1 /*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11 #include "rtc_base/openssl_stream_adapter.h"
12
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/err.h>
16 #include <openssl/rand.h>
17 #include <openssl/tls1.h>
18 #include <openssl/x509v3.h>
19 #ifndef OPENSSL_IS_BORINGSSL
20 /* For LibreSSL the definition of SSL_SESSION is in ssl.h it has to go first */
21 #include <openssl/ssl.h>
22 #include <openssl/dtls1.h>
23 #endif
24
25 #include <atomic>
26 #include <memory>
27 #include <utility>
28 #include <vector>
29
30 #include "rtc_base/checks.h"
31 #include "rtc_base/logging.h"
32 #include "rtc_base/numerics/safe_conversions.h"
33 #include "rtc_base/openssl.h"
34 #include "rtc_base/openssl_adapter.h"
35 #include "rtc_base/openssl_digest.h"
36 #ifdef OPENSSL_IS_BORINGSSL
37 #include "rtc_base/boringssl_identity.h"
38 #else
39 #include "rtc_base/openssl_identity.h"
40 #endif
41 #include "rtc_base/openssl_utility.h"
42 #include "rtc_base/ssl_certificate.h"
43 #include "rtc_base/stream.h"
44 #include "rtc_base/task_utils/to_queued_task.h"
45 #include "rtc_base/thread.h"
46 #include "rtc_base/time_utils.h"
47 #include "system_wrappers/include/field_trial.h"
48
49 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
50 #error "webrtc requires at least OpenSSL version 1.1.0, to support DTLS-SRTP"
51 #endif
52
53 // Defines for the TLS Cipher Suite Map.
54 #define DEFINE_CIPHER_ENTRY_SSL3(name) \
55 { SSL3_CK_##name, "TLS_" #name }
56 #define DEFINE_CIPHER_ENTRY_TLS1(name) \
57 { TLS1_CK_##name, "TLS_" #name }
58
59 namespace rtc {
60 namespace {
61 // SRTP cipher suite table. |internal_name| is used to construct a
62 // colon-separated profile strings which is needed by
63 // SSL_CTX_set_tlsext_use_srtp().
64 struct SrtpCipherMapEntry {
65 const char* internal_name;
66 const int id;
67 };
68
69 // Cipher name table. Maps internal OpenSSL cipher ids to the RFC name.
70 struct SslCipherMapEntry {
71 uint32_t openssl_id;
72 const char* rfc_name;
73 };
74
75 // This isn't elegant, but it's better than an external reference
76 constexpr SrtpCipherMapEntry kSrtpCipherMap[] = {
77 {"SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80},
78 {"SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32},
79 {"SRTP_AEAD_AES_128_GCM", SRTP_AEAD_AES_128_GCM},
80 {"SRTP_AEAD_AES_256_GCM", SRTP_AEAD_AES_256_GCM}};
81
82 #ifndef OPENSSL_IS_BORINGSSL
83 // The "SSL_CIPHER_standard_name" function is only available in OpenSSL when
84 // compiled with tracing, so we need to define the mapping manually here.
85 constexpr SslCipherMapEntry kSslCipherMap[] = {
86 // TLS v1.0 ciphersuites from RFC2246.
87 DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA),
88 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
89
90 // AES ciphersuites from RFC3268.
91 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
92 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
93 {TLS1_CK_RSA_WITH_AES_256_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA"},
94 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
95
96 // ECC ciphersuites from RFC4492.
97 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA),
98 {TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
99 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"},
100 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
101 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
102
103 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA),
104 {TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
105 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"},
106 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA),
107 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA),
108
109 // TLS v1.2 ciphersuites.
110 {TLS1_CK_RSA_WITH_AES_128_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"},
111 {TLS1_CK_RSA_WITH_AES_256_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"},
112 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
113 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"},
114 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
115 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"},
116
117 // TLS v1.2 GCM ciphersuites from RFC5288.
118 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256),
119 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384),
120 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256),
121 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384),
122 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256),
123 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384),
124
125 // ECDH HMAC based ciphersuites from RFC5289.
126 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
127 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"},
128 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
129 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"},
130 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
131 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
132 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
133 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
134
135 // ECDH GCM based ciphersuites from RFC5289.
136 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
137 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
138 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
139 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384),
140
141 {0, nullptr}};
142 #endif // #ifndef OPENSSL_IS_BORINGSSL
143
144 #ifdef OPENSSL_IS_BORINGSSL
145 // Enabled by EnableTimeCallbackForTesting. Should never be set in production
146 // code.
147 bool g_use_time_callback_for_testing = false;
148 // Not used in production code. Actual time should be relative to Jan 1, 1970.
TimeCallbackForTesting(const SSL * ssl,struct timeval * out_clock)149 void TimeCallbackForTesting(const SSL* ssl, struct timeval* out_clock) {
150 int64_t time = TimeNanos();
151 out_clock->tv_sec = time / kNumNanosecsPerSec;
152 out_clock->tv_usec = (time % kNumNanosecsPerSec) / kNumNanosecsPerMicrosec;
153 }
154 #endif
155
156 } // namespace
157
158 //////////////////////////////////////////////////////////////////////
159 // StreamBIO
160 //////////////////////////////////////////////////////////////////////
161
162 static int stream_write(BIO* h, const char* buf, int num);
163 static int stream_read(BIO* h, char* buf, int size);
164 static int stream_puts(BIO* h, const char* str);
165 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2);
166 static int stream_new(BIO* h);
167 static int stream_free(BIO* data);
168
BIO_stream_method()169 static BIO_METHOD* BIO_stream_method() {
170 static BIO_METHOD* method = [] {
171 BIO_METHOD* method = BIO_meth_new(BIO_TYPE_BIO, "stream");
172 BIO_meth_set_write(method, stream_write);
173 BIO_meth_set_read(method, stream_read);
174 BIO_meth_set_puts(method, stream_puts);
175 BIO_meth_set_ctrl(method, stream_ctrl);
176 BIO_meth_set_create(method, stream_new);
177 BIO_meth_set_destroy(method, stream_free);
178 return method;
179 }();
180 return method;
181 }
182
BIO_new_stream(StreamInterface * stream)183 static BIO* BIO_new_stream(StreamInterface* stream) {
184 BIO* ret = BIO_new(BIO_stream_method());
185 if (ret == nullptr) {
186 return nullptr;
187 }
188 BIO_set_data(ret, stream);
189 return ret;
190 }
191
192 // bio methods return 1 (or at least non-zero) on success and 0 on failure.
