1 /*
2 * Copyright 2008 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11 #include "rtc_base/openssl_adapter.h"
12
13 #include <errno.h>
14 #include <openssl/bio.h>
15 #include <openssl/err.h>
16
17 #include "absl/strings/string_view.h"
18 #ifdef OPENSSL_IS_BORINGSSL
19 #include <openssl/pool.h>
20 #endif
21 #include <openssl/rand.h>
22 #include <openssl/x509.h>
23 #include <string.h>
24 #include <time.h>
25
26 #include <memory>
27
28 // Use CRYPTO_BUFFER APIs if available and we have no dependency on X509
29 // objects.
30 #if defined(OPENSSL_IS_BORINGSSL) && \
31 defined(WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS)
32 #define WEBRTC_USE_CRYPTO_BUFFER_CALLBACK
33 #endif
34
35 #include "absl/memory/memory.h"
36 #include "api/units/time_delta.h"
37 #include "rtc_base/checks.h"
38 #include "rtc_base/logging.h"
39 #include "rtc_base/numerics/safe_conversions.h"
40 #include "rtc_base/openssl.h"
41 #ifdef OPENSSL_IS_BORINGSSL
42 #include "rtc_base/boringssl_identity.h"
43 #else
44 #include "rtc_base/openssl_identity.h"
45 #endif
46 #include "rtc_base/openssl_utility.h"
47 #include "rtc_base/strings/string_builder.h"
48 #include "rtc_base/thread.h"
49
50 //////////////////////////////////////////////////////////////////////
51 // SocketBIO
52 //////////////////////////////////////////////////////////////////////
53
54 static int socket_write(BIO* h, const char* buf, int num);
55 static int socket_read(BIO* h, char* buf, int size);
56 static int socket_puts(BIO* h, const char* str);
57 static long socket_ctrl(BIO* h, int cmd, long arg1, void* arg2); // NOLINT
58 static int socket_new(BIO* h);
59 static int socket_free(BIO* data);
60
BIO_socket_method()61 static BIO_METHOD* BIO_socket_method() {
62 static BIO_METHOD* methods = [] {
63 BIO_METHOD* methods = BIO_meth_new(BIO_TYPE_BIO, "socket");
64 BIO_meth_set_write(methods, socket_write);
65 BIO_meth_set_read(methods, socket_read);
66 BIO_meth_set_puts(methods, socket_puts);
67 BIO_meth_set_ctrl(methods, socket_ctrl);
68 BIO_meth_set_create(methods, socket_new);
69 BIO_meth_set_destroy(methods, socket_free);
70 return methods;
71 }();
72 return methods;
73 }
74
BIO_new_socket(rtc::Socket * socket)75 static BIO* BIO_new_socket(rtc::Socket* socket) {
76 BIO* ret = BIO_new(BIO_socket_method());
77 if (ret == nullptr) {
78 return nullptr;
79 }
80 BIO_set_data(ret, socket);
81 return ret;
82 }
83
socket_new(BIO * b)84 static int socket_new(BIO* b) {
85 BIO_set_shutdown(b, 0);
86 BIO_set_init(b, 1);
87 BIO_set_data(b, 0);
88 return 1;
89 }
90
socket_free(BIO * b)91 static int socket_free(BIO* b) {
92 if (b == nullptr)
93 return 0;
94 return 1;
95 }
96
socket_read(BIO * b,char * out,int outl)97 static int socket_read(BIO* b, char* out, int outl) {
98 if (!out)
99 return -1;
100 rtc::Socket* socket = static_cast<rtc::Socket*>(BIO_get_data(b));
101 BIO_clear_retry_flags(b);
102 int result = socket->Recv(out, outl, nullptr);
103 if (result > 0) {
104 return result;
105 } else if (socket->IsBlocking()) {
106 BIO_set_retry_read(b);
107 }
108 return -1;
109 }
110
socket_write(BIO * b,const char * in,int inl)111 static int socket_write(BIO* b, const char* in, int inl) {
112 if (!in)
113 return -1;
114 rtc::Socket* socket = static_cast<rtc::Socket*>(BIO_get_data(b));
115 BIO_clear_retry_flags(b);
116 int result = socket->Send(in, inl);
117 if (result > 0) {
118 return result;
119 } else if (socket->IsBlocking()) {
120 BIO_set_retry_write(b);
121 }
122 return -1;
123 }
124
socket_puts(BIO * b,const char * str)125 static int socket_puts(BIO* b, const char* str) {
126 return socket_write(b, str, rtc::checked_cast<int>(strlen(str)));
127 }
128
socket_ctrl(BIO * b,int cmd,long num,void * ptr)129 static long socket_ctrl(BIO* b, int cmd, long num, void* ptr) { // NOLINT
130 switch (cmd) {
131 case BIO_CTRL_RESET:
132 return 0;
133 case BIO_CTRL_EOF: {
134 rtc::Socket* socket = static_cast<rtc::Socket*>(ptr);
135 // 1 means socket closed.
136 return (socket->GetState() == rtc::Socket::CS_CLOSED) ? 1 : 0;
137 }
138 case BIO_CTRL_WPENDING:
139 case BIO_CTRL_PENDING:
140 return 0;
141 case BIO_CTRL_FLUSH:
142 return 1;
143 default:
144 return 0;
145 }
146 }
147
LogSslError()148 static void LogSslError() {
149 // Walk down the error stack to find the SSL error.
