Improve testing of SRTP external auth code paths.

webrtc/pc/srtpfilter.cc

 /*
  *  Copyright 2009 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 33 matching lines @@
 
 // NOTE: This is called from ChannelManager D'tor.
 void ShutdownSrtp() {
 #ifdef HAVE_SRTP
   // If srtp_dealloc is not executed then this will clear all existing sessions.
   // This should be called when application is shutting down.
   SrtpSession::Terminate();
 #endif
 }
 
-SrtpFilter::SrtpFilter()
-    : state_(ST_INIT),
-      signal_silent_time_in_ms_(0) {
+SrtpFilter::SrtpFilter() {
+#if defined(ENABLE_EXTERNAL_AUTH)
+  external_auth_allowed_ = true;
+#endif

[Taylor Brandstetter, 2017/03/03 02:20:34]

Another option, which I slightly prefer, would be to have two methods called
"EnableExternalAuth" and "ExternalAuthEnabled", and put the #ifdef in
webrtcsession.cc where it constructs the SrtpFilter.

#ifdef ENABLE_EXTERNAL_AUTH
srtp_filter_.EnableExternalAuth();
#endif

That way no "for testing" method would be needed, and the SrtpFilter unit tests
would succeed even when ENABLE_EXTERNAL_AUTH is defined.

[joachim, 2017/03/03 20:42:57]

Done (gets enabled in channel.cc). I used "IsExternalAuthEnabled" to match other
methods that check for something.
Yes, that's better - the define is only used in channel.cc now.

[Taylor Brandstetter, 2017/03/03 23:03:57]

Yep, channel.cc is what I meant, sorry for the mixup.

 }
 
 SrtpFilter::~SrtpFilter() {
 }
 
 bool SrtpFilter::IsActive() const {
   return state_ >= ST_ACTIVE;
 }
 
 bool SrtpFilter::SetOffer(const std::vector<CryptoParams>& offer_params,
@@ skipping 152 matching lines @@
   if (!IsActive()) {
     LOG(LS_WARNING) << "Failed to GetSrtpOverhead: SRTP not active";
     return false;
   }
 
   RTC_CHECK(send_session_);
   *srtp_overhead = send_session_->GetSrtpOverhead();
   return true;
 }
 
-#if defined(ENABLE_EXTERNAL_AUTH)
+void SrtpFilter::AllowExternalAuthForTest(bool allow) {
+  external_auth_allowed_ = allow;
+  if (IsActive()) {
+    RTC_CHECK(send_session_);
+    send_session_->AllowExternalAuthForTest(allow);
+  }
+}
+
+bool SrtpFilter::IsExternalAuthAllowed() const {
+  return external_auth_allowed_;
+}
+
 bool SrtpFilter::IsExternalAuthActive() const {
   if (!IsActive()) {
     LOG(LS_WARNING) << "Failed to check IsExternalAuthActive: SRTP not active";
     return false;
   }
 
   RTC_CHECK(send_session_);
   return send_session_->IsExternalAuthActive();
 }
-#endif
 
 void SrtpFilter::set_signal_silent_time(int signal_silent_time_in_ms) {
   signal_silent_time_in_ms_ = signal_silent_time_in_ms;
   if (IsActive()) {
     RTC_CHECK(send_session_);
     send_session_->set_signal_silent_time(signal_silent_time_in_ms);
     RTC_CHECK(recv_session_);
     recv_session_->set_signal_silent_time(signal_silent_time_in_ms);
     if (send_rtcp_session_)
       send_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms);
@@ skipping 81 matching lines @@
   send_session_.reset(new SrtpSession());
   applied_send_params_ = CryptoParams();
   recv_session_.reset(new SrtpSession());
   applied_recv_params_ = CryptoParams();
 
   SignalSrtpError.repeat(send_session_->SignalSrtpError);
   SignalSrtpError.repeat(recv_session_->SignalSrtpError);
 
   send_session_->set_signal_silent_time(signal_silent_time_in_ms_);
   recv_session_->set_signal_silent_time(signal_silent_time_in_ms_);
+  send_session_->AllowExternalAuthForTest(external_auth_allowed_);
 }
 
 bool SrtpFilter::NegotiateParams(const std::vector<CryptoParams>& answer_params,
                                  CryptoParams* selected_params) {
   // We're processing an accept. We should have exactly one set of params,
   // unless the offer didn't mention crypto, in which case we shouldn't be here.
   bool ret = (answer_params.size() == 1U && !offer_params_.empty());
   if (ret) {
     // We should find a match between the answer params and the offered params.
     std::vector<CryptoParams>::const_iterator it;
@@ skipping 118 matching lines @@
 // SrtpSession
 
 #ifdef HAVE_SRTP
 
 bool SrtpSession::inited_ = false;
 
 // This lock protects SrtpSession::inited_.
 rtc::GlobalLockPod SrtpSession::lock_;
 
 SrtpSession::SrtpSession() : srtp_stat_(new SrtpStat()) {
+#if defined(ENABLE_EXTERNAL_AUTH)
+  external_auth_allowed_ = true;
+#endif
   SignalSrtpError.repeat(srtp_stat_->SignalSrtpError);
 }
 
 SrtpSession::~SrtpSession() {
   if (session_) {
     srtp_set_user_data(session_, nullptr);
     srtp_dealloc(session_);
   }
 }
 
