1 /*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11 #include "rtc_base/openssl_stream_adapter.h"
12
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/err.h>
16 #include <openssl/rand.h>
17 #include <openssl/tls1.h>
18 #include <openssl/x509v3.h>
19
20 #include "absl/strings/string_view.h"
21 #ifndef OPENSSL_IS_BORINGSSL
22 #include <openssl/dtls1.h>
23 #include <openssl/ssl.h>
24 #endif
25
26 #include <atomic>
27 #include <memory>
28 #include <utility>
29 #include <vector>
30
31 #include "api/array_view.h"
32 #include "rtc_base/checks.h"
33 #include "rtc_base/logging.h"
34 #include "rtc_base/numerics/safe_conversions.h"
35 #include "rtc_base/openssl.h"
36 #include "rtc_base/openssl_adapter.h"
37 #include "rtc_base/openssl_digest.h"
38 #ifdef OPENSSL_IS_BORINGSSL
39 #include "rtc_base/boringssl_identity.h"
40 #else
41 #include "rtc_base/openssl_identity.h"
42 #endif
43 #include "rtc_base/openssl_utility.h"
44 #include "rtc_base/ssl_certificate.h"
45 #include "rtc_base/stream.h"
46 #include "rtc_base/string_encode.h"
47 #include "rtc_base/thread.h"
48 #include "rtc_base/time_utils.h"
49 #include "system_wrappers/include/field_trial.h"
50
51 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
52 #error "webrtc requires at least OpenSSL version 1.1.0, to support DTLS-SRTP"
53 #endif
54
55 // Defines for the TLS Cipher Suite Map.
56 #define DEFINE_CIPHER_ENTRY_SSL3(name) \
57 { SSL3_CK_##name, "TLS_" #name }
58 #define DEFINE_CIPHER_ENTRY_TLS1(name) \
59 { TLS1_CK_##name, "TLS_" #name }
60
61 namespace rtc {
62 namespace {
63 using ::webrtc::SafeTask;
64 // SRTP cipher suite table. `internal_name` is used to construct a
65 // colon-separated profile strings which is needed by
66 // SSL_CTX_set_tlsext_use_srtp().
67 struct SrtpCipherMapEntry {
68 const char* internal_name;
69 const int id;
70 };
71
72 // Cipher name table. Maps internal OpenSSL cipher ids to the RFC name.
73 struct SslCipherMapEntry {
74 uint32_t openssl_id;
75 const char* rfc_name;
76 };
77
78 // This isn't elegant, but it's better than an external reference
79 constexpr SrtpCipherMapEntry kSrtpCipherMap[] = {
80 {"SRTP_AES128_CM_SHA1_80", kSrtpAes128CmSha1_80},
81 {"SRTP_AES128_CM_SHA1_32", kSrtpAes128CmSha1_32},
82 {"SRTP_AEAD_AES_128_GCM", kSrtpAeadAes128Gcm},
83 {"SRTP_AEAD_AES_256_GCM", kSrtpAeadAes256Gcm}};
84
85 #ifndef OPENSSL_IS_BORINGSSL
86 // The "SSL_CIPHER_standard_name" function is only available in OpenSSL when
87 // compiled with tracing, so we need to define the mapping manually here.
88 constexpr SslCipherMapEntry kSslCipherMap[] = {
89 // TLS v1.0 ciphersuites from RFC2246.
90 DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA),
91 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
92
93 // AES ciphersuites from RFC3268.
94 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
95 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
96 {TLS1_CK_RSA_WITH_AES_256_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA"},
97 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
98
99 // ECC ciphersuites from RFC4492.
100 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA),
101 {TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
102 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"},
103 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
104 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
105
106 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA),
107 {TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
108 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"},
109 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA),
110 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA),
111
112 // TLS v1.2 ciphersuites.
113 {TLS1_CK_RSA_WITH_AES_128_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"},
114 {TLS1_CK_RSA_WITH_AES_256_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"},
115 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
116 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"},
117 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
118 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"},
119
120 // TLS v1.2 GCM ciphersuites from RFC5288.
121 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256),
122 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384),
123 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256),
124 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384),
125 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256),
126 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384),
127
128 // ECDH HMAC based ciphersuites from RFC5289.
129 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
130 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"},
131 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
132 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"},
133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
134 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
135 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
136 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
137
138 // ECDH GCM based ciphersuites from RFC5289.
139 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
140 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
141 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
142 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384),
143
144 {0, nullptr}};
145 #endif // #ifndef OPENSSL_IS_BORINGSSL
146
147 #ifdef OPENSSL_IS_BORINGSSL
148 // Enabled by EnableTimeCallbackForTesting. Should never be set in production
149 // code.
150 bool g_use_time_callback_for_testing = false;
151 // Not used in production code. Actual time should be relative to Jan 1, 1970.
TimeCallbackForTesting(const SSL * ssl,struct timeval * out_clock)152 void TimeCallbackForTesting(const SSL* ssl, struct timeval* out_clock) {
153 int64_t time = TimeNanos();
154 out_clock->tv_sec = time / kNumNanosecsPerSec;
155 out_clock->tv_usec = (time % kNumNanosecsPerSec) / kNumNanosecsPerMicrosec;
156 }
157 #endif
158
159 } // namespace
160
161 //////////////////////////////////////////////////////////////////////
162 // StreamBIO
163 //////////////////////////////////////////////////////////////////////
164
165 static int stream_write(BIO* h, const char* buf, int num);
166 static int stream_read(BIO* h, char* buf, int size);
167 static int stream_puts(BIO* h, const char* str);
168 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2);
169 static int stream_new(BIO* h);
170 static int stream_free(BIO* data);
171
BIO_stream_method()172 static BIO_METHOD* BIO_stream_method() {
173 static BIO_METHOD* method = [] {
174 BIO_METHOD* method = BIO_meth_new(BIO_TYPE_BIO, "stream");
175 BIO_meth_set_write(method, stream_write);
176 BIO_meth_set_read(method, stream_read);
177 BIO_meth_set_puts(method, stream_puts);
178 BIO_meth_set_ctrl(method, stream_ctrl);
179 BIO_meth_set_create(method, stream_new);
180 BIO_meth_set_destroy(method, stream_free);
181 return method;
182 }();
183 return method;
184 }
185
BIO_new_stream(StreamInterface * stream)186 static BIO* BIO_new_stream(StreamInterface* stream) {
187 BIO* ret = BIO_new(BIO_stream_method());
188 if (ret == nullptr) {
189 return nullptr;
190 }
191 BIO_set_data(ret, stream);
192 return ret;
193 }
194
195 // bio methods return 1 (or at least non-zero) on success and 0 on failure.
