Chromium Code Reviews Chromium Code Reviews
Issue 2761143002:
Support encrypted RTP extensions (RFC 6904) (Closed)
| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright 2009 The WebRTC project authors. All Rights Reserved. | 2 * Copyright 2009 The WebRTC project authors. All Rights Reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 62 | 62 |
| 63 bool SrtpFilter::SetProvisionalAnswer( | 63 bool SrtpFilter::SetProvisionalAnswer( |
| 64 const std::vector<CryptoParams>& answer_params, | 64 const std::vector<CryptoParams>& answer_params, |
| 65 ContentSource source) { | 65 ContentSource source) { |
| 66 return DoSetAnswer(answer_params, source, false); | 66 return DoSetAnswer(answer_params, source, false); |
| 67 } | 67 } |
| 68 | 68 |
| 69 bool SrtpFilter::SetRtpParams(int send_cs, | 69 bool SrtpFilter::SetRtpParams(int send_cs, |
| 70 const uint8_t* send_key, | 70 const uint8_t* send_key, |
| 71 int send_key_len, | 71 int send_key_len, |
| 72 const std::vector<int>& send_encrypted_headers, | |
| 72 int recv_cs, | 73 int recv_cs, |
| 73 const uint8_t* recv_key, | 74 const uint8_t* recv_key, |
| 74 int recv_key_len) { | 75 int recv_key_len, |
| 76 const std::vector<int>& recv_encrypted_headers) { | |
| 75 if (IsActive()) { | 77 if (IsActive()) { |
| 76 LOG(LS_ERROR) << "Tried to set SRTP Params when filter already active"; | 78 LOG(LS_ERROR) << "Tried to set SRTP Params when filter already active"; |
| 77 return false; | 79 return false; |
| 78 } | 80 } |
| 79 CreateSrtpSessions(); | 81 CreateSrtpSessions(); |
| 80 if (!send_session_->SetSend(send_cs, send_key, send_key_len)) | 82 if (!send_session_->SetSend(send_cs, send_key, send_key_len, |
| 83 send_encrypted_headers)) { | |
| 81 return false; | 84 return false; |
| 85 } | |
| 82 | 86 |
| 83 if (!recv_session_->SetRecv(recv_cs, recv_key, recv_key_len)) | 87 if (!recv_session_->SetRecv(recv_cs, recv_key, recv_key_len, |
| 88 recv_encrypted_headers)) { | |
| 84 return false; | 89 return false; |
| 90 } | |
| 85 | 91 |
| 86 state_ = ST_ACTIVE; | 92 state_ = ST_ACTIVE; |
| 87 | 93 |
| 88 LOG(LS_INFO) << "SRTP activated with negotiated parameters:" | 94 LOG(LS_INFO) << "SRTP activated with negotiated parameters:" |
| 89 << " send cipher_suite " << send_cs | 95 << " send cipher_suite " << send_cs |
| 90 << " recv cipher_suite " << recv_cs; | 96 << " recv cipher_suite " << recv_cs; |
| 91 return true; | 97 return true; |
| 92 } | 98 } |
| 93 | 99 |
| 94 // This function is provided separately because DTLS-SRTP behaves | 100 // This function is provided separately because DTLS-SRTP behaves |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 105 int recv_cs, | 111 int recv_cs, |
| 106 const uint8_t* recv_key, | 112 const uint8_t* recv_key, |
| 107 int recv_key_len) { | 113 int recv_key_len) { |
| 108 // This can only be called once, but can be safely called after | 114 // This can only be called once, but can be safely called after |
| 109 // SetRtpParams | 115 // SetRtpParams |
| 110 if (send_rtcp_session_ || recv_rtcp_session_) { | 116 if (send_rtcp_session_ || recv_rtcp_session_) { |
| 111 LOG(LS_ERROR) << "Tried to set SRTCP Params when filter already active"; | 117 LOG(LS_ERROR) << "Tried to set SRTCP Params when filter already active"; |
| 112 return false; | 118 return false; |
| 113 } | 119 } |
| 114 | 120 |
| 121 // RTCP doesn't support header encryption. | |
| 122 std::vector<int> no_encrypted_headers; | |
| 115 send_rtcp_session_.reset(new SrtpSession()); | 123 send_rtcp_session_.reset(new SrtpSession()); |
