Add SSLConfig object to IceServer.
This is a rollforward of https://webrtc-review.googlesource.com/c/src/+/96020,
with the addition of setting the old tlsCertPolicy, tlsAlpnProtocols and
tlsEllipticCurves in the RTCIceServer initializer, for backwards compatibility.
Bug: webrtc:9662
Change-Id: I28706ed4ff5abe3f7f913f105779f0e5412aeac5
Reviewed-on: https://webrtc-review.googlesource.com/98762
Commit-Queue: Diogo Real <diogor@google.com>
Reviewed-by: Sami Kalliomäki <sakal@webrtc.org>
Reviewed-by: Kári Helgason <kthelgason@webrtc.org>
Reviewed-by: Steve Anton <steveanton@webrtc.org>
Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#24696}diff --git a/sdk/BUILD.gn b/sdk/BUILD.gn
index 36909e2..4930ad5 100644
--- a/sdk/BUILD.gn
+++ b/sdk/BUILD.gn
@@ -870,6 +870,9 @@
"objc/api/peerconnection/RTCRtpTransceiver.mm",
"objc/api/peerconnection/RTCSSLAdapter.h",
"objc/api/peerconnection/RTCSSLAdapter.mm",
+ "objc/api/peerconnection/RTCSSLConfig+Native.h",
+ "objc/api/peerconnection/RTCSSLConfig.h",
+ "objc/api/peerconnection/RTCSSLConfig.mm",
"objc/api/peerconnection/RTCSessionDescription+Private.h",
"objc/api/peerconnection/RTCSessionDescription.h",
"objc/api/peerconnection/RTCSessionDescription.mm",
@@ -985,6 +988,7 @@
"objc/Framework/Headers/WebRTC/RTCRtpSender.h",
"objc/Framework/Headers/WebRTC/RTCRtpTransceiver.h",
"objc/Framework/Headers/WebRTC/RTCSSLAdapter.h",
+ "objc/Framework/Headers/WebRTC/RTCSSLConfig.h",
"objc/Framework/Headers/WebRTC/RTCSessionDescription.h",
"objc/Framework/Headers/WebRTC/RTCTracing.h",
"objc/Framework/Headers/WebRTC/RTCVideoCapturer.h",
diff --git a/sdk/android/BUILD.gn b/sdk/android/BUILD.gn
index 080684a..1013f0b 100644
--- a/sdk/android/BUILD.gn
+++ b/sdk/android/BUILD.gn
@@ -306,6 +306,7 @@
"api/org/webrtc/RtpSender.java",
"api/org/webrtc/RtpTransceiver.java",
"api/org/webrtc/SSLCertificateVerifier.java",
+ "api/org/webrtc/SslConfig.java",
"api/org/webrtc/SdpObserver.java",
"api/org/webrtc/SessionDescription.java",
"api/org/webrtc/StatsObserver.java",
@@ -648,6 +649,8 @@
"src/jni/pc/sessiondescription.h",
"src/jni/pc/sslcertificateverifierwrapper.cc",
"src/jni/pc/sslcertificateverifierwrapper.h",
+ "src/jni/pc/sslconfig.cc",
+ "src/jni/pc/sslconfig.h",
"src/jni/pc/statsobserver.cc",
"src/jni/pc/statsobserver.h",
"src/jni/pc/turncustomizer.cc",
@@ -1193,6 +1196,7 @@
"api/org/webrtc/SSLCertificateVerifier.java",
"api/org/webrtc/SdpObserver.java",
"api/org/webrtc/SessionDescription.java",
+ "api/org/webrtc/SslConfig.java",
"api/org/webrtc/StatsObserver.java",
"api/org/webrtc/StatsReport.java",
"api/org/webrtc/TurnCustomizer.java",
diff --git a/sdk/android/api/org/webrtc/PeerConnection.java b/sdk/android/api/org/webrtc/PeerConnection.java
index 2f9adcf..2161711 100644
--- a/sdk/android/api/org/webrtc/PeerConnection.java
+++ b/sdk/android/api/org/webrtc/PeerConnection.java
@@ -50,6 +50,7 @@
}
}
+ // TODO(diogor, webrtc:9673): Remove TlsCertPolicy. It's deprecated, in favor of SslConfig.
/** Tracks PeerConnectionInterface::TlsCertPolicy */
public enum TlsCertPolicy {
TLS_CERT_POLICY_SECURE,
@@ -126,7 +127,9 @@
public final List<String> urls;
public final String username;
public final String password;
- public final TlsCertPolicy tlsCertPolicy;
+ // TODO(diogor, webrtc:9673): Remove tlsCertPolicy from this API.
+ // This field will be ignored if tlsCertPolicy is also set in SslConfig.
+ @Deprecated public final TlsCertPolicy tlsCertPolicy;
// If the URIs in |urls| only contain IP addresses, this field can be used
// to indicate the hostname, which may be necessary for TLS (using the SNI
@@ -134,12 +137,18 @@
// necessary.
public final String hostname;
+ // TODO(diogor, webrtc:9673): Remove tlsAlpnProtocols from this API.
// List of protocols to be used in the TLS ALPN extension.
- public final List<String> tlsAlpnProtocols;
+ @Deprecated public final List<String> tlsAlpnProtocols;
+ // TODO(diogor, webrtc:9673): Remove tlsEllipticCurves from this API.
// List of elliptic curves to be used in the TLS elliptic curves extension.
// Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
- public final List<String> tlsEllipticCurves;
+ // This field will be ignored if tlsEllipticCurves is also set in SslConfig.
+ @Deprecated public final List<String> tlsEllipticCurves;
+
+ // SSL configuration options for any SSL/TLS connections to this IceServer.
+ public final SslConfig sslConfig;
/** Convenience constructor for STUN servers. */
@Deprecated
@@ -161,12 +170,12 @@
public IceServer(String uri, String username, String password, TlsCertPolicy tlsCertPolicy,
String hostname) {
this(uri, Collections.singletonList(uri), username, password, tlsCertPolicy, hostname, null,
- null);
+ null, SslConfig.builder().createSslConfig());
}
private IceServer(String uri, List<String> urls, String username, String password,
TlsCertPolicy tlsCertPolicy, String hostname, List<String> tlsAlpnProtocols,
- List<String> tlsEllipticCurves) {
+ List<String> tlsEllipticCurves, SslConfig sslConfig) {
if (uri == null || urls == null || urls.isEmpty()) {
throw new IllegalArgumentException("uri == null || urls == null || urls.isEmpty()");
}
@@ -192,12 +201,13 @@
this.hostname = hostname;
this.tlsAlpnProtocols = tlsAlpnProtocols;
this.tlsEllipticCurves = tlsEllipticCurves;
+ this.sslConfig = sslConfig;
}
@Override
public String toString() {
return urls + " [" + username + ":" + password + "] [" + tlsCertPolicy + "] [" + hostname
- + "] [" + tlsAlpnProtocols + "] [" + tlsEllipticCurves + "]";
+ + "] [" + tlsAlpnProtocols + "] [" + tlsEllipticCurves + "] [" + sslConfig + "]";
}
public static Builder builder(String uri) {
@@ -216,6 +226,7 @@
private String hostname = "";
private List<String> tlsAlpnProtocols;
private List<String> tlsEllipticCurves;
+ private SslConfig sslConfig = SslConfig.builder().createSslConfig();
private Builder(List<String> urls) {
if (urls == null || urls.isEmpty()) {
@@ -234,6 +245,7 @@
return this;
}
+ @Deprecated
public Builder setTlsCertPolicy(TlsCertPolicy tlsCertPolicy) {
this.tlsCertPolicy = tlsCertPolicy;
return this;
@@ -244,19 +256,26 @@
return this;
}
+ @Deprecated
public Builder setTlsAlpnProtocols(List<String> tlsAlpnProtocols) {
this.tlsAlpnProtocols = tlsAlpnProtocols;
return this;
}
+ @Deprecated
public Builder setTlsEllipticCurves(List<String> tlsEllipticCurves) {
this.tlsEllipticCurves = tlsEllipticCurves;
return this;
}
+ public Builder setSslConfig(SslConfig sslConfig) {
+ this.sslConfig = sslConfig;
+ return this;
+ }
+
public IceServer createIceServer() {
return new IceServer(urls.get(0), urls, username, password, tlsCertPolicy, hostname,
- tlsAlpnProtocols, tlsEllipticCurves);
+ tlsAlpnProtocols, tlsEllipticCurves, sslConfig);
}
}
@@ -298,6 +317,11 @@
List<String> getTlsEllipticCurves() {
return tlsEllipticCurves;
}
+
+ @CalledByNative("IceServer")
+ SslConfig getSslConfig() {
+ return sslConfig;
+ }
}
/** Java version of PeerConnectionInterface.IceTransportsType */
diff --git a/sdk/android/api/org/webrtc/SslConfig.java b/sdk/android/api/org/webrtc/SslConfig.java
new file mode 100644
index 0000000..7a94928
--- /dev/null
+++ b/sdk/android/api/org/webrtc/SslConfig.java
@@ -0,0 +1,204 @@
+/*
+ * Copyright 2018 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+package org.webrtc;
+
+import java.util.Collections;
+import java.util.List;
+import javax.annotation.Nullable;
+
+/**
+ * Java version of rtc::SSLConfig.
+ *
+ * Contains the configuration of any SSL/TLS connections that are initiated by
+ * our client.
+ */
+public class SslConfig {
+ /** Tracks rtc::TlsCertPolicy */
+ public enum TlsCertPolicy {
+ TLS_CERT_POLICY_SECURE,
+ TLS_CERT_POLICY_INSECURE_NO_CHECK,
+ }
+
+ /** Indicates whether to enable OCSP stapling in TLS. */
+ public final boolean enableOcspStapling;
+ /** Indicates whether to enable the signed certificate timestamp extension in TLS. */
+ public final boolean enableSignedCertTimestamp;
+ /** Indicates whether to enable the TLS Channel ID extension. */
+ public final boolean enableTlsChannelId;
+ /** Indicates whether to enable the TLS GREASE extension. */
+ public final boolean enableGrease;
+
+ /** Indicates how to process TURN server certificates */
+ public final TlsCertPolicy tlsCertPolicy;
+
+ /**
+ * Highest supported SSL version, as defined in the supported_versions TLS extension.
+ * If null, the default OpenSSL/BoringSSL max version will be used.
+ */
+ @Nullable public final Integer maxSslVersion;
+
+ /**
+ * List of protocols to be used in the TLS ALPN extension.
+ * If null, the default list of OpenSSL/BoringSSL ALPN protocols will be used.
+ */
+ @Nullable public final List<String> tlsAlpnProtocols;
+
+ /**
+ * List of elliptic curves to be used in the TLS elliptic curves extension.
+ * Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
+ * If null, the default list of OpenSSL/BoringSSL curves will be used.
+ */
+ @Nullable public final List<String> tlsEllipticCurves;
+
+ private SslConfig(boolean enableOcspStapling, boolean enableSignedCertTimestamp,
+ boolean enableTlsChannelId, boolean enableGrease, TlsCertPolicy tlsCertPolicy,
+ Integer maxSslVersion, List<String> tlsAlpnProtocols, List<String> tlsEllipticCurves) {
+ this.enableOcspStapling = enableOcspStapling;
+ this.enableSignedCertTimestamp = enableSignedCertTimestamp;
+ this.enableTlsChannelId = enableTlsChannelId;
+ this.enableGrease = enableGrease;
+ this.tlsCertPolicy = tlsCertPolicy;
+ this.maxSslVersion = maxSslVersion;
+ if (tlsAlpnProtocols != null) {
+ this.tlsAlpnProtocols = Collections.unmodifiableList(tlsAlpnProtocols);
+ } else {
+ this.tlsAlpnProtocols = null;
+ }
+ if (tlsEllipticCurves != null) {
+ this.tlsEllipticCurves = Collections.unmodifiableList(tlsEllipticCurves);
+ } else {
+ this.tlsEllipticCurves = null;
+ }
+ }
+
+ @Override
+ public String toString() {
+ return "[enableOcspStapling=" + enableOcspStapling + "] [enableSignedCertTimestamp="
+ + enableSignedCertTimestamp + "] [enableTlsChannelId=" + enableTlsChannelId
+ + "] [enableGrease=" + enableGrease + "] [tlsCertPolicy=" + tlsCertPolicy
+ + "] [maxSslVersion=" + maxSslVersion + "] [tlsAlpnProtocols=" + tlsAlpnProtocols
+ + "] [tlsEllipticCurves=" + tlsEllipticCurves + "]";
+ }
+
+ public static Builder builder() {
+ return new Builder();
+ }
+
+ public static class Builder {
+ private boolean enableOcspStapling;
+ private boolean enableSignedCertTimestamp;
+ private boolean enableTlsChannelId;
+ private boolean enableGrease;
+ private TlsCertPolicy tlsCertPolicy;
+ @Nullable private Integer maxSslVersion;
+ @Nullable private List<String> tlsAlpnProtocols;
+ @Nullable private List<String> tlsEllipticCurves;
+
+ private Builder() {
+ this.enableOcspStapling = true;
+ this.enableSignedCertTimestamp = true;
+ this.enableTlsChannelId = false;
+ this.enableGrease = false;
+ this.tlsCertPolicy = TlsCertPolicy.TLS_CERT_POLICY_SECURE;
+ this.maxSslVersion = null;
+ this.tlsAlpnProtocols = null;
+ this.tlsEllipticCurves = null;
+ }
+
+ public Builder setEnableOcspStapling(boolean enableOcspStapling) {
+ this.enableOcspStapling = enableOcspStapling;
+ return this;
+ }
+
+ public Builder setEnableSignedCertTimestamp(boolean enableSignedCertTimestamp) {
+ this.enableSignedCertTimestamp = enableSignedCertTimestamp;
+ return this;
+ }
+
+ public Builder setEnableTlsChannelId(boolean enableTlsChannelId) {
+ this.enableTlsChannelId = enableTlsChannelId;
+ return this;
+ }
+
+ public Builder setEnableGrease(boolean enableGrease) {
+ this.enableGrease = enableGrease;
+ return this;
+ }
+
+ public Builder setTlsCertPolicy(TlsCertPolicy tlsCertPolicy) {
+ this.tlsCertPolicy = tlsCertPolicy;
+ return this;
+ }
+
+ public Builder setMaxSslVersion(int maxSslVersion) {
+ this.maxSslVersion = maxSslVersion;
+ return this;
+ }
+
+ public Builder setTlsAlpnProtocols(List<String> tlsAlpnProtocols) {
+ this.tlsAlpnProtocols = tlsAlpnProtocols;
+ return this;
+ }
+
+ public Builder setTlsEllipticCurves(List<String> tlsEllipticCurves) {
+ this.tlsEllipticCurves = tlsEllipticCurves;
+ return this;
+ }
+
+ public SslConfig createSslConfig() {
+ return new SslConfig(enableOcspStapling, enableSignedCertTimestamp, enableTlsChannelId,
+ enableGrease, tlsCertPolicy, maxSslVersion, tlsAlpnProtocols, tlsEllipticCurves);
+ }
+ }
+
+ @CalledByNative
+ boolean getEnableOcspStapling() {
+ return enableOcspStapling;
+ }
+
+ @CalledByNative
+ boolean getEnableSignedCertTimestamp() {
+ return enableSignedCertTimestamp;
+ }
+
+ @CalledByNative
+ boolean getEnableTlsChannelId() {
+ return enableTlsChannelId;
+ }
+
+ @CalledByNative
+ boolean getEnableGrease() {
+ return enableGrease;
+ }
+
+ @CalledByNative
+ TlsCertPolicy getTlsCertPolicy() {
