zqz/platform-external-webrtc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enable SNI in ssl adapter.

Browse Source 
Bug: webrtc:6973
Change-Id: I13d28cf41c586880bd7fea523005233921794cdf
Reviewed-on: https://chromium-review.googlesource.com/523024
Reviewed-by: Zeke Chin <tkchin@webrtc.org>
Reviewed-by: Sami Kalliomäki <sakal@webrtc.org>
Reviewed-by: Justin Uberti <juberti@chromium.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Commit-Queue: Emad Omara <emadomara@google.com>
Cr-Commit-Position: refs/heads/master@{#18640}
This commit is contained in:
Emad Omara
2017-06-16 15:43:11 -07:00
committed by Commit Bot
parent 43b39de0ca
commit dab1d2d34e
10 changed files with 152 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
webrtc/api/peerconnectioninterface.h
View File

@ -180,15 +180,24 @@ class PeerConnectionInterface : public rtc::RefCountInterface {
struct IceServer { struct IceServer {
// TODO(jbauch): Remove uri when all code using it has switched to urls. // TODO(jbauch): Remove uri when all code using it has switched to urls.
// List of URIs associated with this server. Valid formats are described
// in RFC7064 and RFC7065, and more may be added in the future. The "host"
// part of the URI may contain either an IP address or a hostname.
std::string uri; std::string uri;
std::vector<std::string> urls; std::vector<std::string> urls;
std::string username; std::string username;
std::string password; std::string password;
TlsCertPolicy tls_cert_policy = kTlsCertPolicySecure; TlsCertPolicy tls_cert_policy = kTlsCertPolicySecure;
// If the URIs in |urls| only contain IP addresses, this field can be used
// to indicate the hostname, which may be necessary for TLS (using the SNI
// extension). If |urls| itself contains the hostname, this isn't
// necessary.
std::string hostname;
bool operator==(const IceServer& o) const { bool operator==(const IceServer& o) const {
return uri == o.uri && urls == o.urls && username == o.username && return uri == o.uri && urls == o.urls && username == o.username &&
password == o.password && tls_cert_policy == o.tls_cert_policy; password == o.password && tls_cert_policy == o.tls_cert_policy &&
hostname == o.hostname;
} }
bool operator!=(const IceServer& o) const { return !(*this == o); } bool operator!=(const IceServer& o) const { return !(*this == o); }
}; };

5
webrtc/base/openssladapter.cc
View File

@ -360,6 +360,11 @@ OpenSSLAdapter::BeginSSL() {
SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
// Enable SNI.
if (!ssl_host_name_.empty()) {
SSL_set_tlsext_host_name(ssl_, ssl_host_name_.c_str());
}
// the SSL object owns the bio now // the SSL object owns the bio now
bio = nullptr; bio = nullptr;

15
webrtc/p2p/base/portallocator.h
View File

@ -138,14 +138,23 @@ typedef std::vector<ProtocolAddress> PortList;
struct RelayServerConfig { struct RelayServerConfig {
RelayServerConfig(RelayType type) : type(type) {} RelayServerConfig(RelayType type) : type(type) {}
RelayServerConfig(const rtc::SocketAddress& address,
const std::string& username,
const std::string& password,
ProtocolType proto)
: type(RELAY_TURN), credentials(username, password) {
ports.push_back(ProtocolAddress(address, proto));
}
RelayServerConfig(const std::string& address, RelayServerConfig(const std::string& address,
int port, int port,
const std::string& username, const std::string& username,
const std::string& password, const std::string& password,
ProtocolType proto) ProtocolType proto)
: type(RELAY_TURN), credentials(username, password) { : RelayServerConfig(rtc::SocketAddress(address, port),
ports.push_back(ProtocolAddress(rtc::SocketAddress(address, port), proto)); username,
} password,
proto) {}
// Legacy constructor where "secure" and PROTO_TCP implies PROTO_TLS. // Legacy constructor where "secure" and PROTO_TCP implies PROTO_TLS.
RelayServerConfig(const std::string& address, RelayServerConfig(const std::string& address,