| 116 SignalSrtpError.repeat(send_rtcp_session_->SignalSrtpError); | 124 SignalSrtpError.repeat(send_rtcp_session_->SignalSrtpError); |
| 117 send_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_); | 125 send_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_); |
| 118 if (!send_rtcp_session_->SetRecv(send_cs, send_key, send_key_len)) | 126 if (!send_rtcp_session_->SetRecv(send_cs, send_key, send_key_len, |
| 127 no_encrypted_headers)) { | |
| 119 return false; | 128 return false; |
| 129 } | |
| 120 | 130 |
| 121 recv_rtcp_session_.reset(new SrtpSession()); | 131 recv_rtcp_session_.reset(new SrtpSession()); |
| 122 SignalSrtpError.repeat(recv_rtcp_session_->SignalSrtpError); | 132 SignalSrtpError.repeat(recv_rtcp_session_->SignalSrtpError); |
| 123 recv_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_); | 133 recv_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_); |
| 124 if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len)) | 134 if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len, |
| 135 no_encrypted_headers)) { | |
| 125 return false; | 136 return false; |
| 137 } | |
| 126 | 138 |
| 127 LOG(LS_INFO) << "SRTCP activated with negotiated parameters:" | 139 LOG(LS_INFO) << "SRTCP activated with negotiated parameters:" |
| 128 << " send cipher_suite " << send_cs | 140 << " send cipher_suite " << send_cs |
| 129 << " recv cipher_suite " << recv_cs; | 141 << " recv cipher_suite " << recv_cs; |
| 130 | 142 |
| 131 return true; | 143 return true; |
| 132 } | 144 } |
| 133 | 145 |
| 134 bool SrtpFilter::ProtectRtp(void* p, int in_len, int max_len, int* out_len) { | 146 bool SrtpFilter::ProtectRtp(void* p, int in_len, int max_len, int* out_len) { |
| 135 if (!IsActive()) { | 147 if (!IsActive()) { |
| (...skipping 264 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 400 // TODO(juberti): Zero these buffers after use. | 412 // TODO(juberti): Zero these buffers after use. |
| 401 bool ret; | 413 bool ret; |
| 402 rtc::Buffer send_key(send_key_len + send_salt_len); | 414 rtc::Buffer send_key(send_key_len + send_salt_len); |
| 403 rtc::Buffer recv_key(recv_key_len + recv_salt_len); | 415 rtc::Buffer recv_key(recv_key_len + recv_salt_len); |
| 404 ret = (ParseKeyParams(send_params.key_params, send_key.data(), | 416 ret = (ParseKeyParams(send_params.key_params, send_key.data(), |
| 405 send_key.size()) && | 417 send_key.size()) && |
| 406 ParseKeyParams(recv_params.key_params, recv_key.data(), | 418 ParseKeyParams(recv_params.key_params, recv_key.data(), |
| 407 recv_key.size())); | 419 recv_key.size())); |
| 408 if (ret) { | 420 if (ret) { |
| 409 CreateSrtpSessions(); | 421 CreateSrtpSessions(); |
| 422 std::vector<int> encrypted_headers; // No encrypted headers in this case. | |
|
Taylor Brandstetter
2017/03/22 18:00:11
Use the pattern of "no_encrypted_headers" here as
joachim
2017/03/23 00:04:33
I now also added support for encrypted header exte
| |
| 410 ret = (send_session_->SetSend( | 423 ret = (send_session_->SetSend( |
| 411 rtc::SrtpCryptoSuiteFromName(send_params.cipher_suite), | 424 rtc::SrtpCryptoSuiteFromName(send_params.cipher_suite), |
| 412 send_key.data(), send_key.size()) && | 425 send_key.data(), send_key.size(), encrypted_headers) && |
| 413 recv_session_->SetRecv( | 426 recv_session_->SetRecv( |
| 414 rtc::SrtpCryptoSuiteFromName(recv_params.cipher_suite), | 427 rtc::SrtpCryptoSuiteFromName(recv_params.cipher_suite), |
| 415 recv_key.data(), recv_key.size())); | 428 recv_key.data(), recv_key.size(), encrypted_headers)); |