@@ skipping 103 matching lines @@
   int err = srtp_unprotect_rtcp(session_, p, out_len);
   srtp_stat_->AddUnprotectRtcpResult(err);
   if (err != srtp_err_status_ok) {
     LOG(LS_WARNING) << "Failed to unprotect SRTCP packet, err=" << err;
     return false;
   }
   return true;
 }
 
 bool SrtpSession::GetRtpAuthParams(uint8_t** key, int* key_len, int* tag_len) {
-#if defined(ENABLE_EXTERNAL_AUTH)
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
   RTC_DCHECK(IsExternalAuthActive());
   if (!IsExternalAuthActive()) {
     return false;
   }
 
   ExternalHmacContext* external_hmac = nullptr;
   // stream_template will be the reference context for other streams.
   // Let's use it for getting the keys.
   srtp_stream_ctx_t* srtp_context = session_->stream_template;
   if (srtp_context && srtp_context->rtp_auth) {
     external_hmac = reinterpret_cast<ExternalHmacContext*>(
         srtp_context->rtp_auth->state);
   }
 
   if (!external_hmac) {
     LOG(LS_ERROR) << "Failed to get auth keys from libsrtp!.";
     return false;
   }
 
   *key = external_hmac->key;
   *key_len = external_hmac->key_length;
   *tag_len = rtp_auth_tag_len_;
   return true;
-#else
-  return false;
-#endif
 }
 
 int SrtpSession::GetSrtpOverhead() const {
   return rtp_auth_tag_len_;
 }
 
-#if defined(ENABLE_EXTERNAL_AUTH)
+void SrtpSession::AllowExternalAuthForTest(bool allow) {
+  external_auth_allowed_ = allow;
+}
+
+bool SrtpSession::IsExternalAuthAllowed() const {
+  return external_auth_allowed_;
+}
+
 bool SrtpSession::IsExternalAuthActive() const {
   return external_auth_active_;
 }
-#endif
 
 bool SrtpSession::GetSendStreamPacketIndex(void* p,
                                            int in_len,
                                            int64_t* index) {
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
   srtp_hdr_t* hdr = reinterpret_cast<srtp_hdr_t*>(p);
   srtp_stream_ctx_t* stream = srtp_get_stream(session_, hdr->ssrc);
   if (!stream) {
     return false;
   }
@@ skipping 61 matching lines @@
   policy.ssrc.type = static_cast<srtp_ssrc_type_t>(type);
   policy.ssrc.value = 0;
   policy.key = const_cast<uint8_t*>(key);
   // TODO(astor) parse window size from WSH session-param
   policy.window_size = 1024;
   policy.allow_repeat_tx = 1;
   // If external authentication option is enabled, supply custom auth module
   // id EXTERNAL_HMAC_SHA1 in the policy structure.
   // We want to set this option only for rtp packets.
   // By default policy structure is initialized to HMAC_SHA1.
-#if defined(ENABLE_EXTERNAL_AUTH)
   // Enable external HMAC authentication only for outgoing streams and only
   // for cipher suites that support it (i.e. only non-GCM cipher suites).
-  if (type == ssrc_any_outbound && !rtc::IsGcmCryptoSuite(cs)) {
+  if (type == ssrc_any_outbound && IsExternalAuthAllowed() &&
+      !rtc::IsGcmCryptoSuite(cs)) {
     policy.rtp.auth_type = EXTERNAL_HMAC_SHA1;
   }
-#endif
   policy.next = nullptr;
 
   int err = srtp_create(&session_, &policy);
   if (err != srtp_err_status_ok) {
     session_ = nullptr;
     LOG(LS_ERROR) << "Failed to create SRTP session, err=" << err;
     return false;
   }
 
   srtp_set_user_data(session_, this);
   rtp_auth_tag_len_ = policy.rtp.auth_tag_len;
   rtcp_auth_tag_len_ = policy.rtcp.auth_tag_len;
-#if defined(ENABLE_EXTERNAL_AUTH)
   external_auth_active_ = (policy.rtp.auth_type == EXTERNAL_HMAC_SHA1);
-#endif
   return true;
 }
 
 bool SrtpSession::Init() {
   rtc::GlobalLockScope ls(&lock_);
 
   if (!inited_) {
     int err;
     err = srtp_init();
     if (err != srtp_err_status_ok) {
       LOG(LS_ERROR) << "Failed to init SRTP, err=" << err;
       return false;
     }
 
     err = srtp_install_event_handler(&SrtpSession::HandleEventThunk);
     if (err != srtp_err_status_ok) {
       LOG(LS_ERROR) << "Failed to install SRTP event handler, err=" << err;
       return false;
     }
-#if defined(ENABLE_EXTERNAL_AUTH)
+
     err = external_crypto_init();
     if (err != srtp_err_status_ok) {
       LOG(LS_ERROR) << "Failed to initialize fake auth, err=" << err;
       return false;
     }
-#endif
     inited_ = true;
   }
 
   return true;
 }
 
 void SrtpSession::Terminate() {
   rtc::GlobalLockScope ls(&lock_);
 
   if (inited_) {
@@ skipping 177 matching lines @@
   SrtpNotAvailable(__FUNCTION__);
 }
 
 void SrtpStat::HandleSrtpResult(const SrtpStat::FailureKey& key) {
   SrtpNotAvailable(__FUNCTION__);
 }
 
 #endif  // HAVE_SRTP
 
 }  // namespace cricket