blob: 3d1760721f1f55c136306b7fb5f371453fb92ff4 [file] [log] [blame]
/*
* Copyright 2004 The WebRTC Project Authors. All rights reserved.
*
* Use of this source code is governed by a BSD-style license
* that can be found in the LICENSE file in the root of the source
* tree. An additional intellectual property rights grant can be found
* in the file PATENTS. All contributing project authors may
* be found in the AUTHORS file in the root of the source tree.
*/
#if HAVE_CONFIG_H
#include "config.h"
#endif // HAVE_CONFIG_H
#if HAVE_OPENSSL_SSL_H
#include "webrtc/base/opensslstreamadapter.h"
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/tls1.h>
#include <openssl/x509v3.h>
#include <vector>
#include "webrtc/base/common.h"
#include "webrtc/base/logging.h"
#include "webrtc/base/safe_conversions.h"
#include "webrtc/base/stream.h"
#include "webrtc/base/openssl.h"
#include "webrtc/base/openssladapter.h"
#include "webrtc/base/openssldigest.h"
#include "webrtc/base/opensslidentity.h"
#include "webrtc/base/stringutils.h"
#include "webrtc/base/thread.h"
namespace rtc {
#if (OPENSSL_VERSION_NUMBER >= 0x10001000L)
#define HAVE_DTLS_SRTP
#endif
#ifdef HAVE_DTLS_SRTP
// SRTP cipher suite table
struct SrtpCipherMapEntry {
const char* external_name;
const char* internal_name;
};
// This isn't elegant, but it's better than an external reference
static SrtpCipherMapEntry SrtpCipherMap[] = {
{"AES_CM_128_HMAC_SHA1_80", "SRTP_AES128_CM_SHA1_80"},
{"AES_CM_128_HMAC_SHA1_32", "SRTP_AES128_CM_SHA1_32"},
{NULL, NULL}
};
#endif
#ifndef OPENSSL_IS_BORINGSSL
// Cipher name table. Maps internal OpenSSL cipher ids to the RFC name.
struct SslCipherMapEntry {
uint32_t openssl_id;
const char* rfc_name;
};
#define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name}
#define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name}
// There currently is no method available to get a RFC-compliant name for a
// cipher suite from BoringSSL, so we need to define the mapping manually here.
// This should go away once BoringSSL supports "SSL_CIPHER_standard_name"
// (as available in OpenSSL if compiled with tracing enabled) or a similar
// method.
static const SslCipherMapEntry kSslCipherMap[] = {
// TLS v1.0 ciphersuites from RFC2246.
DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA),
{SSL3_CK_RSA_DES_192_CBC3_SHA,
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
// AES ciphersuites from RFC3268.
{TLS1_CK_RSA_WITH_AES_128_SHA,
"TLS_RSA_WITH_AES_128_CBC_SHA"},
{TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
{TLS1_CK_RSA_WITH_AES_256_SHA,
"TLS_RSA_WITH_AES_256_CBC_SHA"},
{TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
// ECC ciphersuites from RFC4492.
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA),
{TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"},
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA),
{TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"},
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA),
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA),
// TLS v1.2 ciphersuites.
{TLS1_CK_RSA_WITH_AES_128_SHA256,
"TLS_RSA_WITH_AES_128_CBC_SHA256"},
{TLS1_CK_RSA_WITH_AES_256_SHA256,
"TLS_RSA_WITH_AES_256_CBC_SHA256"},
{TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"},
{TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"},
// TLS v1.2 GCM ciphersuites from RFC5288.
DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256),
DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384),
DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256),
DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384),
DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256),
DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384),
// ECDH HMAC based ciphersuites from RFC5289.
{TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"},
{TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"},
{TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
{TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
// ECDH GCM based ciphersuites from RFC5289.
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384),
{0, NULL}
};
#endif // #ifndef OPENSSL_IS_BORINGSSL
// Default cipher used between OpenSSL/BoringSSL stream adapters.
