OLD | NEW |
1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
11 #include <memory> | 11 #include <memory> |
12 #include <utility> // for std::pair | 12 #include <utility> // for std::pair |
13 | 13 |
14 #include "webrtc/p2p/base/transport.h" | 14 #include "webrtc/p2p/base/jseptransport.h" |
15 | 15 |
16 #include "webrtc/p2p/base/candidate.h" | 16 #include "webrtc/p2p/base/candidate.h" |
| 17 #include "webrtc/p2p/base/dtlstransportchannel.h" |
17 #include "webrtc/p2p/base/p2pconstants.h" | 18 #include "webrtc/p2p/base/p2pconstants.h" |
| 19 #include "webrtc/p2p/base/p2ptransportchannel.h" |
18 #include "webrtc/p2p/base/port.h" | 20 #include "webrtc/p2p/base/port.h" |
19 #include "webrtc/p2p/base/transportchannelimpl.h" | 21 #include "webrtc/p2p/base/transportchannelimpl.h" |
20 #include "webrtc/base/bind.h" | 22 #include "webrtc/base/bind.h" |
21 #include "webrtc/base/checks.h" | 23 #include "webrtc/base/checks.h" |
22 #include "webrtc/base/logging.h" | 24 #include "webrtc/base/logging.h" |
23 | 25 |
24 namespace cricket { | 26 namespace cricket { |
25 | 27 |
26 static bool VerifyIceParams(const TransportDescription& desc) { | 28 static bool VerifyIceParams(const TransportDescription& desc) { |
27 // For legacy protocols. | 29 // For legacy protocols. |
(...skipping 23 matching lines...) Expand all Loading... |
51 const std::string& old_pwd, | 53 const std::string& old_pwd, |
52 const std::string& new_ufrag, | 54 const std::string& new_ufrag, |
53 const std::string& new_pwd) { | 55 const std::string& new_pwd) { |
54 // The standard (RFC 5245 Section 9.1.1.1) says that ICE restarts MUST change | 56 // The standard (RFC 5245 Section 9.1.1.1) says that ICE restarts MUST change |
55 // both the ufrag and password. However, section 9.2.1.1 says changing the | 57 // both the ufrag and password. However, section 9.2.1.1 says changing the |
56 // ufrag OR password indicates an ICE restart. So, to keep compatibility with | 58 // ufrag OR password indicates an ICE restart. So, to keep compatibility with |
57 // endpoints that only change one, we'll treat this as an ICE restart. | 59 // endpoints that only change one, we'll treat this as an ICE restart. |
58 return (old_ufrag != new_ufrag) || (old_pwd != new_pwd); | 60 return (old_ufrag != new_ufrag) || (old_pwd != new_pwd); |
59 } | 61 } |
60 | 62 |
61 Transport::Transport(const std::string& name, PortAllocator* allocator) | 63 bool VerifyCandidate(const Candidate& cand, std::string* error) { |
62 : name_(name), allocator_(allocator) {} | 64 // No address zero. |
| 65 if (cand.address().IsNil() || cand.address().IsAnyIP()) { |
| 66 *error = "candidate has address of zero"; |
| 67 return false; |
| 68 } |
63 | 69 |
64 Transport::~Transport() { | 70 // Disallow all ports below 1024, except for 80 and 443 on public addresses. |
65 RTC_DCHECK(channels_destroyed_); | 71 int port = cand.address().port(); |
| 72 if (cand.protocol() == TCP_PROTOCOL_NAME && |
| 73 (cand.tcptype() == TCPTYPE_ACTIVE_STR || port == 0)) { |
| 74 // Expected for active-only candidates per |
| 75 // http://tools.ietf.org/html/rfc6544#section-4.5 so no error. |
| 76 // Libjingle clients emit port 0, in "active" mode. |
| 77 return true; |
| 78 } |
| 79 if (port < 1024) { |
| 80 if ((port != 80) && (port != 443)) { |
| 81 *error = "candidate has port below 1024, but not 80 or 443"; |
| 82 return false; |
| 83 } |
| 84 |
| 85 if (cand.address().IsPrivateIP()) { |
| 86 *error = "candidate has port of 80 or 443 with private IP address"; |
| 87 return false; |
| 88 } |
| 89 } |
| 90 |
| 91 return true; |
66 } | 92 } |
67 | 93 |
68 void Transport::SetIceRole(IceRole role) { | 94 bool VerifyCandidates(const Candidates& candidates, std::string* error) { |