150 uint32_t error_code;
151 const char* file;
152 int line;
153 do {
154 error_code = ERR_get_error_line(&file, &line);
155 if (ERR_GET_LIB(error_code) == ERR_LIB_SSL) {
156 RTC_LOG(LS_ERROR) << "ERR_LIB_SSL: " << error_code << ", " << file << ":"
157 << line;
158 break;
159 }
160 } while (error_code != 0);
161 }
162
163 /////////////////////////////////////////////////////////////////////////////
164 // OpenSSLAdapter
165 /////////////////////////////////////////////////////////////////////////////
166
167 namespace rtc {
168
169 using ::webrtc::TimeDelta;
170
171 namespace webrtc_openssl_adapter_internal {
172
173 // Simple O(n^2) implementation is sufficient for current use case.
StrJoin(const std::vector<std::string> & list,char delimiter)174 std::string StrJoin(const std::vector<std::string>& list, char delimiter) {
175 RTC_CHECK(!list.empty());
176 StringBuilder sb;
177 sb << list[0];
178 for (size_t i = 1; i < list.size(); i++) {
179 sb.AppendFormat("%c", delimiter);
180 sb << list[i];
181 }
182 return sb.Release();
183 }
184 } // namespace webrtc_openssl_adapter_internal
185
186 using webrtc_openssl_adapter_internal::StrJoin;
187
InitializeSSL()188 bool OpenSSLAdapter::InitializeSSL() {
189 if (!SSL_library_init())
190 return false;
191 #if !defined(ADDRESS_SANITIZER) || !defined(WEBRTC_MAC) || defined(WEBRTC_IOS)
192 // Loading the error strings crashes mac_asan. Omit this debugging aid there.
193 SSL_load_error_strings();
194 #endif
195 ERR_load_BIO_strings();
196 OpenSSL_add_all_algorithms();
197 RAND_poll();
198 return true;
199 }
200
CleanupSSL()201 bool OpenSSLAdapter::CleanupSSL() {
202 return true;
203 }
204
OpenSSLAdapter(Socket * socket,OpenSSLSessionCache * ssl_session_cache,SSLCertificateVerifier * ssl_cert_verifier)205 OpenSSLAdapter::OpenSSLAdapter(Socket* socket,
206 OpenSSLSessionCache* ssl_session_cache,
207 SSLCertificateVerifier* ssl_cert_verifier)
208 : SSLAdapter(socket),
209 ssl_session_cache_(ssl_session_cache),
210 ssl_cert_verifier_(ssl_cert_verifier),
211 state_(SSL_NONE),
212 role_(SSL_CLIENT),
213 ssl_read_needs_write_(false),
214 ssl_write_needs_read_(false),
215 ssl_(nullptr),
216 ssl_ctx_(nullptr),
217 ssl_mode_(SSL_MODE_TLS),
218 ignore_bad_cert_(false),
219 custom_cert_verifier_status_(false) {
220 // If a factory is used, take a reference on the factory's SSL_CTX.
221 // Otherwise, we'll create our own later.
222 // Either way, we'll release our reference via SSL_CTX_free() in Cleanup().
223 if (ssl_session_cache_ != nullptr) {
224 ssl_ctx_ = ssl_session_cache_->GetSSLContext();
225 RTC_DCHECK(ssl_ctx_);
226 // Note: if using OpenSSL, requires version 1.1.0 or later.
227 SSL_CTX_up_ref(ssl_ctx_);
228 }
229 }
230
~OpenSSLAdapter()231 OpenSSLAdapter::~OpenSSLAdapter() {
232 Cleanup();
233 }
234
SetIgnoreBadCert(bool ignore)235 void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) {
236 ignore_bad_cert_ = ignore;
237 }
238
SetAlpnProtocols(const std::vector<std::string> & protos)239 void OpenSSLAdapter::SetAlpnProtocols(const std::vector<std::string>& protos) {
240 alpn_protocols_ = protos;
241 }
242
SetEllipticCurves(const std::vector<std::string> & curves)243 void OpenSSLAdapter::SetEllipticCurves(const std::vector<std::string>& curves) {
244 elliptic_curves_ = curves;
245 }
246
SetMode(SSLMode mode)247 void OpenSSLAdapter::SetMode(SSLMode mode) {
248 RTC_DCHECK(!ssl_ctx_);
249 RTC_DCHECK(state_ == SSL_NONE);
250 ssl_mode_ = mode;
251 }
252
SetCertVerifier(SSLCertificateVerifier * ssl_cert_verifier)253 void OpenSSLAdapter::SetCertVerifier(
254 SSLCertificateVerifier* ssl_cert_verifier) {
255 RTC_DCHECK(!ssl_ctx_);
256 ssl_cert_verifier_ = ssl_cert_verifier;
257 }
258
SetIdentity(std::unique_ptr<SSLIdentity> identity)259 void OpenSSLAdapter::SetIdentity(std::unique_ptr<SSLIdentity> identity) {
260 RTC_DCHECK(!identity_);
261 #ifdef OPENSSL_IS_BORINGSSL
262 identity_ =
263 absl::WrapUnique(static_cast<BoringSSLIdentity*>(identity.release()));
264 #else
265 identity_ =
266 absl::WrapUnique(static_cast<OpenSSLIdentity*>(identity.release()));
267 #endif
268 }
269
SetRole(SSLRole role)270 void OpenSSLAdapter::SetRole(SSLRole role) {
271 role_ = role;
272 }
273
StartSSL(absl::string_view hostname)274 int OpenSSLAdapter::StartSSL(absl::string_view hostname) {
275 if (state_ != SSL_NONE)
276 return -1;
277
278 ssl_host_name_.assign(hostname.data(), hostname.size());
279
280 if (GetSocket()->GetState() != Socket::CS_CONNECTED) {
281 state_ = SSL_WAIT;
282 return 0;
283 }
284
285 state_ = SSL_CONNECTING;
286 if (int err = BeginSSL()) {
287 Error("BeginSSL", err, false);
288 return err;
289 }
290
291 return 0;
292 }
293
BeginSSL()294 int OpenSSLAdapter::BeginSSL() {
295 RTC_LOG(LS_INFO) << "OpenSSLAdapter::BeginSSL: " << ssl_host_name_;
296 RTC_DCHECK(state_ == SSL_CONNECTING);
297
298 // Cleanup action to deal with on error cleanup a bit cleaner.
