OLD | NEW |
| (Empty) |
1 /* | |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | |
3 * | |
4 * Use of this source code is governed by a BSD-style license | |
5 * that can be found in the LICENSE file in the root of the source | |
6 * tree. An additional intellectual property rights grant can be found | |
7 * in the file PATENTS. All contributing project authors may | |
8 * be found in the AUTHORS file in the root of the source tree. | |
9 */ | |
10 | |
11 #include "webrtc/base/opensslstreamadapter.h" | |
12 | |
13 #include <openssl/bio.h> | |
14 #include <openssl/crypto.h> | |
15 #include <openssl/err.h> | |
16 #include <openssl/rand.h> | |
17 #include <openssl/tls1.h> | |
18 #include <openssl/x509v3.h> | |
19 #ifndef OPENSSL_IS_BORINGSSL | |
20 #include <openssl/dtls1.h> | |
21 #include <openssl/ssl.h> | |
22 #endif | |
23 | |
24 #include <memory> | |
25 #include <vector> | |
26 | |
27 #include "webrtc/base/checks.h" | |
28 #include "webrtc/base/logging.h" | |
29 #include "webrtc/base/safe_conversions.h" | |
30 #include "webrtc/base/stream.h" | |
31 #include "webrtc/base/openssl.h" | |
32 #include "webrtc/base/openssladapter.h" | |
33 #include "webrtc/base/openssldigest.h" | |
34 #include "webrtc/base/opensslidentity.h" | |
35 #include "webrtc/base/stringutils.h" | |
36 #include "webrtc/base/timeutils.h" | |
37 #include "webrtc/base/thread.h" | |
38 | |
39 namespace { | |
40 bool g_use_time_callback_for_testing = false; | |
41 } | |
42 | |
43 namespace rtc { | |
44 | |
45 #if (OPENSSL_VERSION_NUMBER < 0x10001000L) | |
46 #error "webrtc requires at least OpenSSL version 1.0.1, to support DTLS-SRTP" | |
47 #endif | |
48 | |
49 // SRTP cipher suite table. |internal_name| is used to construct a | |
50 // colon-separated profile strings which is needed by | |
51 // SSL_CTX_set_tlsext_use_srtp(). | |
52 struct SrtpCipherMapEntry { | |
53 const char* internal_name; | |
54 const int id; | |
55 }; | |
56 | |
57 // This isn't elegant, but it's better than an external reference | |
58 static SrtpCipherMapEntry SrtpCipherMap[] = { | |
59 {"SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80}, | |
60 {"SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32}, | |
61 {"SRTP_AEAD_AES_128_GCM", SRTP_AEAD_AES_128_GCM}, | |
62 {"SRTP_AEAD_AES_256_GCM", SRTP_AEAD_AES_256_GCM}, | |
63 {nullptr, 0}}; | |
64 | |
65 #ifdef OPENSSL_IS_BORINGSSL | |
66 // Not used in production code. Actual time should be relative to Jan 1, 1970. | |
67 static void TimeCallbackForTesting(const SSL* ssl, struct timeval* out_clock) { | |
68 int64_t time = TimeNanos(); | |
69 out_clock->tv_sec = time / kNumNanosecsPerSec; | |
70 out_clock->tv_usec = (time % kNumNanosecsPerSec) / kNumNanosecsPerMicrosec; | |
71 } | |
72 #else // #ifdef OPENSSL_IS_BORINGSSL | |
73 | |
74 // Cipher name table. Maps internal OpenSSL cipher ids to the RFC name. | |
75 struct SslCipherMapEntry { | |
76 uint32_t openssl_id; | |
77 const char* rfc_name; | |
78 }; | |
79 | |
80 #define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name} | |
81 #define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name} | |
82 | |
83 // There currently is no method available to get a RFC-compliant name for a | |
84 // cipher suite from BoringSSL, so we need to define the mapping manually here. | |
85 // This should go away once BoringSSL supports "SSL_CIPHER_standard_name" | |
86 // (as available in OpenSSL if compiled with tracing enabled) or a similar | |
87 // method. | |
88 static const SslCipherMapEntry kSslCipherMap[] = { | |
89 // TLS v1.0 ciphersuites from RFC2246. | |
90 DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA), | |
91 {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, | |
92 | |
93 // AES ciphersuites from RFC3268. | |
94 {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"}, | |
95 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}, | |
96 {TLS1_CK_RSA_WITH_AES_256_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA"}, | |
97 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}, | |
98 | |
99 // ECC ciphersuites from RFC4492. | |
100 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA), | |
101 {TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, | |
102 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"}, | |
103 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), | |
104 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), | |
105 | |
106 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA), | |
107 {TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, | |
108 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"}, | |
109 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA), | |
110 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA), | |
111 | |
112 // TLS v1.2 ciphersuites. | |
113 {TLS1_CK_RSA_WITH_AES_128_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"}, | |
114 {TLS1_CK_RSA_WITH_AES_256_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"}, | |
115 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, | |
116 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"}, | |
117 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, | |
118 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}, | |
119 | |
120 // TLS v1.2 GCM ciphersuites from RFC5288. | |
