From 1d52d2c24d4d38ad1efd046eb83c8415ea6b8b95 Mon Sep 17 00:00:00 2001 
From: Ying Wang Date: Wed, 5 Sep 2018 08:15:18 +0000 Subject: [PATCH] Revert "Add SSLConfig object to IceServer." MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 7f1ffcccce563a086da037334aec2d4faa723edb. Reason for revert: Speculative revert Original change's description: > Add SSLConfig object to IceServer. > > This is being added to allow greater configurability to TLS connections. > tlsAlpnProtocols, tlsEllipticCurves and tlsCertPolicy will be removed from IceServer in a > follow-up CL. > > Bug: webrtc:9662 > Change-Id: I33cb804b02c26c662ed2a28c76f9a9dc2df40f36 > Reviewed-on: https://webrtc-review.googlesource.com/96020 > Commit-Queue: Diogo Real > Reviewed-by: Qingsi Wang > Reviewed-by: Benjamin Wright > Reviewed-by: Steve Anton > Reviewed-by: Sami Kalliomäki > Reviewed-by: Kári Helgason > Cr-Commit-Position: refs/heads/master@{#24559} TBR=steveanton@webrtc.org,sakal@webrtc.org,kthelgason@webrtc.org,juberti@webrtc.org,emadomara@webrtc.org,qingsi@webrtc.org,benwright@webrtc.org,diogor@google.com Change-Id: Iae9fc68b77f743876bda36fc2a04f6d791aae8e2 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: webrtc:9662 Reviewed-on: https://webrtc-review.googlesource.com/98000 Reviewed-by: Ying Wang Commit-Queue: Ying Wang Cr-Commit-Position: refs/heads/master@{#24563} --- api/peerconnectioninterface.h | 10 +- p2p/base/basicpacketsocketfactory.cc | 7 +- p2p/base/packetsocketfactory.h | 7 +- p2p/base/port_unittest.cc | 3 +- p2p/base/portallocator.h | 24 +- p2p/base/testturnserver.h | 7 +- p2p/base/turnport.cc | 74 ++---- p2p/base/turnport.h | 55 +---- p2p/base/turnport_unittest.cc | 19 +- p2p/client/turnportfactory.cc | 17 +- pc/iceserverparsing.cc | 18 +- pc/iceserverparsing_unittest.cc | 8 +- rtc_base/openssladapter.cc | 58 ++--- rtc_base/openssladapter.h | 15 +- rtc_base/ssladapter.cc | 6 - rtc_base/ssladapter.h | 61 +---- rtc_base/ssladapter_unittest.cc | 170 ++------------ sdk/BUILD.gn | 3 - 
.../api/org/webrtc/PeerConnection.java | 211 +----------------- sdk/android/src/jni/pc/icecandidate.cc | 15 -- sdk/android/src/jni/pc/icecandidate.h | 5 - sdk/android/src/jni/pc/peerconnection.cc | 42 ---- sdk/objc/api/peerconnection/RTCIceServer.h | 33 +-- sdk/objc/api/peerconnection/RTCIceServer.mm | 72 +++--- .../api/peerconnection/RTCSSLConfig+Native.h | 27 --- sdk/objc/api/peerconnection/RTCSSLConfig.h | 56 ----- sdk/objc/api/peerconnection/RTCSSLConfig.mm | 134 ----------- sdk/objc/unittests/RTCIceServerTest.mm | 10 +- 28 files changed, 182 insertions(+), 985 deletions(-) delete mode 100644 sdk/objc/api/peerconnection/RTCSSLConfig+Native.h delete mode 100644 sdk/objc/api/peerconnection/RTCSSLConfig.h delete mode 100644 sdk/objc/api/peerconnection/RTCSSLConfig.mm diff --git a/api/peerconnectioninterface.h b/api/peerconnectioninterface.h index c6e5a25b5b..1c32b69692 100644 --- a/api/peerconnectioninterface.h +++ b/api/peerconnectioninterface.h @@ -112,7 +112,6 @@ #include "rtc_base/rtccertificate.h" #include "rtc_base/rtccertificategenerator.h" #include "rtc_base/socketaddress.h" -#include "rtc_base/ssladapter.h" #include "rtc_base/sslcertificate.h" #include "rtc_base/sslstreamadapter.h" @@ -188,7 +187,6 @@ class PeerConnectionInterface : public rtc::RefCountInterface { kIceConnectionMax, }; - // Deprecated. TODO(diogor, webrtc:9673): Remove from API. // TLS certificate policy. enum TlsCertPolicy { // For TLS based protocols, ensure the connection is secure by not 
@@ -213,29 +211,23 @@ class PeerConnectionInterface : public rtc::RefCountInterface { std::vector urls; std::string username; std::string password; - // Deprecated. rtc::SSLConfig should be used instead. TlsCertPolicy tls_cert_policy = kTlsCertPolicySecure; // If the URIs in |urls| only contain IP addresses, this field can be used // to indicate the hostname, which may be necessary for TLS (using the SNI // extension). If |urls| itself contains the hostname, this isn't // necessary. std::string hostname; - // Deprecated. rtc::SSLConfig should be used instead. // List of protocols to be used in the TLS ALPN extension. std::vector tls_alpn_protocols; - // Deprecated. rtc::SSLConfig should be used instead. // List of elliptic curves to be used in the TLS elliptic curves extension. std::vector tls_elliptic_curves; - // SSL configuration options for any SSL/TLS connections to this IceServer. - rtc::SSLConfig ssl_config; bool operator==(const IceServer& o) const { return uri == o.uri && urls == o.urls && username == o.username && password == o.password && tls_cert_policy == o.tls_cert_policy && hostname == o.hostname && tls_alpn_protocols == o.tls_alpn_protocols && - tls_elliptic_curves == o.tls_elliptic_curves && - ssl_config == o.ssl_config; + tls_elliptic_curves == o.tls_elliptic_curves; } bool operator!=(const IceServer& o) const { return !(*this == o); } }; diff --git a/p2p/base/basicpacketsocketfactory.cc b/p2p/base/basicpacketsocketfactory.cc index c80a40852f..b7eb8ed1c6 100644 --- a/p2p/base/basicpacketsocketfactory.cc +++ b/p2p/base/basicpacketsocketfactory.cc 
@@ -157,7 +157,12 @@ AsyncPacketSocket* BasicPacketSocketFactory::CreateClientTcpSocket( return NULL; } - ssl_adapter->SetSSLConfig(tcp_options.ssl_config); + if (tlsOpts & PacketSocketFactory::OPT_TLS_INSECURE) { + ssl_adapter->SetIgnoreBadCert(true); + } + + ssl_adapter->SetAlpnProtocols(tcp_options.tls_alpn_protocols); + ssl_adapter->SetEllipticCurves(tcp_options.tls_elliptic_curves); ssl_adapter->SetCertVerifier(tcp_options.tls_cert_verifier); socket = ssl_adapter; diff --git a/p2p/base/packetsocketfactory.h b/p2p/base/packetsocketfactory.h index bbde1137a2..4667bb1fd7 100644 --- a/p2p/base/packetsocketfactory.h +++ b/p2p/base/packetsocketfactory.h @@ -14,10 +14,8 @@ #include #include -#include "absl/types/optional.h" #include "rtc_base/constructormagic.h" #include "rtc_base/proxyinfo.h" -#include "rtc_base/ssladapter.h" #include "rtc_base/sslcertificate.h" namespace rtc { @@ -28,12 +26,11 @@ struct PacketSocketTcpOptions { ~PacketSocketTcpOptions(); int opts = 0; + std::vector tls_alpn_protocols; + std::vector tls_elliptic_curves; // An optional custom SSL certificate verifier that an API user can provide to // inject their own certificate verification logic. SSLCertificateVerifier* tls_cert_verifier = nullptr; - - // SSL configuration options. - rtc::SSLConfig ssl_config; }; class AsyncPacketSocket; diff --git a/p2p/base/port_unittest.cc b/p2p/base/port_unittest.cc index b2fe9d054b..5aaf315363 100644 --- a/p2p/base/port_unittest.cc +++ b/p2p/base/port_unittest.cc @@ -537,7 +537,8 @@ class PortTest : public testing::Test, public sigslot::has_slots<> { return TurnPort::Create( &main_, socket_factory, MakeNetwork(addr), 0, 0, username_, password_, ProtocolAddress(server_addr, int_proto), kRelayCredentials, 0, - std::string(), nullptr, rtc::SSLConfig(), nullptr); + std::string(), std::vector(), std::vector(), + nullptr, nullptr); } RelayPort* CreateGturnPort(const SocketAddress& addr, ProtocolType int_proto, 
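Review bot: The `OPT_TLS_INSECURE` branch in `CreateClientTcpSocket` switches certificate verification off for the socket without emitting any log line, so a build that reaches it leaves no trace that the TLS connection is unverified; the same silent selection happens where `CreateTurnClientSocket` in turnport.cc sets `OPT_TLS_INSECURE` from `tls_cert_policy_`. A release-visible warning next to the call would make any production use detectable, e.g. `RTC_LOG(LS_WARNING) << "OPT_TLS_INSECURE set: TLS certificate verification disabled";` before `ssl_adapter->SetIgnoreBadCert(true);` (RTC_LOG being the non-debug counterpart of the RTC_DLOG used in openssladapter.cc). A short comment that `SetIgnoreBadCert` is documented in ssladapter.h as test-only would also help the next reader. `CreateClientTcpSocket` starts before this hunk.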
diff --git a/p2p/base/portallocator.h b/p2p/base/portallocator.h index 356b1f1758..8bd709642c 100644 --- a/p2p/base/portallocator.h +++ b/p2p/base/portallocator.h @@ -20,7 +20,6 @@ #include "p2p/base/portinterface.h" #include "rtc_base/helpers.h" #include "rtc_base/proxyinfo.h" -#include "rtc_base/ssladapter.h" #include "rtc_base/sslcertificate.h" #include "rtc_base/third_party/sigslot/sigslot.h" #include "rtc_base/thread.h" @@ -119,6 +118,17 @@ enum : uint32_t { CF_ALL = 0x7, }; +// TLS certificate policy. +enum class TlsCertPolicy { + // For TLS based protocols, ensure the connection is secure by not + // circumventing certificate validation. + TLS_CERT_POLICY_SECURE, + // For TLS based protocols, disregard security completely by skipping + // certificate validation. This is insecure and should never be used unless + // security is irrelevant in that particular context. + TLS_CERT_POLICY_INSECURE_NO_CHECK, +}; + // TODO(deadbeef): Rename to TurnCredentials (and username to ufrag). struct RelayCredentials { RelayCredentials() {} @@ -134,17 +144,6 @@ struct RelayCredentials { std::string password; }; -// TLS certificate policy. -enum class TlsCertPolicy { - // For TLS based protocols, ensure the connection is secure by not - // circumventing certificate validation. - TLS_CERT_POLICY_SECURE, - // For TLS based protocols, disregard security completely by skipping - // certificate validation. This is insecure and should never be used unless - // security is irrelevant in that particular context. - TLS_CERT_POLICY_INSECURE_NO_CHECK, -}; - typedef std::vector PortList; // TODO(deadbeef): Rename to TurnServerConfig. struct RelayServerConfig { @@ -181,7 +180,6 @@ struct RelayServerConfig { TlsCertPolicy tls_cert_policy = TlsCertPolicy::TLS_CERT_POLICY_SECURE; std::vector tls_alpn_protocols; std::vector tls_elliptic_curves; - rtc::SSLConfig ssl_config; rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr; }; 
diff --git a/p2p/base/testturnserver.h b/p2p/base/testturnserver.h
index 61a2e10d11..734ca4d972 100644
--- a/p2p/base/testturnserver.h
+++ b/p2p/base/testturnserver.h
@@ -110,12 +110,7 @@ class TestTurnServer : public TurnAuthInterface {
 adapter->SetRole(rtc::SSL_SERVER);
 adapter->SetIdentity(
 rtc::SSLIdentity::Generate(common_name, rtc::KeyParams()));
- rtc::SSLConfig ssl_config;
- if (ignore_bad_cert) {
- ssl_config.tls_cert_policy =
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- }
- adapter->SetSSLConfig(ssl_config);
+ adapter->SetIgnoreBadCert(ignore_bad_cert);
 socket = adapter;
 }
 socket->Bind(int_addr);
diff --git a/p2p/base/turnport.cc b/p2p/base/turnport.cc
index 4b95a82f37..13c9a4691a 100644
--- a/p2p/base/turnport.cc
+++ b/p2p/base/turnport.cc
@@ -243,47 +243,8 @@ TurnPort::TurnPort(rtc::Thread* thread, username, password), server_address_(server_address), - tls_cert_verifier_(tls_cert_verifier), - credentials_(credentials), - socket_(NULL), - resolver_(NULL), - error_(0), - request_manager_(thread), - next_channel_number_(TURN_CHANNEL_NUMBER_START), - state_(STATE_CONNECTING), - server_priority_(server_priority), - allocate_mismatch_retries_(0), - turn_customizer_(customizer) { - ssl_config_.tls_alpn_protocols = tls_alpn_protocols; - ssl_config_.tls_elliptic_curves = tls_elliptic_curves; - request_manager_.SignalSendPacket.connect(this, &TurnPort::OnSendStunPacket); - request_manager_.set_origin(origin); -} - -TurnPort::TurnPort(rtc::Thread* thread, - rtc::PacketSocketFactory* factory, - rtc::Network* network, - uint16_t min_port, - uint16_t max_port, - const std::string& username, - const std::string& password, - const ProtocolAddress& server_address, - const RelayCredentials& credentials, - int server_priority, - const std::string& origin, - webrtc::TurnCustomizer* customizer, - const rtc::SSLConfig& ssl_config, - rtc::SSLCertificateVerifier* tls_cert_verifier) - : Port(thread, - RELAY_PORT_TYPE, - factory, - network, - min_port, - max_port, - username, - password), - server_address_(server_address), - ssl_config_(ssl_config), + tls_alpn_protocols_(tls_alpn_protocols), + tls_elliptic_curves_(tls_elliptic_curves), tls_cert_verifier_(tls_cert_verifier), credentials_(credentials), socket_(NULL), 
@@ -327,20 +288,20 @@ ProtocolType TurnPort::GetProtocol() const { return server_address_.proto; } -void TurnPort::SetTlsCertPolicy(TlsCertPolicy tls_cert_policy) { - switch (tls_cert_policy) { - case TlsCertPolicy::TLS_CERT_POLICY_SECURE: - ssl_config_.tls_cert_policy = rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE; - break; - case TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK: - ssl_config_.tls_cert_policy = - rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK; - break; - } +TlsCertPolicy TurnPort::GetTlsCertPolicy() const { + return tls_cert_policy_; } -const rtc::SSLConfig& TurnPort::GetSslConfig() const { - return ssl_config_; +void TurnPort::SetTlsCertPolicy(TlsCertPolicy tls_cert_policy) { + tls_cert_policy_ = tls_cert_policy; +} + +std::vector TurnPort::GetTlsAlpnProtocols() const { + return tls_alpn_protocols_; +} + +std::vector TurnPort::GetTlsEllipticCurves() const { + return tls_elliptic_curves_; } void TurnPort::PrepareAddress() { @@ -400,8 +361,8 @@ bool TurnPort::CreateTurnClientSocket() { // Apply server address TLS and insecure bits to options. if (server_address_.proto == PROTO_TLS) { - if (ssl_config_.tls_cert_policy == - rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK) { + if (tls_cert_policy_ == + TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK) { opts |= rtc::PacketSocketFactory::OPT_TLS_INSECURE; } else { opts |= rtc::PacketSocketFactory::OPT_TLS; @@ -410,8 +371,9 @@ bool TurnPort::CreateTurnClientSocket() { rtc::PacketSocketTcpOptions tcp_options; tcp_options.opts = opts; + tcp_options.tls_alpn_protocols = tls_alpn_protocols_; + tcp_options.tls_elliptic_curves = tls_elliptic_curves_; tcp_options.tls_cert_verifier = tls_cert_verifier_; - tcp_options.ssl_config = ssl_config_; socket_ = socket_factory()->CreateClientTcpSocket( rtc::SocketAddress(Network()->GetBestIP(), 0), server_address_.address, proxy(), user_agent(), tcp_options); diff --git a/p2p/base/turnport.h b/p2p/base/turnport.h index 0d9192f611..5955aafda1 100644 
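Review bot: `GetTlsAlpnProtocols` and `GetTlsEllipticCurves` in the first hunk return the vectors by value, so every call copies the whole list, whereas the removed `GetSslConfig` accessor returned a `const` reference. Since both only read a member, returning `const std::vector<std::string>&` (with the matching change to the virtual declarations in turnport.h) avoids the copy without changing what callers observe. The remaining hunks read `tls_cert_policy_` and forward the lists into `PacketSocketTcpOptions` and look consistent with the new members.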
--- a/p2p/base/turnport.h +++ b/p2p/base/turnport.h @@ -22,7 +22,6 @@ #include "p2p/client/basicportallocator.h" #include "rtc_base/asyncinvoker.h" #include "rtc_base/asyncpacketsocket.h" -#include "rtc_base/ssladapter.h" #include "rtc_base/sslcertificate.h" namespace rtc { @@ -67,7 +66,6 @@ class TurnPort : public Port { customizer); } - // Deprecated. TODO(diogor, webrtc:9673): Remove this constructor. // Create a TURN port that will use a new socket, bound to |network| and // using a port in the range between |min_port| and |max_port|. static TurnPort* Create( 
@@ -86,34 +84,10 @@ class TurnPort : public Port { const std::vector& tls_elliptic_curves, webrtc::TurnCustomizer* customizer, rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr) { - rtc::SSLConfig ssl_config; - ssl_config.tls_alpn_protocols = tls_alpn_protocols; - ssl_config.tls_elliptic_curves = tls_elliptic_curves; return new TurnPort(thread, factory, network, min_port, max_port, username, password, server_address, credentials, server_priority, - origin, customizer, ssl_config, tls_cert_verifier); - } - - // Create a TURN port that will use a new socket, bound to |network| and - // using a port in the range between |min_port| and |max_port|. - static TurnPort* Create( - rtc::Thread* thread, - rtc::PacketSocketFactory* factory, - rtc::Network* network, - uint16_t min_port, - uint16_t max_port, - const std::string& username, // ice username. - const std::string& password, // ice password. - const ProtocolAddress& server_address, - const RelayCredentials& credentials, - int server_priority, - const std::string& origin, - webrtc::TurnCustomizer* customizer, - const rtc::SSLConfig& ssl_config, - rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr) { - return new TurnPort(thread, factory, network, min_port, max_port, username, - password, server_address, credentials, server_priority, - origin, customizer, ssl_config, tls_cert_verifier); + origin, tls_alpn_protocols, tls_elliptic_curves, + customizer, tls_cert_verifier); } ~TurnPort() override; 
@@ -130,11 +104,11 @@ class TurnPort : public Port { ProtocolType GetProtocol() const override; - // Deprecated. SSLConfig should be used instead. - // TODO(diogor, webrtc:9673): Remove this. + virtual TlsCertPolicy GetTlsCertPolicy() const; virtual void SetTlsCertPolicy(TlsCertPolicy tls_cert_policy); - virtual const rtc::SSLConfig& GetSslConfig() const; + virtual std::vector GetTlsAlpnProtocols() const; + virtual std::vector GetTlsEllipticCurves() const; // Release a TURN allocation by sending a refresh with lifetime 0. // Sets state to STATE_RECEIVEONLY. @@ -246,21 +220,6 @@ class TurnPort : public Port { webrtc::TurnCustomizer* customizer, rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr); - TurnPort(rtc::Thread* thread, - rtc::PacketSocketFactory* factory, - rtc::Network* network, - uint16_t min_port, - uint16_t max_port, - const std::string& username, - const std::string& password, - const ProtocolAddress& server_address, - const RelayCredentials& credentials, - int server_priority, - const std::string& origin, - webrtc::TurnCustomizer* customizer, - const rtc::SSLConfig& ssl_config, - rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr); - // NOTE: This method needs to be accessible for StacPort // return true if entry was created (i.e channel_number consumed). bool CreateOrRefreshEntry(const rtc::SocketAddress& addr, @@ -345,7 +304,9 @@ class TurnPort : public Port { size_t size, bool payload); ProtocolAddress server_address_; - rtc::SSLConfig ssl_config_; + TlsCertPolicy tls_cert_policy_ = TlsCertPolicy::TLS_CERT_POLICY_SECURE; + std::vector tls_alpn_protocols_; + std::vector tls_elliptic_curves_; rtc::SSLCertificateVerifier* tls_cert_verifier_; RelayCredentials credentials_; AttemptedServerSet attempted_server_addresses_; diff --git a/p2p/base/turnport_unittest.cc b/p2p/base/turnport_unittest.cc index 73f469d713..bac35e891c 100644 --- a/p2p/base/turnport_unittest.cc +++ b/p2p/base/turnport_unittest.cc 
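Review bot: `SetTlsCertPolicy` and the two new getters in the first hunk carry no doc comment, and `tls_cert_policy_` is only consulted when `CreateTurnClientSocket` in turnport.cc builds the client socket, so a `SetTlsCertPolicy` call made after that point is silently ignored. Suggest stating this on the declaration: `// Must be set before the TURN client socket is created (presumably via PrepareAddress — confirm); later calls have no effect. Defaults to TLS_CERT_POLICY_SECURE.` The default member initializer `TlsCertPolicy tls_cert_policy_ = TlsCertPolicy::TLS_CERT_POLICY_SECURE;` in the last hunk keeps the fail-safe default if a caller never sets the policy, which is worth saying in that comment too.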
@@ -270,16 +270,21 @@ class TurnPortTest : public testing::Test,
 const ProtocolAddress& server_address,
 const std::string& origin) {
 RelayCredentials credentials(username, password);
- rtc::SSLConfig ssl_config;
- ssl_config.tls_cert_policy =
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- turn_port_.reset(TurnPort::Create(&main_, &socket_factory_, network, 0, 0,
- kIceUfrag1, kIcePwd1, server_address,
- credentials, 0, origin,
- turn_customizer_.get(), ssl_config));
+ turn_port_.reset(TurnPort::Create(
+ &main_, &socket_factory_, network, 0, 0, kIceUfrag1, kIcePwd1,
+ server_address, credentials, 0, origin, std::vector(),
+ std::vector(), turn_customizer_.get()));
 // This TURN port will be the controlling.
 turn_port_->SetIceRole(ICEROLE_CONTROLLING);
 ConnectSignals();
+
+ if (server_address.proto == cricket::PROTO_TLS) {
+ // The test TURN server has a self-signed certificate so will not pass
+ // the normal client validation. Instruct the client to ignore certificate
+ // errors for testing only.
+ turn_port_->SetTlsCertPolicy(
+ TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK);
+ }
 }

 void CreateSharedTurnPort(const std::string& username,
diff --git a/p2p/client/turnportfactory.cc b/p2p/client/turnportfactory.cc
index 68ceff4fa3..6404134c4a 100644
--- a/p2p/client/turnportfactory.cc
+++ b/p2p/client/turnportfactory.cc
@@ -26,29 +26,20 @@ std::unique_ptr TurnPortFactory::Create( args.username, args.password, *args.server_address, args.config->credentials, args.config->priority, args.origin, args.turn_customizer); + port->SetTlsCertPolicy(args.config->tls_cert_policy); return std::unique_ptr(port); } std::unique_ptr TurnPortFactory::Create(const CreateRelayPortArgs& args, int min_port, int max_port) { - rtc::SSLConfig ssl_config = args.config->ssl_config; - if (!args.config->tls_alpn_protocols.empty()) { - ssl_config.tls_alpn_protocols = args.config->tls_alpn_protocols; - } - if (!args.config->tls_elliptic_curves.empty()) { - ssl_config.tls_elliptic_curves = args.config->tls_elliptic_curves; - } - if (args.config->tls_cert_policy == - TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK) { - ssl_config.tls_cert_policy = - rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK; - } TurnPort* port = TurnPort::Create( args.network_thread, args.socket_factory, args.network, min_port, max_port, args.username, args.password, *args.server_address, args.config->credentials, args.config->priority, args.origin, - args.turn_customizer, ssl_config, args.config->tls_cert_verifier); + args.config->tls_alpn_protocols, args.config->tls_elliptic_curves, + args.turn_customizer, args.config->tls_cert_verifier); + port->SetTlsCertPolicy(args.config->tls_cert_policy); return std::unique_ptr(port); } diff --git a/pc/iceserverparsing.cc b/pc/iceserverparsing.cc index 74d1ed2306..806fb3bc21 100644 --- a/pc/iceserverparsing.cc +++ b/pc/iceserverparsing.cc @@ -14,7 +14,6 @@ #include #include "rtc_base/arraysize.h" -#include "rtc_base/ssladapter.h" namespace webrtc { 
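Review bot: The two `TurnPortFactory::Create` overloads now diverge in what they forward from `args.config`: the second passes `tls_alpn_protocols`, `tls_elliptic_curves` and `tls_cert_verifier`, while the first (whose `TurnPort::Create` call starts before this hunk) forwards only `args.turn_customizer` before the newly added `port->SetTlsCertPolicy(args.config->tls_cert_policy);`. If the first overload can ever be reached with a TLS server config, the custom verifier and TLS options would be dropped without any error; if that overload is by design limited to ports that cannot use TLS, a one-line comment at the call site saying so would prevent the next reader from wondering, e.g. `// This overload never creates a TLS socket, so the TLS options in args.config are not forwarded.` — confirm against the callers before adding it.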
@@ -255,22 +254,13 @@ static RTCErrorType ParseIceServerUrl( } cricket::RelayServerConfig config = cricket::RelayServerConfig( socket_address, username, server.password, turn_transport_type); - - config.ssl_config = server.ssl_config; - if (server.tls_cert_policy == PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck) { - config.ssl_config.tls_cert_policy = - rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK; - } - if (!server.ssl_config.tls_alpn_protocols.has_value() && - !server.tls_alpn_protocols.empty()) { - config.ssl_config.tls_alpn_protocols = server.tls_alpn_protocols; - } - if (!server.ssl_config.tls_elliptic_curves.has_value() && - !server.tls_elliptic_curves.empty()) { - config.ssl_config.tls_elliptic_curves = server.tls_elliptic_curves; + config.tls_cert_policy = + cricket::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK; } + config.tls_alpn_protocols = server.tls_alpn_protocols; + config.tls_elliptic_curves = server.tls_elliptic_curves; turn_servers->push_back(config); break; diff --git a/pc/iceserverparsing_unittest.cc b/pc/iceserverparsing_unittest.cc index b95f9a5c00..4ec7a891df 100644 --- a/pc/iceserverparsing_unittest.cc +++ b/pc/iceserverparsing_unittest.cc 
@@ -86,16 +86,16 @@ TEST_F(IceServerParsingTest, ParseStunPrefixes) { EXPECT_EQ(0U, stun_servers_.size()); EXPECT_EQ(1U, turn_servers_.size()); EXPECT_EQ(cricket::PROTO_TLS, turn_servers_[0].ports[0].proto); - EXPECT_TRUE(turn_servers_[0].ssl_config.tls_cert_policy == - rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE); + EXPECT_TRUE(turn_servers_[0].tls_cert_policy == + cricket::TlsCertPolicy::TLS_CERT_POLICY_SECURE); EXPECT_TRUE(ParseUrl( "turns:hostname", "username", "password", PeerConnectionInterface::TlsCertPolicy::kTlsCertPolicyInsecureNoCheck)); EXPECT_EQ(0U, stun_servers_.size()); EXPECT_EQ(1U, turn_servers_.size()); - EXPECT_TRUE(turn_servers_[0].ssl_config.tls_cert_policy == - rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK); + EXPECT_TRUE(turn_servers_[0].tls_cert_policy == + cricket::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK); EXPECT_EQ(cricket::PROTO_TLS, turn_servers_[0].ports[0].proto); // invalid prefixes diff --git a/rtc_base/openssladapter.cc b/rtc_base/openssladapter.cc index 2662b37a97..50284a6719 100644 --- a/rtc_base/openssladapter.cc +++ b/rtc_base/openssladapter.cc @@ -209,6 +209,7 @@ OpenSSLAdapter::OpenSSLAdapter(AsyncSocket* socket, ssl_(nullptr), ssl_ctx_(nullptr), ssl_mode_(SSL_MODE_TLS), + ignore_bad_cert_(false), custom_cert_verifier_status_(false) { // If a factory is used, take a reference on the factory's SSL_CTX. // Otherwise, we'll create our own later. @@ -225,8 +226,16 @@ OpenSSLAdapter::~OpenSSLAdapter() { Cleanup(); } -void OpenSSLAdapter::SetSSLConfig(const SSLConfig& ssl_config) { - ssl_config_ = ssl_config; +void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) { + ignore_bad_cert_ = ignore; +} + +void OpenSSLAdapter::SetAlpnProtocols(const std::vector& protos) { + alpn_protocols_ = protos; +} + +void OpenSSLAdapter::SetEllipticCurves(const std::vector& curves) { + elliptic_curves_ = curves; } void OpenSSLAdapter::SetMode(SSLMode mode) { 
@@ -260,7 +269,7 @@ AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) { SSLAdapter* adapter = SSLAdapter::Create(socket); adapter->SetIdentity(identity_->GetReference()); adapter->SetRole(rtc::SSL_SERVER); - adapter->SetSSLConfig(ssl_config_); + adapter->SetIgnoreBadCert(ignore_bad_cert_); adapter->StartSSL("", false); return adapter; } @@ -358,28 +367,13 @@ int OpenSSLAdapter::BeginSSL() { } #ifdef OPENSSL_IS_BORINGSSL - // Potentially set a couple common TLS extensions; even though we don't use - // them yet. - if (ssl_config_.enable_ocsp_stapling) { - SSL_enable_ocsp_stapling(ssl_); - } - if (ssl_config_.enable_signed_cert_timestamp) { - SSL_enable_signed_cert_timestamps(ssl_); - } - SSL_CTX_set_grease_enabled(ssl_ctx_, ssl_config_.enable_grease); + // Set a couple common TLS extensions; even though we don't use them yet. + SSL_enable_ocsp_stapling(ssl_); + SSL_enable_signed_cert_timestamps(ssl_); #endif - if (ssl_config_.max_ssl_version.has_value()) { - SSL_set_max_proto_version(ssl_, ssl_config_.max_ssl_version.value()); - } - - if (ssl_config_.enable_tls_channel_id) { - SSL_enable_tls_channel_id(ssl_); - } - - if (ssl_config_.tls_alpn_protocols.has_value()) { - std::string tls_alpn_string = - TransformAlpnProtocols(ssl_config_.tls_alpn_protocols.value()); + if (!alpn_protocols_.empty()) { + std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_); if (!tls_alpn_string.empty()) { SSL_set_alpn_protos( ssl_, reinterpret_cast(tls_alpn_string.data()), @@ -387,9 +381,8 @@ int OpenSSLAdapter::BeginSSL() { } } - if (ssl_config_.tls_elliptic_curves.has_value()) { - SSL_set1_curves_list( - ssl_, rtc::join(ssl_config_.tls_elliptic_curves.value(), ':').c_str()); + if (!elliptic_curves_.empty()) { + SSL_set1_curves_list(ssl_, rtc::join(elliptic_curves_, ':').c_str()); } // Now that the initial config is done, transfer ownership of |bio| to the 
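Review bot: In `OpenSSLAdapter::Accept` the adapter created for the accepted connection inherits `ignore_bad_cert_` but not `alpn_protocols_` or `elliptic_curves_`, whereas the removed `adapter->SetSSLConfig(ssl_config_)` copied the whole configuration. If the accepted side is meant to negotiate the same ALPN list and curves, add `adapter->SetAlpnProtocols(alpn_protocols_);` and `adapter->SetEllipticCurves(elliptic_curves_);` after the `SetIgnoreBadCert` call; if the defaults are intended there, a comment saying so would settle it. Note also that propagating `ignore_bad_cert_` means a listening adapter configured to ignore bad certificates passes that relaxation on to every connection it accepts, which is worth a comment on the line.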
@@ -801,10 +794,10 @@ bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const std::string& host) { openssl::VerifyPeerCertMatchesHost(ssl, host) && (SSL_get_verify_result(ssl) == X509_V_OK || custom_cert_verifier_status_); - if (!is_valid_cert_name && ShouldIgnoreBadCert()) { + if (!is_valid_cert_name && ignore_bad_cert_) { RTC_DLOG(LS_WARNING) << "Other TLS post connection checks failed. " - "TLS cert policy set to ignore bad certs. " - "Overriding name verification failure!"; + "ignore_bad_cert_ set to true. Overriding name " + "verification failure!"; is_valid_cert_name = true; } return is_valid_cert_name; @@ -877,7 +870,7 @@ int OpenSSLAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { } // Should only be used for debugging and development. - if (!ok && stream->ShouldIgnoreBadCert()) { + if (!ok && stream->ignore_bad_cert_) { RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain"; ok = 1; } @@ -948,11 +941,6 @@ SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) { return ctx; } -bool OpenSSLAdapter::ShouldIgnoreBadCert() { - return ssl_config_.tls_cert_policy == - TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK; -} - std::string TransformAlpnProtocols( const std::vector& alpn_protocols) { // Transforms the alpn_protocols list to the format expected by diff --git a/rtc_base/openssladapter.h b/rtc_base/openssladapter.h index 9455f0f200..50a7c0845c 100644 --- a/rtc_base/openssladapter.h +++ b/rtc_base/openssladapter.h 
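Review bot: Both places that honour `ignore_bad_cert_` — the hostname-mismatch override in `SSLPostConnectionCheck` and the `ok = 1` in `SSLVerifyCallback` — log only via `RTC_DLOG`, which is a no-op outside debug builds, so a release binary that skips certificate verification emits nothing. Since ssladapter.h documents the flag as test-only, a release-visible `RTC_LOG(LS_WARNING)` at both sites would make any production use detectable from logs, e.g. `RTC_LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";`. The `// Should only be used for debugging and development.` comment above the callback check could also say what is bypassed: `// ignore_bad_cert_ accepts the chain despite a verification failure; test-only.` The removed `ShouldIgnoreBadCert` helper only wrapped the policy comparison, so reading the member directly is fine.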
@@ -45,7 +45,9 @@ class OpenSSLAdapter : public SSLAdapter, public MessageHandler { SSLCertificateVerifier* ssl_cert_verifier = nullptr); ~OpenSSLAdapter() override; - void SetSSLConfig(const SSLConfig& ssl_config) override; + void SetIgnoreBadCert(bool ignore) override; + void SetAlpnProtocols(const std::vector& protos) override; + void SetEllipticCurves(const std::vector& curves) override; void SetMode(SSLMode mode) override; void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override; void SetIdentity(SSLIdentity* identity) override; @@ -93,9 +95,6 @@ class OpenSSLAdapter : public SSLAdapter, public MessageHandler { void Error(const char* context, int err, bool signal = true); void Cleanup(); - // If true, the server certificate need not match the configured hostname. - bool ShouldIgnoreBadCert(); - // Return value and arguments have the same meanings as for Send; |error| is // an output parameter filled with the result of SSL_get_error. int DoSslWrite(const void* pv, size_t cb, int* error); @@ -139,8 +138,12 @@ class OpenSSLAdapter : public SSLAdapter, public MessageHandler { std::string ssl_host_name_; // Set the adapter to DTLS or TLS mode before creating the context. SSLMode ssl_mode_; - // SSL configuration for this session. - SSLConfig ssl_config_; + // If true, the server certificate need not match the configured hostname. + bool ignore_bad_cert_; + // List of protocols to be used in the TLS ALPN extension. + std::vector alpn_protocols_; + // List of elliptic curves to be used in the TLS elliptic curves extension. + std::vector elliptic_curves_; // Holds the result of the call to run of the ssl_cert_verify_->Verify() bool custom_cert_verifier_status_; }; diff --git a/rtc_base/ssladapter.cc b/rtc_base/ssladapter.cc index debbd65f94..e091f00520 100644 --- a/rtc_base/ssladapter.cc +++ b/rtc_base/ssladapter.cc 
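Review bot: The member comment `// If true, the server certificate need not match the configured hostname.` on `ignore_bad_cert_` understates what the flag does: in openssladapter.cc `SSLVerifyCallback` also sets `ok = 1` for any chain verification failure when it is true, not just a hostname mismatch. Suggest `// If true, certificate chain verification errors and hostname mismatches are ignored (see SSLVerifyCallback and SSLPostConnectionCheck). Test-only.` The same wording was carried over from the removed `ShouldIgnoreBadCert` declaration, so it is worth correcting rather than reverting verbatim.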
@@ -16,12 +16,6 @@ namespace rtc {
-SSLConfig::SSLConfig() = default;
-SSLConfig::SSLConfig(const SSLConfig&) = default;
-SSLConfig::~SSLConfig() = default;
-
-///////////////////////////////////////////////////////////////////////////////
-
 SSLAdapterFactory* SSLAdapterFactory::Create() {
 return new OpenSSLAdapterFactory();
 }
diff --git a/rtc_base/ssladapter.h b/rtc_base/ssladapter.h
index 33f008ca43..4843d264fc 100644
--- a/rtc_base/ssladapter.h
+++ b/rtc_base/ssladapter.h
@@ -22,57 +22,6 @@ namespace rtc { class SSLAdapter; -// TLS certificate policy. -enum class TlsCertPolicy { - // For TLS based protocols, ensure the connection is secure by not - // circumventing certificate validation. - TLS_CERT_POLICY_SECURE, - // For TLS based protocols, disregard security completely by skipping - // certificate validation. This is insecure and should never be used unless - // security is irrelevant in that particular context. - // Do not set to this value in production code. - // TODO(juberti): Remove the opportunistic encryption mechanism in - // BasicPacketSocketFactory that uses this value. - TLS_CERT_POLICY_INSECURE_NO_CHECK, -}; - -// SSL configuration options. -struct SSLConfig final { - SSLConfig(); - SSLConfig(const SSLConfig&); - ~SSLConfig(); - - bool operator==(const SSLConfig& o) const { - return enable_ocsp_stapling == o.enable_ocsp_stapling && - enable_signed_cert_timestamp == o.enable_signed_cert_timestamp && - enable_tls_channel_id == o.enable_tls_channel_id && - enable_grease == o.enable_grease && - max_ssl_version == o.max_ssl_version && - tls_alpn_protocols == o.tls_alpn_protocols && - tls_elliptic_curves == o.tls_elliptic_curves; - } - bool operator!=(const SSLConfig& o) const { return !(*this == o); } - - // If true, enables the (unused) OCSP stapling TLS extension. - bool enable_ocsp_stapling = true; - // If true, enables the (unused) signed certificate timestamp TLS extension. - bool enable_signed_cert_timestamp = true; - // If true, enables the (unused) channel ID TLS extension. - bool enable_tls_channel_id = false; - // If true, enables the (unused) GREASE TLS extension. - bool enable_grease = false; - // Indicates how to process incoming certificates. - TlsCertPolicy tls_cert_policy = TlsCertPolicy::TLS_CERT_POLICY_SECURE; - // If set, indicates the highest supported SSL version. - absl::optional max_ssl_version; - // If set, indicates the list of protocols to be used in the TLS ALPN - // extension. 
- absl::optional> tls_alpn_protocols; - // If set, indicates the list of curves to be used in the TLS elliptic curves - // extension. - absl::optional> tls_elliptic_curves; -}; - // Class for creating SSL adapters with shared state, e.g., a session cache, // which allows clients to resume SSL sessions to previously-contacted hosts. // Clients should create the factory using Create(), set up the factory as @@ -103,8 +52,14 @@ class SSLAdapter : public AsyncSocketAdapter { public: explicit SSLAdapter(AsyncSocket* socket) : AsyncSocketAdapter(socket) {} - // Sets the SSL configuration for this session. - virtual void SetSSLConfig(const SSLConfig& ssl_config) = 0; + // Methods that control server certificate verification, used in unit tests. + // Do not call these methods in production code. + // TODO(juberti): Remove the opportunistic encryption mechanism in + // BasicPacketSocketFactory that uses this function. + virtual void SetIgnoreBadCert(bool ignore) = 0; + + virtual void SetAlpnProtocols(const std::vector& protos) = 0; + virtual void SetEllipticCurves(const std::vector& curves) = 0; // Do DTLS or TLS (default is TLS, if unspecified) virtual void SetMode(SSLMode mode) = 0; diff --git a/rtc_base/ssladapter_unittest.cc b/rtc_base/ssladapter_unittest.cc index 130cf1f08e..ec532b1c44 100644 --- a/rtc_base/ssladapter_unittest.cc +++ b/rtc_base/ssladapter_unittest.cc @@ -67,9 +67,7 @@ class SSLAdapterTestDummyClient : public sigslot::has_slots<> { // Ignore any certificate errors for the purpose of testing. // Note: We do this only because we don't have a real certificate. // NEVER USE THIS IN PRODUCTION CODE! - ssl_config_.tls_cert_policy = - rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK; - ssl_adapter_->SetSSLConfig(ssl_config_); + ssl_adapter_->SetIgnoreBadCert(true); ssl_adapter_->SignalReadEvent.connect( this, &SSLAdapterTestDummyClient::OnSSLAdapterReadEvent); 
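Review bot: `SetAlpnProtocols` and `SetEllipticCurves` in the `SSLAdapter` hunk are declared without any doc comment, whereas the removed `SSLConfig` fields documented both lists. Based on how openssladapter.cc consumes them, suggest `// Protocols to offer in the TLS ALPN extension; an empty list means the extension is not sent.` and `// Curves to offer in the TLS elliptic curves extension; an empty list leaves the library default.` The comment above `SetIgnoreBadCert` says the method is test-only, yet `BasicPacketSocketFactory::CreateClientTcpSocket` calls it when `OPT_TLS_INSECURE` is set; the TODO acknowledges this, but the sentence `// Do not call these methods in production code.` reads as applying to all three setters and could be narrowed to `SetIgnoreBadCert` only.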
@@ -77,52 +75,22 @@ class SSLAdapterTestDummyClient : public sigslot::has_slots<> { this, &SSLAdapterTestDummyClient::OnSSLAdapterCloseEvent); } - void SetTlsCertPolicy(rtc::TlsCertPolicy tls_cert_policy) { - ssl_config_.tls_cert_policy = tls_cert_policy; - ssl_adapter_->SetSSLConfig(ssl_config_); - } - - void SetEnableOcspStapling(bool enable_ocsp_stapling) { - ssl_config_.enable_ocsp_stapling = enable_ocsp_stapling; - ssl_adapter_->SetSSLConfig(ssl_config_); - } - - void SetEnableSignedCertTimestamp(bool enable_signed_cert_timestamp) { - ssl_config_.enable_signed_cert_timestamp = enable_signed_cert_timestamp; - ssl_adapter_->SetSSLConfig(ssl_config_); - } - - void SetEnableTlsChannelId(bool enable_tls_channel_id) { - ssl_config_.enable_tls_channel_id = enable_tls_channel_id; - ssl_adapter_->SetSSLConfig(ssl_config_); - } - - void SetEnableGrease(bool enable_grease) { - ssl_config_.enable_grease = enable_grease; - ssl_adapter_->SetSSLConfig(ssl_config_); - } - - void SetMaxSslVersion(const absl::optional& max_ssl_version) { - ssl_config_.max_ssl_version = max_ssl_version; - ssl_adapter_->SetSSLConfig(ssl_config_); - } - - void SetAlpnProtocols( - const absl::optional>& tls_alpn_protocols) { - ssl_config_.tls_alpn_protocols = tls_alpn_protocols; - ssl_adapter_->SetSSLConfig(ssl_config_); - } - - void SetEllipticCurves( - const absl::optional>& tls_elliptic_curves) { - ssl_config_.tls_elliptic_curves = tls_elliptic_curves; - ssl_adapter_->SetSSLConfig(ssl_config_); + void SetIgnoreBadCert(bool ignore_bad_cert) { + ssl_adapter_->SetIgnoreBadCert(ignore_bad_cert); } void SetCertVerifier(rtc::SSLCertificateVerifier* ssl_cert_verifier) { ssl_adapter_->SetCertVerifier(ssl_cert_verifier); } + void SetAlpnProtocols(const std::vector& protos) { + ssl_adapter_->SetAlpnProtocols(protos); + } + + void SetEllipticCurves(const std::vector& curves) { + ssl_adapter_->SetEllipticCurves(curves); + } + rtc::SocketAddress GetAddress() const { return ssl_adapter_->GetLocalAddress(); } 
@@ -186,8 +154,6 @@ class SSLAdapterTestDummyClient : public sigslot::has_slots<> { std::unique_ptr ssl_adapter_; - rtc::SSLConfig ssl_config_; - std::string data_; }; 
@@ -339,51 +305,29 @@ class SSLAdapterTestBase : public testing::Test, public sigslot::has_slots<> { void SetHandshakeWait(int wait) { handshake_wait_ = wait; } - void SetTlsCertPolicy(rtc::TlsCertPolicy tls_cert_policy) { - client_->SetTlsCertPolicy(tls_cert_policy); - } - - void SetEnableOcspStapling(bool enable_ocsp_stapling) { - client_->SetEnableOcspStapling(enable_ocsp_stapling); - } - - void SetEnableSignedCertTimestamp(bool enable_signed_cert_timestamp) { - client_->SetEnableSignedCertTimestamp(enable_signed_cert_timestamp); - } - - void SetEnableTlsChannelId(bool enable_tls_channel_id) { - client_->SetEnableTlsChannelId(enable_tls_channel_id); - } - - void SetEnableGrease(bool enable_grease) { - client_->SetEnableGrease(enable_grease); - } - - void SetMaxSslVersion(const absl::optional& max_ssl_version) { - client_->SetMaxSslVersion(max_ssl_version); - } - - void SetAlpnProtocols( - const absl::optional>& tls_alpn_protocols) { - client_->SetAlpnProtocols(tls_alpn_protocols); - } - - void SetEllipticCurves( - const absl::optional>& tls_elliptic_curves) { - client_->SetEllipticCurves(tls_elliptic_curves); + void SetIgnoreBadCert(bool ignore_bad_cert) { + client_->SetIgnoreBadCert(ignore_bad_cert); } void SetCertVerifier(rtc::SSLCertificateVerifier* ssl_cert_verifier) { client_->SetCertVerifier(ssl_cert_verifier); } + void SetAlpnProtocols(const std::vector& protos) { + client_->SetAlpnProtocols(protos); + } + + void SetEllipticCurves(const std::vector& curves) { + client_->SetEllipticCurves(curves); + } + void SetMockCertVerifier(bool return_value) { auto mock_verifier = absl::make_unique(); EXPECT_CALL(*mock_verifier, Verify(_)).WillRepeatedly(Return(return_value)); cert_verifier_ = std::unique_ptr(std::move(mock_verifier)); - SetTlsCertPolicy(rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE); + SetIgnoreBadCert(false); SetCertVerifier(cert_verifier_.get()); } 
@@ -581,76 +525,6 @@ TEST_F(SSLAdapterTestTLS_ECDSA, TestTLSTransferCustomCertVerifier) { TestTransfer("Hello, world!"); } -// Test transfer with OCSP stapling enabled -TEST_F(SSLAdapterTestTLS_ECDSA, TestOcspStaplingEnabled) { - SetEnableOcspStapling(true); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// Test transfer with OCSP stapling disabled -TEST_F(SSLAdapterTestTLS_ECDSA, TestOcspStaplingDisabled) { - SetEnableOcspStapling(false); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// test transfer with signed cert timestamp enabled -TEST_F(SSLAdapterTestTLS_ECDSA, TestSignedCertTimestampEnabled) { - SetEnableSignedCertTimestamp(true); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// Test transfer with signed cert timestamp disabled -TEST_F(SSLAdapterTestTLS_ECDSA, TestSignedCertTimestampDisabled) { - SetEnableSignedCertTimestamp(false); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// Test transfer with TLS channel ID enabled -TEST_F(SSLAdapterTestTLS_ECDSA, TestTLSChannelIdEnabled) { - SetEnableTlsChannelId(true); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// Test transfer with TLS channel ID disabled -TEST_F(SSLAdapterTestTLS_ECDSA, TestTLSChannelIdDisabled) { - SetEnableTlsChannelId(false); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// Test transfer with GREASE enabled -TEST_F(SSLAdapterTestTLS_ECDSA, TestGreaseEnabled) { - SetEnableGrease(true); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// Test transfer with GREASE disabled -TEST_F(SSLAdapterTestTLS_ECDSA, TestGreaseDisabled) { - SetEnableGrease(false); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// Test transfer with TLS1_3. -TEST_F(SSLAdapterTestTLS_ECDSA, TestMaxSSLVersionTLS1_3) { - SetMaxSslVersion(0x0304 /* TLS1_3 */); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - -// Test transfer with TLS1_2. 
-TEST_F(SSLAdapterTestTLS_ECDSA, TestMaxSSLVersionTLS1_2) { - SetMaxSslVersion(0x0303 /* TLS1_2 */); - TestHandshake(true); - TestTransfer("Hello, world!"); -} - // Test transfer using ALPN with protos as h2 and http/1.1 TEST_F(SSLAdapterTestTLS_ECDSA, TestTLSALPN) { std::vector alpn_protos{"h2", "http/1.1"}; diff --git a/sdk/BUILD.gn b/sdk/BUILD.gn index 191e08250f..8a58a20b04 100644 --- a/sdk/BUILD.gn +++ b/sdk/BUILD.gn @@ -865,9 +865,6 @@ if (is_ios || is_mac) { "objc/api/peerconnection/RTCRtpTransceiver.mm", "objc/api/peerconnection/RTCSSLAdapter.h", "objc/api/peerconnection/RTCSSLAdapter.mm", - "objc/api/peerconnection/RTCSSLConfig+Native.h", - "objc/api/peerconnection/RTCSSLConfig.h", - "objc/api/peerconnection/RTCSSLConfig.mm", "objc/api/peerconnection/RTCSessionDescription+Private.h", "objc/api/peerconnection/RTCSessionDescription.h", "objc/api/peerconnection/RTCSessionDescription.mm", diff --git a/sdk/android/api/org/webrtc/PeerConnection.java b/sdk/android/api/org/webrtc/PeerConnection.java index d2a61e0780..2f9adcf962 100644 --- a/sdk/android/api/org/webrtc/PeerConnection.java +++ b/sdk/android/api/org/webrtc/PeerConnection.java 
@@ -71,180 +71,6 @@ public class PeerConnection { } } - /** - * Java version of PeerConnectionInterface::SSLConfig. - * - * Contains the configuration of any SSL/TLS connections that are initiated by - * our client. - */ - public static class SslConfig { - /** Indicates whether to enable OCSP stapling in TLS. */ - public final boolean enableOcspStapling; - /** Indicates whether to enable the signed certificate timestamp extension in TLS. */ - public final boolean enableSignedCertTimestamp; - /** Indicates whether to enable the TLS Channel ID extension. */ - public final boolean enableTlsChannelId; - /** Indicates whether to enable the TLS GREASE extension. */ - public final boolean enableGrease; - - /** Indicates how to process TURN server certificates */ - public final TlsCertPolicy tlsCertPolicy; - - /** - * Highest supported SSL version, as defined in the supported_versions TLS extension. - * If null, the default OpenSSL/BoringSSL max version will be used. - */ - @Nullable public final Integer maxSslVersion; - - /** - * List of protocols to be used in the TLS ALPN extension. - * If null, the default list of OpenSSL/BoringSSL ALPN protocols will be used. - */ - @Nullable public final List tlsAlpnProtocols; - - /** - * List of elliptic curves to be used in the TLS elliptic curves extension. - * Only curve names supported by OpenSSL should be used (eg. "P-256","X25519"). - * If null, the default list of OpenSSL/BoringSSL curves will be used. 
- */ - @Nullable public final List tlsEllipticCurves; - - private SslConfig(boolean enableOcspStapling, boolean enableSignedCertTimestamp, - boolean enableTlsChannelId, boolean enableGrease, TlsCertPolicy tlsCertPolicy, - Integer maxSslVersion, List tlsAlpnProtocols, List tlsEllipticCurves) { - this.enableOcspStapling = enableOcspStapling; - this.enableSignedCertTimestamp = enableSignedCertTimestamp; - this.enableTlsChannelId = enableTlsChannelId; - this.enableGrease = enableGrease; - this.tlsCertPolicy = tlsCertPolicy; - this.maxSslVersion = maxSslVersion; - if (tlsAlpnProtocols != null) { - this.tlsAlpnProtocols = Collections.unmodifiableList(tlsAlpnProtocols); - } else { - this.tlsAlpnProtocols = null; - } - if (tlsEllipticCurves != null) { - this.tlsEllipticCurves = Collections.unmodifiableList(tlsEllipticCurves); - } else { - this.tlsEllipticCurves = null; - } - } - - @Override - public String toString() { - return "[enableOcspStapling=" + enableOcspStapling + "] [enableSignedCertTimestamp=" - + enableSignedCertTimestamp + "] [enableTlsChannelId=" + enableTlsChannelId - + "] [enableGrease=" + enableGrease + "] [tlsCertPolicy=" + tlsCertPolicy - + "] [maxSslVersion=" + maxSslVersion + "] [tlsAlpnProtocols=" + tlsAlpnProtocols - + "] [tlsEllipticCurves=" + tlsEllipticCurves + "]"; - } - - public static Builder builder() { - return new Builder(); - } - - public static class Builder { - private boolean enableOcspStapling = true; - private boolean enableSignedCertTimestamp = true; - private boolean enableTlsChannelId = false; - private boolean enableGrease = false; - private TlsCertPolicy tlsCertPolicy = TlsCertPolicy.TLS_CERT_POLICY_SECURE; - @Nullable private Integer maxSslVersion = null; - @Nullable private List tlsAlpnProtocols = null; - @Nullable private List tlsEllipticCurves = null; - - private Builder() {} - - public Builder setEnableOcspStapling(boolean enableOcspStapling) { - this.enableOcspStapling = enableOcspStapling; - return this; - } - - public 
Builder setEnableSignedCertTimestamp(boolean enableSignedCertTimestamp) { - this.enableSignedCertTimestamp = enableSignedCertTimestamp; - return this; - } - - public Builder setEnableTlsChannelId(boolean enableTlsChannelId) { - this.enableTlsChannelId = enableTlsChannelId; - return this; - } - - public Builder setEnableGrease(boolean enableGrease) { - this.enableGrease = enableGrease; - return this; - } - - public Builder setTlsCertPolicy(TlsCertPolicy tlsCertPolicy) { - this.tlsCertPolicy = tlsCertPolicy; - return this; - } - - public Builder setMaxSslVersion(int maxSslVersion) { - this.maxSslVersion = maxSslVersion; - return this; - } - - public Builder setTlsAlpnProtocols(List tlsAlpnProtocols) { - this.tlsAlpnProtocols = tlsAlpnProtocols; - return this; - } - - public Builder setTlsEllipticCurves(List tlsEllipticCurves) { - this.tlsEllipticCurves = tlsEllipticCurves; - return this; - } - - public SslConfig createSslConfig() { - return new SslConfig(enableOcspStapling, enableSignedCertTimestamp, enableTlsChannelId, - enableGrease, tlsCertPolicy, maxSslVersion, tlsAlpnProtocols, tlsEllipticCurves); - } - } - - @CalledByNative("SslConfig") - boolean getEnableOcspStapling() { - return enableOcspStapling; - } - - @CalledByNative("SslConfig") - boolean getEnableSignedCertTimestamp() { - return enableSignedCertTimestamp; - } - - @CalledByNative("SslConfig") - boolean getEnableTlsChannelId() { - return enableTlsChannelId; - } - - @CalledByNative("SslConfig") - boolean getEnableGrease() { - return enableGrease; - } - - @CalledByNative("SslConfig") - TlsCertPolicy getTlsCertPolicy() { - return tlsCertPolicy; - } - - @Nullable - @CalledByNative("SslConfig") - Integer getMaxSslVersion() { - return maxSslVersion; - } - - @Nullable - @CalledByNative("SslConfig") - List getTlsAlpnProtocols() { - return tlsAlpnProtocols; - } - - @Nullable - @CalledByNative("SslConfig") - List getTlsEllipticCurves() { - return tlsEllipticCurves; - } - } - /** Java version of 
PeerConnectionObserver. */ public static interface Observer { /** Triggered when the SignalingState changes. */ @@ -300,9 +126,7 @@ public class PeerConnection { public final List urls; public final String username; public final String password; - // TODO(diogor, webrtc:9673): Remove tlsCertPolicy from this API. - // This field will be ignored if tlsCertPolicy is also set in SslConfig. - @Deprecated public final TlsCertPolicy tlsCertPolicy; + public final TlsCertPolicy tlsCertPolicy; // If the URIs in |urls| only contain IP addresses, this field can be used // to indicate the hostname, which may be necessary for TLS (using the SNI @@ -310,18 +134,12 @@ public class PeerConnection { // necessary. public final String hostname; - // TODO(diogor, webrtc:9673): Remove tlsAlpnProtocols from this API. // List of protocols to be used in the TLS ALPN extension. - @Deprecated public final List tlsAlpnProtocols; + public final List tlsAlpnProtocols; - // TODO(diogor, webrtc:9673): Remove tlsEllipticCurves from this API. // List of elliptic curves to be used in the TLS elliptic curves extension. // Only curve names supported by OpenSSL should be used (eg. "P-256","X25519"). - // This field will be ignored if tlsEllipticCurves is also set in SslConfig. - @Deprecated public final List tlsEllipticCurves; - - // SSL configuration options for any SSL/TLS connections to this IceServer. - public final SslConfig sslConfig; + public final List tlsEllipticCurves; /** Convenience constructor for STUN servers. */ @Deprecated 
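Review bot: The restored `public final TlsCertPolicy tlsCertPolicy;` in IceServer is now the only field in this group without a comment, whereas `hostname`, `tlsAlpnProtocols` and `tlsEllipticCurves` each keep one; the deprecation TODO that used to sit there was the only explanation of the field. I would add `// TLS certificate policy to use for TLS connections to this server when it is a TURN server.` above it, which matches the wording the same patch restores in RTCIceServer.h. The IceServer class starts before and continues past this hunk.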
@@ -343,12 +161,12 @@ public class PeerConnection { public IceServer(String uri, String username, String password, TlsCertPolicy tlsCertPolicy, String hostname) { this(uri, Collections.singletonList(uri), username, password, tlsCertPolicy, hostname, null, - null, SslConfig.builder().createSslConfig()); + null); } private IceServer(String uri, List urls, String username, String password, TlsCertPolicy tlsCertPolicy, String hostname, List tlsAlpnProtocols, - List tlsEllipticCurves, SslConfig sslConfig) { + List tlsEllipticCurves) { if (uri == null || urls == null || urls.isEmpty()) { throw new IllegalArgumentException("uri == null || urls == null || urls.isEmpty()"); } @@ -374,13 +192,12 @@ public class PeerConnection { this.hostname = hostname; this.tlsAlpnProtocols = tlsAlpnProtocols; this.tlsEllipticCurves = tlsEllipticCurves; - this.sslConfig = sslConfig; } @Override public String toString() { return urls + " [" + username + ":" + password + "] [" + tlsCertPolicy + "] [" + hostname - + "] [" + tlsAlpnProtocols + "] [" + tlsEllipticCurves + "] [" + sslConfig + "]"; + + "] [" + tlsAlpnProtocols + "] [" + tlsEllipticCurves + "]"; } public static Builder builder(String uri) { @@ -399,7 +216,6 @@ public class PeerConnection { private String hostname = ""; private List tlsAlpnProtocols; private List tlsEllipticCurves; - private SslConfig sslConfig = SslConfig.builder().createSslConfig(); private Builder(List urls) { if (urls == null || urls.isEmpty()) { @@ -418,7 +234,6 @@ public class PeerConnection { return this; } - @Deprecated public Builder setTlsCertPolicy(TlsCertPolicy tlsCertPolicy) { this.tlsCertPolicy = tlsCertPolicy; return this; 
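Review bot: `toString()` in the second hunk on this line still interpolates `password` into the returned string, so any log line or debugger dump of an IceServer prints the TURN credential in clear; the revert touches the neighbouring fields but leaves that in place. I would substitute a marker and keep the rest of the format, e.g. `return urls + " [" + username + ":<redacted>] [" + tlsCertPolicy + "] [" + hostname`. `-description` in RTCIceServer.mm has the same shape, formatting `_credential` with `%@`, and would benefit from the same treatment. Separately, the private constructor stores `tlsAlpnProtocols` and `tlsEllipticCurves` by reference into public final fields, unlike the deleted SslConfig which wrapped them with `Collections.unmodifiableList`; `this.tlsAlpnProtocols = tlsAlpnProtocols == null ? null : Collections.unmodifiableList(tlsAlpnProtocols);` (and the same for the curves) would keep callers from mutating the list after construction.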
@@ -429,26 +244,19 @@ public class PeerConnection { return this; } - @Deprecated public Builder setTlsAlpnProtocols(List tlsAlpnProtocols) { this.tlsAlpnProtocols = tlsAlpnProtocols; return this; } - @Deprecated public Builder setTlsEllipticCurves(List tlsEllipticCurves) { this.tlsEllipticCurves = tlsEllipticCurves; return this; } - public Builder setSslConfig(SslConfig sslConfig) { - this.sslConfig = sslConfig; - return this; - } - public IceServer createIceServer() { return new IceServer(urls.get(0), urls, username, password, tlsCertPolicy, hostname, - tlsAlpnProtocols, tlsEllipticCurves, sslConfig); + tlsAlpnProtocols, tlsEllipticCurves); } } @@ -490,11 +298,6 @@ public class PeerConnection { List getTlsEllipticCurves() { return tlsEllipticCurves; } - - @CalledByNative("IceServer") - SslConfig getSslConfig() { - return sslConfig; - } } /** Java version of PeerConnectionInterface.IceTransportsType */ diff --git a/sdk/android/src/jni/pc/icecandidate.cc b/sdk/android/src/jni/pc/icecandidate.cc index bb7e99562c..b9d66a4679 100644 --- a/sdk/android/src/jni/pc/icecandidate.cc +++ b/sdk/android/src/jni/pc/icecandidate.cc @@ -207,21 +207,6 @@ PeerConnectionInterface::TlsCertPolicy JavaToNativeTlsCertPolicy( return PeerConnectionInterface::kTlsCertPolicySecure; } -rtc::TlsCertPolicy JavaToNativeRtcTlsCertPolicy( - JNIEnv* jni, - const JavaRef& j_ssl_config_tls_cert_policy) { - std::string enum_name = GetJavaEnumName(jni, j_ssl_config_tls_cert_policy); - - if (enum_name == "TLS_CERT_POLICY_SECURE") - return rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE; - - if (enum_name == "TLS_CERT_POLICY_INSECURE_NO_CHECK") - return rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK; - - RTC_CHECK(false) << "Unexpected TlsCertPolicy enum_name " << enum_name; - return rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE; -} - absl::optional JavaToNativeNetworkPreference( JNIEnv* jni, const JavaRef& j_network_preference) { 
diff --git a/sdk/android/src/jni/pc/icecandidate.h b/sdk/android/src/jni/pc/icecandidate.h index 38aa359d9b..662b649ba6 100644 --- a/sdk/android/src/jni/pc/icecandidate.h +++ b/sdk/android/src/jni/pc/icecandidate.h @@ -18,7 +18,6 @@ #include "api/jsepicecandidate.h" #include "api/peerconnectioninterface.h" #include "api/rtpparameters.h" -#include "rtc_base/ssladapter.h" #include "rtc_base/sslidentity.h" #include "sdk/android/src/jni/jni_helpers.h" @@ -76,10 +75,6 @@ PeerConnectionInterface::TlsCertPolicy JavaToNativeTlsCertPolicy( JNIEnv* jni, const JavaRef& j_ice_server_tls_cert_policy); -rtc::TlsCertPolicy JavaToNativeRtcTlsCertPolicy( - JNIEnv* jni, - const JavaRef& j_ssl_config_tls_cert_policy); - absl::optional JavaToNativeNetworkPreference( JNIEnv* jni, const JavaRef& j_network_preference); diff --git a/sdk/android/src/jni/pc/peerconnection.cc b/sdk/android/src/jni/pc/peerconnection.cc index ea631def97..79da797e38 100644 --- a/sdk/android/src/jni/pc/peerconnection.cc +++ b/sdk/android/src/jni/pc/peerconnection.cc @@ -40,7 +40,6 @@ #include "api/rtptransceiverinterface.h" #include "rtc_base/checks.h" #include "rtc_base/logging.h" -#include "rtc_base/ssladapter.h" #include "sdk/android/generated_peerconnection_jni/jni/PeerConnection_jni.h" #include "sdk/android/native_api/jni/java_types.h" #include "sdk/android/src/jni/jni_helpers.h" 
@@ -67,44 +66,6 @@ PeerConnectionInterface* ExtractNativePC(JNIEnv* jni, ->pc(); } -rtc::SSLConfig JavaToNativeSslConfig(JNIEnv* jni, - const JavaRef& j_ssl_config) { - rtc::SSLConfig ssl_config; - ssl_config.enable_ocsp_stapling = - Java_SslConfig_getEnableOcspStapling(jni, j_ssl_config); - ssl_config.enable_signed_cert_timestamp = - Java_SslConfig_getEnableSignedCertTimestamp(jni, j_ssl_config); - ssl_config.enable_tls_channel_id = - Java_SslConfig_getEnableTlsChannelId(jni, j_ssl_config); - ssl_config.enable_grease = Java_SslConfig_getEnableGrease(jni, j_ssl_config); - - ScopedJavaLocalRef j_ssl_config_max_ssl_version = - Java_SslConfig_getMaxSslVersion(jni, j_ssl_config); - ssl_config.max_ssl_version = - JavaToNativeOptionalInt(jni, j_ssl_config_max_ssl_version); - - ScopedJavaLocalRef j_ssl_config_tls_cert_policy = - Java_SslConfig_getTlsCertPolicy(jni, j_ssl_config); - ssl_config.tls_cert_policy = - JavaToNativeRtcTlsCertPolicy(jni, j_ssl_config_tls_cert_policy); - - ScopedJavaLocalRef j_ssl_config_tls_alpn_protocols = - Java_SslConfig_getTlsAlpnProtocols(jni, j_ssl_config); - if (!IsNull(jni, j_ssl_config_tls_alpn_protocols)) { - ssl_config.tls_alpn_protocols = - JavaListToNativeVector( - jni, j_ssl_config_tls_alpn_protocols, &JavaToNativeString); - } - ScopedJavaLocalRef j_ssl_config_tls_elliptic_curves = - Java_SslConfig_getTlsEllipticCurves(jni, j_ssl_config); - if (!IsNull(jni, j_ssl_config_tls_elliptic_curves)) { - ssl_config.tls_elliptic_curves = - JavaListToNativeVector( - jni, j_ssl_config_tls_elliptic_curves, &JavaToNativeString); - } - return ssl_config; -} - PeerConnectionInterface::IceServers JavaToNativeIceServers( JNIEnv* jni, const JavaRef& j_ice_servers) { 
@@ -126,8 +87,6 @@ PeerConnectionInterface::IceServers JavaToNativeIceServers( Java_IceServer_getTlsAlpnProtocols(jni, j_ice_server); ScopedJavaLocalRef tls_elliptic_curves = Java_IceServer_getTlsEllipticCurves(jni, j_ice_server); - ScopedJavaLocalRef ssl_config = - Java_IceServer_getSslConfig(jni, j_ice_server); PeerConnectionInterface::IceServer server; server.urls = JavaListToNativeVector( jni, urls, &JavaToNativeString); @@ -139,7 +98,6 @@ PeerConnectionInterface::IceServers JavaToNativeIceServers( jni, tls_alpn_protocols, &JavaToNativeString); server.tls_elliptic_curves = JavaListToNativeVector( jni, tls_elliptic_curves, &JavaToNativeString); - server.ssl_config = JavaToNativeSslConfig(jni, ssl_config); ice_servers.push_back(server); } return ice_servers; diff --git a/sdk/objc/api/peerconnection/RTCIceServer.h b/sdk/objc/api/peerconnection/RTCIceServer.h index a9760c7e54..c2def045a9 100644 --- a/sdk/objc/api/peerconnection/RTCIceServer.h +++ b/sdk/objc/api/peerconnection/RTCIceServer.h @@ -11,7 +11,11 @@ #import #import "RTCMacros.h" -#import "RTCSSLConfig.h" + +typedef NS_ENUM(NSUInteger, RTCTlsCertPolicy) { + RTCTlsCertPolicySecure, + RTCTlsCertPolicyInsecureNoCheck +}; NS_ASSUME_NONNULL_BEGIN @@ -28,8 +32,7 @@ RTC_EXPORT @property(nonatomic, readonly, nullable) NSString *credential; /** - Deprecated. TODO(diogor, webrtc:9673): Remove from API. - TLS certificate policy to use if this RTCIceServer object is a TURN server. + * TLS certificate policy to use if this RTCIceServer object is a TURN server. */ @property(nonatomic, readonly) RTCTlsCertPolicy tlsCertPolicy; 
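Review bot: The `RTCTlsCertPolicy` enum moved back into RTCIceServer.h documents neither value, and the C++ `TlsCertPolicy` comments this same patch removes from ssladapter.h were the only place that spelled out that the no-check policy skips certificate validation altogether. I would add `/** Verify the server certificate. */` above `RTCTlsCertPolicySecure` and `/** Skip certificate validation. Insecure; do not use this in production code. */` above `RTCTlsCertPolicyInsecureNoCheck`, so the `tlsCertPolicy` property comment further down has something concrete to refer to.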
@@ -40,24 +43,15 @@ RTC_EXPORT */ @property(nonatomic, readonly, nullable) NSString *hostname; -/** - Deprecated. TODO(diogor, webrtc:9673): Remove from API. - List of protocols to be used in the TLS ALPN extension. - This field will be ignored if also set in RTCSSLConfig. - */ +/** List of protocols to be used in the TLS ALPN extension. */ @property(nonatomic, readonly) NSArray *tlsAlpnProtocols; /** - Deprecated. TODO(diogor, webrtc:9673): Remove from API. List elliptic curves to be used in the TLS elliptic curves extension. Only curve names supported by OpenSSL should be used (eg. "P-256","X25519"). - This field will be ignored if also set in RTCSSLConfig. */ @property(nonatomic, readonly) NSArray *tlsEllipticCurves; -/** SSL configuration options for any SSL/TLS connections to this IceServer. */ -@property(nonatomic, readonly) RTCSSLConfig *sslConfig; - - (nonnull instancetype)init NS_UNAVAILABLE; /** Convenience initializer for a server with no authentication (e.g. STUN). */ @@ -112,17 +106,8 @@ RTC_EXPORT tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy hostname:(nullable NSString *)hostname tlsAlpnProtocols:(nullable NSArray *)tlsAlpnProtocols - tlsEllipticCurves:(nullable NSArray *)tlsEllipticCurves; - -/** - * Initialize an RTCIceServer with its associated URLs, optional - * username, optional credential, hostname and SSL config. - */ -- (instancetype)initWithURLStrings:(NSArray *)urlStrings - username:(nullable NSString *)username - credential:(nullable NSString *)credential - hostname:(nullable NSString *)hostname - sslConfig:(RTCSSLConfig *)sslConfig NS_DESIGNATED_INITIALIZER; + tlsEllipticCurves:(nullable NSArray *)tlsEllipticCurves + NS_DESIGNATED_INITIALIZER; @end diff --git a/sdk/objc/api/peerconnection/RTCIceServer.mm b/sdk/objc/api/peerconnection/RTCIceServer.mm index 1e0d170c79..2138e4c16a 100644 --- a/sdk/objc/api/peerconnection/RTCIceServer.mm +++ b/sdk/objc/api/peerconnection/RTCIceServer.mm 
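Review bot: The designated initializer restored in the second hunk on this line accepts `nullable` `tlsAlpnProtocols` and `tlsEllipticCurves`, while the matching properties are declared `@property(nonatomic, readonly) NSArray *` without `nullable`, and nothing in the header says what a reader of the property gets when nil was passed in. RTCIceServer.mm builds the ivars with `[[NSArray alloc] initWithArray:... copyItems:YES]`, which I believe yields an empty array for a nil argument, but that should be confirmed and then stated here, e.g. `/** List of protocols to be used in the TLS ALPN extension; empty if none were supplied. */`, with the same addition to the elliptic-curves comment. If the copy can return nil instead, the properties should be marked `nullable` rather than leaving the annotations in disagreement.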
@@ -9,7 +9,6 @@ */ #import "RTCIceServer+Private.h" -#import "RTCSSLConfig+Native.h" #import "helpers/NSString+StdString.h" @@ -22,7 +21,6 @@ @synthesize hostname = _hostname; @synthesize tlsAlpnProtocols = _tlsAlpnProtocols; @synthesize tlsEllipticCurves = _tlsEllipticCurves; -@synthesize sslConfig = _sslConfig; - (instancetype)initWithURLStrings:(NSArray *)urlStrings { return [self initWithURLStrings:urlStrings 
@@ -85,40 +83,28 @@ hostname:(NSString *)hostname tlsAlpnProtocols:(NSArray *)tlsAlpnProtocols tlsEllipticCurves:(NSArray *)tlsEllipticCurves { - RTCSSLConfig *sslConfig = [[RTCSSLConfig alloc] init]; - sslConfig.tlsCertPolicy = tlsCertPolicy; - sslConfig.tlsALPNProtocols = [[NSArray alloc] initWithArray:tlsAlpnProtocols copyItems:YES]; - sslConfig.tlsEllipticCurves = [[NSArray alloc] initWithArray:tlsEllipticCurves copyItems:YES]; - return [self initWithURLStrings:urlStrings - username:username - credential:credential - hostname:hostname - sslConfig:sslConfig]; -} - -- (instancetype)initWithURLStrings:(NSArray *)urlStrings - username:(NSString *)username - credential:(NSString *)credential - hostname:(NSString *)hostname - sslConfig:(RTCSSLConfig *)sslConfig { NSParameterAssert(urlStrings.count); if (self = [super init]) { _urlStrings = [[NSArray alloc] initWithArray:urlStrings copyItems:YES]; _username = [username copy]; _credential = [credential copy]; + _tlsCertPolicy = tlsCertPolicy; _hostname = [hostname copy]; - _sslConfig = sslConfig; + _tlsAlpnProtocols = [[NSArray alloc] initWithArray:tlsAlpnProtocols copyItems:YES]; + _tlsEllipticCurves = [[NSArray alloc] initWithArray:tlsEllipticCurves copyItems:YES]; } return self; } - (NSString *)description { - return [NSString stringWithFormat:@"RTCIceServer:\n%@\n%@\n%@\n%@\n%@", + return [NSString stringWithFormat:@"RTCIceServer:\n%@\n%@\n%@\n%@\n%@\n%@\n%@", _urlStrings, _username, _credential, + [self stringForTlsCertPolicy:_tlsCertPolicy], _hostname, - _sslConfig]; + _tlsAlpnProtocols, + _tlsEllipticCurves]; } #pragma mark - Private @@ -163,8 +149,6 @@ webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck; break; } - - iceServer.ssl_config = [_sslConfig nativeConfig]; return iceServer; } 
@@ -178,38 +162,34 @@ NSString *username = [NSString stringForStdString:nativeServer.username]; NSString *credential = [NSString stringForStdString:nativeServer.password]; NSString *hostname = [NSString stringForStdString:nativeServer.hostname]; - RTCSSLConfig *sslConfig = [[RTCSSLConfig alloc] initWithNativeConfig:nativeServer.ssl_config]; - - if (!nativeServer.ssl_config.tls_alpn_protocols.has_value() && - !nativeServer.tls_alpn_protocols.empty()) { - NSMutableArray *tlsALPNProtocols = - [NSMutableArray arrayWithCapacity:nativeServer.tls_alpn_protocols.size()]; - for (auto const &proto : nativeServer.tls_alpn_protocols) { - [tlsALPNProtocols addObject:[NSString stringForStdString:proto]]; - } - sslConfig.tlsALPNProtocols = tlsALPNProtocols; + NSMutableArray *tlsAlpnProtocols = + [NSMutableArray arrayWithCapacity:nativeServer.tls_alpn_protocols.size()]; + for (auto const &proto : nativeServer.tls_alpn_protocols) { + [tlsAlpnProtocols addObject:[NSString stringForStdString:proto]]; } - - if (!nativeServer.ssl_config.tls_elliptic_curves.has_value() && - !nativeServer.tls_elliptic_curves.empty()) { - NSMutableArray *tlsEllipticCurves = - [NSMutableArray arrayWithCapacity:nativeServer.tls_elliptic_curves.size()]; - for (auto const &curve : nativeServer.tls_elliptic_curves) { - [tlsEllipticCurves addObject:[NSString stringForStdString:curve]]; - } - sslConfig.tlsEllipticCurves = tlsEllipticCurves; + NSMutableArray *tlsEllipticCurves = + [NSMutableArray arrayWithCapacity:nativeServer.tls_elliptic_curves.size()]; + for (auto const &curve : nativeServer.tls_elliptic_curves) { + [tlsEllipticCurves addObject:[NSString stringForStdString:curve]]; } + RTCTlsCertPolicy tlsCertPolicy; - if (nativeServer.tls_cert_policy == - webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck) { - sslConfig.tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck; + switch (nativeServer.tls_cert_policy) { + case webrtc::PeerConnectionInterface::kTlsCertPolicySecure: + tlsCertPolicy = 
RTCTlsCertPolicySecure; + break; + case webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck: + tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck; + break; } self = [self initWithURLStrings:urls username:username credential:credential + tlsCertPolicy:tlsCertPolicy hostname:hostname - sslConfig:sslConfig]; + tlsAlpnProtocols:tlsAlpnProtocols + tlsEllipticCurves:tlsEllipticCurves]; return self; } diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h b/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h deleted file mode 100644 index 7a38edc272..0000000000 --- a/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Copyright 2018 The WebRTC project authors. All Rights Reserved. - * - * Use of this source code is governed by a BSD-style license - * that can be found in the LICENSE file in the root of the source - * tree. An additional intellectual property rights grant can be found - * in the file PATENTS. All contributing project authors may - * be found in the AUTHORS file in the root of the source tree. - */ - -#import "RTCSSLConfig.h" - -#include "api/peerconnectioninterface.h" -#include "rtc_base/ssladapter.h" - -NS_ASSUME_NONNULL_BEGIN - -@interface RTCSSLConfig (Native) - -- (rtc::SSLConfig)nativeConfig; - -/** Initialize an RTCSSLConfig from a native SSLConfig. */ -- (instancetype)initWithNativeConfig:(const rtc::SSLConfig &)config; - -@end - -NS_ASSUME_NONNULL_END diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig.h b/sdk/objc/api/peerconnection/RTCSSLConfig.h deleted file mode 100644 index 54216091d8..0000000000 --- a/sdk/objc/api/peerconnection/RTCSSLConfig.h +++ /dev/null 
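Review bot: `RTCTlsCertPolicy tlsCertPolicy;` is declared uninitialized and only assigned inside the `switch` over `nativeServer.tls_cert_policy`, which has no `default:`; should the native enum ever gain a value, the initializer call below receives whatever the stack held, and for an `NSUInteger`-backed enum that is as likely to read as the no-check policy as the secure one. I would give it the safe value up front so an unhandled case fails closed: `RTCTlsCertPolicy tlsCertPolicy = RTCTlsCertPolicySecure;`. The compiler's unhandled-enum warning presumably catches a missing case today, but the explicit default documents the intent. The enclosing initializer starts outside the hunk.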
@@ -1,56 +0,0 @@
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-#import
-
-#import
-
-typedef NS_ENUM(NSUInteger, RTCTlsCertPolicy) {
- RTCTlsCertPolicySecure,
- RTCTlsCertPolicyInsecureNoCheck
-};
-
-NS_ASSUME_NONNULL_BEGIN
-
-RTC_EXPORT
-@interface RTCSSLConfig : NSObject
-
-/** Indicates whether to enable OCSP stapling in TLS. */
-@property(nonatomic) BOOL enableOCSPStapling;
-
-/** Indicates whether to enable the signed certificate timestamp extension in TLS. */
-@property(nonatomic) BOOL enableSignedCertTimestamp;
-
-/** Indicates whether to enable the TLS Channel ID extension. */
-@property(nonatomic) BOOL enableTlsChannelId;
-
-/** Indicates whether to enable the TLS GREASE extension. */
-@property(nonatomic) BOOL enableGrease;
-
-/** Indicates how to process TURN server certificates */
-@property(nonatomic) RTCTlsCertPolicy tlsCertPolicy;
-
-/** Highest supported SSL version, as defined in the supported_versions TLS extension. */
-@property(nonatomic, nullable) NSNumber *maxSSLVersion;
-
-/** List of protocols to be used in the TLS ALPN extension. */
-@property(nonatomic, copy, nullable) NSArray *tlsALPNProtocols;
-
-/**
- List of elliptic curves to be used in the TLS elliptic curves extension.
- Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
- */
-@property(nonatomic, copy, nullable) NSArray *tlsEllipticCurves;
-
-- (instancetype)init;
-
-@end
-
-NS_ASSUME_NONNULL_END
diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig.mm b/sdk/objc/api/peerconnection/RTCSSLConfig.mm
deleted file mode 100644
index 60ff47cfd2..0000000000
--- a/sdk/objc/api/peerconnection/RTCSSLConfig.mm
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-#import "RTCSSLConfig+Native.h"
-
-#import "helpers/NSString+StdString.h"
-
-@implementation RTCSSLConfig
-
-@synthesize enableOCSPStapling = _enableOCSPStapling;
-@synthesize enableSignedCertTimestamp = _enableSignedCertTimestamp;
-@synthesize enableTlsChannelId = _enableTlsChannelId;
-@synthesize enableGrease = _enableGrease;
-@synthesize tlsCertPolicy = _tlsCertPolicy;
-@synthesize maxSSLVersion = _maxSSLVersion;
-@synthesize tlsALPNProtocols = _tlsALPNProtocols;
-@synthesize tlsEllipticCurves = _tlsEllipticCurves;
-
-- (instancetype)init {
- // Copy defaults
- rtc::SSLConfig config;
- return [self initWithNativeConfig:config];
-}
-
-- (instancetype)initWithNativeConfig:(const rtc::SSLConfig &)config {
- if (self = [super init]) {
- _enableOCSPStapling = config.enable_ocsp_stapling;
- _enableSignedCertTimestamp = config.enable_signed_cert_timestamp;
- _enableTlsChannelId = config.enable_tls_channel_id;
- _enableGrease = config.enable_grease;
-
- switch (config.tls_cert_policy) {
- case rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE:
- _tlsCertPolicy = RTCTlsCertPolicySecure;
- break;
- case rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK:
- _tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck;
- break;
- }
-
- if (config.max_ssl_version) {
- _maxSSLVersion = [NSNumber numberWithInt:*config.max_ssl_version];
- }
- if (config.tls_alpn_protocols) {
- NSMutableArray *tlsALPNProtocols =
- [NSMutableArray arrayWithCapacity:config.tls_alpn_protocols.value().size()];
- for (auto const &proto : config.tls_alpn_protocols.value()) {
- [tlsALPNProtocols addObject:[NSString stringForStdString:proto]];
- }
- _tlsALPNProtocols = tlsALPNProtocols;
- }
- if (config.tls_elliptic_curves) {
- NSMutableArray *tlsEllipticCurves =
- [NSMutableArray arrayWithCapacity:config.tls_elliptic_curves.value().size()];
- for (auto const &curve : config.tls_elliptic_curves.value()) {
- [tlsEllipticCurves addObject:[NSString stringForStdString:curve]];
- }
- _tlsEllipticCurves = tlsEllipticCurves;
- }
- }
- return self;
-}
-
-- (NSString *)description {
- return [NSString stringWithFormat:@"RTCSSLConfig:\n%d\n%d\n%d\n%d\n%@\n%@\n%@\n%@",
- _enableOCSPStapling,
- _enableSignedCertTimestamp,
- _enableTlsChannelId,
- _enableGrease,
- [self stringForTlsCertPolicy:_tlsCertPolicy],
- _maxSSLVersion,
- _tlsALPNProtocols,
- _tlsEllipticCurves];
-}
-
-#pragma mark - Private
-
-- (NSString *)stringForTlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy {
- switch (tlsCertPolicy) {
- case RTCTlsCertPolicySecure:
- return @"RTCTlsCertPolicySecure";
- case RTCTlsCertPolicyInsecureNoCheck:
- return @"RTCTlsCertPolicyInsecureNoCheck";
- }
-}
-
-- (rtc::SSLConfig)nativeConfig {
- __block rtc::SSLConfig sslConfig;
-
- sslConfig.enable_ocsp_stapling = _enableOCSPStapling;
- sslConfig.enable_signed_cert_timestamp = _enableSignedCertTimestamp;
- sslConfig.enable_tls_channel_id = _enableTlsChannelId;
- sslConfig.enable_grease = _enableGrease;
-
- switch (_tlsCertPolicy) {
- case RTCTlsCertPolicySecure:
- sslConfig.tls_cert_policy = rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE;
- break;
- case RTCTlsCertPolicyInsecureNoCheck:
- sslConfig.tls_cert_policy = rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- break;
- }
-
- if (_maxSSLVersion != nil) {
- sslConfig.max_ssl_version = absl::optional(_maxSSLVersion.intValue);
- }
-
- if (_tlsALPNProtocols != nil) {
- __block std::vector alpn_protocols;
- [_tlsALPNProtocols enumerateObjectsUsingBlock:^(NSString *proto, NSUInteger idx, BOOL *stop) {
- alpn_protocols.push_back(proto.stdString);
- }];
- sslConfig.tls_alpn_protocols = absl::optional>(alpn_protocols);
- }
-
- if (_tlsEllipticCurves != nil) {
- __block std::vector elliptic_curves;
- [_tlsEllipticCurves enumerateObjectsUsingBlock:^(NSString *curve, NSUInteger idx, BOOL *stop) {
- elliptic_curves.push_back(curve.stdString);
- }];
- sslConfig.tls_elliptic_curves = absl::optional>(elliptic_curves);
- }
-
- return sslConfig;
-}
-
-@end
diff --git a/sdk/objc/unittests/RTCIceServerTest.mm b/sdk/objc/unittests/RTCIceServerTest.mm
index 7659196139..8ef5195b95 100644
--- a/sdk/objc/unittests/RTCIceServerTest.mm
+++ b/sdk/objc/unittests/RTCIceServerTest.mm
@@ -89,7 +89,7 @@
 EXPECT_EQ("username", iceStruct.username);
 EXPECT_EQ("credential", iceStruct.password);
 EXPECT_EQ("hostname", iceStruct.hostname);
- EXPECT_EQ(2u, iceStruct.ssl_config.tls_alpn_protocols.value().size());
+ EXPECT_EQ(2u, iceStruct.tls_alpn_protocols.size());
 }
 - (void)testTlsEllipticCurves {
@@ -106,8 +106,8 @@
 EXPECT_EQ("username", iceStruct.username);
 EXPECT_EQ("credential", iceStruct.password);
 EXPECT_EQ("hostname", iceStruct.hostname);
- EXPECT_EQ(2u, iceStruct.ssl_config.tls_alpn_protocols.value().size());
- EXPECT_EQ(2u, iceStruct.ssl_config.tls_elliptic_curves.value().size());
+ EXPECT_EQ(2u, iceStruct.tls_alpn_protocols.size());
+ EXPECT_EQ(2u, iceStruct.tls_elliptic_curves.size());
 }
 - (void)testInitFromNativeServer {
@@ -129,8 +129,8 @@
 EXPECT_EQ("username", [NSString stdStringForString:iceServer.username]);
 EXPECT_EQ("password", [NSString stdStringForString:iceServer.credential]);
 EXPECT_EQ("hostname", [NSString stdStringForString:iceServer.hostname]);
- EXPECT_EQ(2u, iceServer.sslConfig.tlsALPNProtocols.count);
- EXPECT_EQ(2u, iceServer.sslConfig.tlsEllipticCurves.count);
+ EXPECT_EQ(2u, iceServer.tlsAlpnProtocols.count);
+ EXPECT_EQ(2u, iceServer.tlsEllipticCurves.count);
 }
 @end
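Review bot: The restored assertions in the `@@ -89` hunk of RTCIceServerTest.mm check only `iceStruct.tls_alpn_protocols.size()`, so a conversion that yields two wrong or reordered protocol strings would still pass; the `.size()` checks in the `@@ -106` hunk and the `.count` checks in the `@@ -129` hunk have the same gap. If the fixture values are the literal ALPN and curve names set up earlier in each test (outside the hunk), asserting the elements as well, e.g. `EXPECT_EQ(expectedProto, iceStruct.tls_alpn_protocols[0]);` with the fixture's actual value, would pin the round trip of the TLS parameters rather than just their count. Each test method begins above its hunk.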