mirror of
https://github.com/mollyim/webrtc.git
synced 2025-05-13 05:40:42 +01:00
abdb470d00
As documented in webrtc:11908 this cleanup is fairly invasive and when a part of a frequently executed code path, can be quite costly in terms of performance overhead. This is currently the case with synchronous calls between threads (Thread) as well with our proxy api classes. With this CL, all code in WebRTC should now either be using MessageHandlerAutoCleanup or calling MessageHandler(false) explicitly. Next steps will be to update external code to either depend on the AutoCleanup variant, or call MessageHandler(false). Changing the proxy classes to use TaskQueue set of concepts instead of MessageHandler. This avoids the perf overhead related to the cleanup above as well as incompatibility with the thread policy checks in Thread that some current external users of the proxies would otherwise run into (if we were to use Thread::Send() for synchronous call). Following this we'll move the cleanup step into the AutoCleanup class and an RTC_DCHECK that all calls to the MessageHandler are setting the flag to false, before eventually removing the flag and make MessageHandler pure virtual. Bug: webrtc:11908 Change-Id: Idf4ff9bcc8438cb8c583777e282005e0bc511c8f Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/183442 Reviewed-by: Artem Titov <titovartem@webrtc.org> Commit-Queue: Tommi <tommi@webrtc.org> Cr-Commit-Position: refs/heads/master@{#32049}
190 lines
7.9 KiB
C++
190 lines
7.9 KiB
C++
/*
|
|
* Copyright 2004 The WebRTC Project Authors. All rights reserved.
|
|
*
|
|
* Use of this source code is governed by a BSD-style license
|
|
* that can be found in the LICENSE file in the root of the source
|
|
* tree. An additional intellectual property rights grant can be found
|
|
* in the file PATENTS. All contributing project authors may
|
|
* be found in the AUTHORS file in the root of the source tree.
|
|
*/
|
|
|
|
#ifndef RTC_BASE_OPENSSL_ADAPTER_H_
|
|
#define RTC_BASE_OPENSSL_ADAPTER_H_
|
|
|
|
#include <stddef.h>
|
|
#include <stdint.h>
|
|
|
|
#include <memory>
|
|
#include <string>
|
|
#include <vector>
|
|
|
|
#include "rtc_base/async_socket.h"
|
|
#include "rtc_base/buffer.h"
|
|
#include "rtc_base/message_handler.h"
|
|
#include "rtc_base/openssl_identity.h"
|
|
#include "rtc_base/openssl_session_cache.h"
|
|
#include "rtc_base/socket.h"
|
|
#include "rtc_base/socket_address.h"
|
|
#include "rtc_base/ssl_adapter.h"
|
|
#include "rtc_base/ssl_certificate.h"
|
|
#include "rtc_base/ssl_identity.h"
|
|
#include "rtc_base/ssl_stream_adapter.h"
|
|
|
|
namespace rtc {
|
|
|
|
class OpenSSLAdapter final : public SSLAdapter,
|
|
public MessageHandlerAutoCleanup {
|
|
public:
|
|
static bool InitializeSSL();
|
|
static bool CleanupSSL();
|
|
|
|
// Creating an OpenSSLAdapter requires a socket to bind to, an optional
|
|
// session cache if you wish to improve performance by caching sessions for
|
|
// hostnames you have previously connected to and an optional
|
|
// SSLCertificateVerifier which can override any existing trusted roots to
|
|
// validate a peer certificate. The cache and verifier are effectively
|
|
// immutable after the the SSL connection starts.
|
|
explicit OpenSSLAdapter(AsyncSocket* socket,
|
|
OpenSSLSessionCache* ssl_session_cache = nullptr,
|
|
SSLCertificateVerifier* ssl_cert_verifier = nullptr);
|
|
~OpenSSLAdapter() override;
|
|
|
|
void SetIgnoreBadCert(bool ignore) override;
|
|
void SetAlpnProtocols(const std::vector<std::string>& protos) override;
|
|
void SetEllipticCurves(const std::vector<std::string>& curves) override;
|
|
void SetMode(SSLMode mode) override;
|
|
void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override;
|
|
void SetIdentity(std::unique_ptr<SSLIdentity> identity) override;
|
|
void SetRole(SSLRole role) override;
|
|
AsyncSocket* Accept(SocketAddress* paddr) override;
|
|
int StartSSL(const char* hostname) override;
|
|
int Send(const void* pv, size_t cb) override;
|
|
int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override;
|
|
int Recv(void* pv, size_t cb, int64_t* timestamp) override;
|
|
int RecvFrom(void* pv,
|
|
size_t cb,
|
|
SocketAddress* paddr,
|
|
int64_t* timestamp) override;
|
|
int Close() override;
|
|
// Note that the socket returns ST_CONNECTING while SSL is being negotiated.
|
|
ConnState GetState() const override;
|
|
bool IsResumedSession() override;
|
|
// Creates a new SSL_CTX object, configured for client-to-server usage
|
|
// with SSLMode |mode|, and if |enable_cache| is true, with support for
|
|
// storing successful sessions so that they can be later resumed.
|
|
// OpenSSLAdapterFactory will call this method to create its own internal
|
|
// SSL_CTX, and OpenSSLAdapter will also call this when used without a
|
|
// factory.