196
stream_new(BIO * b)197 static int stream_new(BIO* b) {
198 BIO_set_shutdown(b, 0);
199 BIO_set_init(b, 1);
200 BIO_set_data(b, 0);
201 return 1;
202 }
203
stream_free(BIO * b)204 static int stream_free(BIO* b) {
205 if (b == nullptr) {
206 return 0;
207 }
208 return 1;
209 }
210
stream_read(BIO * b,char * out,int outl)211 static int stream_read(BIO* b, char* out, int outl) {
212 if (!out) {
213 return -1;
214 }
215 StreamInterface* stream = static_cast<StreamInterface*>(BIO_get_data(b));
216 BIO_clear_retry_flags(b);
217 size_t read;
218 int error;
219 StreamResult result = stream->Read(
220 rtc::MakeArrayView(reinterpret_cast<uint8_t*>(out), outl), read, error);
221 if (result == SR_SUCCESS) {
222 return checked_cast<int>(read);
223 } else if (result == SR_BLOCK) {
224 BIO_set_retry_read(b);
225 }
226 return -1;
227 }
228
stream_write(BIO * b,const char * in,int inl)229 static int stream_write(BIO* b, const char* in, int inl) {
230 if (!in) {
231 return -1;
232 }
233 StreamInterface* stream = static_cast<StreamInterface*>(BIO_get_data(b));
234 BIO_clear_retry_flags(b);
235 size_t written;
236 int error;
237 StreamResult result = stream->Write(
238 rtc::MakeArrayView(reinterpret_cast<const uint8_t*>(in), inl), written,
239 error);
240 if (result == SR_SUCCESS) {
241 return checked_cast<int>(written);
242 } else if (result == SR_BLOCK) {
243 BIO_set_retry_write(b);
244 }
245 return -1;
246 }
247
stream_puts(BIO * b,const char * str)248 static int stream_puts(BIO* b, const char* str) {
249 return stream_write(b, str, checked_cast<int>(strlen(str)));
250 }
251
stream_ctrl(BIO * b,int cmd,long num,void * ptr)252 static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) {
253 switch (cmd) {
254 case BIO_CTRL_RESET:
255 return 0;
256 case BIO_CTRL_EOF: {
257 StreamInterface* stream = static_cast<StreamInterface*>(ptr);
258 // 1 means end-of-stream.
259 return (stream->GetState() == SS_CLOSED) ? 1 : 0;
260 }
261 case BIO_CTRL_WPENDING:
262 case BIO_CTRL_PENDING:
263 return 0;
264 case BIO_CTRL_FLUSH:
265 return 1;
266 case BIO_CTRL_DGRAM_QUERY_MTU:
267 // openssl defaults to mtu=256 unless we return something here.
268 // The handshake doesn't actually need to send packets above 1k,
269 // so this seems like a sensible value that should work in most cases.
270 // Webrtc uses the same value for video packets.
271 return 1200;
272 default:
273 return 0;
274 }
275 }
276
277 /////////////////////////////////////////////////////////////////////////////
278 // OpenSSLStreamAdapter
279 /////////////////////////////////////////////////////////////////////////////
280
281 static std::atomic<bool> g_use_legacy_tls_protocols_override(false);
282 static std::atomic<bool> g_allow_legacy_tls_protocols(false);
283
SetAllowLegacyTLSProtocols(const absl::optional<bool> & allow)284 void SetAllowLegacyTLSProtocols(const absl::optional<bool>& allow) {
285 g_use_legacy_tls_protocols_override.store(allow.has_value());
286 if (allow.has_value())
287 g_allow_legacy_tls_protocols.store(allow.value());
288 }
289
ShouldAllowLegacyTLSProtocols()290 bool ShouldAllowLegacyTLSProtocols() {
291 return g_use_legacy_tls_protocols_override.load()
292 ? g_allow_legacy_tls_protocols.load()
293 : webrtc::field_trial::IsEnabled("WebRTC-LegacyTlsProtocols");
294 }
295
OpenSSLStreamAdapter(std::unique_ptr<StreamInterface> stream)296 OpenSSLStreamAdapter::OpenSSLStreamAdapter(
297 std::unique_ptr<StreamInterface> stream)
298 : stream_(std::move(stream)),
299 owner_(rtc::Thread::Current()),
300 state_(SSL_NONE),
301 role_(SSL_CLIENT),
302 ssl_read_needs_write_(false),
303 ssl_write_needs_read_(false),
304 ssl_(nullptr),
305 ssl_ctx_(nullptr),
306 ssl_mode_(SSL_MODE_TLS),
307 ssl_max_version_(SSL_PROTOCOL_TLS_12),
308 // Default is to support legacy TLS protocols.
309 // This will be changed to default non-support in M82 or M83.