+ return tlsCertPolicy;
+ }
+
+ @Nullable
+ @CalledByNative
+ Integer getMaxSslVersion() {
+ return maxSslVersion;
+ }
+
+ @Nullable
+ @CalledByNative
+ List<String> getTlsAlpnProtocols() {
+ return tlsAlpnProtocols;
+ }
+
+ @Nullable
+ @CalledByNative
+ List<String> getTlsEllipticCurves() {
+ return tlsEllipticCurves;
+ }
+}
diff --git a/sdk/android/src/jni/pc/peerconnection.cc b/sdk/android/src/jni/pc/peerconnection.cc
index 79da797..1d9f945 100644
--- a/sdk/android/src/jni/pc/peerconnection.cc
+++ b/sdk/android/src/jni/pc/peerconnection.cc
@@ -51,6 +51,7 @@
#include "sdk/android/src/jni/pc/rtpsender.h"
#include "sdk/android/src/jni/pc/sdpobserver.h"
#include "sdk/android/src/jni/pc/sessiondescription.h"
+#include "sdk/android/src/jni/pc/sslconfig.h"
#include "sdk/android/src/jni/pc/statsobserver.h"
#include "sdk/android/src/jni/pc/turncustomizer.h"
@@ -87,6 +88,8 @@
Java_IceServer_getTlsAlpnProtocols(jni, j_ice_server);
ScopedJavaLocalRef<jobject> tls_elliptic_curves =
Java_IceServer_getTlsEllipticCurves(jni, j_ice_server);
+ ScopedJavaLocalRef<jobject> ssl_config =
+ Java_IceServer_getSslConfig(jni, j_ice_server);
PeerConnectionInterface::IceServer server;
server.urls = JavaListToNativeVector<std::string, jstring>(
jni, urls, &JavaToNativeString);
@@ -98,6 +101,7 @@
jni, tls_alpn_protocols, &JavaToNativeString);
server.tls_elliptic_curves = JavaListToNativeVector<std::string, jstring>(
jni, tls_elliptic_curves, &JavaToNativeString);
+ server.ssl_config = JavaToNativeSslConfig(jni, ssl_config);
ice_servers.push_back(server);
}
return ice_servers;
diff --git a/sdk/android/src/jni/pc/sslconfig.cc b/sdk/android/src/jni/pc/sslconfig.cc
new file mode 100644
index 0000000..678f49a
--- /dev/null
+++ b/sdk/android/src/jni/pc/sslconfig.cc
@@ -0,0 +1,78 @@
+
+/*
+ * Copyright 2018 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "sdk/android/src/jni/pc/sslconfig.h"
+
+#include <string>
+
+#include "rtc_base/ssladapter.h"
+#include "sdk/android/generated_peerconnection_jni/jni/SslConfig_jni.h"
+#include "sdk/android/native_api/jni/java_types.h"
+#include "sdk/android/src/jni/jni_helpers.h"
+
+namespace webrtc {
+namespace jni {
+
+rtc::TlsCertPolicy JavaToNativeRtcTlsCertPolicy(
+ JNIEnv* jni,
+ const JavaRef<jobject>& j_ssl_config_tls_cert_policy) {
+ std::string enum_name = GetJavaEnumName(jni, j_ssl_config_tls_cert_policy);
+
+ if (enum_name == "TLS_CERT_POLICY_SECURE")
+ return rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE;
+
+ if (enum_name == "TLS_CERT_POLICY_INSECURE_NO_CHECK")
+ return rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
+
+ RTC_NOTREACHED();
+ return rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE;
+}
+
+rtc::SSLConfig JavaToNativeSslConfig(JNIEnv* jni,
+ const JavaRef<jobject>& j_ssl_config) {
+ rtc::SSLConfig ssl_config;
+ ssl_config.enable_ocsp_stapling =
+ Java_SslConfig_getEnableOcspStapling(jni, j_ssl_config);
+ ssl_config.enable_signed_cert_timestamp =
+ Java_SslConfig_getEnableSignedCertTimestamp(jni, j_ssl_config);
+ ssl_config.enable_tls_channel_id =
+ Java_SslConfig_getEnableTlsChannelId(jni, j_ssl_config);
+ ssl_config.enable_grease = Java_SslConfig_getEnableGrease(jni, j_ssl_config);
+
+ ScopedJavaLocalRef<jobject> j_ssl_config_max_ssl_version =
+ Java_SslConfig_getMaxSslVersion(jni, j_ssl_config);
+ ssl_config.max_ssl_version =
+ JavaToNativeOptionalInt(jni, j_ssl_config_max_ssl_version);
+
+ ScopedJavaLocalRef<jobject> j_ssl_config_tls_cert_policy =
+ Java_SslConfig_getTlsCertPolicy(jni, j_ssl_config);
+ ssl_config.tls_cert_policy =
+ JavaToNativeRtcTlsCertPolicy(jni, j_ssl_config_tls_cert_policy);
+
+ ScopedJavaLocalRef<jobject> j_ssl_config_tls_alpn_protocols =
+ Java_SslConfig_getTlsAlpnProtocols(jni, j_ssl_config);
+ if (!IsNull(jni, j_ssl_config_tls_alpn_protocols)) {
+ ssl_config.tls_alpn_protocols =
+ JavaListToNativeVector<std::string, jstring>(
+ jni, j_ssl_config_tls_alpn_protocols, &JavaToNativeString);
