1 /*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11 #if HAVE_CONFIG_H
12 #include "config.h"
13 #endif // HAVE_CONFIG_H
14
15 #if HAVE_OPENSSL_SSL_H
16
17 #include "webrtc/base/opensslstreamadapter.h"
18
19 #include <openssl/bio.h>
20 #include <openssl/crypto.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23 #include <openssl/tls1.h>
24 #include <openssl/x509v3.h>
25
26 #include <vector>
27
28 #include "webrtc/base/common.h"
29 #include "webrtc/base/logging.h"
30 #include "webrtc/base/safe_conversions.h"
31 #include "webrtc/base/stream.h"
32 #include "webrtc/base/openssl.h"
33 #include "webrtc/base/openssladapter.h"
34 #include "webrtc/base/openssldigest.h"
35 #include "webrtc/base/opensslidentity.h"
36 #include "webrtc/base/stringutils.h"
37 #include "webrtc/base/thread.h"
38
39 namespace rtc {
40
41 #if (OPENSSL_VERSION_NUMBER >= 0x10001000L)
42 #define HAVE_DTLS_SRTP
43 #endif
44
45 #ifdef HAVE_DTLS_SRTP
46 // SRTP cipher suite table. |internal_name| is used to construct a
47 // colon-separated profile strings which is needed by
48 // SSL_CTX_set_tlsext_use_srtp().
49 struct SrtpCipherMapEntry {
50 const char* internal_name;
51 const int id;
52 };
53
54 // This isn't elegant, but it's better than an external reference
55 static SrtpCipherMapEntry SrtpCipherMap[] = {
56 {"SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80},
57 {"SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32},
58 {nullptr, 0}};
59 #endif
60
61 #ifndef OPENSSL_IS_BORINGSSL
62
63 // Cipher name table. Maps internal OpenSSL cipher ids to the RFC name.
64 struct SslCipherMapEntry {
65 uint32_t openssl_id;
66 const char* rfc_name;
67 };
68
69 #define DEFINE_CIPHER_ENTRY_SSL3(name) {SSL3_CK_##name, "TLS_"#name}
70 #define DEFINE_CIPHER_ENTRY_TLS1(name) {TLS1_CK_##name, "TLS_"#name}
71
72 // There currently is no method available to get a RFC-compliant name for a
73 // cipher suite from BoringSSL, so we need to define the mapping manually here.
74 // This should go away once BoringSSL supports "SSL_CIPHER_standard_name"
75 // (as available in OpenSSL if compiled with tracing enabled) or a similar
76 // method.
77 static const SslCipherMapEntry kSslCipherMap[] = {
78 // TLS v1.0 ciphersuites from RFC2246.
79 DEFINE_CIPHER_ENTRY_SSL3(RSA_RC4_128_SHA),
80 {SSL3_CK_RSA_DES_192_CBC3_SHA,
81 "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
82
83 // AES ciphersuites from RFC3268.
84 {TLS1_CK_RSA_WITH_AES_128_SHA,
85 "TLS_RSA_WITH_AES_128_CBC_SHA"},
86 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
87 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
88 {TLS1_CK_RSA_WITH_AES_256_SHA,
89 "TLS_RSA_WITH_AES_256_CBC_SHA"},
90 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
91 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
92
93 // ECC ciphersuites from RFC4492.
94 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_RC4_128_SHA),
95 {TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
96 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"},
97 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
98 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
99
100 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_RC4_128_SHA),
101 {TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
102 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"},
103 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_CBC_SHA),
104 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_CBC_SHA),
105
106 // TLS v1.2 ciphersuites.
107 {TLS1_CK_RSA_WITH_AES_128_SHA256,
108 "TLS_RSA_WITH_AES_128_CBC_SHA256"},
109 {TLS1_CK_RSA_WITH_AES_256_SHA256,
110 "TLS_RSA_WITH_AES_256_CBC_SHA256"},
111 {TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
112 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"},
113 {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
114 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"},
115
116 // TLS v1.2 GCM ciphersuites from RFC5288.
117 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_128_GCM_SHA256),
118 DEFINE_CIPHER_ENTRY_TLS1(RSA_WITH_AES_256_GCM_SHA384),
119 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_128_GCM_SHA256),
120 DEFINE_CIPHER_ENTRY_TLS1(DHE_RSA_WITH_AES_256_GCM_SHA384),
121 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_128_GCM_SHA256),
122 DEFINE_CIPHER_ENTRY_TLS1(DH_RSA_WITH_AES_256_GCM_SHA384),
123
124 // ECDH HMAC based ciphersuites from RFC5289.
125 {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
126 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"},
127 {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
128 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"},
129 {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
130 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
131 {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
132 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
133
134 // ECDH GCM based ciphersuites from RFC5289.
135 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
136 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
137 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
138 DEFINE_CIPHER_ENTRY_TLS1(ECDHE_RSA_WITH_AES_256_GCM_SHA384),
139
140 {0, NULL}
141 };
142 #endif // #ifndef OPENSSL_IS_BORINGSSL
143
144 #if defined(_MSC_VER)
145 #pragma warning(push)
146 #pragma warning(disable : 4309)
147 #pragma warning(disable : 4310)
148 #endif // defined(_MSC_VER)
149
150 // Default cipher used between OpenSSL/BoringSSL stream adapters.