69 ice_role_ = role; | 95 for (const Candidate& candidate : candidates) { |
70 for (const auto& kv : channels_) { | 96 if (!VerifyCandidate(candidate, error)) { |
71 kv.second->SetIceRole(ice_role_); | 97 return false; |
| 98 } |
72 } | 99 } |
| 100 return true; |
73 } | 101 } |
74 | 102 |
75 std::unique_ptr<rtc::SSLCertificate> Transport::GetRemoteSSLCertificate() { | 103 JsepTransport::JsepTransport( |
76 if (channels_.empty()) { | 104 const std::string& mid, |
77 return nullptr; | 105 const rtc::scoped_refptr<rtc::RTCCertificate>& certificate) |
| 106 : mid_(mid), certificate_(certificate) {} |
| 107 |
| 108 bool JsepTransport::AddChannel(TransportChannelImpl* dtls, int component) { |
| 109 if (channels_.find(component) != channels_.end()) { |
| 110 LOG(LS_ERROR) << "Adding channel for component " << component << " twice."; |
| 111 return false; |
| 112 } |
| 113 channels_[component] = dtls; |
| 114 // Something's wrong if a channel is being added after a description is set. |
| 115 // This may currently occur if rtcp-mux is negotiated, then a new m= section |
| 116 // is added in a later offer/answer. But this is suboptimal and should be |
| 117 // changed; we shouldn't support going from muxed to non-muxed. |
| 118 // TODO(deadbeef): Once this is fixed, make the warning an error, and remove |
| 119 // the calls to "ApplyXTransportDescription" below. |
| 120 if (local_description_set_ || remote_description_set_) { |
| 121 LOG(LS_WARNING) << "Adding new transport channel after " |
| 122 "transport description already applied."; |
| 123 } |
| 124 bool ret = true; |
| 125 std::string err; |
| 126 if (local_description_set_) { |
| 127 ret &= ApplyLocalTransportDescription(channels_[component], &err); |
| 128 } |
| 129 if (remote_description_set_) { |
| 130 ret &= ApplyRemoteTransportDescription(channels_[component], &err); |
| 131 } |
| 132 if (local_description_set_ && remote_description_set_) { |
| 133 ret &= ApplyNegotiatedTransportDescription(channels_[component], &err); |
| 134 } |
| 135 return ret; |
| 136 } |
| 137 |
| 138 bool JsepTransport::RemoveChannel(int component) { |
| 139 auto it = channels_.find(component); |
| 140 if (it == channels_.end()) { |
| 141 LOG(LS_ERROR) << "Trying to remove channel for component " << component |
| 142 << ", which doesn't exist."; |
| 143 return false; |
| 144 } |
| 145 channels_.erase(component); |
| 146 return true; |
| 147 } |
| 148 |
| 149 bool JsepTransport::HasChannels() const { |
| 150 return !channels_.empty(); |
| 151 } |
| 152 |
| 153 void JsepTransport::SetLocalCertificate( |
| 154 const rtc::scoped_refptr<rtc::RTCCertificate>& certificate) { |
| 155 certificate_ = certificate; |
| 156 } |
| 157 |
| 158 bool JsepTransport::GetLocalCertificate( |
| 159 rtc::scoped_refptr<rtc::RTCCertificate>* certificate) const { |
| 160 if (!certificate_) { |
| 161 return false; |
78 } | 162 } |
79 | 163 |
80 auto iter = channels_.begin(); | 164 *certificate = certificate_; |
81 return iter->second->GetRemoteSSLCertificate(); | 165 return true; |
82 } | 166 } |
83 | 167 |
84 void Transport::SetIceConfig(const IceConfig& config) { | 168 bool JsepTransport::SetLocalTransportDescription( |
85 ice_config_ = config; | |
86 for (const auto& kv : channels_) { | |
87 kv.second->SetIceConfig(ice_config_); | |
88 } | |
89 } | |
90 | |
91 bool Transport::SetLocalTransportDescription( | |
92 const TransportDescription& description, | 169 const TransportDescription& description, |
93 ContentAction action, | 170 ContentAction action, |
94 std::string* error_desc) { | 171 std::string* error_desc) { |
95 bool ret = true; | 172 bool ret = true; |
96 | 173 |