| 416 } | 429 } |
| 417 if (ret) { | 430 if (ret) { |
| 418 LOG(LS_INFO) << "SRTP activated with negotiated parameters:" | 431 LOG(LS_INFO) << "SRTP activated with negotiated parameters:" |
| 419 << " send cipher_suite " << send_params.cipher_suite | 432 << " send cipher_suite " << send_params.cipher_suite |
| 420 << " recv cipher_suite " << recv_params.cipher_suite; | 433 << " recv cipher_suite " << recv_params.cipher_suite; |
| 421 applied_send_params_ = send_params; | 434 applied_send_params_ = send_params; |
| 422 applied_recv_params_ = recv_params; | 435 applied_recv_params_ = recv_params; |
| 423 } else { | 436 } else { |
| 424 LOG(LS_WARNING) << "Failed to apply negotiated SRTP parameters"; | 437 LOG(LS_WARNING) << "Failed to apply negotiated SRTP parameters"; |
| 425 } | 438 } |
| (...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 470 SignalSrtpError.repeat(srtp_stat_->SignalSrtpError); | 483 SignalSrtpError.repeat(srtp_stat_->SignalSrtpError); |
| 471 } | 484 } |
| 472 | 485 |
| 473 SrtpSession::~SrtpSession() { | 486 SrtpSession::~SrtpSession() { |
| 474 if (session_) { | 487 if (session_) { |
| 475 srtp_set_user_data(session_, nullptr); | 488 srtp_set_user_data(session_, nullptr); |
| 476 srtp_dealloc(session_); | 489 srtp_dealloc(session_); |
| 477 } | 490 } |
| 478 } | 491 } |
| 479 | 492 |
| 480 bool SrtpSession::SetSend(int cs, const uint8_t* key, size_t len) { | 493 bool SrtpSession::SetSend(int cs, const uint8_t* key, size_t len, |
| 481 return SetKey(ssrc_any_outbound, cs, key, len); | 494 const std::vector<int>& encrypted_headers) { |
| 495 return SetKey(ssrc_any_outbound, cs, key, len, encrypted_headers); | |
| 482 } | 496 } |
| 483 | 497 |
| 484 bool SrtpSession::SetRecv(int cs, const uint8_t* key, size_t len) { | 498 bool SrtpSession::SetRecv(int cs, const uint8_t* key, size_t len, |
| 485 return SetKey(ssrc_any_inbound, cs, key, len); | 499 const std::vector<int>& encrypted_headers) { |
| 500 return SetKey(ssrc_any_inbound, cs, key, len, encrypted_headers); | |
| 486 } | 501 } |
| 487 | 502 |
| 488 bool SrtpSession::ProtectRtp(void* p, int in_len, int max_len, int* out_len) { | 503 bool SrtpSession::ProtectRtp(void* p, int in_len, int max_len, int* out_len) { |
| 489 RTC_DCHECK(thread_checker_.CalledOnValidThread()); | 504 RTC_DCHECK(thread_checker_.CalledOnValidThread()); |
| 490 if (!session_) { | 505 if (!session_) { |
| 491 LOG(LS_WARNING) << "Failed to protect SRTP packet: no SRTP Session"; | 506 LOG(LS_WARNING) << "Failed to protect SRTP packet: no SRTP Session"; |
| 492 return false; | 507 return false; |
| 493 } | 508 } |
| 494 | 509 |
| 495 int need_len = in_len + rtp_auth_tag_len_; // NOLINT | 510 int need_len = in_len + rtp_auth_tag_len_; // NOLINT |
| (...skipping 151 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 647 *index = static_cast<int64_t>( | 662 *index = static_cast<int64_t>( |
| 648 rtc::NetworkToHost64( | 663 rtc::NetworkToHost64( |
| 649 srtp_rdbx_get_packet_index(&stream->rtp_rdbx) << 16)); | 664 srtp_rdbx_get_packet_index(&stream->rtp_rdbx) << 16)); |
| 650 return true; | 665 return true; |
| 651 } | 666 } |
| 652 | 667 |
| 653 void SrtpSession::set_signal_silent_time(int signal_silent_time_in_ms) { | 668 void SrtpSession::set_signal_silent_time(int signal_silent_time_in_ms) { |
| 654 srtp_stat_->set_signal_silent_time(signal_silent_time_in_ms); | 669 srtp_stat_->set_signal_silent_time(signal_silent_time_in_ms); |
| 655 } | 670 } |
| 656 | 671 |