193
stream_new(BIO * b)194 static int stream_new(BIO* b) {
195 BIO_set_shutdown(b, 0);
196 BIO_set_init(b, 1);
197 BIO_set_data(b, 0);
198 return 1;
199 }
200
stream_free(BIO * b)201 static int stream_free(BIO* b) {
202 if (b == nullptr) {
203 return 0;
204 }
205 return 1;
206 }
207
stream_read(BIO * b,char * out,int outl)208 static int stream_read(BIO* b, char* out, int outl) {
209 if (!out) {
210 return -1;
211 }
212 StreamInterface* stream = static_cast<StreamInterface*>(BIO_get_data(b));
213 BIO_clear_retry_flags(b);
214 size_t read;
215 int error;
216 StreamResult result = stream->Read(out, outl, &read, &error);
217 if (result == SR_SUCCESS) {
218 return checked_cast<int>(read);
219 } else if (result == SR_BLOCK) {
220 BIO_set_retry_read(b);
221 }
222 return -1;
223 }
224
stream_write(BIO * b,const char * in,int inl)225 static int stream_write(BIO* b, const char* in, int inl) {
226 if (!in) {
227 return -1;
228 }
229 StreamInterface* stream = static_cast<StreamInterface*>(BIO_get_data(b));
230 BIO_clear_retry_flags(b);
231 size_t written;
232 int error;
233 StreamResult result = stream->Write(in, inl, &written, &error);
234 if (result == SR_SUCCESS) {
235 return checked_cast<int>(written);
236 } else if (result == SR_BLOCK) {
237 BIO_set_retry_write(b);
238 }
239 return -1;
240 }
241
stream_puts(BIO * b,const char * str)242 static int stream_puts(BIO* b, const char* str) {
243 return stream_write(b, str, checked_cast<int>(strlen(str)));
244 }
245
stream_ctrl(BIO * b,int cmd,long num,void * ptr)246 static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) {
247 switch (cmd) {
248 case BIO_CTRL_RESET:
249 return 0;
250 case BIO_CTRL_EOF: {
251 StreamInterface* stream = static_cast<StreamInterface*>(ptr);
252 // 1 means end-of-stream.
253 return (stream->GetState() == SS_CLOSED) ? 1 : 0;
254 }
255 case BIO_CTRL_WPENDING:
256 case BIO_CTRL_PENDING:
257 return 0;
258 case BIO_CTRL_FLUSH:
259 return 1;
260 case BIO_CTRL_DGRAM_QUERY_MTU:
261 // openssl defaults to mtu=256 unless we return something here.
262 // The handshake doesn't actually need to send packets above 1k,
263 // so this seems like a sensible value that should work in most cases.
264 // Webrtc uses the same value for video packets.
265 return 1200;
266 default:
267 return 0;
268 }
269 }
270
271 /////////////////////////////////////////////////////////////////////////////
272 // OpenSSLStreamAdapter
273 /////////////////////////////////////////////////////////////////////////////
274
275 static std::atomic<bool> g_use_legacy_tls_protocols_override(false);
276 static std::atomic<bool> g_allow_legacy_tls_protocols(false);
277
SetAllowLegacyTLSProtocols(const absl::optional<bool> & allow)278 void SetAllowLegacyTLSProtocols(const absl::optional<bool>& allow) {
279 g_use_legacy_tls_protocols_override.store(allow.has_value());
280 if (allow.has_value())
281 g_allow_legacy_tls_protocols.store(allow.value());
282 }
283
ShouldAllowLegacyTLSProtocols()284 bool ShouldAllowLegacyTLSProtocols() {
285 return g_use_legacy_tls_protocols_override.load()
286 ? g_allow_legacy_tls_protocols.load()
287 : webrtc::field_trial::IsEnabled("WebRTC-LegacyTlsProtocols");
288 }
289
OpenSSLStreamAdapter(std::unique_ptr<StreamInterface> stream)290 OpenSSLStreamAdapter::OpenSSLStreamAdapter(
291 std::unique_ptr<StreamInterface> stream)
292 : SSLStreamAdapter(std::move(stream)),
293 owner_(rtc::Thread::Current()),
294 state_(SSL_NONE),
295 role_(SSL_CLIENT),
296 ssl_read_needs_write_(false),
297 ssl_write_needs_read_(false),
298 ssl_(nullptr),
299 ssl_ctx_(nullptr),
300 ssl_mode_(SSL_MODE_TLS),
301 ssl_max_version_(SSL_PROTOCOL_TLS_12),
302 // Default is to support legacy TLS protocols.
303 // This will be changed to default non-support in M82 or M83.
