admin/webrtc_m130
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Spanify SRTP key export"

Browse Source 
This reverts commit 65ae3245f9380e46b1d755f3f452ba63ab6cdf8d.

Reason for revert: breaks downstream compilation

Original change's description:
> Spanify SRTP key export
>
> and simplify the interface used as this is only used for exporting
> SRTP keys and passing arcane OpenSSL arguments around does not make
> much sense.
>
> BUG=webrtc:357776213
>
> Change-Id: I9e5a94fe368b77975e48b6dd5ab6a2d2575d6382
> Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/364521
> Commit-Queue: Philipp Hancke <phancke@meta.com>
> Reviewed-by: Harald Alvestrand <hta@webrtc.org>
> Reviewed-by: Florent Castelli <orphis@webrtc.org>
> Cr-Commit-Position: refs/heads/main@{#43198}

Bug: webrtc:357776213
Change-Id: I03ffcda3d6821718f355b243ce78a9c54b4036f3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/365062
Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Jeremy Leconte <jleconte@webrtc.org>
Owners-Override: Jeremy Leconte <jleconte@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#43202}
This commit is contained in:
Jeremy Leconte 2024-10-09 08:50:51 +00:00 committed by WebRTC LUCI CQ
parent 8fad80b8a2
commit 32590ef877
11 changed files with 101 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
p2p/base/dtls_transport.cc
View File

@ -354,26 +354,16 @@ std::unique_ptr<rtc::SSLCertChain> DtlsTransport::GetRemoteSSLCertChain()
return dtls_->GetPeerSSLCertChain(); return dtls_->GetPeerSSLCertChain();
} }
bool DtlsTransport::ExportSrtpKeyingMaterial(
rtc::ZeroOnFreeBuffer<unsigned char>& keying_material) {
return dtls_ ? dtls_->ExportSrtpKeyingMaterial(keying_material) : false;
}
bool DtlsTransport::ExportKeyingMaterial(absl::string_view label, bool DtlsTransport::ExportKeyingMaterial(absl::string_view label,
const uint8_t* context, const uint8_t* context,
size_t context_len, size_t context_len,
bool use_context, bool use_context,
uint8_t* result, uint8_t* result,
size_t result_len) { size_t result_len) {
RTC_DCHECK(!context); return (dtls_.get())
RTC_DCHECK_EQ(context_len, 0u); ? dtls_->ExportKeyingMaterial(label, context, context_len,
RTC_DCHECK_EQ(use_context, false); use_context, result, result_len)
rtc::ZeroOnFreeBuffer<unsigned char> temporary_result(result_len); : false;
if (ExportSrtpKeyingMaterial(temporary_result)) {
std::memcpy(result, temporary_result.data(), result_len);
return true;
}
return false;
} }
bool DtlsTransport::SetupDtls() { bool DtlsTransport::SetupDtls() {

17
p2p/base/dtls_transport.h
View File

@ -179,16 +179,13 @@ class DtlsTransport : public DtlsTransportInternal {
// Once DTLS has established (i.e., this ice_transport is writable), this // Once DTLS has established (i.e., this ice_transport is writable), this
// method extracts the keys negotiated during the DTLS handshake, for use in // method extracts the keys negotiated during the DTLS handshake, for use in
// external encryption. DTLS-SRTP uses this to extract the needed SRTP keys. // external encryption. DTLS-SRTP uses this to extract the needed SRTP keys.
bool ExportSrtpKeyingMaterial( // See the SSLStreamAdapter documentation for info on the specific parameters.
rtc::ZeroOnFreeBuffer<unsigned char>& keying_material) override; bool ExportKeyingMaterial(absl::string_view label,
const uint8_t* context,
[[deprecated("Use ExportSrtpKeyingMaterial instead")]] bool size_t context_len,
ExportKeyingMaterial(absl::string_view label, bool use_context,
const uint8_t* context, uint8_t* result,
size_t context_len, size_t result_len) override;
bool use_context,
uint8_t* result,
size_t result_len) override;
IceTransportInternal* ice_transport() override; IceTransportInternal* ice_transport() override;