151 // This needs to be updated when the default of the SSL library changes.
152 // static_cast<uint16_t> causes build warnings on windows platform.
153 static int kDefaultSslCipher10 =
154 static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA);
155 static int kDefaultSslEcCipher10 =
156 static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
157 #ifdef OPENSSL_IS_BORINGSSL
158 static int kDefaultSslCipher12 =
159 static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
160 static int kDefaultSslEcCipher12 =
161 static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
162 // Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable.
163 // TODO(davidben): Switch to the standardized CHACHA20_POLY1305 variant when
164 // available.
165 static int kDefaultSslCipher12NoAesGcm =
166 static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD);
167 static int kDefaultSslEcCipher12NoAesGcm =
168 static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD);
169 #else // !OPENSSL_IS_BORINGSSL
170 // OpenSSL sorts differently than BoringSSL, so the default cipher doesn't
171 // change between TLS 1.0 and TLS 1.2 with the current setup.
172 static int kDefaultSslCipher12 =
173 static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA);
174 static int kDefaultSslEcCipher12 =
175 static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
176 #endif
177
178 #if defined(_MSC_VER)
179 #pragma warning(pop)
180 #endif // defined(_MSC_VER)
181
182 //////////////////////////////////////////////////////////////////////
183 // StreamBIO
184 //////////////////////////////////////////////////////////////////////
185
186 static int stream_write(BIO* h, const char* buf, int num);
187 static int stream_read(BIO* h, char* buf, int size);
188 static int stream_puts(BIO* h, const char* str);
189 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2);
190 static int stream_new(BIO* h);
191 static int stream_free(BIO* data);
192
193 // TODO(davidben): This should be const once BoringSSL is assumed.
194 static BIO_METHOD methods_stream = {
195 BIO_TYPE_BIO,
196 "stream",
197 stream_write,
198 stream_read,
199 stream_puts,
200 0,
201 stream_ctrl,
202 stream_new,
203 stream_free,
204 NULL,
205 };
206
BIO_s_stream()207 static BIO_METHOD* BIO_s_stream() { return(&methods_stream); }
208
BIO_new_stream(StreamInterface * stream)209 static BIO* BIO_new_stream(StreamInterface* stream) {
210 BIO* ret = BIO_new(BIO_s_stream());
211 if (ret == NULL)
212 return NULL;
213 ret->ptr = stream;
214 return ret;
215 }
216
217 // bio methods return 1 (or at least non-zero) on success and 0 on failure.
218
stream_new(BIO * b)219 static int stream_new(BIO* b) {
220 b->shutdown = 0;
221 b->init = 1;
222 b->num = 0; // 1 means end-of-stream
223 b->ptr = 0;
224 return 1;
225 }
226
stream_free(BIO * b)227 static int stream_free(BIO* b) {
228 if (b == NULL)
229 return 0;
230 return 1;
231 }
232
stream_read(BIO * b,char * out,int outl)233 static int stream_read(BIO* b, char* out, int outl) {
234 if (!out)
235 return -1;
236 StreamInterface* stream = static_cast<StreamInterface*>(b->ptr);
237 BIO_clear_retry_flags(b);
238 size_t read;
239 int error;
240 StreamResult result = stream->Read(out, outl, &read, &error);
241 if (result == SR_SUCCESS) {
242 return checked_cast<int>(read);
243 } else if (result == SR_EOS) {
244 b->num = 1;
245 } else if (result == SR_BLOCK) {
246 BIO_set_retry_read(b);
247 }
248 return -1;
249 }
250
stream_write(BIO * b,const char * in,int inl)251 static int stream_write(BIO* b, const char* in, int inl) {
252 if (!in)
253 return -1;
254 StreamInterface* stream = static_cast<StreamInterface*>(b->ptr);
255 BIO_clear_retry_flags(b);
256 size_t written;
257 int error;
258 StreamResult result = stream->Write(in, inl, &written, &error);
259 if (result == SR_SUCCESS) {
260 return checked_cast<int>(written);
261 } else if (result == SR_BLOCK) {
262 BIO_set_retry_write(b);
263 }
264 return -1;
265 }
266
stream_puts(BIO * b,const char * str)267 static int stream_puts(BIO* b, const char* str) {
268 return stream_write(b, str, checked_cast<int>(strlen(str)));
269 }
270
stream_ctrl(BIO * b,int cmd,long num,void * ptr)271 static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) {
272 RTC_UNUSED(num);
273 RTC_UNUSED(ptr);
274
275 switch (cmd) {
276 case BIO_CTRL_RESET:
277 return 0;
278 case BIO_CTRL_EOF:
279 return b->num;
280 case BIO_CTRL_WPENDING:
281 case BIO_CTRL_PENDING:
282 return 0;
283 case BIO_CTRL_FLUSH:
284 return 1;
285 case BIO_CTRL_DGRAM_QUERY_MTU:
286 // openssl defaults to mtu=256 unless we return something here.
287 // The handshake doesn't actually need to send packets above 1k,
288 // so this seems like a sensible value that should work in most cases.
