Support encrypted RTP extensions (RFC 6904)

webrtc/pc/srtpfilter.cc

Index: webrtc/pc/srtpfilter.cc
diff --git a/webrtc/pc/srtpfilter.cc b/webrtc/pc/srtpfilter.cc
index f8537f3dd678fedd72a74b80c7ff8f2efb8fe5b4..98c67b423e5d39f8939ac8b214e3636071447f3c 100644
--- a/webrtc/pc/srtpfilter.cc
+++ b/webrtc/pc/srtpfilter.cc
@@ -69,19 +69,25 @@ bool SrtpFilter::SetProvisionalAnswer(
 bool SrtpFilter::SetRtpParams(int send_cs,
                               const uint8_t* send_key,
                               int send_key_len,
+                              const std::vector<int>& send_encrypted_headers,
                               int recv_cs,
                               const uint8_t* recv_key,
-                              int recv_key_len) {
+                              int recv_key_len,
+                              const std::vector<int>& recv_encrypted_headers) {
   if (IsActive()) {
     LOG(LS_ERROR) << "Tried to set SRTP Params when filter already active";
     return false;
   }
   CreateSrtpSessions();
-  if (!send_session_->SetSend(send_cs, send_key, send_key_len))
+  if (!send_session_->SetSend(send_cs, send_key, send_key_len,
+      send_encrypted_headers)) {
     return false;
+  }
 
-  if (!recv_session_->SetRecv(recv_cs, recv_key, recv_key_len))
+  if (!recv_session_->SetRecv(recv_cs, recv_key, recv_key_len,
+      recv_encrypted_headers)) {
     return false;
+  }
 
   state_ = ST_ACTIVE;
 
@@ -112,17 +118,23 @@ bool SrtpFilter::SetRtcpParams(int send_cs,
     return false;
   }
 
+  // RTCP doesn't support header encryption.
+  std::vector<int> no_encrypted_headers;
   send_rtcp_session_.reset(new SrtpSession());
   SignalSrtpError.repeat(send_rtcp_session_->SignalSrtpError);
   send_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_);
-  if (!send_rtcp_session_->SetRecv(send_cs, send_key, send_key_len))
+  if (!send_rtcp_session_->SetRecv(send_cs, send_key, send_key_len,
+      no_encrypted_headers)) {
     return false;
+  }
 
   recv_rtcp_session_.reset(new SrtpSession());
   SignalSrtpError.repeat(recv_rtcp_session_->SignalSrtpError);
   recv_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_);
-  if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len))
+  if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len,
+      no_encrypted_headers)) {
     return false;
+  }
 
   LOG(LS_INFO) << "SRTCP activated with negotiated parameters:"
                << " send cipher_suite " << send_cs
@@ -407,12 +419,13 @@ bool SrtpFilter::ApplyParams(const CryptoParams& send_params,
                         recv_key.size()));
   if (ret) {
     CreateSrtpSessions();
+    std::vector<int> encrypted_headers;  // No encrypted headers in this case.

[Taylor Brandstetter, 2017/03/22 18:00:11]

Use the pattern of "no_encrypted_headers" here as well?

Also, if we don't support encrypted header extensions with SDES, that should be
documented somewhere, and we should make sure it doesn't result in them being
sent encrypted, but rather not sent at all.

[joachim, 2017/03/23 00:04:33]

I now also added support for encrypted header extensions with SDES.

     ret = (send_session_->SetSend(
                rtc::SrtpCryptoSuiteFromName(send_params.cipher_suite),
-               send_key.data(), send_key.size()) &&
+               send_key.data(), send_key.size(), encrypted_headers) &&
            recv_session_->SetRecv(
                rtc::SrtpCryptoSuiteFromName(recv_params.cipher_suite),
-               recv_key.data(), recv_key.size()));
+               recv_key.data(), recv_key.size(), encrypted_headers));
   }
   if (ret) {
     LOG(LS_INFO) << "SRTP activated with negotiated parameters:"
@@ -477,12 +490,14 @@ SrtpSession::~SrtpSession() {
   }
 }
 
-bool SrtpSession::SetSend(int cs, const uint8_t* key, size_t len) {
-  return SetKey(ssrc_any_outbound, cs, key, len);
+bool SrtpSession::SetSend(int cs, const uint8_t* key, size_t len,
+    const std::vector<int>& encrypted_headers) {
+  return SetKey(ssrc_any_outbound, cs, key, len, encrypted_headers);
 }
 
-bool SrtpSession::SetRecv(int cs, const uint8_t* key, size_t len) {
-  return SetKey(ssrc_any_inbound, cs, key, len);
+bool SrtpSession::SetRecv(int cs, const uint8_t* key, size_t len,
+    const std::vector<int>& encrypted_headers) {
+  return SetKey(ssrc_any_inbound, cs, key, len, encrypted_headers);
 }
 
 bool SrtpSession::ProtectRtp(void* p, int in_len, int max_len, int* out_len) {
@@ -654,7 +669,8 @@ void SrtpSession::set_signal_silent_time(int signal_silent_time_in_ms) {
   srtp_stat_->set_signal_silent_time(signal_silent_time_in_ms);
 }
 
-bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, size_t len) {
+bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, size_t len,
+    const std::vector<int>& encrypted_headers) {
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
   if (session_) {
     LOG(LS_ERROR) << "Failed to create SRTP session: "
@@ -719,6 +735,10 @@ bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, size_t len) {
       !rtc::IsGcmCryptoSuite(cs)) {
     policy.rtp.auth_type = EXTERNAL_HMAC_SHA1;
   }
+  if (!encrypted_headers.empty()) {

[pthatcher1, 2017/03/21 07:07:06]

Please stick with "_header_extensions" or "hdr_exts" instead of just "headers".

[joachim, 2017/03/23 00:04:33]

Done (here and in various other places).

+    policy.enc_xtn_hdr = const_cast<int*>(&encrypted_headers[0]);
+    policy.enc_xtn_hdr_count = encrypted_headers.size();
+  }
   policy.next = nullptr;
 
   int err = srtp_create(&session_, &policy);