// This needs to be updated when the default of the SSL library changes.
static const char kDefaultSslCipher10[] =
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
static const char kDefaultSslEcCipher10[] =
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
#ifdef OPENSSL_IS_BORINGSSL
static const char kDefaultSslCipher12[] =
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
static const char kDefaultSslEcCipher12[] =
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
// Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable.
static const char kDefaultSslCipher12NoAesGcm[] =
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
static const char kDefaultSslEcCipher12NoAesGcm[] =
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256";
#else // !OPENSSL_IS_BORINGSSL
// OpenSSL sorts differently than BoringSSL, so the default cipher doesn't
// change between TLS 1.0 and TLS 1.2 with the current setup.
static const char kDefaultSslCipher12[] =
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
static const char kDefaultSslEcCipher12[] =
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
#endif
//////////////////////////////////////////////////////////////////////
// StreamBIO
//////////////////////////////////////////////////////////////////////
static int stream_write(BIO* h, const char* buf, int num);
static int stream_read(BIO* h, char* buf, int size);
static int stream_puts(BIO* h, const char* str);
static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2);
static int stream_new(BIO* h);
static int stream_free(BIO* data);
// TODO(davidben): This should be const once BoringSSL is assumed.
static BIO_METHOD methods_stream = {
BIO_TYPE_BIO,
"stream",
stream_write,
stream_read,
stream_puts,
0,
stream_ctrl,
stream_new,
stream_free,
NULL,
};
static BIO_METHOD* BIO_s_stream() { return(&methods_stream); }
static BIO* BIO_new_stream(StreamInterface* stream) {
BIO* ret = BIO_new(BIO_s_stream());
if (ret == NULL)
return NULL;
ret->ptr = stream;
return ret;
}
// bio methods return 1 (or at least non-zero) on success and 0 on failure.
static int stream_new(BIO* b) {
b->shutdown = 0;
b->init = 1;
b->num = 0; // 1 means end-of-stream
b->ptr = 0;
return 1;
}
static int stream_free(BIO* b) {
if (b == NULL)
return 0;
return 1;
}
static int stream_read(BIO* b, char* out, int outl) {
if (!out)
return -1;
StreamInterface* stream = static_cast<StreamInterface*>(b->ptr);
BIO_clear_retry_flags(b);
size_t read;
int error;
StreamResult result = stream->Read(out, outl, &read, &error);
if (result == SR_SUCCESS) {
return checked_cast<int>(read);
} else if (result == SR_EOS) {
b->num = 1;
} else if (result == SR_BLOCK) {
BIO_set_retry_read(b);
}
return -1;
}
static int stream_write(BIO* b, const char* in, int inl) {
if (!in)
return -1;
StreamInterface* stream = static_cast<StreamInterface*>(b->ptr);
BIO_clear_retry_flags(b);
size_t written;
int error;
StreamResult result = stream->Write(in, inl, &written, &error);
if (result == SR_SUCCESS) {
return checked_cast<int>(written);
} else if (result == SR_BLOCK) {
BIO_set_retry_write(b);
}
return -1;
}
static int stream_puts(BIO* b, const char* str) {
return stream_write(b, str, checked_cast<int>(strlen(str)));
}
static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) {
RTC_UNUSED(num);
RTC_UNUSED(ptr);
switch (cmd) {
case BIO_CTRL_RESET:
return 0;
case BIO_CTRL_EOF:
return b->num;
case BIO_CTRL_WPENDING:
case BIO_CTRL_PENDING:
return 0;
case BIO_CTRL_FLUSH:
return 1;
case BIO_CTRL_DGRAM_QUERY_MTU:
// openssl defaults to mtu=256 unless we return something here.
// The handshake doesn't actually need to send packets above 1k,
// so this seems like a sensible value that should work in most cases.
