| OLD | NEW |
|---|
| (Empty) |
| 1 /* | |
| 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | |
| 3 * | |
| 4 * Use of this source code is governed by a BSD-style license | |
| 5 * that can be found in the LICENSE file in the root of the source | |
| 6 * tree. An additional intellectual property rights grant can be found | |
| 7 * in the file PATENTS. All contributing project authors may | |
| 8 * be found in the AUTHORS file in the root of the source tree. | |
| 9 */ | |
| 10 | |
| 11 #include <memory> | |
| 12 #include <utility> // for std::pair | |
| 13 | |
| 14 #include "webrtc/p2p/base/jseptransport.h" | |
| 15 | |
| 16 #include "webrtc/p2p/base/candidate.h" | |
| 17 #include "webrtc/p2p/base/dtlstransportchannel.h" | |
| 18 #include "webrtc/p2p/base/p2pconstants.h" | |
| 19 #include "webrtc/p2p/base/p2ptransportchannel.h" | |
| 20 #include "webrtc/p2p/base/port.h" | |
| 21 #include "webrtc/p2p/base/transportchannelimpl.h" | |
| 22 #include "webrtc/base/bind.h" | |
| 23 #include "webrtc/base/checks.h" | |
| 24 #include "webrtc/base/logging.h" | |
| 25 | |
| 26 namespace cricket { | |
| 27 | |
| 28 static bool VerifyIceParams(const TransportDescription& desc) { | |
| 29 // For legacy protocols. | |
| 30 if (desc.ice_ufrag.empty() && desc.ice_pwd.empty()) | |
| 31 return true; | |
| 32 | |
| 33 if (desc.ice_ufrag.length() < ICE_UFRAG_MIN_LENGTH || | |
| 34 desc.ice_ufrag.length() > ICE_UFRAG_MAX_LENGTH) { | |
| 35 return false; | |
| 36 } | |
| 37 if (desc.ice_pwd.length() < ICE_PWD_MIN_LENGTH || | |
| 38 desc.ice_pwd.length() > ICE_PWD_MAX_LENGTH) { | |
| 39 return false; | |
| 40 } | |
| 41 return true; | |
| 42 } | |
| 43 | |
| 44 bool BadTransportDescription(const std::string& desc, std::string* err_desc) { | |
| 45 if (err_desc) { | |
| 46 *err_desc = desc; | |
| 47 } | |
| 48 LOG(LS_ERROR) << desc; | |
| 49 return false; | |
| 50 } | |
| 51 | |
| 52 bool IceCredentialsChanged(const std::string& old_ufrag, | |
| 53 const std::string& old_pwd, | |
| 54 const std::string& new_ufrag, | |
| 55 const std::string& new_pwd) { | |
| 56 // The standard (RFC 5245 Section 9.1.1.1) says that ICE restarts MUST change | |
| 57 // both the ufrag and password. However, section 9.2.1.1 says changing the | |
| 58 // ufrag OR password indicates an ICE restart. So, to keep compatibility with | |
| 59 // endpoints that only change one, we'll treat this as an ICE restart. | |
| 60 return (old_ufrag != new_ufrag) || (old_pwd != new_pwd); | |
| 61 } | |
| 62 | |
| 63 bool VerifyCandidate(const Candidate& cand, std::string* error) { | |
| 64 // No address zero. | |
| 65 if (cand.address().IsNil() || cand.address().IsAnyIP()) { | |
| 66 *error = "candidate has address of zero"; | |
| 67 return false; | |
| 68 } | |
| 69 | |
| 70 // Disallow all ports below 1024, except for 80 and 443 on public addresses. | |
| 71 int port = cand.address().port(); | |
| 72 if (cand.protocol() == TCP_PROTOCOL_NAME && | |
| 73 (cand.tcptype() == TCPTYPE_ACTIVE_STR || port == 0)) { | |
| 74 // Expected for active-only candidates per | |
| 75 // http://tools.ietf.org/html/rfc6544#section-4.5 so no error. | |
| 76 // Libjingle clients emit port 0, in "active" mode. | |
| 77 return true; | |
| 78 } | |
| 79 if (port < 1024) { | |
| 80 if ((port != 80) && (port != 443)) { | |
| 81 *error = "candidate has port below 1024, but not 80 or 443"; | |
| 82 return false; | |
| 83 } | |
| 84 | |
| 85 if (cand.address().IsPrivateIP()) { | |
| 86 *error = "candidate has port of 80 or 443 with private IP address"; | |
| 87 return false; | |
| 88 } | |
| 89 } | |
| 90 | |
| 91 return true; | |
| 92 } | |
| 93 | |
