build Coastguard Worker friend class OpenSSLStreamAdapter; // for custom_verify_callback_; 144*d9f75844SAndroid Build Coastguard Worker 145*d9f75844SAndroid Build Coastguard Worker // If the SSL_CTX was created with `enable_cache` set to true, this callback 146*d9f75844SAndroid Build Coastguard Worker // will be called when a SSL session has been successfully established, 147*d9f75844SAndroid Build Coastguard Worker // to allow its SSL_SESSION* to be cached for later resumption. 148*d9f75844SAndroid Build Coastguard Worker static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session); 149*d9f75844SAndroid Build Coastguard Worker 150*d9f75844SAndroid Build Coastguard Worker // Optional SSL Shared session cache to improve performance. 151*d9f75844SAndroid Build Coastguard Worker OpenSSLSessionCache* ssl_session_cache_ = nullptr; 152*d9f75844SAndroid Build Coastguard Worker // Optional SSL Certificate verifier which can be set by a third party. 153*d9f75844SAndroid Build Coastguard Worker SSLCertificateVerifier* ssl_cert_verifier_ = nullptr; 154*d9f75844SAndroid Build Coastguard Worker // The current connection state of the (d)TLS connection. 155*d9f75844SAndroid Build Coastguard Worker SSLState state_; 156*d9f75844SAndroid Build Coastguard Worker 157*d9f75844SAndroid Build Coastguard Worker #ifdef OPENSSL_IS_BORINGSSL 158*d9f75844SAndroid Build Coastguard Worker std::unique_ptr<BoringSSLIdentity> identity_; 159*d9f75844SAndroid Build Coastguard Worker #else 160*d9f75844SAndroid Build Coastguard Worker std::unique_ptr<OpenSSLIdentity> identity_; 161*d9f75844SAndroid Build Coastguard Worker #endif 162*d9f75844SAndroid Build Coastguard Worker // Indicates whethere this is a client or a server. 163*d9f75844SAndroid Build Coastguard Worker SSLRole role_; 164*d9f75844SAndroid Build Coastguard Worker bool ssl_read_needs_write_; 165*d9f75844SAndroid Build Coastguard Worker bool ssl_write_needs_read_; 166*d9f75844SAndroid Build Coastguard Worker // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which 167*d9f75844SAndroid Build Coastguard Worker // means we need to keep retrying with *the same exact data* until it 168*d9f75844SAndroid Build Coastguard Worker // succeeds. Afterwards it will be cleared. 169*d9f75844SAndroid Build Coastguard Worker Buffer pending_data_; 170*d9f75844SAndroid Build Coastguard Worker SSL* ssl_; 171*d9f75844SAndroid Build Coastguard Worker // Holds the SSL context, which may be shared if an session cache is provided. 172*d9f75844SAndroid Build Coastguard Worker SSL_CTX* ssl_ctx_; 173*d9f75844SAndroid Build Coastguard Worker // Hostname of server that is being connected, used for SNI. 174*d9f75844SAndroid Build Coastguard Worker std::string ssl_host_name_; 175*d9f75844SAndroid Build Coastguard Worker // Set the adapter to DTLS or TLS mode before creating the context. 176*d9f75844SAndroid Build Coastguard Worker SSLMode ssl_mode_; 177*d9f75844SAndroid Build Coastguard Worker // If true, the server certificate need not match the configured hostname. 178*d9f75844SAndroid Build Coastguard Worker bool ignore_bad_cert_; 179*d9f75844SAndroid Build Coastguard Worker // List of protocols to be used in the TLS ALPN extension. 180*d9f75844SAndroid Build Coastguard Worker std::vector<std::string> alpn_protocols_; 181*d9f75844SAndroid Build Coastguard Worker // List of elliptic curves to be used in the TLS elliptic curves extension. 182*d9f75844SAndroid Build Coastguard Worker std::vector<std::string> elliptic_curves_; 183*d9f75844SAndroid Build Coastguard Worker // Holds the result of the call to run of the ssl_cert_verify_->Verify() 184*d9f75844SAndroid Build Coastguard Worker bool custom_cert_verifier_status_; 185*d9f75844SAndroid Build Coastguard Worker // Flag to cancel pending timeout task. 186*d9f75844SAndroid Build Coastguard Worker webrtc::ScopedTaskSafety timer_; 187*d9f75844SAndroid Build Coastguard Worker }; 188*d9f75844SAndroid Build Coastguard Worker 189*d9f75844SAndroid Build Coastguard Worker // The OpenSSLAdapterFactory is responsbile for creating multiple new 190*d9f75844SAndroid Build Coastguard Worker // OpenSSLAdapters with a shared SSL_CTX and a shared SSL_SESSION cache. The 191*d9f75844SAndroid Build Coastguard Worker // SSL_SESSION cache allows existing SSL_SESSIONS to be reused instead of 192*d9f75844SAndroid Build Coastguard Worker // recreating them leading to a significant performance improvement. 