2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
15 #endif // HAVE_CONFIG_H
19 #include "webrtc/base/nssstreamadapter.h"
27 #ifdef NSS_SSL_RELATIVE_PATH
32 #include "net/third_party/nss/ssl/ssl.h"
33 #include "net/third_party/nss/ssl/sslerr.h"
34 #include "net/third_party/nss/ssl/sslproto.h"
37 #include "webrtc/base/nssidentity.h"
38 #include "webrtc/base/safe_conversions.h"
39 #include "webrtc/base/thread.h"
43 PRDescIdentity NSSStreamAdapter::nspr_layer_identity = PR_INVALID_IO_LAYER;
45 #define UNIMPLEMENTED \
46 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); \
48 << "Call to unimplemented function "<< __FUNCTION__; ASSERT(false)
50 #ifdef SRTP_AES128_CM_HMAC_SHA1_80
51 #define HAVE_DTLS_SRTP
55 // SRTP cipher suite table
56 struct SrtpCipherMapEntry {
57 const char* external_name;
61 // This isn't elegant, but it's better than an external reference
62 static const SrtpCipherMapEntry kSrtpCipherMap[] = {
63 {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 },
64 {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 },
70 // Implementation of NSPR methods
71 static PRStatus StreamClose(PRFileDesc *socket) {
72 ASSERT(!socket->lower);
77 static PRInt32 StreamRead(PRFileDesc *socket, void *buf, PRInt32 length) {
78 StreamInterface *stream = reinterpret_cast<StreamInterface *>(socket->secret);
81 StreamResult result = stream->Read(buf, length, &read, &error);
82 if (result == SR_SUCCESS) {
83 return checked_cast<PRInt32>(read);
86 if (result == SR_EOS) {
90 if (result == SR_BLOCK) {
91 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
95 PR_SetError(PR_UNKNOWN_ERROR, error);
99 static PRInt32 StreamWrite(PRFileDesc *socket, const void *buf,
101 StreamInterface *stream = reinterpret_cast<StreamInterface *>(socket->secret);
104 StreamResult result = stream->Write(buf, length, &written, &error);
105 if (result == SR_SUCCESS) {
106 return checked_cast<PRInt32>(written);
109 if (result == SR_BLOCK) {
111 "NSSStreamAdapter: write to underlying transport would block";
112 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
116 LOG(LS_ERROR) << "Write error";
117 PR_SetError(PR_UNKNOWN_ERROR, error);
121 static PRInt32 StreamAvailable(PRFileDesc *socket) {
126 PRInt64 StreamAvailable64(PRFileDesc *socket) {
131 static PRStatus StreamSync(PRFileDesc *socket) {
136 static PROffset32 StreamSeek(PRFileDesc *socket, PROffset32 offset,
142 static PROffset64 StreamSeek64(PRFileDesc *socket, PROffset64 offset,
148 static PRStatus StreamFileInfo(PRFileDesc *socket, PRFileInfo *info) {
153 static PRStatus StreamFileInfo64(PRFileDesc *socket, PRFileInfo64 *info) {
158 static PRInt32 StreamWritev(PRFileDesc *socket, const PRIOVec *iov,
159 PRInt32 iov_size, PRIntervalTime timeout) {
164 static PRStatus StreamConnect(PRFileDesc *socket, const PRNetAddr *addr,
165 PRIntervalTime timeout) {
170 static PRFileDesc *StreamAccept(PRFileDesc *sd, PRNetAddr *addr,
171 PRIntervalTime timeout) {
176 static PRStatus StreamBind(PRFileDesc *socket, const PRNetAddr *addr) {
181 static PRStatus StreamListen(PRFileDesc *socket, PRIntn depth) {
186 static PRStatus StreamShutdown(PRFileDesc *socket, PRIntn how) {
191 // Note: this is always nonblocking and ignores the timeout.
192 // TODO(ekr@rtfm.com): In future verify that the socket is
193 // actually in non-blocking mode.
194 // This function does not support peek.