299 EarlyExitCatcher early_exit_catcher(*this);
300
301 // First set up the context. We should either have a factory, with its own
302 // pre-existing context, or be running standalone, in which case we will
303 // need to create one, and specify `false` to disable session caching.
304 if (ssl_session_cache_ == nullptr) {
305 RTC_DCHECK(!ssl_ctx_);
306 ssl_ctx_ = CreateContext(ssl_mode_, false);
307 }
308
309 if (!ssl_ctx_) {
310 return -1;
311 }
312
313 if (identity_ && !identity_->ConfigureIdentity(ssl_ctx_)) {
314 return -1;
315 }
316
317 std::unique_ptr<BIO, decltype(&::BIO_free)> bio{BIO_new_socket(GetSocket()),
318 ::BIO_free};
319 if (!bio) {
320 return -1;
321 }
322
323 ssl_ = SSL_new(ssl_ctx_);
324 if (!ssl_) {
325 return -1;
326 }
327
328 SSL_set_app_data(ssl_, this);
329
330 // SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER allows different buffers to be passed
331 // into SSL_write when a record could only be partially transmitted (and thus
332 // requires another call to SSL_write to finish transmission). This allows us
333 // to copy the data into our own buffer when this occurs, since the original
334 // buffer can't safely be accessed after control exits Send.
335 // TODO(deadbeef): Do we want SSL_MODE_ENABLE_PARTIAL_WRITE? It doesn't
336 // appear Send handles partial writes properly, though maybe we never notice
337 // since we never send more than 16KB at once..
338 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
339 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
340
341 // Enable SNI, if a hostname is supplied.
342 if (!ssl_host_name_.empty()) {
343 SSL_set_tlsext_host_name(ssl_, ssl_host_name_.c_str());
344
345 // Enable session caching, if configured and a hostname is supplied.
346 if (ssl_session_cache_ != nullptr) {
347 SSL_SESSION* cached = ssl_session_cache_->LookupSession(ssl_host_name_);
348 if (cached) {
349 if (SSL_set_session(ssl_, cached) == 0) {
350 RTC_LOG(LS_WARNING) << "Failed to apply SSL session from cache";
351 return -1;
352 }
353
354 RTC_LOG(LS_INFO) << "Attempting to resume SSL session to "
355 << ssl_host_name_;
356 }
357 }
358 }
359
360 #ifdef OPENSSL_IS_BORINGSSL
361 // Set a couple common TLS extensions; even though we don't use them yet.
362 SSL_enable_ocsp_stapling(ssl_);
363 SSL_enable_signed_cert_timestamps(ssl_);
364 #endif
365
366 if (!alpn_protocols_.empty()) {
367 std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_);
368 if (!tls_alpn_string.empty()) {
369 SSL_set_alpn_protos(
370 ssl_, reinterpret_cast<const unsigned char*>(tls_alpn_string.data()),
371 rtc::dchecked_cast<unsigned>(tls_alpn_string.size()));
372 }
373 }
374
375 if (!elliptic_curves_.empty()) {
376 SSL_set1_curves_list(ssl_, StrJoin(elliptic_curves_, ':').c_str());
377 }
378
379 // Now that the initial config is done, transfer ownership of `bio` to the
380 // SSL object. If ContinueSSL() fails, the bio will be freed in Cleanup().
381 SSL_set_bio(ssl_, bio.get(), bio.get());
382 bio.release();
383
384 // Do the connect.
385 int err = ContinueSSL();
386 if (err != 0) {
387 return err;
388 }
389 early_exit_catcher.disable();
390 return 0;
391 }
392
ContinueSSL()393 int OpenSSLAdapter::ContinueSSL() {
394 RTC_DCHECK(state_ == SSL_CONNECTING);
395
396 // Clear the DTLS timer
397 timer_.reset();
398
399 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
400 switch (SSL_get_error(ssl_, code)) {
401 case SSL_ERROR_NONE:
402 if (!SSLPostConnectionCheck(ssl_, ssl_host_name_)) {
403 RTC_LOG(LS_ERROR) << "TLS post connection check failed";
404 // make sure we close the socket
405 Cleanup();
406 // The connect failed so return -1 to shut down the socket
407 return -1;
408 }
409
410 state_ = SSL_CONNECTED;
411 AsyncSocketAdapter::OnConnectEvent(this);
412 // TODO(benwright): Refactor this code path.
