diff --git a/talk/app/webrtc/peerconnection_unittest.cc b/talk/app/webrtc/peerconnection_unittest.cc index 3193ffd898..4faf599907 100644 --- a/talk/app/webrtc/peerconnection_unittest.cc +++ b/talk/app/webrtc/peerconnection_unittest.cc @@ -113,7 +113,7 @@ static const char kDataChannelLabel[] = "data_channel"; #if !defined(THREAD_SANITIZER) // SRTP cipher name negotiated by the tests. This must be updated if the // default changes. -static const char kDefaultSrtpCipher[] = "AES_CM_128_HMAC_SHA1_32"; +static const int kDefaultSrtpCryptoSuite = rtc::SRTP_AES128_CM_SHA1_32; #endif static void RemoveLinesFromSdp(const std::string& line_start, @@ -1327,7 +1327,7 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12None) { initializing_client()->pc()->RegisterUMAObserver(init_observer); LocalP2PTest(); - EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::GetSslCipherSuiteName( + EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName( rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)), initializing_client()->GetDtlsCipherStats(), @@ -1337,12 +1337,12 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12None) { rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT))); - EXPECT_EQ_WAIT(kDefaultSrtpCipher, + EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite), initializing_client()->GetSrtpCipherStats(), kMaxWaitForStatsMs); - EXPECT_EQ(1, init_observer->GetEnumCounter( - webrtc::kEnumCounterAudioSrtpCipher, - rtc::GetSrtpCryptoSuiteFromName(kDefaultSrtpCipher))); + EXPECT_EQ(1, + init_observer->GetEnumCounter(webrtc::kEnumCounterAudioSrtpCipher, + kDefaultSrtpCryptoSuite)); } // Test that DTLS 1.2 is used if both ends support it. @@ -1358,7 +1358,7 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Both) { initializing_client()->pc()->RegisterUMAObserver(init_observer); LocalP2PTest(); - EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::GetSslCipherSuiteName( + EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName( rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT)), initializing_client()->GetDtlsCipherStats(), @@ -1368,12 +1368,12 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Both) { rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT))); - EXPECT_EQ_WAIT(kDefaultSrtpCipher, + EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite), initializing_client()->GetSrtpCipherStats(), kMaxWaitForStatsMs); - EXPECT_EQ(1, init_observer->GetEnumCounter( - webrtc::kEnumCounterAudioSrtpCipher, - rtc::GetSrtpCryptoSuiteFromName(kDefaultSrtpCipher))); + EXPECT_EQ(1, + init_observer->GetEnumCounter(webrtc::kEnumCounterAudioSrtpCipher, + kDefaultSrtpCryptoSuite)); } // Test that DTLS 1.0 is used if the initator supports DTLS 1.2 and the @@ -1390,7 +1390,7 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Init) { initializing_client()->pc()->RegisterUMAObserver(init_observer); LocalP2PTest(); - EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::GetSslCipherSuiteName( + EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName( rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)), initializing_client()->GetDtlsCipherStats(), @@ -1400,12 +1400,12 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Init) { rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT))); - EXPECT_EQ_WAIT(kDefaultSrtpCipher, + EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite), initializing_client()->GetSrtpCipherStats(), kMaxWaitForStatsMs); - EXPECT_EQ(1, init_observer->GetEnumCounter( - webrtc::kEnumCounterAudioSrtpCipher, - rtc::GetSrtpCryptoSuiteFromName(kDefaultSrtpCipher))); + EXPECT_EQ(1, + init_observer->GetEnumCounter(webrtc::kEnumCounterAudioSrtpCipher, + kDefaultSrtpCryptoSuite)); } // Test that DTLS 1.0 is used if the initator supports DTLS 1.0 and the @@ -1422,7 +1422,7 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Recv) { initializing_client()->pc()->RegisterUMAObserver(init_observer); LocalP2PTest(); - EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::GetSslCipherSuiteName( + EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName( rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)), initializing_client()->GetDtlsCipherStats(), @@ -1432,12 +1432,12 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Recv) { rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT))); - EXPECT_EQ_WAIT(kDefaultSrtpCipher, + EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite), initializing_client()->GetSrtpCipherStats(), kMaxWaitForStatsMs); - EXPECT_EQ(1, init_observer->GetEnumCounter( - webrtc::kEnumCounterAudioSrtpCipher, - rtc::GetSrtpCryptoSuiteFromName(kDefaultSrtpCipher))); + EXPECT_EQ(1, + init_observer->GetEnumCounter(webrtc::kEnumCounterAudioSrtpCipher, + kDefaultSrtpCryptoSuite)); } // This test sets up a call between two parties with audio, video and data. diff --git a/talk/app/webrtc/statscollector.cc b/talk/app/webrtc/statscollector.cc index 347a84640c..28686965e6 100644 --- a/talk/app/webrtc/statscollector.cc +++ b/talk/app/webrtc/statscollector.cc @@ -730,17 +730,20 @@ void StatsCollector::ExtractSessionInfo() { channel_report->AddId(StatsReport::kStatsValueNameRemoteCertificateId, remote_cert_report_id); } - const std::string& srtp_cipher = channel_iter.srtp_cipher; - if (!srtp_cipher.empty()) { - channel_report->AddString(StatsReport::kStatsValueNameSrtpCipher, - srtp_cipher); + int srtp_crypto_suite = channel_iter.srtp_crypto_suite; + if (srtp_crypto_suite != rtc::SRTP_INVALID_CRYPTO_SUITE && + rtc::SrtpCryptoSuiteToName(srtp_crypto_suite).length()) { + channel_report->AddString( + StatsReport::kStatsValueNameSrtpCipher, + rtc::SrtpCryptoSuiteToName(srtp_crypto_suite)); } - int ssl_cipher = channel_iter.ssl_cipher; - if (ssl_cipher && - rtc::SSLStreamAdapter::GetSslCipherSuiteName(ssl_cipher).length()) { + int ssl_cipher_suite = channel_iter.ssl_cipher_suite; + if (ssl_cipher_suite != rtc::TLS_NULL_WITH_NULL_NULL && + rtc::SSLStreamAdapter::SslCipherSuiteToName(ssl_cipher_suite) + .length()) { channel_report->AddString( StatsReport::kStatsValueNameDtlsCipher, - rtc::SSLStreamAdapter::GetSslCipherSuiteName(ssl_cipher)); + rtc::SSLStreamAdapter::SslCipherSuiteToName(ssl_cipher_suite)); } int connection_id = 0; diff --git a/talk/app/webrtc/statscollector_unittest.cc b/talk/app/webrtc/statscollector_unittest.cc index 9121c691b1..eb2e3f3c41 100644 --- a/talk/app/webrtc/statscollector_unittest.cc +++ b/talk/app/webrtc/statscollector_unittest.cc @@ -683,8 +683,8 @@ class StatsCollectorTest : public testing::Test { // Fake stats to process. cricket::TransportChannelStats channel_stats; channel_stats.component = 1; - channel_stats.srtp_cipher = "the-srtp-cipher"; - channel_stats.ssl_cipher = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; + channel_stats.srtp_crypto_suite = rtc::SRTP_AES128_CM_SHA1_80; + channel_stats.ssl_cipher_suite = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; cricket::TransportStats transport_stats; transport_stats.transport_name = "audio"; @@ -747,18 +747,17 @@ class StatsCollectorTest : public testing::Test { } // Check negotiated ciphers. - std::string dtls_cipher = ExtractStatsValue( - StatsReport::kStatsReportTypeComponent, - reports, - StatsReport::kStatsValueNameDtlsCipher); - EXPECT_EQ(rtc::SSLStreamAdapter::GetSslCipherSuiteName( + std::string dtls_cipher_suite = + ExtractStatsValue(StatsReport::kStatsReportTypeComponent, reports, + StatsReport::kStatsValueNameDtlsCipher); + EXPECT_EQ(rtc::SSLStreamAdapter::SslCipherSuiteToName( TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), - dtls_cipher); - std::string srtp_cipher = ExtractStatsValue( - StatsReport::kStatsReportTypeComponent, - reports, - StatsReport::kStatsValueNameSrtpCipher); - EXPECT_EQ("the-srtp-cipher", srtp_cipher); + dtls_cipher_suite); + std::string