195 static PRInt32 StreamRecv(PRFileDesc *socket, void *buf, PRInt32 amount,
196 PRIntn flags, PRIntervalTime to) {
200 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
204 return StreamRead(socket, buf, amount);
207 // Note: this is always nonblocking and assumes a zero timeout.
208 // This function does not support peek.
209 static PRInt32 StreamSend(PRFileDesc *socket, const void *buf,
210 PRInt32 amount, PRIntn flags,
214 return StreamWrite(socket, buf, amount);
217 static PRInt32 StreamRecvfrom(PRFileDesc *socket, void *buf,
218 PRInt32 amount, PRIntn flags,
219 PRNetAddr *addr, PRIntervalTime to) {
224 static PRInt32 StreamSendto(PRFileDesc *socket, const void *buf,
225 PRInt32 amount, PRIntn flags,
226 const PRNetAddr *addr, PRIntervalTime to) {
231 static PRInt16 StreamPoll(PRFileDesc *socket, PRInt16 in_flags,
232 PRInt16 *out_flags) {
237 static PRInt32 StreamAcceptRead(PRFileDesc *sd, PRFileDesc **nd,
239 void *buf, PRInt32 amount, PRIntervalTime t) {
244 static PRInt32 StreamTransmitFile(PRFileDesc *sd, PRFileDesc *socket,
245 const void *headers, PRInt32 hlen,
246 PRTransmitFileFlags flags, PRIntervalTime t) {
251 static PRStatus StreamGetPeerName(PRFileDesc *socket, PRNetAddr *addr) {
252 // TODO(ekr@rtfm.com): Modify to return unique names for each channel
253 // somehow, as opposed to always the same static address. The current
254 // implementation messes up the session cache, which is why it's off
256 addr->inet.family = PR_AF_INET;
263 static PRStatus StreamGetSockName(PRFileDesc *socket, PRNetAddr *addr) {
268 static PRStatus StreamGetSockOption(PRFileDesc *socket, PRSocketOptionData *opt) {
269 switch (opt->option) {
270 case PR_SockOpt_Nonblocking:
271 opt->value.non_blocking = PR_TRUE;
281 // Imitate setting socket options. These are mostly noops.
282 static PRStatus StreamSetSockOption(PRFileDesc *socket,
283 const PRSocketOptionData *opt) {
284 switch (opt->option) {
285 case PR_SockOpt_Nonblocking:
287 case PR_SockOpt_NoDelay:
297 static PRInt32 StreamSendfile(PRFileDesc *out, PRSendFileData *in,
298 PRTransmitFileFlags flags, PRIntervalTime to) {
303 static PRStatus StreamConnectContinue(PRFileDesc *socket, PRInt16 flags) {
308 static PRIntn StreamReserved(PRFileDesc *socket) {
313 static const struct PRIOMethods nss_methods = {
345 StreamConnectContinue,
352 NSSStreamAdapter::NSSStreamAdapter(StreamInterface *stream)
353 : SSLStreamAdapterHelper(stream),
358 bool NSSStreamAdapter::Init() {
359 if (nspr_layer_identity == PR_INVALID_IO_LAYER) {
360 nspr_layer_identity = PR_GetUniqueIdentity("nssstreamadapter");
362 PRFileDesc *pr_fd = PR_CreateIOLayerStub(nspr_layer_identity, &nss_methods);
365 pr_fd->secret = reinterpret_cast<PRFilePrivate *>(stream());
368 if (ssl_mode_ == SSL_MODE_DTLS) {
369 ssl_fd = DTLS_ImportFD(NULL, pr_fd);
371 ssl_fd = SSL_ImportFD(NULL, pr_fd);
373 ASSERT(ssl_fd != NULL); // This should never happen
381 rv = SSL_OptionSet(ssl_fd, SSL_SECURITY, PR_TRUE);
382 if (rv != SECSuccess) {
383 LOG(LS_ERROR) << "Error enabling security on SSL Socket";
388 rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_SSL2, PR_FALSE);
389 if (rv != SECSuccess) {
390 LOG(LS_ERROR) << "Error disabling SSL2";
395 // TODO(ekr@rtfm.com): restore this when I have the caching
397 rv = SSL_OptionSet(ssl_fd, SSL_NO_CACHE, PR_TRUE);
398 if (rv != SECSuccess) {
399 LOG(LS_ERROR) << "Error disabling cache";
403 // Disable session tickets.