121 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256), | |
122 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384), | |
123 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256), | |
124 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384), | |
125 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256), | |
126 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384), | |
127 | |
128 // ECDH HMAC based ciphersuites from RFC5289. | |
129 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, | |
130 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}, | |
131 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, | |
132 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"}, | |
133 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, | |
134 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}, | |
135 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, | |
136 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}, | |
137 | |
138 // ECDH GCM based ciphersuites from RFC5289. | |
139 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), | |
140 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), | |
141 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256), | |
142 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384), | |
143 | |
144 {0, nullptr}}; | |
145 #endif // #ifndef OPENSSL_IS_BORINGSSL | |
146 | |
147 #if defined(_MSC_VER) | |
148 #pragma warning(push) | |
149 #pragma warning(disable : 4309) | |
150 #pragma warning(disable : 4310) | |
151 #endif // defined(_MSC_VER) | |
152 | |
153 #if defined(_MSC_VER) | |
154 #pragma warning(pop) | |
155 #endif // defined(_MSC_VER) | |
156 | |
157 ////////////////////////////////////////////////////////////////////// | |
158 // StreamBIO | |
159 ////////////////////////////////////////////////////////////////////// | |
160 | |
161 static int stream_write(BIO* h, const char* buf, int num); | |
162 static int stream_read(BIO* h, char* buf, int size); | |
163 static int stream_puts(BIO* h, const char* str); | |
164 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2); | |
165 static int stream_new(BIO* h); | |
166 static int stream_free(BIO* data); | |
167 | |
168 // TODO(davidben): This should be const once BoringSSL is assumed. | |
169 static BIO_METHOD methods_stream = { | |
170 BIO_TYPE_BIO, "stream", stream_write, stream_read, stream_puts, 0, | |
171 stream_ctrl, stream_new, stream_free, nullptr, | |
172 }; | |
173 | |
174 static BIO_METHOD* BIO_s_stream() { return(&methods_stream); } | |
175 | |
176 static BIO* BIO_new_stream(StreamInterface* stream) { | |
177 BIO* ret = BIO_new(BIO_s_stream()); | |
178 if (ret == nullptr) | |
179 return nullptr; | |
180 ret->ptr = stream; | |
181 return ret; | |
182 } | |
183 | |
184 // bio methods return 1 (or at least non-zero) on success and 0 on failure. | |
185 | |
186 static int stream_new(BIO* b) { | |
187 b->shutdown = 0; | |
188 b->init = 1; | |
189 b->num = 0; // 1 means end-of-stream | |
190 b->ptr = 0; | |
191 return 1; | |
192 } | |
193 | |
194 static int stream_free(BIO* b) { | |
195 if (b == nullptr) | |
196 return 0; | |
197 return 1; | |
198 } | |
199 | |
200 static int stream_read(BIO* b, char* out, int outl) { | |
201 if (!out) | |
202 return -1; | |
203 StreamInterface* stream = static_cast<StreamInterface*>(b->ptr); | |
204 BIO_clear_retry_flags(b); | |
205 size_t read; | |
206 int error; | |
207 StreamResult result = stream->Read(out, outl, &read, &error); | |
208 if (result == SR_SUCCESS) { | |
209 return checked_cast<int>(read); | |
210 } else if (result == SR_EOS) { | |
211 b->num = 1; | |
212 } else if (result == SR_BLOCK) { | |
213 BIO_set_retry_read(b); | |
214 } | |
215 return -1; | |
216 } | |
217 | |
218 static int stream_write(BIO* b, const char* in, int inl) { | |
219 if (!in) | |
220 return -1; | |
221 StreamInterface* stream = static_cast<StreamInterface*>(b->ptr); | |
222 BIO_clear_retry_flags(b); | |
223 size_t written; | |
224 int error; | |
225 StreamResult result = stream->Write(in, inl, &written, &error); | |
226 if (result == SR_SUCCESS) { | |
227 return checked_cast<int>(written); | |
228 } else if (result == SR_BLOCK) { | |
229 BIO_set_retry_write(b); | |
230 } | |
231 return -1; | |
232 } | |
233 | |
234 static int stream_puts(BIO* b, const char* str) { | |
235 return stream_write(b, str, checked_cast<int>(strlen(str))); | |
236 } | |
237 | |
238 static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) { | |
239 switch (cmd) { | |
240 case BIO_CTRL_RESET: | |
241 return 0; | |
242 case BIO_CTRL_EOF: | |
243 return b->num; | |
244 case BIO_CTRL_WPENDING: | |
245 case BIO_CTRL_PENDING: | |
246 return 0; | |
247 case BIO_CTRL_FLUSH: | |
248 return 1; | |
249 case BIO_CTRL_DGRAM_QUERY_MTU: | |
250 // openssl defaults to mtu=256 unless we return something here. | |
251 // The handshake doesn't actually need to send packets above 1k, | |
252 // so this seems like a sensible value that should work in most cases. | |
253 // Webrtc uses the same value for video packets. | |
254 return 1200; | |
255 default: | |
256 return 0; | |
257 } | |
258 } | |
259 | |
260 ///////////////////////////////////////////////////////////////////////////// | |
261 // OpenSSLStreamAdapter | |