// Webrtc uses the same value for video packets.
return 1200;
default:
return 0;
}
}
/////////////////////////////////////////////////////////////////////////////
// OpenSSLStreamAdapter
/////////////////////////////////////////////////////////////////////////////
OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream)
: SSLStreamAdapter(stream),
state_(SSL_NONE),
role_(SSL_CLIENT),
ssl_read_needs_write_(false), ssl_write_needs_read_(false),
ssl_(NULL), ssl_ctx_(NULL),
custom_verification_succeeded_(false),
ssl_mode_(SSL_MODE_TLS),
ssl_max_version_(SSL_PROTOCOL_TLS_11) {
}
OpenSSLStreamAdapter::~OpenSSLStreamAdapter() {
Cleanup();
}
void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) {
ASSERT(!identity_);
identity_.reset(static_cast<OpenSSLIdentity*>(identity));
}
void OpenSSLStreamAdapter::SetServerRole(SSLRole role) {
role_ = role;
}
bool OpenSSLStreamAdapter::GetPeerCertificate(SSLCertificate** cert) const {
if (!peer_certificate_)
return false;
*cert = peer_certificate_->GetReference();
return true;
}
bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string
&digest_alg,
const unsigned char*
digest_val,
size_t digest_len) {
ASSERT(!peer_certificate_);
ASSERT(peer_certificate_digest_algorithm_.size() == 0);
ASSERT(ssl_server_name_.empty());
size_t expected_len;
if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) {
LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg;
return false;
}
if (expected_len != digest_len)
return false;
peer_certificate_digest_value_.SetData(digest_val, digest_len);
peer_certificate_digest_algorithm_ = digest_alg;
return true;
}
#ifndef OPENSSL_IS_BORINGSSL
const char* OpenSSLStreamAdapter::GetRfcSslCipherName(
const SSL_CIPHER* cipher) {
ASSERT(cipher != NULL);
for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name;
++entry) {
if (cipher->id == entry->openssl_id) {
return entry->rfc_name;
}
}
return NULL;
}
#endif
bool OpenSSLStreamAdapter::GetSslCipher(std::string* cipher) {
if (state_ != SSL_CONNECTED)
return false;
const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_);
if (current_cipher == NULL) {
return false;
}
#ifdef OPENSSL_IS_BORINGSSL
char* cipher_name = SSL_CIPHER_get_rfc_name(current_cipher);
#else
const char* cipher_name = GetRfcSslCipherName(current_cipher);
#endif
if (cipher_name == NULL) {
return false;
}
*cipher = cipher_name;
#ifdef OPENSSL_IS_BORINGSSL
OPENSSL_free(cipher_name);
#endif
return true;
}
// Key Extractor interface
bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label,
const uint8* context,
size_t context_len,
bool use_context,
uint8* result,
size_t result_len) {
#ifdef HAVE_DTLS_SRTP
int i;
i = SSL_export_keying_material(ssl_, result, result_len,
label.c_str(), label.length(),
const_cast<uint8 *>(context),
context_len, use_context);
if (i != 1)
return false;
return true;
#else
return false;
#endif
}
bool OpenSSLStreamAdapter::SetDtlsSrtpCiphers(
const std::vector<std::string>& ciphers) {
#ifdef HAVE_DTLS_SRTP
std::string internal_ciphers;
if (state_ != SSL_NONE)
return false;
for (std::vector<std::string>::const_iterator cipher = ciphers.begin();
cipher != ciphers.end(); ++cipher) {
bool found = false;
for (SrtpCipherMapEntry *entry = SrtpCipherMap; entry->internal_name;
++entry) {
if (*cipher == entry->external_name) {
found = true;
if (!internal_ciphers.empty())
internal_ciphers += ":";
internal_ciphers += entry->internal_name;
break;
}
}
if (!found) {
LOG(LS_ERROR) << "Could not find cipher: " << *cipher;
return false;
}
}
if (internal_ciphers.empty())
return false;
srtp_ciphers_ = internal_ciphers;
return true;
#else
return false;
#endif
}
bool OpenSSLStreamAdapter::GetDtlsSrtpCipher(std::string* cipher) {
#ifdef HAVE_DTLS_SRTP
ASSERT(state_ == SSL_CONNECTED);
if (state_ != SSL_CONNECTED)
return false;
const SRTP_PROTECTION_PROFILE *srtp_profile =
SSL_get_selected_srtp_profile(ssl_);
if (!srtp_profile)
return false;
for (SrtpCipherMapEntry *entry = SrtpCipherMap;
entry->internal_name; ++entry) {
if (!strcmp(entry->internal_name, srtp_profile->name)) {
*cipher = entry->external_name;
return true;
}
}
ASSERT(false); // This should never happen
return false;
#else
return false;
#endif
}
int OpenSSLStreamAdapter::StartSSLWithServer(const char* server_name) {
ASSERT(server_name != NULL && server_name[0] != '\0');
ssl_server_name_ = server_name;
return StartSSL();
}
int OpenSSLStreamAdapter::StartSSLWithPeer() {
ASSERT(ssl_server_name_.empty());
// It is permitted to specify peer_certificate_ only later.