304 support_legacy_tls_protocols_flag_(ShouldAllowLegacyTLSProtocols()) {}
305
~OpenSSLStreamAdapter()306 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() {
307 timeout_task_.Stop();
308 Cleanup(0);
309 }
310
SetIdentity(std::unique_ptr<SSLIdentity> identity)311 void OpenSSLStreamAdapter::SetIdentity(std::unique_ptr<SSLIdentity> identity) {
312 RTC_DCHECK(!identity_);
313 #ifdef OPENSSL_IS_BORINGSSL
314 identity_.reset(static_cast<BoringSSLIdentity*>(identity.release()));
315 #else
316 identity_.reset(static_cast<OpenSSLIdentity*>(identity.release()));
317 #endif
318 }
319
GetIdentityForTesting() const320 SSLIdentity* OpenSSLStreamAdapter::GetIdentityForTesting() const {
321 return identity_.get();
322 }
323
SetServerRole(SSLRole role)324 void OpenSSLStreamAdapter::SetServerRole(SSLRole role) {
325 role_ = role;
326 }
327
SetPeerCertificateDigest(const std::string & digest_alg,const unsigned char * digest_val,size_t digest_len,SSLPeerCertificateDigestError * error)328 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(
329 const std::string& digest_alg,
330 const unsigned char* digest_val,
331 size_t digest_len,
332 SSLPeerCertificateDigestError* error) {
333 RTC_DCHECK(!peer_certificate_verified_);
334 RTC_DCHECK(!HasPeerCertificateDigest());
335 size_t expected_len;
336 if (error) {
337 *error = SSLPeerCertificateDigestError::NONE;
338 }
339
340 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) {
341 RTC_LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg;
342 if (error) {
343 *error = SSLPeerCertificateDigestError::UNKNOWN_ALGORITHM;
344 }
345 return false;
346 }
347 if (expected_len != digest_len) {
348 if (error) {
349 *error = SSLPeerCertificateDigestError::INVALID_LENGTH;
350 }
351 return false;
352 }
353
354 peer_certificate_digest_value_.SetData(digest_val, digest_len);
355 peer_certificate_digest_algorithm_ = digest_alg;
356
357 if (!peer_cert_chain_) {
358 // Normal case, where the digest is set before we obtain the certificate
359 // from the handshake.
360 return true;
361 }
362
363 if (!VerifyPeerCertificate()) {
364 Error("SetPeerCertificateDigest", -1, SSL_AD_BAD_CERTIFICATE, false);
365 if (error) {
366 *error = SSLPeerCertificateDigestError::VERIFICATION_FAILED;
367 }
368 return false;
369 }
370
371 if (state_ == SSL_CONNECTED) {
372 // Post the event asynchronously to unwind the stack. The caller
373 // of ContinueSSL may be the same object listening for these
374 // events and may not be prepared for reentrancy.
375 PostEvent(SE_OPEN | SE_READ | SE_WRITE, 0);
376 }
377
378 return true;
379 }
380
SslCipherSuiteToName(int cipher_suite)381 std::string OpenSSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) {
382 #ifdef OPENSSL_IS_BORINGSSL
383 const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher_suite);
384 if (!ssl_cipher) {
385 return std::string();
386 }
387 return SSL_CIPHER_standard_name(ssl_cipher);
388 #else
389 for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name;
390 ++entry) {
391 if (cipher_suite == static_cast<int>(entry->openssl_id)) {
392 return entry->rfc_name;
393 }
394 }
395 return std::string();
396 #endif
397 }
398
GetSslCipherSuite(int * cipher_suite)399 bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) {
400 if (state_ != SSL_CONNECTED) {
401 return false;
402 }
403
404 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_);
405 if (current_cipher == nullptr) {
406 return false;
407 }
408
409 *cipher_suite = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher));
410 return true;
411 }
412
GetSslVersion() const413 SSLProtocolVersion OpenSSLStreamAdapter::GetSslVersion() const {
414 if (state_ != SSL_CONNECTED) {
415 return SSL_PROTOCOL_NOT_GIVEN;
416 }
417
418 int ssl_version = SSL_version(ssl_);
419 if (ssl_mode_ == SSL_MODE_DTLS) {
420 if (ssl_version == DTLS1_VERSION) {
421 return SSL_PROTOCOL_DTLS_10;
422 /*
423 * LibreSSL does not support DTLS 1.2 yet:
424 * https://github.com/libressl-portable/portable/issues/380
425 */
426 #ifndef LIBRESSL_VERSION_NUMBER
427 } else if (ssl_version == DTLS1_2_VERSION) {
428 return SSL_PROTOCOL_DTLS_12;
429 #endif
430 }
431 } else {
432 if (ssl_version == TLS1_VERSION) {
433 return SSL_PROTOCOL_TLS_10;
434 } else if (ssl_version == TLS1_1_VERSION) {
435 return SSL_PROTOCOL_TLS_11;
436 } else if (ssl_version == TLS1_2_VERSION) {
437 return SSL_PROTOCOL_TLS_12;
438 }
439 }
440
441 return SSL_PROTOCOL_NOT_GIVEN;
442 }
443
GetSslVersionBytes(int * version) const444 bool OpenSSLStreamAdapter::GetSslVersionBytes(int* version) const {
445 if (state_ != SSL_CONNECTED) {
446 return false;
447 }
448 *version = SSL_version(ssl_);
449 return true;
450 }
451
452 // Key Extractor interface
ExportKeyingMaterial(const std::string & label,const uint8_t * context,size_t context_len,bool use_context,uint8_t * result,size_t result_len)453 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label,
454 const uint8_t* context,
455 size_t context_len,
456 bool use_context,
457 uint8_t* result,
458 size_t result_len) {
459 if (SSL_export_keying_material(ssl_, result, result_len, label.c_str(),
460 label.length(), const_cast<uint8_t*>(context),
461 context_len, use_context) != 1) {
462 return false;
463 }
464 return true;
465 }
466
SetDtlsSrtpCryptoSuites(const std::vector<int> & ciphers)467 bool OpenSSLStreamAdapter::SetDtlsSrtpCryptoSuites(
468 const std::vector<int>& ciphers) {
469 if (state_ != SSL_NONE) {
470 return false;
471 }
472
473 std::string internal_ciphers;
474 for (const int cipher : ciphers) {
475 bool found = false;
476 for (const auto& entry : kSrtpCipherMap) {
477 if (cipher == entry.id) {
478 found = true;
479 if (!internal_ciphers.empty()) {
480 internal_ciphers += ":";
481 }
482 internal_ciphers += entry.internal_name;
483 break;
484 }
485 }
486
487 if (!found) {
488 RTC_LOG(LS_ERROR) << "Could not find cipher: " << cipher;
489 return false;
490 }
491 }
492
493 if (internal_ciphers.empty()) {
494 return false;
495 }
496
497 srtp_ciphers_ = internal_ciphers;
498 return true;
499 }
500
GetDtlsSrtpCryptoSuite(int * crypto_suite)501 bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) {
502 RTC_DCHECK(state_ == SSL_CONNECTED);
503 if (state_ != SSL_CONNECTED) {
504 return false;
505 }
506
507 const SRTP_PROTECTION_PROFILE* srtp_profile =
508 SSL_get_selected_srtp_profile(ssl_);
509
510 if (!srtp_profile) {
511 return false;
512 }
513
514 *crypto_suite = srtp_profile->id;
515 RTC_DCHECK(!SrtpCryptoSuiteToName(*crypto_suite).empty());
516 return true;
517 }
518
IsTlsConnected()519 bool OpenSSLStreamAdapter::IsTlsConnected() {
520 return state_ == SSL_CONNECTED;
521 }
522
StartSSL()523 int OpenSSLStreamAdapter::StartSSL() {
524 // Don't allow StartSSL to be called twice.