262 ///////////////////////////////////////////////////////////////////////////// | |
263 | |
264 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream) | |
265 : SSLStreamAdapter(stream), | |
266 state_(SSL_NONE), | |
267 role_(SSL_CLIENT), | |
268 ssl_read_needs_write_(false), | |
269 ssl_write_needs_read_(false), | |
270 ssl_(nullptr), | |
271 ssl_ctx_(nullptr), | |
272 ssl_mode_(SSL_MODE_TLS), | |
273 ssl_max_version_(SSL_PROTOCOL_TLS_12) {} | |
274 | |
275 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() { | |
276 Cleanup(0); | |
277 } | |
278 | |
279 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) { | |
280 RTC_DCHECK(!identity_); | |
281 identity_.reset(static_cast<OpenSSLIdentity*>(identity)); | |
282 } | |
283 | |
284 void OpenSSLStreamAdapter::SetServerRole(SSLRole role) { | |
285 role_ = role; | |
286 } | |
287 | |
288 std::unique_ptr<SSLCertificate> OpenSSLStreamAdapter::GetPeerCertificate() | |
289 const { | |
290 return peer_certificate_ ? std::unique_ptr<SSLCertificate>( | |
291 peer_certificate_->GetReference()) | |
292 : nullptr; | |
293 } | |
294 | |
295 bool OpenSSLStreamAdapter::SetPeerCertificateDigest( | |
296 const std::string& digest_alg, | |
297 const unsigned char* digest_val, | |
298 size_t digest_len, | |
299 SSLPeerCertificateDigestError* error) { | |
300 RTC_DCHECK(!peer_certificate_verified_); | |
301 RTC_DCHECK(!has_peer_certificate_digest()); | |
302 size_t expected_len; | |
303 if (error) { | |
304 *error = SSLPeerCertificateDigestError::NONE; | |
305 } | |
306 | |
307 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) { | |
308 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg; | |
309 if (error) { | |
310 *error = SSLPeerCertificateDigestError::UNKNOWN_ALGORITHM; | |
311 } | |
312 return false; | |
313 } | |
314 if (expected_len != digest_len) { | |
315 if (error) { | |
316 *error = SSLPeerCertificateDigestError::INVALID_LENGTH; | |
317 } | |
318 return false; | |
319 } | |
320 | |
321 peer_certificate_digest_value_.SetData(digest_val, digest_len); | |
322 peer_certificate_digest_algorithm_ = digest_alg; | |
323 | |
324 if (!peer_certificate_) { | |
325 // Normal case, where the digest is set before we obtain the certificate | |
326 // from the handshake. | |
327 return true; | |
328 } | |
329 | |
330 if (!VerifyPeerCertificate()) { | |
331 Error("SetPeerCertificateDigest", -1, SSL_AD_BAD_CERTIFICATE, false); | |
332 if (error) { | |
333 *error = SSLPeerCertificateDigestError::VERIFICATION_FAILED; | |
334 } | |
335 return false; | |
336 } | |
337 | |
338 if (state_ == SSL_CONNECTED) { | |
339 // Post the event asynchronously to unwind the stack. The caller | |
340 // of ContinueSSL may be the same object listening for these | |
341 // events and may not be prepared for reentrancy. | |
342 PostEvent(SE_OPEN | SE_READ | SE_WRITE, 0); | |
343 } | |
344 | |
345 return true; | |
346 } | |
347 | |
348 std::string OpenSSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) { | |
349 #ifdef OPENSSL_IS_BORINGSSL | |
350 const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher_suite); | |
351 if (!ssl_cipher) { | |
352 return std::string(); | |
353 } | |
354 char* cipher_name = SSL_CIPHER_get_rfc_name(ssl_cipher); | |
355 std::string rfc_name = std::string(cipher_name); | |
356 OPENSSL_free(cipher_name); | |
357 return rfc_name; | |
358 #else | |
359 for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name; | |
360 ++entry) { | |
361 if (cipher_suite == static_cast<int>(entry->openssl_id)) { | |
362 return entry->rfc_name; | |
363 } | |
364 } | |
365 return std::string(); | |
366 #endif | |
367 } | |
368 | |
369 bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { | |
370 if (state_ != SSL_CONNECTED) | |
371 return false; | |
372 | |
373 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_); | |
374 if (current_cipher == nullptr) { | |
375 return false; | |
376 } | |
377 | |
378 *cipher_suite = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher)); | |
379 return true; | |
380 } | |
381 | |
382 int OpenSSLStreamAdapter::GetSslVersion() const { | |
383 if (state_ != SSL_CONNECTED) | |
384 return -1; | |
385 | |
386 int ssl_version = SSL_version(ssl_); | |
387 if (ssl_mode_ == SSL_MODE_DTLS) { | |
388 if (ssl_version == DTLS1_VERSION) | |
389 return SSL_PROTOCOL_DTLS_10; | |
390 else if (ssl_version == DTLS1_2_VERSION) | |
391 return SSL_PROTOCOL_DTLS_12; | |
392 } else { | |
393 if (ssl_version == TLS1_VERSION) | |
394 return SSL_PROTOCOL_TLS_10; | |
395 else if (ssl_version == TLS1_1_VERSION) | |
396 return SSL_PROTOCOL_TLS_11; | |
397 else if (ssl_version == TLS1_2_VERSION) | |
398 return SSL_PROTOCOL_TLS_12; | |
399 } | |
400 | |
401 return -1; | |
402 } | |
403 | |
404 // Key Extractor interface | |
405 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label, | |
406 const uint8_t* context, | |
407 size_t context_len, | |
408 bool use_context, | |
409 uint8_t* result, | |
410 size_t result_len) { | |
411 int i; | |
412 | |
413 i = SSL_export_keying_material(ssl_, result, result_len, label.c_str(), | |
414 label.length(), const_cast<uint8_t*>(context), | |
415 context_len, use_context); | |
416 | |
417 if (i != 1) | |
418 return false; | |
419 | |
420 return true; | |
421 } | |
422 | |
