lib-gst-meet 0.6.0

Connect GStreamer pipelines to Jitsi Meet conferences
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

#[cfg(any(
  feature = "tls-rustls-native-roots",
  feature = "tls-rustls-webpki-roots"
))]
use std::sync::Arc;

#[cfg(not(feature = "tls-insecure"))]
use anyhow::bail;
use anyhow::{Context, Result};
use tokio_tungstenite::Connector;

#[cfg(feature = "tls-rustls-native-roots")]
pub(crate) fn wss_connector(insecure: bool) -> Result<tokio_tungstenite::Connector> {
  let mut roots = rustls::RootCertStore::empty();
  for cert in
    rustls_native_certs::load_native_certs().context("failed to load native root certs")?
  {
    roots
      .add(&rustls::Certificate(cert.0))
      .context("failed to add native root certs")?;
  }

  let mut config = rustls::ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(roots)
    .with_no_client_auth();
  #[cfg(feature = "tls-insecure")]
  if insecure {
    config
      .dangerous()
      .set_certificate_verifier(Arc::new(InsecureServerCertVerifier));
  }
  #[cfg(not(feature = "tls-insecure"))]
  if insecure {
    bail!(
      "Insecure TLS mode can only be enabled if the tls-insecure feature was enabled at compile time."
    )
  }
  Ok(Connector::Rustls(Arc::new(config)))
}

#[cfg(feature = "tls-rustls-webpki-roots")]
pub(crate) fn wss_connector(insecure: bool) -> Result<tokio_tungstenite::Connector> {
  let mut roots = rustls::RootCertStore::empty();
  roots.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
    rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
      ta.subject,
      ta.spki,
      ta.name_constraints,
    )
  }));

  let config = rustls::ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(roots)
    .with_no_client_auth();
  #[cfg(feature = "tls-insecure")]
  if insecure {
    config
      .dangerous()
      .set_certificate_verifier(Arc::new(InsecureServerCertVerifier));
  }
  #[cfg(not(feature = "tls-insecure"))]
  if insecure {
    bail!(
      "Insecure TLS mode can only be enabled if the tls-insecure feature was enabled at compile time."
    )
  }
  Ok(Connector::Rustls(Arc::new(config)))
}

#[cfg(any(feature = "tls-native", feature = "tls-native-vendored"))]
pub(crate) fn wss_connector(insecure: bool) -> Result<tokio_tungstenite::Connector> {
  let mut builder = native_tls::TlsConnector::builder();
  builder.min_protocol_version(Some(native_tls::Protocol::Tlsv12));
  #[cfg(feature = "tls-insecure")]
  if insecure {
    builder.danger_accept_invalid_certs(true);
    builder.danger_accept_invalid_hostnames(true);
  }
  #[cfg(not(feature = "tls-insecure"))]
  if insecure {
    bail!(
      "Insecure TLS mode can only be enabled if the tls-insecure feature was enabled at compile time."
    )
  }
  Ok(Connector::NativeTls(
    builder
      .build()
      .context("failed to build native TLS connector")?,
  ))
}

#[cfg(all(
  feature = "tls-insecure",
  any(
    feature = "tls-rustls-native-roots",
    feature = "tls-rustls-webpki-roots"
  )
))]
struct InsecureServerCertVerifier;

#[cfg(all(
  feature = "tls-insecure",
  any(
    feature = "tls-rustls-native-roots",
    feature = "tls-rustls-webpki-roots"
  )
))]
impl rustls::client::ServerCertVerifier for InsecureServerCertVerifier {
  fn verify_server_cert(
    &self,
    _end_entity: &rustls::Certificate,
    _intermediates: &[rustls::Certificate],
    _server_name: &rustls::ServerName,
    _scts: &mut dyn Iterator<Item = &[u8]>,
    _ocsp_response: &[u8],
    _now: std::time::SystemTime,
  ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
    Ok(rustls::client::ServerCertVerified::assertion())
  }
}