| 94 bool VerifyCandidates(const Candidates& candidates, std::string* error) { | |
| 95 for (const Candidate& candidate : candidates) { | |
| 96 if (!VerifyCandidate(candidate, error)) { | |
| 97 return false; | |
| 98 } | |
| 99 } | |
| 100 return true; | |
| 101 } | |
| 102 | |
| 103 JsepTransport::JsepTransport( | |
| 104 const std::string& mid, | |
| 105 const rtc::scoped_refptr<rtc::RTCCertificate>& certificate) | |
| 106 : mid_(mid), certificate_(certificate) {} | |
| 107 | |
| 108 bool JsepTransport::AddChannel(TransportChannelImpl* dtls, int component) { | |
| 109 if (channels_.find(component) != channels_.end()) { | |
| 110 LOG(LS_ERROR) << "Adding channel for component " << component << " twice."; | |
| 111 return false; | |
| 112 } | |
| 113 channels_[component] = dtls; | |
| 114 // Something's wrong if a channel is being added after a description is set. | |
| 115 // This may currently occur if rtcp-mux is negotiated, then a new m= section | |
| 116 // is added in a later offer/answer. But this is suboptimal and should be | |
| 117 // changed; we shouldn't support going from muxed to non-muxed. | |
| 118 // TODO(deadbeef): Once this is fixed, make the warning an error, and remove | |
| 119 // the calls to "ApplyXTransportDescription" below. | |
| 120 if (local_description_set_ || remote_description_set_) { | |
| 121 LOG(LS_WARNING) << "Adding new transport channel after " | |
| 122 "transport description already applied."; | |
| 123 } | |
| 124 bool ret = true; | |
| 125 std::string err; | |
| 126 if (local_description_set_) { | |
| 127 ret &= ApplyLocalTransportDescription(channels_[component], &err); | |
| 128 } | |
| 129 if (remote_description_set_) { | |
| 130 ret &= ApplyRemoteTransportDescription(channels_[component], &err); | |
| 131 } | |
| 132 if (local_description_set_ && remote_description_set_) { | |
| 133 ret &= ApplyNegotiatedTransportDescription(channels_[component], &err); | |
| 134 } | |
| 135 return ret; | |
| 136 } | |
| 137 | |
| 138 bool JsepTransport::RemoveChannel(int component) { | |
| 139 auto it = channels_.find(component); | |
| 140 if (it == channels_.end()) { | |
| 141 LOG(LS_ERROR) << "Trying to remove channel for component " << component | |
| 142 << ", which doesn't exist."; | |
| 143 return false; | |
| 144 } | |
| 145 channels_.erase(component); | |
| 146 return true; | |
| 147 } | |
| 148 | |
| 149 bool JsepTransport::HasChannels() const { | |
| 150 return !channels_.empty(); | |
| 151 } | |
| 152 | |
| 153 void JsepTransport::SetLocalCertificate( | |
| 154 const rtc::scoped_refptr<rtc::RTCCertificate>& certificate) { | |
| 155 certificate_ = certificate; | |
| 156 } | |
| 157 | |
| 158 bool JsepTransport::GetLocalCertificate( | |
| 159 rtc::scoped_refptr<rtc::RTCCertificate>* certificate) const { | |
| 160 if (!certificate_) { | |
| 161 return false; | |
| 162 } | |
| 163 | |
| 164 *certificate = certificate_; | |
| 165 return true; | |
| 166 } | |
| 167 | |
| 168 bool JsepTransport::SetLocalTransportDescription( | |
| 169 const TransportDescription& description, | |
| 170 ContentAction action, | |
| 171 std::string* error_desc) { | |
| 172 bool ret = true; | |
| 173 | |
| 174 if (!VerifyIceParams(description)) { | |
| 175 return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", | |
| 176 error_desc); | |
| 177 } | |
| 178 | |
| 179 local_description_.reset(new TransportDescription(description)); | |
| 180 | |
| 181 rtc::SSLFingerprint* local_fp = | |
| 182 local_description_->identity_fingerprint.get(); | |
| 183 | |
| 184 if (!local_fp) { | |
| 185 certificate_ = nullptr; | |
| 186 } else if (!VerifyCertificateFingerprint(certificate_.get(), local_fp, | |
