Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1af48588 authored by Yifan Hong's avatar Yifan Hong
Browse files

binder: combine TLS context objects.

This change creates RpcTransportCtxTls as the base class
of the server and client context classes. RpcTransportCtxTls
implements both addTrustedCertificate and getCertificate. This
is so that server and client can verify each other.

Test: binderRpcTest
Bug: 195166979
Bug: 196422181
Change-Id: I9b3b1ffd346bf8a93c2a5b38871295a8bc4c68ce
parent 87a379ce
Loading
Loading
Loading
Loading
+36 −53
Original line number Original line Diff line number Diff line
@@ -449,65 +449,34 @@ bool setFdAndDoHandshake(Ssl* ssl, android::base::borrowed_fd fd, FdTrigger* fdT
    }
    }
}
}


class RpcTransportCtxTlsServer : public RpcTransportCtx {
class RpcTransportCtxTls : public RpcTransportCtx {
public:
public:
    static std::unique_ptr<RpcTransportCtxTlsServer> create();
    template <typename Impl,
    std::unique_ptr<RpcTransport> newTransport(android::base::unique_fd acceptedFd,
              typename = std::enable_if_t<std::is_base_of_v<RpcTransportCtxTls, Impl>>>
    static std::unique_ptr<RpcTransportCtxTls> create();
    std::unique_ptr<RpcTransport> newTransport(android::base::unique_fd fd,
                                               FdTrigger* fdTrigger) const override;
                                               FdTrigger* fdTrigger) const override;


private:
protected:
    virtual void preHandshake(Ssl* ssl) const = 0;
    bssl::UniquePtr<SSL_CTX> mCtx;
    bssl::UniquePtr<SSL_CTX> mCtx;
};
};


std::unique_ptr<RpcTransportCtxTlsServer> RpcTransportCtxTlsServer::create() {
// Common implementation for creating server and client contexts. The child class, |Impl|, is
// provided as a template argument so that this function can initialize an |Impl| object.
template <typename Impl, typename>
std::unique_ptr<RpcTransportCtxTls> RpcTransportCtxTls::create() {
    bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
    bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
    TEST_AND_RETURN(nullptr, ctx != nullptr);
    TEST_AND_RETURN(nullptr, ctx != nullptr);


    // Server use self-signing cert
    auto evp_pkey = makeKeyPairForSelfSignedCert();
    auto evp_pkey = makeKeyPairForSelfSignedCert();
    TEST_AND_RETURN(nullptr, evp_pkey != nullptr);
    TEST_AND_RETURN(nullptr, evp_pkey != nullptr);
    auto cert = makeSelfSignedCert(evp_pkey.get(), kCertValidDays);
    auto cert = makeSelfSignedCert(evp_pkey.get(), kCertValidDays);
    TEST_AND_RETURN(nullptr, cert != nullptr);
    TEST_AND_RETURN(nullptr, cert != nullptr);
    TEST_AND_RETURN(nullptr, SSL_CTX_use_PrivateKey(ctx.get(), evp_pkey.get()));
    TEST_AND_RETURN(nullptr, SSL_CTX_use_PrivateKey(ctx.get(), evp_pkey.get()));
    TEST_AND_RETURN(nullptr, SSL_CTX_use_certificate(ctx.get(), cert.get()));
    TEST_AND_RETURN(nullptr, SSL_CTX_use_certificate(ctx.get(), cert.get()));
    // Require at least TLS 1.3
    TEST_AND_RETURN(nullptr, SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));

    if constexpr (SHOULD_LOG_TLS_DETAIL) { // NOLINT
        SSL_CTX_set_info_callback(ctx.get(), sslDebugLog);
    }

    auto rpcTransportTlsServerCtx = std::make_unique<RpcTransportCtxTlsServer>();
    rpcTransportTlsServerCtx->mCtx = std::move(ctx);
    return rpcTransportTlsServerCtx;
}

std::unique_ptr<RpcTransport> RpcTransportCtxTlsServer::newTransport(
        android::base::unique_fd acceptedFd, FdTrigger* fdTrigger) const {
    bssl::UniquePtr<SSL> ssl(SSL_new(mCtx.get()));
    TEST_AND_RETURN(nullptr, ssl != nullptr);
    Ssl wrapped(std::move(ssl));

    wrapped.call(SSL_set_accept_state).errorQueue.clear();
    TEST_AND_RETURN(nullptr, setFdAndDoHandshake(&wrapped, acceptedFd, fdTrigger));
    return std::make_unique<RpcTransportTls>(std::move(acceptedFd), std::move(wrapped));
}

class RpcTransportCtxTlsClient : public RpcTransportCtx {
public:
    static std::unique_ptr<RpcTransportCtxTlsClient> create();
    std::unique_ptr<RpcTransport> newTransport(android::base::unique_fd connectedFd,
                                               FdTrigger* fdTrigger) const override;

private:
    bssl::UniquePtr<SSL_CTX> mCtx;
};

std::unique_ptr<RpcTransportCtxTlsClient> RpcTransportCtxTlsClient::create() {
    bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
    TEST_AND_RETURN(nullptr, ctx != nullptr);


