Add disabled certificate check support to IceServer PeerConnection API.
Refactor "OPT_SSLTCP" renaming it to "OPT_TLS_FAKE", making it clear
that it's not actually some kind of SSL over TCP. Also making it clear
that it's mutually exclusive with OPT_TLS.
Add "OPT_TLS_INSECURE" that implements the new certificate-check
disabled TLS mode, which is also mutually exclusive with the other
TLS options.
PortAllocator: Add a new TLS policy enum TlsCertPolicy which defines
the new insecure mode and added it as a RelayCredentials member.
TurnPort: Add new TLS policy member with appropriate getter and setter
to avoid constructor bloat. Initialize it from the RelayCredentials
after the TurnPort is created.
Expose the new feature in the PeerConnection API via
IceServer.tls_certificate_policy as well as via the Android JNI
PeerConnection API.
For security reasons we ensure that:
1) The policy is always explicitly initialized to secure.
2) API users have to explicitly integrate with the feature to
use it, and will otherwise get no change in behavior.
3) The feature is not immediately exposed in non-native
contexts. For example, disabling of certificate validation
is not implemented via URI parsing since this would
immediately allow it to be used from a web page.
BUG=webrtc:6840
Review-Url: https://codereview.webrtc.org/2557803002
Cr-Commit-Position: refs/heads/master@{#15670}
diff --git a/webrtc/api/peerconnection_unittest.cc b/webrtc/api/peerconnection_unittest.cc
index b213ecb..4876b40 100644
--- a/webrtc/api/peerconnection_unittest.cc
+++ b/webrtc/api/peerconnection_unittest.cc
@@ -40,6 +40,7 @@
#include "webrtc/base/virtualsocketserver.h"
#include "webrtc/media/engine/fakewebrtcvideoengine.h"
#include "webrtc/p2p/base/p2pconstants.h"
+#include "webrtc/p2p/base/portinterface.h"
#include "webrtc/p2p/base/sessiondescription.h"
#include "webrtc/p2p/base/testturnserver.h"
#include "webrtc/p2p/client/basicportallocator.h"
@@ -2619,11 +2620,21 @@
bool ParseUrl(const std::string& url,
const std::string& username,
const std::string& password) {
+ return ParseUrl(
+ url, username, password,
+ PeerConnectionInterface::TlsCertPolicy::kTlsCertPolicySecure);
+ }
+
+ bool ParseUrl(const std::string& url,
+ const std::string& username,
+ const std::string& password,
+ PeerConnectionInterface::TlsCertPolicy tls_certificate_policy) {
PeerConnectionInterface::IceServers servers;
PeerConnectionInterface::IceServer server;
server.urls.push_back(url);
server.username = username;
server.password = password;
+ server.tls_cert_policy = tls_certificate_policy;
servers.push_back(server);
return webrtc::ParseIceServers(servers, &stun_servers_, &turn_servers_);
}
@@ -2655,6 +2666,18 @@
EXPECT_EQ(0U, stun_servers_.size());
EXPECT_EQ(1U, turn_servers_.size());
EXPECT_EQ(cricket::PROTO_TLS, turn_servers_[0].ports[0].proto);
+ EXPECT_TRUE(turn_servers_[0].tls_cert_policy ==
+ cricket::TlsCertPolicy::TLS_CERT_POLICY_SECURE);
+ turn_servers_.clear();
+
+ EXPECT_TRUE(ParseUrl(
+ "turns:hostname", "", "",
+ PeerConnectionInterface::TlsCertPolicy::kTlsCertPolicyInsecureNoCheck));
+ EXPECT_EQ(0U, stun_servers_.size());
+ EXPECT_EQ(1U, turn_servers_.size());
+ EXPECT_TRUE(turn_servers_[0].tls_cert_policy ==
+ cricket::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK);
+ EXPECT_EQ(cricket::PROTO_TLS, turn_servers_[0].ports[0].proto);
turn_servers_.clear();
// invalid prefixes