310 support_legacy_tls_protocols_flag_(ShouldAllowLegacyTLSProtocols()) {
311 stream_->SignalEvent.connect(this, &OpenSSLStreamAdapter::OnEvent);
312 }
313
~OpenSSLStreamAdapter()314 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() {
315 timeout_task_.Stop();
316 Cleanup(0);
317 }
318
SetIdentity(std::unique_ptr<SSLIdentity> identity)319 void OpenSSLStreamAdapter::SetIdentity(std::unique_ptr<SSLIdentity> identity) {
320 RTC_DCHECK(!identity_);
321 #ifdef OPENSSL_IS_BORINGSSL
322 identity_.reset(static_cast<BoringSSLIdentity*>(identity.release()));
323 #else
324 identity_.reset(static_cast<OpenSSLIdentity*>(identity.release()));
325 #endif
326 }
327
GetIdentityForTesting() const328 SSLIdentity* OpenSSLStreamAdapter::GetIdentityForTesting() const {
329 return identity_.get();
330 }
331
SetServerRole(SSLRole role)332 void OpenSSLStreamAdapter::SetServerRole(SSLRole role) {
333 role_ = role;
334 }
335
SetPeerCertificateDigest(absl::string_view digest_alg,const unsigned char * digest_val,size_t digest_len,SSLPeerCertificateDigestError * error)336 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(
337 absl::string_view digest_alg,
338 const unsigned char* digest_val,
339 size_t digest_len,
340 SSLPeerCertificateDigestError* error) {
341 RTC_DCHECK(!peer_certificate_verified_);
342 RTC_DCHECK(!HasPeerCertificateDigest());
343 size_t expected_len;
344 if (error) {
345 *error = SSLPeerCertificateDigestError::NONE;
346 }
347
348 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) {
349 RTC_LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg;
350 if (error) {
351 *error = SSLPeerCertificateDigestError::UNKNOWN_ALGORITHM;
352 }
353 return false;
354 }
355 if (expected_len != digest_len) {
356 if (error) {
357 *error = SSLPeerCertificateDigestError::INVALID_LENGTH;
358 }
359 return false;
360 }
361
362 peer_certificate_digest_value_.SetData(digest_val, digest_len);
363 peer_certificate_digest_algorithm_ = std::string(digest_alg);
364
365 if (!peer_cert_chain_) {
366 // Normal case, where the digest is set before we obtain the certificate
367 // from the handshake.
368 return true;
369 }
370
371 if (!VerifyPeerCertificate()) {
372 Error("SetPeerCertificateDigest", -1, SSL_AD_BAD_CERTIFICATE, false);
373 if (error) {
374 *error = SSLPeerCertificateDigestError::VERIFICATION_FAILED;
375 }
376 return false;
377 }
378
379 if (state_ == SSL_CONNECTED) {
380 // Post the event asynchronously to unwind the stack. The caller
381 // of ContinueSSL may be the same object listening for these
382 // events and may not be prepared for reentrancy.
383 PostEvent(SE_OPEN | SE_READ | SE_WRITE, 0);
384 }
385
386 return true;
387 }
388
SslCipherSuiteToName(int cipher_suite)389 std::string OpenSSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) {
390 #ifdef OPENSSL_IS_BORINGSSL
391 const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher_suite);
392 if (!ssl_cipher) {
393 return std::string();
394 }
395 return SSL_CIPHER_standard_name(ssl_cipher);
396 #else
397 const int openssl_cipher_id = 0x03000000L | cipher_suite;
398 for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name;
399 ++entry) {
400 if (openssl_cipher_id == static_cast<int>(entry->openssl_id)) {
401 return entry->rfc_name;
402 }
403 }
404 return std::string();
405 #endif
406 }
407
GetSslCipherSuite(int * cipher_suite)408 bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) {
409 if (state_ != SSL_CONNECTED) {
410 return false;
411 }
412
413 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_);
414 if (current_cipher == nullptr) {
415 return false;
416 }
417
418 *cipher_suite = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher));
419 return true;
420 }
421
GetSslVersion() const422 SSLProtocolVersion OpenSSLStreamAdapter::GetSslVersion() const {
423 if (state_ != SSL_CONNECTED) {
424 return SSL_PROTOCOL_NOT_GIVEN;
425 }
426
427 int ssl_version = SSL_version(ssl_);
428 if (ssl_mode_ == SSL_MODE_DTLS) {
429 if (ssl_version == DTLS1_VERSION) {
430 return SSL_PROTOCOL_DTLS_10;
431 } else if (ssl_version == DTLS1_2_VERSION) {
432 return SSL_PROTOCOL_DTLS_12;
433 }
434 } else {
435 if (ssl_version == TLS1_VERSION) {
436 return SSL_PROTOCOL_TLS_10;
437 } else if (ssl_version == TLS1_1_VERSION) {
438 return SSL_PROTOCOL_TLS_11;
439 } else if (ssl_version == TLS1_2_VERSION) {
440 return SSL_PROTOCOL_TLS_12;
441 }
442 }
443
444 return SSL_PROTOCOL_NOT_GIVEN;
445 }
446
GetSslVersionBytes(int * version) const447 bool OpenSSLStreamAdapter::GetSslVersionBytes(int* version) const {
448 if (state_ != SSL_CONNECTED) {
449 return false;
450 }
451 *version = SSL_version(ssl_);
452 return true;
453 }
454
455 // Key Extractor interface
ExportKeyingMaterial(absl::string_view label,const uint8_t * context,size_t context_len,bool use_context,uint8_t * result,size_t result_len)456 bool OpenSSLStreamAdapter::ExportKeyingMaterial(absl::string_view label,
457 const uint8_t* context,
458 size_t context_len,
459 bool use_context,
460 uint8_t* result,
461 size_t result_len) {
462 if (SSL_export_keying_material(ssl_, result, result_len, label.data(),
463 label.length(), context, context_len,
464 use_context) != 1) {
465 return false;
466 }
467 return true;
468 }
469
SetDtlsSrtpCryptoSuites(const std::vector<int> & ciphers)470 bool OpenSSLStreamAdapter::SetDtlsSrtpCryptoSuites(
471 const std::vector<int>& ciphers) {
472 if (state_ != SSL_NONE) {
473 return false;
474 }
475
476 std::string internal_ciphers;
477 for (const int cipher : ciphers) {
478 bool found = false;
479 for (const auto& entry : kSrtpCipherMap) {
480 if (cipher == entry.id) {
481 found = true;
482 if (!internal_ciphers.empty()) {
483 internal_ciphers += ":";
484 }
485 internal_ciphers += entry.internal_name;
486 break;
487 }
488 }
489
490 if (!found) {
491 RTC_LOG(LS_ERROR) << "Could not find cipher: " << cipher;
492 return false;
493 }
494 }
495
496 if (internal_ciphers.empty()) {
497 return false;
498 }
499
500 srtp_ciphers_ = internal_ciphers;
501 return true;
502 }
503
GetDtlsSrtpCryptoSuite(int * crypto_suite)504 bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) {
505 RTC_DCHECK(state_ == SSL_CONNECTED);
506 if (state_ != SSL_CONNECTED) {
507 return false;
508 }
509
510 const SRTP_PROTECTION_PROFILE* srtp_profile =
511 SSL_get_selected_srtp_profile(ssl_);
512
513 if (!srtp_profile) {
514 return false;
515 }
516
517 *crypto_suite = srtp_profile->id;
518 RTC_DCHECK(!SrtpCryptoSuiteToName(*crypto_suite).empty());
519 return true;
520 }
521
IsTlsConnected()522 bool OpenSSLStreamAdapter::IsTlsConnected() {
523 return state_ == SSL_CONNECTED;
524 }
525
StartSSL()526 int OpenSSLStreamAdapter::StartSSL() {
527 // Don't allow StartSSL to be called twice.
