zqz/platform-external-webrtc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

purge nss files and dependencies

Browse Source 
BUG=webrtc:4497

Review URL: https://codereview.webrtc.org/1313233005

Cr-Commit-Position: refs/heads/master@{#9862}
This commit is contained in:
torbjorng
2015-09-04 08:11:51 -07:00
committed by Commit bot
parent e7a0de773a
commit 5647a2cf3d
17 changed files with 10 additions and 2206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
talk/media/sctp/sctpdataengine_unittest.cc
View File

@ -45,11 +45,6 @@
#include "webrtc/base/ssladapter.h"
#include "webrtc/base/thread.h"
#ifdef HAVE_NSS_SSL_H
// TODO(thorcarpenter): Remove after webrtc switches over to BoringSSL.
#include "webrtc/base/nssstreamadapter.h"
#endif // HAVE_NSS_SSL_H
enum {
MSG_PACKET = 1,
};
@ -223,12 +218,6 @@ class SctpDataMediaChannelTest : public testing::Test,
// usrsctp uses the NSS random number generator on non-Android platforms,
// so we need to initialize SSL.
static void SetUpTestCase() {
#ifdef HAVE_NSS_SSL_H
// TODO(thorcarpenter): Remove after webrtc switches over to BoringSSL.
if (!rtc::NSSContext::InitializeSSL(NULL)) {
LOG(LS_WARNING) << "Unabled to initialize NSS.";
}
#endif // HAVE_NSS_SSL_H
}
virtual void SetUp() {

42
webrtc/base/BUILD.gn
View File

@ -39,14 +39,6 @@ config("openssl_config") {
]
}
config("nss_config") {
defines = [
"SSL_USE_NSS",
"HAVE_NSS_SSL_H",
"SSL_USE_NSS_RNG",
]
}
config("ios_config") {
libs = [
"CFNetwork.framework",
@ -84,15 +76,6 @@ if (is_linux && !build_with_chromium) {
deps = [
"//third_party/boringssl",
]
} else {
deps = [
"//net/third_party/nss/ssl:libssl",
]
public_configs = [
"//net/third_party/nss/ssl:ssl_config",
"//third_party/nss:system_nss_no_ssl_config",
]
}
}
}
@ -495,31 +478,6 @@ static_library("rtc_base") {
"opensslstreamadapter.cc",
"opensslstreamadapter.h",
]
} else {
public_configs += [ ":nss_config" ]
if (rtc_build_ssl) {
if (build_with_chromium) {
deps += [ "//crypto:platform" ]
} else {
deps += [ "//net/third_party/nss/ssl:libssl" ]
if (is_linux) {
deps += [ ":linux_system_ssl" ]
} else {
deps += [
"//third_party/nss:nspr",
"//third_party/nss:nss",
]
}
}
} else {
configs += [ "external_ssl_library" ]
}
sources += [
"nssidentity.cc",
"nssidentity.h",
"nssstreamadapter.cc",
"nssstreamadapter.h",
]
}
if (is_android) {

45
webrtc/base/base.gyp
View File

@ -526,51 +526,6 @@
],
}],
],
}, {
'sources': [
'nssidentity.cc',
'nssidentity.h',
'nssstreamadapter.cc',
'nssstreamadapter.h',
],
'conditions': [
['use_legacy_ssl_defaults!=1', {
'defines': [
'SSL_USE_NSS',
'HAVE_NSS_SSL_H',
'SSL_USE_NSS_RNG',
],
'direct_dependent_settings': {
'defines': [
'SSL_USE_NSS',
'HAVE_NSS_SSL_H',
'SSL_USE_NSS_RNG',
],
},
}],
['build_ssl==1', {
'conditions': [
# On some platforms, the rest of NSS is bundled. On others,
# it's pulled from the system.
['OS == "mac" or OS == "ios"', {
'dependencies': [
'<(DEPTH)/net/third_party/nss/ssl.gyp:libssl',
'<(DEPTH)/third_party/nss/nss.gyp:nspr',
'<(DEPTH)/third_party/nss/nss.gyp:nss',
],
}],
['os_posix == 1 and OS != "mac" and OS != "ios" and OS != "android"', {
'dependencies': [
'<(DEPTH)/build/linux/system.gyp:ssl',
],
}],
],
}, {
'include_dirs': [
'<(ssl_root)',
],
}],
],
}],
['OS == "android"', {
'link_settings': {

8
webrtc/base/helpers.cc
View File

@ -16,14 +16,6 @@
#include "webrtc/base/sslconfig.h"
#if defined(SSL_USE_OPENSSL)
#include <openssl/rand.h>
#elif defined(SSL_USE_NSS_RNG)
// Hack: Define+undefine int64 and uint64 to avoid typedef conflict with NSS.
// TODO(kjellander): Remove when webrtc:4497 is completed.
#define uint64 foo_uint64
#define int64 foo_int64
#include "pk11func.h"
#undef uint64
#undef int64
#else
#if defined(WEBRTC_WIN)
#define WIN32_LEAN_AND_MEAN

