// Copyright 2015 The Chromium OS Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <brillo/streams/tls_stream.h> #include <algorithm> #include <limits> #include <string> #include <vector> #include <openssl/err.h> #include <openssl/ssl.h> #include <base/bind.h> #include <base/memory/weak_ptr.h> #include <brillo/message_loops/message_loop.h> #include <brillo/secure_blob.h> #include <brillo/streams/openssl_stream_bio.h> #include <brillo/streams/stream_utils.h> #include <brillo/strings/string_utils.h> namespace { // SSL info callback which is called by OpenSSL when we enable logging level of // at least 3. This logs the information about the internal TLS handshake. void TlsInfoCallback(const SSL* /* ssl */, int where, int ret) { std::string reason; std::vector<std::string> info; if (where & SSL_CB_LOOP) info.push_back("loop"); if (where & SSL_CB_EXIT) info.push_back("exit"); if (where & SSL_CB_READ) info.push_back("read"); if (where & SSL_CB_WRITE) info.push_back("write"); if (where & SSL_CB_ALERT) { info.push_back("alert"); reason = ", reason: "; reason += SSL_alert_type_string_long(ret); reason += "/"; reason += SSL_alert_desc_string_long(ret); } if (where & SSL_CB_HANDSHAKE_START) info.push_back("handshake_start"); if (where & SSL_CB_HANDSHAKE_DONE) info.push_back("handshake_done"); VLOG(3) << "TLS progress info: " << brillo::string_utils::Join(",", info) << ", with status: " << ret << reason; } // Static variable to store the index of TlsStream private data in SSL context // used to store custom data for OnCertVerifyResults(). int ssl_ctx_private_data_index = -1; // Default trusted certificate store location. const char kCACertificatePath[] = #ifdef __ANDROID__ "/system/etc/security/cacerts_google"; #else "/usr/share/chromeos-ca-certificates"; #endif } // anonymous namespace namespace brillo { // Helper implementation of TLS stream used to hide most of OpenSSL inner // workings from the users of brillo::TlsStream. class TlsStream::TlsStreamImpl { public: TlsStreamImpl(); ~TlsStreamImpl(); bool Init(StreamPtr socket, const std::string& host, const base::Closure& success_callback, const Stream::ErrorCallback& error_callback, ErrorPtr* error); bool ReadNonBlocking(void* buffer, size_t size_to_read, size_t* size_read, bool* end_of_stream, ErrorPtr* error); bool WriteNonBlocking(const void* buffer, size_t size_to_write, size_t* size_written, ErrorPtr* error); bool Flush(ErrorPtr* error); bool Close(ErrorPtr* error); bool WaitForData(AccessMode mode, const base::Callback<void(AccessMode)>& callback, ErrorPtr* error); bool WaitForDataBlocking(AccessMode in_mode, base::TimeDelta timeout, AccessMode* out_mode, ErrorPtr* error); void CancelPendingAsyncOperations(); private: bool ReportError(ErrorPtr* error, const tracked_objects::Location& location, const std::string& message); void DoHandshake(const base::Closure& success_callback, const Stream::ErrorCallback& error_callback); void RetryHandshake(const base::Closure& success_callback, const Stream::ErrorCallback& error_callback, Stream::AccessMode mode); int OnCertVerifyResults(int ok, X509_STORE_CTX* ctx); static int OnCertVerifyResultsStatic(int ok, X509_STORE_CTX* ctx); StreamPtr socket_; std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)> ctx_{nullptr, SSL_CTX_free}; std::unique_ptr<SSL, decltype(&SSL_free)> ssl_{nullptr, SSL_free}; BIO* stream_bio_{nullptr}; bool need_more_read_{false}; bool need_more_write_{false}; base::WeakPtrFactory<TlsStreamImpl> weak_ptr_factory_{this}; DISALLOW_COPY_AND_ASSIGN(TlsStreamImpl); }; TlsStream::TlsStreamImpl::TlsStreamImpl() { SSL_load_error_strings(); SSL_library_init(); if (ssl_ctx_private_data_index < 0) { ssl_ctx_private_data_index = SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr); } } TlsStream::TlsStreamImpl::~TlsStreamImpl() { ssl_.reset(); ctx_.reset(); } bool TlsStream::TlsStreamImpl::ReadNonBlocking(void* buffer, size_t