Change the default behaviour rtc_builtin_ssl_root_certificates.
Instead of defining a pre-processor macro when someone wants to include the built-in SSL root certificates, this CL switches the default and assumes everyone prefers to include them. If the built-in SSL root certificates are not needed because they are injected into the PeerConnection, it will be possible to define a pre-processor macro (WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS) to remove them. In a GN build it is possible to tell GN to define the macro by setting rtc_builtin_ssl_root_certificates to false in "gn args". Bug: webrtc:9332 Change-Id: Icc3f2caeddca6899cbc5974f21b480d75d15556f Reviewed-on: https://webrtc-review.googlesource.com/94147 Reviewed-by: Karl Wiberg <kwiberg@webrtc.org> Reviewed-by: Benjamin Wright <benwright@webrtc.org> Commit-Queue: Mirko Bonadei <mbonadei@webrtc.org> Cr-Commit-Position: refs/heads/master@{#24302}
committed by
Commit Bot

parent
6f2f073028
commit
b889a20968
4
BUILD.gn
4
BUILD.gn
@ -92,6 +92,10 @@ config("common_inherited_config") {
|
||||
defines += [ "WEBRTC_MOZILLA_BUILD" ]
|
||||
}
|
||||
|
||||
if (!rtc_builtin_ssl_root_certificates) {
|
||||
defines += [ "WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS" ]
|
||||
}
|
||||
|
||||
# Some tests need to declare their own trace event handlers. If this define is
|
||||
# not set, the first time TRACE_EVENT_* is called it will store the return
|
||||
# value for the current handler in an static variable, so that subsequent
|
||||
|
@ -871,10 +871,6 @@ rtc_static_library("rtc_base_generic") {
|
||||
configs += [ ":external_ssl_library" ]
|
||||
}
|
||||
|
||||
if (rtc_builtin_ssl_root_certificates) {
|
||||
defines += [ "WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES" ]
|
||||
}
|
||||
|
||||
if (is_android) {
|
||||
sources += [
|
||||
"ifaddrs-android.cc",
|
||||
@ -1309,9 +1305,6 @@ if (rtc_include_tests) {
|
||||
} else {
|
||||
configs += [ ":external_ssl_library" ]
|
||||
}
|
||||
if (rtc_builtin_ssl_root_certificates) {
|
||||
defines += [ "WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES" ]
|
||||
}
|
||||
}
|
||||
}
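Review bot: The new `defines += [ "WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS" ]` inside `common_inherited_config` carries no comment explaining why the define must live in the inherited config rather than on `rtc_base_generic` and the test target, where the old positive define was removed. The reason is visible in this same change: `rtc_base/opensslutility.h` only declares `LoadBuiltinSSLRootCertificates` when the macro is not defined, so every translation unit that includes rtc_base headers, not just rtc_base itself, has to see the same value or the declaration and the definition in `opensslutility.cc` disagree. Embedders who compile against these headers outside GN presumably have to pass the -D themselves, which is worth stating where the flag is wired. I would add above the new `if`: `# Keep this in the inherited config: rtc_base/opensslutility.h and openssladapter.cc key off this macro, so every TU including those headers must see the same value. Non-GN embedders must define it themselves.`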
|
||||
|
||||
|
@ -907,14 +907,14 @@ SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
if (!openssl::LoadBuiltinSSLRootCertificates(ctx)) {
|
||||
RTC_LOG(LS_ERROR) << "SSL_CTX creation failed: Failed to load any trusted "
|
||||
"ssl root certificates.";
|
||||
SSL_CTX_free(ctx);
|
||||
return nullptr;
|
||||
}
|
||||
#endif // WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
|
||||
#if !defined(NDEBUG)
|
||||
SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
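Review bot: With `WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS` defined, `CreateContext` now returns a context into which this function has loaded no root certificates at all, and nothing in the hunk makes that visible at runtime; an empty trust store that is only diagnosed as a later handshake failure is the case a reviewer would want logged. Because the default flipped, an embedder that previously injected its own roots and has not yet adopted the new define presumably now gets the built-in list merged into the same `SSL_CTX` as well, which widens its set of trust anchors until it opts out. I would add an `#else` branch before the new `#endif`: `RTC_LOG(LS_INFO) << "Built-in SSL root certificates excluded; trust store must be supplied by the embedder.";` so logs show which configuration is active, and mention the widened-default behaviour in the header comment of `LoadBuiltinSSLRootCertificates`. The enclosing function starts and ends outside the hunk.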
|
||||
|
@ -36,9 +36,9 @@
|
||||
#include "rtc_base/openssldigest.h"
|
||||
#include "rtc_base/opensslidentity.h"
|
||||
#include "rtc_base/opensslutility.h"
|
||||
#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
#include "rtc_base/sslroots.h"
|
||||
#endif
|
||||
#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
|
||||
namespace rtc {
|
||||
|
||||
|
@ -33,9 +33,9 @@
|
||||
#include "rtc_base/numerics/safe_conversions.h"
|
||||
#include "rtc_base/openssl.h"
|
||||
#include "rtc_base/opensslcertificate.h"
|
||||
#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
#include "rtc_base/sslroots.h"
|
||||
#endif // WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
|
||||
namespace rtc {
|
||||
namespace openssl {
|
||||
@ -110,7 +110,7 @@ void LogSSLErrors(const std::string& prefix) {
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
bool LoadBuiltinSSLRootCertificates(SSL_CTX* ctx) {
|
||||
int count_of_added_certs = 0;
|
||||
for (size_t i = 0; i < arraysize(kSSLCertCertificateList); i++) {
|
||||
@ -130,7 +130,7 @@ bool LoadBuiltinSSLRootCertificates(SSL_CTX* ctx) {
|
||||
}
|
||||
return count_of_added_certs > 0;
|
||||
}
|
||||
#endif // WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
|
||||
} // namespace openssl
|
||||
} // namespace rtc
|
||||
|
@ -28,12 +28,12 @@ bool VerifyPeerCertMatchesHost(SSL* ssl, const std::string& host);
|
||||
// prefix can be provided for context.
|
||||
void LogSSLErrors(const std::string& prefix);
|
||||
|
||||
#ifdef WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#ifndef WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
// Attempt to add the certificates from the loader into the SSL_CTX. False is
|
||||
// returned only if there are no certificates returned from the loader or none
|
||||
// of them can be added to the TrustStore for the provided context.
|
||||
bool LoadBuiltinSSLRootCertificates(SSL_CTX* ssl_ctx);
|
||||
#endif // WEBRTC_BUILT_IN_SSL_ROOT_CERTIFICATES
|
||||
#endif // WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS
|
||||
|
||||
} // namespace openssl
|
||||
} // namespace rtc
|
||||
|