| 187 error_desc)) { | |
| 188 return false; | |
| 189 } | |
| 190 | |
| 191 for (const auto& kv : channels_) { | |
| 192 ret &= ApplyLocalTransportDescription(kv.second, error_desc); | |
| 193 } | |
| 194 if (!ret) { | |
| 195 return false; | |
| 196 } | |
| 197 | |
| 198 // If PRANSWER/ANSWER is set, we should decide transport protocol type. | |
| 199 if (action == CA_PRANSWER || action == CA_ANSWER) { | |
| 200 ret &= NegotiateTransportDescription(action, error_desc); | |
| 201 } | |
| 202 if (ret) { | |
| 203 local_description_set_ = true; | |
| 204 } | |
| 205 | |
| 206 return ret; | |
| 207 } | |
| 208 | |
| 209 bool JsepTransport::SetRemoteTransportDescription( | |
| 210 const TransportDescription& description, | |
| 211 ContentAction action, | |
| 212 std::string* error_desc) { | |
| 213 bool ret = true; | |
| 214 | |
| 215 if (!VerifyIceParams(description)) { | |
| 216 return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", | |
| 217 error_desc); | |
| 218 } | |
| 219 | |
| 220 remote_description_.reset(new TransportDescription(description)); | |
| 221 for (const auto& kv : channels_) { | |
| 222 ret &= ApplyRemoteTransportDescription(kv.second, error_desc); | |
| 223 } | |
| 224 | |
| 225 // If PRANSWER/ANSWER is set, we should decide transport protocol type. | |
| 226 if (action == CA_PRANSWER || action == CA_ANSWER) { | |
| 227 ret = NegotiateTransportDescription(CA_OFFER, error_desc); | |
| 228 } | |
| 229 if (ret) { | |
| 230 remote_description_set_ = true; | |
| 231 } | |
| 232 | |
| 233 return ret; | |
| 234 } | |
| 235 | |
| 236 void JsepTransport::GetSslRole(rtc::SSLRole* ssl_role) const { | |
| 237 RTC_DCHECK(ssl_role); | |
| 238 *ssl_role = secure_role_; | |
| 239 } | |
| 240 | |
| 241 bool JsepTransport::GetStats(TransportStats* stats) { | |
| 242 stats->transport_name = mid(); | |
| 243 stats->channel_stats.clear(); | |
| 244 for (auto& kv : channels_) { | |
| 245 TransportChannelImpl* channel = kv.second; | |
| 246 TransportChannelStats substats; | |
| 247 substats.component = kv.first; | |
| 248 channel->GetSrtpCryptoSuite(&substats.srtp_crypto_suite); | |
| 249 channel->GetSslCipherSuite(&substats.ssl_cipher_suite); | |
| 250 if (!channel->GetStats(&substats.connection_infos)) { | |
| 251 return false; | |
| 252 } | |
| 253 stats->channel_stats.push_back(substats); | |
| 254 } | |
| 255 return true; | |
| 256 } | |
| 257 | |
| 258 bool JsepTransport::VerifyCertificateFingerprint( | |
| 259 const rtc::RTCCertificate* certificate, | |
| 260 const rtc::SSLFingerprint* fingerprint, | |
| 261 std::string* error_desc) const { | |
| 262 if (!fingerprint) { | |
| 263 return BadTransportDescription("No fingerprint.", error_desc); | |
| 264 } | |
| 265 if (!certificate) { | |
| 266 return BadTransportDescription( | |
| 267 "Fingerprint provided but no identity available.", error_desc); | |
| 268 } | |
| 269 std::unique_ptr<rtc::SSLFingerprint> fp_tmp(rtc::SSLFingerprint::Create( | |
| 270 fingerprint->algorithm, certificate->identity())); | |
| 271 ASSERT(fp_tmp.get() != NULL); | |
| 272 if (*fp_tmp == *fingerprint) { | |
| 273 return true; | |
| 274 } | |
| 275 std::ostringstream desc; | |
| 276 desc << "Local fingerprint does not match identity. Expected: "; | |
| 277 desc << fp_tmp->ToString(); | |
| 278 desc << " Got: " << fingerprint->ToString(); | |
| 279 return BadTransportDescription(desc.str(), error_desc); | |
| 280 } | |
| 281 | |
| 282 bool JsepTransport::ApplyLocalTransportDescription( | |
| 283 TransportChannelImpl* channel, | |
| 284 std::string* error_desc) { | |
| 285 channel->SetIceParameters(local_description_->GetIceParameters()); | |