return StartSSL();
}
void OpenSSLStreamAdapter::SetMode(SSLMode mode) {
ASSERT(state_ == SSL_NONE);
ssl_mode_ = mode;
}
void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) {
ASSERT(ssl_ctx_ == NULL);
ssl_max_version_ = version;
}
//
// StreamInterface Implementation
//
StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len,
size_t* written, int* error) {
LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")";
switch (state_) {
case SSL_NONE:
// pass-through in clear text
return StreamAdapterInterface::Write(data, data_len, written, error);
case SSL_WAIT:
case SSL_CONNECTING:
return SR_BLOCK;
case SSL_CONNECTED:
break;
case SSL_ERROR:
case SSL_CLOSED:
default:
if (error)
*error = ssl_error_code_;
return SR_ERROR;
}
// OpenSSL will return an error if we try to write zero bytes
if (data_len == 0) {
if (written)
*written = 0;
return SR_SUCCESS;
}
ssl_write_needs_read_ = false;
int code = SSL_write(ssl_, data, checked_cast<int>(data_len));
int ssl_error = SSL_get_error(ssl_, code);
switch (ssl_error) {
case SSL_ERROR_NONE:
LOG(LS_VERBOSE) << " -- success";
ASSERT(0 < code && static_cast<unsigned>(code) <= data_len);
if (written)
*written = code;
return SR_SUCCESS;
case SSL_ERROR_WANT_READ:
LOG(LS_VERBOSE) << " -- error want read";
ssl_write_needs_read_ = true;
return SR_BLOCK;
case SSL_ERROR_WANT_WRITE:
LOG(LS_VERBOSE) << " -- error want write";
return SR_BLOCK;
case SSL_ERROR_ZERO_RETURN:
default:
Error("SSL_write", (ssl_error ? ssl_error : -1), false);
if (error)
*error = ssl_error_code_;
return SR_ERROR;
}
// not reached
}
StreamResult OpenSSLStreamAdapter::Read(void* data, size_t data_len,
size_t* read, int* error) {
LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data_len << ")";
switch (state_) {
case SSL_NONE:
// pass-through in clear text
return StreamAdapterInterface::Read(data, data_len, read, error);
case SSL_WAIT:
case SSL_CONNECTING:
return SR_BLOCK;
case SSL_CONNECTED:
break;
case SSL_CLOSED:
return SR_EOS;
case SSL_ERROR:
default:
if (error)
*error = ssl_error_code_;
return SR_ERROR;
}
// Don't trust OpenSSL with zero byte reads
if (data_len == 0) {
if (read)
*read = 0;
return SR_SUCCESS;
}
ssl_read_needs_write_ = false;
int code = SSL_read(ssl_, data, checked_cast<int>(data_len));
int ssl_error = SSL_get_error(ssl_, code);
switch (ssl_error) {
case SSL_ERROR_NONE:
LOG(LS_VERBOSE) << " -- success";
ASSERT(0 < code && static_cast<unsigned>(code) <= data_len);
if (read)
*read = code;
if (ssl_mode_ == SSL_MODE_DTLS) {
// Enforce atomic reads -- this is a short read
unsigned int pending = SSL_pending(ssl_);
if (pending) {
LOG(LS_INFO) << " -- short DTLS read. flushing";
FlushInput(pending);
if (error)
*error = SSE_MSG_TRUNC;
return SR_ERROR;
}
}
return SR_SUCCESS;
case SSL_ERROR_WANT_READ:
LOG(LS_VERBOSE) << " -- error want read";
return SR_BLOCK;
case SSL_ERROR_WANT_WRITE:
LOG(LS_VERBOSE) << " -- error want write";
ssl_read_needs_write_ = true;
return SR_BLOCK;
case SSL_ERROR_ZERO_RETURN:
LOG(LS_VERBOSE) << " -- remote side closed";
return SR_EOS;
