Support encrypted RTP extensions (RFC 6904)

webrtc/pc/srtpfilter.cc

Index: webrtc/pc/srtpfilter.cc
diff --git a/webrtc/pc/srtpfilter.cc b/webrtc/pc/srtpfilter.cc
index f8537f3dd678fedd72a74b80c7ff8f2efb8fe5b4..23f128c56fae0144c066859042eab76e516465d5 100644
--- a/webrtc/pc/srtpfilter.cc
+++ b/webrtc/pc/srtpfilter.cc
@@ -66,6 +66,26 @@ bool SrtpFilter::SetProvisionalAnswer(
   return DoSetAnswer(answer_params, source, false);
 }
 
+void SrtpFilter::GetSendRecvEncryptedHeaderExtensions(
+    std::vector<int>* send_extensions, std::vector<int>* recv_extensions) {
+  // Send local extension header encrypted if the remote also uses it
+  // encrypted and vice versa.
+  for (const webrtc::RtpExtension& extension :
+       local_encrypted_header_extensions_) {
+    if (webrtc::RtpExtension::FindHeaderExtensionByUri(
+        remote_encrypted_header_extensions_, extension.uri)) {
+      send_extensions->push_back(extension.id);
+    }
+  }
+  for (const webrtc::RtpExtension& extension :
+       remote_encrypted_header_extensions_) {
+    if (webrtc::RtpExtension::FindHeaderExtensionByUri(
+        local_encrypted_header_extensions_, extension.uri)) {
+      recv_extensions->push_back(extension.id);
+    }
+  }
+}
+
 bool SrtpFilter::SetRtpParams(int send_cs,
                               const uint8_t* send_key,
                               int send_key_len,
@@ -77,11 +97,20 @@ bool SrtpFilter::SetRtpParams(int send_cs,
     return false;
   }
   CreateSrtpSessions();
-  if (!send_session_->SetSend(send_cs, send_key, send_key_len))
+  std::vector<int> send_encrypted_header_extensions;
+  std::vector<int> recv_encrypted_header_extensions;
+
+  GetSendRecvEncryptedHeaderExtensions(&send_encrypted_header_extensions,
+      &recv_encrypted_header_extensions);
+  if (!send_session_->SetSend(send_cs, send_key, send_key_len,
+      send_encrypted_header_extensions)) {
     return false;
+  }
 
-  if (!recv_session_->SetRecv(recv_cs, recv_key, recv_key_len))
+  if (!recv_session_->SetRecv(recv_cs, recv_key, recv_key_len,
+      recv_encrypted_header_extensions)) {
     return false;
+  }
 
   state_ = ST_ACTIVE;
 
@@ -112,17 +141,23 @@ bool SrtpFilter::SetRtcpParams(int send_cs,
     return false;
   }
 
+  // RTCP doesn't support header encryption.
+  std::vector<int> no_encrypted_header_extensions;
   send_rtcp_session_.reset(new SrtpSession());
   SignalSrtpError.repeat(send_rtcp_session_->SignalSrtpError);
   send_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_);
-  if (!send_rtcp_session_->SetRecv(send_cs, send_key, send_key_len))
+  if (!send_rtcp_session_->SetRecv(send_cs, send_key, send_key_len,
+      no_encrypted_header_extensions)) {
     return false;
+  }
 
   recv_rtcp_session_.reset(new SrtpSession());
   SignalSrtpError.repeat(recv_rtcp_session_->SignalSrtpError);
   recv_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_);
-  if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len))
+  if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len,
+      no_encrypted_header_extensions)) {
     return false;
+  }
 
   LOG(LS_INFO) << "SRTCP activated with negotiated parameters:"
                << " send cipher_suite " << send_cs
@@ -242,6 +277,15 @@ void SrtpFilter::set_signal_silent_time(int signal_silent_time_in_ms) {
   }
 }
 
+void SrtpFilter::SetEncryptedHeaderExtensions(ContentSource source,
+    const std::vector<webrtc::RtpExtension>& extensions) {

[Taylor Brandstetter, 2017/03/23 20:10:56]

The situation that's not being handled right now is when this is called while
"IsActive" is already true.