| 286 return true; | |
| 287 } | |
| 288 | |
| 289 bool JsepTransport::ApplyRemoteTransportDescription( | |
| 290 TransportChannelImpl* channel, | |
| 291 std::string* error_desc) { | |
| 292 // Currently, all ICE-related calls still go through this DTLS channel. But | |
| 293 // that will change once we get rid of TransportChannelImpl, and the DTLS | |
| 294 // channel interface no longer includes ICE-specific methods. Then this class | |
| 295 // will need to call dtls->ice()->SetIceRole(), for example, assuming the Dtls | |
| 296 // interface will expose its inner ICE channel. | |
| 297 channel->SetRemoteIceParameters(remote_description_->GetIceParameters()); | |
| 298 channel->SetRemoteIceMode(remote_description_->ice_mode); | |
| 299 return true; | |
| 300 } | |
| 301 | |
| 302 bool JsepTransport::ApplyNegotiatedTransportDescription( | |
| 303 TransportChannelImpl* channel, | |
| 304 std::string* error_desc) { | |
| 305 // Set SSL role. Role must be set before fingerprint is applied, which | |
| 306 // initiates DTLS setup. | |
| 307 if (!channel->SetSslRole(secure_role_)) { | |
| 308 return BadTransportDescription("Failed to set SSL role for the channel.", | |
| 309 error_desc); | |
| 310 } | |
| 311 // Apply remote fingerprint. | |
| 312 if (!channel->SetRemoteFingerprint( | |
| 313 remote_fingerprint_->algorithm, | |
| 314 reinterpret_cast<const uint8_t*>(remote_fingerprint_->digest.data()), | |
| 315 remote_fingerprint_->digest.size())) { | |
| 316 return BadTransportDescription("Failed to apply remote fingerprint.", | |
| 317 error_desc); | |
| 318 } | |
| 319 return true; | |
| 320 } | |
| 321 | |
| 322 bool JsepTransport::NegotiateTransportDescription(ContentAction local_role, | |
| 323 std::string* error_desc) { | |
| 324 if (!local_description_ || !remote_description_) { | |
| 325 const std::string msg = | |
| 326 "Applying an answer transport description " | |
| 327 "without applying any offer."; | |
| 328 return BadTransportDescription(msg, error_desc); | |
| 329 } | |
| 330 rtc::SSLFingerprint* local_fp = | |
| 331 local_description_->identity_fingerprint.get(); | |
| 332 rtc::SSLFingerprint* remote_fp = | |
| 333 remote_description_->identity_fingerprint.get(); | |
| 334 if (remote_fp && local_fp) { | |
| 335 remote_fingerprint_.reset(new rtc::SSLFingerprint(*remote_fp)); | |
| 336 if (!NegotiateRole(local_role, &secure_role_, error_desc)) { | |
| 337 return false; | |
| 338 } | |
| 339 } else if (local_fp && (local_role == CA_ANSWER)) { | |
| 340 return BadTransportDescription( | |
| 341 "Local fingerprint supplied when caller didn't offer DTLS.", | |
| 342 error_desc); | |
| 343 } else { | |
| 344 // We are not doing DTLS | |
| 345 remote_fingerprint_.reset(new rtc::SSLFingerprint("", nullptr, 0)); | |
| 346 } | |
| 347 // Now that we have negotiated everything, push it downward. | |
| 348 // Note that we cache the result so that if we have race conditions | |
| 349 // between future SetRemote/SetLocal invocations and new channel | |
| 350 // creation, we have the negotiation state saved until a new | |
| 351 // negotiation happens. | |
| 352 for (const auto& kv : channels_) { | |
| 353 if (!ApplyNegotiatedTransportDescription(kv.second, error_desc)) { | |
| 354 return false; | |
| 355 } | |
| 356 } | |
| 357 return true; | |
| 358 } | |
| 359 | |
| 360 bool JsepTransport::NegotiateRole(ContentAction local_role, | |
| 361 rtc::SSLRole* ssl_role, | |
| 362 std::string* error_desc) const { | |
| 363 RTC_DCHECK(ssl_role); | |
| 364 if (!local_description_ || !remote_description_) { | |
| 365 const std::string msg = | |
| 366 "Local and Remote description must be set before " | |
