OLD | NEW |
| (Empty) |
1 /* | |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | |
3 * | |
4 * Use of this source code is governed by a BSD-style license | |
5 * that can be found in the LICENSE file in the root of the source | |
6 * tree. An additional intellectual property rights grant can be found | |
7 * in the file PATENTS. All contributing project authors may | |
8 * be found in the AUTHORS file in the root of the source tree. | |
9 */ | |
10 | |
11 #include <memory> | |
12 #include <utility> // for std::pair | |
13 | |
14 #include "webrtc/p2p/base/transport.h" | |
15 | |
16 #include "webrtc/p2p/base/candidate.h" | |
17 #include "webrtc/p2p/base/p2pconstants.h" | |
18 #include "webrtc/p2p/base/port.h" | |
19 #include "webrtc/p2p/base/transportchannelimpl.h" | |
20 #include "webrtc/base/bind.h" | |
21 #include "webrtc/base/checks.h" | |
22 #include "webrtc/base/logging.h" | |
23 | |
24 namespace cricket { | |
25 | |
26 static bool VerifyIceParams(const TransportDescription& desc) { | |
27 // For legacy protocols. | |
28 if (desc.ice_ufrag.empty() && desc.ice_pwd.empty()) | |
29 return true; | |
30 | |
31 if (desc.ice_ufrag.length() < ICE_UFRAG_MIN_LENGTH || | |
32 desc.ice_ufrag.length() > ICE_UFRAG_MAX_LENGTH) { | |
33 return false; | |
34 } | |
35 if (desc.ice_pwd.length() < ICE_PWD_MIN_LENGTH || | |
36 desc.ice_pwd.length() > ICE_PWD_MAX_LENGTH) { | |
37 return false; | |
38 } | |
39 return true; | |
40 } | |
41 | |
42 bool BadTransportDescription(const std::string& desc, std::string* err_desc) { | |
43 if (err_desc) { | |
44 *err_desc = desc; | |
45 } | |
46 LOG(LS_ERROR) << desc; | |
47 return false; | |
48 } | |
49 | |
50 bool IceCredentialsChanged(const std::string& old_ufrag, | |
51 const std::string& old_pwd, | |
52 const std::string& new_ufrag, | |
53 const std::string& new_pwd) { | |
54 // The standard (RFC 5245 Section 9.1.1.1) says that ICE restarts MUST change | |
55 // both the ufrag and password. However, section 9.2.1.1 says changing the | |
56 // ufrag OR password indicates an ICE restart. So, to keep compatibility with | |
57 // endpoints that only change one, we'll treat this as an ICE restart. | |
58 return (old_ufrag != new_ufrag) || (old_pwd != new_pwd); | |
59 } | |
60 | |
61 Transport::Transport(const std::string& name, PortAllocator* allocator) | |
62 : name_(name), allocator_(allocator) {} | |
63 | |
64 Transport::~Transport() { | |
65 RTC_DCHECK(channels_destroyed_); | |
66 } | |
67 | |
68 void Transport::SetIceRole(IceRole role) { | |
69 ice_role_ = role; | |
70 for (const auto& kv : channels_) { | |
71 kv.second->SetIceRole(ice_role_); | |
72 } | |
73 } | |
74 | |
75 std::unique_ptr<rtc::SSLCertificate> Transport::GetRemoteSSLCertificate() { | |
76 if (channels_.empty()) { | |
77 return nullptr; | |
78 } | |
79 | |
80 auto iter = channels_.begin(); | |
81 return iter->second->GetRemoteSSLCertificate(); | |
82 } | |
83 | |
84 void Transport::SetIceConfig(const IceConfig& config) { | |
85 ice_config_ = config; | |
86 for (const auto& kv : channels_) { | |
87 kv.second->SetIceConfig(ice_config_); | |
88 } | |
89 } | |
90 | |
91 bool Transport::SetLocalTransportDescription( | |
92 const TransportDescription& description, | |
93 ContentAction action, | |
94 std::string* error_desc) { | |
95 bool ret = true; | |
96 | |
97 if (!VerifyIceParams(description)) { | |
98 return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", | |
99 error_desc); | |
100 } | |
101 | |