528 if (state_ != SSL_NONE) {
529 return -1;
530 }
531
532 if (stream_->GetState() != SS_OPEN) {
533 state_ = SSL_WAIT;
534 return 0;
535 }
536
537 state_ = SSL_CONNECTING;
538 if (int err = BeginSSL()) {
539 Error("BeginSSL", err, 0, false);
540 return err;
541 }
542
543 return 0;
544 }
545
SetMode(SSLMode mode)546 void OpenSSLStreamAdapter::SetMode(SSLMode mode) {
547 RTC_DCHECK(state_ == SSL_NONE);
548 ssl_mode_ = mode;
549 }
550
SetMaxProtocolVersion(SSLProtocolVersion version)551 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) {
552 RTC_DCHECK(ssl_ctx_ == nullptr);
553 ssl_max_version_ = version;
554 }
555
SetInitialRetransmissionTimeout(int timeout_ms)556 void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout(int timeout_ms) {
557 RTC_DCHECK(ssl_ctx_ == nullptr);
558 dtls_handshake_timeout_ms_ = timeout_ms;
559 }
560
561 //
562 // StreamInterface Implementation
563 //
Write(rtc::ArrayView<const uint8_t> data,size_t & written,int & error)564 StreamResult OpenSSLStreamAdapter::Write(rtc::ArrayView<const uint8_t> data,
565 size_t& written,
566 int& error) {
567 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data.size() << ")";
568
569 switch (state_) {
570 case SSL_NONE:
571 // pass-through in clear text
572 return stream_->Write(data, written, error);
573
574 case SSL_WAIT:
575 case SSL_CONNECTING:
576 return SR_BLOCK;
577
578 case SSL_CONNECTED:
579 if (WaitingToVerifyPeerCertificate()) {
580 return SR_BLOCK;
581 }
582 break;
583
584 case SSL_ERROR:
585 case SSL_CLOSED:
586 default:
587 error = ssl_error_code_;
588 return SR_ERROR;
589 }
590
591 // OpenSSL will return an error if we try to write zero bytes
592 if (data.size() == 0) {
593 written = 0;
594 return SR_SUCCESS;
595 }
596
597 ssl_write_needs_read_ = false;
598
599 int code = SSL_write(ssl_, data.data(), checked_cast<int>(data.size()));
600 int ssl_error = SSL_get_error(ssl_, code);
601 switch (ssl_error) {
602 case SSL_ERROR_NONE:
603 RTC_DLOG(LS_VERBOSE) << " -- success";
604 RTC_DCHECK_GT(code, 0);
605 RTC_DCHECK_LE(code, data.size());
606 written = code;
607 return SR_SUCCESS;
608 case SSL_ERROR_WANT_READ:
609 RTC_DLOG(LS_VERBOSE) << " -- error want read";
610 ssl_write_needs_read_ = true;
611 return SR_BLOCK;
612 case SSL_ERROR_WANT_WRITE:
613 RTC_DLOG(LS_VERBOSE) << " -- error want write";
614 return SR_BLOCK;
615
616 case SSL_ERROR_ZERO_RETURN:
617 default:
618 Error("SSL_write", (ssl_error ? ssl_error : -1), 0, false);
619 error = ssl_error_code_;
620 return SR_ERROR;
621 }
622 // not reached
623 }
624
Read(rtc::ArrayView<uint8_t> data,size_t & read,int & error)625 StreamResult OpenSSLStreamAdapter::Read(rtc::ArrayView<uint8_t> data,
626 size_t& read,
627 int& error) {
628 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data.size() << ")";
629 switch (state_) {
630 case SSL_NONE:
631 // pass-through in clear text
632 return stream_->Read(data, read, error);
633 case SSL_WAIT:
634 case SSL_CONNECTING:
635 return SR_BLOCK;
636 case SSL_CONNECTED:
637 if (WaitingToVerifyPeerCertificate()) {
638 return SR_BLOCK;
639 }
640 break;
641 case SSL_CLOSED:
642 return SR_EOS;
643 case SSL_ERROR:
644 default:
645 error = ssl_error_code_;
646 return SR_ERROR;
647 }
648
649 // Don't trust OpenSSL with zero byte reads
650 if (data.size() == 0) {
651 read = 0;
652 return SR_SUCCESS;
653 }
654
655 ssl_read_needs_write_ = false;
656
657 const int code = SSL_read(ssl_, data.data(), checked_cast<int>(data.size()));
658 const int ssl_error = SSL_get_error(ssl_, code);
659
660 switch (ssl_error) {
661 case SSL_ERROR_NONE:
662 RTC_DLOG(LS_VERBOSE) << " -- success";
663 RTC_DCHECK_GT(code, 0);
664 RTC_DCHECK_LE(code, data.size());
665 read = code;
666
667 if (ssl_mode_ == SSL_MODE_DTLS) {
668 // Enforce atomic reads -- this is a short read
669 unsigned int pending = SSL_pending(ssl_);
670
671 if (pending) {
672 RTC_DLOG(LS_INFO) << " -- short DTLS read. flushing";
673 FlushInput(pending);
674 error = SSE_MSG_TRUNC;
675 return SR_ERROR;
676 }
677 }
678 return SR_SUCCESS;
679 case SSL_ERROR_WANT_READ:
680 RTC_DLOG(LS_VERBOSE) << " -- error want read";
681 return SR_BLOCK;
682 case SSL_ERROR_WANT_WRITE:
683 RTC_DLOG(LS_VERBOSE) << " -- error want write";
684 ssl_read_needs_write_ = true;
685 return SR_BLOCK;
686 case SSL_ERROR_ZERO_RETURN:
687 RTC_DLOG(LS_VERBOSE) << " -- remote side closed";
688 Close();
689 return SR_EOS;
690 default:
691 Error("SSL_read", (ssl_error ? ssl_error : -1), 0, false);
692 error = ssl_error_code_;
693 return SR_ERROR;
694 }
695 // not reached
696 }
697
FlushInput(unsigned int left)698 void OpenSSLStreamAdapter::FlushInput(unsigned int left) {
699 unsigned char buf[2048];
700
701 while (left) {
702 // This should always succeed
703 const int toread = (sizeof(buf) < left) ? sizeof(buf) : left;
704 const int code = SSL_read(ssl_, buf, toread);
705
706 const int ssl_error = SSL_get_error(ssl_, code);
707 RTC_DCHECK(ssl_error == SSL_ERROR_NONE);
708
709 if (ssl_error != SSL_ERROR_NONE) {
710 RTC_DLOG(LS_VERBOSE) << " -- error " << code;
711 Error("SSL_read", (ssl_error ? ssl_error : -1), 0, false);
712 return;
713 }
714
715 RTC_DLOG(LS_VERBOSE) << " -- flushed " << code << " bytes";
716 left -= code;
717 }
718 }
719
Close()720 void OpenSSLStreamAdapter::Close() {
721 Cleanup(0);
722 RTC_DCHECK(state_ == SSL_CLOSED || state_ == SSL_ERROR);
723 // When we're closed at SSL layer, also close the stream level which
724 // performs necessary clean up. Otherwise, a new incoming packet after
725 // this could overflow the stream buffer.
726 stream_->Close();
727 }
728
GetState() const729 StreamState OpenSSLStreamAdapter::GetState() const {
730 switch (state_) {
731 case SSL_WAIT:
732 case SSL_CONNECTING:
733 return SS_OPENING;
734 case SSL_CONNECTED:
735 if (WaitingToVerifyPeerCertificate()) {
736 return SS_OPENING;
737 }
738 return SS_OPEN;
739 default:
740 return SS_CLOSED;
741 }
742 // not reached
743 }
744
OnEvent(StreamInterface * stream,int events,int err)745 void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream,
746 int events,
747 int err) {
748 int events_to_signal = 0;
749 int signal_error = 0;
750 RTC_DCHECK(stream == stream_.get());
751
752 if ((events & SE_OPEN)) {
753 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent SE_OPEN";
754 if (state_ != SSL_WAIT) {
755 RTC_DCHECK(state_ == SSL_NONE);
756 events_to_signal |= SE_OPEN;
757 } else {
758 state_ = SSL_CONNECTING;
759 if (int err = BeginSSL()) {
760 Error("BeginSSL", err, 0, true);
761 return;
762 }
763 }
764 }
765
766 if ((events & (SE_READ | SE_WRITE))) {
767 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent"
768 << ((events & SE_READ) ? " SE_READ" : "")
769 << ((events & SE_WRITE) ? " SE_WRITE" : "");
770 if (state_ == SSL_NONE) {
771 events_to_signal |= events & (SE_READ | SE_WRITE);
772 } else if (state_ == SSL_CONNECTING) {
773 if (int err = ContinueSSL()) {
774 Error("ContinueSSL", err, 0, true);
775 return;
776 }
777 } else if (state_ == SSL_CONNECTED) {
778 if (((events & SE_READ) && ssl_write_needs_read_) ||
779 (events & SE_WRITE)) {
780 RTC_DLOG(LS_VERBOSE) << " -- onStreamWriteable";
781 events_to_signal |= SE_WRITE;
782 }
783 if (((events & SE_WRITE) && ssl_read_needs_write_) ||
784 (events & SE_READ)) {
785 RTC_DLOG(LS_VERBOSE) << " -- onStreamReadable";
786 events_to_signal |= SE_READ;
787 }
788 }
789 }
790
791 if ((events & SE_CLOSE)) {
792 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent(SE_CLOSE, " << err
793 << ")";
794 Cleanup(0);
795 events_to_signal |= SE_CLOSE;
796 // SE_CLOSE is the only event that uses the final parameter to OnEvent().
797 RTC_DCHECK(signal_error == 0);
798 signal_error = err;
799 }
800
801 if (events_to_signal) {
802 // Note that the adapter presents itself as the origin of the stream events,
803 // since users of the adapter may not recognize the adapted object.
804 SignalEvent(this, events_to_signal, signal_error);
805 }
806 }
807
PostEvent(int events,int err)808 void OpenSSLStreamAdapter::PostEvent(int events, int err) {
809 owner_->PostTask(SafeTask(task_safety_.flag(), [this, events, err]() {
810 SignalEvent(this, events, err);
811 }));
812 }
813
SetTimeout(int delay_ms)814 void OpenSSLStreamAdapter::SetTimeout(int delay_ms) {
815 // We need to accept 0 delay here as well as >0 delay, because
816 // DTLSv1_get_timeout seems to frequently return 0 ms.