16
p2p/base/dtls_transport_internal.h
View File

@ -89,16 +89,12 @@ class DtlsTransportInternal : public rtc::PacketTransportInternal {
virtual std::unique_ptr<rtc::SSLCertChain> GetRemoteSSLCertChain() const = 0; virtual std::unique_ptr<rtc::SSLCertChain> GetRemoteSSLCertChain() const = 0;
// Allows key material to be extracted for external encryption. // Allows key material to be extracted for external encryption.
virtual bool ExportSrtpKeyingMaterial( virtual bool ExportKeyingMaterial(absl::string_view label,
rtc::ZeroOnFreeBuffer<unsigned char>& keying_material) = 0; const uint8_t* context,
size_t context_len,
[[deprecated("Use ExportSrtpKeyingMaterial instead")]] virtual bool bool use_context,
ExportKeyingMaterial(absl::string_view label, uint8_t* result,
const uint8_t* context, size_t result_len) = 0;
size_t context_len,
bool use_context,
uint8_t* result,
size_t result_len) = 0;
// Set DTLS remote fingerprint. Must be after local identity set. // Set DTLS remote fingerprint. Must be after local identity set.
ABSL_DEPRECATED("Use SetRemoteParameters instead.") ABSL_DEPRECATED("Use SetRemoteParameters instead.")

27
p2p/base/dtls_transport_unittest.cc
View File

@ -458,33 +458,6 @@ TEST_F(DtlsTransportTest, TestTransferDtlsCombineRecords) {
TestTransfer(500, 100, /*srtp=*/false); TestTransfer(500, 100, /*srtp=*/false);
} }
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
TEST_F(DtlsTransportTest, KeyingMaterialExporter) {
PrepareDtls(rtc::KT_DEFAULT);
ASSERT_TRUE(Connect());
int crypto_suite;
EXPECT_TRUE(client1_.dtls_transport()->GetSrtpCryptoSuite(&crypto_suite));
int key_len;
int salt_len;
EXPECT_TRUE(rtc::GetSrtpKeyAndSaltLengths(crypto_suite, &key_len, &salt_len));
rtc::ZeroOnFreeBuffer<unsigned char> client1_out(2 * (key_len + salt_len));
rtc::ZeroOnFreeBuffer<unsigned char> client2_out(2 * (key_len + salt_len));
EXPECT_TRUE(client1_.dtls_transport()->ExportSrtpKeyingMaterial(client1_out));
EXPECT_TRUE(client2_.dtls_transport()->ExportSrtpKeyingMaterial(client2_out));
EXPECT_EQ(client1_out, client2_out);
// Legacy variant using the deprecated API.
rtc::ZeroOnFreeBuffer<unsigned char> client1_out_legacy(2 *
(key_len + salt_len));
EXPECT_TRUE(client1_.dtls_transport()->ExportKeyingMaterial(
"EXTRACTOR-dtls_srtp", nullptr, 0, false, client1_out_legacy.data(),
client1_out_legacy.size()));
EXPECT_EQ(client1_out, client1_out_legacy);
}
#pragma clang diagnostic pop
class DtlsTransportVersionTest class DtlsTransportVersionTest
: public DtlsTransportTestBase, : public DtlsTransportTestBase,
public ::testing::TestWithParam< public ::testing::TestWithParam<

8
p2p/base/fake_dtls_transport.h
View File

@ -11,7 +11,6 @@
#ifndef P2P_BASE_FAKE_DTLS_TRANSPORT_H_ #ifndef P2P_BASE_FAKE_DTLS_TRANSPORT_H_
#define P2P_BASE_FAKE_DTLS_TRANSPORT_H_ #define P2P_BASE_FAKE_DTLS_TRANSPORT_H_
#include <cstring>
#include <memory> #include <memory>
#include <string> #include <string>
#include <utility> #include <utility>
@ -228,13 +227,6 @@ class FakeDtlsTransport : public DtlsTransportInternal {
} }
return std::make_unique<rtc::SSLCertChain>(remote_cert_->Clone()); return std::make_unique<rtc::SSLCertChain>(remote_cert_->Clone());
} }
bool ExportSrtpKeyingMaterial(
rtc::ZeroOnFreeBuffer<unsigned char>& keying_material) override {
if (do_dtls_) {
std::memset(keying_material.data(), 0xff, keying_material.size());
}
return do_dtls_;
}
bool ExportKeyingMaterial(absl::string_view label, bool ExportKeyingMaterial(absl::string_view label,
const uint8_t* context, const uint8_t* context,
size_t context_len, size_t context_len,