102 local_description_.reset(new TransportDescription(description)); | |
103 | |
104 for (const auto& kv : channels_) { | |
105 ret &= ApplyLocalTransportDescription(kv.second, error_desc); | |
106 } | |
107 if (!ret) { | |
108 return false; | |
109 } | |
110 | |
111 // If PRANSWER/ANSWER is set, we should decide transport protocol type. | |
112 if (action == CA_PRANSWER || action == CA_ANSWER) { | |
113 ret &= NegotiateTransportDescription(action, error_desc); | |
114 } | |
115 if (ret) { | |
116 local_description_set_ = true; | |
117 } | |
118 | |
119 return ret; | |
120 } | |
121 | |
122 bool Transport::SetRemoteTransportDescription( | |
123 const TransportDescription& description, | |
124 ContentAction action, | |
125 std::string* error_desc) { | |
126 bool ret = true; | |
127 | |
128 if (!VerifyIceParams(description)) { | |
129 return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", | |
130 error_desc); | |
131 } | |
132 | |
133 remote_description_.reset(new TransportDescription(description)); | |
134 for (const auto& kv : channels_) { | |
135 ret &= ApplyRemoteTransportDescription(kv.second, error_desc); | |
136 } | |
137 | |
138 // If PRANSWER/ANSWER is set, we should decide transport protocol type. | |
139 if (action == CA_PRANSWER || action == CA_ANSWER) { | |
140 ret = NegotiateTransportDescription(CA_OFFER, error_desc); | |
141 } | |
142 if (ret) { | |
143 remote_description_set_ = true; | |
144 } | |
145 | |
146 return ret; | |
147 } | |
148 | |
149 TransportChannelImpl* Transport::CreateChannel(int component) { | |
150 TransportChannelImpl* channel; | |
151 | |
152 // Create the entry if it does not exist. | |
153 bool channel_exists = false; | |
154 auto iter = channels_.find(component); | |
155 if (iter == channels_.end()) { | |
156 channel = CreateTransportChannel(component); | |
157 channels_.insert(std::pair<int, TransportChannelImpl*>(component, channel)); | |
158 } else { | |
159 channel = iter->second; | |
160 channel_exists = true; | |
161 } | |
162 | |
163 channels_destroyed_ = false; | |
164 | |
165 if (channel_exists) { | |
166 // If this is an existing channel, we should just return it. | |
167 return channel; | |
168 } | |
169 | |
170 // Push down our transport state to the new channel. | |
171 channel->SetIceRole(ice_role_); | |
172 channel->SetIceTiebreaker(tiebreaker_); | |
173 channel->SetIceConfig(ice_config_); | |
174 // TODO(ronghuawu): Change CreateChannel to be able to return error since | |
175 // below Apply**Description calls can fail. | |
176 if (local_description_) | |
177 ApplyLocalTransportDescription(channel, nullptr); | |
178 if (remote_description_) | |
179 ApplyRemoteTransportDescription(channel, nullptr); | |
180 if (local_description_ && remote_description_) | |
181 ApplyNegotiatedTransportDescription(channel, nullptr); | |
182 | |
183 return channel; | |
184 } | |
185 | |
186 TransportChannelImpl* Transport::GetChannel(int component) { | |
187 auto iter = channels_.find(component); | |
188 return (iter != channels_.end()) ? iter->second : nullptr; | |
189 } | |
190 | |
191 bool Transport::HasChannels() { | |
192 return !channels_.empty(); | |
193 } | |
194 | |
195 void Transport::DestroyChannel(int component) { | |
196 auto iter = channels_.find(component); | |
197 if (iter == channels_.end()) | |
198 return; | |
199 | |
200 TransportChannelImpl* channel = iter->second; | |
201 channels_.erase(iter); | |
202 DestroyTransportChannel(channel); | |
203 } | |
204 | |
205 void Transport::MaybeStartGathering() { | |