break;
default:
LOG(LS_VERBOSE) << " -- error " << code;
Error("SSL_read", (ssl_error ? ssl_error : -1), false);
if (error)
*error = ssl_error_code_;
return SR_ERROR;
}
// not reached
}
void OpenSSLStreamAdapter::FlushInput(unsigned int left) {
unsigned char buf[2048];
while (left) {
// This should always succeed
int toread = (sizeof(buf) < left) ? sizeof(buf) : left;
int code = SSL_read(ssl_, buf, toread);
int ssl_error = SSL_get_error(ssl_, code);
ASSERT(ssl_error == SSL_ERROR_NONE);
if (ssl_error != SSL_ERROR_NONE) {
LOG(LS_VERBOSE) << " -- error " << code;
Error("SSL_read", (ssl_error ? ssl_error : -1), false);
return;
}
LOG(LS_VERBOSE) << " -- flushed " << code << " bytes";
left -= code;
}
}
void OpenSSLStreamAdapter::Close() {
Cleanup();
ASSERT(state_ == SSL_CLOSED || state_ == SSL_ERROR);
StreamAdapterInterface::Close();
}
StreamState OpenSSLStreamAdapter::GetState() const {
switch (state_) {
case SSL_WAIT:
case SSL_CONNECTING:
return SS_OPENING;
case SSL_CONNECTED:
return SS_OPEN;
default:
return SS_CLOSED;
};
// not reached
}
void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, int events,
int err) {
int events_to_signal = 0;
int signal_error = 0;
ASSERT(stream == this->stream());
if ((events & SE_OPEN)) {
LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent SE_OPEN";
if (state_ != SSL_WAIT) {
ASSERT(state_ == SSL_NONE);
events_to_signal |= SE_OPEN;
} else {
state_ = SSL_CONNECTING;
if (int err = BeginSSL()) {
Error("BeginSSL", err, true);
return;
}
}
}
if ((events & (SE_READ|SE_WRITE))) {
LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent"
<< ((events & SE_READ) ? " SE_READ" : "")
<< ((events & SE_WRITE) ? " SE_WRITE" : "");
if (state_ == SSL_NONE) {
events_to_signal |= events & (SE_READ|SE_WRITE);
} else if (state_ == SSL_CONNECTING) {
if (int err = ContinueSSL()) {
Error("ContinueSSL", err, true);
return;
}
} else if (state_ == SSL_CONNECTED) {
if (((events & SE_READ) && ssl_write_needs_read_) ||
(events & SE_WRITE)) {
LOG(LS_VERBOSE) << " -- onStreamWriteable";
events_to_signal |= SE_WRITE;
}
if (((events & SE_WRITE) && ssl_read_needs_write_) ||
(events & SE_READ)) {
LOG(LS_VERBOSE) << " -- onStreamReadable";
events_to_signal |= SE_READ;
}
}
}
if ((events & SE_CLOSE)) {
LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent(SE_CLOSE, " << err << ")";
Cleanup();
events_to_signal |= SE_CLOSE;
// SE_CLOSE is the only event that uses the final parameter to OnEvent().
ASSERT(signal_error == 0);
signal_error = err;
}
if (events_to_signal)
StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error);
}
int OpenSSLStreamAdapter::StartSSL() {
ASSERT(state_ == SSL_NONE);
if (StreamAdapterInterface::GetState() != SS_OPEN) {
state_ = SSL_WAIT;
return 0;
}
state_ = SSL_CONNECTING;
if (int err = BeginSSL()) {
Error("BeginSSL", err, false);
return err;
}
return 0;
}
int OpenSSLStreamAdapter::BeginSSL() {
ASSERT(state_ == SSL_CONNECTING);
// The underlying stream has open. If we are in peer-to-peer mode
// then a peer certificate must have been specified by now.