size_to_read, size_t* size_read, bool* end_of_stream, ErrorPtr* error) { const size_t max_int = std::numeric_limits<int>::max(); int size_int = static_cast<int>(std::min(size_to_read, max_int)); int ret = SSL_read(ssl_.get(), buffer, size_int); if (ret > 0) { *size_read = static_cast<size_t>(ret); if (end_of_stream) *end_of_stream = false; return true; } int err = SSL_get_error(ssl_.get(), ret); if (err == SSL_ERROR_ZERO_RETURN) { *size_read = 0; if (end_of_stream) *end_of_stream = true; return true; } if (err == SSL_ERROR_WANT_READ) { need_more_read_ = true; } else if (err == SSL_ERROR_WANT_WRITE) { // Writes might be required for SSL_read() because of possible TLS // re-negotiations which can happen at any time. need_more_write_ = true; } else { return ReportError(error, FROM_HERE, "Error reading from TLS socket"); } *size_read = 0; if (end_of_stream) *end_of_stream = false; return true; } bool TlsStream::TlsStreamImpl::WriteNonBlocking(const void* buffer, size_t size_to_write, size_t* size_written, ErrorPtr* error) { const size_t max_int = std::numeric_limits<int>::max(); int size_int = static_cast<int>(std::min(size_to_write, max_int)); int ret = SSL_write(ssl_.get(), buffer, size_int); if (ret > 0) { *size_written = static_cast<size_t>(ret); return true; } int err = SSL_get_error(ssl_.get(), ret); if (err == SSL_ERROR_WANT_READ) { // Reads might be required for SSL_write() because of possible TLS // re-negotiations which can happen at any time. need_more_read_ = true; } else if (err == SSL_ERROR_WANT_WRITE) { need_more_write_ = true; } else { return ReportError(error, FROM_HERE, "Error writing to TLS socket"); } *size_written = 0; return true; } bool TlsStream::TlsStreamImpl::Flush(ErrorPtr* error) { return socket_->FlushBlocking(error); } bool TlsStream::TlsStreamImpl::Close(ErrorPtr* error) { // 2 seconds should be plenty here. const base::TimeDelta kTimeout = base::TimeDelta::FromSeconds(2); // The retry count of 4 below is just arbitrary, to ensure we don't get stuck // here forever. We should rarely need to repeat SSL_shutdown anyway. for (int retry_count = 0; retry_count < 4; retry_count++) { int ret = SSL_shutdown(ssl_.get()); // We really don't care for bi-directional shutdown here. // Just make sure we only send the "close notify" alert to the remote peer. if (ret >= 0) break; int err = SSL_get_error(ssl_.get(), ret); if (err == SSL_ERROR_WANT_READ) { if (!socket_->WaitForDataBlocking(AccessMode::READ, kTimeout, nullptr, error)) { break; } } else if (err == SSL_ERROR_WANT_WRITE) { if (!socket_->WaitForDataBlocking(AccessMode::WRITE, kTimeout, nullptr, error)) { break; } } else { LOG(ERROR) << "SSL_shutdown returned error #" << err; ReportError(error, FROM_HERE, "Failed to shut down TLS socket"); break; } } return socket_->CloseBlocking(error); } bool TlsStream::TlsStreamImpl::WaitForData( AccessMode mode, const base::Callback<void(AccessMode)>& callback, ErrorPtr* error) { bool is_read = stream_utils::IsReadAccessMode(mode); bool is_write = stream_utils::IsWriteAccessMode(mode); is_read |= need_more_read_; is_write |= need_more_write_; need_more_read_ = false; need_more_write_ = false; if (is_read && SSL_pending(ssl_.get()) > 0) { callback.Run(AccessMode::READ); return true; } mode = stream_utils::MakeAccessMode(is_read, is_write); return socket_->WaitForData(mode, callback, error); } bool TlsStream::TlsStreamImpl::WaitForDataBlocking(AccessMode in_mode, base::TimeDelta timeout, AccessMode* out_mode, ErrorPtr* error) { bool is_read = stream_utils::IsReadAccessMode(in_mode); bool is_write = stream_utils::IsWriteAccessMode(in_mode); is_read |= need_more_read_; is_write |= need_more_write_; need_more_read_ = need_more_write_ = false; if (is_read && SSL_pending(ssl_.get()) > 0) { if (out_mode) *out_mode = AccessMode::READ; return true; } in_mode = stream_utils::MakeAccessMode(is_read, is_write); return socket_->WaitForDataBlocking(in_mode, timeout, out_mode, error); } void