581
webrtc/base/nssidentity.cc
View File

@ -1,581 +0,0 @@
/*
* Copyright 2012 The WebRTC Project Authors. All rights reserved.
*
* Use of this source code is governed by a BSD-style license
* that can be found in the LICENSE file in the root of the source
* tree. An additional intellectual property rights grant can be found
* in the file PATENTS. All contributing project authors may
* be found in the AUTHORS file in the root of the source tree.
*/
#include <algorithm>
#include <string>
#include <vector>
#if HAVE_CONFIG_H
#include "config.h"
#endif // HAVE_CONFIG_H
#if HAVE_NSS_SSL_H
#include "webrtc/base/nssidentity.h"
#include "cert.h"
#include "cryptohi.h"
#include "keyhi.h"
#include "nss.h"
#include "pk11pub.h"
#include "sechash.h"
#include "webrtc/base/logging.h"
#include "webrtc/base/helpers.h"
#include "webrtc/base/nssstreamadapter.h"
#include "webrtc/base/safe_conversions.h"
#include "webrtc/base/stringutils.h"
namespace rtc {
// Certificate validity lifetime in seconds.
static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily
// Certificate validity window in seconds.
// This is to compensate for slightly incorrect system clocks.
static const int CERTIFICATE_WINDOW = -60*60*24;
NSSKeyPair::~NSSKeyPair() {
if (privkey_)
SECKEY_DestroyPrivateKey(privkey_);
if (pubkey_)
SECKEY_DestroyPublicKey(pubkey_);
}
NSSKeyPair* NSSKeyPair::Generate(KeyType key_type) {
SECKEYPrivateKey* privkey = nullptr;
SECKEYPublicKey* pubkey = nullptr;
SSLKEAType ssl_kea_type;
if (key_type == KT_RSA) {
PK11RSAGenParams rsa_params;
rsa_params.keySizeInBits = 1024;
rsa_params.pe = 0x010001; // 65537 -- a common RSA public exponent.
privkey = PK11_GenerateKeyPair(
NSSContext::GetSlot(), CKM_RSA_PKCS_KEY_PAIR_GEN, &rsa_params, &pubkey,
PR_FALSE /*permanent*/, PR_FALSE /*sensitive*/, nullptr);
ssl_kea_type = ssl_kea_rsa;
} else if (key_type == KT_ECDSA) {
unsigned char param_buf[12]; // OIDs are small
SECItem ecdsa_params = {siBuffer, param_buf, sizeof(param_buf)};
SECOidData* oid_data = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP256R1);
if (!oid_data || oid_data->oid.len > sizeof(param_buf) - 2) {
LOG(LS_ERROR) << "oid_data incorrect: " << oid_data->oid.len;
return nullptr;
}
ecdsa_params.data[0] = SEC_ASN1_OBJECT_ID;
ecdsa_params.data[1] = oid_data->oid.len;
memcpy(ecdsa_params.data + 2, oid_data->oid.data, oid_data->oid.len);
ecdsa_params.len = oid_data->oid.len + 2;
privkey = PK11_GenerateKeyPair(
NSSContext::GetSlot(), CKM_EC_KEY_PAIR_GEN, &ecdsa_params, &pubkey,
PR_FALSE /*permanent*/, PR_FALSE /*sensitive*/, nullptr);
ssl_kea_type = ssl_kea_ecdh;
} else {
LOG(LS_ERROR) << "Key type requested not understood";
return nullptr;
}
if (!privkey) {
LOG(LS_ERROR) << "Couldn't generate key pair: " << PORT_GetError();
return nullptr;
}
return new NSSKeyPair(privkey, pubkey, ssl_kea_type);
}
// Just make a copy.
NSSKeyPair* NSSKeyPair::GetReference() {
SECKEYPrivateKey* privkey = SECKEY_CopyPrivateKey(privkey_);
if (!privkey)
return nullptr;
SECKEYPublicKey* pubkey = SECKEY_CopyPublicKey(pubkey_);
if (!pubkey) {
SECKEY_DestroyPrivateKey(privkey);
return nullptr;
}
return new NSSKeyPair(privkey, pubkey, ssl_kea_type_);
}
NSSCertificate::NSSCertificate(CERTCertificate* cert)
: certificate_(CERT_DupCertificate(cert)) {
ASSERT(certificate_ != nullptr);
}
static void DeleteCert(SSLCertificate* cert) {
delete cert;
}
NSSCertificate::NSSCertificate(CERTCertList* cert_list) {
// Copy the first cert into certificate_.
CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
certificate_ = CERT_DupCertificate(node->cert);
// Put any remaining certificates into the chain.
node = CERT_LIST_NEXT(node);
std::vector<SSLCertificate*> certs;
for (; !CERT_LIST_END(node, cert_list); node = CERT_LIST_NEXT(node)) {
certs.push_back(new NSSCertificate(node->cert));
}
if (!certs.empty())
chain_.reset(new SSLCertChain(certs));
// The SSLCertChain constructor copies its input, so now we have to delete
// the originals.
std::for_each(certs.begin(), certs.end(), DeleteCert);
}
NSSCertificate::NSSCertificate(CERTCertificate* cert, SSLCertChain* chain)
: certificate_(CERT_DupCertificate(cert)) {
ASSERT(certificate_ != nullptr);
if (chain)
chain_.reset(chain->Copy());
}
NSSCertificate::~NSSCertificate() {
if (certificate_)
CERT_DestroyCertificate(certificate_);
}
NSSCertificate* NSSCertificate::FromPEMString(const std::string& pem_string) {
std::string der;
if (!SSLIdentity::PemToDer(kPemTypeCertificate, pem_string, &der))
return nullptr;
SECItem der_cert;
der_cert.data = reinterpret_cast<unsigned char *>(const_cast<char *>(
der.data()));
der_cert.len = checked_cast<unsigned int>(der.size());
CERTCertificate* cert = CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &der_cert, nullptr, PR_FALSE, PR_TRUE);
if (!cert)
return nullptr;
NSSCertificate* ret = new NSSCertificate(cert);
CERT_DestroyCertificate(cert);
return ret;
}
NSSCertificate* NSSCertificate::GetReference() const {
return new NSSCertificate(certificate_, chain_.get());
}
std::string NSSCertificate::ToPEMString() const {
return SSLIdentity::DerToPem(kPemTypeCertificate,
certificate_->derCert.data,
certificate_->derCert.len);
}
void NSSCertificate::ToDER(Buffer* der_buffer) const {
der_buffer->SetData(certificate_->derCert.data, certificate_->derCert.len);
}
static bool Certifies(CERTCertificate* parent, CERTCertificate* child) {