97 if (!VerifyIceParams(description)) { | 174 if (!VerifyIceParams(description)) { |
98 return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", | 175 return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", |
99 error_desc); | 176 error_desc); |
100 } | 177 } |
101 | 178 |
102 local_description_.reset(new TransportDescription(description)); | 179 local_description_.reset(new TransportDescription(description)); |
103 | 180 |
| 181 rtc::SSLFingerprint* local_fp = |
| 182 local_description_->identity_fingerprint.get(); |
| 183 |
| 184 if (!local_fp) { |
| 185 certificate_ = nullptr; |
| 186 } else if (!VerifyCertificateFingerprint(certificate_.get(), local_fp, |
| 187 error_desc)) { |
| 188 return false; |
| 189 } |
| 190 |
104 for (const auto& kv : channels_) { | 191 for (const auto& kv : channels_) { |
105 ret &= ApplyLocalTransportDescription(kv.second, error_desc); | 192 ret &= ApplyLocalTransportDescription(kv.second, error_desc); |
106 } | 193 } |
107 if (!ret) { | 194 if (!ret) { |
108 return false; | 195 return false; |
109 } | 196 } |
110 | 197 |
111 // If PRANSWER/ANSWER is set, we should decide transport protocol type. | 198 // If PRANSWER/ANSWER is set, we should decide transport protocol type. |
112 if (action == CA_PRANSWER || action == CA_ANSWER) { | 199 if (action == CA_PRANSWER || action == CA_ANSWER) { |
113 ret &= NegotiateTransportDescription(action, error_desc); | 200 ret &= NegotiateTransportDescription(action, error_desc); |
114 } | 201 } |
115 if (ret) { | 202 if (ret) { |
116 local_description_set_ = true; | 203 local_description_set_ = true; |
117 } | 204 } |
118 | 205 |
119 return ret; | 206 return ret; |
120 } | 207 } |
121 | 208 |
122 bool Transport::SetRemoteTransportDescription( | 209 bool JsepTransport::SetRemoteTransportDescription( |
123 const TransportDescription& description, | 210 const TransportDescription& description, |
124 ContentAction action, | 211 ContentAction action, |
125 std::string* error_desc) { | 212 std::string* error_desc) { |
126 bool ret = true; | 213 bool ret = true; |
127 | 214 |
128 if (!VerifyIceParams(description)) { | 215 if (!VerifyIceParams(description)) { |
129 return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", | 216 return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", |
130 error_desc); | 217 error_desc); |
131 } | 218 } |
132 | 219 |
133 remote_description_.reset(new TransportDescription(description)); | 220 remote_description_.reset(new TransportDescription(description)); |
134 for (const auto& kv : channels_) { | 221 for (const auto& kv : channels_) { |
135 ret &= ApplyRemoteTransportDescription(kv.second, error_desc); | 222 ret &= ApplyRemoteTransportDescription(kv.second, error_desc); |
136 } | 223 } |
137 | 224 |
138 // If PRANSWER/ANSWER is set, we should decide transport protocol type. | 225 // If PRANSWER/ANSWER is set, we should decide transport protocol type. |
139 if (action == CA_PRANSWER || action == CA_ANSWER) { | 226 if (action == CA_PRANSWER || action == CA_ANSWER) { |
140 ret = NegotiateTransportDescription(CA_OFFER, error_desc); | 227 ret = NegotiateTransportDescription(CA_OFFER, error_desc); |
141 } | 228 } |
142 if (ret) { | 229 if (ret) { |
143 remote_description_set_ = true; | 230 remote_description_set_ = true; |
144 } | 231 } |
145 | 232 |
146 return ret; | 233 return ret; |
147 } | 234 } |
148 | 235 |
149 TransportChannelImpl* Transport::CreateChannel(int component) { | 236 void JsepTransport::GetSslRole(rtc::SSLRole* ssl_role) const { |
150 TransportChannelImpl* channel; | 237 RTC_DCHECK(ssl_role); |
151 | 238 *ssl_role = secure_role_; |
152 // Create the entry if it does not exist. | |