404 rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_SESSION_TICKETS, PR_FALSE);
405 if (rv != SECSuccess) {
406 LOG(LS_ERROR) << "Error enabling tickets";
410 // Disable renegotiation.
411 rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_RENEGOTIATION,
412 SSL_RENEGOTIATE_NEVER);
413 if (rv != SECSuccess) {
414 LOG(LS_ERROR) << "Error disabling renegotiation";
418 // Disable false start.
419 rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_FALSE_START, PR_FALSE);
420 if (rv != SECSuccess) {
421 LOG(LS_ERROR) << "Error disabling false start";
430 NSSStreamAdapter::~NSSStreamAdapter() {
436 int NSSStreamAdapter::BeginSSL() {
440 Error("Init", -1, false);
444 ASSERT(state_ == SSL_CONNECTING);
445 // The underlying stream has been opened. If we are in peer-to-peer mode
446 // then a peer certificate must have been specified by now.
447 ASSERT(!ssl_server_name_.empty() ||
448 peer_certificate_.get() != NULL ||
449 !peer_certificate_digest_algorithm_.empty());
450 LOG(LS_INFO) << "BeginSSL: "
451 << (!ssl_server_name_.empty() ? ssl_server_name_ :
454 if (role_ == SSL_CLIENT) {
455 LOG(LS_INFO) << "BeginSSL: as client";
457 rv = SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook,
459 if (rv != SECSuccess) {
460 Error("BeginSSL", -1, false);
464 LOG(LS_INFO) << "BeginSSL: as server";
465 NSSIdentity *identity;
467 if (identity_.get()) {
468 identity = static_cast<NSSIdentity *>(identity_.get());
470 LOG(LS_ERROR) << "Can't be an SSL server without an identity";
471 Error("BeginSSL", -1, false);
474 rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(),
475 identity->keypair()->privkey(),
477 if (rv != SECSuccess) {
478 Error("BeginSSL", -1, false);
482 // Insist on a certificate from the client
483 rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
484 if (rv != SECSuccess) {
485 Error("BeginSSL", -1, false);
489 // TODO(juberti): Check for client_auth_enabled()
491 rv = SSL_OptionSet(ssl_fd_, SSL_REQUIRE_CERTIFICATE, PR_TRUE);
492 if (rv != SECSuccess) {
493 Error("BeginSSL", -1, false);
498 // Set the version range.
499 SSLVersionRange vrange;
500 vrange.min = (ssl_mode_ == SSL_MODE_DTLS) ?