423 bool OpenSSLStreamAdapter::SetDtlsSrtpCryptoSuites( | |
424 const std::vector<int>& ciphers) { | |
425 std::string internal_ciphers; | |
426 | |
427 if (state_ != SSL_NONE) | |
428 return false; | |
429 | |
430 for (std::vector<int>::const_iterator cipher = ciphers.begin(); | |
431 cipher != ciphers.end(); ++cipher) { | |
432 bool found = false; | |
433 for (SrtpCipherMapEntry* entry = SrtpCipherMap; entry->internal_name; | |
434 ++entry) { | |
435 if (*cipher == entry->id) { | |
436 found = true; | |
437 if (!internal_ciphers.empty()) | |
438 internal_ciphers += ":"; | |
439 internal_ciphers += entry->internal_name; | |
440 break; | |
441 } | |
442 } | |
443 | |
444 if (!found) { | |
445 LOG(LS_ERROR) << "Could not find cipher: " << *cipher; | |
446 return false; | |
447 } | |
448 } | |
449 | |
450 if (internal_ciphers.empty()) | |
451 return false; | |
452 | |
453 srtp_ciphers_ = internal_ciphers; | |
454 return true; | |
455 } | |
456 | |
457 bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) { | |
458 RTC_DCHECK(state_ == SSL_CONNECTED); | |
459 if (state_ != SSL_CONNECTED) | |
460 return false; | |
461 | |
462 const SRTP_PROTECTION_PROFILE *srtp_profile = | |
463 SSL_get_selected_srtp_profile(ssl_); | |
464 | |
465 if (!srtp_profile) | |
466 return false; | |
467 | |
468 *crypto_suite = srtp_profile->id; | |
469 RTC_DCHECK(!SrtpCryptoSuiteToName(*crypto_suite).empty()); | |
470 return true; | |
471 } | |
472 | |
473 bool OpenSSLStreamAdapter::IsTlsConnected() { | |
474 return state_ == SSL_CONNECTED; | |
475 } | |
476 | |
477 int OpenSSLStreamAdapter::StartSSL() { | |
478 if (state_ != SSL_NONE) { | |
479 // Don't allow StartSSL to be called twice. | |
480 return -1; | |
481 } | |
482 | |
483 if (StreamAdapterInterface::GetState() != SS_OPEN) { | |
484 state_ = SSL_WAIT; | |
485 return 0; | |
486 } | |
487 | |
488 state_ = SSL_CONNECTING; | |
489 if (int err = BeginSSL()) { | |
490 Error("BeginSSL", err, 0, false); | |
491 return err; | |
492 } | |
493 | |
494 return 0; | |
495 } | |
496 | |
497 void OpenSSLStreamAdapter::SetMode(SSLMode mode) { | |
498 RTC_DCHECK(state_ == SSL_NONE); | |
499 ssl_mode_ = mode; | |
500 } | |
501 | |
502 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) { | |
503 RTC_DCHECK(ssl_ctx_ == nullptr); | |
504 ssl_max_version_ = version; | |
505 } | |
506 | |
507 void OpenSSLStreamAdapter::SetInitialRetransmissionTimeout( | |
508 int timeout_ms) { | |
509 RTC_DCHECK(ssl_ctx_ == nullptr); | |
510 dtls_handshake_timeout_ms_ = timeout_ms; | |
511 } | |
512 | |
513 // | |
514 // StreamInterface Implementation | |
515 // | |
516 | |
517 StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len, | |
518 size_t* written, int* error) { | |
519 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")"; | |
520 | |
521 switch (state_) { | |
522 case SSL_NONE: | |
523 // pass-through in clear text | |
524 return StreamAdapterInterface::Write(data, data_len, written, error); | |
525 | |
526 case SSL_WAIT: | |
527 case SSL_CONNECTING: | |
528 return SR_BLOCK; | |
529 | |
530 case SSL_CONNECTED: | |
531 if (waiting_to_verify_peer_certificate()) { | |
532 return SR_BLOCK; | |
533 } | |
534 break; | |
535 | |
536 case SSL_ERROR: | |
537 case SSL_CLOSED: | |
538 default: | |
539 if (error) | |
540 *error = ssl_error_code_; | |
541 return SR_ERROR; | |
542 } | |
543 | |
544 // OpenSSL will return an error if we try to write zero bytes | |
545 if (data_len == 0) { | |
546 if (written) | |
547 *written = 0; | |
548 return SR_SUCCESS; | |
549 } | |
550 | |
551 ssl_write_needs_read_ = false; | |
552 | |
553 int code = SSL_write(ssl_, data, checked_cast<int>(data_len)); | |
554 int ssl_error = SSL_get_error(ssl_, code); | |
555 switch (ssl_error) { | |
556 case SSL_ERROR_NONE: | |
557 LOG(LS_VERBOSE) << " -- success"; | |
558 RTC_DCHECK(0 < code && static_cast<unsigned>(code) <= data_len); | |
559 if (written) | |
560 *written = code; | |
561 return SR_SUCCESS; | |
562 case SSL_ERROR_WANT_READ: | |
563 LOG(LS_VERBOSE) << " -- error want read"; | |
564 ssl_write_needs_read_ = true; | |
565 return SR_BLOCK; | |
566 case SSL_ERROR_WANT_WRITE: | |
567 LOG(LS_VERBOSE) << " -- error want write"; | |
568 return SR_BLOCK; | |
569 | |
570 case SSL_ERROR_ZERO_RETURN: | |
571 default: | |
572 Error("SSL_write", (ssl_error ? ssl_error : -1), 0, false); | |
573 if (error) | |
574 *error = ssl_error_code_; | |
575 return SR_ERROR; | |
576 } | |
577 // not reached | |
578 } | |
579 | |
580 StreamResult OpenSSLStreamAdapter::Read(void* data, size_t data_len, | |
581 size_t* read, int* error) { | |
582 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data_len << ")"; | |
583 switch (state_) { | |
584 case SSL_NONE: | |
585 // pass-through in clear text | |
586 return StreamAdapterInterface::Read(data, data_len, read, error); | |
587 | |
588 case SSL_WAIT: | |
589 case SSL_CONNECTING: | |
590 return SR_BLOCK; | |
591 | |
592 case SSL_CONNECTED: | |
593 if (waiting_to_verify_peer_certificate()) { | |
594 return SR_BLOCK; | |
595 } | |
596 break; | |
597 | |
598 case SSL_CLOSED: | |
599 return SR_EOS; | |
600 | |
601 case SSL_ERROR: | |
602 default: | |
603 if (error) | |
604 *error = ssl_error_code_; | |
605 return SR_ERROR; | |
606 } | |
607 | |
608 // Don't trust OpenSSL with zero byte reads | |