413 // Don't let ourselves go away during the callbacks
414 // PRefPtr<OpenSSLAdapter> lock(this);
415 // RTC_LOG(LS_INFO) << " -- onStreamReadable";
416 // AsyncSocketAdapter::OnReadEvent(this);
417 // RTC_LOG(LS_INFO) << " -- onStreamWriteable";
418 // AsyncSocketAdapter::OnWriteEvent(this);
419 break;
420
421 case SSL_ERROR_WANT_READ:
422 RTC_LOG(LS_VERBOSE) << " -- error want read";
423 struct timeval timeout;
424 if (DTLSv1_get_timeout(ssl_, &timeout)) {
425 TimeDelta delay = TimeDelta::Seconds(timeout.tv_sec) +
426 TimeDelta::Micros(timeout.tv_usec);
427 Thread::Current()->PostDelayedTask(
428 SafeTask(timer_.flag(), [this] { OnTimeout(); }), delay);
429 }
430 break;
431
432 case SSL_ERROR_WANT_WRITE:
433 break;
434
435 case SSL_ERROR_ZERO_RETURN:
436 default:
437 RTC_LOG(LS_WARNING) << "ContinueSSL -- error " << code;
438 return (code != 0) ? code : -1;
439 }
440
441 return 0;
442 }
443
Error(absl::string_view context,int err,bool signal)444 void OpenSSLAdapter::Error(absl::string_view context, int err, bool signal) {
445 RTC_LOG(LS_WARNING) << "OpenSSLAdapter::Error(" << context << ", " << err
446 << ")";
447 state_ = SSL_ERROR;
448 SetError(err);
449 if (signal) {
450 AsyncSocketAdapter::OnCloseEvent(this, err);
451 }
452 }
453
Cleanup()454 void OpenSSLAdapter::Cleanup() {
455 RTC_LOG(LS_INFO) << "OpenSSLAdapter::Cleanup";
456
457 state_ = SSL_NONE;
458 ssl_read_needs_write_ = false;
459 ssl_write_needs_read_ = false;
460 custom_cert_verifier_status_ = false;
461 pending_data_.Clear();
462
463 if (ssl_) {
464 SSL_free(ssl_);
465 ssl_ = nullptr;
466 }
467
468 if (ssl_ctx_) {
469 SSL_CTX_free(ssl_ctx_);
470 ssl_ctx_ = nullptr;
471 }
472 identity_.reset();
473
474 // Clear the DTLS timer
475 timer_.reset();
476 }
477
DoSslWrite(const void * pv,size_t cb,int * error)478 int OpenSSLAdapter::DoSslWrite(const void* pv, size_t cb, int* error) {
479 // If we have pending data (that was previously only partially written by
480 // SSL_write), we shouldn't be attempting to write anything else.
481 RTC_DCHECK(pending_data_.empty() || pv == pending_data_.data());
482 RTC_DCHECK(error != nullptr);
483
484 ssl_write_needs_read_ = false;
485 int ret = SSL_write(ssl_, pv, checked_cast<int>(cb));
486 *error = SSL_get_error(ssl_, ret);
487 switch (*error) {
488 case SSL_ERROR_NONE:
489 // Success!
490 return ret;
491 case SSL_ERROR_WANT_READ:
492 RTC_LOG(LS_INFO) << " -- error want read";
493 ssl_write_needs_read_ = true;
494 SetError(EWOULDBLOCK);
495 break;
496 case SSL_ERROR_WANT_WRITE:
497 RTC_LOG(LS_INFO) << " -- error want write";
498 SetError(EWOULDBLOCK);
499 break;
500 case SSL_ERROR_ZERO_RETURN:
501 SetError(EWOULDBLOCK);
502 // do we need to signal closure?
503 break;
504 case SSL_ERROR_SSL:
505 LogSslError();
506 Error("SSL_write", ret ? ret : -1, false);
507 break;
508 default:
509 Error("SSL_write", ret ? ret : -1, false);
510 break;
511 }
512
513 return SOCKET_ERROR;
514 }
515
516 ///////////////////////////////////////////////////////////////////////////////
517 // Socket Implementation
518 ///////////////////////////////////////////////////////////////////////////////
519
Send(const void * pv,size_t cb)520 int OpenSSLAdapter::Send(const void* pv, size_t cb) {
521 switch (state_) {
522 case SSL_NONE:
523 return AsyncSocketAdapter::Send(pv, cb);
524 case SSL_WAIT:
525 case SSL_CONNECTING:
526 SetError(ENOTCONN);
527 return SOCKET_ERROR;
528 case SSL_CONNECTED:
529 break;
530 case SSL_ERROR:
531 default:
532 return SOCKET_ERROR;
533 }
534
535 int ret;
536 int error;
537
538 if (!pending_data_.empty()) {
539 ret = DoSslWrite(pending_data_.data(), pending_data_.size(), &error);
540 if (ret != static_cast<int>(pending_data_.size())) {
541 // We couldn't finish sending the pending data, so we definitely can't
542 // send any more data. Return with an EWOULDBLOCK error.
543 SetError(EWOULDBLOCK);
544 return SOCKET_ERROR;
545 }
546 // We completed sending the data previously passed into SSL_write! Now
547 // we're allowed to send more data.
548 pending_data_.Clear();
549 }
550
551 // OpenSSL will return an error if we try to write zero bytes
552 if (cb == 0) {
553 return 0;
554 }
555
556 ret = DoSslWrite(pv, cb, &error);
557
558 // If SSL_write fails with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, this
559 // means the underlying socket is blocked on reading or (more typically)
560 // writing. When this happens, OpenSSL requires that the next call to
561 // SSL_write uses the same arguments (though, with
562 // SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, the actual buffer pointer may be
563 // different).
564 //
565 // However, after Send exits, we will have lost access to data the user of
566 // this class is trying to send, and there's no guarantee that the user of
567 // this class will call Send with the same arguements when it fails. So, we
568 // buffer the data ourselves. When we know the underlying socket is writable
569 // again from OnWriteEvent (or if Send is called again before that happens),
570 // we'll retry sending this buffered data.