    // TODO(b/195166979): server should send certificate in a different channel, and client
    // TODO(b/195166979): peer should send certificate in a different channel, and this class
    //  should verify it here.
    //  should verify it here.
    SSL_CTX_set_custom_verify(ctx.get(), SSL_VERIFY_PEER,
    SSL_CTX_set_custom_verify(ctx.get(), SSL_VERIFY_PEER,
                              [](SSL*, uint8_t*) -> ssl_verify_result_t { return ssl_verify_ok; });
                              [](SSL*, uint8_t*) -> ssl_verify_result_t { return ssl_verify_ok; });
@@ -519,30 +488,44 @@ std::unique_ptr<RpcTransportCtxTlsClient> RpcTransportCtxTlsClient::create() {
        SSL_CTX_set_info_callback(ctx.get(), sslDebugLog);
        SSL_CTX_set_info_callback(ctx.get(), sslDebugLog);
    }
    }


    auto rpcTransportTlsClientCtx = std::make_unique<RpcTransportCtxTlsClient>();
    auto ret = std::make_unique<Impl>();
    rpcTransportTlsClientCtx->mCtx = std::move(ctx);
    ret->mCtx = std::move(ctx);
    return rpcTransportTlsClientCtx;
    return ret;
}
}


std::unique_ptr<RpcTransport> RpcTransportCtxTlsClient::newTransport(
std::unique_ptr<RpcTransport> RpcTransportCtxTls::newTransport(android::base::unique_fd fd,
        android::base::unique_fd connectedFd, FdTrigger* fdTrigger) const {
                                                               FdTrigger* fdTrigger) const {
    bssl::UniquePtr<SSL> ssl(SSL_new(mCtx.get()));
    bssl::UniquePtr<SSL> ssl(SSL_new(mCtx.get()));
    TEST_AND_RETURN(nullptr, ssl != nullptr);
    TEST_AND_RETURN(nullptr, ssl != nullptr);
    Ssl wrapped(std::move(ssl));
    Ssl wrapped(std::move(ssl));


    wrapped.call(SSL_set_connect_state).errorQueue.clear();
    preHandshake(&wrapped);
    TEST_AND_RETURN(nullptr, setFdAndDoHandshake(&wrapped, connectedFd, fdTrigger));
    TEST_AND_RETURN(nullptr, setFdAndDoHandshake(&wrapped, fd, fdTrigger));
    return std::make_unique<RpcTransportTls>(std::move(connectedFd), std::move(wrapped));
    return std::make_unique<RpcTransportTls>(std::move(fd), std::move(wrapped));
}

class RpcTransportCtxTlsServer : public RpcTransportCtxTls {
protected:
    void preHandshake(Ssl* ssl) const override {
        ssl->call(SSL_set_accept_state).errorQueue.clear();
    }
    }
};

class RpcTransportCtxTlsClient : public RpcTransportCtxTls {
protected:
    void preHandshake(Ssl* ssl) const override {
        ssl->call(SSL_set_connect_state).errorQueue.clear();
    }
};


} // namespace
} // namespace


std::unique_ptr<RpcTransportCtx> RpcTransportCtxFactoryTls::newServerCtx() const {
std::unique_ptr<RpcTransportCtx> RpcTransportCtxFactoryTls::newServerCtx() const {
    return android::RpcTransportCtxTlsServer::create();
    return android::RpcTransportCtxTls::create<RpcTransportCtxTlsServer>();
}
}


std::unique_ptr<RpcTransportCtx> RpcTransportCtxFactoryTls::newClientCtx() const {
std::unique_ptr<RpcTransportCtx> RpcTransportCtxFactoryTls::newClientCtx() const {
    return android::RpcTransportCtxTlsClient::create();
    return android::RpcTransportCtxTls::create<RpcTransportCtxTlsClient>();
}
}


const char* RpcTransportCtxFactoryTls::toCString() const {
const char* RpcTransportCtxFactoryTls::toCString() const {