609 if (data_len == 0) { | |
610 if (read) | |
611 *read = 0; | |
612 return SR_SUCCESS; | |
613 } | |
614 | |
615 ssl_read_needs_write_ = false; | |
616 | |
617 int code = SSL_read(ssl_, data, checked_cast<int>(data_len)); | |
618 int ssl_error = SSL_get_error(ssl_, code); | |
619 switch (ssl_error) { | |
620 case SSL_ERROR_NONE: | |
621 LOG(LS_VERBOSE) << " -- success"; | |
622 RTC_DCHECK(0 < code && static_cast<unsigned>(code) <= data_len); | |
623 if (read) | |
624 *read = code; | |
625 | |
626 if (ssl_mode_ == SSL_MODE_DTLS) { | |
627 // Enforce atomic reads -- this is a short read | |
628 unsigned int pending = SSL_pending(ssl_); | |
629 | |
630 if (pending) { | |
631 LOG(LS_INFO) << " -- short DTLS read. flushing"; | |
632 FlushInput(pending); | |
633 if (error) | |
634 *error = SSE_MSG_TRUNC; | |
635 return SR_ERROR; | |
636 } | |
637 } | |
638 return SR_SUCCESS; | |
639 case SSL_ERROR_WANT_READ: | |
640 LOG(LS_VERBOSE) << " -- error want read"; | |
641 return SR_BLOCK; | |
642 case SSL_ERROR_WANT_WRITE: | |
643 LOG(LS_VERBOSE) << " -- error want write"; | |
644 ssl_read_needs_write_ = true; | |
645 return SR_BLOCK; | |
646 case SSL_ERROR_ZERO_RETURN: | |
647 LOG(LS_VERBOSE) << " -- remote side closed"; | |
648 Close(); | |
649 return SR_EOS; | |
650 break; | |
651 default: | |
652 LOG(LS_VERBOSE) << " -- error " << code; | |
653 Error("SSL_read", (ssl_error ? ssl_error : -1), 0, false); | |
654 if (error) | |
655 *error = ssl_error_code_; | |
656 return SR_ERROR; | |
657 } | |
658 // not reached | |
659 } | |
660 | |
661 void OpenSSLStreamAdapter::FlushInput(unsigned int left) { | |
662 unsigned char buf[2048]; | |
663 | |
664 while (left) { | |
665 // This should always succeed | |
666 int toread = (sizeof(buf) < left) ? sizeof(buf) : left; | |
667 int code = SSL_read(ssl_, buf, toread); | |
668 | |
669 int ssl_error = SSL_get_error(ssl_, code); | |
670 RTC_DCHECK(ssl_error == SSL_ERROR_NONE); | |
671 | |
672 if (ssl_error != SSL_ERROR_NONE) { | |
673 LOG(LS_VERBOSE) << " -- error " << code; | |
674 Error("SSL_read", (ssl_error ? ssl_error : -1), 0, false); | |
675 return; | |
676 } | |
677 | |
678 LOG(LS_VERBOSE) << " -- flushed " << code << " bytes"; | |
679 left -= code; | |
680 } | |
681 } | |
682 | |
683 void OpenSSLStreamAdapter::Close() { | |
684 Cleanup(0); | |
685 RTC_DCHECK(state_ == SSL_CLOSED || state_ == SSL_ERROR); | |
686 // When we're closed at SSL layer, also close the stream level which | |
687 // performs necessary clean up. Otherwise, a new incoming packet after | |
688 // this could overflow the stream buffer. | |
689 StreamAdapterInterface::Close(); | |
690 } | |
691 | |
692 StreamState OpenSSLStreamAdapter::GetState() const { | |
693 switch (state_) { | |
694 case SSL_WAIT: | |
695 case SSL_CONNECTING: | |
696 return SS_OPENING; | |
697 case SSL_CONNECTED: | |
698 if (waiting_to_verify_peer_certificate()) { | |
699 return SS_OPENING; | |
700 } | |
701 return SS_OPEN; | |
702 default: | |
703 return SS_CLOSED; | |
704 }; | |
705 // not reached | |
706 } | |
707 | |
708 void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, int events, | |
709 int err) { | |
710 int events_to_signal = 0; | |
711 int signal_error = 0; | |
712 RTC_DCHECK(stream == this->stream()); | |
713 if ((events & SE_OPEN)) { | |
714 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent SE_OPEN"; | |
715 if (state_ != SSL_WAIT) { | |
716 RTC_DCHECK(state_ == SSL_NONE); | |
717 events_to_signal |= SE_OPEN; | |
718 } else { | |
719 state_ = SSL_CONNECTING; | |
720 if (int err = BeginSSL()) { | |
721 Error("BeginSSL", err, 0, true); | |
722 return; | |
723 } | |
724 } | |
725 } | |
726 if ((events & (SE_READ|SE_WRITE))) { | |
727 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent" | |
728 << ((events & SE_READ) ? " SE_READ" : "") | |
729 << ((events & SE_WRITE) ? " SE_WRITE" : ""); | |
730 if (state_ == SSL_NONE) { | |
731 events_to_signal |= events & (SE_READ|SE_WRITE); | |
732 } else if (state_ == SSL_CONNECTING) { | |
733 if (int err = ContinueSSL()) { | |
734 Error("ContinueSSL", err, 0, true); | |
735 return; | |
736 } | |
737 } else if (state_ == SSL_CONNECTED) { | |
738 if (((events & SE_READ) && ssl_write_needs_read_) || | |
739 (events & SE_WRITE)) { | |
740 LOG(LS_VERBOSE) << " -- onStreamWriteable"; | |
741 events_to_signal |= SE_WRITE; | |
742 } | |
743 if (((events & SE_WRITE) && ssl_read_needs_write_) || | |
744 (events & SE_READ)) { | |
745 LOG(LS_VERBOSE) << " -- onStreamReadable"; | |
746 events_to_signal |= SE_READ; | |
747 } | |
748 } | |
749 } | |
750 if ((events & SE_CLOSE)) { | |
751 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent(SE_CLOSE, " << err << ")"; | |
752 Cleanup(0); | |
753 events_to_signal |= SE_CLOSE; | |
754 // SE_CLOSE is the only event that uses the final parameter to OnEvent(). | |
755 RTC_DCHECK(signal_error == 0); | |
756 signal_error = err; | |
757 } | |
758 if (events_to_signal) | |
759 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error); | |
760 } | |
761 | |
762 int OpenSSLStreamAdapter::BeginSSL() { | |
763 RTC_DCHECK(state_ == SSL_CONNECTING); | |
764 // The underlying stream has opened. | |
765 LOG(LS_INFO) << "BeginSSL with peer."; | |
766 | |
767 BIO* bio = nullptr; | |
