Add TLS TURN tests.
This change extends the TurnPort tests to cover connections to
TURN servers over TLS.
As part of this, the TestTurnServer is extended to support
connections from clients over TLS.
Note that this also fixes the remaining bugs in webrtc:7562
Bug: webrtc:7584
Change-Id: If89ceae49d33417625464b5892d20eee4de7c3b5
Reviewed-on: https://chromium-review.googlesource.com/611520
Commit-Queue: Steve Anton <steveanton@webrtc.org>
Reviewed-by: Peter Thatcher <pthatcher@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#19397}
diff --git a/webrtc/rtc_base/openssladapter.cc b/webrtc/rtc_base/openssladapter.cc
index 11473ac..64eb0ab 100644
--- a/webrtc/rtc_base/openssladapter.cc
+++ b/webrtc/rtc_base/openssladapter.cc
@@ -279,6 +279,7 @@
: SSLAdapter(socket),
factory_(factory),
state_(SSL_NONE),
+ role_(SSL_CLIENT),
ssl_read_needs_write_(false),
ssl_write_needs_read_(false),
restartable_(false),
@@ -307,6 +308,30 @@
ssl_mode_ = mode;
}
+void OpenSSLAdapter::SetIdentity(SSLIdentity* identity) {
+ RTC_DCHECK(!identity_);
+ identity_.reset(static_cast<OpenSSLIdentity*>(identity));
+}
+
+void OpenSSLAdapter::SetRole(SSLRole role) {
+ role_ = role;
+}
+
+AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) {
+ RTC_DCHECK(role_ == SSL_SERVER);
+ AsyncSocket* socket = SSLAdapter::Accept(paddr);
+ if (!socket) {
+ return nullptr;
+ }
+
+ SSLAdapter* adapter = SSLAdapter::Create(socket);
+ adapter->SetIdentity(identity_->GetReference());
+ adapter->SetRole(rtc::SSL_SERVER);
+ adapter->set_ignore_bad_cert(ignore_bad_cert());
+ adapter->StartSSL("", false);
+ return adapter;
+}
+
int OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) {
if (state_ != SSL_NONE)
return -1;
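Review bot: In Accept, `identity_->GetReference()` on the line after `SSLAdapter::Create(socket)` dereferences `identity_` without a check, so a listening adapter on which SetIdentity was never called crashes rather than failing the accept; a `RTC_DCHECK(identity_)` next to the existing role check makes the precondition explicit. The return value of `adapter->StartSSL("", false)` is also discarded, so a server-side setup that fails (for example the ConfigureIdentity failure branch added in the next hunk) is still handed back to the caller as if it were a usable socket; a non-zero return should be treated as an accept failure. Whether deleting the adapter also releases the accepted `socket` depends on the adapter's ownership rules, which are not visible here, so that line needs confirming. As a point of style, the same enumerator is written `rtc::SSL_SERVER` on one line and bare `SSL_SERVER` on another within the same function.
```cpp
AsyncSocket* OpenSSLAdapter::Accept(SocketAddress* paddr) {
  RTC_DCHECK(role_ == SSL_SERVER);
  RTC_DCHECK(identity_);
  // … unchanged: SSLAdapter::Accept, null check, Create, SetIdentity/SetRole/set_ignore_bad_cert …
  if (adapter->StartSSL("", false) != 0) {
    delete adapter;  // TODO confirm the adapter owns |socket|; otherwise release it here too
    return nullptr;
  }
  return adapter;
}
```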
@@ -347,6 +372,12 @@
goto ssl_error;
}
+ if (identity_ && !identity_->ConfigureIdentity(ssl_ctx_)) {
+ SSL_CTX_free(ssl_ctx_);
+ err = -1;
+ goto ssl_error;
+ }
+
bio = BIO_new_socket(socket_);
if (!bio) {
err = -1;
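Review bot: The new ConfigureIdentity failure branch calls `SSL_CTX_free(ssl_ctx_)` but leaves `ssl_ctx_` pointing at the freed context before `goto ssl_error`. The `ssl_error` label is outside this hunk, but if that path runs the cleanup shown in a later hunk of this file (`if (ssl_ctx_) { SSL_CTX_free(ssl_ctx_); ssl_ctx_ = nullptr; }`), the context is freed twice. Either drop the explicit free and let the error path release the context like the other failure branches here do, or null the pointer after freeing: `SSL_CTX_free(ssl_ctx_); ssl_ctx_ = nullptr;`. The enclosing function starts and ends outside the hunk.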
@@ -423,7 +454,7 @@
// Clear the DTLS timer
Thread::Current()->Clear(this, MSG_TIMEOUT);
- int code = SSL_connect(ssl_);
+ int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
switch (SSL_get_error(ssl_, code)) {
case SSL_ERROR_NONE:
if (!SSLPostConnectionCheck(ssl_, ssl_host_name_.c_str())) {
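Review bot: After the new `SSL_accept` branch, the server role still falls into the existing `SSLPostConnectionCheck(ssl_, ssl_host_name_.c_str())` on the next line with the empty hostname that Accept passes, so the server-side handshake is accepted or rejected by a check written for verifying a server's certificate against a name. SSLPostConnectionCheck is not visible in this diff; if it inspects the peer certificate, then on the server side the outcome presumably depends on `ignore_bad_cert()`, which Accept copies from the listener, rather than on any deliberate client-certificate policy. Either gate the check on the role, `if (role_ == SSL_CLIENT && !SSLPostConnectionCheck(ssl_, ssl_host_name_.c_str())) {`, or state in a comment what the check is meant to verify for a server-role socket. The enclosing function continues outside the hunk.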
@@ -496,6 +527,7 @@
SSL_CTX_free(ssl_ctx_);
ssl_ctx_ = nullptr;
}
+ identity_.reset();
// Clear the DTLS timer
Thread::Current()->Clear(this, MSG_TIMEOUT);
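Review bot: `identity_.reset()` in Cleanup discards the identity on every teardown, while the header hunk's comment on `restartable_` says a restartable socket retains its SSL configuration after Close. If Cleanup is the path a restartable socket takes on Close, a server-role adapter restarted afterwards would begin its next handshake without a certificate to present. If dropping the identity is intended, a comment such as `// The identity is not retained across restarts.` would make that explicit; otherwise reset it only when `!restartable_`, alongside whatever else is retained. The enclosing function starts outside the hunk.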
diff --git a/webrtc/rtc_base/openssladapter.h b/webrtc/rtc_base/openssladapter.h
index 4b49efd..b57ea8f 100644
--- a/webrtc/rtc_base/openssladapter.h
+++ b/webrtc/rtc_base/openssladapter.h
@@ -16,6 +16,7 @@
#include "webrtc/rtc_base/buffer.h"
#include "webrtc/rtc_base/messagehandler.h"
#include "webrtc/rtc_base/messagequeue.h"
+#include "webrtc/rtc_base/opensslidentity.h"
#include "webrtc/rtc_base/ssladapter.h"
typedef struct ssl_st SSL;
@@ -38,6 +39,9 @@
~OpenSSLAdapter() override;
void SetMode(SSLMode mode) override;
+ void SetIdentity(SSLIdentity* identity) override;
+ void SetRole(SSLRole role) override;
+ AsyncSocket* Accept(SocketAddress* paddr) override;
int StartSSL(const char* hostname, bool restartable) override;
int Send(const void* pv, size_t cb) override;
int SendTo(const void* pv, size_t cb, const SocketAddress& addr) override;
@@ -107,6 +111,8 @@
OpenSSLAdapterFactory* factory_;
SSLState state_;
+ std::unique_ptr<OpenSSLIdentity> identity_;
+ SSLRole role_;
bool ssl_read_needs_write_;
bool ssl_write_needs_read_;
// If true, socket will retain SSL configuration after Close.
diff --git a/webrtc/rtc_base/ssladapter.h b/webrtc/rtc_base/ssladapter.h
index 6b12035..87e7deb 100644
--- a/webrtc/rtc_base/ssladapter.h
+++ b/webrtc/rtc_base/ssladapter.h
@@ -53,6 +53,12 @@
// Do DTLS or TLS (default is TLS, if unspecified)
virtual void SetMode(SSLMode mode) = 0;
+ // Set the certificate this socket will present to incoming clients.
+ virtual void SetIdentity(SSLIdentity* identity) = 0;
+
+ // Choose whether the socket acts as a server socket or client socket.
+ virtual void SetRole(SSLRole role) = 0;
+
// StartSSL returns 0 if successful.
// If StartSSL is called while the socket is closed or connecting, the SSL
// negotiation will begin as soon as the socket connects.
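Review bot: The comment on SetIdentity does not say that the adapter takes ownership of `identity`; the OpenSSL implementation in this commit wraps the raw pointer in a `unique_ptr`, so a caller that later deletes or reuses the object gets a double free or a dangling pointer. Suggest `// Set the certificate this socket will present to incoming clients. Takes ownership of |identity|.`. The same implementation configures the identity whenever it is set, not only for sockets that accept incoming clients, so "incoming clients" understates where it applies; a short clause noting that it is also used by StartSSL on a client-role socket would help. The SetRole comment could also state the default role, which the constructor hunk sets to `SSL_CLIENT`.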