153 bool channel_exists = false; | |
154 auto iter = channels_.find(component); | |
155 if (iter == channels_.end()) { | |
156 channel = CreateTransportChannel(component); | |
157 channels_.insert(std::pair<int, TransportChannelImpl*>(component, channel)); | |
158 } else { | |
159 channel = iter->second; | |
160 channel_exists = true; | |
161 } | |
162 | |
163 channels_destroyed_ = false; | |
164 | |
165 if (channel_exists) { | |
166 // If this is an existing channel, we should just return it. | |
167 return channel; | |
168 } | |
169 | |
170 // Push down our transport state to the new channel. | |
171 channel->SetIceRole(ice_role_); | |
172 channel->SetIceTiebreaker(tiebreaker_); | |
173 channel->SetIceConfig(ice_config_); | |
174 // TODO(ronghuawu): Change CreateChannel to be able to return error since | |
175 // below Apply**Description calls can fail. | |
176 if (local_description_) | |
177 ApplyLocalTransportDescription(channel, nullptr); | |
178 if (remote_description_) | |
179 ApplyRemoteTransportDescription(channel, nullptr); | |
180 if (local_description_ && remote_description_) | |
181 ApplyNegotiatedTransportDescription(channel, nullptr); | |
182 | |
183 return channel; | |
184 } | 239 } |
185 | 240 |
186 TransportChannelImpl* Transport::GetChannel(int component) { | 241 bool JsepTransport::GetStats(TransportStats* stats) { |
187 auto iter = channels_.find(component); | 242 stats->transport_name = mid(); |
188 return (iter != channels_.end()) ? iter->second : nullptr; | |
189 } | |
190 | |
191 bool Transport::HasChannels() { | |
192 return !channels_.empty(); | |
193 } | |
194 | |
195 void Transport::DestroyChannel(int component) { | |
196 auto iter = channels_.find(component); | |
197 if (iter == channels_.end()) | |
198 return; | |
199 | |
200 TransportChannelImpl* channel = iter->second; | |
201 channels_.erase(iter); | |
202 DestroyTransportChannel(channel); | |
203 } | |
204 | |
205 void Transport::MaybeStartGathering() { | |
206 CallChannels(&TransportChannelImpl::MaybeStartGathering); | |
207 } | |
208 | |
209 void Transport::DestroyAllChannels() { | |
210 for (const auto& kv : channels_) { | |
211 DestroyTransportChannel(kv.second); | |
212 } | |
213 channels_.clear(); | |
214 channels_destroyed_ = true; | |
215 } | |
216 | |
217 void Transport::CallChannels(TransportChannelFunc func) { | |
218 for (const auto& kv : channels_) { | |
219 (kv.second->*func)(); | |
220 } | |
221 } | |
222 | |
223 bool Transport::VerifyCandidate(const Candidate& cand, std::string* error) { | |
224 // No address zero. | |
225 if (cand.address().IsNil() || cand.address().IsAnyIP()) { | |
226 *error = "candidate has address of zero"; | |
227 return false; | |
228 } | |
229 | |
230 // Disallow all ports below 1024, except for 80 and 443 on public addresses. | |
231 int port = cand.address().port(); | |
232 if (cand.protocol() == TCP_PROTOCOL_NAME && | |
233 (cand.tcptype() == TCPTYPE_ACTIVE_STR || port == 0)) { | |
234 // Expected for active-only candidates per | |
235 // http://tools.ietf.org/html/rfc6544#section-4.5 so no error. | |
236 // Libjingle clients emit port 0, in "active" mode. | |
237 return true; | |
238 } | |
239 if (port < 1024) { | |
240 if ((port != 80) && (port != 443)) { | |
241 *error = "candidate has port below 1024, but not 80 or 443"; | |
242 return false; | |
243 } | |
244 | |
245 if (cand.address().IsPrivateIP()) { | |
246 *error = "candidate has port of 80 or 443 with private IP address"; | |
247 return false; | |
248 } | |
249 } | |
250 | |
251 if (!HasChannel(cand.component())) { | |
252 *error = "Candidate has an unknown component: " + cand.ToString() + | |
253 " for content: " + name(); | |
254 return false; | |