501 SSL_LIBRARY_VERSION_TLS_1_1 :
502 SSL_LIBRARY_VERSION_TLS_1_0;
503 vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
505 rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
506 if (rv != SECSuccess) {
507 Error("BeginSSL", -1, false);
512 #ifdef HAVE_DTLS_SRTP
513 if (!srtp_ciphers_.empty()) {
514 rv = SSL_SetSRTPCiphers(
515 ssl_fd_, &srtp_ciphers_[0],
516 checked_cast<unsigned int>(srtp_ciphers_.size()));
517 if (rv != SECSuccess) {
518 Error("BeginSSL", -1, false);
524 // Certificate validation
525 rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
526 if (rv != SECSuccess) {
527 Error("BeginSSL", -1, false);
531 // Now start the handshake
532 rv = SSL_ResetHandshake(ssl_fd_, role_ == SSL_SERVER ? PR_TRUE : PR_FALSE);
533 if (rv != SECSuccess) {
534 Error("BeginSSL", -1, false);
538 return ContinueSSL();
541 int NSSStreamAdapter::ContinueSSL() {
542 LOG(LS_INFO) << "ContinueSSL";
543 ASSERT(state_ == SSL_CONNECTING);
545 // Clear the DTLS timer
546 Thread::Current()->Clear(this, MSG_DTLS_TIMEOUT);
548 SECStatus rv = SSL_ForceHandshake(ssl_fd_);
550 if (rv == SECSuccess) {
551 LOG(LS_INFO) << "Handshake complete";
555 Error("ContinueSSL", -1, true);
559 state_ = SSL_CONNECTED;
560 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0);
564 PRInt32 err = PR_GetError();
566 case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
567 if (ssl_mode_ != SSL_MODE_DTLS) {
568 Error("ContinueSSL", -1, true);
571 LOG(LS_INFO) << "Malformed DTLS message. Ignoring.";
574 case PR_WOULD_BLOCK_ERROR:
575 LOG(LS_INFO) << "Would have blocked";
576 if (ssl_mode_ == SSL_MODE_DTLS) {
577 PRIntervalTime timeout;
579 SECStatus rv = DTLS_GetHandshakeTimeout(ssl_fd_, &timeout);
580 if (rv == SECSuccess) {
581 LOG(LS_INFO) << "Timeout is " << timeout << " ms";
582 Thread::Current()->PostDelayed(PR_IntervalToMilliseconds(timeout),
583 this, MSG_DTLS_TIMEOUT, 0);
589 LOG(LS_INFO) << "Error " << err;
593 Error("ContinueSSL", -1, true);
597 void NSSStreamAdapter::Cleanup() {
598 if (state_ != SSL_ERROR) {
608 peer_certificate_.reset();
610 Thread::Current()->Clear(this, MSG_DTLS_TIMEOUT);
613 StreamResult NSSStreamAdapter::Read(void* data, size_t data_len,
614 size_t* read, int* error) {
615 // SSL_CONNECTED sanity check.
631 *error = ssl_error_code_;
635 PRInt32 rv = PR_Read(ssl_fd_, data, checked_cast<PRInt32>(data_len));
643 PRInt32 err = PR_GetError();
646 case PR_WOULD_BLOCK_ERROR:
649 Error("Read", -1, false);
650 *error = err; // libjingle semantics are that this is impl-specific
661 StreamResult NSSStreamAdapter::Write(const void* data, size_t data_len,
662 size_t* written, int* error) {
663 // SSL_CONNECTED sanity check.
677 *error = ssl_error_code_;
681 PRInt32 rv = PR_Write(ssl_fd_, data, checked_cast<PRInt32>(data_len));
685 PRInt32 err = PR_GetError();
688 case PR_WOULD_BLOCK_ERROR:
691 Error("Write", -1, false);
692 *error = err; // libjingle semantics are that this is impl-specific
703 void NSSStreamAdapter::OnEvent(StreamInterface* stream, int events,
705 int events_to_signal = 0;
706 int signal_error = 0;
707 ASSERT(stream == this->stream());
708 if ((events & SE_OPEN)) {
709 LOG(LS_INFO) << "NSSStreamAdapter::OnEvent SE_OPEN";
710 if (state_ != SSL_WAIT) {
711 ASSERT(state_ == SSL_NONE);
712 events_to_signal |= SE_OPEN;
714 state_ = SSL_CONNECTING;
715 if (int err = BeginSSL()) {
716 Error("BeginSSL", err, true);
721 if ((events & (SE_READ|SE_WRITE))) {
722 LOG(LS_INFO) << "NSSStreamAdapter::OnEvent"
723 << ((events & SE_READ) ? " SE_READ" : "")
724 << ((events & SE_WRITE) ? " SE_WRITE" : "");
725 if (state_ == SSL_NONE) {
726 events_to_signal |= events & (SE_READ|SE_WRITE);
727 } else if (state_ == SSL_CONNECTING) {
728 if (int err = ContinueSSL()) {
729 Error("ContinueSSL", err, true);
732 } else if (state_ == SSL_CONNECTED) {
733 if (events & SE_WRITE) {
734 LOG(LS_INFO) << " -- onStreamWriteable";
735 events_to_signal |= SE_WRITE;
737 if (events & SE_READ) {
738 LOG(LS_INFO) << " -- onStreamReadable";
739 events_to_signal |= SE_READ;
743 if ((events & SE_CLOSE)) {
744 LOG(LS_INFO) << "NSSStreamAdapter::OnEvent(SE_CLOSE, " << err << ")";
746 events_to_signal |= SE_CLOSE;
747 // SE_CLOSE is the only event that uses the final parameter to OnEvent().