571 if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE) {
572 // Shouldn't be able to get to this point if we already have pending data.
573 RTC_DCHECK(pending_data_.empty());
574 RTC_LOG(LS_WARNING)
575 << "SSL_write couldn't write to the underlying socket; buffering data.";
576 pending_data_.SetData(static_cast<const uint8_t*>(pv), cb);
577 // Since we're taking responsibility for sending this data, return its full
578 // size. The user of this class can consider it sent.
579 return rtc::dchecked_cast<int>(cb);
580 }
581 return ret;
582 }
583
SendTo(const void * pv,size_t cb,const SocketAddress & addr)584 int OpenSSLAdapter::SendTo(const void* pv,
585 size_t cb,
586 const SocketAddress& addr) {
587 if (GetSocket()->GetState() == Socket::CS_CONNECTED &&
588 addr == GetSocket()->GetRemoteAddress()) {
589 return Send(pv, cb);
590 }
591
592 SetError(ENOTCONN);
593 return SOCKET_ERROR;
594 }
595
Recv(void * pv,size_t cb,int64_t * timestamp)596 int OpenSSLAdapter::Recv(void* pv, size_t cb, int64_t* timestamp) {
597 switch (state_) {
598 case SSL_NONE:
599 return AsyncSocketAdapter::Recv(pv, cb, timestamp);
600 case SSL_WAIT:
601 case SSL_CONNECTING:
602 SetError(ENOTCONN);
603 return SOCKET_ERROR;
604 case SSL_CONNECTED:
605 break;
606 case SSL_ERROR:
607 default:
608 return SOCKET_ERROR;
609 }
610
611 // Don't trust OpenSSL with zero byte reads
612 if (cb == 0) {
613 return 0;
614 }
615
616 ssl_read_needs_write_ = false;
617 int code = SSL_read(ssl_, pv, checked_cast<int>(cb));
618 int error = SSL_get_error(ssl_, code);
619
620 switch (error) {
621 case SSL_ERROR_NONE:
622 return code;
623 case SSL_ERROR_WANT_READ:
624 SetError(EWOULDBLOCK);
625 break;
626 case SSL_ERROR_WANT_WRITE:
627 ssl_read_needs_write_ = true;
628 SetError(EWOULDBLOCK);
629 break;
630 case SSL_ERROR_ZERO_RETURN:
631 SetError(EWOULDBLOCK);
632 // do we need to signal closure?
633 break;
634 case SSL_ERROR_SSL:
635 LogSslError();
636 Error("SSL_read", (code ? code : -1), false);
637 break;
638 default:
639 Error("SSL_read", (code ? code : -1), false);
640 break;
641 }
642 return SOCKET_ERROR;
643 }
644
RecvFrom(void * pv,size_t cb,SocketAddress * paddr,int64_t * timestamp)645 int OpenSSLAdapter::RecvFrom(void* pv,
646 size_t cb,
647 SocketAddress* paddr,
648 int64_t* timestamp) {
649 if (GetSocket()->GetState() == Socket::CS_CONNECTED) {
650 int ret = Recv(pv, cb, timestamp);
651 *paddr = GetRemoteAddress();
652 return ret;
653 }
654
655 SetError(ENOTCONN);
656 return SOCKET_ERROR;
657 }
658
Close()659 int OpenSSLAdapter::Close() {
660 Cleanup();
661 state_ = SSL_NONE;
662 return AsyncSocketAdapter::Close();
663 }
664
GetState() const665 Socket::ConnState OpenSSLAdapter::GetState() const {
666 ConnState state = GetSocket()->GetState();
667 if ((state == CS_CONNECTED) &&
668 ((state_ == SSL_WAIT) || (state_ == SSL_CONNECTING))) {
669 state = CS_CONNECTING;
670 }
671 return state;
672 }
673
IsResumedSession()674 bool OpenSSLAdapter::IsResumedSession() {
675 return (ssl_ && SSL_session_reused(ssl_) == 1);
676 }
677
OnTimeout()678 void OpenSSLAdapter::OnTimeout() {
679 RTC_LOG(LS_INFO) << "DTLS timeout expired";
680 DTLSv1_handle_timeout(ssl_);
681 ContinueSSL();
682 }
683
OnConnectEvent(Socket * socket)684 void OpenSSLAdapter::OnConnectEvent(Socket* socket) {
685 RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnConnectEvent";
686 if (state_ != SSL_WAIT) {
687 RTC_DCHECK(state_ == SSL_NONE);
688 AsyncSocketAdapter::OnConnectEvent(socket);
689 return;
690 }
691
692 state_ = SSL_CONNECTING;
693 if (int err = BeginSSL()) {
694 AsyncSocketAdapter::OnCloseEvent(socket, err);
695 }
696 }
697
OnReadEvent(Socket * socket)698 void OpenSSLAdapter::OnReadEvent(Socket* socket) {
699 if (state_ == SSL_NONE) {
700 AsyncSocketAdapter::OnReadEvent(socket);
701 return;
702 }
703
704 if (state_ == SSL_CONNECTING) {
705 if (int err = ContinueSSL()) {
706 Error("ContinueSSL", err);
707 }
708 return;
709 }
710
711 if (state_ != SSL_CONNECTED) {
712 return;
713 }
714
715 // Don't let ourselves go away during the callbacks
716 // PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
717 if (ssl_write_needs_read_) {
718 AsyncSocketAdapter::OnWriteEvent(socket);
719 }
720
721 AsyncSocketAdapter::OnReadEvent(socket);
722 }
723
OnWriteEvent(Socket * socket)724 void OpenSSLAdapter::OnWriteEvent(Socket* socket) {
725 if (state_ == SSL_NONE) {
726 AsyncSocketAdapter::OnWriteEvent(socket);
727 return;
728 }
729
730 if (state_ == SSL_CONNECTING) {
731 if (int err = ContinueSSL()) {
732 Error("ContinueSSL", err);
733 }
734 return;
735 }
736
737 if (state_ != SSL_CONNECTED) {
738 return;
739 }
740
741 // Don't let ourselves go away during the callbacks
742 // PRefPtr<OpenSSLAdapter> lock(this); // TODO(benwright): fix this
743
744 if (ssl_read_needs_write_) {
745 AsyncSocketAdapter::OnReadEvent(socket);
746 }
747
748 // If a previous SSL_write failed due to the underlying socket being blocked,
749 // this will attempt finishing the write operation.