255 } | |
256 | |
257 return true; | |
258 } | |
259 | |
260 bool Transport::VerifyCandidates(const Candidates& candidates, | |
261 std::string* error) { | |
262 for (const Candidate& candidate : candidates) { | |
263 if (!VerifyCandidate(candidate, error)) { | |
264 return false; | |
265 } | |
266 } | |
267 return true; | |
268 } | |
269 | |
270 | |
271 bool Transport::GetStats(TransportStats* stats) { | |
272 stats->transport_name = name(); | |
273 stats->channel_stats.clear(); | 243 stats->channel_stats.clear(); |
274 for (auto kv : channels_) { | 244 for (auto& kv : channels_) { |
275 TransportChannelImpl* channel = kv.second; | 245 TransportChannelImpl* channel = kv.second; |
276 TransportChannelStats substats; | 246 TransportChannelStats substats; |
277 substats.component = channel->component(); | 247 substats.component = kv.first; |
278 channel->GetSrtpCryptoSuite(&substats.srtp_crypto_suite); | 248 channel->GetSrtpCryptoSuite(&substats.srtp_crypto_suite); |
279 channel->GetSslCipherSuite(&substats.ssl_cipher_suite); | 249 channel->GetSslCipherSuite(&substats.ssl_cipher_suite); |
280 if (!channel->GetStats(&substats.connection_infos)) { | 250 if (!channel->GetStats(&substats.connection_infos)) { |
281 return false; | 251 return false; |
282 } | 252 } |
283 stats->channel_stats.push_back(substats); | 253 stats->channel_stats.push_back(substats); |
284 } | 254 } |
285 return true; | 255 return true; |
286 } | 256 } |
287 | 257 |
288 bool Transport::AddRemoteCandidates(const std::vector<Candidate>& candidates, | 258 bool JsepTransport::VerifyCertificateFingerprint( |
289 std::string* error) { | 259 const rtc::RTCCertificate* certificate, |
290 ASSERT(!channels_destroyed_); | 260 const rtc::SSLFingerprint* fingerprint, |
291 // Verify each candidate before passing down to the transport layer. | 261 std::string* error_desc) const { |
292 if (!VerifyCandidates(candidates, error)) { | 262 if (!fingerprint) { |
293 return false; | 263 return BadTransportDescription("No fingerprint.", error_desc); |
294 } | 264 } |
| 265 if (!certificate) { |
| 266 return BadTransportDescription( |
| 267 "Fingerprint provided but no identity available.", error_desc); |
| 268 } |
| 269 std::unique_ptr<rtc::SSLFingerprint> fp_tmp(rtc::SSLFingerprint::Create( |
| 270 fingerprint->algorithm, certificate->identity())); |
| 271 ASSERT(fp_tmp.get() != NULL); |
| 272 if (*fp_tmp == *fingerprint) { |
| 273 return true; |
| 274 } |
| 275 std::ostringstream desc; |
| 276 desc << "Local fingerprint does not match identity. Expected: "; |
| 277 desc << fp_tmp->ToString(); |
| 278 desc << " Got: " << fingerprint->ToString(); |
| 279 return BadTransportDescription(desc.str(), error_desc); |
| 280 } |
295 | 281 |
296 for (const Candidate& candidate : candidates) { | 282 bool JsepTransport::ApplyLocalTransportDescription( |
297 TransportChannelImpl* channel = GetChannel(candidate.component()); | 283 TransportChannelImpl* channel, |
298 if (channel != nullptr) { | 284 std::string* error_desc) { |
299 channel->AddRemoteCandidate(candidate); | 285 channel->SetIceParameters(local_description_->GetIceParameters()); |
300 } | 286 return true; |
| 287 } |
| 288 |
| 289 bool JsepTransport::ApplyRemoteTransportDescription( |
| 290 TransportChannelImpl* channel, |
| 291 std::string* error_desc) { |
| 292 // Currently, all ICE-related calls still go through this DTLS channel. But |
| 293 // that will change once we get rid of TransportChannelImpl, and the DTLS |
| 294 // channel interface no longer includes ICE-specific methods. Then this class |
| 295 // will need to call dtls->ice()->SetIceRole(), for example, assuming the Dtls |
| 296 // interface will expose its inner ICE channel. |
