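/*
 *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
 *
 *  Use of this source code is governed by a BSD-style license
 *  that can be found in the LICENSE file in the root of the source
 *  tree. An additional intellectual property rights grant can be found
 *  in the file PATENTS.  All contributing project authors may
 *  be found in the AUTHORS file in the root of the source tree.
 */

#ifndef RTC_BASE_SSL_ADAPTER_H_
#define RTC_BASE_SSL_ADAPTER_H_

#include <memory>  // std::unique_ptr is used below; do not rely on a transitive include.
#include <string>
#include <vector>

#include "absl/strings/string_view.h"
#include "rtc_base/async_socket.h"
#include "rtc_base/checks.h"  // RTC_CHECK, used by SSLAdapter::Listen/Accept.
#include "rtc_base/ssl_certificate.h"
#include "rtc_base/ssl_identity.h"
#include "rtc_base/ssl_stream_adapter.h"
#include "rtc_base/system/rtc_export.h"

namespace rtc {

class SSLAdapter;

// Class for creating SSL adapters with shared state, e.g., a session cache,
// which allows clients to resume SSL sessions to previously-contacted hosts.
// Clients should create the factory using Create(), set up the factory as
// needed using SetMode, and then call CreateAdapter to create adapters when
// needed.
class SSLAdapterFactory {
 public:
  virtual ~SSLAdapterFactory() {}

  // Specifies whether TLS or DTLS is to be used for the SSL adapters.
  virtual void SetMode(SSLMode mode) = 0;

  // Specify a custom certificate verifier for SSL.
  virtual void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) = 0;

  // Set the certificate presented to incoming clients.
  // Takes ownership of `identity`.
  virtual void SetIdentity(std::unique_ptr<SSLIdentity> identity) = 0;

  // Choose whether the socket acts as a server socket or client socket.
  virtual void SetRole(SSLRole role) = 0;

  // Methods that control server certificate verification, used in unit tests.
  // Do not call these methods in production code: ignoring a bad certificate
  // disables server authentication, so the resulting connection cannot detect
  // an interposed peer.
  virtual void SetIgnoreBadCert(bool ignore) = 0;

  // Creates a new SSL adapter, but from a shared context.
  // NOTE(review): ownership of the returned raw pointer is not stated here;
  // callers should confirm it against the implementation.
  virtual SSLAdapter* CreateAdapter(Socket* socket) = 0;

  static std::unique_ptr<SSLAdapterFactory> Create();
};

// Class that abstracts a client-to-server SSL session. It can be created
// standalone, via SSLAdapter::Create, or through a factory as described above,
// in which case it will share state with other SSLAdapters created from the
// same factory.
// After creation, call StartSSL to initiate the SSL handshake to the server.
class SSLAdapter : public AsyncSocketAdapter {
 public:
  explicit SSLAdapter(Socket* socket) : AsyncSocketAdapter(socket) {}

  // Methods that control server certificate verification, used in unit tests.
  // Do not call these methods in production code: ignoring a bad certificate
  // disables server authentication, so the resulting connection cannot detect
  // an interposed peer.
  // TODO(juberti): Remove the opportunistic encryption mechanism in
  // BasicPacketSocketFactory that uses this function.
  virtual void SetIgnoreBadCert(bool ignore) = 0;

  // ALPN protocol names and elliptic curve names offered during the handshake.
  virtual void SetAlpnProtocols(const std::vector<std::string>& protos) = 0;
  virtual void SetEllipticCurves(const std::vector<std::string>& curves) = 0;

  // Do DTLS or TLS (default is TLS, if unspecified)
  virtual void SetMode(SSLMode mode) = 0;
  // Specify a custom certificate verifier for SSL.
  virtual void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) = 0;

  // Set the certificate this socket will present to incoming clients.
  // Takes ownership of `identity`.
  virtual void SetIdentity(std::unique_ptr<SSLIdentity> identity) = 0;

  // Choose whether the socket acts as a server socket or client socket.
  virtual void SetRole(SSLRole role) = 0;

  // StartSSL returns 0 if successful.
  // If StartSSL is called while the socket is closed or connecting, the SSL
  // negotiation will begin as soon as the socket connects.
  // NOTE(review): `hostname` is presumably the name the server certificate is
  // checked against; confirm against the implementation before relying on it.
  virtual int StartSSL(absl::string_view hostname) = 0;

  // When an SSLAdapterFactory is used, an SSLAdapter may be used to resume
  // a previous SSL session, which results in an abbreviated handshake.
  // This method, if called after SSL has been established for this adapter,
  // indicates whether the current session is a resumption of a previous
  // session.
  virtual bool IsResumedSession() = 0;

  // Create the default SSL adapter for this platform. On failure, returns null
  // and deletes `socket`. Otherwise, the returned SSLAdapter takes ownership
  // of `socket`.
  static SSLAdapter* Create(Socket* socket);

 private:
  // Not supported: an SSLAdapter is client-to-server only. These overrides
  // abort unconditionally and never return, which is why they have no return
  // statement.
  int Listen(int backlog) override { RTC_CHECK(false); }
  Socket* Accept(SocketAddress* paddr) override { RTC_CHECK(false); }
};

///////////////////////////////////////////////////////////////////////////////

// Call this on the main thread, before using SSL.
// Call CleanupSSL when finished with SSL.
RTC_EXPORT bool InitializeSSL();

// Call to cleanup additional threads, and also the main thread.
RTC_EXPORT bool CleanupSSL();

}  // namespace rtc

#endif  // RTC_BASE_SSL_ADAPTER_H_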