817 RTC_DCHECK_GE(delay_ms, 0);
818 RTC_DCHECK(!timeout_task_.Running());
819
820 timeout_task_ = webrtc::RepeatingTaskHandle::DelayedStart(
821 owner_, webrtc::TimeDelta::Millis(delay_ms),
822 [flag = task_safety_.flag(), this]() {
823 if (flag->alive()) {
824 RTC_DLOG(LS_INFO) << "DTLS timeout expired";
825 timeout_task_.Stop();
826 int res = DTLSv1_handle_timeout(ssl_);
827 if (res > 0) {
828 RTC_LOG(LS_INFO) << "DTLS retransmission";
829 } else if (res < 0) {
830 RTC_LOG(LS_INFO) << "DTLSv1_handle_timeout() return -1";
831 Error("DTLSv1_handle_timeout", res, -1, true);
832 return webrtc::TimeDelta::PlusInfinity();
833 }
834 ContinueSSL();
835 } else {
836 RTC_DCHECK_NOTREACHED();
837 }
838 // This callback will never run again (stopped above).
839 return webrtc::TimeDelta::PlusInfinity();
840 });
841 }
842
BeginSSL()843 int OpenSSLStreamAdapter::BeginSSL() {
844 RTC_DCHECK(state_ == SSL_CONNECTING);
845 // The underlying stream has opened.
846 RTC_DLOG(LS_INFO) << "BeginSSL with peer.";
847
848 BIO* bio = nullptr;
849
850 // First set up the context.
851 RTC_DCHECK(ssl_ctx_ == nullptr);
852 ssl_ctx_ = SetupSSLContext();
853 if (!ssl_ctx_) {
854 return -1;
855 }
856
857 bio = BIO_new_stream(stream_.get());
858 if (!bio) {
859 return -1;
860 }
861
862 ssl_ = SSL_new(ssl_ctx_);
863 if (!ssl_) {
864 BIO_free(bio);
865 return -1;
866 }
867
868 SSL_set_app_data(ssl_, this);
869
870 SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now.
871 if (ssl_mode_ == SSL_MODE_DTLS) {
872 #ifdef OPENSSL_IS_BORINGSSL
873 DTLSv1_set_initial_timeout_duration(ssl_, dtls_handshake_timeout_ms_);
874 #else
875 // Enable read-ahead for DTLS so whole packets are read from internal BIO
876 // before parsing. This is done internally by BoringSSL for DTLS.
877 SSL_set_read_ahead(ssl_, 1);
878 #endif
879 }
880
881 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
882 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
883
884 // Do the connect
885 return ContinueSSL();
886 }
887
ContinueSSL()888 int OpenSSLStreamAdapter::ContinueSSL() {
889 RTC_DLOG(LS_VERBOSE) << "ContinueSSL";
890 RTC_DCHECK(state_ == SSL_CONNECTING);
891
892 // Clear the DTLS timer
893 timeout_task_.Stop();
894
895 const int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
896 const int ssl_error = SSL_get_error(ssl_, code);
897
898 switch (ssl_error) {
899 case SSL_ERROR_NONE:
900 RTC_DLOG(LS_VERBOSE) << " -- success";
901 // By this point, OpenSSL should have given us a certificate, or errored
902 // out if one was missing.
903 RTC_DCHECK(peer_cert_chain_ || !GetClientAuthEnabled());
904
905 state_ = SSL_CONNECTED;
906 if (!WaitingToVerifyPeerCertificate()) {
907 // We have everything we need to start the connection, so signal
908 // SE_OPEN. If we need a client certificate fingerprint and don't have
909 // it yet, we'll instead signal SE_OPEN in SetPeerCertificateDigest.
910 //
911 // TODO(deadbeef): Post this event asynchronously to unwind the stack.
912 // The caller of ContinueSSL may be the same object listening for these
913 // events and may not be prepared for reentrancy.
914 // PostEvent(SE_OPEN | SE_READ | SE_WRITE, 0);
915 SignalEvent(this, SE_OPEN | SE_READ | SE_WRITE, 0);
916 }
917 break;
918
919 case SSL_ERROR_WANT_READ: {
920 RTC_DLOG(LS_VERBOSE) << " -- error want read";
921 struct timeval timeout;
922 if (DTLSv1_get_timeout(ssl_, &timeout)) {
923 int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
924 SetTimeout(delay);
925 }
926 } break;
927
928 case SSL_ERROR_WANT_WRITE:
929 RTC_DLOG(LS_VERBOSE) << " -- error want write";
930 break;
931
932 case SSL_ERROR_ZERO_RETURN:
933 default:
934 SSLHandshakeError ssl_handshake_err = SSLHandshakeError::UNKNOWN;
935 int err_code = ERR_peek_last_error();
936 if (err_code != 0 && ERR_GET_REASON(err_code) == SSL_R_NO_SHARED_CIPHER) {
937 ssl_handshake_err = SSLHandshakeError::INCOMPATIBLE_CIPHERSUITE;
938 }
939 RTC_DLOG(LS_VERBOSE) << " -- error " << code << ", " << err_code << ", "
940 << ERR_GET_REASON(err_code);
941 SignalSSLHandshakeError(ssl_handshake_err);
942 return (ssl_error != 0) ? ssl_error : -1;
943 }
944
945 return 0;
946 }
947
Error(absl::string_view context,int err,uint8_t alert,bool signal)948 void OpenSSLStreamAdapter::Error(absl::string_view context,
949 int err,
950 uint8_t alert,
951 bool signal) {
952 RTC_LOG(LS_WARNING) << "OpenSSLStreamAdapter::Error(" << context << ", "
953 << err << ", " << static_cast<int>(alert) << ")";
954 state_ = SSL_ERROR;
955 ssl_error_code_ = err;
956 Cleanup(alert);
957 if (signal) {
958 SignalEvent(this, SE_CLOSE, err);
959 }
960 }
961
Cleanup(uint8_t alert)962 void OpenSSLStreamAdapter::Cleanup(uint8_t alert) {
963 RTC_DLOG(LS_INFO) << "Cleanup";
964
965 if (state_ != SSL_ERROR) {
966 state_ = SSL_CLOSED;
967 ssl_error_code_ = 0;
968 }
969
970 if (ssl_) {
971 int ret;
972 // SSL_send_fatal_alert is only available in BoringSSL.