[joachim, 2017/03/30 22:43:49]

This is now supported. Encrypted header extensions can be changed.

+  if (source == CS_LOCAL) {
+    local_encrypted_header_extensions_ = extensions;
+  } else {
+    remote_encrypted_header_extensions_ = extensions;
+  }
+}
+
 bool SrtpFilter::ExpectOffer(ContentSource source) {
   return ((state_ == ST_INIT) ||
           (state_ == ST_ACTIVE) ||
@@ -407,12 +451,19 @@ bool SrtpFilter::ApplyParams(const CryptoParams& send_params,
                         recv_key.size()));
   if (ret) {
     CreateSrtpSessions();
+    std::vector<int> send_encrypted_header_extensions;
+    std::vector<int> recv_encrypted_header_extensions;
+
+    GetSendRecvEncryptedHeaderExtensions(&send_encrypted_header_extensions,
+        &recv_encrypted_header_extensions);
     ret = (send_session_->SetSend(
                rtc::SrtpCryptoSuiteFromName(send_params.cipher_suite),
-               send_key.data(), send_key.size()) &&
+               send_key.data(), send_key.size(),
+               send_encrypted_header_extensions) &&
            recv_session_->SetRecv(
                rtc::SrtpCryptoSuiteFromName(recv_params.cipher_suite),
-               recv_key.data(), recv_key.size()));
+               recv_key.data(), recv_key.size(),
+               recv_encrypted_header_extensions));
   }
   if (ret) {
     LOG(LS_INFO) << "SRTP activated with negotiated parameters:"
@@ -433,6 +484,8 @@ bool SrtpFilter::ResetParams() {
   recv_session_ = nullptr;
   send_rtcp_session_ = nullptr;
   recv_rtcp_session_ = nullptr;
+  local_encrypted_header_extensions_.clear();
+  remote_encrypted_header_extensions_.clear();
   LOG(LS_INFO) << "SRTP reset to init state";
   return true;
 }
@@ -477,12 +530,16 @@ SrtpSession::~SrtpSession() {
   }
 }
 
-bool SrtpSession::SetSend(int cs, const uint8_t* key, size_t len) {
-  return SetKey(ssrc_any_outbound, cs, key, len);
+bool SrtpSession::SetSend(int cs, const uint8_t* key, size_t len,
+    const std::vector<int>& encrypted_header_extensions) {
+  return SetKeyAndEncryptedHeaderExtensions(ssrc_any_outbound, cs, key, len,
+      encrypted_header_extensions);
 }
 
-bool SrtpSession::SetRecv(int cs, const uint8_t* key, size_t len) {
-  return SetKey(ssrc_any_inbound, cs, key, len);
+bool SrtpSession::SetRecv(int cs, const uint8_t* key, size_t len,
+    const std::vector<int>& encrypted_header_extensions) {
+  return SetKeyAndEncryptedHeaderExtensions(ssrc_any_inbound, cs, key, len,
+      encrypted_header_extensions);
 }
 
 bool SrtpSession::ProtectRtp(void* p, int in_len, int max_len, int* out_len) {
@@ -654,7 +711,9 @@ void SrtpSession::set_signal_silent_time(int signal_silent_time_in_ms) {
   srtp_stat_->set_signal_silent_time(signal_silent_time_in_ms);
 }
 
-bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, size_t len) {
+bool SrtpSession::SetKeyAndEncryptedHeaderExtensions(int type, int cs,
+    const uint8_t* key, size_t len,
+    const std::vector<int>& encrypted_header_extensions) {
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
   if (session_) {
     LOG(LS_ERROR) << "Failed to create SRTP session: "
@@ -719,6 +778,10 @@ bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, size_t len) {
       !rtc::IsGcmCryptoSuite(cs)) {
     policy.rtp.auth_type = EXTERNAL_HMAC_SHA1;
   }
+  if (!encrypted_header_extensions.empty()) {
+    policy.enc_xtn_hdr = const_cast<int*>(&encrypted_header_extensions[0]);
+    policy.enc_xtn_hdr_count = encrypted_header_extensions.size();
+  }
   policy.next = nullptr;
 
   int err = srtp_create(&session_, &policy);