// TODO(bemasc): Identify stricter validation checks to use here. In the
// context of some future identity standard, it might make sense to check
// the certificates' roles, expiration dates, self-signatures (if
// self-signed), certificate transparency logging, or many other attributes.
// NOTE: Future changes to this validation may reject some previously allowed
// certificate chains. Users should be advised not to deploy chained
// certificates except in controlled environments until the validity
// requirements are finalized.
// Check that the parent's name is the same as the child's claimed issuer.
SECComparison name_status =
CERT_CompareName(&child->issuer, &parent->subject);
if (name_status != SECEqual)
return false;
// Extract the parent's public key, or fail if the key could not be read
// (e.g. certificate is corrupted).
SECKEYPublicKey* parent_key = CERT_ExtractPublicKey(parent);
if (!parent_key)
return false;
// Check that the parent's privkey was actually used to generate the child's
// signature.
SECStatus verified = CERT_VerifySignedDataWithPublicKey(&child->signatureWrap,
parent_key, nullptr);
SECKEY_DestroyPublicKey(parent_key);
return verified == SECSuccess;
}
bool NSSCertificate::IsValidChain(const CERTCertList* cert_list) {
CERTCertListNode* child = CERT_LIST_HEAD(cert_list);
for (CERTCertListNode* parent = CERT_LIST_NEXT(child);
!CERT_LIST_END(parent, cert_list);
child = parent, parent = CERT_LIST_NEXT(parent)) {
if (!Certifies(parent->cert, child->cert))
return false;
}
return true;
}
bool NSSCertificate::GetDigestLength(const std::string& algorithm,
size_t* length) {
const SECHashObject* ho = nullptr;
if (!GetDigestObject(algorithm, &ho))
return false;
*length = ho->length;
return true;
}
bool NSSCertificate::GetSignatureDigestAlgorithm(std::string* algorithm) const {
// The function sec_DecodeSigAlg in NSS provides this mapping functionality.
// Unfortunately it is private, so the functionality must be duplicated here.
// See https://bugzilla.mozilla.org/show_bug.cgi?id=925165 .
SECOidTag sig_alg = SECOID_GetAlgorithmTag(&certificate_->signature);
switch (sig_alg) {
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
*algorithm = DIGEST_MD5;
break;
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
case SEC_OID_MISSI_DSS:
case SEC_OID_MISSI_KEA_DSS:
case SEC_OID_MISSI_KEA_DSS_OLD:
case SEC_OID_MISSI_DSS_OLD:
*algorithm = DIGEST_SHA_1;
break;
case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
*algorithm = DIGEST_SHA_224;
break;
case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
*algorithm = DIGEST_SHA_256;
break;
case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
*algorithm = DIGEST_SHA_384;
break;
case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
*algorithm = DIGEST_SHA_512;
break;
default:
// Unknown algorithm. There are several unhandled options that are less
// common and more complex.
algorithm->clear();
return false;
}
return true;
}
bool NSSCertificate::ComputeDigest(const std::string& algorithm,
unsigned char* digest,
size_t size,
size_t* length) const {
const SECHashObject* ho = nullptr;
if (!GetDigestObject(algorithm, &ho))
return false;
if (size < ho->length) // Sanity check for fit
return false;
SECStatus rv = HASH_HashBuf(ho->type, digest,
certificate_->derCert.data,
certificate_->derCert.len);
if (rv != SECSuccess)
return false;
*length = ho->length;
return true;
}
bool NSSCertificate::GetChain(SSLCertChain** chain) const {
if (!chain_)
return false;
*chain = chain_->Copy();
return true;
}
bool NSSCertificate::Equals(const NSSCertificate* tocompare) const {
if (!certificate_->derCert.len)
return false;
if (!tocompare->certificate_->derCert.len)
return false;
if (certificate_->derCert.len != tocompare->certificate_->derCert.len)
return false;
return memcmp(certificate_->derCert.data,
tocompare->certificate_->derCert.data,
certificate_->derCert.len) == 0;
}
bool NSSCertificate::GetDigestObject(const std::string& algorithm,
const SECHashObject** hop) {
const SECHashObject* ho;
HASH_HashType hash_type;
if (algorithm == DIGEST_SHA_1) {
hash_type = HASH_AlgSHA1;
// HASH_AlgSHA224 is not supported in the chromium linux build system.
#if 0
} else if (algorithm == DIGEST_SHA_224) {
hash_type = HASH_AlgSHA224;
#endif
} else if (algorithm == DIGEST_SHA_256) {
hash_type = HASH_AlgSHA256;
} else if (algorithm == DIGEST_SHA_384) {
hash_type = HASH_AlgSHA384;
} else if (algorithm == DIGEST_SHA_512) {
hash_type = HASH_AlgSHA512;
} else {
return false;
}
ho = HASH_GetHashObject(hash_type);
ASSERT(ho->length >= 20); // Can't happen
*hop = ho;
return true;
}
NSSIdentity::NSSIdentity(NSSKeyPair* keypair, NSSCertificate* cert)
: keypair_(keypair), certificate_(cert) {
}
NSSIdentity* NSSIdentity::GenerateInternal(const SSLIdentityParams& params) {
std::string subject_name_string = "CN=" + params.common_name;
CERTName* subject_name =
CERT_AsciiToName(const_cast<char*>(subject_name_string.c_str()));
NSSIdentity* identity = nullptr;
CERTSubjectPublicKeyInfo* spki = nullptr;
CERTCertificateRequest* certreq = nullptr;
CERTValidity* validity = nullptr;
CERTCertificate* certificate = nullptr;
NSSKeyPair* keypair = NSSKeyPair::Generate(params.key_type);
SECItem inner_der;
SECStatus rv;
PLArenaPool* arena;
SECItem signed_cert;
PRTime now = PR_Now();
PRTime not_before =
now + static_cast<PRTime>(params.not_before) * PR_USEC_PER_SEC;