748 ASSERT(signal_error == 0);
751 if (events_to_signal)
752 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error);
755 void NSSStreamAdapter::OnMessage(Message* msg) {
756 // Process our own messages and then pass others to the superclass
757 if (MSG_DTLS_TIMEOUT == msg->message_id) {
758 LOG(LS_INFO) << "DTLS timeout expired";
761 StreamInterface::OnMessage(msg);
765 // Certificate verification callback. Called to check any certificate
766 SECStatus NSSStreamAdapter::AuthCertificateHook(void *arg,
770 LOG(LS_INFO) << "NSSStreamAdapter::AuthCertificateHook";
771 // SSL_PeerCertificate returns a pointer that is owned by the caller, and
772 // the NSSCertificate constructor copies its argument, so |raw_peer_cert|
773 // must be destroyed in this function.
774 CERTCertificate* raw_peer_cert = SSL_PeerCertificate(fd);
775 NSSCertificate peer_cert(raw_peer_cert);
776 CERT_DestroyCertificate(raw_peer_cert);
778 NSSStreamAdapter *stream = reinterpret_cast<NSSStreamAdapter *>(arg);
779 stream->cert_ok_ = false;
781 // Read the peer's certificate chain.
782 CERTCertList* cert_list = SSL_PeerCertificateChain(fd);
783 ASSERT(cert_list != NULL);
785 // If the peer provided multiple certificates, check that they form a valid
786 // chain as defined by RFC 5246 Section 7.4.2: "Each following certificate
787 // MUST directly certify the one preceding it.". This check does NOT
788 // verify other requirements, such as whether the chain reaches a trusted
789 // root, self-signed certificates have valid signatures, certificates are not
791 // Even if the chain is valid, the leaf certificate must still match a
792 // provided certificate or digest.
793 if (!NSSCertificate::IsValidChain(cert_list)) {
794 CERT_DestroyCertList(cert_list);
795 PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
799 if (stream->peer_certificate_.get()) {
800 LOG(LS_INFO) << "Checking against specified certificate";
802 // The peer certificate was specified
803 if (reinterpret_cast<NSSCertificate *>(stream->peer_certificate_.get())->
804 Equals(&peer_cert)) {
805 LOG(LS_INFO) << "Accepted peer certificate";
806 stream->cert_ok_ = true;
808 } else if (!stream->peer_certificate_digest_algorithm_.empty()) {
809 LOG(LS_INFO) << "Checking against specified digest";
810 // The peer certificate digest was specified
811 unsigned char digest[64]; // Maximum size
812 size_t digest_length;
814 if (!peer_cert.ComputeDigest(
815 stream->peer_certificate_digest_algorithm_,
816 digest, sizeof(digest), &digest_length)) {
817 LOG(LS_ERROR) << "Digest computation failed";
819 Buffer computed_digest(digest, digest_length);
820 if (computed_digest == stream->peer_certificate_digest_value_) {
821 LOG(LS_INFO) << "Accepted peer certificate";
822 stream->cert_ok_ = true;
826 // Other modes, but we haven't implemented yet
827 // TODO(ekr@rtfm.com): Implement real certificate validation
831 if (!stream->cert_ok_ && stream->ignore_bad_cert()) {
832 LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
833 stream->cert_ok_ = true;
836 if (stream->cert_ok_)
837 stream->peer_certificate_.reset(new NSSCertificate(cert_list));