srtp_crypto_suite = + ExtractStatsValue(StatsReport::kStatsReportTypeComponent, reports, + StatsReport::kStatsValueNameSrtpCipher); + EXPECT_EQ(rtc::SrtpCryptoSuiteToName(rtc::SRTP_AES128_CM_SHA1_80), + srtp_crypto_suite); } cricket::FakeMediaEngine* media_engine_; @@ -1407,16 +1406,14 @@ TEST_F(StatsCollectorTest, NoTransport) { ASSERT_EQ(kNotFound, remote_certificate_id); // Check that the negotiated ciphers are absent. - std::string dtls_cipher = ExtractStatsValue( - StatsReport::kStatsReportTypeComponent, - reports, - StatsReport::kStatsValueNameDtlsCipher); - ASSERT_EQ(kNotFound, dtls_cipher); - std::string srtp_cipher = ExtractStatsValue( - StatsReport::kStatsReportTypeComponent, - reports, - StatsReport::kStatsValueNameSrtpCipher); - ASSERT_EQ(kNotFound, srtp_cipher); + std::string dtls_cipher_suite = + ExtractStatsValue(StatsReport::kStatsReportTypeComponent, reports, + StatsReport::kStatsValueNameDtlsCipher); + ASSERT_EQ(kNotFound, dtls_cipher_suite); + std::string srtp_crypto_suite = + ExtractStatsValue(StatsReport::kStatsReportTypeComponent, reports, + StatsReport::kStatsValueNameSrtpCipher); + ASSERT_EQ(kNotFound, srtp_crypto_suite); } // This test verifies that the stats are generated correctly when the transport diff --git a/talk/app/webrtc/webrtcsession.cc b/talk/app/webrtc/webrtcsession.cc index 1fc2a37902..ada35c5e4d 100644 --- a/talk/app/webrtc/webrtcsession.cc +++ b/talk/app/webrtc/webrtcsession.cc @@ -2157,9 +2157,10 @@ void WebRtcSession::ReportNegotiatedCiphers( return; } - const std::string& srtp_cipher = stats.channel_stats[0].srtp_cipher; - int ssl_cipher = stats.channel_stats[0].ssl_cipher; - if (srtp_cipher.empty() && !ssl_cipher) { + int srtp_crypto_suite = stats.channel_stats[0].srtp_crypto_suite; + int ssl_cipher_suite = stats.channel_stats[0].ssl_cipher_suite; + if (srtp_crypto_suite == rtc::SRTP_INVALID_CRYPTO_SUITE && + ssl_cipher_suite == rtc::TLS_NULL_WITH_NULL_NULL) { return; } @@ -2179,12 +2180,13 @@ void WebRtcSession::ReportNegotiatedCiphers( return; } - if (!srtp_cipher.empty()) { - metrics_observer_->IncrementSparseEnumCounter( - srtp_counter_type, rtc::GetSrtpCryptoSuiteFromName(srtp_cipher)); + if (srtp_crypto_suite != rtc::SRTP_INVALID_CRYPTO_SUITE) { + metrics_observer_->IncrementSparseEnumCounter(srtp_counter_type, + srtp_crypto_suite); } - if (ssl_cipher) { - metrics_observer_->IncrementSparseEnumCounter(ssl_counter_type, ssl_cipher); + if (ssl_cipher_suite != rtc::TLS_NULL_WITH_NULL_NULL) { + metrics_observer_->IncrementSparseEnumCounter(ssl_counter_type, + ssl_cipher_suite); } } diff --git a/talk/media/base/cryptoparams.h b/talk/media/base/cryptoparams.h index 9dd1db5166..589953db3e 100644 --- a/talk/media/base/cryptoparams.h +++ b/talk/media/base/cryptoparams.h @@ -35,8 +35,10 @@ namespace cricket { // Parameters for SRTP negotiation, as described in RFC 4568. struct CryptoParams { CryptoParams() : tag(0) {} - CryptoParams(int t, const std::string& cs, - const std::string& kp, const std::string& sp) + CryptoParams(int t, + const std::string& cs, + const std::string& kp, + const std::string& sp) : tag(t), cipher_suite(cs), key_params(kp), session_params(sp) {} bool Matches(const CryptoParams& params) const { diff --git a/talk/session/media/channel.cc b/talk/session/media/channel.cc index 8d3efec4fa..ef26704f1a 100644 --- a/talk/session/media/channel.cc +++ b/talk/session/media/channel.cc @@ -218,11 +218,11 @@ bool BaseChannel::Init() { return false; } - if (!SetDtlsSrtpCiphers(transport_channel(), false)) { + if (!SetDtlsSrtpCryptoSuites(transport_channel(), false)) { return false; } if (rtcp_transport_enabled() && - !SetDtlsSrtpCiphers(rtcp_transport_channel(), true)) { + !SetDtlsSrtpCryptoSuites(rtcp_transport_channel(), true)) { return false; } @@ -809,16 +809,16 @@ void BaseChannel::SignalDtlsSetupFailure_s(bool rtcp) { SignalDtlsSetupFailure(this, rtcp); } -bool BaseChannel::SetDtlsSrtpCiphers(TransportChannel *tc, bool rtcp) { - std::vector ciphers; - // We always use the default SRTP ciphers for RTCP, but we may use different - // ciphers for RTP depending on the media type. +bool BaseChannel::SetDtlsSrtpCryptoSuites(TransportChannel* tc, bool rtcp) { + std::vector crypto_suites; + // We always use the default SRTP crypto suites for RTCP, but we may use + // different crypto suites for RTP depending on the media type. if (!rtcp) { - GetSrtpCryptoSuiteNames(&ciphers); + GetSrtpCryptoSuites(&crypto_suites); } else { - GetDefaultSrtpCryptoSuiteNames(&ciphers); + GetDefaultSrtpCryptoSuites(&crypto_suites); } - return tc->SetSrtpCiphers(ciphers); + return tc->SetSrtpCryptoSuites(crypto_suites); } bool BaseChannel::ShouldSetupDtlsSrtp() const { @@ -837,10 +837,10 @@ bool BaseChannel::SetupDtlsSrtp(bool rtcp_channel) { if (!channel->IsDtlsActive()) return true; - std::string selected_cipher; + int selected_crypto_suite; - if (!channel->GetSrtpCryptoSuite(&selected_cipher)) { - LOG(LS_ERROR) << "No DTLS-SRTP selected cipher"; + if (!channel->GetSrtpCryptoSuite(&selected_crypto_suite)) { + LOG(LS_ERROR) << "No DTLS-SRTP selected crypto suite"; return false; } @@ -896,21 +896,15 @@ bool BaseChannel::SetupDtlsSrtp(bool rtcp_channel) { } if (rtcp_channel) { - ret = srtp_filter_.SetRtcpParams( - selected_cipher, - &(*send_key)[0], - static_cast(send_key->size()), - selected_cipher, - &(*recv_key)[0], - static_cast(recv_key->size())); + ret = srtp_filter_.SetRtcpParams(selected_crypto_suite, &(*send_key)[0], + static_cast(send_key->size()), + selected_crypto_suite, &(*recv_key)[0], + static_cast(recv_key->size())); } else { - ret = srtp_filter_.SetRtpParams( - selected_cipher, - &(*send_key)[0], - static_cast(send_key->size()), - selected_cipher, - &(*recv_key)[0], - static_cast(recv_key->size())); + ret = srtp_filter_.SetRtpParams(selected_crypto_suite, &(*send_key)[0], + static_cast(send_key->size()), + selected_crypto_suite, &(*recv_key)[0], + static_cast(recv_key->size())); } if (!ret) @@ -1580,9 +1574,8 @@ void VoiceChannel::OnAudioMonitorUpdate(AudioMonitor* monitor, SignalAudioMonitor(this, info); } -void VoiceChannel::GetSrtpCryptoSuiteNames( - std::vector* ciphers) const { - GetSupportedAudioCryptoSuites(ciphers); +void VoiceChannel::GetSrtpCryptoSuites(std::vector* crypto_suites) const { + GetSupportedAudioCryptoSuites(crypto_suites); } VideoChannel::VideoChannel(rtc::Thread* thread, @@ -1970,9 +1963,8 @@ bool VideoChannel::GetLocalSsrc(const VideoCapturer* capturer, uint32_t* ssrc) { return false; } -void VideoChannel::GetSrtpCryptoSuiteNames( - std::vector* ciphers) const { - GetSupportedVideoCryptoSuites(ciphers); +void VideoChannel::GetSrtpCryptoSuites(std::vector* crypto_suites) const { + GetSupportedVideoCryptoSuites(crypto_suites); } DataChannel::DataChannel(rtc::Thread* thread, @@ -2278,9 +2270,8 @@ void DataChannel::OnDataChannelReadyToSend(bool writable) { new DataChannelReadyToSendMessageData(writable)); } -void DataChannel::GetSrtpCryptoSuiteNames( - std::vector* ciphers) const { - GetSupportedDataCryptoSuites(ciphers); +void DataChannel::GetSrtpCryptoSuites(std::vector* crypto_suites) const { + GetSupportedDataCryptoSuites(crypto_suites); } bool DataChannel::ShouldSetupDtlsSrtp() const { diff --git a/talk/session/media/channel.h b/talk/session/media/channel.h index 603115cee7..9342d31a25 100644 --- a/talk/session/media/channel.h +++ b/talk/session/media/channel.h @@ -236,7 +236,7 @@ class BaseChannel // |rtcp_channel| indicates whether to set up the RTP or RTCP filter. bool SetupDtlsSrtp(bool rtcp_channel); // Set the DTLS-SRTP cipher policy on this channel as appropriate. - bool SetDtlsSrtpCiphers(TransportChannel *tc, bool rtcp); + bool SetDtlsSrtpCryptoSuites(TransportChannel* tc, bool