+ }
+ ScopedJavaLocalRef<jobject> j_ssl_config_tls_elliptic_curves =
+ Java_SslConfig_getTlsEllipticCurves(jni, j_ssl_config);
+ if (!IsNull(jni, j_ssl_config_tls_elliptic_curves)) {
+ ssl_config.tls_elliptic_curves =
+ JavaListToNativeVector<std::string, jstring>(
+ jni, j_ssl_config_tls_elliptic_curves, &JavaToNativeString);
+ }
+ return ssl_config;
+}
+
+} // namespace jni
+} // namespace webrtc
diff --git a/sdk/android/src/jni/pc/sslconfig.h b/sdk/android/src/jni/pc/sslconfig.h
new file mode 100644
index 0000000..38de114
--- /dev/null
+++ b/sdk/android/src/jni/pc/sslconfig.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2018 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#ifndef SDK_ANDROID_SRC_JNI_PC_SSLCONFIG_H_
+#define SDK_ANDROID_SRC_JNI_PC_SSLCONFIG_H_
+
+#include "api/peerconnectioninterface.h"
+#include "sdk/android/native_api/jni/scoped_java_ref.h"
+
+namespace webrtc {
+namespace jni {
+
+rtc::TlsCertPolicy JavaToNativeRtcTlsCertPolicy(
+ JNIEnv* jni,
+ const JavaRef<jobject>& j_ssl_config_tls_cert_policy);
+
+rtc::SSLConfig JavaToNativeSslConfig(JNIEnv* env,
+ const JavaRef<jobject>& j_ssl_config);
+
+} // namespace jni
+} // namespace webrtc
+
+#endif // SDK_ANDROID_SRC_JNI_PC_SSLCONFIG_H_
diff --git a/sdk/objc/Framework/Headers/WebRTC/RTCSSLConfig.h b/sdk/objc/Framework/Headers/WebRTC/RTCSSLConfig.h
new file mode 100644
index 0000000..b572522
--- /dev/null
+++ b/sdk/objc/Framework/Headers/WebRTC/RTCSSLConfig.h
@@ -0,0 +1,11 @@
+/*
+ * Copyright 2018 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#import "api/peerconnection/RTCSSLConfig.h"
diff --git a/sdk/objc/api/peerconnection/RTCIceServer.h b/sdk/objc/api/peerconnection/RTCIceServer.h
index c2def04..a9760c7 100644
--- a/sdk/objc/api/peerconnection/RTCIceServer.h
+++ b/sdk/objc/api/peerconnection/RTCIceServer.h
@@ -11,11 +11,7 @@
#import <Foundation/Foundation.h>
#import "RTCMacros.h"
-
-typedef NS_ENUM(NSUInteger, RTCTlsCertPolicy) {
- RTCTlsCertPolicySecure,
- RTCTlsCertPolicyInsecureNoCheck
-};
+#import "RTCSSLConfig.h"
NS_ASSUME_NONNULL_BEGIN
@@ -32,7 +28,8 @@
@property(nonatomic, readonly, nullable) NSString *credential;
/**
- * TLS certificate policy to use if this RTCIceServer object is a TURN server.
+ Deprecated. TODO(diogor, webrtc:9673): Remove from API.
+ TLS certificate policy to use if this RTCIceServer object is a TURN server.
*/
@property(nonatomic, readonly) RTCTlsCertPolicy tlsCertPolicy;
@@ -43,15 +40,24 @@
*/
@property(nonatomic, readonly, nullable) NSString *hostname;
-/** List of protocols to be used in the TLS ALPN extension. */
+/**
+ Deprecated. TODO(diogor, webrtc:9673): Remove from API.
+ List of protocols to be used in the TLS ALPN extension.
+ This field will be ignored if also set in RTCSSLConfig.
+ */
@property(nonatomic, readonly) NSArray<NSString *> *tlsAlpnProtocols;
/**
+ Deprecated. TODO(diogor, webrtc:9673): Remove from API.
List elliptic curves to be used in the TLS elliptic curves extension.
Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
+ This field will be ignored if also set in RTCSSLConfig.
*/
@property(nonatomic, readonly) NSArray<NSString *> *tlsEllipticCurves;
+/** SSL configuration options for any SSL/TLS connections to this IceServer. */
+@property(nonatomic, readonly) RTCSSLConfig *sslConfig;
+
- (nonnull instancetype)init NS_UNAVAILABLE;
/** Convenience initializer for a server with no authentication (e.g. STUN). */
@@ -106,8 +112,17 @@
tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy
hostname:(nullable NSString *)hostname
tlsAlpnProtocols:(nullable NSArray<NSString *> *)tlsAlpnProtocols
- tlsEllipticCurves:(nullable NSArray<NSString *> *)tlsEllipticCurves
- NS_DESIGNATED_INITIALIZER;
+ tlsEllipticCurves:(nullable NSArray<NSString *> *)tlsEllipticCurves;
+
+/**
+ * Initialize an RTCIceServer with its associated URLs, optional
+ * username, optional credential, hostname and SSL config.
