OLD | NEW |
1 /* | 1 /* |
2 * Copyright 2008 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2008 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
(...skipping 268 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
279 : SSLAdapter(socket), | 279 : SSLAdapter(socket), |
280 factory_(factory), | 280 factory_(factory), |
281 state_(SSL_NONE), | 281 state_(SSL_NONE), |
282 role_(SSL_CLIENT), | 282 role_(SSL_CLIENT), |
283 ssl_read_needs_write_(false), | 283 ssl_read_needs_write_(false), |
284 ssl_write_needs_read_(false), | 284 ssl_write_needs_read_(false), |
285 restartable_(false), | 285 restartable_(false), |
286 ssl_(nullptr), | 286 ssl_(nullptr), |
287 ssl_ctx_(nullptr), | 287 ssl_ctx_(nullptr), |
288 ssl_mode_(SSL_MODE_TLS), | 288 ssl_mode_(SSL_MODE_TLS), |
| 289 ignore_bad_cert_(false), |
289 custom_verification_succeeded_(false) { | 290 custom_verification_succeeded_(false) { |
290 // If a factory is used, take a reference on the factory's SSL_CTX. | 291 // If a factory is used, take a reference on the factory's SSL_CTX. |
291 // Otherwise, we'll create our own later. | 292 // Otherwise, we'll create our own later. |
292 // Either way, we'll release our reference via SSL_CTX_free() in Cleanup(). | 293 // Either way, we'll release our reference via SSL_CTX_free() in Cleanup(). |
293 if (factory_) { | 294 if (factory_) { |
294 ssl_ctx_ = factory_->ssl_ctx(); | 295 ssl_ctx_ = factory_->ssl_ctx(); |
295 RTC_DCHECK(ssl_ctx_); | 296 RTC_DCHECK(ssl_ctx_); |
296 // Note: if using OpenSSL, requires version 1.1.0 or later. | 297 // Note: if using OpenSSL, requires version 1.1.0 or later. |
297 SSL_CTX_up_ref(ssl_ctx_); | 298 SSL_CTX_up_ref(ssl_ctx_); |
298 } | 299 } |
299 } | 300 } |
300 | 301 |
301 OpenSSLAdapter::~OpenSSLAdapter() { | 302 OpenSSLAdapter::~OpenSSLAdapter() { |
302 Cleanup(); | 303 Cleanup(); |
303 } | 304 } |
304 | 305 |
305 void OpenSSLAdapter::SetMode(SSLMode mode) { | 306 void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) { |
| 307 ignore_bad_cert_ = ignore; |
| 308 } |
| 309 |
| 310 void OpenSSLAdapter::SetAlpnProtocols(const std::vector<std::string>& protos) { |
| 311 alpn_protocols_ = protos; |
| 312 } |
| 313 |
| 314 void |
| 315 OpenSSLAdapter::SetMode(SSLMode mode) { |
306 RTC_DCHECK(!ssl_ctx_); | 316 RTC_DCHECK(!ssl_ctx_); |
307 RTC_DCHECK(state_ == SSL_NONE); | 317 RTC_DCHECK(state_ == SSL_NONE); |
308 ssl_mode_ = mode; | 318 ssl_mode_ = mode; |
309 } | 319 } |
310 | 320 |
311 void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) { | 321 void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) { |
312 RTC_DCHECK(!identity_); | 322 RTC_DCHECK(!identity_); |
313 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); | 323 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); |
314 } | 324 } |
315 | 325 |
316 void OpenSSLAdapter::SetRole(SSLRole role) { | 326 void OpenSSLAdapter::SetRole(SSLRole role) { |
317 role_ = role; | 327 role_ = role; |
318 } | 328 } |
319 | 329 |
320 AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) { | 330 AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) { |
321 RTC_DCHECK(role_ == SSL_SERVER); | 331 RTC_DCHECK(role_ == SSL_SERVER); |
322 AsyncSocket* socket = SSLAdapter::Accept(paddr); | 332 AsyncSocket* socket = SSLAdapter::Accept(paddr); |
323 if (!socket) { | 333 if (!socket) { |
324 return nullptr; | 334 return nullptr; |
325 } | 335 } |
326 | 336 |
327 SSLAdapter* adapter = SSLAdapter::Create(socket); | 337 SSLAdapter* adapter = SSLAdapter::Create(socket); |
328 adapter->SetIdentity(identity_->GetReference()); | 338 adapter->SetIdentity(identity_->GetReference()); |
329 adapter->SetRole(rtc::SSL_SERVER); | 339 adapter->SetRole(rtc::SSL_SERVER); |
330 adapter->set_ignore_bad_cert(ignore_bad_cert()); | 340 adapter->SetIgnoreBadCert(ignore_bad_cert_); |
331 adapter->StartSSL("", false); | 341 adapter->StartSSL("", false); |
332 return adapter; | 342 return adapter; |
333 } | 343 } |
334 | 344 |