| 657 bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, size_t len) { | 672 bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, size_t len, |
| 673 const std::vector<int>& encrypted_headers) { | |
| 658 RTC_DCHECK(thread_checker_.CalledOnValidThread()); | 674 RTC_DCHECK(thread_checker_.CalledOnValidThread()); |
| 659 if (session_) { | 675 if (session_) { |
| 660 LOG(LS_ERROR) << "Failed to create SRTP session: " | 676 LOG(LS_ERROR) << "Failed to create SRTP session: " |
| 661 << "SRTP session already created"; | 677 << "SRTP session already created"; |
| 662 return false; | 678 return false; |
| 663 } | 679 } |
| 664 | 680 |
| 665 if (!Init()) { | 681 if (!Init()) { |
| 666 return false; | 682 return false; |
| 667 } | 683 } |
| (...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 712 // If external authentication option is enabled, supply custom auth module | 728 // If external authentication option is enabled, supply custom auth module |
| 713 // id EXTERNAL_HMAC_SHA1 in the policy structure. | 729 // id EXTERNAL_HMAC_SHA1 in the policy structure. |
| 714 // We want to set this option only for rtp packets. | 730 // We want to set this option only for rtp packets. |
| 715 // By default policy structure is initialized to HMAC_SHA1. | 731 // By default policy structure is initialized to HMAC_SHA1. |
| 716 // Enable external HMAC authentication only for outgoing streams and only | 732 // Enable external HMAC authentication only for outgoing streams and only |
| 717 // for cipher suites that support it (i.e. only non-GCM cipher suites). | 733 // for cipher suites that support it (i.e. only non-GCM cipher suites). |
| 718 if (type == ssrc_any_outbound && IsExternalAuthEnabled() && | 734 if (type == ssrc_any_outbound && IsExternalAuthEnabled() && |
| 719 !rtc::IsGcmCryptoSuite(cs)) { | 735 !rtc::IsGcmCryptoSuite(cs)) { |
| 720 policy.rtp.auth_type = EXTERNAL_HMAC_SHA1; | 736 policy.rtp.auth_type = EXTERNAL_HMAC_SHA1; |
| 721 } | 737 } |
| 738 if (!encrypted_headers.empty()) { | |
|
pthatcher1
2017/03/21 07:07:06
Please stick with "_header_extensions" or "hdr_ext
joachim
2017/03/23 00:04:33
Done (here and in various other places).
| |
| 739 policy.enc_xtn_hdr = const_cast<int*>(&encrypted_headers[0]); | |
| 740 policy.enc_xtn_hdr_count = encrypted_headers.size(); | |
| 741 } | |
| 722 policy.next = nullptr; | 742 policy.next = nullptr; |
| 723 | 743 |
| 724 int err = srtp_create(&session_, &policy); | 744 int err = srtp_create(&session_, &policy); |
| 725 if (err != srtp_err_status_ok) { | 745 if (err != srtp_err_status_ok) { |
| 726 session_ = nullptr; | 746 session_ = nullptr; |
| 727 LOG(LS_ERROR) << "Failed to create SRTP session, err=" << err; | 747 LOG(LS_ERROR) << "Failed to create SRTP session, err=" << err; |
| 728 return false; | 748 return false; |
| 729 } | 749 } |
| 730 | 750 |
| 731 srtp_set_user_data(session_, this); | 751 srtp_set_user_data(session_, this); |
| (...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 871 if (stat->last_signal_time == 0 || | 891 if (stat->last_signal_time == 0 || |
| 872 rtc::TimeDiff(current_time, stat->last_signal_time) > | 892 rtc::TimeDiff(current_time, stat->last_signal_time) > |
| 873 signal_silent_time_) { | 893 signal_silent_time_) { |
| 874 SignalSrtpError(key.ssrc, key.mode, key.error); | 894 SignalSrtpError(key.ssrc, key.mode, key.error); |
| 875 stat->last_signal_time = current_time; | 895 stat->last_signal_time = current_time; |
| 876 } | 896 } |
| 877 } | 897 } |
| 878 } | 898 } |
| 879 | 899 |
| 880 } // namespace cricket | 900 } // namespace cricket |
| OLD | NEW |