PRTime not_after =
now + static_cast<PRTime>(params.not_after) * PR_USEC_PER_SEC;
inner_der.len = 0;
inner_der.data = nullptr;
if (!keypair) {
LOG(LS_ERROR) << "Couldn't generate key pair";
goto fail;
}
if (!subject_name) {
LOG(LS_ERROR) << "Couldn't convert subject name " << subject_name;
goto fail;
}
spki = SECKEY_CreateSubjectPublicKeyInfo(keypair->pubkey());
if (!spki) {
LOG(LS_ERROR) << "Couldn't create SPKI";
goto fail;
}
certreq = CERT_CreateCertificateRequest(subject_name, spki, nullptr);
if (!certreq) {
LOG(LS_ERROR) << "Couldn't create certificate signing request";
goto fail;
}
validity = CERT_CreateValidity(not_before, not_after);
if (!validity) {
LOG(LS_ERROR) << "Couldn't create validity";
goto fail;
}
unsigned long serial;
// Note: This serial in principle could collide, but it's unlikely
rv = PK11_GenerateRandom(reinterpret_cast<unsigned char *>(&serial),
sizeof(serial));
if (rv != SECSuccess) {
LOG(LS_ERROR) << "Couldn't generate random serial";
goto fail;
}
certificate = CERT_CreateCertificate(serial, subject_name, validity, certreq);
if (!certificate) {
LOG(LS_ERROR) << "Couldn't create certificate";
goto fail;
}
arena = certificate->arena;
SECOidTag sec_oid;
if (params.key_type == KT_RSA) {
sec_oid = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
} else if (params.key_type == KT_ECDSA) {
sec_oid = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
} else {
// We should not arrive here since NSSKeyPair::Generate would have failed.
// Play it safe in order to accomodate code changes.
LOG(LS_ERROR) << "Key type requested not understood";
goto fail;
}
rv = SECOID_SetAlgorithmID(arena, &certificate->signature, sec_oid, nullptr);
if (rv != SECSuccess) {
LOG(LS_ERROR) << "Couldn't set hashing algorithm";
goto fail;
}
// Set version to X509v3.
*(certificate->version.data) = 2;
certificate->version.len = 1;
if (!SEC_ASN1EncodeItem(arena, &inner_der, certificate,
SEC_ASN1_GET(CERT_CertificateTemplate))) {
LOG(LS_ERROR) << "Couldn't encode certificate";
goto fail;
}
rv = SEC_DerSignData(arena, &signed_cert, inner_der.data, inner_der.len,
keypair->privkey(), sec_oid);
if (rv != SECSuccess) {
LOG(LS_ERROR) << "Couldn't sign certificate";
goto fail;
}
certificate->derCert = signed_cert;
identity = new NSSIdentity(keypair, new NSSCertificate(certificate));
goto done;
fail:
delete keypair;
done:
if (certificate) CERT_DestroyCertificate(certificate);
if (subject_name) CERT_DestroyName(subject_name);
if (spki) SECKEY_DestroySubjectPublicKeyInfo(spki);
if (certreq) CERT_DestroyCertificateRequest(certreq);
if (validity) CERT_DestroyValidity(validity);
return identity;
}
NSSIdentity* NSSIdentity::Generate(const std::string& common_name,
KeyType key_type) {
SSLIdentityParams params;
params.common_name = common_name;
params.not_before = CERTIFICATE_WINDOW;
params.not_after = CERTIFICATE_LIFETIME;
params.key_type = key_type;
return GenerateInternal(params);
}
NSSIdentity* NSSIdentity::GenerateForTest(const SSLIdentityParams& params) {
return GenerateInternal(params);
}
SSLIdentity* NSSIdentity::FromPEMStrings(const std::string& private_key,
const std::string& certificate) {
std::string private_key_der;
if (!SSLIdentity::PemToDer(
kPemTypeRsaPrivateKey, private_key, &private_key_der))
return nullptr;
SECItem private_key_item;
private_key_item.data = reinterpret_cast<unsigned char *>(
const_cast<char *>(private_key_der.c_str()));
private_key_item.len = checked_cast<unsigned int>(private_key_der.size());
const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT |
KU_DIGITAL_SIGNATURE;
SECKEYPrivateKey* privkey = nullptr;
SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
NSSContext::GetSlot(), &private_key_item, nullptr, nullptr, PR_FALSE,
PR_FALSE, key_usage, &privkey, nullptr);
if (rv != SECSuccess) {
LOG(LS_ERROR) << "Couldn't import private key";
return nullptr;
}
SECKEYPublicKey* pubkey = SECKEY_ConvertToPublicKey(privkey);
if (rv != SECSuccess) {
SECKEY_DestroyPrivateKey(privkey);
LOG(LS_ERROR) << "Couldn't convert private key to public key";
return nullptr;
}
SSLKEAType ssl_kea_type;
if (rtc::starts_with(private_key.c_str(),
"-----BEGIN RSA PRIVATE KEY-----")) {
ssl_kea_type = ssl_kea_rsa;
} else {
// We might want to check more key types here. But since we're moving to
// Open/BoringSSL, don't bother. Besides, this will likely be correct for
// any future key type, causing a test to do more harm than good.
ssl_kea_type = ssl_kea_ecdh;
}
// Assign to a scoped_ptr so we don't leak on error.
scoped_ptr<NSSKeyPair> keypair(new NSSKeyPair(privkey, pubkey, ssl_kea_type));
scoped_ptr<NSSCertificate> cert(NSSCertificate::FromPEMString(certificate));
if (!cert) {
LOG(LS_ERROR) << "Couldn't parse certificate";
return nullptr;
}
// TODO(ekr@rtfm.com): Check the public key against the certificate.
return new NSSIdentity(keypair.release(), cert.release());
}
NSSIdentity::~NSSIdentity() {
LOG(LS_INFO) << "Destroying NSS identity";
}
NSSIdentity* NSSIdentity::GetReference() const {
NSSKeyPair* keypair = keypair_->GetReference();
if (!keypair)
return nullptr;
NSSCertificate* certificate = certificate_->GetReference();
if (!certificate) {
delete keypair;
return nullptr;
}
return new NSSIdentity(keypair, certificate);
}
NSSCertificate &NSSIdentity::certificate() const {
return *certificate_;
}
} // rtc namespace
#endif // HAVE_NSS_SSL_H