289 // Webrtc uses the same value for video packets.
290 return 1200;
291 default:
292 return 0;
293 }
294 }
295
296 /////////////////////////////////////////////////////////////////////////////
297 // OpenSSLStreamAdapter
298 /////////////////////////////////////////////////////////////////////////////
299
OpenSSLStreamAdapter(StreamInterface * stream)300 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream)
301 : SSLStreamAdapter(stream),
302 state_(SSL_NONE),
303 role_(SSL_CLIENT),
304 ssl_read_needs_write_(false),
305 ssl_write_needs_read_(false),
306 ssl_(NULL),
307 ssl_ctx_(NULL),
308 custom_verification_succeeded_(false),
309 ssl_mode_(SSL_MODE_TLS),
310 ssl_max_version_(SSL_PROTOCOL_TLS_12) {}
311
~OpenSSLStreamAdapter()312 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() {
313 Cleanup();
314 }
315
SetIdentity(SSLIdentity * identity)316 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) {
317 ASSERT(!identity_);
318 identity_.reset(static_cast<OpenSSLIdentity*>(identity));
319 }
320
SetServerRole(SSLRole role)321 void OpenSSLStreamAdapter::SetServerRole(SSLRole role) {
322 role_ = role;
323 }
324
GetPeerCertificate(SSLCertificate ** cert) const325 bool OpenSSLStreamAdapter::GetPeerCertificate(SSLCertificate** cert) const {
326 if (!peer_certificate_)
327 return false;
328
329 *cert = peer_certificate_->GetReference();
330 return true;
331 }
332
SetPeerCertificateDigest(const std::string & digest_alg,const unsigned char * digest_val,size_t digest_len)333 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string
334 &digest_alg,
335 const unsigned char*
336 digest_val,
337 size_t digest_len) {
338 ASSERT(!peer_certificate_);
339 ASSERT(peer_certificate_digest_algorithm_.size() == 0);
340 ASSERT(ssl_server_name_.empty());
341 size_t expected_len;
342
343 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) {
344 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg;
345 return false;
346 }
347 if (expected_len != digest_len)
348 return false;
349
350 peer_certificate_digest_value_.SetData(digest_val, digest_len);
351 peer_certificate_digest_algorithm_ = digest_alg;
352
353 return true;
354 }
355
SslCipherSuiteToName(int cipher_suite)356 std::string OpenSSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) {
357 #ifdef OPENSSL_IS_BORINGSSL
358 const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher_suite);
359 if (!ssl_cipher) {
360 return std::string();
361 }
362 char* cipher_name = SSL_CIPHER_get_rfc_name(ssl_cipher);
363 std::string rfc_name = std::string(cipher_name);
364 OPENSSL_free(cipher_name);
365 return rfc_name;
366 #else
367 for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name;
368 ++entry) {
369 if (cipher_suite == static_cast<int>(entry->openssl_id)) {
370 return entry->rfc_name;
371 }
372 }
373 return std::string();
374 #endif
375 }
376
GetSslCipherSuite(int * cipher_suite)377 bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) {
378 if (state_ != SSL_CONNECTED)
379 return false;
380
381 const SSL_CIPHER* current_cipher = SSL_get_current_cipher(ssl_);
382 if (current_cipher == NULL) {
383 return false;
384 }
385
386 *cipher_suite = static_cast<uint16_t>(SSL_CIPHER_get_id(current_cipher));
387 return true;
388 }
389
390 // Key Extractor interface
ExportKeyingMaterial(const std::string & label,const uint8_t * context,size_t context_len,bool use_context,uint8_t * result,size_t result_len)391 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label,
392 const uint8_t* context,
393 size_t context_len,
394 bool use_context,
395 uint8_t* result,
396 size_t result_len) {
397 #ifdef HAVE_DTLS_SRTP
398 int i;
399
400 i = SSL_export_keying_material(ssl_, result, result_len, label.c_str(),
401 label.length(), const_cast<uint8_t*>(context),
402 context_len, use_context);
403
404 if (i != 1)
405 return false;
406
407 return true;
408 #else
409 return false;
410 #endif
411 }
412
SetDtlsSrtpCryptoSuites(const std::vector<int> & ciphers)413 bool OpenSSLStreamAdapter::SetDtlsSrtpCryptoSuites(
414 const std::vector<int>& ciphers) {
415 #ifdef HAVE_DTLS_SRTP
416 std::string internal_ciphers;
417
418 if (state_ != SSL_NONE)
419 return false;
420
421 for (std::vector<int>::const_iterator cipher = ciphers.begin();
422 cipher != ciphers.end(); ++cipher) {
423 bool found = false;
424 for (SrtpCipherMapEntry* entry = SrtpCipherMap; entry->internal_name;
425 ++entry) {
426 if (*cipher == entry->id) {
427 found = true;
428 if (!internal_ciphers.empty())
429 internal_ciphers += ":";
430 internal_ciphers += entry->internal_name;
431 break;
432 }
433 }
434
435 if (!found) {
436 LOG(LS_ERROR) << "Could not find cipher: " << *cipher;
437 return false;
438 }
439 }
440
441 if (internal_ciphers.empty())
442 return false;
443
444 srtp_ciphers_ = internal_ciphers;
445 return true;
446 #else
447 return false;
448 #endif
449 }
450
GetDtlsSrtpCryptoSuite(int * crypto_suite)451 bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) {
452 #ifdef HAVE_DTLS_SRTP
453 ASSERT(state_ == SSL_CONNECTED);
454 if (state_ != SSL_CONNECTED)
455 return false;
456
457 const SRTP_PROTECTION_PROFILE *srtp_profile =
458 SSL_get_selected_srtp_profile(ssl_);
459
460 if (!srtp_profile)
461 return false;
462
463 *crypto_suite = srtp_profile->id;
464 ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty());
465 return true;
466 #else
467 return false;
468 #endif
469 }
470
StartSSLWithServer(const char * server_name)471 int OpenSSLStreamAdapter::StartSSLWithServer(const char* server_name) {
472 ASSERT(server_name != NULL && server_name[0] != '\0');
473 ssl_server_name_ = server_name;
474 return StartSSL();
475 }
476
StartSSLWithPeer()477 int OpenSSLStreamAdapter::StartSSLWithPeer() {
478 ASSERT(ssl_server_name_.empty());
479 // It is permitted to specify peer_certificate_ only later.