|
|
static SSL_CTX* CreateContext(SSLMode mode, bool enable_cache);
|
|
|
|
protected:
|
|
void OnConnectEvent(AsyncSocket* socket) override;
|
|
void OnReadEvent(AsyncSocket* socket) override;
|
|
void OnWriteEvent(AsyncSocket* socket) override;
|
|
void OnCloseEvent(AsyncSocket* socket, int err) override;
|
|
|
|
private:
|
|
enum SSLState {
|
|
SSL_NONE,
|
|
SSL_WAIT,
|
|
SSL_CONNECTING,
|
|
SSL_CONNECTED,
|
|
SSL_ERROR
|
|
};
|
|
|
|
enum { MSG_TIMEOUT };
|
|
|
|
int BeginSSL();
|
|
int ContinueSSL();
|
|
void Error(const char* context, int err, bool signal = true);
|
|
void Cleanup();
|
|
|
|
// Return value and arguments have the same meanings as for Send; |error| is
|
|
// an output parameter filled with the result of SSL_get_error.
|
|
int DoSslWrite(const void* pv, size_t cb, int* error);
|
|
void OnMessage(Message* msg) override;
|
|
bool SSLPostConnectionCheck(SSL* ssl, const std::string& host);
|
|
|
|
#if !defined(NDEBUG)
|
|
// In debug builds, logs info about the state of the SSL connection.
|
|
static void SSLInfoCallback(const SSL* ssl, int where, int ret);
|
|
#endif
|
|
static int SSLVerifyCallback(int ok, X509_STORE_CTX* store);
|
|
friend class OpenSSLStreamAdapter; // for custom_verify_callback_;
|
|
|
|
// If the SSL_CTX was created with |enable_cache| set to true, this callback
|
|
// will be called when a SSL session has been successfully established,
|
|
// to allow its SSL_SESSION* to be cached for later resumption.
|
|
static int NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session);
|
|
|
|
// Optional SSL Shared session cache to improve performance.
|
|
OpenSSLSessionCache* ssl_session_cache_ = nullptr;
|
|
// Optional SSL Certificate verifier which can be set by a third party.
|
|
SSLCertificateVerifier* ssl_cert_verifier_ = nullptr;
|
|
// The current connection state of the (d)TLS connection.
|
|
SSLState state_;
|
|
std::unique_ptr<OpenSSLIdentity> identity_;
|
|
// Indicates whethere this is a client or a server.
|
|
SSLRole role_;
|
|
bool ssl_read_needs_write_;
|
|
bool ssl_write_needs_read_;
|
|
// This buffer is used if SSL_write fails with SSL_ERROR_WANT_WRITE, which
|
|
// means we need to keep retrying with *the same exact data* until it
|
|
// succeeds. Afterwards it will be cleared.
|
|
Buffer pending_data_;
|
|
SSL* ssl_;
|
|
// Holds the SSL context, which may be shared if an session cache is provided.
|
|
SSL_CTX* ssl_ctx_;
|
|
// Hostname of server that is being connected, used for SNI.
|
|
std::string ssl_host_name_;
|
|
// Set the adapter to DTLS or TLS mode before creating the context.
|
|
SSLMode ssl_mode_;
|
|
// If true, the server certificate need not match the configured hostname.
|
|
bool ignore_bad_cert_;
|
|
// List of protocols to be used in the TLS ALPN extension.
|
|
std::vector<std::string> alpn_protocols_;
|
|
// List of elliptic curves to be used in the TLS elliptic curves extension.
|
|
std::vector<std::string> elliptic_curves_;
|
|
// Holds the result of the call to run of the ssl_cert_verify_->Verify()
|
|
bool custom_cert_verifier_status_;
|
|
};
|
|
|
|
// The OpenSSLAdapterFactory is responsbile for creating multiple new
|
|
// OpenSSLAdapters with a shared SSL_CTX and a shared SSL_SESSION cache. The
|
|
// SSL_SESSION cache allows existing SSL_SESSIONS to be reused instead of
|
|
// recreating them leading to a significant performance improvement.
|
|
class OpenSSLAdapterFactory : public SSLAdapterFactory {
|
|
public:
|
|
OpenSSLAdapterFactory();
|
|
~OpenSSLAdapterFactory() override;
|
|
// Set the SSL Mode to use with this factory. This should only be set before
|
|
// the first adapter is created with the factory. If it is called after it
|
|
// will DCHECK.
|
|
void SetMode(SSLMode mode) override;
|
|
// Set a custom certificate verifier to be passed down to each instance
|
|
// created with this factory. This should only ever be set before the first
|
|
// call to the factory and cannot be changed after the fact.
|
|
void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override;
|
|
// Constructs a new socket using the shared OpenSSLSessionCache. This means
|
|
// existing SSLSessions already in the cache will be reused instead of
|
|
// re-created for improved performance.
|
|
OpenSSLAdapter* CreateAdapter(AsyncSocket* socket) override;
|
|
|
|
private:
|
|
// Holds the SSLMode (DTLS,TLS) that will be used to set the session cache.
|
|
SSLMode ssl_mode_ = SSL_MODE_TLS;
|
|
// Holds a cache of existing SSL Sessions.
|
|
std::unique_ptr<OpenSSLSessionCache> ssl_session_cache_;
|
|
// Provides an optional custom callback for verifying SSL certificates, this
|
|
// in currently only used for TLS-TURN connections.
|
|
SSLCertificateVerifier* ssl_cert_verifier_ = nullptr;
|
|
// TODO(benwright): Remove this when context is moved to OpenSSLCommon.
|
|
// Hold a friend class to the OpenSSLAdapter to retrieve the context.
|
|
friend class OpenSSLAdapter;
|
|
};
|
|
|
|
std::string TransformAlpnProtocols(const std::vector<std::string>& protos);
|
|
|
|
} // namespace rtc
|
|
|
|
#endif // RTC_BASE_OPENSSL_ADAPTER_H_
|