rtcp); virtual void ChangeState() = 0; @@ -282,9 +282,8 @@ class BaseChannel void OnMessage(rtc::Message* pmsg) override; // Handled in derived classes - // Get the SRTP ciphers to use for RTP media - virtual void GetSrtpCryptoSuiteNames( - std::vector* ciphers) const = 0; + // Get the SRTP crypto suites to use for RTP media + virtual void GetSrtpCryptoSuites(std::vector* crypto_suites) const = 0; virtual void OnConnectionMonitorUpdate(ConnectionMonitor* monitor, const std::vector& infos) = 0; @@ -407,7 +406,7 @@ class VoiceChannel : public BaseChannel { bool GetStats_w(VoiceMediaInfo* stats); virtual void OnMessage(rtc::Message* pmsg); - virtual void GetSrtpCryptoSuiteNames(std::vector* ciphers) const; + virtual void GetSrtpCryptoSuites(std::vector* crypto_suites) const; virtual void OnConnectionMonitorUpdate( ConnectionMonitor* monitor, const std::vector& infos); virtual void OnMediaMonitorUpdate( @@ -497,7 +496,7 @@ class VideoChannel : public BaseChannel { bool GetStats_w(VideoMediaInfo* stats); virtual void OnMessage(rtc::Message* pmsg); - virtual void GetSrtpCryptoSuiteNames(std::vector* ciphers) const; + virtual void GetSrtpCryptoSuites(std::vector* crypto_suites) const; virtual void OnConnectionMonitorUpdate( ConnectionMonitor* monitor, const std::vector& infos); virtual void OnMediaMonitorUpdate( @@ -614,7 +613,7 @@ class DataChannel : public BaseChannel { virtual bool WantsPacket(bool rtcp, rtc::Buffer* packet); virtual void OnMessage(rtc::Message* pmsg); - virtual void GetSrtpCryptoSuiteNames(std::vector* ciphers) const; + virtual void GetSrtpCryptoSuites(std::vector* crypto_suites) const; virtual void OnConnectionMonitorUpdate( ConnectionMonitor* monitor, const std::vector& infos); virtual void OnMediaMonitorUpdate( diff --git a/talk/session/media/mediasession.cc b/talk/session/media/mediasession.cc index 7413026092..ed626e2f34 100644 --- a/talk/session/media/mediasession.cc +++ b/talk/session/media/mediasession.cc @@ -50,6 +50,17 @@ static const uint32_t kMaxSctpSid = 1023; namespace { const char kInline[] = "inline:"; + +void GetSupportedCryptoSuiteNames(void (*func)(std::vector*), + std::vector* names) { +#ifdef HAVE_SRTP + std::vector crypto_suites; + func(&crypto_suites); + for (const auto crypto : crypto_suites) { + names->push_back(rtc::SrtpCryptoSuiteToName(crypto)); + } +#endif +} } namespace cricket { @@ -152,30 +163,50 @@ bool FindMatchingCrypto(const CryptoParamsVec& cryptos, } // For audio, HMAC 32 is prefered because of the low overhead. -void GetSupportedAudioCryptoSuites( - std::vector* crypto_suites) { +void GetSupportedAudioCryptoSuites(std::vector* crypto_suites) { #ifdef HAVE_SRTP - crypto_suites->push_back(rtc::CS_AES_CM_128_HMAC_SHA1_32); - crypto_suites->push_back(rtc::CS_AES_CM_128_HMAC_SHA1_80); + crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32); + crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_80); #endif } -void GetSupportedVideoCryptoSuites( - std::vector* crypto_suites) { - GetDefaultSrtpCryptoSuiteNames(crypto_suites); +void GetSupportedAudioCryptoSuiteNames( + std::vector* crypto_suite_names) { + GetSupportedCryptoSuiteNames(GetSupportedAudioCryptoSuites, + crypto_suite_names); } -void GetSupportedDataCryptoSuites( - std::vector* crypto_suites) { - GetDefaultSrtpCryptoSuiteNames(crypto_suites); +void GetSupportedVideoCryptoSuites(std::vector* crypto_suites) { + GetDefaultSrtpCryptoSuites(crypto_suites); } -void GetDefaultSrtpCryptoSuiteNames(std::vector* crypto_suites) { +void GetSupportedVideoCryptoSuiteNames( + std::vector* crypto_suite_names) { + GetSupportedCryptoSuiteNames(GetSupportedVideoCryptoSuites, + crypto_suite_names); +} + +void GetSupportedDataCryptoSuites(std::vector* crypto_suites) { + GetDefaultSrtpCryptoSuites(crypto_suites); +} + +void GetSupportedDataCryptoSuiteNames( + std::vector* crypto_suite_names) { + GetSupportedCryptoSuiteNames(GetSupportedDataCryptoSuites, + crypto_suite_names); +} + +void GetDefaultSrtpCryptoSuites(std::vector* crypto_suites) { #ifdef HAVE_SRTP - crypto_suites->push_back(rtc::CS_AES_CM_128_HMAC_SHA1_80); + crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_80); #endif } +void GetDefaultSrtpCryptoSuiteNames( + std::vector* crypto_suite_names) { + GetSupportedCryptoSuiteNames(GetDefaultSrtpCryptoSuites, crypto_suite_names); +} + // For video support only 80-bit SHA1 HMAC. For audio 32-bit HMAC is // tolerated unless bundle is enabled because it is low overhead. Pick the // crypto in the list that is supported. @@ -1514,7 +1545,7 @@ bool MediaSessionDescriptionFactory::AddAudioContentForOffer( scoped_ptr audio(new AudioContentDescription()); std::vector crypto_suites; - GetSupportedAudioCryptoSuites(&crypto_suites); + GetSupportedAudioCryptoSuiteNames(&crypto_suites); if (!CreateMediaContentOffer( options, audio_codecs, @@ -1568,7 +1599,7 @@ bool MediaSessionDescriptionFactory::AddVideoContentForOffer( scoped_ptr video(new VideoContentDescription()); std::vector crypto_suites; - GetSupportedVideoCryptoSuites(&crypto_suites); + GetSupportedVideoCryptoSuiteNames(&crypto_suites); if (!CreateMediaContentOffer( options, video_codecs, @@ -1638,7 +1669,7 @@ bool MediaSessionDescriptionFactory::AddDataContentForOffer( data->set_protocol( secure_transport ? kMediaProtocolDtlsSctp : kMediaProtocolSctp); } else { - GetSupportedDataCryptoSuites(&crypto_suites); + GetSupportedDataCryptoSuiteNames(&crypto_suites); } if (!CreateMediaContentOffer( diff --git a/talk/session/media/mediasession.h b/talk/session/media/mediasession.h index e92628e711..25ea017c7c 100644 --- a/talk/session/media/mediasession.h +++ b/talk/session/media/mediasession.h @@ -547,10 +547,19 @@ const VideoContentDescription* GetFirstVideoContentDescription( const DataContentDescription* GetFirstDataContentDescription( const SessionDescription* sdesc); -void GetSupportedAudioCryptoSuites(std::vector* crypto_suites); -void GetSupportedVideoCryptoSuites(std::vector* crypto_suites); -void GetSupportedDataCryptoSuites(std::vector* crypto_suites); -void GetDefaultSrtpCryptoSuiteNames(std::vector* crypto_suites); +void GetSupportedAudioCryptoSuites(std::vector* crypto_suites); +void GetSupportedVideoCryptoSuites(std::vector* crypto_suites); +void GetSupportedDataCryptoSuites(std::vector* crypto_suites); +void GetDefaultSrtpCryptoSuites(std::vector* crypto_suites); +void GetSupportedAudioCryptoSuiteNames( + std::vector* crypto_suite_names); +void GetSupportedVideoCryptoSuiteNames( + std::vector* crypto_suite_names); +void GetSupportedDataCryptoSuiteNames( + std::vector* crypto_suite_names); +void GetDefaultSrtpCryptoSuiteNames( + std::vector* crypto_suite_names); + } // namespace cricket #endif // TALK_SESSION_MEDIA_MEDIASESSION_H_ diff --git a/talk/session/media/srtpfilter.cc b/talk/session/media/srtpfilter.cc index 079ddfb57e..4a54740cef 100644 --- a/talk/session/media/srtpfilter.cc +++ b/talk/session/media/srtpfilter.cc @@ -146,10 +146,10 @@ bool SrtpFilter::SetProvisionalAnswer( return DoSetAnswer(answer_params, source, false); } -bool SrtpFilter::SetRtpParams(const std::string& send_cs, +bool SrtpFilter::SetRtpParams(int send_cs, const uint8_t* send_key, int send_key_len, - const std::string& recv_cs, + int recv_cs, const uint8_t* recv_key, int recv_key_len) { if (IsActive()) { @@ -179,10 +179,10 @@ bool SrtpFilter::SetRtpParams(const std::string& send_cs, // SrtpSession. // - In the muxed case, they are keyed with the same keys, so // this function is not needed -bool SrtpFilter::SetRtcpParams(const std::string& send_cs, +bool SrtpFilter::SetRtcpParams(int send_cs, const uint8_t* send_key, int send_key_len, - const std::string& recv_cs, + int recv_cs, const uint8_t* recv_key, int recv_key_len) { // This can only be called