480 return StartSSL();
481 }
482
SetMode(SSLMode mode)483 void OpenSSLStreamAdapter::SetMode(SSLMode mode) {
484 ASSERT(state_ == SSL_NONE);
485 ssl_mode_ = mode;
486 }
487
SetMaxProtocolVersion(SSLProtocolVersion version)488 void OpenSSLStreamAdapter::SetMaxProtocolVersion(SSLProtocolVersion version) {
489 ASSERT(ssl_ctx_ == NULL);
490 ssl_max_version_ = version;
491 }
492
493 //
494 // StreamInterface Implementation
495 //
496
Write(const void * data,size_t data_len,size_t * written,int * error)497 StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len,
498 size_t* written, int* error) {
499 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")";
500
501 switch (state_) {
502 case SSL_NONE:
503 // pass-through in clear text
504 return StreamAdapterInterface::Write(data, data_len, written, error);
505
506 case SSL_WAIT:
507 case SSL_CONNECTING:
508 return SR_BLOCK;
509
510 case SSL_CONNECTED:
511 break;
512
513 case SSL_ERROR:
514 case SSL_CLOSED:
515 default:
516 if (error)
517 *error = ssl_error_code_;
518 return SR_ERROR;
519 }
520
521 // OpenSSL will return an error if we try to write zero bytes
522 if (data_len == 0) {
523 if (written)
524 *written = 0;
525 return SR_SUCCESS;
526 }
527
528 ssl_write_needs_read_ = false;
529
530 int code = SSL_write(ssl_, data, checked_cast<int>(data_len));
531 int ssl_error = SSL_get_error(ssl_, code);
532 switch (ssl_error) {
533 case SSL_ERROR_NONE:
534 LOG(LS_VERBOSE) << " -- success";
535 ASSERT(0 < code && static_cast<unsigned>(code) <= data_len);
536 if (written)
537 *written = code;
538 return SR_SUCCESS;
539 case SSL_ERROR_WANT_READ:
540 LOG(LS_VERBOSE) << " -- error want read";
541 ssl_write_needs_read_ = true;
542 return SR_BLOCK;
543 case SSL_ERROR_WANT_WRITE:
544 LOG(LS_VERBOSE) << " -- error want write";
545 return SR_BLOCK;
546
547 case SSL_ERROR_ZERO_RETURN:
548 default:
549 Error("SSL_write", (ssl_error ? ssl_error : -1), false);
550 if (error)
551 *error = ssl_error_code_;
552 return SR_ERROR;
553 }
554 // not reached
555 }
556
Read(void * data,size_t data_len,size_t * read,int * error)557 StreamResult OpenSSLStreamAdapter::Read(void* data, size_t data_len,
558 size_t* read, int* error) {
559 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data_len << ")";
560 switch (state_) {
561 case SSL_NONE:
562 // pass-through in clear text
563 return StreamAdapterInterface::Read(data, data_len, read, error);
564
565 case SSL_WAIT:
566 case SSL_CONNECTING:
567 return SR_BLOCK;
568
569 case SSL_CONNECTED:
570 break;
571
572 case SSL_CLOSED:
573 return SR_EOS;
574
575 case SSL_ERROR:
576 default:
577 if (error)
578 *error = ssl_error_code_;
579 return SR_ERROR;
580 }
581
582 // Don't trust OpenSSL with zero byte reads
583 if (data_len == 0) {
584 if (read)
585 *read = 0;
586 return SR_SUCCESS;
587 }
588
589 ssl_read_needs_write_ = false;
590
591 int code = SSL_read(ssl_, data, checked_cast<int>(data_len));
592 int ssl_error = SSL_get_error(ssl_, code);
593 switch (ssl_error) {
594 case SSL_ERROR_NONE:
595 LOG(LS_VERBOSE) << " -- success";
596 ASSERT(0 < code && static_cast<unsigned>(code) <= data_len);
597 if (read)
598 *read = code;
599
600 if (ssl_mode_ == SSL_MODE_DTLS) {
601 // Enforce atomic reads -- this is a short read
602 unsigned int pending = SSL_pending(ssl_);
603
604 if (pending) {
605 LOG(LS_INFO) << " -- short DTLS read. flushing";
606 FlushInput(pending);
607 if (error)
608 *error = SSE_MSG_TRUNC;
609 return SR_ERROR;
610 }
611 }
612 return SR_SUCCESS;
613 case SSL_ERROR_WANT_READ:
614 LOG(LS_VERBOSE) << " -- error want read";
615 return SR_BLOCK;
616 case SSL_ERROR_WANT_WRITE:
617 LOG(LS_VERBOSE) << " -- error want write";
618 ssl_read_needs_write_ = true;
619 return SR_BLOCK;
620 case SSL_ERROR_ZERO_RETURN:
621 LOG(LS_VERBOSE) << " -- remote side closed";
622 return SR_EOS;
623 break;
624 default:
625 LOG(LS_VERBOSE) << " -- error " << code;
626 Error("SSL_read", (ssl_error ? ssl_error : -1), false);
627 if (error)
628 *error = ssl_error_code_;
629 return SR_ERROR;
630 }
631 // not reached
632 }
633
FlushInput(unsigned int left)634 void OpenSSLStreamAdapter::FlushInput(unsigned int left) {
635 unsigned char buf[2048];
636
637 while (left) {
638 // This should always succeed
639 int toread = (sizeof(buf) < left) ? sizeof(buf) : left;
640 int code = SSL_read(ssl_, buf, toread);
641
642 int ssl_error = SSL_get_error(ssl_, code);
643 ASSERT(ssl_error == SSL_ERROR_NONE);
644
645 if (ssl_error != SSL_ERROR_NONE) {
646 LOG(LS_VERBOSE) << " -- error " << code;
647 Error("SSL_read", (ssl_error ? ssl_error : -1), false);
648 return;
649 }
650
651 LOG(LS_VERBOSE) << " -- flushed " << code << " bytes";
652 left -= code;
653 }
654 }
655
Close()656 void OpenSSLStreamAdapter::Close() {
657 Cleanup();
658 ASSERT(state_ == SSL_CLOSED || state_ == SSL_ERROR);
659 StreamAdapterInterface::Close();
660 }
661
GetState() const662 StreamState OpenSSLStreamAdapter::GetState() const {
663 switch (state_) {
664 case SSL_WAIT:
665 case SSL_CONNECTING:
666 return SS_OPENING;
667 case SSL_CONNECTED:
668 return SS_OPEN;
669 default:
670 return SS_CLOSED;
671 };
672 // not reached
673 }
674
OnEvent(StreamInterface * stream,int events,int err)675 void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, int events,
676 int err) {
677 int events_to_signal = 0;
678 int signal_error = 0;
679 ASSERT(stream == this->stream());
680 if ((events & SE_OPEN)) {
681 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent SE_OPEN";
682 if (state_ != SSL_WAIT) {
683 ASSERT(state_ == SSL_NONE);
684 events_to_signal |= SE_OPEN;
685 } else {
686 state_ = SSL_CONNECTING;
687 if (int err = BeginSSL()) {
688 Error("BeginSSL", err, true);
689 return;
690 }
691 }
692 }
693 if ((events & (SE_READ|SE_WRITE))) {
694 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent"
695 << ((events & SE_READ) ? " SE_READ" : "")
696 << ((events & SE_WRITE) ? " SE_WRITE" : "");
697 if (state_ == SSL_NONE) {
698 events_to_signal |= events & (SE_READ|SE_WRITE);
699 } else if (state_ == SSL_CONNECTING) {
700 if (int err = ContinueSSL()) {
701 Error("ContinueSSL", err, true);
702 return;
703 }
704 } else if (state_ == SSL_CONNECTED) {
705 if (((events & SE_READ) && ssl_write_needs_read_) ||
706 (events & SE_WRITE)) {
707 LOG(LS_VERBOSE) << " -- onStreamWriteable";
708 events_to_signal |= SE_WRITE;
709 }
710 if (((events & SE_WRITE) && ssl_read_needs_write_) ||
711 (events & SE_READ)) {
712 LOG(LS_VERBOSE) << " -- onStreamReadable";
713 events_to_signal |= SE_READ;
714 }
715 }
716 }
717 if ((events & SE_CLOSE)) {
718 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent(SE_CLOSE, " << err << ")";
719 Cleanup();
720 events_to_signal |= SE_CLOSE;
721 // SE_CLOSE is the only event that uses the final parameter to OnEvent().
722 ASSERT(signal_error == 0);
723 signal_error = err;
724 }
725 if (events_to_signal)
726 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error);
727 }
728
StartSSL()729 int OpenSSLStreamAdapter::StartSSL() {
730 ASSERT(state_ == SSL_NONE);
731
732 if (StreamAdapterInterface::GetState() != SS_OPEN) {
733 state_ = SSL_WAIT;
734 return 0;
735 }
736
737 state_ = SSL_CONNECTING;
738 if (int err = BeginSSL()) {
739 Error("BeginSSL", err, false);
740 return err;
741 }
742
743 return 0;
744 }
745
BeginSSL()746 int OpenSSLStreamAdapter::BeginSSL() {
747 ASSERT(state_ == SSL_CONNECTING);
748 // The underlying stream has open. If we are in peer-to-peer mode
749 // then a peer certificate must have been specified by now.