839 CERT_DestroyCertList(cert_list);
841 if (stream->cert_ok_)
844 PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
849 SECStatus NSSStreamAdapter::GetClientAuthDataHook(void *arg, PRFileDesc *fd,
850 CERTDistNames *caNames,
851 CERTCertificate **pRetCert,
852 SECKEYPrivateKey **pRetKey) {
853 LOG(LS_INFO) << "Client cert requested";
854 NSSStreamAdapter *stream = reinterpret_cast<NSSStreamAdapter *>(arg);
856 if (!stream->identity_.get()) {
857 LOG(LS_ERROR) << "No identity available";
861 NSSIdentity *identity = static_cast<NSSIdentity *>(stream->identity_.get());
862 // Destroyed internally by NSS
863 *pRetCert = CERT_DupCertificate(identity->certificate().certificate());
864 *pRetKey = SECKEY_CopyPrivateKey(identity->keypair()->privkey());
869 // RFC 5705 Key Exporter
870 bool NSSStreamAdapter::ExportKeyingMaterial(const std::string& label,
871 const uint8* context,
876 SECStatus rv = SSL_ExportKeyingMaterial(
879 checked_cast<unsigned int>(label.size()),
882 checked_cast<unsigned int>(context_len),
884 checked_cast<unsigned int>(result_len));
886 return rv == SECSuccess;
889 bool NSSStreamAdapter::SetDtlsSrtpCiphers(
890 const std::vector<std::string>& ciphers) {
891 #ifdef HAVE_DTLS_SRTP
892 std::vector<PRUint16> internal_ciphers;
893 if (state_ != SSL_NONE)
896 for (std::vector<std::string>::const_iterator cipher = ciphers.begin();
897 cipher != ciphers.end(); ++cipher) {
899 for (const SrtpCipherMapEntry *entry = kSrtpCipherMap; entry->cipher_id;
901 if (*cipher == entry->external_name) {
903 internal_ciphers.push_back(entry->cipher_id);
909 LOG(LS_ERROR) << "Could not find cipher: " << *cipher;
914 if (internal_ciphers.empty())
917 srtp_ciphers_ = internal_ciphers;
925 bool NSSStreamAdapter::GetDtlsSrtpCipher(std::string* cipher) {
926 #ifdef HAVE_DTLS_SRTP
927 ASSERT(state_ == SSL_CONNECTED);
928 if (state_ != SSL_CONNECTED)
931 PRUint16 selected_cipher;
933 SECStatus rv = SSL_GetSRTPCipher(ssl_fd_, &selected_cipher);
934 if (rv == SECFailure)
937 for (const SrtpCipherMapEntry *entry = kSrtpCipherMap;
938 entry->cipher_id; ++entry) {
939 if (selected_cipher == entry->cipher_id) {
940 *cipher = entry->external_name;
945 ASSERT(false); // This should never happen
951 bool NSSContext::initialized;
952 NSSContext *NSSContext::global_nss_context;
954 // Static initialization and shutdown
955 NSSContext *NSSContext::Instance() {
956 if (!global_nss_context) {
957 scoped_ptr<NSSContext> new_ctx(new NSSContext());
958 new_ctx->slot_ = PK11_GetInternalSlot();
960 global_nss_context = new_ctx.release();
962 return global_nss_context;
967 bool NSSContext::InitializeSSL(VerificationCallback callback) {
973 rv = NSS_NoDB_Init(NULL);
974 if (rv != SECSuccess) {
975 LOG(LS_ERROR) << "Couldn't initialize NSS error=" <<
980 NSS_SetDomesticPolicy();
988 bool NSSContext::InitializeSSLThread() {
993 bool NSSContext::CleanupSSL() {
998 bool NSSStreamAdapter::HaveDtls() {
1002 bool NSSStreamAdapter::HaveDtlsSrtp() {
1003 #ifdef HAVE_DTLS_SRTP
1010 bool NSSStreamAdapter::HaveExporter() {
1016 #endif // HAVE_NSS_SSL_H