973 #ifdef OPENSSL_IS_BORINGSSL
974 if (alert) {
975 ret = SSL_send_fatal_alert(ssl_, alert);
976 if (ret < 0) {
977 RTC_LOG(LS_WARNING) << "SSL_send_fatal_alert failed, error = "
978 << SSL_get_error(ssl_, ret);
979 }
980 } else {
981 #endif
982 ret = SSL_shutdown(ssl_);
983 if (ret < 0) {
984 RTC_LOG(LS_WARNING)
985 << "SSL_shutdown failed, error = " << SSL_get_error(ssl_, ret);
986 }
987 #ifdef OPENSSL_IS_BORINGSSL
988 }
989 #endif
990 SSL_free(ssl_);
991 ssl_ = nullptr;
992 }
993 if (ssl_ctx_) {
994 SSL_CTX_free(ssl_ctx_);
995 ssl_ctx_ = nullptr;
996 }
997 identity_.reset();
998 peer_cert_chain_.reset();
999
1000 // Clear the DTLS timer
1001 timeout_task_.Stop();
1002 }
1003
SetupSSLContext()1004 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
1005 #ifdef OPENSSL_IS_BORINGSSL
1006 // If X509 objects aren't used, we can use these methods to avoid
1007 // linking the sizable crypto/x509 code, using CRYPTO_BUFFER instead.
1008 SSL_CTX* ctx =
1009 SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_with_buffers_method()
1010 : TLS_with_buffers_method());
1011 #else
1012 SSL_CTX* ctx =
1013 SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
1014 #endif
1015 if (ctx == nullptr) {
1016 return nullptr;
1017 }
1018
1019 if (support_legacy_tls_protocols_flag_) {
1020 // TODO(https://bugs.webrtc.org/10261): Completely remove this branch in
1021 // M84.
1022 SSL_CTX_set_min_proto_version(
1023 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
1024 switch (ssl_max_version_) {
1025 case SSL_PROTOCOL_TLS_10:
1026 SSL_CTX_set_max_proto_version(
1027 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
1028 break;
1029 case SSL_PROTOCOL_TLS_11:
1030 SSL_CTX_set_max_proto_version(
1031 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_1_VERSION);
1032 break;
1033 case SSL_PROTOCOL_TLS_12:
1034 default:
1035 SSL_CTX_set_max_proto_version(
1036 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
1037 break;
1038 }
1039 } else {
1040 // TODO(https://bugs.webrtc.org/10261): Make this the default in M84.
1041 SSL_CTX_set_min_proto_version(
1042 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
1043 SSL_CTX_set_max_proto_version(
1044 ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
1045 }
1046
1047 #ifdef OPENSSL_IS_BORINGSSL
1048 // SSL_CTX_set_current_time_cb is only supported in BoringSSL.
1049 if (g_use_time_callback_for_testing) {
1050 SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting);
1051 }
1052 SSL_CTX_set0_buffer_pool(ctx, openssl::GetBufferPool());
1053 #endif
1054
1055 if (identity_ && !identity_->ConfigureIdentity(ctx)) {
1056 SSL_CTX_free(ctx);
1057 return nullptr;
1058 }
1059
1060 #if !defined(NDEBUG)
1061 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback);
1062 #endif
1063
1064 int mode = SSL_VERIFY_PEER;
1065 if (GetClientAuthEnabled()) {
1066 // Require a certificate from the client.
1067 // Note: Normally this is always true in production, but it may be disabled
1068 // for testing purposes (e.g. SSLAdapter unit tests).
1069 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1070 }
1071
1072 // Configure a custom certificate verification callback to check the peer
1073 // certificate digest.
1074 #ifdef OPENSSL_IS_BORINGSSL
1075 // Use CRYPTO_BUFFER version of the callback if building with BoringSSL.
1076 SSL_CTX_set_custom_verify(ctx, mode, SSLVerifyCallback);
1077 #else
1078 // Note the second argument to SSL_CTX_set_verify is to override individual
1079 // errors in the default verification logic, which is not what we want here.
1080 SSL_CTX_set_verify(ctx, mode, nullptr);
1081 SSL_CTX_set_cert_verify_callback(ctx, SSLVerifyCallback, nullptr);
1082 #endif
1083
1084 // Select list of available ciphers. Note that !SHA256 and !SHA384 only
1085 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites
1086 // with SHA256 or SHA384 as the handshake hash.
1087 // This matches the list of SSLClientSocketImpl in Chromium.
1088 SSL_CTX_set_cipher_list(
1089 ctx,
1090 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK:!3DES");
1091
1092 if (!srtp_ciphers_.empty()) {
1093 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) {
1094 SSL_CTX_free(ctx);
1095 return nullptr;
1096 }
1097 }
1098
1099 return ctx;
1100 }
1101
VerifyPeerCertificate()1102 bool OpenSSLStreamAdapter::VerifyPeerCertificate() {
1103 if (!HasPeerCertificateDigest() || !peer_cert_chain_ ||
1104 !peer_cert_chain_->GetSize()) {
1105 RTC_LOG(LS_WARNING) << "Missing digest or peer certificate.";
1106 return false;
1107 }
1108
1109 unsigned char digest[EVP_MAX_MD_SIZE];
1110 size_t digest_length;
1111 if (!peer_cert_chain_->Get(0).ComputeDigest(
1112 peer_certificate_digest_algorithm_, digest, sizeof(digest),
1113 &digest_length)) {
1114 RTC_LOG(LS_WARNING) << "Failed to compute peer cert digest.";
1115 return false;
1116 }
1117
1118 Buffer computed_digest(digest, digest_length);
1119 if (computed_digest != peer_certificate_digest_value_) {
1120 RTC_LOG(LS_WARNING)
1121 << "Rejected peer certificate due to mismatched digest using "
1122 << peer_certificate_digest_algorithm_ << ". Expected "
1123 << rtc::hex_encode_with_delimiter(peer_certificate_digest_value_, ':')
1124 << " got " << rtc::hex_encode_with_delimiter(computed_digest, ':');
1125 return false;
1126 }
1127 // Ignore any verification error if the digest matches, since there is no
1128 // value in checking the validity of a self-signed cert issued by untrusted
1129 // sources.