| 367 "transport descriptions are negotiated"; | |
| 368 return BadTransportDescription(msg, error_desc); | |
| 369 } | |
| 370 | |
| 371 // From RFC 4145, section-4.1, The following are the values that the | |
| 372 // 'setup' attribute can take in an offer/answer exchange: | |
| 373 // Offer Answer | |
| 374 // ________________ | |
| 375 // active passive / holdconn | |
| 376 // passive active / holdconn | |
| 377 // actpass active / passive / holdconn | |
| 378 // holdconn holdconn | |
| 379 // | |
| 380 // Set the role that is most conformant with RFC 5763, Section 5, bullet 1 | |
| 381 // The endpoint MUST use the setup attribute defined in [RFC4145]. | |
| 382 // The endpoint that is the offerer MUST use the setup attribute | |
| 383 // value of setup:actpass and be prepared to receive a client_hello | |
| 384 // before it receives the answer. The answerer MUST use either a | |
| 385 // setup attribute value of setup:active or setup:passive. Note that | |
| 386 // if the answerer uses setup:passive, then the DTLS handshake will | |
| 387 // not begin until the answerer is received, which adds additional | |
| 388 // latency. setup:active allows the answer and the DTLS handshake to | |
| 389 // occur in parallel. Thus, setup:active is RECOMMENDED. Whichever | |
| 390 // party is active MUST initiate a DTLS handshake by sending a | |
| 391 // ClientHello over each flow (host/port quartet). | |
| 392 // IOW - actpass and passive modes should be treated as server and | |
| 393 // active as client. | |
| 394 ConnectionRole local_connection_role = local_description_->connection_role; | |
| 395 ConnectionRole remote_connection_role = remote_description_->connection_role; | |
| 396 | |
| 397 bool is_remote_server = false; | |
| 398 if (local_role == CA_OFFER) { | |
| 399 if (local_connection_role != CONNECTIONROLE_ACTPASS) { | |
| 400 return BadTransportDescription( | |
| 401 "Offerer must use actpass value for setup attribute.", error_desc); | |
| 402 } | |
| 403 | |
| 404 if (remote_connection_role == CONNECTIONROLE_ACTIVE || | |
| 405 remote_connection_role == CONNECTIONROLE_PASSIVE || | |
| 406 remote_connection_role == CONNECTIONROLE_NONE) { | |
| 407 is_remote_server = (remote_connection_role == CONNECTIONROLE_PASSIVE); | |
| 408 } else { | |
| 409 const std::string msg = | |
| 410 "Answerer must use either active or passive value " | |
| 411 "for setup attribute."; | |
| 412 return BadTransportDescription(msg, error_desc); | |
| 413 } | |
| 414 // If remote is NONE or ACTIVE it will act as client. | |
| 415 } else { | |
| 416 if (remote_connection_role != CONNECTIONROLE_ACTPASS && | |
| 417 remote_connection_role != CONNECTIONROLE_NONE) { | |
| 418 return BadTransportDescription( | |
| 419 "Offerer must use actpass value for setup attribute.", error_desc); | |
| 420 } | |
| 421 | |
| 422 if (local_connection_role == CONNECTIONROLE_ACTIVE || | |
| 423 local_connection_role == CONNECTIONROLE_PASSIVE) { | |
| 424 is_remote_server = (local_connection_role == CONNECTIONROLE_ACTIVE); | |
| 425 } else { | |
| 426 const std::string msg = | |
| 427 "Answerer must use either active or passive value " | |
| 428 "for setup attribute."; | |
| 429 return BadTransportDescription(msg, error_desc); | |
| 430 } | |
| 431 | |
| 432 // If local is passive, local will act as server. | |
| 433 } | |
| 434 | |
| 435 *ssl_role = is_remote_server ? rtc::SSL_CLIENT : rtc::SSL_SERVER; | |
| 436 return true; | |
| 437 } | |
| 438 | |
| 439 } // namespace cricket | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2553043004:
Revert of Refactoring that removes P2PTransport and DtlsTransport classes. (Closed)