143
webrtc/base/nssidentity.h
View File

@ -1,143 +0,0 @@
/*
* Copyright 2004 The WebRTC Project Authors. All rights reserved.
*
* Use of this source code is governed by a BSD-style license
* that can be found in the LICENSE file in the root of the source
* tree. An additional intellectual property rights grant can be found
* in the file PATENTS. All contributing project authors may
* be found in the AUTHORS file in the root of the source tree.
*/
#ifndef WEBRTC_BASE_NSSIDENTITY_H_
#define WEBRTC_BASE_NSSIDENTITY_H_
#include <string>
// Hack: Define+undefine int64 and uint64 to avoid typedef conflict with NSS.
// TODO(kjellander): Remove when webrtc:4497 is completed.
#define uint64 foo_uint64
#define int64 foo_int64
#include "cert.h"
#undef uint64
#undef int64
#include "nspr.h"
#include "hasht.h"
#include "keythi.h"
#ifdef NSS_SSL_RELATIVE_PATH
#include "ssl.h"
#else
#include "net/third_party/nss/ssl/ssl.h"
#endif
#include "webrtc/base/common.h"
#include "webrtc/base/logging.h"
#include "webrtc/base/scoped_ptr.h"
#include "webrtc/base/sslidentity.h"
namespace rtc {
class NSSKeyPair {
public:
NSSKeyPair(SECKEYPrivateKey* privkey, SECKEYPublicKey* pubkey)
: privkey_(privkey), pubkey_(pubkey), ssl_kea_type_(ssl_kea_null) {}
NSSKeyPair(SECKEYPrivateKey* privkey,
SECKEYPublicKey* pubkey,
SSLKEAType ssl_kea_type)
: privkey_(privkey), pubkey_(pubkey), ssl_kea_type_(ssl_kea_type) {}
~NSSKeyPair();
// Generate a 1024-bit RSA key pair.
static NSSKeyPair* Generate(KeyType key_type);
NSSKeyPair* GetReference();
SECKEYPrivateKey* privkey() const { return privkey_; }
SECKEYPublicKey * pubkey() const { return pubkey_; }
SSLKEAType ssl_kea_type() const { return ssl_kea_type_; }
private:
SECKEYPrivateKey* privkey_;
SECKEYPublicKey* pubkey_;
SSLKEAType ssl_kea_type_;
DISALLOW_COPY_AND_ASSIGN(NSSKeyPair);
};
class NSSCertificate : public SSLCertificate {
public:
static NSSCertificate* FromPEMString(const std::string& pem_string);
// The caller retains ownership of the argument to all the constructors,
// and the constructor makes a copy.
explicit NSSCertificate(CERTCertificate* cert);
explicit NSSCertificate(CERTCertList* cert_list);
~NSSCertificate() override;
NSSCertificate* GetReference() const override;
std::string ToPEMString() const override;
void ToDER(Buffer* der_buffer) const override;
bool GetSignatureDigestAlgorithm(std::string* algorithm) const override;
bool ComputeDigest(const std::string& algorithm,
unsigned char* digest,
size_t size,
size_t* length) const override;
bool GetChain(SSLCertChain** chain) const override;
CERTCertificate* certificate() { return certificate_; }
// Performs minimal checks to determine if the list is a valid chain. This
// only checks that each certificate certifies the preceding certificate,
// and ignores many other certificate features such as expiration dates.
static bool IsValidChain(const CERTCertList* cert_list);
// Helper function to get the length of a digest
static bool GetDigestLength(const std::string& algorithm, size_t* length);
// Comparison. Only the certificate itself is considered, not the chain.
bool Equals(const NSSCertificate* tocompare) const;
private:
NSSCertificate(CERTCertificate* cert, SSLCertChain* chain);
static bool GetDigestObject(const std::string& algorithm,
const SECHashObject** hash_object);
CERTCertificate* certificate_;
scoped_ptr<SSLCertChain> chain_;
DISALLOW_COPY_AND_ASSIGN(NSSCertificate);
};
// Represents a SSL key pair and certificate for NSS.
class NSSIdentity : public SSLIdentity {
public:
static NSSIdentity* Generate(const std::string& common_name,
KeyType key_type);
static NSSIdentity* GenerateForTest(const SSLIdentityParams& params);
static SSLIdentity* FromPEMStrings(const std::string& private_key,
const std::string& certificate);
~NSSIdentity() override;
NSSIdentity* GetReference() const override;
NSSCertificate& certificate() const override;
NSSKeyPair* keypair() const { return keypair_.get(); }
private:
NSSIdentity(NSSKeyPair* keypair, NSSCertificate* cert);
static NSSIdentity* GenerateInternal(const SSLIdentityParams& params);
rtc::scoped_ptr<NSSKeyPair> keypair_;
rtc::scoped_ptr<NSSCertificate> certificate_;
DISALLOW_COPY_AND_ASSIGN(NSSIdentity);
};
} // namespace rtc
#endif // WEBRTC_BASE_NSSIDENTITY_H_