206 CallChannels(&TransportChannelImpl::MaybeStartGathering); | |
207 } | |
208 | |
209 void Transport::DestroyAllChannels() { | |
210 for (const auto& kv : channels_) { | |
211 DestroyTransportChannel(kv.second); | |
212 } | |
213 channels_.clear(); | |
214 channels_destroyed_ = true; | |
215 } | |
216 | |
217 void Transport::CallChannels(TransportChannelFunc func) { | |
218 for (const auto& kv : channels_) { | |
219 (kv.second->*func)(); | |
220 } | |
221 } | |
222 | |
223 bool Transport::VerifyCandidate(const Candidate& cand, std::string* error) { | |
224 // No address zero. | |
225 if (cand.address().IsNil() || cand.address().IsAnyIP()) { | |
226 *error = "candidate has address of zero"; | |
227 return false; | |
228 } | |
229 | |
230 // Disallow all ports below 1024, except for 80 and 443 on public addresses. | |
231 int port = cand.address().port(); | |
232 if (cand.protocol() == TCP_PROTOCOL_NAME && | |
233 (cand.tcptype() == TCPTYPE_ACTIVE_STR || port == 0)) { | |
234 // Expected for active-only candidates per | |
235 // http://tools.ietf.org/html/rfc6544#section-4.5 so no error. | |
236 // Libjingle clients emit port 0, in "active" mode. | |
237 return true; | |
238 } | |
239 if (port < 1024) { | |
240 if ((port != 80) && (port != 443)) { | |
241 *error = "candidate has port below 1024, but not 80 or 443"; | |
242 return false; | |
243 } | |
244 | |
245 if (cand.address().IsPrivateIP()) { | |
246 *error = "candidate has port of 80 or 443 with private IP address"; | |
247 return false; | |
248 } | |
249 } | |
250 | |
251 if (!HasChannel(cand.component())) { | |
252 *error = "Candidate has an unknown component: " + cand.ToString() + | |
253 " for content: " + name(); | |
254 return false; | |
255 } | |
256 | |
257 return true; | |
258 } | |
259 | |
260 bool Transport::VerifyCandidates(const Candidates& candidates, | |
261 std::string* error) { | |
262 for (const Candidate& candidate : candidates) { | |
263 if (!VerifyCandidate(candidate, error)) { | |
264 return false; | |
265 } | |
266 } | |
267 return true; | |
268 } | |
269 | |
270 | |
271 bool Transport::GetStats(TransportStats* stats) { | |
272 stats->transport_name = name(); | |
273 stats->channel_stats.clear(); | |
274 for (auto kv : channels_) { | |
275 TransportChannelImpl* channel = kv.second; | |
276 TransportChannelStats substats; | |
277 substats.component = channel->component(); | |
278 channel->GetSrtpCryptoSuite(&substats.srtp_crypto_suite); | |
279 channel->GetSslCipherSuite(&substats.ssl_cipher_suite); | |
280 if (!channel->GetStats(&substats.connection_infos)) { | |
281 return false; | |
282 } | |
283 stats->channel_stats.push_back(substats); | |
284 } | |
285 return true; | |
286 } | |
287 | |
288 bool Transport::AddRemoteCandidates(const std::vector<Candidate>& candidates, | |
289 std::string* error) { | |
290 ASSERT(!channels_destroyed_); | |
291 // Verify each candidate before passing down to the transport layer. | |
292 if (!VerifyCandidates(candidates, error)) { | |
293 return false; | |
294 } | |
295 | |
296 for (const Candidate& candidate : candidates) { | |
297 TransportChannelImpl* channel = GetChannel(candidate.component()); | |
298 if (channel != nullptr) { | |
299 channel->AddRemoteCandidate(candidate); | |
300 } | |
301 } | |
302 return true; | |
303 } | |
304 | |
305 bool Transport::RemoveRemoteCandidates(const std::vector<Candidate>& candidates, | |
306 std::string* error) { | |
307 ASSERT(!channels_destroyed_); | |