525 if (state_ != SSL_NONE) {
526 return -1;
527 }
528
529 if (StreamAdapterInterface::GetState() != SS_OPEN) {
530 state_ = SSL_WAIT;
531 return 0;
532 }
533
534 state_ = SSL_CONNECTING;
535 if (int err = BeginSSL()) {
536 Error("BeginSSL", err, 0, false);
537 return err;
538 }
539
540 return 0;
541 }
542
SetMode(SSLMode mode)543 void OpenSSLStreamAdapter::SetMode(SSLMode mode) {
544 RTC_DCHECK(state_ == SSL_NONE);
545 ssl_mode_ = mode;
546 }
547
SetMaxProtocolVersion(SSLProtocolVersion version)548 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) {
549 RTC_DCHECK(ssl_ctx_ == nullptr);
550 ssl_max_version_ = version;
551 }
552
SetInitialRetransmissionTimeout(int timeout_ms)553 void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout(int timeout_ms) {
554 RTC_DCHECK(ssl_ctx_ == nullptr);
555 dtls_handshake_timeout_ms_ = timeout_ms;
556 }
557
558 //
559 // StreamInterface Implementation
560 //
561
Write(const void * data,size_t data_len,size_t * written,int * error)562 StreamResult OpenSSLStreamAdapter::Write(const void* data,
563 size_t data_len,
564 size_t* written,
565 int* error) {
566 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")";
567
568 switch (state_) {
569 case SSL_NONE:
570 // pass-through in clear text
571 return StreamAdapterInterface::Write(data, data_len, written, error);
572
573 case SSL_WAIT:
574 case SSL_CONNECTING:
575 return SR_BLOCK;
576
577 case SSL_CONNECTED:
578 if (WaitingToVerifyPeerCertificate()) {
579 return SR_BLOCK;
580 }
581 break;
582
583 case SSL_ERROR:
584 case SSL_CLOSED:
585 default:
586 if (error) {
587 *error = ssl_error_code_;
588 }
589 return SR_ERROR;
590 }
591
592 // OpenSSL will return an error if we try to write zero bytes
593 if (data_len == 0) {
594 if (written) {
595 *written = 0;
596 }
597 return SR_SUCCESS;
598 }
599
600 ssl_write_needs_read_ = false;
601
602 int code = SSL_write(ssl_, data, checked_cast<int>(data_len));
603 int ssl_error = SSL_get_error(ssl_, code);
604 switch (ssl_error) {
605 case SSL_ERROR_NONE:
606 RTC_DLOG(LS_VERBOSE) << " -- success";
607 RTC_DCHECK_GT(code, 0);
608 RTC_DCHECK_LE(code, data_len);
609 if (written)
610 *written = code;
611 return SR_SUCCESS;
612 case SSL_ERROR_WANT_READ:
613 RTC_DLOG(LS_VERBOSE) << " -- error want read";
614 ssl_write_needs_read_ = true;
615 return SR_BLOCK;
616 case SSL_ERROR_WANT_WRITE:
617 RTC_DLOG(LS_VERBOSE) << " -- error want write";
618 return SR_BLOCK;
619
620 case SSL_ERROR_ZERO_RETURN:
621 default:
622 Error("SSL_write", (ssl_error ? ssl_error : -1), 0, false);
623 if (error) {
624 *error = ssl_error_code_;
625 }
626 return SR_ERROR;
627 }
628 // not reached
629 }
630
Read(void * data,size_t data_len,size_t * read,int * error)631 StreamResult OpenSSLStreamAdapter::Read(void* data,
632 size_t data_len,
633 size_t* read,
634 int* error) {
635 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data_len << ")";
636 switch (state_) {
637 case SSL_NONE:
638 // pass-through in clear text
639 return StreamAdapterInterface::Read(data, data_len, read, error);
640 case SSL_WAIT:
641 case SSL_CONNECTING:
642 return SR_BLOCK;
643 case SSL_CONNECTED:
644 if (WaitingToVerifyPeerCertificate()) {
645 return SR_BLOCK;
646 }
647 break;
648 case SSL_CLOSED:
649 return SR_EOS;
650 case SSL_ERROR:
651 default:
652 if (error) {
653 *error = ssl_error_code_;
654 }
655 return SR_ERROR;
656 }
657
658 // Don't trust OpenSSL with zero byte reads
659 if (data_len == 0) {
660 if (read) {
661 *read = 0;
662 }
663 return SR_SUCCESS;
664 }
665
666 ssl_read_needs_write_ = false;
667
668 const int code = SSL_read(ssl_, data, checked_cast<int>(data_len));
669 const int ssl_error = SSL_get_error(ssl_, code);
670
671 switch (ssl_error) {
672 case SSL_ERROR_NONE:
673 RTC_DLOG(LS_VERBOSE) << " -- success";
674 RTC_DCHECK_GT(code, 0);
675 RTC_DCHECK_LE(code, data_len);
676 if (read) {
677 *read = code;
678 }
679
680 if (ssl_mode_ == SSL_MODE_DTLS) {
681 // Enforce atomic reads -- this is a short read
682 unsigned int pending = SSL_pending(ssl_);
683
684 if (pending) {
685 RTC_DLOG(LS_INFO) << " -- short DTLS read. flushing";
686 FlushInput(pending);
687 if (error) {
688 *error = SSE_MSG_TRUNC;
689 }
690 return SR_ERROR;
691 }
692 }
693 return SR_SUCCESS;
694 case SSL_ERROR_WANT_READ:
695 RTC_DLOG(LS_VERBOSE) << " -- error want read";
696 return SR_BLOCK;
697 case SSL_ERROR_WANT_WRITE:
698 RTC_DLOG(LS_VERBOSE) << " -- error want write";
699 ssl_read_needs_write_ = true;
700 return SR_BLOCK;
