| 1 /* | 1 /* |
| 2 * Copyright 2008 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2008 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| 279 : SSLAdapter(socket), | 279 : SSLAdapter(socket), |
| 280 factory_(factory), | 280 factory_(factory), |
| 281 state_(SSL_NONE), | 281 state_(SSL_NONE), |
| 282 role_(SSL_CLIENT), | 282 role_(SSL_CLIENT), |
| 283 ssl_read_needs_write_(false), | 283 ssl_read_needs_write_(false), |
| 284 ssl_write_needs_read_(false), | 284 ssl_write_needs_read_(false), |
| 285 restartable_(false), | 285 restartable_(false), |
| 286 ssl_(nullptr), | 286 ssl_(nullptr), |
| 287 ssl_ctx_(nullptr), | 287 ssl_ctx_(nullptr), |
| 288 ssl_mode_(SSL_MODE_TLS), | 288 ssl_mode_(SSL_MODE_TLS), |
| 289 ignore_bad_cert_(false), |
| 289 custom_verification_succeeded_(false) { | 290 custom_verification_succeeded_(false) { |
| 290 // If a factory is used, take a reference on the factory's SSL_CTX. | 291 // If a factory is used, take a reference on the factory's SSL_CTX. |
| 291 // Otherwise, we'll create our own later. | 292 // Otherwise, we'll create our own later. |
| 292 // Either way, we'll release our reference via SSL_CTX_free() in Cleanup(). | 293 // Either way, we'll release our reference via SSL_CTX_free() in Cleanup(). |
| 293 if (factory_) { | 294 if (factory_) { |
| 294 ssl_ctx_ = factory_->ssl_ctx(); | 295 ssl_ctx_ = factory_->ssl_ctx(); |
| 295 RTC_DCHECK(ssl_ctx_); | 296 RTC_DCHECK(ssl_ctx_); |
| 296 // Note: if using OpenSSL, requires version 1.1.0 or later. | 297 // Note: if using OpenSSL, requires version 1.1.0 or later. |
| 297 SSL_CTX_up_ref(ssl_ctx_); | 298 SSL_CTX_up_ref(ssl_ctx_); |
| 298 } | 299 } |
| 299 } | 300 } |
| 300 | 301 |
| 301 OpenSSLAdapter::~OpenSSLAdapter() { | 302 OpenSSLAdapter::~OpenSSLAdapter() { |
| 302 Cleanup(); | 303 Cleanup(); |
| 303 } | 304 } |
| 304 | 305 |
| 305 void OpenSSLAdapter::SetMode(SSLMode mode) { | 306 void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) { |
| 307 ignore_bad_cert_ = ignore; |
| 308 } |
| 309 |
| 310 void OpenSSLAdapter::SetAlpnProtocols(const std::vector<std::string>& protos) { |
| 311 alpn_protocols_ = protos; |
| 312 } |
| 313 |
| 314 void |
| 315 OpenSSLAdapter::SetMode(SSLMode mode) { |
| 306 RTC_DCHECK(!ssl_ctx_); | 316 RTC_DCHECK(!ssl_ctx_); |
| 307 RTC_DCHECK(state_ == SSL_NONE); | 317 RTC_DCHECK(state_ == SSL_NONE); |
| 308 ssl_mode_ = mode; | 318 ssl_mode_ = mode; |
| 309 } | 319 } |
| 310 | 320 |
| 311 void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) { | 321 void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) { |
| 312 RTC_DCHECK(!identity_); | 322 RTC_DCHECK(!identity_); |
| 313 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); | 323 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); |
| 314 } | 324 } |
| 315 | 325 |
| 316 void OpenSSLAdapter::SetRole(SSLRole role) { | 326 void OpenSSLAdapter::SetRole(SSLRole role) { |
| 317 role_ = role; | 327 role_ = role; |
| 318 } | 328 } |
| 319 | 329 |
| 320 AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) { | 330 AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) { |
| 321 RTC_DCHECK(role_ == SSL_SERVER); | 331 RTC_DCHECK(role_ == SSL_SERVER); |
| 322 AsyncSocket* socket = SSLAdapter::Accept(paddr); | 332 AsyncSocket* socket = SSLAdapter::Accept(paddr); |
| 323 if (!socket) { | 333 if (!socket) { |
| 324 return nullptr; | 334 return nullptr; |
| 325 } | 335 } |
| 326 | 336 |
| 327 SSLAdapter* adapter = SSLAdapter::Create(socket); | 337 SSLAdapter* adapter = SSLAdapter::Create(socket); |
| 328 adapter->SetIdentity(identity_->GetReference()); | 338 adapter->SetIdentity(identity_->GetReference()); |
| 329 adapter->SetRole(rtc::SSL_SERVER); | 339 adapter->SetRole(rtc::SSL_SERVER); |
| 330 adapter->set_ignore_bad_cert(ignore_bad_cert()); | 340 adapter->SetIgnoreBadCert(ignore_bad_cert_); |
| 331 adapter->StartSSL("", false); | 341 adapter->StartSSL("", false); |
| 332 return adapter; | 342 return adapter; |
| 333 } | 343 } |
| 334 | 344 |
| 335 int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) { | 345 int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) { |
| 336 if (state_ != SSL_NONE) | 346 if (state_ != SSL_NONE) |
| 337 return -1; | 347 return -1; |
| 338 | 348 |
| 339 ssl_host_name_ = hostname; | 349 ssl_host_name_ = hostname; |
| 340 restartable_ = restartable; | 350 restartable_ = restartable; |
| 417 goto ssl_error; | 427 goto ssl_error; |
| 418 } | 428 } |
| 419 | 429 |
| 420 LOG(LS_INFO) << "Attempting to resume SSL session to " | 430 LOG(LS_INFO) << "Attempting to resume SSL session to " |
| 421 << ssl_host_name_; | 431 << ssl_host_name_; |
| 422 } | 432 } |
| 423 } | 433 } |
| 424 } | 434 } |
| 425 | 435 |
| 426 // Set a couple common TLS extensions; even though we don't use them yet. | 436 // Set a couple common TLS extensions; even though we don't use them yet. |
| 427 // TODO(emadomara) Add ALPN extension. | |
| 428 SSL_enable_ocsp_stapling(ssl_); | 437 SSL_enable_ocsp_stapling(ssl_); |
| 429 SSL_enable_signed_cert_timestamps(ssl_); | 438 SSL_enable_signed_cert_timestamps(ssl_); |
| 430 | 439 |
| 440 if (!alpn_protocols_.empty()) { |
| 441 std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_); |
| 442 if (!tls_alpn_string.empty()) { |
| 443 SSL_set_alpn_protos(ssl_, |
| 444 reinterpret_cast<const unsigned char *>(tls_alpn_string.data()), |
| 445 tls_alpn_string.size()); |
| 446 } |
| 447 } |
| 448 |
| 431 // Now that the initial config is done, transfer ownership of |bio| to the | 449 // Now that the initial config is done, transfer ownership of |bio| to the |
| 432 // SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup(). | 450 // SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup(). |
| 433 SSL_set_bio(ssl_, bio, bio); | 451 SSL_set_bio(ssl_, bio, bio); |
| 434 bio = nullptr; | 452 bio = nullptr; |
| 435 | 453 |
| 436 // Do the connect. | 454 // Do the connect. |
| 437 err = ContinueSSL(); | 455 err = ContinueSSL(); |
| 438 if (err != 0) | 456 if (err != 0) |
| 439 goto ssl_error; | 457 goto ssl_error; |
| 440 | 458 |
| 920 if (!ok && ignore_bad_cert) { | 938 if (!ok && ignore_bad_cert) { |
| 921 LOG(LS_WARNING) << "TLS certificate check FAILED. " | 939 LOG(LS_WARNING) << "TLS certificate check FAILED. " |
| 922 << "Allowing connection anyway."; | 940 << "Allowing connection anyway."; |
| 923 ok = true; | 941 ok = true; |
| 924 } | 942 } |
| 925 | 943 |
| 926 return ok; | 944 return ok; |
| 927 } | 945 } |
| 928 | 946 |
| 929 bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const char* host) { | 947 bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const char* host) { |
| 930 bool ok = VerifyServerName(ssl, host, ignore_bad_cert()); | 948 bool ok = VerifyServerName(ssl, host, ignore_bad_cert_); |
| 931 | 949 |
| 932 if (ok) { | 950 if (ok) { |
| 933 ok = (SSL_get_verify_result(ssl) == X509_V_OK || | 951 ok = (SSL_get_verify_result(ssl) == X509_V_OK || |
| 934 custom_verification_succeeded_); | 952 custom_verification_succeeded_); |
| 935 } | 953 } |
| 936 | 954 |
| 937 if (!ok && ignore_bad_cert()) { | 955 if (!ok && ignore_bad_cert_) { |
| 938 LOG(LS_INFO) << "Other TLS post connection checks failed."; | 956 LOG(LS_INFO) << "Other TLS post connection checks failed."; |
| 939 ok = true; | 957 ok = true; |
| 940 } | 958 } |
| 941 | 959 |
| 942 return ok; | 960 return ok; |
| 943 } | 961 } |
| 944 | 962 |
| 945 #if !defined(NDEBUG) | 963 #if !defined(NDEBUG) |
| 946 | 964 |
| 947 // We only use this for tracing and so it is only needed in debug mode | 965 // We only use this for tracing and so it is only needed in debug mode |
| 1002 void* cert = | 1020 void* cert = |
| 1003 reinterpret_cast<void*>(X509_STORE_CTX_get_current_cert(store)); | 1021 reinterpret_cast<void*>(X509_STORE_CTX_get_current_cert(store)); |
| 1004 if (custom_verify_callback_(cert)) { | 1022 if (custom_verify_callback_(cert)) { |
| 1005 stream->custom_verification_succeeded_ = true; | 1023 stream->custom_verification_succeeded_ = true; |
| 1006 LOG(LS_INFO) << "validated certificate using custom callback"; | 1024 LOG(LS_INFO) << "validated certificate using custom callback"; |
| 1007 ok = true; | 1025 ok = true; |
| 1008 } | 1026 } |
| 1009 } | 1027 } |
| 1010 | 1028 |
| 1011 // Should only be used for debugging and development. | 1029 // Should only be used for debugging and development. |
| 1012 if (!ok && stream->ignore_bad_cert()) { | 1030 if (!ok && stream->ignore_bad_cert_) { |
| 1013 LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain"; | 1031 LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain"; |
| 1014 ok = 1; | 1032 ok = 1; |
| 1015 } | 1033 } |
| 1016 | 1034 |
| 1017 return ok; | 1035 return ok; |
| 1018 } | 1036 } |
| 1019 | 1037 |
| 1020 int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) { | 1038 int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) { |
| 1021 OpenSSLAdapter* stream = | 1039 OpenSSLAdapter* stream = |
| 1022 reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl)); | 1040 reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl)); |
| 1089 } | 1107 } |
| 1090 | 1108 |
| 1091 if (enable_cache) { | 1109 if (enable_cache) { |
| 1092 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); | 1110 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); |
| 1093 SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback); | 1111 SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback); |
| 1094 } | 1112 } |
| 1095 | 1113 |
| 1096 return ctx; | 1114 return ctx; |
| 1097 } | 1115 } |
| 1098 | 1116 |
| 1117 std::string TransformAlpnProtocols( |
| 1118 const std::vector<std::string>& alpn_protocols) { |
| 1119 // Transforms the alpn_protocols list to the format expected by |
| 1120 // Open/BoringSSL. This requires joining the protocols into a single string |
| 1121 // and prepending a character with the size of the protocol string before |
| 1122 // each protocol. |
| 1123 std::string transformed_alpn; |
| 1124 for (const std::string& proto : alpn_protocols) { |
| 1125 if (proto.size() == 0 || proto.size() > 0xFF) { |
| 1126 LOG(LS_ERROR) << "OpenSSLAdapter::Error(" |
| 1127 << "TransformAlpnProtocols received proto with size " |
| 1128 << proto.size() << ")"; |
| 1129 return ""; |
| 1130 } |
| 1131 transformed_alpn += static_cast<char>(proto.size()); |
| 1132 transformed_alpn += proto; |
| 1133 LOG(LS_VERBOSE) << "TransformAlpnProtocols: Adding proto: " << proto; |
| 1134 } |
| 1135 return transformed_alpn; |
| 1136 } |
| 1137 |
| 1099 ////////////////////////////////////////////////////////////////////// | 1138 ////////////////////////////////////////////////////////////////////// |
| 1100 // OpenSSLAdapterFactory | 1139 // OpenSSLAdapterFactory |
| 1101 ////////////////////////////////////////////////////////////////////// | 1140 ////////////////////////////////////////////////////////////////////// |
| 1102 | 1141 |
| 1103 OpenSSLAdapterFactory::OpenSSLAdapterFactory() | 1142 OpenSSLAdapterFactory::OpenSSLAdapterFactory() |
| 1104 : ssl_mode_(SSL_MODE_TLS), ssl_ctx_(nullptr) {} | 1143 : ssl_mode_(SSL_MODE_TLS), ssl_ctx_(nullptr) {} |
| 1105 | 1144 |
| 1106 OpenSSLAdapterFactory::~OpenSSLAdapterFactory() { | 1145 OpenSSLAdapterFactory::~OpenSSLAdapterFactory() { |
| 1107 for (auto it : sessions_) { | 1146 for (auto it : sessions_) { |
| 1108 SSL_SESSION_free(it.second); | 1147 SSL_SESSION_free(it.second); |
| 1133 } | 1172 } |
| 1134 | 1173 |
| 1135 void OpenSSLAdapterFactory::AddSession(const std::string& hostname, | 1174 void OpenSSLAdapterFactory::AddSession(const std::string& hostname, |
| 1136 SSL_SESSION* new_session) { | 1175 SSL_SESSION* new_session) { |
| 1137 SSL_SESSION* old_session = LookupSession(hostname); | 1176 SSL_SESSION* old_session = LookupSession(hostname); |
| 1138 SSL_SESSION_free(old_session); | 1177 SSL_SESSION_free(old_session); |
| 1139 sessions_[hostname] = new_session; | 1178 sessions_[hostname] = new_session; |
| 1140 } | 1179 } |
| 1141 | 1180 |
| 1142 } // namespace rtc | 1181 } // namespace rtc |
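Review bot: The return value of `SSL_set_alpn_protos` in the new ALPN block (new lines 440-447) is discarded, and that call follows the inverted OpenSSL/BoringSSL convention of 0 on success and non-zero on failure, so a rejected protocol list leaves the handshake running with no ALPN at all; the same silent fallback happens when `TransformAlpnProtocols` returns "" for an empty or over-length entry, which is only logged. Since a caller that set `alpn_protocols_` presumably needs the negotiated protocol, it seems safer to treat both cases as a setup failure and `goto ssl_error` like the other configuration steps in this function, whose start and end lie outside the hunk. Separately, `SetAlpnProtocols` (new line 310) has no `RTC_DCHECK(state_ == SSL_NONE)` guard as `SetMode` does, although the list is only read inside the handshake setup, so a call after `StartSSL` is silently ignored; and the new `void` / `OpenSSLAdapter::SetMode` split across two lines (new lines 314-315) departs from the single-line signature style used by every other definition here.
```cpp
  if (!alpn_protocols_.empty()) {
    std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_);
    // SSL_set_alpn_protos returns 0 on success and non-zero on failure.
    if (tls_alpn_string.empty() ||
        SSL_set_alpn_protos(
            ssl_, reinterpret_cast<const unsigned char*>(tls_alpn_string.data()),
            tls_alpn_string.size()) != 0) {
      LOG(LS_ERROR) << "Failed to configure ALPN protocols";
      goto ssl_error;
    }
  }
  // … unchanged: SSL_set_bio / ContinueSSL …
```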