From b889a20968ab688672624e6ea538a98b50904dca Mon Sep 17 00:00:00 2001
From: Mirko Bonadei
Date: Wed, 15 Aug 2018 11:41:27 +0200
Subject: [PATCH] Change the default behaviour rtc_builtin_ssl_root_certificates.

Instead of defining a pre-processor macro when someone wants to include built-in ssl roots certs, this CL switches the default and assumes everyone prefer to include built-in ssl roots certs. If built-in ssl roots certs are not needed because they are injected in the PeerConnection it will be possible to define a pre-processor macro (WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS) to remove them. In a GN build it is possible to tell GN to define the macro by setting rtc_builtin_ssl_root_certificates to false in "gn args".

Bug: webrtc:9332
Change-Id: Icc3f2caeddca6899cbc5974f21b480d75d15556f
Reviewed-on: https://webrtc-review.googlesource.com/94147
Reviewed-by: Karl Wiberg
Reviewed-by: Benjamin Wright
Commit-Queue: Mirko Bonadei
Cr-Commit-Position: refs/heads/master@{#24302}
---
 BUILD.gn | 4 ++++
 rtc_base/BUILD.gn | 7 -------
 rtc_base/openssladapter.cc | 4 ++--
 rtc_base/opensslcertificate.cc | 4 ++--
 rtc_base/opensslutility.cc | 8 ++++----
 rtc_base/opensslutility.h | 4 ++--
 6 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/BUILD.gn b/BUILD.gn
index 2e3c91aaac..b3afa76fc2 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -92,6 +92,10 @@ config("common_inherited_config") {
     defines += [ "WEBRTC_MOZILLA_BUILD" ]
   }
 
+  if (!rtc_builtin_ssl_root_certificates) {
+    defines += [ "WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS" ]
+  }
+
   # Some tests need to declare their own trace event handlers. If this define is
   # not set, the first time TRACE_EVENT_* is called it will store the return
   # value for the current handler in an static variable, so that subsequent
diff --git a/rtc_base/BUILD.gn b/rtc_base/BUILD.gn
index cc4d0bc58e..c076b21fdf 100644
--- a/rtc_base/BUILD.gn
+++ b/rtc_base/BUILD.gn
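Review bot: The new `if (!rtc_builtin_ssl_root_certificates)` block in `common_inherited_config` carries no comment saying that the default has flipped from opt-in to opt-out, so a reader of BUILD.gn alone cannot tell that every dependent target now compiles the built-in root store into the OpenSSL context unless the arg is explicitly set to false. Because this define decides which trust anchors `OpenSSLAdapter::CreateContext` installs, the intent belongs next to it: `# Built-in SSL root certificates are compiled in by default; set rtc_builtin_ssl_root_certificates=false to exclude them when the embedder injects its own trust anchors.` Builds that do not go through GN must define `WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS` themselves to keep the previous behaviour, and a comment here is the only place in the tree that would tell them so.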
@@ -871,10 +871,6 @@ rtc_static_library("rtc_base_generic") {
     configs += [ ":external_ssl_library" ]
   }
 
-  if (rtc_builtin_ssl_root_certificates) {
-    defines += [ "WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES" ]
-  }
-
   if (is_android) {
     sources += [
       "ifaddrs-android.cc",
@@ -1309,9 +1305,6 @@ if (rtc_include_tests) {
       } else {
         configs += [ ":external_ssl_library" ]
       }
-      if (rtc_builtin_ssl_root_certificates) {
-        defines += [ "WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES" ]
-      }
     }
   }
 
diff --git a/rtc_base/openssladapter.cc b/rtc_base/openssladapter.cc
index 05de6d0778..50284a6719 100644
--- a/rtc_base/openssladapter.cc
+++ b/rtc_base/openssladapter.cc
@@ -907,14 +907,14 @@ SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
     return nullptr;
   }
 
-#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
   if (!openssl::LoadBuiltinSSLRootCertificates(ctx)) {
     RTC_LOG(LS_ERROR) << "SSL_CTX creation failed: Failed to load any trusted "
                          "ssl root certificates.";
     SSL_CTX_free(ctx);
     return nullptr;
   }
-#endif // WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 
 #if !defined(NDEBUG)
   SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
diff --git a/rtc_base/opensslcertificate.cc b/rtc_base/opensslcertificate.cc
index 15fc303803..ed67a8938e 100644
--- a/rtc_base/opensslcertificate.cc
+++ b/rtc_base/opensslcertificate.cc
@@ -36,9 +36,9 @@
 #include "rtc_base/openssldigest.h"
 #include "rtc_base/opensslidentity.h"
 #include "rtc_base/opensslutility.h"
-#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 #include "rtc_base/sslroots.h"
-#endif
+#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 
 namespace rtc {
 
diff --git a/rtc_base/opensslutility.cc b/rtc_base/opensslutility.cc
index bf6832c5e6..46f4547436 100644
--- a/rtc_base/opensslutility.cc
+++ b/rtc_base/opensslutility.cc
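Review bot: With the gate in `CreateContext` now `#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS`, a build that defines the macro hands back an `SSL_CTX` with no trust anchors at all, and nothing in this hunk records that the embedder is then responsible for injecting them before peer verification can succeed. A comment on the `#ifndef` line would make that contract visible: `// Built-in roots are compiled in unless the embedder opts out; when excluded, the context has no trust store until certificates are injected.` `CreateContext` begins and ends outside the hunk, so whether it configures verification elsewhere cannot be confirmed from here. The failure path itself is unchanged and sound: if none of the built-in certificates can be added, the context is freed and creation fails rather than continuing with an empty store.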
@@ -33,9 +33,9 @@
 #include "rtc_base/numerics/safe_conversions.h"
 #include "rtc_base/openssl.h"
 #include "rtc_base/opensslcertificate.h"
-#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 #include "rtc_base/sslroots.h"
-#endif // WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 
 namespace rtc {
 namespace openssl {
@@ -110,7 +110,7 @@ void LogSSLErrors(const std::string& prefix) {
   }
 }
 
-#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 bool LoadBuiltinSSLRootCertificates(SSL_CTX* ctx) {
   int count_of_added_certs = 0;
   for (size_t i = 0; i < arraysize(kSSLCertCertificateList); i++) {
@@ -130,7 +130,7 @@ bool LoadBuiltinSSLRootCertificates(SSL_CTX* ctx) {
   }
   return count_of_added_certs > 0;
 }
-#endif // WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 
 } // namespace openssl
 } // namespace rtc
diff --git a/rtc_base/opensslutility.h b/rtc_base/opensslutility.h
index f579f505f8..7cb38b5b52 100644
--- a/rtc_base/opensslutility.h
+++ b/rtc_base/opensslutility.h
@@ -28,12 +28,12 @@ bool VerifyPeerCertMatchesHost(SSL* ssl, const std::string& host);
 // prefix can be provided for context.
 void LogSSLErrors(const std::string& prefix);
 
-#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 // Attempt to add the certificates from the loader into the SSL_CTX. False is
 // returned only if there are no certificates returned from the loader or none
 // of them can be added to the TrustStore for the provided context.
 bool LoadBuiltinSSLRootCertificates(SSL_CTX* ssl_ctx);
-#endif // WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
+#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
 
 } // namespace openssl
 } // namespace rtc
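Review bot: The rename in opensslutility.h leaves no guard against an embedder that still defines the old `WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES` macro, and because the new gate is a negative `#ifndef`, such a build now compiles the built-in roots in silently instead of leaving them out as it did before; the same applies to the `#ifndef` hunks in opensslutility.cc, opensslcertificate.cc and openssladapter.cc. This header is included by opensslcertificate.cc (visible in its hunk) and presumably by openssladapter.cc, which calls `openssl::LoadBuiltinSSLRootCertificates`, so it is the natural place for a one-time check ahead of the `#ifndef`: `#if defined(WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES)`, `#error "WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES was replaced by WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS; built-in roots are now included by default."`, `#endif`. The declaration's comment could also say that the function is compiled out entirely when the exclude macro is defined, so callers know to gate their own call the same way.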