768 | |
769 // First set up the context. | |
770 RTC_DCHECK(ssl_ctx_ == nullptr); | |
771 ssl_ctx_ = SetupSSLContext(); | |
772 if (!ssl_ctx_) | |
773 return -1; | |
774 | |
775 bio = BIO_new_stream(static_cast<StreamInterface*>(stream())); | |
776 if (!bio) | |
777 return -1; | |
778 | |
779 ssl_ = SSL_new(ssl_ctx_); | |
780 if (!ssl_) { | |
781 BIO_free(bio); | |
782 return -1; | |
783 } | |
784 | |
785 SSL_set_app_data(ssl_, this); | |
786 | |
787 SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now. | |
788 if (ssl_mode_ == SSL_MODE_DTLS) { | |
789 #ifdef OPENSSL_IS_BORINGSSL | |
790 DTLSv1_set_initial_timeout_duration(ssl_, dtls_handshake_timeout_ms_); | |
791 #else | |
792 // Enable read-ahead for DTLS so whole packets are read from internal BIO | |
793 // before parsing. This is done internally by BoringSSL for DTLS. | |
794 SSL_set_read_ahead(ssl_, 1); | |
795 #endif | |
796 } | |
797 | |
798 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | | |
799 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | |
800 | |
801 #if !defined(OPENSSL_IS_BORINGSSL) | |
802 // Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot | |
803 // negotiate them when acting as the server. Use NIST's P-256 which is | |
804 // commonly supported. BoringSSL doesn't need explicit configuration and has | |
805 // a reasonable default set. | |
806 EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | |
807 if (ecdh == nullptr) | |
808 return -1; | |
809 SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE); | |
810 SSL_set_tmp_ecdh(ssl_, ecdh); | |
811 EC_KEY_free(ecdh); | |
812 #endif | |
813 | |
814 // Do the connect | |
815 return ContinueSSL(); | |
816 } | |
817 | |
818 int OpenSSLStreamAdapter::ContinueSSL() { | |
819 LOG(LS_VERBOSE) << "ContinueSSL"; | |
820 RTC_DCHECK(state_ == SSL_CONNECTING); | |
821 | |
822 // Clear the DTLS timer | |
823 Thread::Current()->Clear(this, MSG_TIMEOUT); | |
824 | |
825 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_); | |
826 int ssl_error; | |
827 switch (ssl_error = SSL_get_error(ssl_, code)) { | |
828 case SSL_ERROR_NONE: | |
829 LOG(LS_VERBOSE) << " -- success"; | |
830 // By this point, OpenSSL should have given us a certificate, or errored | |
831 // out if one was missing. | |
832 RTC_DCHECK(peer_certificate_ || !client_auth_enabled()); | |
833 | |
834 state_ = SSL_CONNECTED; | |
835 if (!waiting_to_verify_peer_certificate()) { | |
836 // We have everything we need to start the connection, so signal | |
837 // SE_OPEN. If we need a client certificate fingerprint and don't have | |
838 // it yet, we'll instead signal SE_OPEN in SetPeerCertificateDigest. | |
839 // | |
840 // TODO(deadbeef): Post this event asynchronously to unwind the stack. | |
841 // The caller of ContinueSSL may be the same object listening for these | |
842 // events and may not be prepared for reentrancy. | |
843 // PostEvent(SE_OPEN | SE_READ | SE_WRITE, 0); | |
844 StreamAdapterInterface::OnEvent(stream(), SE_OPEN | SE_READ | SE_WRITE, | |
845 0); | |
846 } | |
847 break; | |
848 | |
849 case SSL_ERROR_WANT_READ: { | |
850 LOG(LS_VERBOSE) << " -- error want read"; | |
851 struct timeval timeout; | |
852 if (DTLSv1_get_timeout(ssl_, &timeout)) { | |
853 int delay = timeout.tv_sec * 1000 + timeout.tv_usec/1000; | |
854 | |
855 Thread::Current()->PostDelayed(RTC_FROM_HERE, delay, this, | |
856 MSG_TIMEOUT, 0); | |
857 } | |
858 } | |
859 break; | |
860 | |
861 case SSL_ERROR_WANT_WRITE: | |
862 LOG(LS_VERBOSE) << " -- error want write"; | |
863 break; | |
864 | |
865 case SSL_ERROR_ZERO_RETURN: | |
866 default: | |
867 LOG(LS_VERBOSE) << " -- error " << code; | |
868 SSLHandshakeError ssl_handshake_err = SSLHandshakeError::UNKNOWN; | |
869 int err_code = ERR_peek_last_error(); | |
870 if (err_code != 0 && ERR_GET_REASON(err_code) == SSL_R_NO_SHARED_CIPHER) { | |
871 ssl_handshake_err = SSLHandshakeError::INCOMPATIBLE_CIPHERSUITE; | |
872 } | |
873 SignalSSLHandshakeError(ssl_handshake_err); | |
874 return (ssl_error != 0) ? ssl_error : -1; | |
875 } | |
876 | |
877 return 0; | |
878 } | |
879 | |
880 void OpenSSLStreamAdapter::Error(const char* context, | |
881 int err, | |
882 uint8_t alert, | |
883 bool signal) { | |
884 LOG(LS_WARNING) << "OpenSSLStreamAdapter::Error(" << context << ", " << err | |
885 << ", " << static_cast<int>(alert) << ")"; | |
886 state_ = SSL_ERROR; | |
887 ssl_error_code_ = err; | |
888 Cleanup(alert); | |
889 if (signal) | |
890 StreamAdapterInterface::OnEvent(stream(), SE_CLOSE, err); | |
891 } | |
892 | |
893 void OpenSSLStreamAdapter::Cleanup(uint8_t alert) { | |
894 LOG(LS_INFO) << "Cleanup"; | |
895 | |
896 if (state_ != SSL_ERROR) { | |
897 state_ = SSL_CLOSED; | |
898 ssl_error_code_ = 0; | |
899 } | |
900 | |
901 if (ssl_) { | |
902 int ret; | |
903 // SSL_send_fatal_alert is only available in BoringSSL. | |
904 #ifdef OPENSSL_IS_BORINGSSL | |
905 if (alert) { | |
906 ret = SSL_send_fatal_alert(ssl_, alert); | |
907 if (ret < 0) { | |
908 LOG(LS_WARNING) << "SSL_send_fatal_alert failed, error = " | |
909 << SSL_get_error(ssl_, ret); | |
910 } | |
911 } else { | |
912 #endif | |
913 ret = SSL_shutdown(ssl_); | |
914 if (ret < 0) { | |
915 LOG(LS_WARNING) << "SSL_shutdown failed, error = " | |
916 << SSL_get_error(ssl_, ret); | |