1127
webrtc/base/nssstreamadapter.cc
View File

File diff suppressed because it is too large Load Diff

125
webrtc/base/nssstreamadapter.h
View File

@ -1,125 +0,0 @@
/*
* Copyright 2004 The WebRTC Project Authors. All rights reserved.
*
* Use of this source code is governed by a BSD-style license
* that can be found in the LICENSE file in the root of the source
* tree. An additional intellectual property rights grant can be found
* in the file PATENTS. All contributing project authors may
* be found in the AUTHORS file in the root of the source tree.
*/
#ifndef WEBRTC_BASE_NSSSTREAMADAPTER_H_
#define WEBRTC_BASE_NSSSTREAMADAPTER_H_
#include <string>
#include <vector>
// Hack: Define+undefine int64 and uint64 to avoid typedef conflict with NSS.
// TODO(kjellander): Remove when webrtc:4497 is completed.
#define uint64 foo_uint64
#define int64 foo_int64
#include "nspr.h"
#undef uint64
#undef int64
#include "nss.h"
#include "secmodt.h"
#include "webrtc/base/buffer.h"
#include "webrtc/base/criticalsection.h"
#include "webrtc/base/nssidentity.h"
#include "webrtc/base/ssladapter.h"
#include "webrtc/base/sslstreamadapter.h"
#include "webrtc/base/sslstreamadapterhelper.h"
namespace rtc {
// Singleton
class NSSContext {
public:
explicit NSSContext(PK11SlotInfo* slot) : slot_(slot) {}
~NSSContext() {
}
static PK11SlotInfo *GetSlot() {
return Instance() ? Instance()->slot_: NULL;
}
static NSSContext *Instance();
static bool InitializeSSL(VerificationCallback callback);
static bool InitializeSSLThread();
static bool CleanupSSL();
private:
PK11SlotInfo *slot_; // The PKCS-11 slot
static GlobalLockPod lock; // To protect the global context
static NSSContext *global_nss_context; // The global context
};
class NSSStreamAdapter : public SSLStreamAdapterHelper {
public:
explicit NSSStreamAdapter(StreamInterface* stream);
~NSSStreamAdapter() override;
bool Init();
StreamResult Read(void* data,
size_t data_len,
size_t* read,
int* error) override;
StreamResult Write(const void* data,
size_t data_len,
size_t* written,
int* error) override;
void OnMessage(Message* msg) override;
bool GetSslCipher(std::string* cipher) override;
// Key Extractor interface
bool ExportKeyingMaterial(const std::string& label,
const uint8* context,
size_t context_len,
bool use_context,
uint8* result,
size_t result_len) override;
// DTLS-SRTP interface
bool SetDtlsSrtpCiphers(const std::vector<std::string>& ciphers) override;
bool GetDtlsSrtpCipher(std::string* cipher) override;
// Capabilities interfaces
static bool HaveDtls();
static bool HaveDtlsSrtp();
static bool HaveExporter();
static std::string GetDefaultSslCipher(SSLProtocolVersion version,
KeyType key_type);
protected:
// Override SSLStreamAdapter
void OnEvent(StreamInterface* stream, int events, int err) override;
// Override SSLStreamAdapterHelper
int BeginSSL() override;
void Cleanup() override;
bool GetDigestLength(const std::string& algorithm, size_t* length) override;
private:
int ContinueSSL();
static SECStatus AuthCertificateHook(void *arg, PRFileDesc *fd,
PRBool checksig, PRBool isServer);
static SECStatus GetClientAuthDataHook(void *arg, PRFileDesc *fd,
CERTDistNames *caNames,
CERTCertificate **pRetCert,
SECKEYPrivateKey **pRetKey);
PRFileDesc *ssl_fd_; // NSS's SSL file descriptor
static bool initialized; // Was InitializeSSL() called?
bool cert_ok_; // Did we get and check a cert
std::vector<PRUint16> srtp_ciphers_; // SRTP cipher list
static PRDescIdentity nspr_layer_identity; // The NSPR layer identity
};
} // namespace rtc
#endif // WEBRTC_BASE_NSSSTREAMADAPTER_H_