750 ASSERT(!ssl_server_name_.empty() ||
751 !peer_certificate_digest_algorithm_.empty());
752 LOG(LS_INFO) << "BeginSSL: "
753 << (!ssl_server_name_.empty() ? ssl_server_name_ :
754 "with peer");
755
756 BIO* bio = NULL;
757
758 // First set up the context
759 ASSERT(ssl_ctx_ == NULL);
760 ssl_ctx_ = SetupSSLContext();
761 if (!ssl_ctx_)
762 return -1;
763
764 bio = BIO_new_stream(static_cast<StreamInterface*>(stream()));
765 if (!bio)
766 return -1;
767
768 ssl_ = SSL_new(ssl_ctx_);
769 if (!ssl_) {
770 BIO_free(bio);
771 return -1;
772 }
773
774 SSL_set_app_data(ssl_, this);
775
776 SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now.
777 #ifndef OPENSSL_IS_BORINGSSL
778 if (ssl_mode_ == SSL_MODE_DTLS) {
779 // Enable read-ahead for DTLS so whole packets are read from internal BIO
780 // before parsing. This is done internally by BoringSSL for DTLS.
781 SSL_set_read_ahead(ssl_, 1);
782 }
783 #endif
784
785 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
786 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
787
788 // Specify an ECDH group for ECDHE ciphers, otherwise they cannot be
789 // negotiated when acting as the server. Use NIST's P-256 which is commonly
790 // supported.
791 EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
792 if (ecdh == NULL)
793 return -1;
794 SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);
795 SSL_set_tmp_ecdh(ssl_, ecdh);
796 EC_KEY_free(ecdh);
797
798 // Do the connect
799 return ContinueSSL();
800 }
801
ContinueSSL()802 int OpenSSLStreamAdapter::ContinueSSL() {
803 LOG(LS_VERBOSE) << "ContinueSSL";
804 ASSERT(state_ == SSL_CONNECTING);
805
806 // Clear the DTLS timer
807 Thread::Current()->Clear(this, MSG_TIMEOUT);
808
809 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
810 int ssl_error;
811 switch (ssl_error = SSL_get_error(ssl_, code)) {
812 case SSL_ERROR_NONE:
813 LOG(LS_VERBOSE) << " -- success";
814
815 if (!SSLPostConnectionCheck(ssl_, ssl_server_name_.c_str(), NULL,
816 peer_certificate_digest_algorithm_)) {
817 LOG(LS_ERROR) << "TLS post connection check failed";
818 return -1;
819 }
820
821 state_ = SSL_CONNECTED;
822 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0);
823 break;
824
825 case SSL_ERROR_WANT_READ: {
826 LOG(LS_VERBOSE) << " -- error want read";
827 struct timeval timeout;
828 if (DTLSv1_get_timeout(ssl_, &timeout)) {
829 int delay = timeout.tv_sec * 1000 + timeout.tv_usec/1000;
830
831 Thread::Current()->PostDelayed(delay, this, MSG_TIMEOUT, 0);
832 }
833 }
834 break;
835
836 case SSL_ERROR_WANT_WRITE:
837 LOG(LS_VERBOSE) << " -- error want write";
838 break;
839
840 case SSL_ERROR_ZERO_RETURN:
841 default:
842 LOG(LS_VERBOSE) << " -- error " << code;
843 return (ssl_error != 0) ? ssl_error : -1;
844 }
845
846 return 0;
847 }
848
Error(const char * context,int err,bool signal)849 void OpenSSLStreamAdapter::Error(const char* context, int err, bool signal) {
850 LOG(LS_WARNING) << "OpenSSLStreamAdapter::Error("
851 << context << ", " << err << ")";
852 state_ = SSL_ERROR;
853 ssl_error_code_ = err;
854 Cleanup();
855 if (signal)
856 StreamAdapterInterface::OnEvent(stream(), SE_CLOSE, err);
857 }
858
Cleanup()859 void OpenSSLStreamAdapter::Cleanup() {
860 LOG(LS_INFO) << "Cleanup";
861
862 if (state_ != SSL_ERROR) {
863 state_ = SSL_CLOSED;
864 ssl_error_code_ = 0;
865 }
866
867 if (ssl_) {
868 int ret = SSL_shutdown(ssl_);
869 if (ret < 0) {
870 LOG(LS_WARNING) << "SSL_shutdown failed, error = "
871 << SSL_get_error(ssl_, ret);
872 }
873
874 SSL_free(ssl_);
875 ssl_ = NULL;
876 }
877 if (ssl_ctx_) {
878 SSL_CTX_free(ssl_ctx_);
879 ssl_ctx_ = NULL;
880 }
881 identity_.reset();
882 peer_certificate_.reset();
883
884 // Clear the DTLS timer
885 Thread::Current()->Clear(this, MSG_TIMEOUT);
886 }
887
888
OnMessage(Message * msg)889 void OpenSSLStreamAdapter::OnMessage(Message* msg) {
890 // Process our own messages and then pass others to the superclass
891 if (MSG_TIMEOUT == msg->message_id) {
892 LOG(LS_INFO) << "DTLS timeout expired";
893 DTLSv1_handle_timeout(ssl_);
894 ContinueSSL();
895 } else {
896 StreamInterface::OnMessage(msg);
897 }
898 }
899
SetupSSLContext()900 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
901 SSL_CTX *ctx = NULL;
902
903 #ifdef OPENSSL_IS_BORINGSSL
904 ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ?