19
webrtc/pc/iceserverparsing.cc
View File

@ -233,8 +233,25 @@ static RTCErrorType ParseIceServerUrl(
// or credential are ommitted; this is the native equivalent. // or credential are ommitted; this is the native equivalent.
return RTCErrorType::INVALID_PARAMETER; return RTCErrorType::INVALID_PARAMETER;
} }
// If the hostname field is not empty, then the server address must be
// the resolved IP for that host, the hostname is needed later for TLS
// handshake (SNI and Certificate verification).
const std::string& hostname =
server.hostname.empty() ? address : server.hostname;
rtc::SocketAddress socket_address(hostname, port);
if (!server.hostname.empty()) {
rtc::IPAddress ip;
if (!IPFromString(address, &ip)) {
// When hostname is set, the server address must be a
// resolved ip address.
LOG(LS_ERROR) << "IceServer has hostname field set, but URI does not "
"contain an IP address.";
return RTCErrorType::INVALID_PARAMETER;
}
socket_address.SetResolvedIP(ip);
}
cricket::RelayServerConfig config = cricket::RelayServerConfig( cricket::RelayServerConfig config = cricket::RelayServerConfig(
address, port, username, server.password, turn_transport_type); socket_address, username, server.password, turn_transport_type);
if (server.tls_cert_policy == if (server.tls_cert_policy ==
PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck) { PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck) {
config.tls_cert_policy = config.tls_cert_policy =

21
webrtc/pc/iceserverparsing_unittest.cc
View File

@ -40,6 +40,14 @@ class IceServerParsingTest : public testing::Test {
const std::string& username, const std::string& username,
const std::string& password, const std::string& password,
PeerConnectionInterface::TlsCertPolicy tls_certificate_policy) { PeerConnectionInterface::TlsCertPolicy tls_certificate_policy) {
return ParseUrl(url, username, password, tls_certificate_policy, "");
}
bool ParseUrl(const std::string& url,
const std::string& username,
const std::string& password,
PeerConnectionInterface::TlsCertPolicy tls_certificate_policy,
const std::string& hostname) {
stun_servers_.clear(); stun_servers_.clear();
turn_servers_.clear(); turn_servers_.clear();
PeerConnectionInterface::IceServers servers; PeerConnectionInterface::IceServers servers;
@ -48,6 +56,7 @@ class IceServerParsingTest : public testing::Test {
server.username = username; server.username = username;
server.password = password; server.password = password;
server.tls_cert_policy = tls_certificate_policy; server.tls_cert_policy = tls_certificate_policy;
server.hostname = hostname;
servers.push_back(server); servers.push_back(server);
return webrtc::ParseIceServers(servers, &stun_servers_, &turn_servers_) == return webrtc::ParseIceServers(servers, &stun_servers_, &turn_servers_) ==
webrtc::RTCErrorType::NONE; webrtc::RTCErrorType::NONE;
@ -148,6 +157,18 @@ TEST_F(IceServerParsingTest, ParseHostnameAndPort) {
EXPECT_EQ("hostname", stun_servers_.begin()->hostname()); EXPECT_EQ("hostname", stun_servers_.begin()->hostname());
EXPECT_EQ(3478, stun_servers_.begin()->port()); EXPECT_EQ(3478, stun_servers_.begin()->port());
// Both TURN IP and host exist
EXPECT_TRUE(
ParseUrl("turn:1.2.3.4:1234", "username", "password",
PeerConnectionInterface::TlsCertPolicy::kTlsCertPolicySecure,
"hostname"));
EXPECT_EQ(1U, turn_servers_.size());
rtc::SocketAddress address = turn_servers_[0].ports[0].address;
EXPECT_EQ("hostname", address.hostname());
EXPECT_EQ(1234, address.port());
EXPECT_FALSE(address.IsUnresolvedIP());
EXPECT_EQ("1.2.3.4", address.ipaddr().ToString());
// Try some invalid hostname:port strings. // Try some invalid hostname:port strings.
EXPECT_FALSE(ParseUrl("stun:hostname:99a99")); EXPECT_FALSE(ParseUrl("stun:hostname:99a99"));
EXPECT_FALSE(ParseUrl("stun:hostname:-1")); EXPECT_FALSE(ParseUrl("stun:hostname:-1"));