2
webrtc/base/opensslstreamadapter.cc
View File

@ -1041,7 +1041,7 @@ int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
// the digest.
//
// TODO(jiayl): Verify the chain is a proper chain and report the chain to
// |stream->peer_certificate_|, like what NSS does.
// |stream->peer_certificate_|.
if (depth > 0) {
LOG(LS_INFO) << "Ignored chained certificate at depth " << depth;
return 1;

24
webrtc/base/ssladapter.cc
View File

@ -24,11 +24,7 @@
#include "openssladapter.h"
#elif SSL_USE_NSS // && !SSL_USE_CHANNEL && !SSL_USE_OPENSSL
#include "nssstreamadapter.h"
#endif // SSL_USE_OPENSSL && !SSL_USE_SCHANNEL && !SSL_USE_NSS
#endif // SSL_USE_OPENSSL && !SSL_USE_SCHANNEL
///////////////////////////////////////////////////////////////////////////////
@ -62,21 +58,7 @@ bool CleanupSSL() {
return OpenSSLAdapter::CleanupSSL();
}
#elif SSL_USE_NSS // !SSL_USE_OPENSSL
bool InitializeSSL(VerificationCallback callback) {
return NSSContext::InitializeSSL(callback);
}
bool InitializeSSLThread() {
return NSSContext::InitializeSSLThread();
}
bool CleanupSSL() {
return NSSContext::CleanupSSL();
}
#else // !SSL_USE_OPENSSL && !SSL_USE_NSS
#else // !SSL_USE_OPENSSL
bool InitializeSSL(VerificationCallback callback) {
return true;
@ -90,7 +72,7 @@ bool CleanupSSL() {
return true;
}
#endif // !SSL_USE_OPENSSL && !SSL_USE_NSS
#endif // !SSL_USE_OPENSSL
///////////////////////////////////////////////////////////////////////////////

5
webrtc/base/sslconfig.h
View File

@ -13,8 +13,7 @@
// If no preference has been indicated, default to SChannel on Windows and
// OpenSSL everywhere else, if it is available.
#if !defined(SSL_USE_SCHANNEL) && !defined(SSL_USE_OPENSSL) && \
!defined(SSL_USE_NSS)
#if !defined(SSL_USE_SCHANNEL) && !defined(SSL_USE_OPENSSL)
#if defined(WEBRTC_WIN)
#define SSL_USE_SCHANNEL 1
@ -23,8 +22,6 @@
#if defined(HAVE_OPENSSL_SSL_H)
#define SSL_USE_OPENSSL 1
#elif defined(HAVE_NSS_SSL_H)
#define SSL_USE_NSS 1
#endif
#endif // !defined(WEBRTC_WIN)

26
webrtc/base/sslidentity.cc
View File

@ -27,10 +27,6 @@
#include "webrtc/base/opensslidentity.h"
#elif SSL_USE_NSS // !SSL_USE_SCHANNEL && !SSL_USE_OPENSSL
#include "webrtc/base/nssidentity.h"
#endif // SSL_USE_SCHANNEL
namespace rtc {
@ -143,27 +139,7 @@ SSLIdentity* SSLIdentity::FromPEMStrings(const std::string& private_key,
return OpenSSLIdentity::FromPEMStrings(private_key, certificate);
}
#elif SSL_USE_NSS // !SSL_USE_OPENSSL && !SSL_USE_SCHANNEL
SSLCertificate* SSLCertificate::FromPEMString(const std::string& pem_string) {
return NSSCertificate::FromPEMString(pem_string);
}
SSLIdentity* SSLIdentity::Generate(const std::string& common_name,
KeyType key_type) {
return NSSIdentity::Generate(common_name, key_type);
}
SSLIdentity* SSLIdentity::GenerateForTest(const SSLIdentityParams& params) {
return NSSIdentity::GenerateForTest(params);
}
SSLIdentity* SSLIdentity::FromPEMStrings(const std::string& private_key,
const std::string& certificate) {
return NSSIdentity::FromPEMStrings(private_key, certificate);
}
#else // !SSL_USE_OPENSSL && !SSL_USE_SCHANNEL && !SSL_USE_NSS
#else // !SSL_USE_OPENSSL && !SSL_USE_SCHANNEL
#error "No SSL implementation"

14
webrtc/base/sslidentity_unittest.cc
View File

@ -185,11 +185,7 @@ TEST_F(SSLIdentityTest, FixedDigestSHA1) {
}
// HASH_AlgSHA224 is not supported in the chromium linux build.
#if SSL_USE_NSS
TEST_F(SSLIdentityTest, DISABLED_FixedDigestSHA224) {
#else
TEST_F(SSLIdentityTest, FixedDigestSHA224) {
#endif
TestDigestForFixedCert(rtc::DIGEST_SHA_224, 28, kTestCertSha224);
}
@ -206,11 +202,7 @@ TEST_F(SSLIdentityTest, FixedDigestSHA512) {
}
// HASH_AlgSHA224 is not supported in the chromium linux build.
#if SSL_USE_NSS
TEST_F(SSLIdentityTest, DISABLED_DigestSHA224) {
#else
TEST_F(SSLIdentityTest, DigestSHA224) {
#endif
TestDigestForGeneratedCert(rtc::DIGEST_SHA_224, 28);
}
@ -264,11 +256,6 @@ TEST_F(SSLIdentityTest, FromPEMStringsRSA) {
EXPECT_EQ(kCERT_PEM, identity->certificate().ToPEMString());
}
#if SSL_USE_OPENSSL
// This will not work on NSS as PK11_ImportDERPrivateKeyInfoAndReturnKey is not
// ready for EC keys. Furthermore, NSSIdentity::FromPEMStrings is currently
// hardwired for RSA (the header matching via kPemTypeRsaPrivateKey needs
// trivial generalization).
TEST_F(SSLIdentityTest, FromPEMStringsEC) {
static const char kRSA_PRIVATE_KEY_PEM[] =
"-----BEGIN EC PRIVATE KEY-----\n"
@ -295,7 +282,6 @@ TEST_F(SSLIdentityTest, FromPEMStringsEC) {
EXPECT_TRUE(identity);
EXPECT_EQ(kCERT_PEM, identity->certificate().ToPEMString());
}
#endif
TEST_F(SSLIdentityTest, PemDerConversion) {
std::string der;

