Support GCM ciphers even if ENABLE_EXTERNAL_AUTH is defined.

webrtc/pc/srtpfilter.cc

 /*
  *  Copyright 2009 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
 #include "webrtc/pc/srtpfilter.h"
 
 #include <string.h>
 
 #include <algorithm>
 
 #include "third_party/libsrtp/include/srtp.h"
 #include "third_party/libsrtp/include/srtp_priv.h"
 #include "webrtc/base/base64.h"
 #include "webrtc/base/buffer.h"
 #include "webrtc/base/byteorder.h"
 #include "webrtc/base/checks.h"
 #include "webrtc/base/logging.h"
+#include "webrtc/base/sslstreamadapter.h"
 #include "webrtc/base/stringencode.h"
 #include "webrtc/base/timeutils.h"
 #include "webrtc/media/base/rtputils.h"
 #include "webrtc/pc/externalhmac.h"
 
 namespace cricket {
 
 #ifndef HAVE_SRTP
 
 // This helper function is used on systems that don't (yet) have SRTP,
@@ skipping 184 matching lines @@
   if (!IsActive()) {
     LOG(LS_WARNING) << "Failed to GetSrtpOverhead: SRTP not active";
     return false;
   }
 
   RTC_CHECK(send_session_);
   *srtp_overhead = send_session_->GetSrtpOverhead();
   return true;
 }
 
+#if defined(ENABLE_EXTERNAL_AUTH)
+bool SrtpFilter::IsExternalAuthActive() const {
+  if (!IsActive()) {
+    LOG(LS_WARNING) << "Failed to check IsExternalAuthActive: SRTP not active";
+    return false;
+  }
+
+  RTC_CHECK(send_session_);
+  return send_session_->IsExternalAuthActive();
+}
+#endif
+
 void SrtpFilter::set_signal_silent_time(int signal_silent_time_in_ms) {
   signal_silent_time_in_ms_ = signal_silent_time_in_ms;
   if (IsActive()) {
     RTC_CHECK(send_session_);
     send_session_->set_signal_silent_time(signal_silent_time_in_ms);
     RTC_CHECK(recv_session_);
     recv_session_->set_signal_silent_time(signal_silent_time_in_ms);
     if (send_rtcp_session_)
       send_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms);
     if (recv_rtcp_session_)
@@ skipping 217 matching lines @@
 ///////////////////////////////////////////////////////////////////////////////
 // SrtpSession
 
 #ifdef HAVE_SRTP
 
 bool SrtpSession::inited_ = false;
 
 // This lock protects SrtpSession::inited_.
 rtc::GlobalLockPod SrtpSession::lock_;
 
-SrtpSession::SrtpSession()
-    : session_(nullptr),
-      rtp_auth_tag_len_(0),
-      rtcp_auth_tag_len_(0),
-      srtp_stat_(new SrtpStat()),
-      last_send_seq_num_(-1) {
+SrtpSession::SrtpSession() : srtp_stat_(new SrtpStat()) {
   SignalSrtpError.repeat(srtp_stat_->SignalSrtpError);
 }
 
 SrtpSession::~SrtpSession() {
   if (session_) {
     srtp_set_user_data(session_, nullptr);
     srtp_dealloc(session_);
   }
 }
 
@@ skipping 105 matching lines @@
   if (err != srtp_err_status_ok) {
     LOG(LS_WARNING) << "Failed to unprotect SRTCP packet, err=" << err;
     return false;
   }
   return true;
 }
 
 bool SrtpSession::GetRtpAuthParams(uint8_t** key, int* key_len, int* tag_len) {
 #if defined(ENABLE_EXTERNAL_AUTH)
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
+  RTC_DCHECK(IsExternalAuthActive());
+  if (!IsExternalAuthActive()) {
+    return false;
+  }
+
   ExternalHmacContext* external_hmac = nullptr;
   // stream_template will be the reference context for other streams.
   // Let's use it for getting the keys.
   srtp_stream_ctx_t* srtp_context = session_->stream_template;
   if (srtp_context && srtp_context->rtp_auth) {
     external_hmac = reinterpret_cast<ExternalHmacContext*>(
         srtp_context->rtp_auth->state);
   }
 
   if (!external_hmac) {
     LOG(LS_ERROR) << "Failed to get auth keys from libsrtp!.";
     return false;
   }
 
