authorBasilisk-Dev <basiliskdev@protonmail.com>2022-08-20 14:21:43 -0400
committerBasilisk-Dev <basiliskdev@protonmail.com>2022-08-20 14:21:43 -0400
commitd49569ca0d6869de9e60026efa893c45770c86ae (patch)
tree1f2340890a8ff7a5d15fd9b0e6090c5d987cd01d /dom
parent544366e3010ea16601ff363a2f41df5f84f77d47 (diff)
downloaduxp-d49569ca0d6869de9e60026efa893c45770c86ae.tar.gz
Issue #1991 - Support TURN TLS Support in WebRTC
Backport of Mozilla bug 1056934
Diffstat (limited to 'dom')
-rw-r--r--dom/media/tests/mochitest/addTurnsSelfsignedCert.js26
-rw-r--r--dom/media/tests/mochitest/mochitest.ini3
-rw-r--r--dom/media/tests/mochitest/pc.js30
-rw-r--r--dom/media/tests/mochitest/test_peerConnection_basicAudioNATRelayTLS.html38
-rw-r--r--dom/network/TCPSocketParent.cpp15
5 files changed, 108 insertions, 4 deletions
diff --git a/dom/media/tests/mochitest/addTurnsSelfsignedCert.js b/dom/media/tests/mochitest/addTurnsSelfsignedCert.js
new file mode 100644
index 0000000000..cad3d04465
--- /dev/null
+++ b/dom/media/tests/mochitest/addTurnsSelfsignedCert.js
@@ -0,0 +1,26 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+var { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+
+// This is only usable from the parent process, even for doing simple stuff like
+// serializing a cert.
+var gCertMaker = Cc["@mozilla.org/security/x509certdb;1"].
+ getService(Ci.nsIX509CertDB);
+
+var gCertOverrides = Cc["@mozilla.org/security/certoverride;1"].
+ getService(Ci.nsICertOverrideService);
+
+
+addMessageListener('add-turns-certs', certs => {
+ var port = 5349;
+ certs.forEach(certDescription => {
+ var cert = gCertMaker.constructX509FromBase64(certDescription.cert);
+ gCertOverrides.rememberValidityOverride(certDescription.hostname, port,
+ cert, Ci.nsICertOverrideService.ERROR_UNTRUSTED, false);
+ });
+ sendAsyncMessage('certs-added');
+});
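Review bot: The `rememberValidityOverride` call passes `false` as its last argument (`aTemporary`), so the exception for the untrusted TURNS certificate goes into the profile's persistent override store instead of lasting only for the session. For a test helper that argument should be `true`, e.g. `cert, Ci.nsICertOverrideService.ERROR_UNTRUSTED, true);`, so the trust exception cannot outlive the run. Separately, if `constructX509FromBase64` throws on a malformed `certDescription.cert`, `certs-added` is never sent and the caller waits until the harness times out; wrapping the loop in `try`/`catch` and reporting the failure in the reply message would make that visible. The port is also fixed at 5349 here while the hostname comes from the message, so the two can disagree if the ICE server listens on another port.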
diff --git a/dom/media/tests/mochitest/mochitest.ini b/dom/media/tests/mochitest/mochitest.ini
index 22006ffa2f..948d938a30 100644
--- a/dom/media/tests/mochitest/mochitest.ini
+++ b/dom/media/tests/mochitest/mochitest.ini
@@ -13,6 +13,7 @@ support-files =
blacksilence.js
turnConfig.js
sdpUtils.js
+ addTurnsSelfsignedCert.js
!/dom/canvas/test/captureStream_common.js
!/dom/canvas/test/webgl-mochitest/webgl-util.js
!/dom/media/test/manifest.js
@@ -98,6 +99,8 @@ skip-if = toolkit == 'android' # websockets don't work on android (bug 1266217)
skip-if = toolkit == 'android' # websockets don't work on android (bug 1266217)
[test_peerConnection_basicAudioNATRelayTCP.html]
skip-if = toolkit == 'android' # websockets don't work on android (bug 1266217)
+[test_peerConnection_basicAudioNATRelayTLS.html]
+skip-if = true # need pyopenssl on builders, see bug 1323439
[test_peerConnection_basicAudioRequireEOC.html]
skip-if = (android_version == '18' && debug) # android(Bug 1189784, timeouts on 4.3 emulator)
[test_peerConnection_basicAudioPcmaPcmuOnly.html]
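Review bot: `skip-if = true` disables the new test on every platform, so the TURN-over-TLS path this commit adds has no automated coverage in this tree. The comment would be clearer if it said which tracker the number belongs to, e.g. `skip-if = true # need pyopenssl on builders, see Mozilla bug 1323439`, assuming that is an upstream bug number as the commit message's "Backport of Mozilla bug" line suggests.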
diff --git a/dom/media/tests/mochitest/pc.js b/dom/media/tests/mochitest/pc.js
index a9383358f9..2e9c7c63f1 100644
--- a/dom/media/tests/mochitest/pc.js
+++ b/dom/media/tests/mochitest/pc.js
@@ -1822,6 +1822,33 @@ function createHTML(options) {
var iceServerWebsocket;
var iceServersArray = [];
+var addTurnsSelfsignedCerts = () => {
+ var gUrl = SimpleTest.getTestFileURL('addTurnsSelfsignedCert.js');
+ var gScript = SpecialPowers.loadChromeScript(gUrl);
+ var certs = [];
+ // If the ICE server is running TURNS, and includes a "cert" attribute in
+ // its JSON, we set up an override that will forgive things like
+ // self-signed for it.
+ iceServersArray.forEach(iceServer => {
+ if (iceServer.hasOwnProperty("cert")) {
+ iceServer.urls.forEach(url => {
+ if (url.startsWith("turns:")) {
+ // Assumes no port or params!
+ certs.push({"cert": iceServer.cert, "hostname": url.substr(6)});
+ }
+ });
+ }
+ });
+
+ return new Promise((resolve, reject) => {
+ gScript.addMessageListener('certs-added', () => {
+ resolve();
+ });
+
+ gScript.sendAsyncMessage('add-turns-certs', certs);
+ });
+};
+
var setupIceServerConfig = useIceServer => {
// We disable ICE support for HTTP proxy when using a TURN server, because
// mochitest uses a fake HTTP proxy to serve content, which will eat our STUN
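Review bot: `url.substr(6)` in `addTurnsSelfsignedCerts` uses everything after `turns:` as the hostname, so a URL carrying a port or a `?transport=` parameter registers the override under a string that will not match the host the socket connects to. The handshake would then fail on the untrusted certificate with no hint of the cause. The in-code comment acknowledges the assumption, but stripping the suffix is cheap, e.g. `var host = url.substr(6).split("?")[0].split(":")[0];` (bracketed IPv6 literals would still need separate handling). The returned promise also never uses `reject`, never removes its listener and never destroys the chrome script, so a failure on the chrome side shows up only as a harness timeout.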
@@ -1863,7 +1890,8 @@ var setupIceServerConfig = useIceServer => {
return enableHttpProxy(false)
.then(spawnIceServer)
- .then(iceServersStr => { iceServersArray = JSON.parse(iceServersStr); });
+ .then(iceServersStr => { iceServersArray = JSON.parse(iceServersStr); })
+ .then(addTurnsSelfsignedCerts);
};
function runNetworkTest(testFunction, fixtureOptions) {
diff --git a/dom/media/tests/mochitest/test_peerConnection_basicAudioNATRelayTLS.html b/dom/media/tests/mochitest/test_peerConnection_basicAudioNATRelayTLS.html
new file mode 100644
index 0000000000..c295955d81
--- /dev/null
+++ b/dom/media/tests/mochitest/test_peerConnection_basicAudioNATRelayTLS.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <script type="application/javascript" src="pc.js"></script>
+</head>
+<body>
+<pre id="test">
+<script type="application/javascript">
+ createHTML({
+ bug: "1231975",
+ title: "Basic audio-only peer connection with port dependent NAT that blocks STUN"
+ });
+
+ var test;
+ runNetworkTest(options => {
+ SpecialPowers.pushPrefEnv(
+ {
+ 'set': [
+ ['media.peerconnection.nat_simulator.filtering_type', 'PORT_DEPENDENT'],
+ ['media.peerconnection.nat_simulator.mapping_type', 'PORT_DEPENDENT'],
+ ['media.peerconnection.nat_simulator.block_udp', true],
+ ['media.peerconnection.nat_simulator.block_tcp', true]
+ ]
+ }, function (options) {
+ options = options || {};
+ options.expectedLocalCandidateType = "relayed-tcp";
+ options.expectedRemoteCandidateType = "relayed-tcp";
+ // No reason to wait for gathering to complete like the other NAT tests,
+ // since relayed-tcp is the only thing that can work.
+ test = new PeerConnectionTest(options);
+ test.setMediaConstraints([{audio: true}], [{audio: true}]);
+ test.run();
+ })
+ }, { useIceServer: true });
+</script>
+</pre>
+</body>
+</html>
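Review bot: The title and `bug` field look copied from the TCP relay test: the title never mentions TLS and says the NAT "blocks STUN", while the prefs set both `block_udp` and `block_tcp`. Something like `title: "Basic audio-only peer connection over TURN TLS with port dependent NAT that blocks UDP and TCP"` would describe what is under test. The asserted candidate type is still `relayed-tcp`, so a short comment saying TLS is expected to be the only transport left once both prefs are set would help readers. The inner callback's `options` parameter also shadows the one supplied by `runNetworkTest`. If `pushPrefEnv` invokes its callback without arguments, the fixture options are replaced by `{}`; writing the callback as `function () {` would keep the outer `options`.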
diff --git a/dom/network/TCPSocketParent.cpp b/dom/network/TCPSocketParent.cpp
index 313d13f759..27d4d057e7 100644
--- a/dom/network/TCPSocketParent.cpp
+++ b/dom/network/TCPSocketParent.cpp
@@ -167,9 +167,18 @@ TCPSocketParent::RecvOpenBind(const nsCString& aRemoteHost,
}
nsCOMPtr<nsISocketTransport> socketTransport;
- rv = sts->CreateTransport(nullptr, 0,
- aRemoteHost, aRemotePort,
- nullptr, getter_AddRefs(socketTransport));
+ if (aUseSSL) {
+ const char* socketTypes[1];
+ socketTypes[0] = "ssl";
+ rv = sts->CreateTransport(socketTypes, 1,
+ aRemoteHost, aRemotePort,
+ nullptr, getter_AddRefs(socketTransport));
+ } else {
+ rv = sts->CreateTransport(nullptr, 0,
+ aRemoteHost, aRemotePort,
+ nullptr, getter_AddRefs(socketTransport));
+ }
+
if (NS_FAILED(rv)) {
FireInteralError(this, __LINE__);
return true;
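Review bot: The two `CreateTransport` calls in the new `if (aUseSSL)` / `else` differ only in their first two arguments, and nothing documents what the `"ssl"` socket type implies for this path. A single call is easier to audit: `const char* socketTypes[] = { "ssl" };` followed by `rv = sts->CreateTransport(aUseSSL ? socketTypes : nullptr, aUseSSL ? 1 : 0, aRemoteHost, aRemotePort, nullptr, getter_AddRefs(socketTransport));`. A one-line comment such as `// "ssl" wraps the transport in TLS; certificate checks are made against aRemoteHost` would help, though that behaviour is not visible in this hunk and should be confirmed against the socket provider. `RecvOpenBind` starts and ends outside the hunk.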