+ */
+- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings
+ username:(nullable NSString *)username
+ credential:(nullable NSString *)credential
+ hostname:(nullable NSString *)hostname
+ sslConfig:(RTCSSLConfig *)sslConfig NS_DESIGNATED_INITIALIZER;
@end
diff --git a/sdk/objc/api/peerconnection/RTCIceServer.mm b/sdk/objc/api/peerconnection/RTCIceServer.mm
index 2138e4c..d03fd81 100644
--- a/sdk/objc/api/peerconnection/RTCIceServer.mm
+++ b/sdk/objc/api/peerconnection/RTCIceServer.mm
@@ -9,6 +9,7 @@
*/
#import "RTCIceServer+Private.h"
+#import "RTCSSLConfig+Native.h"
#import "helpers/NSString+StdString.h"
@@ -21,6 +22,7 @@
@synthesize hostname = _hostname;
@synthesize tlsAlpnProtocols = _tlsAlpnProtocols;
@synthesize tlsEllipticCurves = _tlsEllipticCurves;
+@synthesize sslConfig = _sslConfig;
- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings {
return [self initWithURLStrings:urlStrings
@@ -83,28 +85,50 @@
hostname:(NSString *)hostname
tlsAlpnProtocols:(NSArray<NSString *> *)tlsAlpnProtocols
tlsEllipticCurves:(NSArray<NSString *> *)tlsEllipticCurves {
+ RTCSSLConfig *sslConfig = [[RTCSSLConfig alloc] init];
+ sslConfig.tlsCertPolicy = tlsCertPolicy;
+ sslConfig.tlsALPNProtocols = [[NSArray alloc] initWithArray:tlsAlpnProtocols copyItems:YES];
+ sslConfig.tlsEllipticCurves = [[NSArray alloc] initWithArray:tlsEllipticCurves copyItems:YES];
+ return [self initWithURLStrings:urlStrings
+ username:username
+ credential:credential
+ hostname:hostname
+ sslConfig:sslConfig];
+}
+
+- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings
+ username:(NSString *)username
+ credential:(NSString *)credential
+ hostname:(NSString *)hostname
+ sslConfig:(RTCSSLConfig *)sslConfig {
NSParameterAssert(urlStrings.count);
if (self = [super init]) {
_urlStrings = [[NSArray alloc] initWithArray:urlStrings copyItems:YES];
_username = [username copy];
_credential = [credential copy];
- _tlsCertPolicy = tlsCertPolicy;
_hostname = [hostname copy];
- _tlsAlpnProtocols = [[NSArray alloc] initWithArray:tlsAlpnProtocols copyItems:YES];
- _tlsEllipticCurves = [[NSArray alloc] initWithArray:tlsEllipticCurves copyItems:YES];
+ _sslConfig = sslConfig;
+
+ // TODO(diogor, webrtc:9673): Remove these duplicate assignments.
+ _tlsCertPolicy = sslConfig.tlsCertPolicy;
+ if (sslConfig.tlsALPNProtocols) {
+ _tlsAlpnProtocols = [[NSArray alloc] initWithArray:sslConfig.tlsALPNProtocols copyItems:YES];
+ }
+ if (sslConfig.tlsEllipticCurves) {
+ _tlsEllipticCurves =
+ [[NSArray alloc] initWithArray:sslConfig.tlsEllipticCurves copyItems:YES];
+ }
}
return self;
}
- (NSString *)description {
- return [NSString stringWithFormat:@"RTCIceServer:\n%@\n%@\n%@\n%@\n%@\n%@\n%@",
+ return [NSString stringWithFormat:@"RTCIceServer:\n%@\n%@\n%@\n%@\n%@",
_urlStrings,
_username,
_credential,
- [self stringForTlsCertPolicy:_tlsCertPolicy],
_hostname,
- _tlsAlpnProtocols,
- _tlsEllipticCurves];
+ _sslConfig];
}
#pragma mark - Private
@@ -149,6 +173,8 @@
webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck;
break;
}
+
+ iceServer.ssl_config = [_sslConfig nativeConfig];
return iceServer;
}
@@ -162,34 +188,38 @@
NSString *username = [NSString stringForStdString:nativeServer.username];
NSString *credential = [NSString stringForStdString:nativeServer.password];
NSString *hostname = [NSString stringForStdString:nativeServer.hostname];
- NSMutableArray *tlsAlpnProtocols =
- [NSMutableArray arrayWithCapacity:nativeServer.tls_alpn_protocols.size()];
- for (auto const &proto : nativeServer.tls_alpn_protocols) {
- [tlsAlpnProtocols addObject:[NSString stringForStdString:proto]];
- }
- NSMutableArray *tlsEllipticCurves =
- [NSMutableArray arrayWithCapacity:nativeServer.tls_elliptic_curves.size()];
- for (auto const &curve : nativeServer.tls_elliptic_curves) {
- [tlsEllipticCurves addObject:[NSString stringForStdString:curve]];
- }
- RTCTlsCertPolicy tlsCertPolicy;
+ RTCSSLConfig *sslConfig = [[RTCSSLConfig alloc] initWithNativeConfig:nativeServer.ssl_config];
- switch (nativeServer.tls_cert_policy) {
- case webrtc::PeerConnectionInterface::kTlsCertPolicySecure:
- tlsCertPolicy = RTCTlsCertPolicySecure;
- break;
- case webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck:
- tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck;
- break;
+ if (!nativeServer.ssl_config.tls_alpn_protocols.has_value() &&
+ !nativeServer.tls_alpn_protocols.empty()) {
+ NSMutableArray *tlsALPNProtocols =
+ [NSMutableArray arrayWithCapacity:nativeServer.tls_alpn_protocols.size()];
+ for (auto const &proto : nativeServer.tls_alpn_protocols) {