ASSERT(!ssl_server_name_.empty() ||
!peer_certificate_digest_algorithm_.empty());
LOG(LS_INFO) << "BeginSSL: "
<< (!ssl_server_name_.empty() ? ssl_server_name_ :
"with peer");
BIO* bio = NULL;
// First set up the context
ASSERT(ssl_ctx_ == NULL);
ssl_ctx_ = SetupSSLContext();
if (!ssl_ctx_)
return -1;
bio = BIO_new_stream(static_cast<StreamInterface*>(stream()));
if (!bio)
return -1;
ssl_ = SSL_new(ssl_ctx_);
if (!ssl_) {
BIO_free(bio);
return -1;
}
SSL_set_app_data(ssl_, this);
SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now.
#ifndef OPENSSL_IS_BORINGSSL
if (ssl_mode_ == SSL_MODE_DTLS) {
// Enable read-ahead for DTLS so whole packets are read from internal BIO
// before parsing. This is done internally by BoringSSL for DTLS.
SSL_set_read_ahead(ssl_, 1);
}
#endif
SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
// Specify an ECDH group for ECDHE ciphers, otherwise they cannot be
// negotiated when acting as the server. Use NIST's P-256 which is commonly
// supported.
EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh == NULL)
return -1;
SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);
SSL_set_tmp_ecdh(ssl_, ecdh);
EC_KEY_free(ecdh);
// Do the connect
return ContinueSSL();
}
int OpenSSLStreamAdapter::ContinueSSL() {
LOG(LS_VERBOSE) << "ContinueSSL";
ASSERT(state_ == SSL_CONNECTING);
// Clear the DTLS timer
Thread::Current()->Clear(this, MSG_TIMEOUT);
int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
int ssl_error;
switch (ssl_error = SSL_get_error(ssl_, code)) {
case SSL_ERROR_NONE:
LOG(LS_VERBOSE) << " -- success";
if (!SSLPostConnectionCheck(ssl_, ssl_server_name_.c_str(), NULL,
peer_certificate_digest_algorithm_)) {
LOG(LS_ERROR) << "TLS post connection check failed";
return -1;
}
state_ = SSL_CONNECTED;
StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0);
break;
case SSL_ERROR_WANT_READ: {
LOG(LS_VERBOSE) << " -- error want read";
struct timeval timeout;
if (DTLSv1_get_timeout(ssl_, &timeout)) {
int delay = timeout.tv_sec * 1000 + timeout.tv_usec/1000;
Thread::Current()->PostDelayed(delay, this, MSG_TIMEOUT, 0);
}
}
break;
case SSL_ERROR_WANT_WRITE:
LOG(LS_VERBOSE) << " -- error want write";
break;
case SSL_ERROR_ZERO_RETURN:
default:
LOG(LS_VERBOSE) << " -- error " << code;
return (ssl_error != 0) ? ssl_error : -1;
}
return 0;
}
void OpenSSLStreamAdapter::Error(const char* context, int err, bool signal) {
LOG(LS_WARNING) << "OpenSSLStreamAdapter::Error("
<< context << ", " << err << ")";
state_ = SSL_ERROR;
ssl_error_code_ = err;
Cleanup();
if (signal)
StreamAdapterInterface::OnEvent(stream(), SE_CLOSE, err);
}
void OpenSSLStreamAdapter::Cleanup() {
LOG(LS_INFO) << "Cleanup";
if (state_ != SSL_ERROR) {
state_ = SSL_CLOSED;
ssl_error_code_ = 0;
}
if (ssl_) {
int ret = SSL_shutdown(ssl_);
if (ret < 0) {
LOG(LS_WARNING) << "SSL_shutdown failed, error = "
<< SSL_get_error(ssl_, ret);
}
SSL_free(ssl_);
ssl_ = NULL;
}
if (ssl_ctx_) {
SSL_CTX_free(ssl_ctx_);
ssl_ctx_ = NULL;
}
identity_.reset();
peer_certificate_.reset();
// Clear the DTLS timer
Thread::Current()->Clear(this, MSG_TIMEOUT);
}
void OpenSSLStreamAdapter::OnMessage(Message* msg) {
// Process our own messages and then pass others to the superclass
if (MSG_TIMEOUT == msg->message_id) {
LOG(LS_INFO) << "DTLS timeout expired";
DTLSv1_handle_timeout(ssl_);
ContinueSSL();
} else {
StreamInterface::OnMessage(msg);
}
}
SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
SSL_CTX *ctx = NULL;
#ifdef OPENSSL_IS_BORINGSSL
ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ?