308 // Verify each candidate before passing down to the transport layer. | |
309 if (!VerifyCandidates(candidates, error)) { | |
310 return false; | |
311 } | |
312 | |
313 for (const Candidate& candidate : candidates) { | |
314 TransportChannelImpl* channel = GetChannel(candidate.component()); | |
315 if (channel != nullptr) { | |
316 channel->RemoveRemoteCandidate(candidate); | |
317 } | |
318 } | |
319 return true; | |
320 } | |
321 | |
322 bool Transport::ApplyLocalTransportDescription(TransportChannelImpl* ch, | |
323 std::string* error_desc) { | |
324 ch->SetIceParameters(local_description_->GetIceParameters()); | |
325 return true; | |
326 } | |
327 | |
328 bool Transport::ApplyRemoteTransportDescription(TransportChannelImpl* ch, | |
329 std::string* error_desc) { | |
330 ch->SetRemoteIceParameters(remote_description_->GetIceParameters()); | |
331 return true; | |
332 } | |
333 | |
334 bool Transport::ApplyNegotiatedTransportDescription( | |
335 TransportChannelImpl* channel, | |
336 std::string* error_desc) { | |
337 channel->SetRemoteIceMode(remote_ice_mode_); | |
338 return true; | |
339 } | |
340 | |
341 bool Transport::NegotiateTransportDescription(ContentAction local_role, | |
342 std::string* error_desc) { | |
343 // TODO(ekr@rtfm.com): This is ICE-specific stuff. Refactor into | |
344 // P2PTransport. | |
345 | |
346 // If transport is in ICEROLE_CONTROLLED and remote end point supports only | |
347 // ice_lite, this local end point should take CONTROLLING role. | |
348 if (ice_role_ == ICEROLE_CONTROLLED && | |
349 remote_description_->ice_mode == ICEMODE_LITE) { | |
350 SetIceRole(ICEROLE_CONTROLLING); | |
351 } | |
352 | |
353 // Update remote ice_mode to all existing channels. | |
354 remote_ice_mode_ = remote_description_->ice_mode; | |
355 | |
356 // Now that we have negotiated everything, push it downward. | |
357 // Note that we cache the result so that if we have race conditions | |
358 // between future SetRemote/SetLocal invocations and new channel | |
359 // creation, we have the negotiation state saved until a new | |
360 // negotiation happens. | |
361 for (const auto& kv : channels_) { | |
362 if (!ApplyNegotiatedTransportDescription(kv.second, error_desc)) { | |
363 return false; | |
364 } | |
365 } | |
366 return true; | |
367 } | |
368 | |
369 bool Transport::VerifyCertificateFingerprint( | |
370 const rtc::RTCCertificate* certificate, | |
371 const rtc::SSLFingerprint* fingerprint, | |
372 std::string* error_desc) const { | |
373 if (!fingerprint) { | |
374 return BadTransportDescription("No fingerprint.", error_desc); | |
375 } | |
376 if (!certificate) { | |
377 return BadTransportDescription( | |
378 "Fingerprint provided but no identity available.", error_desc); | |
379 } | |
380 std::unique_ptr<rtc::SSLFingerprint> fp_tmp(rtc::SSLFingerprint::Create( | |
381 fingerprint->algorithm, certificate->identity())); | |
382 ASSERT(fp_tmp.get() != NULL); | |
383 if (*fp_tmp == *fingerprint) { | |
384 return true; | |
385 } | |
386 std::ostringstream desc; | |
387 desc << "Local fingerprint does not match identity. Expected: "; | |
388 desc << fp_tmp->ToString(); | |
389 desc << " Got: " << fingerprint->ToString(); | |
390 return BadTransportDescription(desc.str(), error_desc); | |
391 } | |
392 | |
393 bool Transport::NegotiateRole(ContentAction local_role, | |
394 rtc::SSLRole* ssl_role, | |
395 std::string* error_desc) const { | |
396 RTC_DCHECK(ssl_role); | |
397 if (!local_description() || !remote_description()) { | |