917 } | |
918 #ifdef OPENSSL_IS_BORINGSSL | |
919 } | |
920 #endif | |
921 SSL_free(ssl_); | |
922 ssl_ = nullptr; | |
923 } | |
924 if (ssl_ctx_) { | |
925 SSL_CTX_free(ssl_ctx_); | |
926 ssl_ctx_ = nullptr; | |
927 } | |
928 identity_.reset(); | |
929 peer_certificate_.reset(); | |
930 | |
931 // Clear the DTLS timer | |
932 Thread::Current()->Clear(this, MSG_TIMEOUT); | |
933 } | |
934 | |
935 | |
936 void OpenSSLStreamAdapter::OnMessage(Message* msg) { | |
937 // Process our own messages and then pass others to the superclass | |
938 if (MSG_TIMEOUT == msg->message_id) { | |
939 LOG(LS_INFO) << "DTLS timeout expired"; | |
940 DTLSv1_handle_timeout(ssl_); | |
941 ContinueSSL(); | |
942 } else { | |
943 StreamInterface::OnMessage(msg); | |
944 } | |
945 } | |
946 | |
947 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() { | |
948 SSL_CTX* ctx = nullptr; | |
949 | |
950 #ifdef OPENSSL_IS_BORINGSSL | |
951 ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? | |
952 DTLS_method() : TLS_method()); | |
953 // Version limiting for BoringSSL will be done below. | |
954 #else | |
955 const SSL_METHOD* method; | |
956 switch (ssl_max_version_) { | |
957 case SSL_PROTOCOL_TLS_10: | |
958 case SSL_PROTOCOL_TLS_11: | |
959 // OpenSSL doesn't support setting min/max versions, so we always use | |
960 // (D)TLS 1.0 if a max. version below the max. available is requested. | |
961 if (ssl_mode_ == SSL_MODE_DTLS) { | |
962 if (role_ == SSL_CLIENT) { | |
963 method = DTLSv1_client_method(); | |
964 } else { | |
965 method = DTLSv1_server_method(); | |
966 } | |
967 } else { | |
968 if (role_ == SSL_CLIENT) { | |
969 method = TLSv1_client_method(); | |
970 } else { | |
971 method = TLSv1_server_method(); | |
972 } | |
973 } | |
974 break; | |
975 case SSL_PROTOCOL_TLS_12: | |
976 default: | |
977 if (ssl_mode_ == SSL_MODE_DTLS) { | |
978 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) | |
979 // DTLS 1.2 only available starting from OpenSSL 1.0.2 | |
980 if (role_ == SSL_CLIENT) { | |
981 method = DTLS_client_method(); | |
982 } else { | |
983 method = DTLS_server_method(); | |
984 } | |
985 #else | |
986 if (role_ == SSL_CLIENT) { | |
987 method = DTLSv1_client_method(); | |
988 } else { | |
989 method = DTLSv1_server_method(); | |
990 } | |
991 #endif | |
992 } else { | |
993 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) | |
994 // New API only available starting from OpenSSL 1.1.0 | |
995 if (role_ == SSL_CLIENT) { | |
996 method = TLS_client_method(); | |
997 } else { | |
998 method = TLS_server_method(); | |
999 } | |
1000 #else | |
1001 if (role_ == SSL_CLIENT) { | |
1002 method = SSLv23_client_method(); | |
1003 } else { | |
1004 method = SSLv23_server_method(); | |
1005 } | |
1006 #endif | |
1007 } | |
1008 break; | |
1009 } | |
1010 ctx = SSL_CTX_new(method); | |
1011 #endif // OPENSSL_IS_BORINGSSL | |
1012 | |
1013 if (ctx == nullptr) | |
1014 return nullptr; | |
1015 | |
1016 #ifdef OPENSSL_IS_BORINGSSL | |
1017 SSL_CTX_set_min_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | |
1018 DTLS1_VERSION : TLS1_VERSION); | |
1019 switch (ssl_max_version_) { | |
1020 case SSL_PROTOCOL_TLS_10: | |
1021 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | |
1022 DTLS1_VERSION : TLS1_VERSION); | |
1023 break; | |
1024 case SSL_PROTOCOL_TLS_11: | |
1025 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | |
1026 DTLS1_VERSION : TLS1_1_VERSION); | |
1027 break; | |
1028 case SSL_PROTOCOL_TLS_12: | |
1029 default: | |
1030 SSL_CTX_set_max_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? | |
1031 DTLS1_2_VERSION : TLS1_2_VERSION); | |
1032 break; | |
1033 } | |
1034 if (g_use_time_callback_for_testing) { | |
1035 SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting); | |
1036 } | |
1037 #endif | |
1038 | |
1039 if (identity_ && !identity_->ConfigureIdentity(ctx)) { | |
1040 SSL_CTX_free(ctx); | |
1041 return nullptr; | |
1042 } | |
1043 | |
1044 #if !defined(NDEBUG) | |
1045 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback); | |
1046 #endif | |
1047 | |
1048 int mode = SSL_VERIFY_PEER; | |
1049 if (client_auth_enabled()) { | |
1050 // Require a certificate from the client. | |
1051 // Note: Normally this is always true in production, but it may be disabled | |
1052 // for testing purposes (e.g. SSLAdapter unit tests). | |
1053 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | |
1054 } | |
1055 | |
1056 SSL_CTX_set_verify(ctx, mode, SSLVerifyCallback); | |
1057 SSL_CTX_set_verify_depth(ctx, 4); | |
1058 // Select list of available ciphers. Note that !SHA256 and !SHA384 only | |
1059 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites | |
1060 // with SHA256 or SHA384 as the handshake hash. | |
1061 // This matches the list of SSLClientSocketOpenSSL in Chromium. | |
1062 SSL_CTX_set_cipher_list( | |
1063 ctx, "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"); | |
1064 | |
1065 if (!srtp_ciphers_.empty()) { | |
1066 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) { | |
1067 SSL_CTX_free(ctx); | |
1068 return nullptr; | |
1069 } | |
1070 } | |
1071 | |
1072 return ctx; | |
1073 } | |
1074 | |
1075 bool OpenSSLStreamAdapter::VerifyPeerCertificate() { | |
1076 if (!has_peer_certificate_digest() || !peer_certificate_) { | |
