Support GCM ciphers even if ENABLE_EXTERNAL_AUTH is defined.

webrtc/pc/srtpfilter.cc

 /*
  *  Copyright 2009 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 186 matching lines @@
     return false;
   }
   if (recv_rtcp_session_) {
     return recv_rtcp_session_->UnprotectRtcp(p, in_len, out_len);
   } else {
     RTC_CHECK(recv_session_);
     return recv_session_->UnprotectRtcp(p, in_len, out_len);
   }
 }
 
+bool SrtpFilter::AllowExternalAuth() {
+  if (!IsActive()) {
+    LOG(LS_WARNING) << "Failed to AllowExternalAuth: SRTP not active";
+    return false;

[Taylor Brandstetter, 2017/02/28 22:53:40]

Could DCHECK here.

[joachim, 2017/03/01 00:43:46]

I didn't DCHECK to stay consistent with the existing methods that only log a
warning.

[Taylor Brandstetter, 2017/03/01 01:45:32]

Acknowledged.

+  }
+
+  RTC_CHECK(send_session_);
+  return send_session_->AllowExternalAuth();
+}
+
+void SrtpFilter::DisableAllowExternalAuthForTests(
+    bool disable_allow_external_auth) {
+  force_disable_allow_external_auth_ = disable_allow_external_auth;
+  if (!IsActive()) {
+    return;
+  }
+
+  RTC_CHECK(send_session_);
+  send_session_->DisableAllowExternalAuthForTests(disable_allow_external_auth);
+}
+
 bool SrtpFilter::GetRtpAuthParams(uint8_t** key, int* key_len, int* tag_len) {
   if (!IsActive()) {
     LOG(LS_WARNING) << "Failed to GetRtpAuthParams: SRTP not active";
     return false;
   }
 
   RTC_CHECK(send_session_);
   return send_session_->GetRtpAuthParams(key, key_len, tag_len);
 }
 
@@ skipping 101 matching lines @@
   send_session_.reset(new SrtpSession());
   applied_send_params_ = CryptoParams();
   recv_session_.reset(new SrtpSession());
   applied_recv_params_ = CryptoParams();
 
   SignalSrtpError.repeat(send_session_->SignalSrtpError);
   SignalSrtpError.repeat(recv_session_->SignalSrtpError);
 
   send_session_->set_signal_silent_time(signal_silent_time_in_ms_);
   recv_session_->set_signal_silent_time(signal_silent_time_in_ms_);
+
+  send_session_->DisableAllowExternalAuthForTests(
+      force_disable_allow_external_auth_);
 }
 
 bool SrtpFilter::NegotiateParams(const std::vector<CryptoParams>& answer_params,
                                  CryptoParams* selected_params) {
   // We're processing an accept. We should have exactly one set of params,
   // unless the offer didn't mention crypto, in which case we shouldn't be here.
   bool ret = (answer_params.size() == 1U && !offer_params_.empty());
   if (ret) {
     // We should find a match between the answer params and the offered params.
     std::vector<CryptoParams>::const_iterator it;
@@ skipping 117 matching lines @@
 ///////////////////////////////////////////////////////////////////////////////
 // SrtpSession
 
 #ifdef HAVE_SRTP
 
 bool SrtpSession::inited_ = false;
 
 // This lock protects SrtpSession::inited_.
 rtc::GlobalLockPod SrtpSession::lock_;
 
-SrtpSession::SrtpSession()
-    : session_(nullptr),
-      rtp_auth_tag_len_(0),
-      rtcp_auth_tag_len_(0),
-      srtp_stat_(new SrtpStat()),
-      last_send_seq_num_(-1) {
+SrtpSession::SrtpSession() : srtp_stat_(new SrtpStat()) {
   SignalSrtpError.repeat(srtp_stat_->SignalSrtpError);
 }
 
 SrtpSession::~SrtpSession() {
   if (session_) {
     srtp_set_user_data(session_, nullptr);
     srtp_dealloc(session_);
   }
 }
 
@@ skipping 102 matching lines @@
   *out_len = in_len;
   int err = srtp_unprotect_rtcp(session_, p, out_len);
   srtp_stat_->AddUnprotectRtcpResult(err);
   if (err != srtp_err_status_ok) {
     LOG(LS_WARNING) << "Failed to unprotect SRTCP packet, err=" << err;
     return false;
   }
   return true;
 }
 
+bool SrtpSession::AllowExternalAuth() {

[Taylor Brandstetter, 2017/02/28 22:53:40]

"AllowExternalAuth" implies some action, but this just returns a flag. Maybe
rename to "ExternalAuthAllowed"?

[joachim, 2017/03/01 00:43:46]

Renamed to "IsExternalAuthActive".

+  RTC_DCHECK(thread_checker_.CalledOnValidThread());
+  return allow_external_auth_ && !force_disable_allow_external_auth_;
+}
+
+void SrtpSession::DisableAllowExternalAuthForTests(
+    bool disable_allow_external_auth) {
+  RTC_DCHECK(thread_checker_.CalledOnValidThread());
+  force_disable_allow_external_auth_ = disable_allow_external_auth;
+}
+
 bool SrtpSession::GetRtpAuthParams(uint8_t** key, int* key_len, int* tag_len) {
-#if defined(ENABLE_EXTERNAL_AUTH)
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
+  if (!AllowExternalAuth()) {

[Taylor Brandstetter, 2017/02/28 22:53:40]

DCHECK?