+ [tlsALPNProtocols addObject:[NSString stringForStdString:proto]];
+ }
+ sslConfig.tlsALPNProtocols = tlsALPNProtocols;
+ }
+
+ if (!nativeServer.ssl_config.tls_elliptic_curves.has_value() &&
+ !nativeServer.tls_elliptic_curves.empty()) {
+ NSMutableArray *tlsEllipticCurves =
+ [NSMutableArray arrayWithCapacity:nativeServer.tls_elliptic_curves.size()];
+ for (auto const &curve : nativeServer.tls_elliptic_curves) {
+ [tlsEllipticCurves addObject:[NSString stringForStdString:curve]];
+ }
+ sslConfig.tlsEllipticCurves = tlsEllipticCurves;
+ }
+
+ if (nativeServer.tls_cert_policy ==
+ webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck) {
+ sslConfig.tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck;
}
self = [self initWithURLStrings:urls
username:username
credential:credential
- tlsCertPolicy:tlsCertPolicy
hostname:hostname
- tlsAlpnProtocols:tlsAlpnProtocols
- tlsEllipticCurves:tlsEllipticCurves];
+ sslConfig:sslConfig];
return self;
}
diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h b/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h
new file mode 100644
index 0000000..7a38edc
--- /dev/null
+++ b/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2018 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#import "RTCSSLConfig.h"
+
+#include "api/peerconnectioninterface.h"
+#include "rtc_base/ssladapter.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface RTCSSLConfig (Native)
+
+- (rtc::SSLConfig)nativeConfig;
+
+/** Initialize an RTCSSLConfig from a native SSLConfig. */
+- (instancetype)initWithNativeConfig:(const rtc::SSLConfig &)config;
+
+@end
+
+NS_ASSUME_NONNULL_END
diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig.h b/sdk/objc/api/peerconnection/RTCSSLConfig.h
new file mode 100644
index 0000000..5421609
--- /dev/null
+++ b/sdk/objc/api/peerconnection/RTCSSLConfig.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2018 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#import <Foundation/Foundation.h>
+
+#import <WebRTC/RTCMacros.h>
+
+typedef NS_ENUM(NSUInteger, RTCTlsCertPolicy) {
+ RTCTlsCertPolicySecure,
+ RTCTlsCertPolicyInsecureNoCheck
+};
+
+NS_ASSUME_NONNULL_BEGIN
+
+RTC_EXPORT
+@interface RTCSSLConfig : NSObject
+
+/** Indicates whether to enable OCSP stapling in TLS. */
+@property(nonatomic) BOOL enableOCSPStapling;
+
+/** Indicates whether to enable the signed certificate timestamp extension in TLS. */
+@property(nonatomic) BOOL enableSignedCertTimestamp;
+
+/** Indicates whether to enable the TLS Channel ID extension. */
+@property(nonatomic) BOOL enableTlsChannelId;
+
+/** Indicates whether to enable the TLS GREASE extension. */
+@property(nonatomic) BOOL enableGrease;
+
+/** Indicates how to process TURN server certificates */
+@property(nonatomic) RTCTlsCertPolicy tlsCertPolicy;
+
+/** Highest supported SSL version, as defined in the supported_versions TLS extension. */
+@property(nonatomic, nullable) NSNumber *maxSSLVersion;
+
+/** List of protocols to be used in the TLS ALPN extension. */
+@property(nonatomic, copy, nullable) NSArray<NSString *> *tlsALPNProtocols;
+
+/**
+ List of elliptic curves to be used in the TLS elliptic curves extension.
+ Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
+ */
+@property(nonatomic, copy, nullable) NSArray<NSString *> *tlsEllipticCurves;
+
+- (instancetype)init;
+
+@end
+
+NS_ASSUME_NONNULL_END
diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig.mm b/sdk/objc/api/peerconnection/RTCSSLConfig.mm
new file mode 100644
index 0000000..60ff47c
--- /dev/null
+++ b/sdk/objc/api/peerconnection/RTCSSLConfig.mm
@@ -0,0 +1,134 @@
+/*
+ * Copyright 2018 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#import "RTCSSLConfig+Native.h"
+
+#import "helpers/NSString+StdString.h"
+
+@implementation RTCSSLConfig
+
+@synthesize enableOCSPStapling = _enableOCSPStapling;
+@synthesize enableSignedCertTimestamp = _enableSignedCertTimestamp;
+@synthesize enableTlsChannelId = _enableTlsChannelId;
+@synthesize enableGrease = _enableGrease;
+@synthesize tlsCertPolicy = _tlsCertPolicy;
+@synthesize maxSSLVersion = _maxSSLVersion;
+@synthesize tlsALPNProtocols = _tlsALPNProtocols;
+@synthesize tlsEllipticCurves = _tlsEllipticCurves;
+
+- (instancetype)init {
+ // Copy defaults
+ rtc::SSLConfig config;
+ return [self initWithNativeConfig:config];
+}
+
+- (instancetype)initWithNativeConfig:(const rtc::SSLConfig &)config {
+ if (self = [super init]) {
+ _enableOCSPStapling = config.enable_ocsp_stapling;
+ _enableSignedCertTimestamp = config.enable_signed_cert_timestamp;
+ _enableTlsChannelId = config.enable_tls_channel_id;