once, but can be safely called after @@ -428,10 +428,12 @@ bool SrtpFilter::ApplyParams(const CryptoParams& send_params, ParseKeyParams(recv_params.key_params, recv_key, sizeof(recv_key))); if (ret) { CreateSrtpSessions(); - ret = (send_session_->SetSend(send_params.cipher_suite, - send_key, sizeof(send_key)) && - recv_session_->SetRecv(recv_params.cipher_suite, - recv_key, sizeof(recv_key))); + ret = (send_session_->SetSend( + rtc::SrtpCryptoSuiteFromName(send_params.cipher_suite), send_key, + sizeof(send_key)) && + recv_session_->SetRecv( + rtc::SrtpCryptoSuiteFromName(recv_params.cipher_suite), recv_key, + sizeof(recv_key))); } if (ret) { LOG(LS_INFO) << "SRTP activated with negotiated parameters:" @@ -507,11 +509,11 @@ SrtpSession::~SrtpSession() { } } -bool SrtpSession::SetSend(const std::string& cs, const uint8_t* key, int len) { +bool SrtpSession::SetSend(int cs, const uint8_t* key, int len) { return SetKey(ssrc_any_outbound, cs, key, len); } -bool SrtpSession::SetRecv(const std::string& cs, const uint8_t* key, int len) { +bool SrtpSession::SetRecv(int cs, const uint8_t* key, int len) { return SetKey(ssrc_any_inbound, cs, key, len); } @@ -658,10 +660,7 @@ void SrtpSession::set_signal_silent_time(uint32_t signal_silent_time_in_ms) { srtp_stat_->set_signal_silent_time(signal_silent_time_in_ms); } -bool SrtpSession::SetKey(int type, - const std::string& cs, - const uint8_t* key, - int len) { +bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, int len) { if (session_) { LOG(LS_ERROR) << "Failed to create SRTP session: " << "SRTP session already created"; @@ -675,15 +674,15 @@ bool SrtpSession::SetKey(int type, srtp_policy_t policy; memset(&policy, 0, sizeof(policy)); - if (cs == rtc::CS_AES_CM_128_HMAC_SHA1_80) { + if (cs == rtc::SRTP_AES128_CM_SHA1_80) { crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp); crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp); - } else if (cs == rtc::CS_AES_CM_128_HMAC_SHA1_32) { + } else if (cs == rtc::SRTP_AES128_CM_SHA1_32) { crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtp); // rtp is 32, crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp); // rtcp still 80 } else { LOG(LS_WARNING) << "Failed to create SRTP session: unsupported" - << " cipher_suite " << cs.c_str(); + << " cipher_suite " << cs; return false; } diff --git a/talk/session/media/srtpfilter.h b/talk/session/media/srtpfilter.h index 3c3a8e848b..d30cee69c3 100644 --- a/talk/session/media/srtpfilter.h +++ b/talk/session/media/srtpfilter.h @@ -104,16 +104,16 @@ class SrtpFilter { // Just set up both sets of keys directly. // Used with DTLS-SRTP. - bool SetRtpParams(const std::string& send_cs, + bool SetRtpParams(int send_cs, const uint8_t* send_key, int send_key_len, - const std::string& recv_cs, + int recv_cs, const uint8_t* recv_key, int recv_key_len); - bool SetRtcpParams(const std::string& send_cs, + bool SetRtcpParams(int send_cs, const uint8_t* send_key, int send_key_len, - const std::string& recv_cs, + int recv_cs, const uint8_t* recv_key, int recv_key_len); @@ -199,10 +199,10 @@ class SrtpSession { // Configures the session for sending data using the specified // cipher-suite and key. Receiving must be done by a separate session. - bool SetSend(const std::string& cs, const uint8_t* key, int len); + bool SetSend(int cs, const uint8_t* key, int len); // Configures the session for receiving data using the specified // cipher-suite and key. Sending must be done by a separate session. - bool SetRecv(const std::string& cs, const uint8_t* key, int len); + bool SetRecv(int cs, const uint8_t* key, int len); // Encrypts/signs an individual RTP/RTCP packet, in-place. // If an HMAC is used, this will increase the packet size. @@ -232,7 +232,7 @@ class SrtpSession { SignalSrtpError; private: - bool SetKey(int type, const std::string& cs, const uint8_t* key, int len); + bool SetKey(int type, int cs, const uint8_t* key, int len); // Returns send stream current packet index from srtp db. bool GetSendStreamPacketIndex(void* data, int in_len, int64_t* index); diff --git a/talk/session/media/srtpfilter_unittest.cc b/talk/session/media/srtpfilter_unittest.cc index 8122455205..11874380e2 100644 --- a/talk/session/media/srtpfilter_unittest.cc +++ b/talk/session/media/srtpfilter_unittest.cc @@ -508,21 +508,17 @@ TEST_F(SrtpFilterTest, TestDisableEncryption) { // Test directly setting the params with AES_CM_128_HMAC_SHA1_80 TEST_F(SrtpFilterTest, TestProtect_SetParamsDirect_AES_CM_128_HMAC_SHA1_80) { - EXPECT_TRUE(f1_.SetRtpParams(CS_AES_CM_128_HMAC_SHA1_80, - kTestKey1, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_80, + EXPECT_TRUE(f1_.SetRtpParams(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_80, kTestKey2, kTestKeyLen)); - EXPECT_TRUE(f2_.SetRtpParams(CS_AES_CM_128_HMAC_SHA1_80, - kTestKey2, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_80, + EXPECT_TRUE(f2_.SetRtpParams(rtc::SRTP_AES128_CM_SHA1_80, kTestKey2, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(f1_.SetRtcpParams(CS_AES_CM_128_HMAC_SHA1_80, - kTestKey1, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_80, + EXPECT_TRUE(f1_.SetRtcpParams(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_80, kTestKey2, kTestKeyLen)); - EXPECT_TRUE(f2_.SetRtcpParams(CS_AES_CM_128_HMAC_SHA1_80, - kTestKey2, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_80, + EXPECT_TRUE(f2_.SetRtcpParams(rtc::SRTP_AES128_CM_SHA1_80, kTestKey2, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); EXPECT_TRUE(f1_.IsActive()); EXPECT_TRUE(f2_.IsActive()); @@ -531,21 +527,17 @@ TEST_F(SrtpFilterTest, TestProtect_SetParamsDirect_AES_CM_128_HMAC_SHA1_80) { // Test directly setting the params with AES_CM_128_HMAC_SHA1_32 TEST_F(SrtpFilterTest, TestProtect_SetParamsDirect_AES_CM_128_HMAC_SHA1_32) { - EXPECT_TRUE(f1_.SetRtpParams(CS_AES_CM_128_HMAC_SHA1_32, - kTestKey1, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_32, + EXPECT_TRUE(f1_.SetRtpParams(rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_32, kTestKey2, kTestKeyLen)); - EXPECT_TRUE(f2_.SetRtpParams(CS_AES_CM_128_HMAC_SHA1_32, - kTestKey2, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_32, + EXPECT_TRUE(f2_.SetRtpParams(rtc::SRTP_AES128_CM_SHA1_32, kTestKey2, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(f1_.SetRtcpParams(CS_AES_CM_128_HMAC_SHA1_32, - kTestKey1, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_32, + EXPECT_TRUE(f1_.SetRtcpParams(rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_32, kTestKey2, kTestKeyLen)); - EXPECT_TRUE(f2_.SetRtcpParams(CS_AES_CM_128_HMAC_SHA1_32, - kTestKey2, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_32, + EXPECT_TRUE(f2_.SetRtcpParams(rtc::SRTP_AES128_CM_SHA1_32, kTestKey2, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, kTestKeyLen)); EXPECT_TRUE(f1_.IsActive()); EXPECT_TRUE(f2_.IsActive()); @@ -554,25 +546,21 @@ TEST_F(SrtpFilterTest, TestProtect_SetParamsDirect_AES_CM_128_HMAC_SHA1_32) { // Test directly setting the params with bogus keys TEST_F(SrtpFilterTest, TestSetParamsKeyTooShort) { - EXPECT_FALSE(f1_.SetRtpParams(CS_AES_CM_128_HMAC_SHA1_80, - kTestKey1, kTestKeyLen - 1, - CS_AES_CM_128_HMAC_SHA1_80, + EXPECT_FALSE(f1_.SetRtpParams(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, + kTestKeyLen - 1, rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen - 1)); - EXPECT_FALSE(f1_.SetRtcpParams(CS_AES_CM_128_HMAC_SHA1_80, - kTestKey1, kTestKeyLen - 1, - CS_AES_CM_128_HMAC_SHA1_80, + EXPECT_FALSE(f1_.SetRtcpParams(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, + kTestKeyLen - 1, rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen - 1)); } #if