1077 LOG(LS_WARNING) << "Missing digest or peer certificate."; | |
1078 return false; | |
1079 } | |
1080 | |
1081 unsigned char digest[EVP_MAX_MD_SIZE]; | |
1082 size_t digest_length; | |
1083 if (!OpenSSLCertificate::ComputeDigest( | |
1084 peer_certificate_->x509(), peer_certificate_digest_algorithm_, digest, | |
1085 sizeof(digest), &digest_length)) { | |
1086 LOG(LS_WARNING) << "Failed to compute peer cert digest."; | |
1087 return false; | |
1088 } | |
1089 | |
1090 Buffer computed_digest(digest, digest_length); | |
1091 if (computed_digest != peer_certificate_digest_value_) { | |
1092 LOG(LS_WARNING) << "Rejected peer certificate due to mismatched digest."; | |
1093 return false; | |
1094 } | |
1095 // Ignore any verification error if the digest matches, since there is no | |
1096 // value in checking the validity of a self-signed cert issued by untrusted | |
1097 // sources. | |
1098 LOG(LS_INFO) << "Accepted peer certificate."; | |
1099 peer_certificate_verified_ = true; | |
1100 return true; | |
1101 } | |
1102 | |
1103 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { | |
1104 // Get our SSL structure from the store | |
1105 SSL* ssl = reinterpret_cast<SSL*>( | |
1106 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx())); | |
1107 X509* cert = X509_STORE_CTX_get_current_cert(store); | |
1108 int depth = X509_STORE_CTX_get_error_depth(store); | |
1109 | |
1110 // For now we ignore the parent certificates and verify the leaf against | |
1111 // the digest. | |
1112 // | |
1113 // TODO(jiayl): Verify the chain is a proper chain and report the chain to | |
1114 // |stream->peer_certificate_|. | |
1115 if (depth > 0) { | |
1116 LOG(LS_INFO) << "Ignored chained certificate at depth " << depth; | |
1117 return 1; | |
1118 } | |
1119 | |
1120 OpenSSLStreamAdapter* stream = | |
1121 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); | |
1122 | |
1123 // Record the peer's certificate. | |
1124 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); | |
1125 | |
1126 // If the peer certificate digest isn't known yet, we'll wait to verify | |
1127 // until it's known, and for now just return a success status. | |
1128 if (stream->peer_certificate_digest_algorithm_.empty()) { | |
1129 LOG(LS_INFO) << "Waiting to verify certificate until digest is known."; | |
1130 return 1; | |
1131 } | |
1132 | |
1133 return stream->VerifyPeerCertificate(); | |
1134 } | |
1135 | |
1136 bool OpenSSLStreamAdapter::IsBoringSsl() { | |
1137 #ifdef OPENSSL_IS_BORINGSSL | |
1138 return true; | |
1139 #else | |
1140 return false; | |
1141 #endif | |
1142 } | |
1143 | |
1144 #define CDEF(X) \ | |
1145 { static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X } | |
1146 | |
1147 struct cipher_list { | |
1148 uint16_t cipher; | |
1149 const char* cipher_str; | |
1150 }; | |
1151 | |
1152 // TODO(torbjorng): Perhaps add more cipher suites to these lists. | |
1153 static const cipher_list OK_RSA_ciphers[] = { | |
1154 CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA), | |
1155 CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA), | |
1156 CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256), | |
1157 #ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256 | |
1158 CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256), | |
1159 #endif | |
1160 #ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | |
1161 CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), | |
1162 #endif | |
1163 }; | |
1164 | |
1165 static const cipher_list OK_ECDSA_ciphers[] = { | |
1166 CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), | |
1167 CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), | |
1168 CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), | |
1169 #ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256 | |
1170 CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256), | |
1171 #endif | |
1172 #ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | |
1173 CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), | |
1174 #endif | |
1175 }; | |
1176 #undef CDEF | |
1177 | |
1178 bool OpenSSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) { | |
1179 if (key_type == KT_RSA) { | |
1180 for (const cipher_list& c : OK_RSA_ciphers) { | |
1181 if (cipher == c.cipher) | |
1182 return true; | |
1183 } | |
1184 } | |
1185 | |
1186 if (key_type == KT_ECDSA) { | |
1187 for (const cipher_list& c : OK_ECDSA_ciphers) { | |
1188 if (cipher == c.cipher) | |
1189 return true; | |
1190 } | |
1191 } | |
1192 | |
1193 return false; | |
1194 } | |
1195 | |
1196 bool OpenSSLStreamAdapter::IsAcceptableCipher(const std::string& cipher, | |
1197 KeyType key_type) { | |
1198 if (key_type == KT_RSA) { | |
1199 for (const cipher_list& c : OK_RSA_ciphers) { | |
1200 if (cipher == c.cipher_str) | |
1201 return true; | |
1202 } | |
1203 } | |
1204 | |
1205 if (key_type == KT_ECDSA) { | |
1206 for (const cipher_list& c : OK_ECDSA_ciphers) { | |
1207 if (cipher == c.cipher_str) | |
1208 return true; | |
1209 } | |
1210 } | |
1211 | |
1212 return false; | |
1213 } | |
1214 | |
1215 void OpenSSLStreamAdapter::enable_time_callback_for_testing() { | |
1216 g_use_time_callback_for_testing = true; | |
1217 } | |
1218 | |
1219 } // namespace rtc | |
OLD | NEW |