750 if (!pending_data_.empty()) {
751 int error;
752 if (DoSslWrite(pending_data_.data(), pending_data_.size(), &error) ==
753 static_cast<int>(pending_data_.size())) {
754 pending_data_.Clear();
755 }
756 }
757
758 AsyncSocketAdapter::OnWriteEvent(socket);
759 }
760
OnCloseEvent(Socket * socket,int err)761 void OpenSSLAdapter::OnCloseEvent(Socket* socket, int err) {
762 RTC_LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")";
763 AsyncSocketAdapter::OnCloseEvent(socket, err);
764 }
765
SSLPostConnectionCheck(SSL * ssl,absl::string_view host)766 bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, absl::string_view host) {
767 bool is_valid_cert_name =
768 openssl::VerifyPeerCertMatchesHost(ssl, host) &&
769 (SSL_get_verify_result(ssl) == X509_V_OK || custom_cert_verifier_status_);
770
771 if (!is_valid_cert_name && ignore_bad_cert_) {
772 RTC_DLOG(LS_WARNING) << "Other TLS post connection checks failed. "
773 "ignore_bad_cert_ set to true. Overriding name "
774 "verification failure!";
775 is_valid_cert_name = true;
776 }
777 return is_valid_cert_name;
778 }
779
780 #if !defined(NDEBUG)
781
782 // We only use this for tracing and so it is only needed in debug mode
783
SSLInfoCallback(const SSL * s,int where,int ret)784 void OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int ret) {
785 const char* str = "undefined";
786 int w = where & ~SSL_ST_MASK;
787 if (w & SSL_ST_CONNECT) {
788 str = "SSL_connect";
789 } else if (w & SSL_ST_ACCEPT) {
790 str = "SSL_accept";
791 }
792 if (where & SSL_CB_LOOP) {
793 RTC_DLOG(LS_VERBOSE) << str << ":" << SSL_state_string_long(s);
794 } else if (where & SSL_CB_ALERT) {
795 str = (where & SSL_CB_READ) ? "read" : "write";
796 RTC_DLOG(LS_INFO) << "SSL3 alert " << str << ":"
797 << SSL_alert_type_string_long(ret) << ":"
798 << SSL_alert_desc_string_long(ret);
799 } else if (where & SSL_CB_EXIT) {
800 if (ret == 0) {
801 RTC_DLOG(LS_INFO) << str << ":failed in " << SSL_state_string_long(s);
802 } else if (ret < 0) {
803 RTC_DLOG(LS_INFO) << str << ":error in " << SSL_state_string_long(s);
804 }
805 }
806 }
807
808 #endif
809
810 #ifdef WEBRTC_USE_CRYPTO_BUFFER_CALLBACK
811 // static
SSLVerifyCallback(SSL * ssl,uint8_t * out_alert)812 enum ssl_verify_result_t OpenSSLAdapter::SSLVerifyCallback(SSL* ssl,
813 uint8_t* out_alert) {
814 // Get our stream pointer from the SSL context.
815 OpenSSLAdapter* stream =
816 reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
817
818 ssl_verify_result_t ret = stream->SSLVerifyInternal(ssl, out_alert);
819
820 // Should only be used for debugging and development.
821 if (ret != ssl_verify_ok && stream->ignore_bad_cert_) {
822 RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
823 return ssl_verify_ok;
824 }
825
826 return ret;
827 }
828
SSLVerifyInternal(SSL * ssl,uint8_t * out_alert)829 enum ssl_verify_result_t OpenSSLAdapter::SSLVerifyInternal(SSL* ssl,
830 uint8_t* out_alert) {
831 if (ssl_cert_verifier_ == nullptr) {
832 RTC_LOG(LS_WARNING) << "Built-in trusted root certificates disabled but no "
833 "SSL verify callback provided.";
834 return ssl_verify_invalid;
835 }
836
837 RTC_LOG(LS_INFO) << "Invoking SSL Verify Callback.";
838 const STACK_OF(CRYPTO_BUFFER)* chain = SSL_get0_peer_certificates(ssl);
839 if (sk_CRYPTO_BUFFER_num(chain) == 0) {
840 RTC_LOG(LS_ERROR) << "Peer certificate chain empty?";
841 return ssl_verify_invalid;
842 }
843
844 BoringSSLCertificate cert(bssl::UpRef(sk_CRYPTO_BUFFER_value(chain, 0)));
845 if (!ssl_cert_verifier_->Verify(cert)) {
846 RTC_LOG(LS_WARNING) << "Failed to verify certificate using custom callback";
847 return ssl_verify_invalid;
848 }
849
850 custom_cert_verifier_status_ = true;
851 RTC_LOG(LS_INFO) << "Validated certificate using custom callback";
852 return ssl_verify_ok;
853 }
854 #else // WEBRTC_USE_CRYPTO_BUFFER_CALLBACK
SSLVerifyCallback(int status,X509_STORE_CTX * store)855 int OpenSSLAdapter::SSLVerifyCallback(int status, X509_STORE_CTX* store) {
856 // Get our stream pointer from the store
857 SSL* ssl = reinterpret_cast<SSL*>(
858 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
859
860 OpenSSLAdapter* stream =
861 reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
862 // Update status with the custom verifier.