[joachim, 2017/03/01 00:43:46]

Done.

+    return false;
+  }
+
   ExternalHmacContext* external_hmac = nullptr;
   // stream_template will be the reference context for other streams.
   // Let's use it for getting the keys.
   srtp_stream_ctx_t* srtp_context = session_->stream_template;
   if (srtp_context && srtp_context->rtp_auth) {
     external_hmac = reinterpret_cast<ExternalHmacContext*>(
         srtp_context->rtp_auth->state);
   }
 
   if (!external_hmac) {
     LOG(LS_ERROR) << "Failed to get auth keys from libsrtp!.";
     return false;
   }
 
   *key = external_hmac->key;
   *key_len = external_hmac->key_length;
   *tag_len = rtp_auth_tag_len_;
   return true;
-#else
-  return false;
-#endif
 }
 
 int SrtpSession::GetSrtpOverhead() const {
   return rtp_auth_tag_len_;
 }
 
 bool SrtpSession::GetSendStreamPacketIndex(void* p,
                                            int in_len,
                                            int64_t* index) {
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
@@ skipping 24 matching lines @@
 
   if (!Init()) {
     return false;
   }
 
   srtp_policy_t policy;
   memset(&policy, 0, sizeof(policy));
   if (cs == rtc::SRTP_AES128_CM_SHA1_80) {
     srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp);
     srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
+    allow_external_auth_ = true;
   } else if (cs == rtc::SRTP_AES128_CM_SHA1_32) {
     // RTP HMAC is shortened to 32 bits, but RTCP remains 80 bits.
     srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtp);
     srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
-#if !defined(ENABLE_EXTERNAL_AUTH)
-    // TODO(jbauch): Re-enable once https://crbug.com/628400 is resolved.
+    allow_external_auth_ = true;
   } else if (cs == rtc::SRTP_AEAD_AES_128_GCM) {
     srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtp);
     srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtcp);
+    allow_external_auth_ = false;
   } else if (cs == rtc::SRTP_AEAD_AES_256_GCM) {
     srtp_crypto_policy_set_aes_gcm_256_16_auth(&policy.rtp);
     srtp_crypto_policy_set_aes_gcm_256_16_auth(&policy.rtcp);
-#endif  // ENABLE_EXTERNAL_AUTH
+    allow_external_auth_ = false;
   } else {
     LOG(LS_WARNING) << "Failed to create SRTP session: unsupported"
                     << " cipher_suite " << cs;
     return false;
   }
 
   int expected_key_len;
   int expected_salt_len;
   if (!rtc::GetSrtpKeyAndSaltLengths(cs, &expected_key_len,
       &expected_salt_len)) {
@@ skipping 12 matching lines @@
   policy.ssrc.type = static_cast<srtp_ssrc_type_t>(type);
   policy.ssrc.value = 0;
   policy.key = const_cast<uint8_t*>(key);
   // TODO(astor) parse window size from WSH session-param
   policy.window_size = 1024;
   policy.allow_repeat_tx = 1;
   // If external authentication option is enabled, supply custom auth module
   // id EXTERNAL_HMAC_SHA1 in the policy structure.
   // We want to set this option only for rtp packets.
   // By default policy structure is initialized to HMAC_SHA1.
-#if defined(ENABLE_EXTERNAL_AUTH)
   // Enable external HMAC authentication only for outgoing streams.
-  if (type == ssrc_any_outbound) {
+  if (AllowExternalAuth() && type == ssrc_any_outbound) {
     policy.rtp.auth_type = EXTERNAL_HMAC_SHA1;
   }
-#endif
   policy.next = nullptr;
 
   int err = srtp_create(&session_, &policy);
   if (err != srtp_err_status_ok) {
     session_ = nullptr;
     LOG(LS_ERROR) << "Failed to create SRTP session, err=" << err;
     return false;
   }
 
   srtp_set_user_data(session_, this);
@@ skipping 11 matching lines @@
     if (err != srtp_err_status_ok) {
       LOG(LS_ERROR) << "Failed to init SRTP, err=" << err;
       return false;
     }
 
     err = srtp_install_event_handler(&SrtpSession::HandleEventThunk);
     if (err != srtp_err_status_ok) {
       LOG(LS_ERROR) << "Failed to install SRTP event handler, err=" << err;
       return false;
     }
-#if defined(ENABLE_EXTERNAL_AUTH)
+
     err = external_crypto_init();
     if (err != srtp_err_status_ok) {
       LOG(LS_ERROR) << "Failed to initialize fake auth, err=" << err;
       return false;
     }
-#endif
+
     inited_ = true;
   }
 
   return true;
 }
 
 void SrtpSession::Terminate() {
   rtc::GlobalLockScope ls(&lock_);
 
   if (inited_) {
@@ skipping 177 matching lines @@
   SrtpNotAvailable(__FUNCTION__);
 }
 
 void SrtpStat::HandleSrtpResult(const SrtpStat::FailureKey& key) {
   SrtpNotAvailable(__FUNCTION__);
 }
 
 #endif  // HAVE_SRTP
 
 }  // namespace cricket