193*d9f75844SAndroid Build Coastguard Worker class OpenSSLAdapterFactory : public SSLAdapterFactory { 194*d9f75844SAndroid Build Coastguard Worker public: 195*d9f75844SAndroid Build Coastguard Worker OpenSSLAdapterFactory(); 196*d9f75844SAndroid Build Coastguard Worker ~OpenSSLAdapterFactory() override; 197*d9f75844SAndroid Build Coastguard Worker // Set the SSL Mode to use with this factory. This should only be set before 198*d9f75844SAndroid Build Coastguard Worker // the first adapter is created with the factory. If it is called after it 199*d9f75844SAndroid Build Coastguard Worker // will DCHECK. 200*d9f75844SAndroid Build Coastguard Worker void SetMode(SSLMode mode) override; 201*d9f75844SAndroid Build Coastguard Worker 202*d9f75844SAndroid Build Coastguard Worker // Set a custom certificate verifier to be passed down to each instance 203*d9f75844SAndroid Build Coastguard Worker // created with this factory. This should only ever be set before the first 204*d9f75844SAndroid Build Coastguard Worker // call to the factory and cannot be changed after the fact. 205*d9f75844SAndroid Build Coastguard Worker void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; 206*d9f75844SAndroid Build Coastguard Worker 207*d9f75844SAndroid Build Coastguard Worker void SetIdentity(std::unique_ptr<SSLIdentity> identity) override; 208*d9f75844SAndroid Build Coastguard Worker 209*d9f75844SAndroid Build Coastguard Worker // Choose whether the socket acts as a server socket or client socket. 210*d9f75844SAndroid Build Coastguard Worker void SetRole(SSLRole role) override; 211*d9f75844SAndroid Build Coastguard Worker 212*d9f75844SAndroid Build Coastguard Worker // Methods that control server certificate verification, used in unit tests. 213*d9f75844SAndroid Build Coastguard Worker // Do not call these methods in production code. 214*d9f75844SAndroid Build Coastguard Worker void SetIgnoreBadCert(bool ignore) override; 215*d9f75844SAndroid Build Coastguard Worker 216*d9f75844SAndroid Build Coastguard Worker // Constructs a new socket using the shared OpenSSLSessionCache. This means 217*d9f75844SAndroid Build Coastguard Worker // existing SSLSessions already in the cache will be reused instead of 218*d9f75844SAndroid Build Coastguard Worker // re-created for improved performance. 219*d9f75844SAndroid Build Coastguard Worker OpenSSLAdapter* CreateAdapter(Socket* socket) override; 220*d9f75844SAndroid Build Coastguard Worker 221*d9f75844SAndroid Build Coastguard Worker private: 222*d9f75844SAndroid Build Coastguard Worker // Holds the SSLMode (DTLS,TLS) that will be used to set the session cache. 223*d9f75844SAndroid Build Coastguard Worker SSLMode ssl_mode_ = SSL_MODE_TLS; 224*d9f75844SAndroid Build Coastguard Worker SSLRole ssl_role_ = SSL_CLIENT; 225*d9f75844SAndroid Build Coastguard Worker bool ignore_bad_cert_ = false; 226*d9f75844SAndroid Build Coastguard Worker 227*d9f75844SAndroid Build Coastguard Worker std::unique_ptr<SSLIdentity> identity_; 228*d9f75844SAndroid Build Coastguard Worker 229*d9f75844SAndroid Build Coastguard Worker // Holds a cache of existing SSL Sessions. 230*d9f75844SAndroid Build Coastguard Worker std::unique_ptr<OpenSSLSessionCache> ssl_session_cache_; 231*d9f75844SAndroid Build Coastguard Worker // Provides an optional custom callback for verifying SSL certificates, this 232*d9f75844SAndroid Build Coastguard Worker // in currently only used for TLS-TURN connections. 233*d9f75844SAndroid Build Coastguard Worker SSLCertificateVerifier* ssl_cert_verifier_ = nullptr; 234*d9f75844SAndroid Build Coastguard Worker // TODO(benwright): Remove this when context is moved to OpenSSLCommon. 235*d9f75844SAndroid Build Coastguard Worker // Hold a friend class to the OpenSSLAdapter to retrieve the context. 236*d9f75844SAndroid Build Coastguard Worker friend class OpenSSLAdapter; 237*d9f75844SAndroid Build Coastguard Worker }; 238*d9f75844SAndroid Build Coastguard Worker 239*d9f75844SAndroid Build Coastguard Worker // The EarlyExitCatcher is responsible for calling OpenSSLAdapter::Cleanup on 240*d9f75844SAndroid Build Coastguard Worker // destruction. By doing this we have scoped cleanup which can be disabled if 241*d9f75844SAndroid Build Coastguard Worker // there were no errors, aka early exits. 242*d9f75844SAndroid Build Coastguard Worker 243*d9f75844SAndroid Build Coastguard Worker std::string TransformAlpnProtocols(const std::vector<std::string>& protos); 244*d9f75844SAndroid Build Coastguard Worker 245*d9f75844SAndroid Build Coastguard Worker } // namespace rtc 246*d9f75844SAndroid Build Coastguard Worker 247*d9f75844SAndroid Build Coastguard Worker #endif // RTC_BASE_OPENSSL_ADAPTER_H_ 248