| 297 channel->SetRemoteIceParameters(remote_description_->GetIceParameters()); |
| 298 channel->SetRemoteIceMode(remote_description_->ice_mode); |
| 299 return true; |
| 300 } |
| 301 |
| 302 bool JsepTransport::ApplyNegotiatedTransportDescription( |
| 303 TransportChannelImpl* channel, |
| 304 std::string* error_desc) { |
| 305 // Set SSL role. Role must be set before fingerprint is applied, which |
| 306 // initiates DTLS setup. |
| 307 if (!channel->SetSslRole(secure_role_)) { |
| 308 return BadTransportDescription("Failed to set SSL role for the channel.", |
| 309 error_desc); |
| 310 } |
| 311 // Apply remote fingerprint. |
| 312 if (!channel->SetRemoteFingerprint( |
| 313 remote_fingerprint_->algorithm, |
| 314 reinterpret_cast<const uint8_t*>(remote_fingerprint_->digest.data()), |
| 315 remote_fingerprint_->digest.size())) { |
| 316 return BadTransportDescription("Failed to apply remote fingerprint.", |
| 317 error_desc); |
301 } | 318 } |
302 return true; | 319 return true; |
303 } | 320 } |
304 | 321 |
305 bool Transport::RemoveRemoteCandidates(const std::vector<Candidate>& candidates, | 322 bool JsepTransport::NegotiateTransportDescription(ContentAction local_role, |
306 std::string* error) { | 323 std::string* error_desc) { |
307 ASSERT(!channels_destroyed_); | 324 if (!local_description_ || !remote_description_) { |
308 // Verify each candidate before passing down to the transport layer. | 325 const std::string msg = |
309 if (!VerifyCandidates(candidates, error)) { | 326 "Applying an answer transport description " |
310 return false; | 327 "without applying any offer."; |
| 328 return BadTransportDescription(msg, error_desc); |
311 } | 329 } |
312 | 330 rtc::SSLFingerprint* local_fp = |
313 for (const Candidate& candidate : candidates) { | 331 local_description_->identity_fingerprint.get(); |
314 TransportChannelImpl* channel = GetChannel(candidate.component()); | 332 rtc::SSLFingerprint* remote_fp = |
315 if (channel != nullptr) { | 333 remote_description_->identity_fingerprint.get(); |
316 channel->RemoveRemoteCandidate(candidate); | 334 if (remote_fp && local_fp) { |
| 335 remote_fingerprint_.reset(new rtc::SSLFingerprint(*remote_fp)); |
| 336 if (!NegotiateRole(local_role, &secure_role_, error_desc)) { |
| 337 return false; |
317 } | 338 } |
| 339 } else if (local_fp && (local_role == CA_ANSWER)) { |
| 340 return BadTransportDescription( |
| 341 "Local fingerprint supplied when caller didn't offer DTLS.", |
| 342 error_desc); |
| 343 } else { |
| 344 // We are not doing DTLS |
| 345 remote_fingerprint_.reset(new rtc::SSLFingerprint("", nullptr, 0)); |
318 } | 346 } |
319 return true; | |
320 } | |
321 | |
322 bool Transport::ApplyLocalTransportDescription(TransportChannelImpl* ch, | |
323 std::string* error_desc) { | |
324 ch->SetIceParameters(local_description_->GetIceParameters()); | |
325 return true; | |
326 } | |
327 | |
328 bool Transport::ApplyRemoteTransportDescription(TransportChannelImpl* ch, | |
329 std::string* error_desc) { | |
330 ch->SetRemoteIceParameters(remote_description_->GetIceParameters()); | |
331 return true; | |
332 } | |
333 | |
334 bool Transport::ApplyNegotiatedTransportDescription( | |
335 TransportChannelImpl* channel, | |
336 std::string* error_desc) { | |
337 channel->SetRemoteIceMode(remote_ice_mode_); | |
338 return true; | |
339 } | |
340 | |
341 bool Transport::NegotiateTransportDescription(ContentAction local_role, | |
342 std::string* error_desc) { | |
343 // TODO(ekr@rtfm.com): This is ICE-specific stuff. Refactor into | |
344 // P2PTransport. | |
345 | |
346 // If transport is in ICEROLE_CONTROLLED and remote end point supports only | |