DTLS_method() : TLS_method());
// Version limiting for BoringSSL will be done below.
#else
const SSL_METHOD* method;
switch (ssl_max_version_) {
case SSL_PROTOCOL_TLS_10:
case SSL_PROTOCOL_TLS_11:
// OpenSSL doesn't support setting min/max versions, so we always use
// (D)TLS 1.0 if a max. version below the max. available is requested.
if (ssl_mode_ == SSL_MODE_DTLS) {
if (role_ == SSL_CLIENT) {
method = DTLSv1_client_method();
} else {
method = DTLSv1_server_method();
}
} else {
if (role_ == SSL_CLIENT) {
method = TLSv1_client_method();
} else {
method = TLSv1_server_method();
}
}
break;
case SSL_PROTOCOL_TLS_12:
default:
if (ssl_mode_ == SSL_MODE_DTLS) {
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
// DTLS 1.2 only available starting from OpenSSL 1.0.2
if (role_ == SSL_CLIENT) {
method = DTLS_client_method();
} else {
method = DTLS_server_method();
}
#else
if (role_ == SSL_CLIENT) {
method = DTLSv1_client_method();
} else {
method = DTLSv1_server_method();
}
#endif
} else {
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
// New API only available starting from OpenSSL 1.1.0
if (role_ == SSL_CLIENT) {
method = TLS_client_method();
} else {
method = TLS_server_method();
}
#else
if (role_ == SSL_CLIENT) {
method = SSLv23_client_method();
} else {
method = SSLv23_server_method();
}
#endif
}
break;
}
ctx = SSL_CTX_new(method);
#endif // OPENSSL_IS_BORINGSSL
if (ctx == NULL)
return NULL;
#ifdef OPENSSL_IS_BORINGSSL
SSL_CTX_set_min_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
DTLS1_VERSION : TLS1_VERSION);
switch (ssl_max_version_) {
case SSL_PROTOCOL_TLS_10:
SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
DTLS1_VERSION : TLS1_VERSION);
break;
case SSL_PROTOCOL_TLS_11:
SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
DTLS1_VERSION : TLS1_1_VERSION);
break;
case SSL_PROTOCOL_TLS_12:
default:
SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
DTLS1_2_VERSION : TLS1_2_VERSION);
break;
}
#endif
if (identity_ && !identity_->ConfigureIdentity(ctx)) {
SSL_CTX_free(ctx);
return NULL;
}
#ifdef _DEBUG
SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback);
#endif
int mode = SSL_VERIFY_PEER;
if (client_auth_enabled()) {
// Require a certificate from the client.
// Note: Normally this is always true in production, but it may be disabled
// for testing purposes (e.g. SSLAdapter unit tests).
mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}
SSL_CTX_set_verify(ctx, mode, SSLVerifyCallback);
SSL_CTX_set_verify_depth(ctx, 4);
// Select list of available ciphers. Note that !SHA256 and !SHA384 only
// remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites
// with SHA256 or SHA384 as the handshake hash.
// This matches the list of SSLClientSocketOpenSSL in Chromium.
SSL_CTX_set_cipher_list(ctx,
"DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK");
#ifdef HAVE_DTLS_SRTP
if (!srtp_ciphers_.empty()) {
if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) {
SSL_CTX_free(ctx);
return NULL;
}
}
#endif
return ctx;
}
int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
// Get our SSL structure from the store
SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(
store,
SSL_get_ex_data_X509_STORE_CTX_idx()));
OpenSSLStreamAdapter* stream =
reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
if (stream->peer_certificate_digest_algorithm_.empty()) {
return 0;
}
X509* cert = X509_STORE_CTX_get_current_cert(store);
int depth = X509_STORE_CTX_get_error_depth(store);
// For now We ignore the parent certificates and verify the leaf against
// the digest.