TlsStream::TlsStreamImpl::CancelPendingAsyncOperations() { socket_->CancelPendingAsyncOperations(); weak_ptr_factory_.InvalidateWeakPtrs(); } bool TlsStream::TlsStreamImpl::ReportError( ErrorPtr* error, const tracked_objects::Location& location, const std::string& message) { const char* file = nullptr; int line = 0; const char* data = 0; int flags = 0; while (auto errnum = ERR_get_error_line_data(&file, &line, &data, &flags)) { char buf[256]; ERR_error_string_n(errnum, buf, sizeof(buf)); tracked_objects::Location ssl_location{"Unknown", file, line, nullptr}; std::string ssl_message = buf; if (flags & ERR_TXT_STRING) { ssl_message += ": "; ssl_message += data; } Error::AddTo(error, ssl_location, "openssl", std::to_string(errnum), ssl_message); } Error::AddTo(error, location, "tls_stream", "failed", message); return false; } int TlsStream::TlsStreamImpl::OnCertVerifyResults(int ok, X509_STORE_CTX* ctx) { // OpenSSL already performs a comprehensive check of the certificate chain // (using X509_verify_cert() function) and calls back with the result of its // verification. // |ok| is set to 1 if the verification passed and 0 if an error was detected. // Here we can perform some additional checks if we need to, or simply log // the issues found. // For now, just log an error if it occurred. if (!ok) { LOG(ERROR) << "Server certificate validation failed: " << X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)); } return ok; } int TlsStream::TlsStreamImpl::OnCertVerifyResultsStatic(int ok, X509_STORE_CTX* ctx) { // Obtain the pointer to the instance of TlsStream::TlsStreamImpl from the // SSL CTX object referenced by |ctx|. SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data( ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); SSL_CTX* ssl_ctx = ssl ? SSL_get_SSL_CTX(ssl) : nullptr; TlsStream::TlsStreamImpl* self = nullptr; if (ssl_ctx) { self = static_cast<TlsStream::TlsStreamImpl*>(SSL_CTX_get_ex_data( ssl_ctx, ssl_ctx_private_data_index)); } return self ? self->OnCertVerifyResults(ok, ctx) : ok; } bool TlsStream::TlsStreamImpl::Init(StreamPtr socket, const std::string& host, const base::Closure& success_callback, const Stream::ErrorCallback& error_callback, ErrorPtr* error) { ctx_.reset(SSL_CTX_new(TLSv1_2_client_method())); if (!ctx_) return ReportError(error, FROM_HERE, "Cannot create SSL_CTX"); // Top cipher suites supported by both Google GFEs and OpenSSL (in server // preferred order). int res = SSL_CTX_set_cipher_list(ctx_.get(), "ECDHE-ECDSA-AES128-GCM-SHA256:" "ECDHE-ECDSA-AES256-GCM-SHA384:" "ECDHE-RSA-AES128-GCM-SHA256:" "ECDHE-RSA-AES256-GCM-SHA384"); if (res != 1) return ReportError(error, FROM_HERE, "Cannot set the cipher list"); res = SSL_CTX_load_verify_locations(ctx_.get(), nullptr, kCACertificatePath); if (res != 1) { return ReportError(error, FROM_HERE, "Failed to specify trusted certificate location"); } // Store a pointer to "this" into SSL_CTX instance. SSL_CTX_set_ex_data(ctx_.get(), ssl_ctx_private_data_index, this); // Ask OpenSSL to validate the server host from the certificate to match // the expected host name we are given: X509_VERIFY_PARAM* param = SSL_CTX_get0_param(ctx_.get()); X509_VERIFY_PARAM_set1_host(param, host.c_str(), host.size()); SSL_CTX_set_verify(ctx_.get(), SSL_VERIFY_PEER, &TlsStreamImpl::OnCertVerifyResultsStatic); socket_ = std::move(socket); ssl_.reset(SSL_new(ctx_.get())); // Enable TLS progress callback if VLOG level is >=3. if (VLOG_IS_ON(3)) SSL_set_info_callback(ssl_.get(), TlsInfoCallback); stream_bio_ = BIO_new_stream(socket_.get()); SSL_set_bio(ssl_.get(), stream_bio_, stream_bio_); SSL_set_connect_state(ssl_.get()); // We might have no message loop (e.g. we are in unit tests). if (MessageLoop::ThreadHasCurrent()) { MessageLoop::current()->PostTask( FROM_HERE, base::Bind(&TlsStreamImpl::DoHandshake, weak_ptr_factory_.GetWeakPtr(), success_callback, error_callback)); } else { DoHandshake(success_callback, error_callback); } return true; } void TlsStream::TlsStreamImpl::RetryHandshake( const base::Closure& success_callback, const Stream::ErrorCallback& error_callback, Stream::AccessMode /* mode */) { VLOG(1) << "Retrying TLS handshake"; DoHandshake(success_callback, error_callback); } void TlsStream::TlsStreamImpl::DoHandshake( const base::Closure& success_callback, const Stream::ErrorCallback& error_callback) { VLOG(1) << "Begin TLS handshake"; int res = SSL_do_handshake(ssl_.get()); if (res == 1) { VLOG(1) << "Handshake successful"; success_callback.Run(); return; } ErrorPtr error; int err = SSL_get_error(ssl_.get(), res); if (err == SSL_ERROR_WANT_READ) { VLOG(1) << "Waiting for read data..."; bool ok = socket_->WaitForData( Stream::AccessMode::READ, base::Bind(&TlsStreamImpl::RetryHandshake, weak_ptr_factory_.GetWeakPtr(), success_callback, error_callback), &error); if (ok) return; } else if (err == SSL_ERROR_WANT_WRITE) { VLOG(1) << "Waiting for write data..."; bool ok = socket_->WaitForData( Stream::AccessMode::WRITE, base::Bind(&TlsStreamImpl::RetryHandshake, weak_ptr_factory_.GetWeakPtr(), success_callback, error_callback), &error); if (ok) return; } else { ReportError(&error, FROM_HERE, "TLS handshake failed."); } error_callback.Run(error.get()); } ///////////////////////////////////////////////////////////////////////////// TlsStream::TlsStream(std::unique_ptr<TlsStreamImpl> impl) : impl_{std::move(impl)} {} TlsStream::~TlsStream() { if (impl_) { impl_->Close(nullptr); } } void TlsStream::Connect(StreamPtr socket, const std::string& host, const base::Callback<void(StreamPtr)>& success_callback, const Stream::ErrorCallback& error_callback) { std::unique_ptr<TlsStreamImpl> impl{new TlsStreamImpl}; std::unique_ptr<TlsStream> stream{new TlsStream{std::move(impl)}}; TlsStreamImpl* pimpl = stream->impl_.get(); ErrorPtr error; bool success = pimpl->Init(std::move(socket), host, base::Bind(success_callback, base::Passed(std::move(stream))), error_callback, &error); if (!success) error_callback.Run(error.get()); } bool TlsStream::IsOpen() const { return impl_ ? true : false; } bool TlsStream::SetSizeBlocking(uint64_t /* size */, ErrorPtr* error) { return stream_utils::ErrorOperationNotSupported(FROM_HERE, error); } bool TlsStream::Seek(int64_t /* offset */, Whence /* whence */, uint64_t* /* new_position*/, ErrorPtr* error) { return stream_utils::ErrorOperationNotSupported(FROM_HERE, error); } bool TlsStream::ReadNonBlocking(void* buffer, size_t size_to_read, size_t* size_read, bool* end_of_stream, ErrorPtr* error) { if (!impl_) return stream_utils::ErrorStreamClosed(FROM_HERE, error); return impl_->ReadNonBlocking(buffer, size_to_read, size_read, end_of_stream, error); } bool TlsStream::WriteNonBlocking(const void* buffer, size_t size_to_write, size_t* size_written, ErrorPtr* error) { if (!impl_) return stream_utils::ErrorStreamClosed(FROM_HERE, error); return impl_->WriteNonBlocking(buffer, size_to_write, size_written, error); } bool TlsStream::FlushBlocking(ErrorPtr* error) { if (!impl_) return stream_utils::ErrorStreamClosed(FROM_HERE, error); return impl_->Flush(error); } bool TlsStream::CloseBlocking(ErrorPtr* error) { if (impl_ && !impl_->Close(error)) return false; impl_.reset(); return true; } bool TlsStream::WaitForData(AccessMode mode, const base::Callback<void(AccessMode)>& callback, ErrorPtr* error) { if (!impl_) return stream_utils::ErrorStreamClosed(FROM_HERE, error); return impl_->WaitForData(mode, callback, error); } bool TlsStream::WaitForDataBlocking(AccessMode in_mode, base::TimeDelta timeout, AccessMode* out_mode, ErrorPtr* error) { if (!impl_) return stream_utils::ErrorStreamClosed(FROM_HERE, error); return impl_->WaitForDataBlocking(in_mode, timeout, out_mode, error); } void TlsStream::CancelPendingAsyncOperations() { if (impl_) impl_->CancelPendingAsyncOperations(); Stream::CancelPendingAsyncOperations(); } } // namespace brillo