defined(ENABLE_EXTERNAL_AUTH) TEST_F(SrtpFilterTest, TestGetSendAuthParams) { - EXPECT_TRUE(f1_.SetRtpParams(CS_AES_CM_128_HMAC_SHA1_32, - kTestKey1, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_32, + EXPECT_TRUE(f1_.SetRtpParams(rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_32, kTestKey2, kTestKeyLen)); - EXPECT_TRUE(f1_.SetRtcpParams(CS_AES_CM_128_HMAC_SHA1_32, - kTestKey1, kTestKeyLen, - CS_AES_CM_128_HMAC_SHA1_32, + EXPECT_TRUE(f1_.SetRtcpParams(rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, + kTestKeyLen, rtc::SRTP_AES128_CM_SHA1_32, kTestKey2, kTestKeyLen)); uint8_t* auth_key = NULL; int auth_key_len = 0, auth_tag_len = 0; @@ -629,28 +617,30 @@ class SrtpSessionTest : public testing::Test { // Test that we can set up the session and keys properly. TEST_F(SrtpSessionTest, TestGoodSetup) { - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); } // Test that we can't change the keys once set. TEST_F(SrtpSessionTest, TestBadSetup) { - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); - EXPECT_FALSE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey2, kTestKeyLen)); - EXPECT_FALSE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_80, kTestKey2, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_FALSE( + s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey2, kTestKeyLen)); + EXPECT_FALSE( + s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_80, kTestKey2, kTestKeyLen)); } // Test that we fail keys of the wrong length. TEST_F(SrtpSessionTest, TestKeysTooShort) { - EXPECT_FALSE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, 1)); - EXPECT_FALSE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, 1)); + EXPECT_FALSE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, 1)); + EXPECT_FALSE(s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, 1)); } // Test that we can encrypt and decrypt RTP/RTCP using AES_CM_128_HMAC_SHA1_80. TEST_F(SrtpSessionTest, TestProtect_AES_CM_128_HMAC_SHA1_80) { - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); TestProtectRtp(CS_AES_CM_128_HMAC_SHA1_80); TestProtectRtcp(CS_AES_CM_128_HMAC_SHA1_80); TestUnprotectRtp(CS_AES_CM_128_HMAC_SHA1_80); @@ -659,8 +649,8 @@ TEST_F(SrtpSessionTest, TestProtect_AES_CM_128_HMAC_SHA1_80) { // Test that we can encrypt and decrypt RTP/RTCP using AES_CM_128_HMAC_SHA1_32. TEST_F(SrtpSessionTest, TestProtect_AES_CM_128_HMAC_SHA1_32) { - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_32, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_32, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, kTestKeyLen)); TestProtectRtp(CS_AES_CM_128_HMAC_SHA1_32); TestProtectRtcp(CS_AES_CM_128_HMAC_SHA1_32); TestUnprotectRtp(CS_AES_CM_128_HMAC_SHA1_32); @@ -668,7 +658,7 @@ TEST_F(SrtpSessionTest, TestProtect_AES_CM_128_HMAC_SHA1_32) { } TEST_F(SrtpSessionTest, TestGetSendStreamPacketIndex) { - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_32, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_32, kTestKey1, kTestKeyLen)); int64_t index; int out_len = 0; EXPECT_TRUE(s1_.ProtectRtp(rtp_packet_, rtp_len_, @@ -681,8 +671,8 @@ TEST_F(SrtpSessionTest, TestGetSendStreamPacketIndex) { // Test that we fail to unprotect if someone tampers with the RTP/RTCP paylaods. TEST_F(SrtpSessionTest, TestTamperReject) { int out_len; - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); TestProtectRtp(CS_AES_CM_128_HMAC_SHA1_80); TestProtectRtcp(CS_AES_CM_128_HMAC_SHA1_80); rtp_packet_[0] = 0x12; @@ -694,8 +684,8 @@ TEST_F(SrtpSessionTest, TestTamperReject) { // Test that we fail to unprotect if the payloads are not authenticated. TEST_F(SrtpSessionTest, TestUnencryptReject) { int out_len; - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); EXPECT_FALSE(s2_.UnprotectRtp(rtp_packet_, rtp_len_, &out_len)); EXPECT_FALSE(s2_.UnprotectRtcp(rtcp_packet_, rtcp_len_, &out_len)); } @@ -703,7 +693,7 @@ TEST_F(SrtpSessionTest, TestUnencryptReject) { // Test that we fail when using buffers that are too small. TEST_F(SrtpSessionTest, TestBuffersTooSmall) { int out_len; - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); EXPECT_FALSE(s1_.ProtectRtp(rtp_packet_, rtp_len_, sizeof(rtp_packet_) - 10, &out_len)); EXPECT_FALSE(s1_.ProtectRtcp(rtcp_packet_, rtcp_len_, @@ -717,8 +707,8 @@ TEST_F(SrtpSessionTest, TestReplay) { static const uint16_t replay_window = 1024; int out_len; - EXPECT_TRUE(s1_.SetSend(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); - EXPECT_TRUE(s2_.SetRecv(CS_AES_CM_128_HMAC_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s1_.SetSend(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); + EXPECT_TRUE(s2_.SetRecv(rtc::SRTP_AES128_CM_SHA1_80, kTestKey1, kTestKeyLen)); // Initial sequence number. rtc::SetBE16(reinterpret_cast(rtp_packet_) + 2, seqnum_big); diff --git a/webrtc/base/opensslstreamadapter.cc b/webrtc/base/opensslstreamadapter.cc index 346b44289d..abbb7158e1 100644 --- a/webrtc/base/opensslstreamadapter.cc +++ b/webrtc/base/opensslstreamadapter.cc @@ -43,17 +43,19 @@ namespace rtc { #endif #ifdef HAVE_DTLS_SRTP -// SRTP cipher suite table +// SRTP cipher suite table. |internal_name| is used to construct a +// colon-separated profile strings which is needed by +// SSL_CTX_set_tlsext_use_srtp(). struct SrtpCipherMapEntry { - const char* external_name; const char* internal_name; + const int id; }; // This isn't elegant, but it's better than an external reference static SrtpCipherMapEntry SrtpCipherMap[] = { - {CS_AES_CM_128_HMAC_SHA1_80, "SRTP_AES128_CM_SHA1_80"}, - {CS_AES_CM_128_HMAC_SHA1_32, "SRTP_AES128_CM_SHA1_32"}, - {NULL, NULL}}; + {"SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80}, + {"SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32}, + {nullptr, 0}}; #endif #ifndef OPENSSL_IS_BORINGSSL @@ -350,9 +352,9 @@ bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string return true; } -std::string OpenSSLStreamAdapter::GetSslCipherSuiteName(int cipher) { +std::string OpenSSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) { #ifdef OPENSSL_IS_BORINGSSL - const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher); + const SSL_CIPHER* ssl_cipher = SSL_get_cipher_by_value(cipher_suite); if (!ssl_cipher) { return std::string(); } @@ -363,7 +365,7 @@ std::string OpenSSLStreamAdapter::GetSslCipherSuiteName(int cipher) { #else for (const SslCipherMapEntry* entry = kSslCipherMap; entry->rfc_name; ++entry) { - if (cipher == entry->openssl_id) { + if (cipher_suite == entry->openssl_id) { return entry->rfc_name; } } @@ -371,7 +373,7 @@ std::string OpenSSLStreamAdapter::GetSslCipherSuiteName(int cipher) { #endif } -bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher) { +bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { if (state_ != SSL_CONNECTED) return false; @@ -380,7 +382,7 @@ bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher) { return false; } - *cipher = static_cast(SSL_CIPHER_get_id(current_cipher)); + *cipher_suite = static_cast(SSL_CIPHER_get_id(current_cipher)); return true; } @@ -407,20 +409,20 @@ bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label, #endif } -bool OpenSSLStreamAdapter::SetDtlsSrtpCiphers( - const std::vector& ciphers) { +bool OpenSSLStreamAdapter::SetDtlsSrtpCryptoSuites( + const std::vector& ciphers) { #ifdef HAVE_DTLS_SRTP std::string internal_ciphers; if (state_ != SSL_NONE) return false; - for (std::vector::const_iterator cipher = ciphers.begin(); + for (std::vector::const_iterator cipher = ciphers.begin(); cipher != ciphers.end(); ++cipher) { bool found = false; - for (SrtpCipherMapEntry *entry = SrtpCipherMap; entry->internal_name; + for (SrtpCipherMapEntry* entry = SrtpCipherMap; entry->internal_name; ++entry) { - if (*cipher == entry->external_name) { + if (*cipher == entry->id) { found = true; if (!internal_ciphers.empty()) internal_ciphers += ":"; @@ -445,7 +447,7 @@ bool