335 int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) { | 345 int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) { |
336 if (state_ != SSL_NONE) | 346 if (state_ != SSL_NONE) |
337 return -1; | 347 return -1; |
338 | 348 |
339 ssl_host_name_ = hostname; | 349 ssl_host_name_ = hostname; |
340 restartable_ = restartable; | 350 restartable_ = restartable; |
(...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
417 goto ssl_error; | 427 goto ssl_error; |
418 } | 428 } |
419 | 429 |
420 LOG(LS_INFO) << "Attempting to resume SSL session to " | 430 LOG(LS_INFO) << "Attempting to resume SSL session to " |
421 << ssl_host_name_; | 431 << ssl_host_name_; |
422 } | 432 } |
423 } | 433 } |
424 } | 434 } |
425 | 435 |
426 // Set a couple common TLS extensions; even though we don't use them yet. | 436 // Set a couple common TLS extensions; even though we don't use them yet. |
427 // TODO(emadomara) Add ALPN extension. | |
428 SSL_enable_ocsp_stapling(ssl_); | 437 SSL_enable_ocsp_stapling(ssl_); |
429 SSL_enable_signed_cert_timestamps(ssl_); | 438 SSL_enable_signed_cert_timestamps(ssl_); |
430 | 439 |
| 440 if (!alpn_protocols_.empty()) { |
| 441 std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_); |
| 442 if (!tls_alpn_string.empty()) { |
| 443 SSL_set_alpn_protos(ssl_, |
| 444 reinterpret_cast<const unsigned char *>(tls_alpn_string.data()), |
| 445 tls_alpn_string.size()); |
| 446 } |
| 447 } |
| 448 |
431 // Now that the initial config is done, transfer ownership of |bio| to the | 449 // Now that the initial config is done, transfer ownership of |bio| to the |
432 // SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup(). | 450 // SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup(). |
433 SSL_set_bio(ssl_, bio, bio); | 451 SSL_set_bio(ssl_, bio, bio); |
434 bio = nullptr; | 452 bio = nullptr; |
435 | 453 |
436 // Do the connect. | 454 // Do the connect. |
437 err = ContinueSSL(); | 455 err = ContinueSSL(); |
438 if (err != 0) | 456 if (err != 0) |
439 goto ssl_error; | 457 goto ssl_error; |
440 | 458 |
(...skipping 479 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
920 if (!ok && ignore_bad_cert) { | 938 if (!ok && ignore_bad_cert) { |
921 LOG(LS_WARNING) << "TLS certificate check FAILED. " | 939 LOG(LS_WARNING) << "TLS certificate check FAILED. " |
922 << "Allowing connection anyway."; | 940 << "Allowing connection anyway."; |
923 ok = true; | 941 ok = true; |
924 } | 942 } |
925 | 943 |
926 return ok; | 944 return ok; |
927 } | 945 } |
928 | 946 |
929 bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const char* host) { | 947 bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const char* host) { |
930 bool ok = VerifyServerName(ssl, host, ignore_bad_cert()); | 948 bool ok = VerifyServerName(ssl, host, ignore_bad_cert_); |
931 | 949 |
932 if (ok) { | 950 if (ok) { |
933 ok = (SSL_get_verify_result(ssl) == X509_V_OK || | 951 ok = (SSL_get_verify_result(ssl) == X509_V_OK || |
934 custom_verification_succeeded_); | 952 custom_verification_succeeded_); |
935 } | 953 } |
936 | 954 |
937 if (!ok && ignore_bad_cert()) { | 955 if (!ok && ignore_bad_cert_) { |
938 LOG(LS_INFO) << "Other TLS post connection checks failed."; | 956 LOG(LS_INFO) << "Other TLS post connection checks failed."; |
939 ok = true; | 957 ok = true; |
940 } | 958 } |
941 | 959 |
942 return ok; | 960 return ok; |
943 } | 961 } |
944 | 962 |
945 #if !defined(NDEBUG) | 963 #if !defined(NDEBUG) |
946 | 964 |
947 // We only use this for tracing and so it is only needed in debug mode | 965 // We only use this for tracing and so it is only needed in debug mode |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1002 void* cert = | 1020 void* cert = |
1003 reinterpret_cast<void*>(X509_STORE_CTX_get_current_cert(store)); | 1021 reinterpret_cast<void*>(X509_STORE_CTX_get_current_cert(store)); |
1004 if (custom_verify_callback_(cert)) { | 1022 if (custom_verify_callback_(cert)) { |
1005 stream->custom_verification_succeeded_ = true; | 1023 stream->custom_verification_succeeded_ = true; |