347 // ice_lite, this local end point should take CONTROLLING role. | |
348 if (ice_role_ == ICEROLE_CONTROLLED && | |
349 remote_description_->ice_mode == ICEMODE_LITE) { | |
350 SetIceRole(ICEROLE_CONTROLLING); | |
351 } | |
352 | |
353 // Update remote ice_mode to all existing channels. | |
354 remote_ice_mode_ = remote_description_->ice_mode; | |
355 | |
356 // Now that we have negotiated everything, push it downward. | 347 // Now that we have negotiated everything, push it downward. |
357 // Note that we cache the result so that if we have race conditions | 348 // Note that we cache the result so that if we have race conditions |
358 // between future SetRemote/SetLocal invocations and new channel | 349 // between future SetRemote/SetLocal invocations and new channel |
359 // creation, we have the negotiation state saved until a new | 350 // creation, we have the negotiation state saved until a new |
360 // negotiation happens. | 351 // negotiation happens. |
361 for (const auto& kv : channels_) { | 352 for (const auto& kv : channels_) { |
362 if (!ApplyNegotiatedTransportDescription(kv.second, error_desc)) { | 353 if (!ApplyNegotiatedTransportDescription(kv.second, error_desc)) { |
363 return false; | 354 return false; |
364 } | 355 } |
365 } | 356 } |
366 return true; | 357 return true; |
367 } | 358 } |
368 | 359 |
369 bool Transport::VerifyCertificateFingerprint( | 360 bool JsepTransport::NegotiateRole(ContentAction local_role, |
370 const rtc::RTCCertificate* certificate, | 361 rtc::SSLRole* ssl_role, |
371 const rtc::SSLFingerprint* fingerprint, | 362 std::string* error_desc) const { |
372 std::string* error_desc) const { | |
373 if (!fingerprint) { | |
374 return BadTransportDescription("No fingerprint.", error_desc); | |
375 } | |
376 if (!certificate) { | |
377 return BadTransportDescription( | |
378 "Fingerprint provided but no identity available.", error_desc); | |
379 } | |
380 std::unique_ptr<rtc::SSLFingerprint> fp_tmp(rtc::SSLFingerprint::Create( | |
381 fingerprint->algorithm, certificate->identity())); | |
382 ASSERT(fp_tmp.get() != NULL); | |
383 if (*fp_tmp == *fingerprint) { | |
384 return true; | |
385 } | |
386 std::ostringstream desc; | |
387 desc << "Local fingerprint does not match identity. Expected: "; | |
388 desc << fp_tmp->ToString(); | |
389 desc << " Got: " << fingerprint->ToString(); | |
390 return BadTransportDescription(desc.str(), error_desc); | |
391 } | |
392 | |
393 bool Transport::NegotiateRole(ContentAction local_role, | |
394 rtc::SSLRole* ssl_role, | |
395 std::string* error_desc) const { | |
396 RTC_DCHECK(ssl_role); | 363 RTC_DCHECK(ssl_role); |
397 if (!local_description() || !remote_description()) { | 364 if (!local_description_ || !remote_description_) { |
398 const std::string msg = | 365 const std::string msg = |
399 "Local and Remote description must be set before " | 366 "Local and Remote description must be set before " |
400 "transport descriptions are negotiated"; | 367 "transport descriptions are negotiated"; |
401 return BadTransportDescription(msg, error_desc); | 368 return BadTransportDescription(msg, error_desc); |
402 } | 369 } |
403 | 370 |
404 // From RFC 4145, section-4.1, The following are the values that the | 371 // From RFC 4145, section-4.1, The following are the values that the |
405 // 'setup' attribute can take in an offer/answer exchange: | 372 // 'setup' attribute can take in an offer/answer exchange: |
406 // Offer Answer | 373 // Offer Answer |
407 // ________________ | 374 // ________________ |
408 // active passive / holdconn | 375 // active passive / holdconn |
409 // passive active / holdconn | 376 // passive active / holdconn |