   *key = external_hmac->key;
   *key_len = external_hmac->key_length;
   *tag_len = rtp_auth_tag_len_;
   return true;
 #else
   return false;
 #endif
 }
 
 int SrtpSession::GetSrtpOverhead() const {
   return rtp_auth_tag_len_;
 }
 
+#if defined(ENABLE_EXTERNAL_AUTH)
+bool SrtpSession::IsExternalAuthActive() const {
+  return external_auth_active_;
+}
+#endif
+
 bool SrtpSession::GetSendStreamPacketIndex(void* p,
                                            int in_len,
                                            int64_t* index) {
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
   srtp_hdr_t* hdr = reinterpret_cast<srtp_hdr_t*>(p);
   srtp_stream_ctx_t* stream = srtp_get_stream(session_, hdr->ssrc);
   if (!stream) {
     return false;
   }
 
@@ skipping 22 matching lines @@
 
   srtp_policy_t policy;
   memset(&policy, 0, sizeof(policy));
   if (cs == rtc::SRTP_AES128_CM_SHA1_80) {
     srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp);
     srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
   } else if (cs == rtc::SRTP_AES128_CM_SHA1_32) {
     // RTP HMAC is shortened to 32 bits, but RTCP remains 80 bits.
     srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtp);
     srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
-#if !defined(ENABLE_EXTERNAL_AUTH)
-    // TODO(jbauch): Re-enable once https://crbug.com/628400 is resolved.
   } else if (cs == rtc::SRTP_AEAD_AES_128_GCM) {
     srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtp);
     srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtcp);
   } else if (cs == rtc::SRTP_AEAD_AES_256_GCM) {
     srtp_crypto_policy_set_aes_gcm_256_16_auth(&policy.rtp);
     srtp_crypto_policy_set_aes_gcm_256_16_auth(&policy.rtcp);
-#endif  // ENABLE_EXTERNAL_AUTH
   } else {
     LOG(LS_WARNING) << "Failed to create SRTP session: unsupported"
                     << " cipher_suite " << cs;
     return false;
   }
 
   int expected_key_len;
   int expected_salt_len;
   if (!rtc::GetSrtpKeyAndSaltLengths(cs, &expected_key_len,
       &expected_salt_len)) {
@@ skipping 13 matching lines @@
   policy.ssrc.value = 0;
   policy.key = const_cast<uint8_t*>(key);
   // TODO(astor) parse window size from WSH session-param
   policy.window_size = 1024;
   policy.allow_repeat_tx = 1;
   // If external authentication option is enabled, supply custom auth module
   // id EXTERNAL_HMAC_SHA1 in the policy structure.
   // We want to set this option only for rtp packets.
   // By default policy structure is initialized to HMAC_SHA1.
 #if defined(ENABLE_EXTERNAL_AUTH)
-  // Enable external HMAC authentication only for outgoing streams.
-  if (type == ssrc_any_outbound) {
+  // Enable external HMAC authentication only for outgoing streams and only
+  // for cipher suites that support it (i.e. only non-GCM cipher suites).
+  if (type == ssrc_any_outbound && !rtc::IsGcmCryptoSuite(cs)) {
     policy.rtp.auth_type = EXTERNAL_HMAC_SHA1;
   }
 #endif
   policy.next = nullptr;
 
   int err = srtp_create(&session_, &policy);
   if (err != srtp_err_status_ok) {
     session_ = nullptr;
     LOG(LS_ERROR) << "Failed to create SRTP session, err=" << err;
     return false;
   }
 
   srtp_set_user_data(session_, this);
   rtp_auth_tag_len_ = policy.rtp.auth_tag_len;
   rtcp_auth_tag_len_ = policy.rtcp.auth_tag_len;
+#if defined(ENABLE_EXTERNAL_AUTH)
+  external_auth_active_ = (policy.rtp.auth_type == EXTERNAL_HMAC_SHA1);
+#endif
   return true;
 }
 
 bool SrtpSession::Init() {
   rtc::GlobalLockScope ls(&lock_);
 
   if (!inited_) {
     int err;
     err = srtp_init();
     if (err != srtp_err_status_ok) {
@@ skipping 203 matching lines @@
   SrtpNotAvailable(__FUNCTION__);
 }
 
 void SrtpStat::HandleSrtpResult(const SrtpStat::FailureKey& key) {
   SrtpNotAvailable(__FUNCTION__);
 }
 
 #endif  // HAVE_SRTP
 
 }  // namespace cricket