863 // Status is unchanged if verification fails.
864 status = stream->SSLVerifyInternal(status, ssl, store);
865
866 // Should only be used for debugging and development.
867 if (!status && stream->ignore_bad_cert_) {
868 RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
869 return 1;
870 }
871
872 return status;
873 }
874
SSLVerifyInternal(int previous_status,SSL * ssl,X509_STORE_CTX * store)875 int OpenSSLAdapter::SSLVerifyInternal(int previous_status,
876 SSL* ssl,
877 X509_STORE_CTX* store) {
878 #if !defined(NDEBUG)
879 if (!previous_status) {
880 char data[256];
881 X509* cert = X509_STORE_CTX_get_current_cert(store);
882 int depth = X509_STORE_CTX_get_error_depth(store);
883 int err = X509_STORE_CTX_get_error(store);
884
885 RTC_DLOG(LS_INFO) << "Error with certificate at depth: " << depth;
886 X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
887 RTC_DLOG(LS_INFO) << " issuer = " << data;
888 X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof(data));
889 RTC_DLOG(LS_INFO) << " subject = " << data;
890 RTC_DLOG(LS_INFO) << " err = " << err << ":"
891 << X509_verify_cert_error_string(err);
892 }
893 #endif
894 // `ssl_cert_verifier_` is used to override errors; if there is no error
895 // there is no reason to call it.
896 if (previous_status || ssl_cert_verifier_ == nullptr) {
897 return previous_status;
898 }
899
900 RTC_LOG(LS_INFO) << "Invoking SSL Verify Callback.";
901 #ifdef OPENSSL_IS_BORINGSSL
902 // Convert X509 to CRYPTO_BUFFER.
903 uint8_t* data = nullptr;
904 int length = i2d_X509(X509_STORE_CTX_get_current_cert(store), &data);
905 if (length < 0) {
906 RTC_LOG(LS_ERROR) << "Failed to encode X509.";
907 return previous_status;
908 }
909 bssl::UniquePtr<uint8_t> owned_data(data);
910 bssl::UniquePtr<CRYPTO_BUFFER> crypto_buffer(
911 CRYPTO_BUFFER_new(data, length, openssl::GetBufferPool()));
912 if (!crypto_buffer) {
913 RTC_LOG(LS_ERROR) << "Failed to allocate CRYPTO_BUFFER.";
914 return previous_status;
915 }
916 const BoringSSLCertificate cert(std::move(crypto_buffer));
917 #else
918 const OpenSSLCertificate cert(X509_STORE_CTX_get_current_cert(store));
919 #endif
920 if (!ssl_cert_verifier_->Verify(cert)) {
921 RTC_LOG(LS_INFO) << "Failed to verify certificate using custom callback";
922 return previous_status;
923 }
924
925 custom_cert_verifier_status_ = true;
926 RTC_LOG(LS_INFO) << "Validated certificate using custom callback";
927 return 1;
928 }
929 #endif // !defined(WEBRTC_USE_CRYPTO_BUFFER_CALLBACK)
930
NewSSLSessionCallback(SSL * ssl,SSL_SESSION * session)931 int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) {
932 OpenSSLAdapter* stream =
933 reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
934 RTC_DCHECK(stream->ssl_session_cache_);
935 RTC_LOG(LS_INFO) << "Caching SSL session for " << stream->ssl_host_name_;
936 stream->ssl_session_cache_->AddSession(stream->ssl_host_name_, session);
937 return 1; // We've taken ownership of the session; OpenSSL shouldn't free it.
938 }
939
CreateContext(SSLMode mode,bool enable_cache)940 SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
941 #ifdef WEBRTC_USE_CRYPTO_BUFFER_CALLBACK
942 // If X509 objects aren't used, we can use these methods to avoid
943 // linking the sizable crypto/x509 code.
944 SSL_CTX* ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_with_buffers_method()
945 : TLS_with_buffers_method());
946 #else
947 SSL_CTX* ctx =
948 SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
949 #endif
950 if (ctx == nullptr) {
951 unsigned long error = ERR_get_error(); // NOLINT: type used by OpenSSL.
952 RTC_LOG(LS_WARNING) << "SSL_CTX creation failed: " << '"'
953 << ERR_reason_error_string(error)
954 << "\" "
955 "(error="
956 << error << ')';
957 return nullptr;
958 }
959
960 #ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
961 if (!openssl::LoadBuiltinSSLRootCertificates(ctx)) {
962 RTC_LOG(LS_ERROR) << "SSL_CTX creation failed: Failed to load any trusted "
963 "ssl root certificates.";
964 SSL_CTX_free(ctx);
965 return nullptr;
966 }
967 #endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
968
969 #if !defined(NDEBUG)
970 SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
971 #endif
972
973 #ifdef OPENSSL_IS_BORINGSSL
974 SSL_CTX_set0_buffer_pool(ctx, openssl::GetBufferPool());
975 #endif
976
977 #ifdef WEBRTC_USE_CRYPTO_BUFFER_CALLBACK
978 SSL_CTX_set_custom_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
979 #else
980 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
981 // Verify certificate chains up to a depth of 4. This is not
982 // needed for DTLS-SRTP which uses self-signed certificates
983 // (so the depth is 0) but is required to support TURN/TLS.