905 DTLS_method() : TLS_method());
906 // Version limiting for BoringSSL will be done below.
907 #else
908 const SSL_METHOD* method;
909 switch (ssl_max_version_) {
910 case SSL_PROTOCOL_TLS_10:
911 case SSL_PROTOCOL_TLS_11:
912 // OpenSSL doesn't support setting min/max versions, so we always use
913 // (D)TLS 1.0 if a max. version below the max. available is requested.
914 if (ssl_mode_ == SSL_MODE_DTLS) {
915 if (role_ == SSL_CLIENT) {
916 method = DTLSv1_client_method();
917 } else {
918 method = DTLSv1_server_method();
919 }
920 } else {
921 if (role_ == SSL_CLIENT) {
922 method = TLSv1_client_method();
923 } else {
924 method = TLSv1_server_method();
925 }
926 }
927 break;
928 case SSL_PROTOCOL_TLS_12:
929 default:
930 if (ssl_mode_ == SSL_MODE_DTLS) {
931 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
932 // DTLS 1.2 only available starting from OpenSSL 1.0.2
933 if (role_ == SSL_CLIENT) {
934 method = DTLS_client_method();
935 } else {
936 method = DTLS_server_method();
937 }
938 #else
939 if (role_ == SSL_CLIENT) {
940 method = DTLSv1_client_method();
941 } else {
942 method = DTLSv1_server_method();
943 }
944 #endif
945 } else {
946 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
947 // New API only available starting from OpenSSL 1.1.0
948 if (role_ == SSL_CLIENT) {
949 method = TLS_client_method();
950 } else {
951 method = TLS_server_method();
952 }
953 #else
954 if (role_ == SSL_CLIENT) {
955 method = SSLv23_client_method();
956 } else {
957 method = SSLv23_server_method();
958 }
959 #endif
960 }
961 break;
962 }
963 ctx = SSL_CTX_new(method);
964 #endif // OPENSSL_IS_BORINGSSL
965
966 if (ctx == NULL)
967 return NULL;
968
969 #ifdef OPENSSL_IS_BORINGSSL
970 SSL_CTX_set_min_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
971 DTLS1_VERSION : TLS1_VERSION);
972 switch (ssl_max_version_) {
973 case SSL_PROTOCOL_TLS_10:
974 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
975 DTLS1_VERSION : TLS1_VERSION);
976 break;
977 case SSL_PROTOCOL_TLS_11:
978 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
979 DTLS1_VERSION : TLS1_1_VERSION);
980 break;
981 case SSL_PROTOCOL_TLS_12:
982 default:
983 SSL_CTX_set_max_version(ctx, ssl_mode_ == SSL_MODE_DTLS ?
984 DTLS1_2_VERSION : TLS1_2_VERSION);
985 break;
986 }
987 #endif
988
989 if (identity_ && !identity_->ConfigureIdentity(ctx)) {
990 SSL_CTX_free(ctx);
991 return NULL;
992 }
993
994 #if !defined(NDEBUG)
995 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback);
996 #endif
997
998 int mode = SSL_VERIFY_PEER;
999 if (client_auth_enabled()) {
1000 // Require a certificate from the client.
1001 // Note: Normally this is always true in production, but it may be disabled
1002 // for testing purposes (e.g. SSLAdapter unit tests).
1003 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1004 }
1005
1006 SSL_CTX_set_verify(ctx, mode, SSLVerifyCallback);
1007 SSL_CTX_set_verify_depth(ctx, 4);
1008 // Select list of available ciphers. Note that !SHA256 and !SHA384 only
1009 // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites
1010 // with SHA256 or SHA384 as the handshake hash.
1011 // This matches the list of SSLClientSocketOpenSSL in Chromium.
1012 SSL_CTX_set_cipher_list(ctx,
1013 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK");
1014
1015 #ifdef HAVE_DTLS_SRTP
1016 if (!srtp_ciphers_.empty()) {
1017 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) {
1018 SSL_CTX_free(ctx);
1019 return NULL;
1020 }
1021 }
1022 #endif
1023
1024 return ctx;
1025 }
1026
SSLVerifyCallback(int ok,X509_STORE_CTX * store)1027 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
1028 // Get our SSL structure from the store
1029 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(
1030 store,
1031 SSL_get_ex_data_X509_STORE_CTX_idx()));
1032 OpenSSLStreamAdapter* stream =
1033 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
1034
1035 if (stream->peer_certificate_digest_algorithm_.empty()) {
1036 return 0;
1037 }
1038 X509* cert = X509_STORE_CTX_get_current_cert(store);
1039 int depth = X509_STORE_CTX_get_error_depth(store);
1040
1041 // For now We ignore the parent certificates and verify the leaf against
1042 // the digest.