11
pc/dtls_srtp_transport.cc
View File

@ -20,6 +20,11 @@
#include "rtc_base/logging.h" #include "rtc_base/logging.h"
#include "rtc_base/ssl_stream_adapter.h" #include "rtc_base/ssl_stream_adapter.h"
namespace {
// Value specified in RFC 5764.
static const char kDtlsSrtpExporterLabel[] = "EXTRACTOR-dtls_srtp";
} // namespace
namespace webrtc { namespace webrtc {
DtlsSrtpTransport::DtlsSrtpTransport(bool rtcp_mux_enabled, DtlsSrtpTransport::DtlsSrtpTransport(bool rtcp_mux_enabled,
@ -225,8 +230,10 @@ bool DtlsSrtpTransport::ExtractParams(
rtc::ZeroOnFreeBuffer<unsigned char> dtls_buffer(key_len * 2 + salt_len * 2); rtc::ZeroOnFreeBuffer<unsigned char> dtls_buffer(key_len * 2 + salt_len * 2);
// RFC 5705 exporter using the RFC 5764 parameters // RFC 5705 exporter using the RFC 5764 parameters
if (!dtls_transport->ExportSrtpKeyingMaterial(dtls_buffer)) { if (!dtls_transport->ExportKeyingMaterial(kDtlsSrtpExporterLabel, NULL, 0,
RTC_LOG(LS_ERROR) << "DTLS-SRTP key export failed"; false, &dtls_buffer[0],
dtls_buffer.size())) {
RTC_LOG(LS_WARNING) << "DTLS-SRTP key export failed";
RTC_DCHECK_NOTREACHED(); // This should never happen RTC_DCHECK_NOTREACHED(); // This should never happen
return false; return false;
} }

28
rtc_base/openssl_stream_adapter.cc
View File

@ -63,11 +63,6 @@
#error "webrtc requires at least OpenSSL version 1.1.0, to support DTLS-SRTP" #error "webrtc requires at least OpenSSL version 1.1.0, to support DTLS-SRTP"
#endif #endif
namespace {
// Value specified in RFC 5764.
static const char kDtlsSrtpExporterLabel[] = "EXTRACTOR-dtls_srtp";
} // namespace
namespace rtc { namespace rtc {
namespace { namespace {
using ::webrtc::SafeTask; using ::webrtc::SafeTask;
@ -382,19 +377,16 @@ bool OpenSSLStreamAdapter::GetSslVersionBytes(int* version) const {
return true; return true;
} }
bool OpenSSLStreamAdapter::ExportSrtpKeyingMaterial( // Key Extractor interface
rtc::ZeroOnFreeBuffer<unsigned char>& keying_material) { bool OpenSSLStreamAdapter::ExportKeyingMaterial(absl::string_view label,
// Arguments are: const uint8_t* context,
// keying material/len -- a buffer to hold the keying material. size_t context_len,
// label -- the exporter label. bool use_context,
// part of the RFC defining each exporter uint8_t* result,
// usage. We only use RFC 5764 for DTLS-SRTP. size_t result_len) {
// context/context_len -- a context to bind to for this connection; if (SSL_export_keying_material(ssl_, result, result_len, label.data(),
// use_context optional, can be null, 0 (IN). Not used by WebRTC. label.length(), context, context_len,
if (SSL_export_keying_material(ssl_, keying_material.data(), use_context) != 1) {
keying_material.size(), kDtlsSrtpExporterLabel,
sizeof(kDtlsSrtpExporterLabel), nullptr, 0,
false) != 1) {
return false; return false;
} }
return true; return true;

8
rtc_base/openssl_stream_adapter.h
View File

@ -109,8 +109,12 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter {
const override; const override;
bool GetSslVersionBytes(int* version) const override; bool GetSslVersionBytes(int* version) const override;
// Key Extractor interface // Key Extractor interface
bool ExportSrtpKeyingMaterial( bool ExportKeyingMaterial(absl::string_view label,
rtc::ZeroOnFreeBuffer<unsigned char>& keying_material) override; const uint8_t* context,
size_t context_len,
bool use_context,
uint8_t* result,
size_t result_len) override;
uint16_t GetPeerSignatureAlgorithm() const override; uint16_t GetPeerSignatureAlgorithm() const override;

9
rtc_base/ssl_stream_adapter.cc
View File

@ -87,6 +87,15 @@ std::unique_ptr<SSLStreamAdapter> SSLStreamAdapter::Create(
std::move(handshake_error)); std::move(handshake_error));
} }
bool SSLStreamAdapter::ExportKeyingMaterial(absl::string_view label,
const uint8_t* context,
size_t context_len,
bool use_context,
uint8_t* result,
size_t result_len) {
return false; // Default is unsupported
}
bool SSLStreamAdapter::IsBoringSsl() { bool SSLStreamAdapter::IsBoringSsl() {
return OpenSSLStreamAdapter::IsBoringSsl(); return OpenSSLStreamAdapter::IsBoringSsl();
} }