410 // actpass active / passive / holdconn | 377 // actpass active / passive / holdconn |
411 // holdconn holdconn | 378 // holdconn holdconn |
412 // | 379 // |
413 // Set the role that is most conformant with RFC 5763, Section 5, bullet 1 | 380 // Set the role that is most conformant with RFC 5763, Section 5, bullet 1 |
414 // The endpoint MUST use the setup attribute defined in [RFC4145]. | 381 // The endpoint MUST use the setup attribute defined in [RFC4145]. |
415 // The endpoint that is the offerer MUST use the setup attribute | 382 // The endpoint that is the offerer MUST use the setup attribute |
416 // value of setup:actpass and be prepared to receive a client_hello | 383 // value of setup:actpass and be prepared to receive a client_hello |
417 // before it receives the answer. The answerer MUST use either a | 384 // before it receives the answer. The answerer MUST use either a |
418 // setup attribute value of setup:active or setup:passive. Note that | 385 // setup attribute value of setup:active or setup:passive. Note that |
419 // if the answerer uses setup:passive, then the DTLS handshake will | 386 // if the answerer uses setup:passive, then the DTLS handshake will |
420 // not begin until the answerer is received, which adds additional | 387 // not begin until the answerer is received, which adds additional |
421 // latency. setup:active allows the answer and the DTLS handshake to | 388 // latency. setup:active allows the answer and the DTLS handshake to |
422 // occur in parallel. Thus, setup:active is RECOMMENDED. Whichever | 389 // occur in parallel. Thus, setup:active is RECOMMENDED. Whichever |
423 // party is active MUST initiate a DTLS handshake by sending a | 390 // party is active MUST initiate a DTLS handshake by sending a |
424 // ClientHello over each flow (host/port quartet). | 391 // ClientHello over each flow (host/port quartet). |
425 // IOW - actpass and passive modes should be treated as server and | 392 // IOW - actpass and passive modes should be treated as server and |
426 // active as client. | 393 // active as client. |
427 ConnectionRole local_connection_role = local_description()->connection_role; | 394 ConnectionRole local_connection_role = local_description_->connection_role; |
428 ConnectionRole remote_connection_role = remote_description()->connection_role; | 395 ConnectionRole remote_connection_role = remote_description_->connection_role; |
429 | 396 |
430 bool is_remote_server = false; | 397 bool is_remote_server = false; |
431 if (local_role == CA_OFFER) { | 398 if (local_role == CA_OFFER) { |
432 if (local_connection_role != CONNECTIONROLE_ACTPASS) { | 399 if (local_connection_role != CONNECTIONROLE_ACTPASS) { |
433 return BadTransportDescription( | 400 return BadTransportDescription( |
434 "Offerer must use actpass value for setup attribute.", error_desc); | 401 "Offerer must use actpass value for setup attribute.", error_desc); |
435 } | 402 } |
436 | 403 |
437 if (remote_connection_role == CONNECTIONROLE_ACTIVE || | 404 if (remote_connection_role == CONNECTIONROLE_ACTIVE || |
438 remote_connection_role == CONNECTIONROLE_PASSIVE || | 405 remote_connection_role == CONNECTIONROLE_PASSIVE || |
(...skipping 24 matching lines...) Expand all Loading... |
463 } | 430 } |
464 | 431 |
465 // If local is passive, local will act as server. | 432 // If local is passive, local will act as server. |
466 } | 433 } |
467 | 434 |
468 *ssl_role = is_remote_server ? rtc::SSL_CLIENT : rtc::SSL_SERVER; | 435 *ssl_role = is_remote_server ? rtc::SSL_CLIENT : rtc::SSL_SERVER; |
469 return true; | 436 return true; |
470 } | 437 } |
471 | 438 |
472 } // namespace cricket | 439 } // namespace cricket |
OLD | NEW |