701 case SSL_ERROR_ZERO_RETURN:
702 RTC_DLOG(LS_VERBOSE) << " -- remote side closed";
703 Close();
704 return SR_EOS;
705 default:
706 Error("SSL_read", (ssl_error ? ssl_error : -1), 0, false);
707 if (error) {
708 *error = ssl_error_code_;
709 }
710 return SR_ERROR;
711 }
712 // not reached
713 }
714
FlushInput(unsigned int left)715 void OpenSSLStreamAdapter::FlushInput(unsigned int left) {
716 unsigned char buf[2048];
717
718 while (left) {
719 // This should always succeed
720 const int toread = (sizeof(buf) < left) ? sizeof(buf) : left;
721 const int code = SSL_read(ssl_, buf, toread);
722
723 const int ssl_error = SSL_get_error(ssl_, code);
724 RTC_DCHECK(ssl_error == SSL_ERROR_NONE);
725
726 if (ssl_error != SSL_ERROR_NONE) {
727 RTC_DLOG(LS_VERBOSE) << " -- error " << code;
728 Error("SSL_read", (ssl_error ? ssl_error : -1), 0, false);
729 return;
730 }
731
732 RTC_DLOG(LS_VERBOSE) << " -- flushed " << code << " bytes";
733 left -= code;
734 }
735 }
736
Close()737 void OpenSSLStreamAdapter::Close() {
738 Cleanup(0);
739 RTC_DCHECK(state_ == SSL_CLOSED || state_ == SSL_ERROR);
740 // When we're closed at SSL layer, also close the stream level which
741 // performs necessary clean up. Otherwise, a new incoming packet after
742 // this could overflow the stream buffer.
743 StreamAdapterInterface::Close();
744 }
745
GetState() const746 StreamState OpenSSLStreamAdapter::GetState() const {
747 switch (state_) {
748 case SSL_WAIT:
749 case SSL_CONNECTING:
750 return SS_OPENING;
751 case SSL_CONNECTED:
752 if (WaitingToVerifyPeerCertificate()) {
753 return SS_OPENING;
754 }
755 return SS_OPEN;
756 default:
757 return SS_CLOSED;
758 }
759 // not reached
760 }
761
OnEvent(StreamInterface * stream,int events,int err)762 void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream,
763 int events,
764 int err) {
765 int events_to_signal = 0;
766 int signal_error = 0;
767 RTC_DCHECK(stream == this->stream());
768
769 if ((events & SE_OPEN)) {
770 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent SE_OPEN";
771 if (state_ != SSL_WAIT) {
772 RTC_DCHECK(state_ == SSL_NONE);
773 events_to_signal |= SE_OPEN;
774 } else {
775 state_ = SSL_CONNECTING;
776 if (int err = BeginSSL()) {
777 Error("BeginSSL", err, 0, true);
778 return;
779 }
780 }
781 }
782
783 if ((events & (SE_READ | SE_WRITE))) {
784 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent"
785 << ((events & SE_READ) ? " SE_READ" : "")
786 << ((events & SE_WRITE) ? " SE_WRITE" : "");
787 if (state_ == SSL_NONE) {
788 events_to_signal |= events & (SE_READ | SE_WRITE);
789 } else if (state_ == SSL_CONNECTING) {
790 if (int err = ContinueSSL()) {
791 Error("ContinueSSL", err, 0, true);
792 return;
793 }
794 } else if (state_ == SSL_CONNECTED) {
795 if (((events & SE_READ) && ssl_write_needs_read_) ||
796 (events & SE_WRITE)) {
797 RTC_DLOG(LS_VERBOSE) << " -- onStreamWriteable";
798 events_to_signal |= SE_WRITE;
799 }
800 if (((events & SE_WRITE) && ssl_read_needs_write_) ||
801 (events & SE_READ)) {
802 RTC_DLOG(LS_VERBOSE) << " -- onStreamReadable";
803 events_to_signal |= SE_READ;
804 }
805 }
806 }
807
808 if ((events & SE_CLOSE)) {
809 RTC_DLOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent(SE_CLOSE, " << err
810 << ")";
811 Cleanup(0);
812 events_to_signal |= SE_CLOSE;
813 // SE_CLOSE is the only event that uses the final parameter to OnEvent().
814 RTC_DCHECK(signal_error == 0);
815 signal_error = err;
816 }
817
818 if (events_to_signal) {
819 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error);
820 }
821 }
822
PostEvent(int events,int err)823 void OpenSSLStreamAdapter::PostEvent(int events, int err) {
824 owner_->PostTask(webrtc::ToQueuedTask(
825 task_safety_, [this, events, err]() { SignalEvent(this, events, err); }));
826 }
827
SetTimeout(int delay_ms)828 void OpenSSLStreamAdapter::SetTimeout(int delay_ms) {
829 // We need to accept 0 delay here as well as >0 delay, because
830 // DTLSv1_get_timeout seems to frequently return 0 ms.
831 RTC_DCHECK_GE(delay_ms, 0);
832 RTC_DCHECK(!timeout_task_.Running());
833
834 timeout_task_ = webrtc::RepeatingTaskHandle::DelayedStart(
835 owner_, webrtc::TimeDelta::Millis(delay_ms),
836 [flag = task_safety_.flag(), this]() {
837 if (flag->alive()) {
838 RTC_DLOG(LS_INFO) << "DTLS timeout expired";
839 timeout_task_.Stop();
840 DTLSv1_handle_timeout(ssl_);
841 ContinueSSL();
842 } else {
843 RTC_NOTREACHED();
844 }
845 // This callback will never run again (stopped above).
