Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 245 insertions, 0 deletions

diff --git a/third_party/libwebrtc/rtc_base/openssl_adapter.h b/third_party/libwebrtc/rtc_base/openssl_adapter.h
new file mode 100644
index 0000000000..558a04077a
--- /dev/null
+++ b/third_party/libwebrtc/rtc_base/openssl_adapter.h
@@ -0,0 +1,245 @@
+/*
+ *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#ifndef RTC_BASE_OPENSSL_ADAPTER_H_
+#define RTC_BASE_OPENSSL_ADAPTER_H_
+
+#include <openssl/ossl_typ.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "absl/strings/string_view.h"
+#include "api/task_queue/pending_task_safety_flag.h"
+#include "rtc_base/buffer.h"
+#ifdef OPENSSL_IS_BORINGSSL
+#include "rtc_base/boringssl_identity.h"
+#else
+#include "rtc_base/openssl_identity.h"
+#endif
+#include "rtc_base/openssl_session_cache.h"
+#include "rtc_base/socket.h"
+#include "rtc_base/socket_address.h"
+#include "rtc_base/ssl_adapter.h"
+#include "rtc_base/ssl_certificate.h"
+#include "rtc_base/ssl_identity.h"
+#include "rtc_base/ssl_stream_adapter.h"
+
+namespace rtc {
+
+namespace webrtc_openssl_adapter_internal {
+
+// Local definition, since absl::StrJoin is not allow-listed. Declared in header
+// file only for unittests.
+std::string StrJoin(const std::vector<std::string>& list, char delimiter);
+
+}  // namespace webrtc_openssl_adapter_internal
+
+class OpenSSLAdapter final : public SSLAdapter {
+ public:
+  static bool InitializeSSL();
+  static bool CleanupSSL();
+
+  // Creating an OpenSSLAdapter requires a socket to bind to, an optional
+  // session cache if you wish to improve performance by caching sessions for
+  // hostnames you have previously connected to and an optional
+  // SSLCertificateVerifier which can override any existing trusted roots to
+  // validate a peer certificate. The cache and verifier are effectively
+  // immutable after the the SSL connection starts.
+  explicit OpenSSLAdapter(Socket* socket,
+                          OpenSSLSessionCache* ssl_session_cache = nullptr,
+                          SSLCertificateVerifier* ssl_cert_verifier = nullptr);
+  ~OpenSSLAdapter() override;
+
+  void SetIgnoreBadCert(bool ignore) override;
+  void SetAlpnProtocols(const std::vector<std::string>& protos) override;
+  void SetEllipticCurves(const std::vector<std::string>& curves) override;
+  void SetMode(SSLMode mode) override;
+  void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override;
+  void SetIdentity(std::unique_ptr<SSLIdentity> identity) override;
+  void SetRole(SSLRole role) override;
+  int StartSSL(absl::string_view hostname) override;
+  int Send(const void* pv, size_t cb) override;
+  int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override;
+  int Recv(void* pv, size_t cb, int64_t* timestamp) override;
+  int RecvFrom(void* pv,
+               size_t cb,
+               SocketAddress* paddr,
+               int64_t* timestamp) override;
+  int Close() override;
+  // Note that the socket returns ST_CONNECTING while SSL is being negotiated.
+  ConnState GetState() const override;
+  bool IsResumedSession() override;
+  // Creates a new SSL_CTX object, configured for client-to-server usage
+  // with SSLMode `mode`, and if `enable_cache` is true, with support for
+  // storing successful sessions so that they can be later resumed.
+  // OpenSSLAdapterFactory will call this method to create its own internal
+  // SSL_CTX, and OpenSSLAdapter will also call this when used without a
+  // factory.
+  static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache);
+
+ protected:
+  void OnConnectEvent(Socket* socket) override;
+  void OnReadEvent(Socket* socket) override;
+  void OnWriteEvent(Socket* socket) override;
+  void OnCloseEvent(Socket* socket, int err) override;
+
+ private:
+  class EarlyExitCatcher {
+   public:
+    EarlyExitCatcher(OpenSSLAdapter& adapter_ptr);
+    void disable();
+    ~EarlyExitCatcher();
+
+   private:
+    bool disabled_ = false;
+    OpenSSLAdapter& adapter_ptr_;
+  };
+  enum SSLState {
+    SSL_NONE,
+    SSL_WAIT,
+    SSL_CONNECTING,
+    SSL_CONNECTED,
+    SSL_ERROR
+  };
+
+  int BeginSSL();
+  int ContinueSSL();
+  void Error(absl::string_view context, int err, bool signal = true);
+  void Cleanup();
+  void OnTimeout();
+
+  // Return value and arguments have the same meanings as for Send; `error` is
+  // an output parameter filled with the result of SSL_get_error.
+  int DoSslWrite(const void* pv, size_t cb, int* error);
+  bool SSLPostConnectionCheck(SSL* ssl, absl::string_view host);
+
+  // Logs info about the state of the SSL connection.
+  static void SSLInfoCallback(const SSL* ssl, int where, int ret);
+
+#if defined(OPENSSL_IS_BORINGSSL) && \
+    defined(WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS)
+  static enum ssl_verify_result_t SSLVerifyCallback(SSL* ssl,
+                                                    uint8_t* out_alert);
+  enum ssl_verify_result_t SSLVerifyInternal(SSL* ssl, uint8_t* out_alert);
+#else
+  static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
+  // Call a custom verifier, if installed.