//
// TODO(jiayl): Verify the chain is a proper chain and report the chain to
// |stream->peer_certificate_|, like what NSS does.
if (depth > 0) {
LOG(LS_INFO) << "Ignored chained certificate at depth " << depth;
return 1;
}
unsigned char digest[EVP_MAX_MD_SIZE];
size_t digest_length;
if (!OpenSSLCertificate::ComputeDigest(
cert,
stream->peer_certificate_digest_algorithm_,
digest, sizeof(digest),
&digest_length)) {
LOG(LS_WARNING) << "Failed to compute peer cert digest.";
return 0;
}
Buffer computed_digest(digest, digest_length);
if (computed_digest != stream->peer_certificate_digest_value_) {
LOG(LS_WARNING) << "Rejected peer certificate due to mismatched digest.";
return 0;
}
// Ignore any verification error if the digest matches, since there is no
// value in checking the validity of a self-signed cert issued by untrusted
// sources.
LOG(LS_INFO) << "Accepted peer certificate.";
// Record the peer's certificate.
stream->peer_certificate_.reset(new OpenSSLCertificate(cert));
return 1;
}
// This code is taken from the "Network Security with OpenSSL"
// sample in chapter 5
bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl,
const char* server_name,
const X509* peer_cert,
const std::string
&peer_digest) {
ASSERT(server_name != NULL);
bool ok;
if (server_name[0] != '\0') { // traditional mode
ok = OpenSSLAdapter::VerifyServerName(ssl, server_name, ignore_bad_cert());
if (ok) {
ok = (SSL_get_verify_result(ssl) == X509_V_OK ||
custom_verification_succeeded_);
}
} else { // peer-to-peer mode
ASSERT((peer_cert != NULL) || (!peer_digest.empty()));
// no server name validation
ok = true;
}
if (!ok && ignore_bad_cert()) {
LOG(LS_ERROR) << "SSL_get_verify_result(ssl) = "
<< SSL_get_verify_result(ssl);
LOG(LS_INFO) << "Other TLS post connection checks failed.";
ok = true;
}
return ok;
}
bool OpenSSLStreamAdapter::HaveDtls() {
return true;
}
bool OpenSSLStreamAdapter::HaveDtlsSrtp() {
#ifdef HAVE_DTLS_SRTP
return true;
#else
return false;
#endif
}
bool OpenSSLStreamAdapter::HaveExporter() {
#ifdef HAVE_DTLS_SRTP
return true;
#else
return false;
#endif
}
std::string OpenSSLStreamAdapter::GetDefaultSslCipher(
SSLProtocolVersion version,
KeyType key_type) {
if (key_type == KT_RSA) {
switch (version) {
case SSL_PROTOCOL_TLS_10:
case SSL_PROTOCOL_TLS_11:
return kDefaultSslCipher10;
case SSL_PROTOCOL_TLS_12:
default:
#ifdef OPENSSL_IS_BORINGSSL
if (EVP_has_aes_hardware()) {
return kDefaultSslCipher12;
} else {
return kDefaultSslCipher12NoAesGcm;
}
#else // !OPENSSL_IS_BORINGSSL
return kDefaultSslCipher12;
#endif
}
} else if (key_type == KT_ECDSA) {
switch (version) {
case SSL_PROTOCOL_TLS_10:
case SSL_PROTOCOL_TLS_11:
return kDefaultSslEcCipher10;
case SSL_PROTOCOL_TLS_12:
default:
#ifdef OPENSSL_IS_BORINGSSL
if (EVP_has_aes_hardware()) {
return kDefaultSslEcCipher12;
} else {
return kDefaultSslEcCipher12NoAesGcm;
}
#else // !OPENSSL_IS_BORINGSSL
return kDefaultSslEcCipher12;
#endif
}
} else {
return std::string();
}
}
} // namespace rtc
#endif // HAVE_OPENSSL_SSL_H