26
webrtc/base/sslstreamadapter.cc
View File

@ -23,11 +23,7 @@
#include "webrtc/base/opensslstreamadapter.h"
#elif SSL_USE_NSS // && !SSL_USE_SCHANNEL && !SSL_USE_OPENSSL
#include "webrtc/base/nssstreamadapter.h"
#endif // !SSL_USE_OPENSSL && !SSL_USE_SCHANNEL && !SSL_USE_NSS
#endif // !SSL_USE_OPENSSL && !SSL_USE_SCHANNEL
///////////////////////////////////////////////////////////////////////////////
@ -38,9 +34,7 @@ SSLStreamAdapter* SSLStreamAdapter::Create(StreamInterface* stream) {
return NULL;
#elif SSL_USE_OPENSSL // !SSL_USE_SCHANNEL
return new OpenSSLStreamAdapter(stream);
#elif SSL_USE_NSS // !SSL_USE_SCHANNEL && !SSL_USE_OPENSSL
return new NSSStreamAdapter(stream);
#else // !SSL_USE_SCHANNEL && !SSL_USE_OPENSSL && !SSL_USE_NSS
#else // !SSL_USE_SCHANNEL && !SSL_USE_OPENSSL
return NULL;
#endif
}
@ -90,21 +84,7 @@ std::string SSLStreamAdapter::GetDefaultSslCipher(SSLProtocolVersion version,
KeyType key_type) {
return OpenSSLStreamAdapter::GetDefaultSslCipher(version, key_type);
}
#elif SSL_USE_NSS
bool SSLStreamAdapter::HaveDtls() {
return NSSStreamAdapter::HaveDtls();
}
bool SSLStreamAdapter::HaveDtlsSrtp() {
return NSSStreamAdapter::HaveDtlsSrtp();
}
bool SSLStreamAdapter::HaveExporter() {
return NSSStreamAdapter::HaveExporter();
}
std::string SSLStreamAdapter::GetDefaultSslCipher(SSLProtocolVersion version,
KeyType key_type) {
return NSSStreamAdapter::GetDefaultSslCipher(version, key_type);
}
#endif // !SSL_USE_SCHANNEL && !SSL_USE_OPENSSL && !SSL_USE_NSS
#endif // !SSL_USE_SCHANNEL && !SSL_USE_OPENSSL
///////////////////////////////////////////////////////////////////////////////

18
webrtc/base/sslstreamadapter_unittest.cc
View File

@ -701,24 +701,6 @@ class SSLStreamAdapterTestDTLSFromPEMStrings : public SSLStreamAdapterTestDTLS {
// Basic tests: TLS
// Test that we cannot read/write if we have not yet handshaked.
// This test only applies to NSS because OpenSSL has passthrough
// semantics for I/O before the handshake is started.
#if SSL_USE_NSS
TEST_P(SSLStreamAdapterTestTLS, TestNoReadWriteBeforeConnect) {
rtc::StreamResult rv;
char block[kBlockSize];
size_t dummy;
rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL);
ASSERT_EQ(rtc::SR_BLOCK, rv);
rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL);
ASSERT_EQ(rtc::SR_BLOCK, rv);
}
#endif
// Test that we can make a handshake work
TEST_P(SSLStreamAdapterTestTLS, TestTLSConnect) {
TestHandshake();

2
webrtc/base/sslstreamadapterhelper.h
View File

@ -23,7 +23,7 @@ namespace rtc {
// SSLStreamAdapterHelper : A stream adapter which implements much
// of the logic that is common between the known implementations
// (NSS and OpenSSL)
// (OpenSSL and previously NSS)
class SSLStreamAdapterHelper : public SSLStreamAdapter {
public:
explicit SSLStreamAdapterHelper(StreamInterface* stream);

17
webrtc/build/sanitizers/lsan_suppressions_webrtc.cc
View File

@ -31,23 +31,6 @@ char kLSanDefaultSuppressions[] =
// Leaks in Nvidia's libGL.
"leak:libGL.so\n"
// TODO(earthdok): revisit NSS suppressions after the switch to BoringSSL
// NSS leaks in CertDatabaseNSSTest tests. http://crbug.com/51988
"leak:net::NSSCertDatabase::ImportFromPKCS12\n"
"leak:net::NSSCertDatabase::ListCerts\n"
"leak:net::NSSCertDatabase::DeleteCertAndKey\n"
"leak:crypto::ScopedTestNSSDB::ScopedTestNSSDB\n"
// Another leak due to not shutting down NSS properly. http://crbug.com/124445
"leak:error_get_my_stack\n"
// The NSS suppressions above will not fire when the fast stack unwinder is
// used, because it can't unwind through NSS libraries. Apply blanket
// suppressions for now.
"leak:libnssutil3\n"
"leak:libnspr4\n"
"leak:libnss3\n"
"leak:libplds4\n"
"leak:libnssckbi\n"
// XRandR has several one time leaks.
"leak:libxrandr\n"