18
webrtc/sdk/android/api/org/webrtc/PeerConnection.java
View File

@ -96,11 +96,20 @@ public class PeerConnection {
/** Java version of PeerConnectionInterface.IceServer. */ /** Java version of PeerConnectionInterface.IceServer. */
public static class IceServer { public static class IceServer {
// List of URIs associated with this server. Valid formats are described
// in RFC7064 and RFC7065, and more may be added in the future. The "host"
// part of the URI may contain either an IP address or a hostname.
public final String uri; public final String uri;
public final String username; public final String username;
public final String password; public final String password;
public final TlsCertPolicy tlsCertPolicy; public final TlsCertPolicy tlsCertPolicy;
// If the URIs in |urls| only contain IP addresses, this field can be used
// to indicate the hostname, which may be necessary for TLS (using the SNI
// extension). If |urls| itself contains the hostname, this isn't
// necessary.
public final String hostname;
/** Convenience constructor for STUN servers. */ /** Convenience constructor for STUN servers. */
public IceServer(String uri) { public IceServer(String uri) {
this(uri, "", ""); this(uri, "", "");
@ -111,14 +120,21 @@ public class PeerConnection {
} }
public IceServer(String uri, String username, String password, TlsCertPolicy tlsCertPolicy) { public IceServer(String uri, String username, String password, TlsCertPolicy tlsCertPolicy) {
this(uri, username, password, tlsCertPolicy, "");
}
public IceServer(String uri, String username, String password, TlsCertPolicy tlsCertPolicy,
String hostname) {
this.uri = uri; this.uri = uri;
this.username = username; this.username = username;
this.password = password; this.password = password;
this.tlsCertPolicy = tlsCertPolicy; this.tlsCertPolicy = tlsCertPolicy;
this.hostname = hostname;
} }
public String toString() { public String toString() {
return uri + " [" + username + ":" + password + "] [" + tlsCertPolicy + "]"; return uri + " [" + username + ":" + password + "] [" + tlsCertPolicy + "] [" + hostname
+ "]";
} }
} }

5
webrtc/sdk/android/src/jni/peerconnection_jni.cc
View File

@ -1703,6 +1703,8 @@ static void JavaIceServersToJsepIceServers(
"Lorg/webrtc/PeerConnection$TlsCertPolicy;"); "Lorg/webrtc/PeerConnection$TlsCertPolicy;");
jobject j_ice_server_tls_cert_policy = jobject j_ice_server_tls_cert_policy =
GetObjectField(jni, j_ice_server, j_ice_server_tls_cert_policy_id); GetObjectField(jni, j_ice_server, j_ice_server_tls_cert_policy_id);
jfieldID j_ice_server_hostname_id =
GetFieldID(jni, j_ice_server_class, "hostname", "Ljava/lang/String;");
jstring uri = reinterpret_cast<jstring>( jstring uri = reinterpret_cast<jstring>(
GetObjectField(jni, j_ice_server, j_ice_server_uri_id)); GetObjectField(jni, j_ice_server, j_ice_server_uri_id));
jstring username = reinterpret_cast<jstring>( jstring username = reinterpret_cast<jstring>(
@ -1711,11 +1713,14 @@ static void JavaIceServersToJsepIceServers(
GetObjectField(jni, j_ice_server, j_ice_server_password_id)); GetObjectField(jni, j_ice_server, j_ice_server_password_id));
PeerConnectionInterface::TlsCertPolicy tls_cert_policy = PeerConnectionInterface::TlsCertPolicy tls_cert_policy =
JavaTlsCertPolicyTypeToNativeType(jni, j_ice_server_tls_cert_policy); JavaTlsCertPolicyTypeToNativeType(jni, j_ice_server_tls_cert_policy);
jstring hostname = reinterpret_cast<jstring>(
GetObjectField(jni, j_ice_server, j_ice_server_hostname_id));
PeerConnectionInterface::IceServer server; PeerConnectionInterface::IceServer server;
server.uri = JavaToStdString(jni, uri); server.uri = JavaToStdString(jni, uri);
server.username = JavaToStdString(jni, username); server.username = JavaToStdString(jni, username);
server.password = JavaToStdString(jni, password); server.password = JavaToStdString(jni, password);
server.tls_cert_policy = tls_cert_policy; server.tls_cert_policy = tls_cert_policy;
server.hostname = JavaToStdString(jni, hostname);
ice_servers->push_back(server); ice_servers->push_back(server);
} }
} }