846 return webrtc::TimeDelta::PlusInfinity();
847 });
848 }
849
BeginSSL()850 int OpenSSLStreamAdapter::BeginSSL() {
851 RTC_DCHECK(state_ == SSL_CONNECTING);
852 // The underlying stream has opened.
853 RTC_DLOG(LS_INFO) << "BeginSSL with peer.";
854
855 BIO* bio = nullptr;
856
857 // First set up the context.
858 RTC_DCHECK(ssl_ctx_ == nullptr);
859 ssl_ctx_ = SetupSSLContext();
860 if (!ssl_ctx_) {
861 return -1;
862 }
863
864 bio = BIO_new_stream(static_cast<StreamInterface*>(stream()));
865 if (!bio) {
866 return -1;
867 }
868
869 ssl_ = SSL_new(ssl_ctx_);
870 if (!ssl_) {
871 BIO_free(bio);
872 return -1;
873 }
874
875 SSL_set_app_data(ssl_, this);
876
877 SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now.
878 if (ssl_mode_ == SSL_MODE_DTLS) {
879 #ifdef OPENSSL_IS_BORINGSSL
880 DTLSv1_set_initial_timeout_duration(ssl_, dtls_handshake_timeout_ms_);
881 #else
882 // Enable read-ahead for DTLS so whole packets are read from internal BIO
883 // before parsing. This is done internally by BoringSSL for DTLS.
884 SSL_set_read_ahead(ssl_, 1);
885 #endif
886 }
887
888 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
889 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
890
891 // Do the connect
892 return ContinueSSL();
893 }
894
ContinueSSL()895 int OpenSSLStreamAdapter::ContinueSSL() {
896 RTC_DLOG(LS_VERBOSE) << "ContinueSSL";
897 RTC_DCHECK(state_ == SSL_CONNECTING);
898
899 // Clear the DTLS timer
900 timeout_task_.Stop();
901
902 const int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
903 const int ssl_error = SSL_get_error(ssl_, code);
904
905 switch (ssl_error) {
906 case SSL_ERROR_NONE:
907 RTC_DLOG(LS_VERBOSE) << " -- success";
908 // By this point, OpenSSL should have given us a certificate, or errored
909 // out if one was missing.
910 RTC_DCHECK(peer_cert_chain_ || !GetClientAuthEnabled());
911
912 state_ = SSL_CONNECTED;
913 if (!WaitingToVerifyPeerCertificate()) {
914 // We have everything we need to start the connection, so signal
915 // SE_OPEN. If we need a client certificate fingerprint and don't have
916 // it yet, we'll instead signal SE_OPEN in SetPeerCertificateDigest.
917 //
918 // TODO(deadbeef): Post this event asynchronously to unwind the stack.
919 // The caller of ContinueSSL may be the same object listening for these
920 // events and may not be prepared for reentrancy.
921 // PostEvent(SE_OPEN | SE_READ | SE_WRITE, 0);
922 StreamAdapterInterface::OnEvent(stream(), SE_OPEN | SE_READ | SE_WRITE,
923 0);
924 }
925 break;
926
927 case SSL_ERROR_WANT_READ: {
928 RTC_DLOG(LS_VERBOSE) << " -- error want read";
929 struct timeval timeout;
930 if (DTLSv1_get_timeout(ssl_, &timeout)) {
931 int delay = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
932 SetTimeout(delay);
933 }
934 } break;
935
936 case SSL_ERROR_WANT_WRITE:
937 RTC_DLOG(LS_VERBOSE) << " -- error want write";
938 break;
939
940 case SSL_ERROR_ZERO_RETURN:
941 default:
942 SSLHandshakeError ssl_handshake_err = SSLHandshakeError::UNKNOWN;
943 int err_code = ERR_peek_last_error();
944 if (err_code != 0 && ERR_GET_REASON(err_code) == SSL_R_NO_SHARED_CIPHER) {
945 ssl_handshake_err = SSLHandshakeError::INCOMPATIBLE_CIPHERSUITE;
946 }
947 RTC_DLOG(LS_VERBOSE) << " -- error " << code << ", " << err_code << ", "
948 << ERR_GET_REASON(err_code);
949 SignalSSLHandshakeError(ssl_handshake_err);
950 return (ssl_error != 0) ? ssl_error : -1;
951 }
952
953 return 0;
954 }
955
Error(const char * context,int err,uint8_t alert,bool signal)956 void OpenSSLStreamAdapter::Error(const char* context,
957 int err,
958 uint8_t alert,
959 bool signal) {
960 RTC_LOG(LS_WARNING) << "OpenSSLStreamAdapter::Error(" << context << ", "
961 << err << ", " << static_cast<int>(alert) << ")";
962 state_ = SSL_ERROR;
963 ssl_error_code_ = err;
964 Cleanup(alert);
965 if (signal) {
966 StreamAdapterInterface::OnEvent(stream(), SE_CLOSE, err);
967 }
968 }
969
Cleanup(uint8_t alert)970 void OpenSSLStreamAdapter::Cleanup(uint8_t alert) {
971 RTC_DLOG(LS_INFO) << "Cleanup";
972
973 if (state_ != SSL_ERROR) {
974 state_ = SSL_CLOSED;
975 ssl_error_code_ = 0;
976 }
977
978 if (ssl_) {
979 int ret;
980 // SSL_send_fatal_alert is only available in BoringSSL.