+  // Returns 1 on success, `status_on_error` on error or verification failure.
+  int SSLVerifyInternal(int status_on_error, SSL* ssl, X509_STORE_CTX* store);
+#endif
+  friend class OpenSSLStreamAdapter;  // for custom_verify_callback_;
+
+  // If the SSL_CTX was created with `enable_cache` set to true, this callback
+  // will be called when a SSL session has been successfully established,
+  // to allow its SSL_SESSION* to be cached for later resumption.
+  static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session);
+
+  // Optional SSL Shared session cache to improve performance.
+  OpenSSLSessionCache* ssl_session_cache_ = nullptr;
+  // Optional SSL Certificate verifier which can be set by a third party.
+  SSLCertificateVerifier* ssl_cert_verifier_ = nullptr;
+  // The current connection state of the (d)TLS connection.
+  SSLState state_;
+
+#ifdef OPENSSL_IS_BORINGSSL
+  std::unique_ptr<BoringSSLIdentity> identity_;
+#else
+  std::unique_ptr<OpenSSLIdentity> identity_;
+#endif
+  // Indicates whethere this is a client or a server.
+  SSLRole role_;
+  bool ssl_read_needs_write_;
+  bool ssl_write_needs_read_;
+  // This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which
+  // means we need to keep retrying with *the same exact data* until it
+  // succeeds. Afterwards it will be cleared.
+  Buffer pending_data_;
+  SSL* ssl_;
+  // Holds the SSL context, which may be shared if an session cache is provided.
+  SSL_CTX* ssl_ctx_;
+  // Hostname of server that is being connected, used for SNI.
+  std::string ssl_host_name_;
+  // Set the adapter to DTLS or TLS mode before creating the context.
+  SSLMode ssl_mode_;
+  // If true, the server certificate need not match the configured hostname.
+  bool ignore_bad_cert_;
+  // List of protocols to be used in the TLS ALPN extension.
+  std::vector<std::string> alpn_protocols_;
+  // List of elliptic curves to be used in the TLS elliptic curves extension.
+  std::vector<std::string> elliptic_curves_;
+  // Holds the result of the call to run of the ssl_cert_verify_->Verify()
+  bool custom_cert_verifier_status_;
+  // Flag to cancel pending timeout task.
+  webrtc::ScopedTaskSafety timer_;
+};
+
+// The OpenSSLAdapterFactory is responsbile for creating multiple new
+// OpenSSLAdapters with a shared SSL_CTX and a shared SSL_SESSION cache. The
+// SSL_SESSION cache allows existing SSL_SESSIONS to be reused instead of
+// recreating them leading to a significant performance improvement.
+class OpenSSLAdapterFactory : public SSLAdapterFactory {
+ public:
+  OpenSSLAdapterFactory();
+  ~OpenSSLAdapterFactory() override;
+  // Set the SSL Mode to use with this factory. This should only be set before
+  // the first adapter is created with the factory. If it is called after it
+  // will DCHECK.
+  void SetMode(SSLMode mode) override;
+
+  // Set a custom certificate verifier to be passed down to each instance
+  // created with this factory. This should only ever be set before the first
+  // call to the factory and cannot be changed after the fact.
+  void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override;
+
+  void SetIdentity(std::unique_ptr<SSLIdentity> identity) override;
+
+  // Choose whether the socket acts as a server socket or client socket.
+  void SetRole(SSLRole role) override;
+
+  // Methods that control server certificate verification, used in unit tests.
+  // Do not call these methods in production code.
+  void SetIgnoreBadCert(bool ignore) override;
+
+  // Constructs a new socket using the shared OpenSSLSessionCache. This means
+  // existing SSLSessions already in the cache will be reused instead of
+  // re-created for improved performance.
+  OpenSSLAdapter* CreateAdapter(Socket* socket) override;
+
+ private:
+  // Holds the SSLMode (DTLS,TLS) that will be used to set the session cache.
+  SSLMode ssl_mode_ = SSL_MODE_TLS;
+  SSLRole ssl_role_ = SSL_CLIENT;
+  bool ignore_bad_cert_ = false;
+
+  std::unique_ptr<SSLIdentity> identity_;
+
+  // Holds a cache of existing SSL Sessions.
+  std::unique_ptr<OpenSSLSessionCache> ssl_session_cache_;
+  // Provides an optional custom callback for verifying SSL certificates, this
+  // in currently only used for TLS-TURN connections.
+  SSLCertificateVerifier* ssl_cert_verifier_ = nullptr;
+  // TODO(benwright): Remove this when context is moved to OpenSSLCommon.
+  // Hold a friend class to the OpenSSLAdapter to retrieve the context.
+  friend class OpenSSLAdapter;
+};
+
+// The EarlyExitCatcher is responsible for calling OpenSSLAdapter::Cleanup on
+// destruction. By doing this we have scoped cleanup which can be disabled if
+// there were no errors, aka early exits.
+
+std::string TransformAlpnProtocols(const std::vector<std::string>& protos);
+
+}  // namespace rtc
+
+#endif  // RTC_BASE_OPENSSL_ADAPTER_H_