29
webrtc/sdk/objc/Framework/Classes/PeerConnection/RTCIceServer.mm
View File

@ -18,6 +18,7 @@
@synthesize username = _username; @synthesize username = _username;
@synthesize credential = _credential; @synthesize credential = _credential;
@synthesize tlsCertPolicy = _tlsCertPolicy; @synthesize tlsCertPolicy = _tlsCertPolicy;
@synthesize hostname = _hostname;
- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings { - (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings {
return [self initWithURLStrings:urlStrings return [self initWithURLStrings:urlStrings
@ -38,21 +39,36 @@
username:(NSString *)username username:(NSString *)username
credential:(NSString *)credential credential:(NSString *)credential
tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy { tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy {
return [self initWithURLStrings:urlStrings
username:username
credential:credential
tlsCertPolicy:RTCTlsCertPolicySecure
hostname:nil];
}
- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings
username:(NSString *)username
credential:(NSString *)credential
tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy
hostname:(NSString *)hostname {
NSParameterAssert(urlStrings.count); NSParameterAssert(urlStrings.count);
if (self = [super init]) { if (self = [super init]) {
_urlStrings = [[NSArray alloc] initWithArray:urlStrings copyItems:YES]; _urlStrings = [[NSArray alloc] initWithArray:urlStrings copyItems:YES];
_username = [username copy]; _username = [username copy];
_credential = [credential copy]; _credential = [credential copy];
_tlsCertPolicy = tlsCertPolicy; _tlsCertPolicy = tlsCertPolicy;
_hostname = [hostname copy];
} }
return self; return self;
} }
- (NSString *)description { - (NSString *)description {
return return [NSString stringWithFormat:@"RTCIceServer:\n%@\n%@\n%@\n%@\n%@",
[NSString stringWithFormat:@"RTCIceServer:\n%@\n%@\n%@\n%@", _urlStrings, _urlStrings,
_username, _credential, _username,
[self stringForTlsCertPolicy:_tlsCertPolicy]]; _credential,
[self stringForTlsCertPolicy:_tlsCertPolicy],
_hostname];
} }
#pragma mark - Private #pragma mark - Private
@ -71,6 +87,7 @@
iceServer.username = [NSString stdStringForString:_username]; iceServer.username = [NSString stdStringForString:_username];
iceServer.password = [NSString stdStringForString:_credential]; iceServer.password = [NSString stdStringForString:_credential];
iceServer.hostname = [NSString stdStringForString:_hostname];
[_urlStrings enumerateObjectsUsingBlock:^(NSString *url, [_urlStrings enumerateObjectsUsingBlock:^(NSString *url,
NSUInteger idx, NSUInteger idx,
@ -100,6 +117,7 @@
} }
NSString *username = [NSString stringForStdString:nativeServer.username]; NSString *username = [NSString stringForStdString:nativeServer.username];
NSString *credential = [NSString stringForStdString:nativeServer.password]; NSString *credential = [NSString stringForStdString:nativeServer.password];
NSString *hostname = [NSString stringForStdString:nativeServer.hostname];
RTCTlsCertPolicy tlsCertPolicy; RTCTlsCertPolicy tlsCertPolicy;
switch (nativeServer.tls_cert_policy) { switch (nativeServer.tls_cert_policy) {
@ -114,7 +132,8 @@
self = [self initWithURLStrings:urls self = [self initWithURLStrings:urls
username:username username:username
credential:credential credential:credential
tlsCertPolicy:tlsCertPolicy]; tlsCertPolicy:tlsCertPolicy
hostname:hostname];
return self; return self;
} }