981 #ifdef OPENSSL_IS_BORINGSSL
982 if (alert) {
983 ret = SSL_send_fatal_alert(ssl_, alert);
984 if (ret < 0) {
985 RTC_LOG(LS_WARNING) << "SSL_send_fatal_alert failed, error = "
986 << SSL_get_error(ssl_, ret);
987 }
988 } else {
989 #endif
990 ret = SSL_shutdown(ssl_);
991 if (ret < 0) {
992 RTC_LOG(LS_WARNING)
993 << "SSL_shutdown failed, error = " << SSL_get_error(ssl_, ret);
994 }
995 #ifdef OPENSSL_IS_BORINGSSL
996 }
997 #endif
998 SSL_free(ssl_);
999 ssl_ = nullptr;
1000 }
1001 if (ssl_ctx_) {
1002 SSL_CTX_free(ssl_ctx_);
1003 ssl_ctx_ = nullptr;
1004 }
1005 identity_.reset();
1006 peer_cert_chain_.reset();
1007
1008 // Clear the DTLS timer
1009 timeout_task_.Stop();
1010 }
1011
SetupSSLContext()1012 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
1013 #ifdef OPENSSL_IS_BORINGSSL
1014 // If X509 objects aren't used, we can use these methods to avoid
1015 // linking the sizable crypto/x509 code, using CRYPTO_BUFFER instead.
1016 SSL_CTX* ctx =
1017 SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_with_buffers_method()
1018 : TLS_with_buffers_method());
1019 #else
1020 SSL_CTX* ctx =
1021 SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
1022 int sslmin, sslmax;
1023 #endif
1024 if (ctx == nullptr) {
1025 return nullptr;
1026 }
1027
1028 if (support_legacy_tls_protocols_flag_) {
1029 // TODO(https://bugs.webrtc.org/10261): Completely remove this branch in
1030 // M84.
1031 sslmin = ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION;
1032 switch (ssl_max_version_) {
1033 case SSL_PROTOCOL_TLS_10:
1034 sslmax = ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION;
1035 break;
1036 case SSL_PROTOCOL_TLS_11:
1037 sslmax = ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_1_VERSION;
1038 break;
1039 case SSL_PROTOCOL_TLS_12:
1040 default:
1041 /* LibreSSL does not support DTLS12 */
1042 #ifndef LIBRESSL_VERSION_NUMBER
1043 sslmax = ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION;
1044 #else
1045 /* We disallow DTLS1.2 in LibreSSL by returning a null ctx */
1046 RTC_LOG(LS_ERROR) << "LibreSSL does not support DTLS1.2";
1047 SSL_CTX_free(ctx);
1048 return nullptr;
1049 #endif
1050 break;
1051 }
1052 } else {
1053
1054 #ifndef LIBRESSL_VERSION_NUMBER
1055 // TODO(https://bugs.webrtc.org/10261): Make this the default in M84.
1056 sslmin = ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION;
1057 sslmax = ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION;
1058 #else
1059 /* We disallow DTLS1.2 in LibreSSL by returning a null ctx */
1060 RTC_LOG(LS_ERROR) << "LibreSSL does not support DTLS1.2";
1061 SSL_CTX_free(ctx);
1062 return nullptr;
1063 #endif
1064 }
1065
1066 SSL_CTX_set_min_proto_version(ctx, sslmin);
1067 SSL_CTX_set_max_proto_version(ctx, sslmax);
1068
1069 #ifdef OPENSSL_IS_BORINGSSL
1070 // SSL_CTX_set_current_time_cb is only supported in BoringSSL.
1071 if (g_use_time_callback_for_testing) {
1072 SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting);
1073 }
1074 SSL_CTX_set0_buffer_pool(ctx, openssl::GetBufferPool());
1075 #endif
1076
1077 if (identity_ && !identity_->ConfigureIdentity(ctx)) {
1078 SSL_CTX_free(ctx);
1079 return nullptr;
1080 }
1081
1082 #if !defined(NDEBUG)
1083 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback);
1084 #endif
1085
1086 int mode = SSL_VERIFY_PEER;
1087 if (GetClientAuthEnabled()) {
1088 // Require a certificate from the client.
1089 // Note: Normally this is always true in production, but it may be disabled
1090 // for testing purposes (e.g. SSLAdapter unit tests).
1091 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1092 }
1093
1094 // Configure a custom certificate verification callback to check the peer
1095 // certificate digest.
1096 #ifdef OPENSSL_IS_BORINGSSL
1097 // Use CRYPTO_BUFFER version of the callback if building with BoringSSL.
1098 SSL_CTX_set_custom_verify(ctx, mode, SSLVerifyCallback);
1099 #else
1100 // Note the second argument to SSL_CTX_set_verify is to override individual
1101 // errors in the default verification logic, which is not what we want here.
1102 SSL_CTX_set_verify(ctx, mode, nullptr);
1103 SSL_CTX_set_cert_verify_callback(ctx, SSLVerifyCallback, nullptr);
1104 #endif
1105
1106 // Select list of available ciphers. Note that !SHA256 and !SHA384 only
1107 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites
1108 // with SHA256 or SHA384 as the handshake hash.
1109 // This matches the list of SSLClientSocketOpenSSL in Chromium.
1110 SSL_CTX_set_cipher_list(
1111 ctx, "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK");
1112
1113 if (!srtp_ciphers_.empty()) {
1114 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) {
1115 SSL_CTX_free(ctx);
1116 return nullptr;
1117 }
1118 }
1119
1120 return ctx;
1121 }
1122
VerifyPeerCertificate()1123 bool OpenSSLStreamAdapter::VerifyPeerCertificate() {
1124 if (!HasPeerCertificateDigest() || !peer_cert_chain_ ||
1125 !peer_cert_chain_->GetSize()) {
1126 RTC_LOG(LS_WARNING) << "Missing digest or peer certificate.";
1127 return false;
1128 }
1129
1130 unsigned char digest[EVP_MAX_MD_SIZE];
1131 size_t digest_length;
1132 if (!peer_cert_chain_->Get(0).ComputeDigest(
1133 peer_certificate_digest_algorithm_, digest, sizeof(digest),
1134 &digest_length)) {
1135 RTC_LOG(LS_WARNING) << "Failed to compute peer cert digest.";
1136 return false;
1137 }
1138
1139 Buffer computed_digest(digest, digest_length);
1140 if (computed_digest != peer_certificate_digest_value_) {
1141 RTC_LOG(LS_WARNING)
1142 << "Rejected peer certificate due to mismatched digest.";
1143 return false;
1144 }
1145 // Ignore any verification error if the digest matches, since there is no
1146 // value in checking the validity of a self-signed cert issued by untrusted
1147 // sources.