1006 LOG(LS_INFO) << "validated certificate using custom callback"; | 1024 LOG(LS_INFO) << "validated certificate using custom callback"; |
1007 ok = true; | 1025 ok = true; |
1008 } | 1026 } |
1009 } | 1027 } |
1010 | 1028 |
1011 // Should only be used for debugging and development. | 1029 // Should only be used for debugging and development. |
1012 if (!ok && stream->ignore_bad_cert()) { | 1030 if (!ok && stream->ignore_bad_cert_) { |
1013 LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain"; | 1031 LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain"; |
1014 ok = 1; | 1032 ok = 1; |
1015 } | 1033 } |
1016 | 1034 |
1017 return ok; | 1035 return ok; |
1018 } | 1036 } |
1019 | 1037 |
1020 int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) { | 1038 int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) { |
1021 OpenSSLAdapter* stream = | 1039 OpenSSLAdapter* stream = |
1022 reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl)); | 1040 reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl)); |
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1089 } | 1107 } |
1090 | 1108 |
1091 if (enable_cache) { | 1109 if (enable_cache) { |
1092 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); | 1110 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); |
1093 SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback); | 1111 SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback); |
1094 } | 1112 } |
1095 | 1113 |
1096 return ctx; | 1114 return ctx; |
1097 } | 1115 } |
1098 | 1116 |
| 1117 std::string TransformAlpnProtocols( |
| 1118 const std::vector<std::string>& alpn_protocols) { |
| 1119 // Transforms the alpn_protocols list to the format expected by |
| 1120 // Open/BoringSSL. This requires joining the protocols into a single string |
| 1121 // and prepending a character with the size of the protocol string before |
| 1122 // each protocol. |
| 1123 std::string transformed_alpn; |
| 1124 for (const std::string& proto : alpn_protocols) { |
| 1125 if (proto.size() == 0 || proto.size() > 0xFF) { |
| 1126 LOG(LS_ERROR) << "OpenSSLAdapter::Error(" |
| 1127 << "TransformAlpnProtocols received proto with size " |
| 1128 << proto.size() << ")"; |
| 1129 return ""; |
| 1130 } |
| 1131 transformed_alpn += static_cast<char>(proto.size()); |
| 1132 transformed_alpn += proto; |
| 1133 LOG(LS_VERBOSE) << "TransformAlpnProtocols: Adding proto: " << proto; |
| 1134 } |
| 1135 return transformed_alpn; |
| 1136 } |
| 1137 |
1099 ////////////////////////////////////////////////////////////////////// | 1138 ////////////////////////////////////////////////////////////////////// |
1100 // OpenSSLAdapterFactory | 1139 // OpenSSLAdapterFactory |
1101 ////////////////////////////////////////////////////////////////////// | 1140 ////////////////////////////////////////////////////////////////////// |
1102 | 1141 |
1103 OpenSSLAdapterFactory::OpenSSLAdapterFactory() | 1142 OpenSSLAdapterFactory::OpenSSLAdapterFactory() |
1104 : ssl_mode_(SSL_MODE_TLS), ssl_ctx_(nullptr) {} | 1143 : ssl_mode_(SSL_MODE_TLS), ssl_ctx_(nullptr) {} |
1105 | 1144 |
1106 OpenSSLAdapterFactory::~OpenSSLAdapterFactory() { | 1145 OpenSSLAdapterFactory::~OpenSSLAdapterFactory() { |
1107 for (auto it : sessions_) { | 1146 for (auto it : sessions_) { |
1108 SSL_SESSION_free(it.second); | 1147 SSL_SESSION_free(it.second); |
(...skipping 24 matching lines...) Expand all Loading... |
1133 } | 1172 } |
1134 | 1173 |
1135 void OpenSSLAdapterFactory::AddSession(const std::string& hostname, | 1174 void OpenSSLAdapterFactory::AddSession(const std::string& hostname, |
1136 SSL_SESSION* new_session) { | 1175 SSL_SESSION* new_session) { |
1137 SSL_SESSION* old_session = LookupSession(hostname); | 1176 SSL_SESSION* old_session = LookupSession(hostname); |
1138 SSL_SESSION_free(old_session); | 1177 SSL_SESSION_free(old_session); |
1139 sessions_[hostname] = new_session; | 1178 sessions_[hostname] = new_session; |
1140 } | 1179 } |
1141 | 1180 |
1142 } // namespace rtc | 1181 } // namespace rtc |
OLD | NEW |