1130 RTC_DLOG(LS_INFO) << "Accepted peer certificate.";
1131 peer_certificate_verified_ = true;
1132 return true;
1133 }
1134
GetPeerSSLCertChain() const1135 std::unique_ptr<SSLCertChain> OpenSSLStreamAdapter::GetPeerSSLCertChain()
1136 const {
1137 return peer_cert_chain_ ? peer_cert_chain_->Clone() : nullptr;
1138 }
1139
1140 #ifdef OPENSSL_IS_BORINGSSL
SSLVerifyCallback(SSL * ssl,uint8_t * out_alert)1141 enum ssl_verify_result_t OpenSSLStreamAdapter::SSLVerifyCallback(
1142 SSL* ssl,
1143 uint8_t* out_alert) {
1144 // Get our OpenSSLStreamAdapter from the context.
1145 OpenSSLStreamAdapter* stream =
1146 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
1147 const STACK_OF(CRYPTO_BUFFER)* chain = SSL_get0_peer_certificates(ssl);
1148 // Creates certificate chain.
1149 std::vector<std::unique_ptr<SSLCertificate>> cert_chain;
1150 for (CRYPTO_BUFFER* cert : chain) {
1151 cert_chain.emplace_back(new BoringSSLCertificate(bssl::UpRef(cert)));
1152 }
1153 stream->peer_cert_chain_.reset(new SSLCertChain(std::move(cert_chain)));
1154
1155 // If the peer certificate digest isn't known yet, we'll wait to verify
1156 // until it's known, and for now just return a success status.
1157 if (stream->peer_certificate_digest_algorithm_.empty()) {
1158 RTC_LOG(LS_INFO) << "Waiting to verify certificate until digest is known.";
1159 // TODO(deadbeef): Use ssl_verify_retry?
1160 return ssl_verify_ok;
1161 }
1162
1163 if (!stream->VerifyPeerCertificate()) {
1164 return ssl_verify_invalid;
1165 }
1166
1167 return ssl_verify_ok;
1168 }
1169 #else // OPENSSL_IS_BORINGSSL
SSLVerifyCallback(X509_STORE_CTX * store,void * arg)1170 int OpenSSLStreamAdapter::SSLVerifyCallback(X509_STORE_CTX* store, void* arg) {
1171 // Get our SSL structure and OpenSSLStreamAdapter from the store.
1172 SSL* ssl = reinterpret_cast<SSL*>(
1173 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
1174 OpenSSLStreamAdapter* stream =
1175 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
1176
1177 // Record the peer's certificate.
1178 X509* cert = X509_STORE_CTX_get0_cert(store);
1179 stream->peer_cert_chain_.reset(
1180 new SSLCertChain(std::make_unique<OpenSSLCertificate>(cert)));
1181
1182 // If the peer certificate digest isn't known yet, we'll wait to verify
1183 // until it's known, and for now just return a success status.
1184 if (stream->peer_certificate_digest_algorithm_.empty()) {
1185 RTC_DLOG(LS_INFO) << "Waiting to verify certificate until digest is known.";
1186 return 1;
1187 }
1188
1189 if (!stream->VerifyPeerCertificate()) {
1190 X509_STORE_CTX_set_error(store, X509_V_ERR_CERT_REJECTED);
1191 return 0;
1192 }
1193
1194 return 1;
1195 }
1196 #endif // !OPENSSL_IS_BORINGSSL
1197
IsBoringSsl()1198 bool OpenSSLStreamAdapter::IsBoringSsl() {
1199 #ifdef OPENSSL_IS_BORINGSSL
1200 return true;
1201 #else
1202 return false;
1203 #endif
1204 }
1205
1206 #define CDEF(X) \
1207 { static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X }
1208
1209 struct cipher_list {
1210 uint16_t cipher;
1211 const char* cipher_str;
1212 };
1213
1214 // TODO(torbjorng): Perhaps add more cipher suites to these lists.
1215 static const cipher_list OK_RSA_ciphers[] = {
1216 CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA),
1217 CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA),
1218 CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
1219 #ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256
1220 CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256),
1221 #endif
1222 #ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
1223 CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
1224 #endif
1225 };
1226
1227 static const cipher_list OK_ECDSA_ciphers[] = {
1228 CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
1229 CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
1230 CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
1231 #ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
1232 CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256),
1233 #endif
1234 #ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
1235 CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
1236 #endif
1237 };
1238 #undef CDEF
1239
IsAcceptableCipher(int cipher,KeyType key_type)1240 bool OpenSSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) {
1241 if (key_type == KT_RSA) {
1242 for (const cipher_list& c : OK_RSA_ciphers) {
1243 if (cipher == c.cipher) {
1244 return true;
1245 }
1246 }
1247 }
1248
1249 if (key_type == KT_ECDSA) {
1250 for (const cipher_list& c : OK_ECDSA_ciphers) {
1251 if (cipher == c.cipher) {
1252 return true;
1253 }
1254 }
1255 }
1256
1257 return false;
1258 }
1259
IsAcceptableCipher(absl::string_view cipher,KeyType key_type)1260 bool OpenSSLStreamAdapter::IsAcceptableCipher(absl::string_view cipher,
1261 KeyType key_type) {
1262 if (key_type == KT_RSA) {
1263 for (const cipher_list& c : OK_RSA_ciphers) {
1264 if (cipher == c.cipher_str) {
1265 return true;
1266 }
1267 }
1268 }
1269
1270 if (key_type == KT_ECDSA) {
1271 for (const cipher_list& c : OK_ECDSA_ciphers) {
1272 if (cipher == c.cipher_str) {
1273 return true;
1274 }
1275 }
1276 }
1277
1278 return false;
1279 }
1280
EnableTimeCallbackForTesting()1281 void OpenSSLStreamAdapter::EnableTimeCallbackForTesting() {
1282 #ifdef OPENSSL_IS_BORINGSSL
1283 g_use_time_callback_for_testing = true;
1284 #endif
1285 }
1286
1287 } // namespace rtc
1288