1148 RTC_DLOG(LS_INFO) << "Accepted peer certificate.";
1149 peer_certificate_verified_ = true;
1150 return true;
1151 }
1152
GetPeerSSLCertChain() const1153 std::unique_ptr<SSLCertChain> OpenSSLStreamAdapter::GetPeerSSLCertChain()
1154 const {
1155 return peer_cert_chain_ ? peer_cert_chain_->Clone() : nullptr;
1156 }
1157
1158 #ifdef OPENSSL_IS_BORINGSSL
SSLVerifyCallback(SSL * ssl,uint8_t * out_alert)1159 enum ssl_verify_result_t OpenSSLStreamAdapter::SSLVerifyCallback(
1160 SSL* ssl,
1161 uint8_t* out_alert) {
1162 // Get our OpenSSLStreamAdapter from the context.
1163 OpenSSLStreamAdapter* stream =
1164 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
1165 const STACK_OF(CRYPTO_BUFFER)* chain = SSL_get0_peer_certificates(ssl);
1166 // Creates certificate chain.
1167 std::vector<std::unique_ptr<SSLCertificate>> cert_chain;
1168 for (CRYPTO_BUFFER* cert : chain) {
1169 cert_chain.emplace_back(new BoringSSLCertificate(bssl::UpRef(cert)));
1170 }
1171 stream->peer_cert_chain_.reset(new SSLCertChain(std::move(cert_chain)));
1172
1173 // If the peer certificate digest isn't known yet, we'll wait to verify
1174 // until it's known, and for now just return a success status.
1175 if (stream->peer_certificate_digest_algorithm_.empty()) {
1176 RTC_LOG(LS_INFO) << "Waiting to verify certificate until digest is known.";
1177 // TODO(deadbeef): Use ssl_verify_retry?
1178 return ssl_verify_ok;
1179 }
1180
1181 if (!stream->VerifyPeerCertificate()) {
1182 return ssl_verify_invalid;
1183 }
1184
1185 return ssl_verify_ok;
1186 }
1187 #else // OPENSSL_IS_BORINGSSL
SSLVerifyCallback(X509_STORE_CTX * store,void * arg)1188 int OpenSSLStreamAdapter::SSLVerifyCallback(X509_STORE_CTX* store, void* arg) {
1189 // Get our SSL structure and OpenSSLStreamAdapter from the store.
1190 SSL* ssl = reinterpret_cast<SSL*>(
1191 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
1192 OpenSSLStreamAdapter* stream =
1193 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
1194
1195 // Record the peer's certificate.
1196 X509* cert = X509_STORE_CTX_get0_cert(store);
1197 stream->peer_cert_chain_.reset(
1198 new SSLCertChain(std::make_unique<OpenSSLCertificate>(cert)));
1199
1200 // If the peer certificate digest isn't known yet, we'll wait to verify
1201 // until it's known, and for now just return a success status.
1202 if (stream->peer_certificate_digest_algorithm_.empty()) {
1203 RTC_DLOG(LS_INFO) << "Waiting to verify certificate until digest is known.";
1204 return 1;
1205 }
1206
1207 if (!stream->VerifyPeerCertificate()) {
1208 X509_STORE_CTX_set_error(store, X509_V_ERR_CERT_REJECTED);
1209 return 0;
1210 }
1211
1212 return 1;
1213 }
1214 #endif // !OPENSSL_IS_BORINGSSL
1215
IsBoringSsl()1216 bool OpenSSLStreamAdapter::IsBoringSsl() {
1217 #ifdef OPENSSL_IS_BORINGSSL
1218 return true;
1219 #else
1220 return false;
1221 #endif
1222 }
1223
1224 #define CDEF(X) \
1225 { static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X }
1226
1227 struct cipher_list {
1228 uint16_t cipher;
1229 const char* cipher_str;
1230 };
1231
1232 // TODO(torbjorng): Perhaps add more cipher suites to these lists.
1233 static const cipher_list OK_RSA_ciphers[] = {
1234 CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA),
1235 CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA),
1236 CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
1237 #ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256
1238 CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256),
1239 #endif
1240 #ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
1241 CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
1242 #endif
1243 };
1244
1245 static const cipher_list OK_ECDSA_ciphers[] = {
1246 CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
1247 CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
1248 CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
1249 #ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
1250 CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256),
1251 #endif
1252 #ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
1253 CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
1254 #endif
1255 };
1256 #undef CDEF
1257
IsAcceptableCipher(int cipher,KeyType key_type)1258 bool OpenSSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) {
1259 if (key_type == KT_RSA) {
1260 for (const cipher_list& c : OK_RSA_ciphers) {
1261 if (cipher == c.cipher) {
1262 return true;
1263 }
1264 }
1265 }
1266
1267 if (key_type == KT_ECDSA) {
1268 for (const cipher_list& c : OK_ECDSA_ciphers) {
1269 if (cipher == c.cipher) {
1270 return true;
1271 }
1272 }
1273 }
1274
1275 return false;
1276 }
1277
IsAcceptableCipher(const std::string & cipher,KeyType key_type)1278 bool OpenSSLStreamAdapter::IsAcceptableCipher(const std::string& cipher,
1279 KeyType key_type) {
1280 if (key_type == KT_RSA) {
1281 for (const cipher_list& c : OK_RSA_ciphers) {
1282 if (cipher == c.cipher_str) {
1283 return true;
1284 }
1285 }
1286 }
1287
1288 if (key_type == KT_ECDSA) {
1289 for (const cipher_list& c : OK_ECDSA_ciphers) {
1290 if (cipher == c.cipher_str) {
1291 return true;
1292 }
1293 }
1294 }
1295
1296 return false;
1297 }
1298
EnableTimeCallbackForTesting()1299 void OpenSSLStreamAdapter::EnableTimeCallbackForTesting() {
1300 #ifdef OPENSSL_IS_BORINGSSL
1301 g_use_time_callback_for_testing = true;
1302 #endif
1303 }
1304
1305 } // namespace rtc
1306