+ _enableGrease = config.enable_grease;
+
+ switch (config.tls_cert_policy) {
+ case rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE:
+ _tlsCertPolicy = RTCTlsCertPolicySecure;
+ break;
+ case rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK:
+ _tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck;
+ break;
+ }
+
+ if (config.max_ssl_version) {
+ _maxSSLVersion = [NSNumber numberWithInt:*config.max_ssl_version];
+ }
+ if (config.tls_alpn_protocols) {
+ NSMutableArray *tlsALPNProtocols =
+ [NSMutableArray arrayWithCapacity:config.tls_alpn_protocols.value().size()];
+ for (auto const &proto : config.tls_alpn_protocols.value()) {
+ [tlsALPNProtocols addObject:[NSString stringForStdString:proto]];
+ }
+ _tlsALPNProtocols = tlsALPNProtocols;
+ }
+ if (config.tls_elliptic_curves) {
+ NSMutableArray *tlsEllipticCurves =
+ [NSMutableArray arrayWithCapacity:config.tls_elliptic_curves.value().size()];
+ for (auto const &curve : config.tls_elliptic_curves.value()) {
+ [tlsEllipticCurves addObject:[NSString stringForStdString:curve]];
+ }
+ _tlsEllipticCurves = tlsEllipticCurves;
+ }
+ }
+ return self;
+}
+
+- (NSString *)description {
+ return [NSString stringWithFormat:@"RTCSSLConfig:\n%d\n%d\n%d\n%d\n%@\n%@\n%@\n%@",
+ _enableOCSPStapling,
+ _enableSignedCertTimestamp,
+ _enableTlsChannelId,
+ _enableGrease,
+ [self stringForTlsCertPolicy:_tlsCertPolicy],
+ _maxSSLVersion,
+ _tlsALPNProtocols,
+ _tlsEllipticCurves];
+}
+
+#pragma mark - Private
+
+- (NSString *)stringForTlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy {
+ switch (tlsCertPolicy) {
+ case RTCTlsCertPolicySecure:
+ return @"RTCTlsCertPolicySecure";
+ case RTCTlsCertPolicyInsecureNoCheck:
+ return @"RTCTlsCertPolicyInsecureNoCheck";
+ }
+}
+
+- (rtc::SSLConfig)nativeConfig {
+ __block rtc::SSLConfig sslConfig;
+
+ sslConfig.enable_ocsp_stapling = _enableOCSPStapling;
+ sslConfig.enable_signed_cert_timestamp = _enableSignedCertTimestamp;
+ sslConfig.enable_tls_channel_id = _enableTlsChannelId;
+ sslConfig.enable_grease = _enableGrease;
+
+ switch (_tlsCertPolicy) {
+ case RTCTlsCertPolicySecure:
+ sslConfig.tls_cert_policy = rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE;
+ break;
+ case RTCTlsCertPolicyInsecureNoCheck:
+ sslConfig.tls_cert_policy = rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
+ break;
+ }
+
+ if (_maxSSLVersion != nil) {
+ sslConfig.max_ssl_version = absl::optional<int>(_maxSSLVersion.intValue);
+ }
+
+ if (_tlsALPNProtocols != nil) {
+ __block std::vector<std::string> alpn_protocols;
+ [_tlsALPNProtocols enumerateObjectsUsingBlock:^(NSString *proto, NSUInteger idx, BOOL *stop) {
+ alpn_protocols.push_back(proto.stdString);
+ }];
+ sslConfig.tls_alpn_protocols = absl::optional<std::vector<std::string>>(alpn_protocols);
+ }
+
+ if (_tlsEllipticCurves != nil) {
+ __block std::vector<std::string> elliptic_curves;
+ [_tlsEllipticCurves enumerateObjectsUsingBlock:^(NSString *curve, NSUInteger idx, BOOL *stop) {
+ elliptic_curves.push_back(curve.stdString);
+ }];
+ sslConfig.tls_elliptic_curves = absl::optional<std::vector<std::string>>(elliptic_curves);
+ }
+
+ return sslConfig;
+}
+
+@end
diff --git a/sdk/objc/unittests/RTCIceServerTest.mm b/sdk/objc/unittests/RTCIceServerTest.mm
index 8ef5195..7659196 100644
--- a/sdk/objc/unittests/RTCIceServerTest.mm
+++ b/sdk/objc/unittests/RTCIceServerTest.mm
@@ -89,7 +89,7 @@
EXPECT_EQ("username", iceStruct.username);
EXPECT_EQ("credential", iceStruct.password);
EXPECT_EQ("hostname", iceStruct.hostname);
- EXPECT_EQ(2u, iceStruct.tls_alpn_protocols.size());
+ EXPECT_EQ(2u, iceStruct.ssl_config.tls_alpn_protocols.value().size());
}
- (void)testTlsEllipticCurves {
@@ -106,8 +106,8 @@
EXPECT_EQ("username", iceStruct.username);
EXPECT_EQ("credential", iceStruct.password);
EXPECT_EQ("hostname", iceStruct.hostname);
- EXPECT_EQ(2u, iceStruct.tls_alpn_protocols.size());
- EXPECT_EQ(2u, iceStruct.tls_elliptic_curves.size());
+ EXPECT_EQ(2u, iceStruct.ssl_config.tls_alpn_protocols.value().size());
+ EXPECT_EQ(2u, iceStruct.ssl_config.tls_elliptic_curves.value().size());
}
- (void)testInitFromNativeServer {
@@ -129,8 +129,8 @@
EXPECT_EQ("username", [NSString stdStringForString:iceServer.username]);
EXPECT_EQ("password", [NSString stdStringForString:iceServer.credential]);
EXPECT_EQ("hostname", [NSString stdStringForString:iceServer.hostname]);
- EXPECT_EQ(2u, iceServer.tlsAlpnProtocols.count);
- EXPECT_EQ(2u, iceServer.tlsEllipticCurves.count);
+ EXPECT_EQ(2u, iceServer.sslConfig.tlsALPNProtocols.count);
+ EXPECT_EQ(2u, iceServer.sslConfig.tlsEllipticCurves.count);
}
@end