19
rtc_base/ssl_stream_adapter.h
View File

@ -198,8 +198,23 @@ class SSLStreamAdapter : public StreamInterface {
virtual bool GetSslVersionBytes(int* version) const = 0; virtual bool GetSslVersionBytes(int* version) const = 0;
// Key Exporter interface from RFC 5705 // Key Exporter interface from RFC 5705
virtual bool ExportSrtpKeyingMaterial( // Arguments are:
rtc::ZeroOnFreeBuffer<unsigned char>& keying_material) = 0; // label -- the exporter label.
// part of the RFC defining each exporter
// usage (IN)
// context/context_len -- a context to bind to for this connection;
// optional, can be null, 0 (IN)
// use_context -- whether to use the context value
// (needed to distinguish no context from
// zero-length ones).
// result -- where to put the computed value
// result_len -- the length of the computed value
virtual bool ExportKeyingMaterial(absl::string_view label,
const uint8_t* context,
size_t context_len,
bool use_context,
uint8_t* result,
size_t result_len);
// Returns the signature algorithm or 0 if not applicable. // Returns the signature algorithm or 0 if not applicable.
virtual uint16_t GetPeerSignatureAlgorithm() const = 0; virtual uint16_t GetPeerSignatureAlgorithm() const = 0;

48
rtc_base/ssl_stream_adapter_unittest.cc
View File

@ -56,6 +56,10 @@ using ::testing::Values;
using ::testing::WithParamInterface; using ::testing::WithParamInterface;
using ::webrtc::SafeTask; using ::webrtc::SafeTask;
static const char kExporterLabel[] = "label";
static const unsigned char kExporterContext[] = "context";
static int kExporterContextLen = sizeof(kExporterContext);
// A private key used for testing, broken into pieces in order to avoid // A private key used for testing, broken into pieces in order to avoid
// issues with Git's checks for private keys in repos. // issues with Git's checks for private keys in repos.
// Generated using `openssl genrsa -out key.pem 2048` // Generated using `openssl genrsa -out key.pem 2048`
@ -814,6 +818,21 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
return server_ssl_->GetSslVersionBytes(version); return server_ssl_->GetSslVersionBytes(version);
} }
bool ExportKeyingMaterial(absl::string_view label,
const unsigned char* context,
size_t context_len,
bool use_context,
bool client,
unsigned char* result,
size_t result_len) {
if (client)
return client_ssl_->ExportKeyingMaterial(label, context, context_len,
use_context, result, result_len);
else
return server_ssl_->ExportKeyingMaterial(label, context, context_len,
use_context, result, result_len);
}
// To be implemented by subclasses. // To be implemented by subclasses.
virtual void WriteData() = 0; virtual void WriteData() = 0;
virtual void ReadData(rtc::StreamInterface* stream) = 0; virtual void ReadData(rtc::StreamInterface* stream) = 0;
@ -1379,23 +1398,22 @@ TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpKeyAndSaltLengths) {
// Test an exporter // Test an exporter
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSExporter) { TEST_F(SSLStreamAdapterTestDTLS, TestDTLSExporter) {
const std::vector<int> crypto_suites = {rtc::kSrtpAes128CmSha1_80};
SetDtlsSrtpCryptoSuites(crypto_suites, true);
SetDtlsSrtpCryptoSuites(crypto_suites, false);
TestHandshake(); TestHandshake();
int selected_crypto_suite; unsigned char client_out[EVP_MAX_MD_SIZE];
EXPECT_TRUE(GetDtlsSrtpCryptoSuite(/*client=*/false, &selected_crypto_suite)); unsigned char server_out[EVP_MAX_MD_SIZE];
int key_len;
int salt_len;
ASSERT_TRUE(rtc::GetSrtpKeyAndSaltLengths(selected_crypto_suite, &key_len,
&salt_len));
rtc::ZeroOnFreeBuffer<unsigned char> client_out(2 * (key_len + salt_len));
rtc::ZeroOnFreeBuffer<unsigned char> server_out(2 * (key_len + salt_len));
EXPECT_TRUE(client_ssl_->ExportSrtpKeyingMaterial(client_out)); bool result;
EXPECT_TRUE(server_ssl_->ExportSrtpKeyingMaterial(server_out)); result = ExportKeyingMaterial(kExporterLabel, kExporterContext,
EXPECT_EQ(client_out, server_out); kExporterContextLen, true, true, client_out,
sizeof(client_out));
ASSERT_TRUE(result);
result = ExportKeyingMaterial(kExporterLabel, kExporterContext,
kExporterContextLen, true, false, server_out,
sizeof(server_out));
ASSERT_TRUE(result);
ASSERT_TRUE(!memcmp(client_out, server_out, sizeof(client_out)));
} }
// Test not yet valid certificates are not rejected. // Test not yet valid certificates are not rejected.