164 lines
5.8 KiB
C++
164 lines
5.8 KiB
C++
/*
|
|
* Copyright 2012 The WebRTC Project Authors. All rights reserved.
|
|
*
|
|
* Use of this source code is governed by a BSD-style license
|
|
* that can be found in the LICENSE file in the root of the source
|
|
* tree. An additional intellectual property rights grant can be found
|
|
* in the file PATENTS. All contributing project authors may
|
|
* be found in the AUTHORS file in the root of the source tree.
|
|
*/
|
|
|
|
#ifndef WEBRTC_P2P_BASE_DTLSTRANSPORT_H_
|
|
#define WEBRTC_P2P_BASE_DTLSTRANSPORT_H_
|
|
|
|
#include <memory>
|
|
|
|
#include "webrtc/p2p/base/dtlstransportchannel.h"
|
|
#include "webrtc/p2p/base/transport.h"
|
|
|
|
namespace rtc {
|
|
class SSLIdentity;
|
|
}
|
|
|
|
namespace cricket {
|
|
|
|
class PortAllocator;
|
|
|
|
// Base should be a descendant of cricket::Transport and have a constructor
|
|
// that takes a transport name and PortAllocator.
|
|
//
|
|
// Everything in this class should be called on the worker thread.
|
|
template<class Base>
|
|
class DtlsTransport : public Base {
|
|
public:
|
|
DtlsTransport(const std::string& name,
|
|
PortAllocator* allocator,
|
|
const rtc::scoped_refptr<rtc::RTCCertificate>& certificate)
|
|
: Base(name, allocator),
|
|
certificate_(certificate),
|
|
secure_role_(rtc::SSL_CLIENT),
|
|
ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_12) {}
|
|
|
|
~DtlsTransport() {
|
|
Base::DestroyAllChannels();
|
|
}
|
|
|
|
void SetLocalCertificate(
|
|
const rtc::scoped_refptr<rtc::RTCCertificate>& certificate) override {
|
|
certificate_ = certificate;
|
|
}
|
|
bool GetLocalCertificate(
|
|
rtc::scoped_refptr<rtc::RTCCertificate>* certificate) override {
|
|
if (!certificate_)
|
|
return false;
|
|
|
|
*certificate = certificate_;
|
|
return true;
|
|
}
|
|
|
|
bool SetSslMaxProtocolVersion(rtc::SSLProtocolVersion version) override {
|
|
ssl_max_version_ = version;
|
|
return true;
|
|
}
|
|
|
|
bool ApplyLocalTransportDescription(TransportChannelImpl* channel,
|
|
std::string* error_desc) override {
|
|
rtc::SSLFingerprint* local_fp =
|
|
Base::local_description()->identity_fingerprint.get();
|
|
|
|
if (!local_fp) {
|
|
certificate_ = nullptr;
|
|
} else if (!Base::VerifyCertificateFingerprint(certificate_.get(), local_fp,
|
|
error_desc)) {
|
|
return false;
|
|
}
|
|
|
|
if (!channel->SetLocalCertificate(certificate_)) {
|
|
return BadTransportDescription("Failed to set local identity.",
|
|
error_desc);
|
|
}
|
|
|
|
// Apply the description in the base class.
|
|
return Base::ApplyLocalTransportDescription(channel, error_desc);
|
|
}
|
|
|
|
bool NegotiateTransportDescription(ContentAction local_role,
|
|
std::string* error_desc) override {
|
|
if (!Base::local_description() || !Base::remote_description()) {
|
|
const std::string msg = "Local and Remote description must be set before "
|
|
"transport descriptions are negotiated";
|
|
return BadTransportDescription(msg, error_desc);
|
|
}
|
|
rtc::SSLFingerprint* local_fp =
|
|
Base::local_description()->identity_fingerprint.get();
|
|
rtc::SSLFingerprint* remote_fp =
|
|
Base::remote_description()->identity_fingerprint.get();
|
|
if (remote_fp && local_fp) {
|
|
remote_fingerprint_.reset(new rtc::SSLFingerprint(*remote_fp));
|
|
if (!Base::NegotiateRole(local_role, &secure_role_, error_desc)) {
|
|
return false;
|
|
}
|
|
} else if (local_fp && (local_role == CA_ANSWER)) {
|
|
return BadTransportDescription(
|
|
"Local fingerprint supplied when caller didn't offer DTLS.",
|
|
error_desc);
|
|
} else {
|
|
// We are not doing DTLS
|
|
remote_fingerprint_.reset(new rtc::SSLFingerprint("", nullptr, 0));
|
|
}
|
|
// Now run the negotiation for the base class.
|
|
return Base::NegotiateTransportDescription(local_role, error_desc);
|
|
}
|
|
|
|
DtlsTransportChannelWrapper* CreateTransportChannel(int component) override {
|
|
DtlsTransportChannelWrapper* channel = new DtlsTransportChannelWrapper(
|
|
Base::CreateTransportChannel(component));
|
|
channel->SetSslMaxProtocolVersion(ssl_max_version_);
|
|
return channel;
|
|
}
|
|
|
|
void DestroyTransportChannel(TransportChannelImpl* channel) override {
|
|
// Kind of ugly, but this lets us do the exact inverse of the create.
|
|
DtlsTransportChannelWrapper* dtls_channel =
|
|
static_cast<DtlsTransportChannelWrapper*>(channel);
|
|
TransportChannelImpl* base_channel = dtls_channel->channel();
|
|
delete dtls_channel;
|
|
Base::DestroyTransportChannel(base_channel);
|
|
}
|
|
|
|
bool GetSslRole(rtc::SSLRole* ssl_role) const override {
|
|
ASSERT(ssl_role != NULL);
|
|
*ssl_role = secure_role_;
|
|
return true;
|
|
}
|
|
|
|
private:
|
|
bool ApplyNegotiatedTransportDescription(TransportChannelImpl* channel,
|
|
std::string* error_desc) override {
|
|
// Set ssl role. Role must be set before fingerprint is applied, which
|
|
// initiates DTLS setup.
|
|
if (!channel->SetSslRole(secure_role_)) {
|
|
return BadTransportDescription("Failed to set ssl role for the channel.",
|
|
error_desc);
|
|
}
|
|
// Apply remote fingerprint.
|
|
if (!channel->SetRemoteFingerprint(remote_fingerprint_->algorithm,
|
|
reinterpret_cast<const uint8_t*>(
|
|
remote_fingerprint_->digest.data()),
|
|
remote_fingerprint_->digest.size())) {
|
|
return BadTransportDescription("Failed to apply remote fingerprint.",
|
|
error_desc);
|
|
}
|
|
return Base::ApplyNegotiatedTransportDescription(channel, error_desc);
|
|
}
|
|
|
|
rtc::scoped_refptr<rtc::RTCCertificate> certificate_;
|
|
rtc::SSLRole secure_role_;
|
|
rtc::SSLProtocolVersion ssl_max_version_;
|
|
std::unique_ptr<rtc::SSLFingerprint> remote_fingerprint_;
|
|
};
|
|
|
|
} // namespace cricket
|
|
|
|
#endif // WEBRTC_P2P_BASE_DTLSTRANSPORT_H_
|