1043 //
1044 // TODO(jiayl): Verify the chain is a proper chain and report the chain to
1045 // |stream->peer_certificate_|.
1046 if (depth > 0) {
1047 LOG(LS_INFO) << "Ignored chained certificate at depth " << depth;
1048 return 1;
1049 }
1050
1051 unsigned char digest[EVP_MAX_MD_SIZE];
1052 size_t digest_length;
1053 if (!OpenSSLCertificate::ComputeDigest(
1054 cert,
1055 stream->peer_certificate_digest_algorithm_,
1056 digest, sizeof(digest),
1057 &digest_length)) {
1058 LOG(LS_WARNING) << "Failed to compute peer cert digest.";
1059 return 0;
1060 }
1061
1062 Buffer computed_digest(digest, digest_length);
1063 if (computed_digest != stream->peer_certificate_digest_value_) {
1064 LOG(LS_WARNING) << "Rejected peer certificate due to mismatched digest.";
1065 return 0;
1066 }
1067 // Ignore any verification error if the digest matches, since there is no
1068 // value in checking the validity of a self-signed cert issued by untrusted
1069 // sources.
1070 LOG(LS_INFO) << "Accepted peer certificate.";
1071
1072 // Record the peer's certificate.
1073 stream->peer_certificate_.reset(new OpenSSLCertificate(cert));
1074 return 1;
1075 }
1076
1077 // This code is taken from the "Network Security with OpenSSL"
1078 // sample in chapter 5
SSLPostConnectionCheck(SSL * ssl,const char * server_name,const X509 * peer_cert,const std::string & peer_digest)1079 bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl,
1080 const char* server_name,
1081 const X509* peer_cert,
1082 const std::string
1083 &peer_digest) {
1084 ASSERT(server_name != NULL);
1085 bool ok;
1086 if (server_name[0] != '\0') { // traditional mode
1087 ok = OpenSSLAdapter::VerifyServerName(ssl, server_name, ignore_bad_cert());
1088
1089 if (ok) {
1090 ok = (SSL_get_verify_result(ssl) == X509_V_OK ||
1091 custom_verification_succeeded_);
1092 }
1093 } else { // peer-to-peer mode
1094 ASSERT((peer_cert != NULL) || (!peer_digest.empty()));
1095 // no server name validation
1096 ok = true;
1097 }
1098
1099 if (!ok && ignore_bad_cert()) {
1100 LOG(LS_ERROR) << "SSL_get_verify_result(ssl) = "
1101 << SSL_get_verify_result(ssl);
1102 LOG(LS_INFO) << "Other TLS post connection checks failed.";
1103 ok = true;
1104 }
1105
1106 return ok;
1107 }
1108
HaveDtls()1109 bool OpenSSLStreamAdapter::HaveDtls() {
1110 return true;
1111 }
1112
HaveDtlsSrtp()1113 bool OpenSSLStreamAdapter::HaveDtlsSrtp() {
1114 #ifdef HAVE_DTLS_SRTP
1115 return true;
1116 #else
1117 return false;
1118 #endif
1119 }
1120
HaveExporter()1121 bool OpenSSLStreamAdapter::HaveExporter() {
1122 #ifdef HAVE_DTLS_SRTP
1123 return true;
1124 #else
1125 return false;
1126 #endif
1127 }
1128
GetDefaultSslCipherForTest(SSLProtocolVersion version,KeyType key_type)1129 int OpenSSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version,
1130 KeyType key_type) {
1131 if (key_type == KT_RSA) {
1132 switch (version) {
1133 case SSL_PROTOCOL_TLS_10:
1134 case SSL_PROTOCOL_TLS_11:
1135 return kDefaultSslCipher10;
1136 case SSL_PROTOCOL_TLS_12:
1137 default:
1138 #ifdef OPENSSL_IS_BORINGSSL
1139 if (EVP_has_aes_hardware()) {
1140 return kDefaultSslCipher12;
1141 } else {
1142 return kDefaultSslCipher12NoAesGcm;
1143 }
1144 #else // !OPENSSL_IS_BORINGSSL
1145 return kDefaultSslCipher12;
1146 #endif
1147 }
1148 } else if (key_type == KT_ECDSA) {
1149 switch (version) {
1150 case SSL_PROTOCOL_TLS_10:
1151 case SSL_PROTOCOL_TLS_11:
1152 return kDefaultSslEcCipher10;
1153 case SSL_PROTOCOL_TLS_12:
1154 default:
1155 #ifdef OPENSSL_IS_BORINGSSL
1156 if (EVP_has_aes_hardware()) {
1157 return kDefaultSslEcCipher12;
1158 } else {
1159 return kDefaultSslEcCipher12NoAesGcm;
1160 }
1161 #else // !OPENSSL_IS_BORINGSSL
1162 return kDefaultSslEcCipher12;
1163 #endif
1164 }
1165 } else {
1166 RTC_NOTREACHED();
1167 return kDefaultSslEcCipher12;
1168 }
1169 }
1170
1171 } // namespace rtc
1172
1173 #endif // HAVE_OPENSSL_SSL_H
1174