398 const std::string msg = | |
399 "Local and Remote description must be set before " | |
400 "transport descriptions are negotiated"; | |
401 return BadTransportDescription(msg, error_desc); | |
402 } | |
403 | |
404 // From RFC 4145, section-4.1, The following are the values that the | |
405 // 'setup' attribute can take in an offer/answer exchange: | |
406 // Offer Answer | |
407 // ________________ | |
408 // active passive / holdconn | |
409 // passive active / holdconn | |
410 // actpass active / passive / holdconn | |
411 // holdconn holdconn | |
412 // | |
413 // Set the role that is most conformant with RFC 5763, Section 5, bullet 1 | |
414 // The endpoint MUST use the setup attribute defined in [RFC4145]. | |
415 // The endpoint that is the offerer MUST use the setup attribute | |
416 // value of setup:actpass and be prepared to receive a client_hello | |
417 // before it receives the answer. The answerer MUST use either a | |
418 // setup attribute value of setup:active or setup:passive. Note that | |
419 // if the answerer uses setup:passive, then the DTLS handshake will | |
420 // not begin until the answerer is received, which adds additional | |
421 // latency. setup:active allows the answer and the DTLS handshake to | |
422 // occur in parallel. Thus, setup:active is RECOMMENDED. Whichever | |
423 // party is active MUST initiate a DTLS handshake by sending a | |
424 // ClientHello over each flow (host/port quartet). | |
425 // IOW - actpass and passive modes should be treated as server and | |
426 // active as client. | |
427 ConnectionRole local_connection_role = local_description()->connection_role; | |
428 ConnectionRole remote_connection_role = remote_description()->connection_role; | |
429 | |
430 bool is_remote_server = false; | |
431 if (local_role == CA_OFFER) { | |
432 if (local_connection_role != CONNECTIONROLE_ACTPASS) { | |
433 return BadTransportDescription( | |
434 "Offerer must use actpass value for setup attribute.", error_desc); | |
435 } | |
436 | |
437 if (remote_connection_role == CONNECTIONROLE_ACTIVE || | |
438 remote_connection_role == CONNECTIONROLE_PASSIVE || | |
439 remote_connection_role == CONNECTIONROLE_NONE) { | |
440 is_remote_server = (remote_connection_role == CONNECTIONROLE_PASSIVE); | |
441 } else { | |
442 const std::string msg = | |
443 "Answerer must use either active or passive value " | |
444 "for setup attribute."; | |
445 return BadTransportDescription(msg, error_desc); | |
446 } | |
447 // If remote is NONE or ACTIVE it will act as client. | |
448 } else { | |
449 if (remote_connection_role != CONNECTIONROLE_ACTPASS && | |
450 remote_connection_role != CONNECTIONROLE_NONE) { | |
451 return BadTransportDescription( | |
452 "Offerer must use actpass value for setup attribute.", error_desc); | |
453 } | |
454 | |
455 if (local_connection_role == CONNECTIONROLE_ACTIVE || | |
456 local_connection_role == CONNECTIONROLE_PASSIVE) { | |
457 is_remote_server = (local_connection_role == CONNECTIONROLE_ACTIVE); | |
458 } else { | |
459 const std::string msg = | |
460 "Answerer must use either active or passive value " | |
461 "for setup attribute."; | |
462 return BadTransportDescription(msg, error_desc); | |
463 } | |
464 | |
465 // If local is passive, local will act as server. | |
466 } | |
467 | |
468 *ssl_role = is_remote_server ? rtc::SSL_CLIENT : rtc::SSL_SERVER; | |
469 return true; | |
470 } | |
471 | |
472 } // namespace cricket | |
OLD | NEW |