984 SSL_CTX_set_verify_depth(ctx, 4);
985 #endif
986 // Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
987 // (note that SHA256 and SHA384 only select legacy CBC ciphers).
988 // Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
989 // CBC-mode ECDSA ciphers. Finally, disable 3DES.
990 SSL_CTX_set_cipher_list(
991 ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5:!3DES");
992
993 if (mode == SSL_MODE_DTLS) {
994 SSL_CTX_set_read_ahead(ctx, 1);
995 }
996
997 if (enable_cache) {
998 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
999 SSL_CTX_sess_set_new_cb(ctx, &OpenSSLAdapter::NewSSLSessionCallback);
1000 }
1001
1002 return ctx;
1003 }
1004
TransformAlpnProtocols(const std::vector<std::string> & alpn_protocols)1005 std::string TransformAlpnProtocols(
1006 const std::vector<std::string>& alpn_protocols) {
1007 // Transforms the alpn_protocols list to the format expected by
1008 // Open/BoringSSL. This requires joining the protocols into a single string
1009 // and prepending a character with the size of the protocol string before
1010 // each protocol.
1011 std::string transformed_alpn;
1012 for (const std::string& proto : alpn_protocols) {
1013 if (proto.size() == 0 || proto.size() > 0xFF) {
1014 RTC_LOG(LS_ERROR) << "OpenSSLAdapter::Error("
1015 "TransformAlpnProtocols received proto with size "
1016 << proto.size() << ")";
1017 return "";
1018 }
1019 transformed_alpn += static_cast<char>(proto.size());
1020 transformed_alpn += proto;
1021 RTC_LOG(LS_VERBOSE) << "TransformAlpnProtocols: Adding proto: " << proto;
1022 }
1023 return transformed_alpn;
1024 }
1025
1026 //////////////////////////////////////////////////////////////////////
1027 // OpenSSLAdapterFactory
1028 //////////////////////////////////////////////////////////////////////
1029
1030 OpenSSLAdapterFactory::OpenSSLAdapterFactory() = default;
1031
1032 OpenSSLAdapterFactory::~OpenSSLAdapterFactory() = default;
1033
SetMode(SSLMode mode)1034 void OpenSSLAdapterFactory::SetMode(SSLMode mode) {
1035 RTC_DCHECK(!ssl_session_cache_);
1036 ssl_mode_ = mode;
1037 }
1038
SetCertVerifier(SSLCertificateVerifier * ssl_cert_verifier)1039 void OpenSSLAdapterFactory::SetCertVerifier(
1040 SSLCertificateVerifier* ssl_cert_verifier) {
1041 RTC_DCHECK(!ssl_session_cache_);
1042 ssl_cert_verifier_ = ssl_cert_verifier;
1043 }
1044
SetIdentity(std::unique_ptr<SSLIdentity> identity)1045 void OpenSSLAdapterFactory::SetIdentity(std::unique_ptr<SSLIdentity> identity) {
1046 RTC_DCHECK(!ssl_session_cache_);
1047 identity_ = std::move(identity);
1048 }
1049
SetRole(SSLRole role)1050 void OpenSSLAdapterFactory::SetRole(SSLRole role) {
1051 RTC_DCHECK(!ssl_session_cache_);
1052 ssl_role_ = role;
1053 }
1054
SetIgnoreBadCert(bool ignore)1055 void OpenSSLAdapterFactory::SetIgnoreBadCert(bool ignore) {
1056 RTC_DCHECK(!ssl_session_cache_);
1057 ignore_bad_cert_ = ignore;
1058 }
1059
CreateAdapter(Socket * socket)1060 OpenSSLAdapter* OpenSSLAdapterFactory::CreateAdapter(Socket* socket) {
1061 if (ssl_session_cache_ == nullptr) {
1062 SSL_CTX* ssl_ctx = OpenSSLAdapter::CreateContext(ssl_mode_, true);
1063 if (ssl_ctx == nullptr) {
1064 return nullptr;
1065 }
1066 // The OpenSSLSessionCache will upref the ssl_ctx.
1067 ssl_session_cache_ =
1068 std::make_unique<OpenSSLSessionCache>(ssl_mode_, ssl_ctx);
1069 SSL_CTX_free(ssl_ctx);
1070 }
1071 OpenSSLAdapter* ssl_adapter =
1072 new OpenSSLAdapter(socket, ssl_session_cache_.get(), ssl_cert_verifier_);
1073 ssl_adapter->SetRole(ssl_role_);
1074 ssl_adapter->SetIgnoreBadCert(ignore_bad_cert_);
1075 if (identity_) {
1076 ssl_adapter->SetIdentity(identity_->Clone());
1077 }
1078 return ssl_adapter;
1079 }
1080
EarlyExitCatcher(OpenSSLAdapter & adapter_ptr)1081 OpenSSLAdapter::EarlyExitCatcher::EarlyExitCatcher(OpenSSLAdapter& adapter_ptr)
1082 : adapter_ptr_(adapter_ptr) {}
1083
disable()1084 void OpenSSLAdapter::EarlyExitCatcher::disable() {
1085 disabled_ = true;
1086 }
1087
~EarlyExitCatcher()1088 OpenSSLAdapter::EarlyExitCatcher::~EarlyExitCatcher() {
1089 if (!disabled_) {
1090 adapter_ptr_.Cleanup();
1091 }
1092 }
1093
1094 } // namespace rtc
1095