18
webrtc/sdk/objc/Framework/Headers/WebRTC/RTCIceServer.h
View File

@ -36,6 +36,13 @@ RTC_EXPORT
*/ */
@property(nonatomic, readonly) RTCTlsCertPolicy tlsCertPolicy; @property(nonatomic, readonly) RTCTlsCertPolicy tlsCertPolicy;
/**
If the URIs in |urls| only contain IP addresses, this field can be used
to indicate the hostname, which may be necessary for TLS (using the SNI
extension). If |urls| itself contains the hostname, this isn't necessary.
*/
@property(nonatomic, readonly, nullable) NSString *hostname;
- (nonnull instancetype)init NS_UNAVAILABLE; - (nonnull instancetype)init NS_UNAVAILABLE;
/** Convenience initializer for a server with no authentication (e.g. STUN). */ /** Convenience initializer for a server with no authentication (e.g. STUN). */
@ -53,11 +60,20 @@ RTC_EXPORT
* Initialize an RTCIceServer with its associated URLs, optional username, * Initialize an RTCIceServer with its associated URLs, optional username,
* optional credential, and TLS cert policy. * optional credential, and TLS cert policy.
*/ */
- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings
username:(nullable NSString *)username
credential:(nullable NSString *)credential
tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy;
/**
* Initialize an RTCIceServer with its associated URLs, optional username,
* optional credential, TLS cert policy and hostname.
*/
- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings - (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings
username:(nullable NSString *)username username:(nullable NSString *)username
credential:(nullable NSString *)credential credential:(nullable NSString *)credential
tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy
NS_DESIGNATED_INITIALIZER; hostname:(nullable NSString *)hostname NS_DESIGNATED_INITIALIZER;
@end @end

23
webrtc/sdk/objc/Framework/UnitTests/RTCIceServerTest.mm
View File

@ -62,11 +62,26 @@
EXPECT_EQ("credential", iceStruct.password); EXPECT_EQ("credential", iceStruct.password);
} }
- (void)testHostname {
RTCIceServer *server = [[RTCIceServer alloc] initWithURLStrings:@[ @"turn1:turn1.example.net" ]
username:@"username"
credential:@"credential"
tlsCertPolicy:RTCTlsCertPolicySecure
hostname:@"hostname"];
webrtc::PeerConnectionInterface::IceServer iceStruct = server.nativeServer;
EXPECT_EQ(1u, iceStruct.urls.size());
EXPECT_EQ("turn1:turn1.example.net", iceStruct.urls.front());
EXPECT_EQ("username", iceStruct.username);
EXPECT_EQ("credential", iceStruct.password);
EXPECT_EQ("hostname", iceStruct.hostname);
}
- (void)testInitFromNativeServer { - (void)testInitFromNativeServer {
webrtc::PeerConnectionInterface::IceServer nativeServer; webrtc::PeerConnectionInterface::IceServer nativeServer;
nativeServer.username = "username"; nativeServer.username = "username";
nativeServer.password = "password"; nativeServer.password = "password";
nativeServer.urls.push_back("stun:stun.example.net"); nativeServer.urls.push_back("stun:stun.example.net");
nativeServer.hostname = "hostname";
RTCIceServer *iceServer = RTCIceServer *iceServer =
[[RTCIceServer alloc] initWithNativeServer:nativeServer]; [[RTCIceServer alloc] initWithNativeServer:nativeServer];
@ -75,6 +90,7 @@
[NSString stdStringForString:iceServer.urlStrings.firstObject]); [NSString stdStringForString:iceServer.urlStrings.firstObject]);
EXPECT_EQ("username", [NSString stdStringForString:iceServer.username]); EXPECT_EQ("username", [NSString stdStringForString:iceServer.username]);
EXPECT_EQ("password", [NSString stdStringForString:iceServer.credential]); EXPECT_EQ("password", [NSString stdStringForString:iceServer.credential]);
EXPECT_EQ("hostname", [NSString stdStringForString:iceServer.hostname]);
} }
@end @end
@ -100,6 +116,13 @@ TEST(RTCIceServerTest, PasswordCredentialTest) {
} }
} }
TEST(RTCIceServerTest, HostnameTest) {
@autoreleasepool {
RTCIceServerTest *test = [[RTCIceServerTest alloc] init];
[test testHostname];
}
}
TEST(RTCIceServerTest, InitFromNativeServerTest) { TEST(RTCIceServerTest, InitFromNativeServerTest) {
@autoreleasepool { @autoreleasepool {
RTCIceServerTest *test = [[RTCIceServerTest alloc] init]; RTCIceServerTest *test = [[RTCIceServerTest alloc] init];