OpenSSLStreamAdapter::SetDtlsSrtpCiphers( #endif } -bool OpenSSLStreamAdapter::GetDtlsSrtpCipher(std::string* cipher) { +bool OpenSSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) { #ifdef HAVE_DTLS_SRTP ASSERT(state_ == SSL_CONNECTED); if (state_ != SSL_CONNECTED) @@ -457,17 +459,9 @@ bool OpenSSLStreamAdapter::GetDtlsSrtpCipher(std::string* cipher) { if (!srtp_profile) return false; - for (SrtpCipherMapEntry *entry = SrtpCipherMap; - entry->internal_name; ++entry) { - if (!strcmp(entry->internal_name, srtp_profile->name)) { - *cipher = entry->external_name; - return true; - } - } - - ASSERT(false); // This should never happen - - return false; + *crypto_suite = srtp_profile->id; + ASSERT(!SrtpCryptoSuiteToName(*crypto_suite).empty()); + return true; #else return false; #endif diff --git a/webrtc/base/opensslstreamadapter.h b/webrtc/base/opensslstreamadapter.h index 0f3ded9cb4..e57b2a3293 100644 --- a/webrtc/base/opensslstreamadapter.h +++ b/webrtc/base/opensslstreamadapter.h @@ -88,7 +88,7 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter { StreamState GetState() const override; // TODO(guoweis): Move this away from a static class method. - static std::string GetSslCipherSuiteName(int cipher); + static std::string SslCipherSuiteToName(int crypto_suite); bool GetSslCipherSuite(int* cipher) override; @@ -101,8 +101,8 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter { size_t result_len) override; // DTLS-SRTP interface - bool SetDtlsSrtpCiphers(const std::vector& ciphers) override; - bool GetDtlsSrtpCipher(std::string* cipher) override; + bool SetDtlsSrtpCryptoSuites(const std::vector& crypto_suites) override; + bool GetDtlsSrtpCryptoSuite(int* crypto_suite) override; // Capabilities interfaces static bool HaveDtls(); diff --git a/webrtc/base/sslstreamadapter.cc b/webrtc/base/sslstreamadapter.cc index b9ba9d3f2a..a2cff3e448 100644 --- a/webrtc/base/sslstreamadapter.cc +++ b/webrtc/base/sslstreamadapter.cc @@ -30,12 +30,20 @@ namespace rtc { const char CS_AES_CM_128_HMAC_SHA1_80[] = "AES_CM_128_HMAC_SHA1_80"; const char CS_AES_CM_128_HMAC_SHA1_32[] = "AES_CM_128_HMAC_SHA1_32"; -int GetSrtpCryptoSuiteFromName(const std::string& cipher) { - if (cipher == CS_AES_CM_128_HMAC_SHA1_32) +std::string SrtpCryptoSuiteToName(int crypto_suite) { + if (crypto_suite == SRTP_AES128_CM_SHA1_32) + return CS_AES_CM_128_HMAC_SHA1_32; + if (crypto_suite == SRTP_AES128_CM_SHA1_80) + return CS_AES_CM_128_HMAC_SHA1_80; + return std::string(); +} + +int SrtpCryptoSuiteFromName(const std::string& crypto_suite) { + if (crypto_suite == CS_AES_CM_128_HMAC_SHA1_32) return SRTP_AES128_CM_SHA1_32; - if (cipher == CS_AES_CM_128_HMAC_SHA1_80) + if (crypto_suite == CS_AES_CM_128_HMAC_SHA1_80) return SRTP_AES128_CM_SHA1_80; - return 0; + return SRTP_INVALID_CRYPTO_SUITE; } SSLStreamAdapter* SSLStreamAdapter::Create(StreamInterface* stream) { @@ -46,7 +54,7 @@ SSLStreamAdapter* SSLStreamAdapter::Create(StreamInterface* stream) { #endif // SSL_USE_OPENSSL } -bool SSLStreamAdapter::GetSslCipherSuite(int* cipher) { +bool SSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { return false; } @@ -59,12 +67,12 @@ bool SSLStreamAdapter::ExportKeyingMaterial(const std::string& label, return false; // Default is unsupported } -bool SSLStreamAdapter::SetDtlsSrtpCiphers( - const std::vector& ciphers) { +bool SSLStreamAdapter::SetDtlsSrtpCryptoSuites( + const std::vector& crypto_suites) { return false; } -bool SSLStreamAdapter::GetDtlsSrtpCipher(std::string* cipher) { +bool SSLStreamAdapter::GetDtlsSrtpCryptoSuite(int* crypto_suite) { return false; } @@ -83,8 +91,8 @@ int SSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version, return OpenSSLStreamAdapter::GetDefaultSslCipherForTest(version, key_type); } -std::string SSLStreamAdapter::GetSslCipherSuiteName(int cipher) { - return OpenSSLStreamAdapter::GetSslCipherSuiteName(cipher); +std::string SSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) { + return OpenSSLStreamAdapter::SslCipherSuiteToName(cipher_suite); } #endif // SSL_USE_OPENSSL diff --git a/webrtc/base/sslstreamadapter.h b/webrtc/base/sslstreamadapter.h index 65a7729d16..c57056b14a 100644 --- a/webrtc/base/sslstreamadapter.h +++ b/webrtc/base/sslstreamadapter.h @@ -19,7 +19,11 @@ namespace rtc { +// Constants for SSL profile. +const int TLS_NULL_WITH_NULL_NULL = 0; + // Constants for SRTP profiles. +const int SRTP_INVALID_CRYPTO_SUITE = 0; const int SRTP_AES128_CM_SHA1_80 = 0x0001; const int SRTP_AES128_CM_SHA1_32 = 0x0002; @@ -31,10 +35,13 @@ extern const char CS_AES_CM_128_HMAC_SHA1_80[]; // 128-bit AES with 32-bit SHA-1 HMAC. extern const char CS_AES_CM_128_HMAC_SHA1_32[]; -// Returns the DTLS-SRTP protection profile ID, as defined in -// https://tools.ietf.org/html/rfc5764#section-4.1.2, for the given SRTP -// Crypto-suite, as defined in https://tools.ietf.org/html/rfc4568#section-6.2 -int GetSrtpCryptoSuiteFromName(const std::string& cipher_rfc_name); +// Given the DTLS-SRTP protection profile ID, as defined in +// https://tools.ietf.org/html/rfc4568#section-6.2 , return the SRTP profile +// name, as defined in https://tools.ietf.org/html/rfc5764#section-4.1.2. +std::string SrtpCryptoSuiteToName(int crypto_suite); + +// The reverse of above conversion. +int SrtpCryptoSuiteFromName(const std::string& crypto_suite); // SSLStreamAdapter : A StreamInterfaceAdapter that does SSL/TLS. // After SSL has been started, the stream will only open on successful @@ -152,7 +159,7 @@ class SSLStreamAdapter : public StreamAdapterInterface { // Retrieves the IANA registration id of the cipher suite used for the // connection (e.g. 0x2F for "TLS_RSA_WITH_AES_128_CBC_SHA"). - virtual bool GetSslCipherSuite(int* cipher); + virtual bool GetSslCipherSuite(int* cipher_suite); // Key Exporter interface from RFC 5705 // Arguments are: @@ -174,8 +181,8 @@ class SSLStreamAdapter : public StreamAdapterInterface { size_t result_len); // DTLS-SRTP interface - virtual bool SetDtlsSrtpCiphers(const std::vector& ciphers); - virtual bool GetDtlsSrtpCipher(std::string* cipher); + virtual bool SetDtlsSrtpCryptoSuites(const std::vector& crypto_suites); + virtual bool GetDtlsSrtpCryptoSuite(int* crypto_suite); // Capabilities testing static bool HaveDtls(); @@ -191,7 +198,7 @@ class SSLStreamAdapter : public StreamAdapterInterface { // TODO(guoweis): Move this away from a static class method. Currently this is // introduced such that any caller could depend on sslstreamadapter.h without // depending on specific SSL implementation. - static std::string GetSslCipherSuiteName(int cipher); + static std::string SslCipherSuiteToName(int cipher_suite); private: // If true, the server certificate need not match the configured diff --git a/webrtc/base/sslstreamadapter_unittest.cc b/webrtc/base/sslstreamadapter_unittest.cc index a3e8d9c637..0344bd057a 100644 --- a/webrtc/base/sslstreamadapter_unittest.cc +++ b/webrtc/base/sslstreamadapter_unittest.cc @@ -29,8 +29,6 @@ using ::testing::Combine; using ::testing::tuple; static const int kBlockSize = 4096; -static const char kAES_CM_HMAC_SHA1_80[] = "AES_CM_128_HMAC_SHA1_80"; -static const char kAES_CM_HMAC_SHA1_32[] = "AES_CM_128_HMAC_SHA1_32"; static const char kExporterLabel[] = "label"; static const unsigned char kExporterContext[] = "context"; static int kExporterContextLen = sizeof(kExporterContext); @@ -389,19 +387,18 @@ class SSLStreamAdapterTestBase : public testing::Test, handshake_wait_ = wait; } - void SetDtlsSrtpCiphers(const std::vector &ciphers, - bool client) { + void SetDtlsSrtpCryptoSuites(const std::vector& ciphers, bool client) { if (client) - client_ssl_->SetDtlsSrtpCiphers(ciphers); + client_ssl_->SetDtlsSrtpCryptoSuites(ciphers); else - server_ssl_->SetDtlsSrtpCiphers(ciphers); + server_ssl_->SetDtlsSrtpCryptoSuites(ciphers); } - bool GetDtlsSrtpCipher(bool client, std::string *retval) { + bool GetDtlsSrtpCryptoSuite(bool client, int* retval) { if (client) - return client_ssl_->GetDtlsSrtpCipher(retval); + return client_ssl_->GetDtlsSrtpCryptoSuite(retval); else - return server_ssl_->GetDtlsSrtpCipher(retval); + return server_ssl_->GetDtlsSrtpCryptoSuite(retval); } bool GetPeerCertificate(bool client, rtc::SSLCertificate** cert) { @@ -809,74 +806,74 @@ TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestDTLSTransferWithDamage) { // Test DTLS-SRTP with all high ciphers TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) { MAYBE_SKIP_TEST(HaveDtlsSrtp); - std::vector high; - high.push_back(kAES_CM_HMAC_SHA1_80); - SetDtlsSrtpCiphers(high, true); - SetDtlsSrtpCiphers(high, false); + std::vector high; + high.push_back(rtc::SRTP_AES128_CM_SHA1_80); + SetDtlsSrtpCryptoSuites(high, true); + SetDtlsSrtpCryptoSuites(high, false); TestHandshake(); - std::string client_cipher; - ASSERT_TRUE(GetDtlsSrtpCipher(true, &client_cipher)); - std::string server_cipher; - ASSERT_TRUE(GetDtlsSrtpCipher(false, &server_cipher)); + int client_cipher; + ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher)); + int server_cipher; + ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher)); ASSERT_EQ(client_cipher, server_cipher); - ASSERT_EQ(client_cipher, kAES_CM_HMAC_SHA1_80); + ASSERT_EQ(client_cipher, rtc::SRTP_AES128_CM_SHA1_80); }; // Test DTLS-SRTP with all low ciphers TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpLow) { MAYBE_SKIP_TEST(HaveDtlsSrtp); - std::vector low; - low.push_back(kAES_CM_HMAC_SHA1_32); - SetDtlsSrtpCiphers(low, true); - SetDtlsSrtpCiphers(low, false); + std::vector low; + low.push_back(rtc::SRTP_AES128_CM_SHA1_32); + SetDtlsSrtpCryptoSuites(low, true); + SetDtlsSrtpCryptoSuites(low, false); TestHandshake(); - std::string client_cipher; - ASSERT_TRUE(GetDtlsSrtpCipher(true, &client_cipher)); - std::string server_cipher; - ASSERT_TRUE(GetDtlsSrtpCipher(false, &server_cipher)); + int client_cipher; + ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher)); + int server_cipher; + ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher)); ASSERT_EQ(client_cipher, server_cipher); - ASSERT_EQ(client_cipher, kAES_CM_HMAC_SHA1_32); + ASSERT_EQ(client_cipher, rtc::SRTP_AES128_CM_SHA1_32); }; // Test DTLS-SRTP with a mismatch -- should not converge TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHighLow) { MAYBE_SKIP_TEST(HaveDtlsSrtp); - std::vector high; - high.push_back(kAES_CM_HMAC_SHA1_80); - std::vector low; - low.push_back(kAES_CM_HMAC_SHA1_32); - SetDtlsSrtpCiphers(high, true); - SetDtlsSrtpCiphers(low, false); + std::vector high; + high.push_back(rtc::SRTP_AES128_CM_SHA1_80); + std::vector low; + low.push_back(rtc::SRTP_AES128_CM_SHA1_32); + SetDtlsSrtpCryptoSuites(high, true); + SetDtlsSrtpCryptoSuites(low, false); TestHandshake(); - std::string client_cipher; - ASSERT_FALSE(GetDtlsSrtpCipher(true, &client_cipher)); - std::string server_cipher; - ASSERT_FALSE(GetDtlsSrtpCipher(false, &server_cipher)); + int client_cipher; + ASSERT_FALSE(GetDtlsSrtpCryptoSuite(true, &client_cipher)); + int server_cipher; + ASSERT_FALSE(GetDtlsSrtpCryptoSuite(false, &server_cipher)); }; // Test DTLS-SRTP with each side being mixed -- should select high TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) { MAYBE_SKIP_TEST(HaveDtlsSrtp); - std::vector mixed; - mixed.push_back(kAES_CM_HMAC_SHA1_80); - mixed.push_back(kAES_CM_HMAC_SHA1_32); - SetDtlsSrtpCiphers(mixed, true); - SetDtlsSrtpCiphers(mixed, false); + std::vector mixed; + mixed.push_back(rtc::SRTP_AES128_CM_SHA1_80); + mixed.push_back(rtc::SRTP_AES128_CM_SHA1_32); + SetDtlsSrtpCryptoSuites(mixed, true); + SetDtlsSrtpCryptoSuites(mixed, false); TestHandshake(); - std::string client_cipher; - ASSERT_TRUE(GetDtlsSrtpCipher(true, &client_cipher)); - std::string server_cipher; - ASSERT_TRUE(GetDtlsSrtpCipher(false, &server_cipher)); + int client_cipher; + ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher)); + int server_cipher; + ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher)); ASSERT_EQ(client_cipher, server_cipher); - ASSERT_EQ(client_cipher, kAES_CM_HMAC_SHA1_80); + ASSERT_EQ(client_cipher, rtc::SRTP_AES128_CM_SHA1_80); }; // Test an exporter diff --git a/webrtc/p2p/base/dtlstransportchannel.cc b/webrtc/p2p/base/dtlstransportchannel.cc index 0c063e0323..fff24f30b8 100644 --- a/webrtc/p2p/base/dtlstransportchannel.cc +++ b/webrtc/p2p/base/dtlstransportchannel.cc @@ -267,7 +267,7 @@ bool DtlsTransportChannelWrapper::SetupDtls() { // Set up DTLS-SRTP, if it's been enabled. if (!srtp_ciphers_.empty()) { - if (!dtls_->SetDtlsSrtpCiphers(srtp_ciphers_)) { + if (!dtls_->SetDtlsSrtpCryptoSuites(srtp_ciphers_)) { LOG_J(LS_ERROR, this) << "Couldn't set DTLS-SRTP ciphers."; return false; } @@ -279,11 +279,10 @@ bool DtlsTransportChannelWrapper::SetupDtls() { return true; } -bool DtlsTransportChannelWrapper::SetSrtpCiphers( - const std::vector& ciphers) { - if (srtp_ciphers_ == ciphers) { +bool DtlsTransportChannelWrapper::SetSrtpCryptoSuites( + const std::vector& ciphers) { + if (srtp_ciphers_ == ciphers) return true; - } if (dtls_state() == DTLS_TRANSPORT_CONNECTING) { LOG(LS_WARNING) << "Ignoring new SRTP ciphers while DTLS is negotiating"; @@ -294,18 +293,18 @@ bool DtlsTransportChannelWrapper::SetSrtpCiphers( // We don't support DTLS renegotiation currently. If new set of srtp ciphers // are different than what's being used currently, we will not use it. // So for now, let's be happy (or sad) with a warning message. - std::string current_srtp_cipher; - if (!dtls_->GetDtlsSrtpCipher(¤t_srtp_cipher)) { + int current_srtp_cipher; + if (!dtls_->GetDtlsSrtpCryptoSuite(¤t_srtp_cipher)) { LOG(LS_ERROR) << "Failed to get the current SRTP cipher for DTLS channel"; return false; } - const std::vector::const_iterator iter = + const std::vector::const_iterator iter = std::find(ciphers.begin(), ciphers.end(), current_srtp_cipher); if (iter == ciphers.end()) { std::string requested_str; for (size_t i = 0; i < ciphers.size(); ++i) { requested_str.append(" "); - requested_str.append(ciphers[i]); + requested_str.append(rtc::SrtpCryptoSuiteToName(ciphers[i])); requested_str.append(" "); } LOG(LS_WARNING) << "Ignoring new set of SRTP ciphers, as DTLS " @@ -324,12 +323,12 @@ bool DtlsTransportChannelWrapper::SetSrtpCiphers( return true; } -bool DtlsTransportChannelWrapper::GetSrtpCryptoSuite(std::string* cipher) { +bool DtlsTransportChannelWrapper::GetSrtpCryptoSuite(int* cipher) { if (dtls_state() != DTLS_TRANSPORT_CONNECTED) { return false; } - return dtls_->GetDtlsSrtpCipher(cipher); + return dtls_->GetDtlsSrtpCryptoSuite(cipher); } diff --git a/webrtc/p2p/base/dtlstransportchannel.h b/webrtc/p2p/base/dtlstransportchannel.h index 41e081b7fe..71f68877d4 100644 --- a/webrtc/p2p/base/dtlstransportchannel.h +++ b/webrtc/p2p/base/dtlstransportchannel.h @@ -126,10 +126,10 @@ class DtlsTransportChannelWrapper : public TransportChannelImpl { // Set up the ciphers to use for DTLS-SRTP. If this method is not called // before DTLS starts, or |ciphers| is empty, SRTP keys won't be negotiated. // This method should be called before SetupDtls. - bool SetSrtpCiphers(const std::vector& ciphers) override; + bool SetSrtpCryptoSuites(const std::vector& ciphers) override; // Find out which DTLS-SRTP cipher was negotiated - bool GetSrtpCryptoSuite(std::string* cipher) override; + bool GetSrtpCryptoSuite(int* cipher) override; bool GetSslRole(rtc::SSLRole* role) const override; bool SetSslRole(rtc::SSLRole role) override; @@ -223,7 +223,7 @@ class DtlsTransportChannelWrapper : public TransportChannelImpl { TransportChannelImpl* const channel_; rtc::scoped_ptr dtls_; // The DTLS stream StreamInterfaceChannel* downward_; // Wrapper for channel_, owned by dtls_. - std::vector srtp_ciphers_; // SRTP ciphers to use with DTLS. + std::vector srtp_ciphers_; // SRTP ciphers to use with DTLS. bool dtls_active_ = false; rtc::scoped_refptr local_certificate_; rtc::SSLRole ssl_role_; diff --git a/webrtc/p2p/base/dtlstransportchannel_unittest.cc b/webrtc/p2p/base/dtlstransportchannel_unittest.cc index 07e3b87847..a967ae31f1 100644 --- a/webrtc/p2p/base/dtlstransportchannel_unittest.cc +++ b/webrtc/p2p/base/dtlstransportchannel_unittest.cc @@ -28,7 +28,6 @@ return; \ } -static const char AES_CM_128_HMAC_SHA1_80[] = "AES_CM_128_HMAC_SHA1_80"; static const char kIceUfrag1[] = "TESTICEUFRAG0001"; static const char kIcePwd1[] = "TESTICEPWD00000000000001"; static const size_t kPacketNumOffset = 8; @@ -150,9 +149,9 @@ class DtlsTestClient : public sigslot::has_slots<> { // SRTP ciphers will be set only in the beginning. for (std::vector::iterator it = channels_.begin(); it != channels_.end(); ++it) { - std::vector ciphers; - ciphers.push_back(AES_CM_128_HMAC_SHA1_80); - ASSERT_TRUE((*it)->SetSrtpCiphers(ciphers)); + std::vector ciphers; + ciphers.push_back(rtc::SRTP_AES128_CM_SHA1_80); + ASSERT_TRUE((*it)->SetSrtpCryptoSuites(ciphers)); } } @@ -215,16 +214,16 @@ class DtlsTestClient : public sigslot::has_slots<> { } } - void CheckSrtp(const std::string& expected_cipher) { + void CheckSrtp(int expected_crypto_suite) { for (std::vector::iterator it = channels_.begin(); it != channels_.end(); ++it) { - std::string cipher; + int crypto_suite; - bool rv = (*it)->GetSrtpCryptoSuite(&cipher); - if (negotiated_dtls_ && !expected_cipher.empty()) { + bool rv = (*it)->GetSrtpCryptoSuite(&crypto_suite); + if (negotiated_dtls_ && expected_crypto_suite) { ASSERT_TRUE(rv); - ASSERT_EQ(cipher, expected_cipher); + ASSERT_EQ(crypto_suite, expected_crypto_suite); } else { ASSERT_FALSE(rv); } @@ -469,11 +468,11 @@ class DtlsTransportChannelTest : public testing::Test { // Check that we negotiated the right ciphers. if (use_dtls_srtp_) { - client1_.CheckSrtp(AES_CM_128_HMAC_SHA1_80); - client2_.CheckSrtp(AES_CM_128_HMAC_SHA1_80); + client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80); + client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80); } else { - client1_.CheckSrtp(""); - client2_.CheckSrtp(""); + client1_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE); + client2_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE); } client1_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( ssl_expected_version_, rtc::KT_DEFAULT)); diff --git a/webrtc/p2p/base/faketransportcontroller.h b/webrtc/p2p/base/faketransportcontroller.h index 3e656fa4a3..251a0c681a 100644 --- a/webrtc/p2p/base/faketransportcontroller.h +++ b/webrtc/p2p/base/faketransportcontroller.h @@ -242,20 +242,20 @@ class FakeTransportChannel : public TransportChannelImpl, bool IsDtlsActive() const override { return do_dtls_; } - bool SetSrtpCiphers(const std::vector& ciphers) override { + bool SetSrtpCryptoSuites(const std::vector& ciphers) override { srtp_ciphers_ = ciphers; return true; } - bool GetSrtpCryptoSuite(std::string* cipher) override { - if (!chosen_srtp_cipher_.empty()) { - *cipher = chosen_srtp_cipher_; + bool GetSrtpCryptoSuite(int* crypto_suite) override { + if (chosen_crypto_suite_ != rtc::SRTP_INVALID_CRYPTO_SUITE) { + *crypto_suite = chosen_crypto_suite_; return true; } return false; } - bool GetSslCipherSuite(int* cipher) override { return false; } + bool GetSslCipherSuite(int* cipher_suite) override { return false; } rtc::scoped_refptr GetLocalCertificate() const { return local_cert_; @@ -275,7 +275,7 @@ class FakeTransportChannel : public TransportChannelImpl, bool use_context, uint8_t* result, size_t result_len) override { - if (!chosen_srtp_cipher_.empty()) { + if (chosen_crypto_suite_ != rtc::SRTP_INVALID_CRYPTO_SUITE) { memset(result, 0xff, result_len); return true; } @@ -284,14 +284,13 @@ class FakeTransportChannel : public TransportChannelImpl, } void NegotiateSrtpCiphers() { - for (std::vector::const_iterator it1 = srtp_ciphers_.begin(); + for (std::vector::const_iterator it1 = srtp_ciphers_.begin(); it1 != srtp_ciphers_.end(); ++it1) { - for (std::vector::const_iterator it2 = - dest_->srtp_ciphers_.begin(); + for (std::vector::const_iterator it2 = dest_->srtp_ciphers_.begin(); it2 != dest_->srtp_ciphers_.end(); ++it2) { if (*it1 == *it2) { - chosen_srtp_cipher_ = *it1; - dest_->chosen_srtp_cipher_ = *it2; + chosen_crypto_suite_ = *it1; + dest_->chosen_crypto_suite_ = *it2; return; } } @@ -322,8 +321,8 @@ class FakeTransportChannel : public TransportChannelImpl, rtc::scoped_refptr local_cert_; rtc::FakeSSLCertificate* remote_cert_ = nullptr; bool do_dtls_ = false; - std::vector srtp_ciphers_; - std::string chosen_srtp_cipher_; + std::vector srtp_ciphers_; + int chosen_crypto_suite_ = rtc::SRTP_INVALID_CRYPTO_SUITE; int receiving_timeout_ = -1; bool gather_continually_ = false; IceRole role_ = ICEROLE_UNKNOWN; diff --git a/webrtc/p2p/base/p2ptransportchannel.h b/webrtc/p2p/base/p2ptransportchannel.h index 9f2f3a0bb3..7d9b6121a2 100644 --- a/webrtc/p2p/base/p2ptransportchannel.h +++ b/webrtc/p2p/base/p2ptransportchannel.h @@ -108,12 +108,12 @@ class P2PTransportChannel : public TransportChannelImpl, bool SetSslRole(rtc::SSLRole role) override { return false; } // Set up the ciphers to use for DTLS-SRTP. - bool SetSrtpCiphers(const std::vector& ciphers) override { + bool SetSrtpCryptoSuites(const std::vector& ciphers) override { return false; } // Find out which DTLS-SRTP cipher was negotiated. - bool GetSrtpCryptoSuite(std::string* cipher) override { return false; } + bool GetSrtpCryptoSuite(int* cipher) override { return false; } // Find out which DTLS cipher was negotiated. bool GetSslCipherSuite(int* cipher) override { return false; } diff --git a/webrtc/p2p/base/transport.cc b/webrtc/p2p/base/transport.cc index 2328e4587c..eff10aa0a9 100644 --- a/webrtc/p2p/base/transport.cc +++ b/webrtc/p2p/base/transport.cc @@ -305,8 +305,8 @@ bool Transport::GetStats(TransportStats* stats) { TransportChannelImpl* channel = kv.second; TransportChannelStats substats; substats.component = channel->component(); - channel->GetSrtpCryptoSuite(&substats.srtp_cipher); - channel->GetSslCipherSuite(&substats.ssl_cipher); + channel->GetSrtpCryptoSuite(&substats.srtp_crypto_suite); + channel->GetSslCipherSuite(&substats.ssl_cipher_suite); if (!channel->GetStats(&substats.connection_infos)) { return false; } diff --git a/webrtc/p2p/base/transport.h b/webrtc/p2p/base/transport.h index 955eb42098..2e3981243e 100644 --- a/webrtc/p2p/base/transport.h +++ b/webrtc/p2p/base/transport.h @@ -123,8 +123,8 @@ typedef std::vector ConnectionInfos; struct TransportChannelStats { int component = 0; ConnectionInfos connection_infos; - std::string srtp_cipher; - int ssl_cipher = 0; + int srtp_crypto_suite = rtc::SRTP_INVALID_CRYPTO_SUITE; + int ssl_cipher_suite = rtc::TLS_NULL_WITH_NULL_NULL; }; // Information about all the channels of a transport. diff --git a/webrtc/p2p/base/transportchannel.cc b/webrtc/p2p/base/transportchannel.cc index 63d84494e5..f497bce91b 100644 --- a/webrtc/p2p/base/transportchannel.cc +++ b/webrtc/p2p/base/transportchannel.cc @@ -54,4 +54,17 @@ void TransportChannel::set_dtls_state(DtlsTransportState state) { SignalDtlsState(this); } +bool TransportChannel::SetSrtpCryptoSuites(const std::vector& ciphers) { + return false; +} + +// TODO(guoweis): Remove this function once everything is moved away. +bool TransportChannel::SetSrtpCiphers(const std::vector& ciphers) { + std::vector crypto_suites; + for (const auto cipher : ciphers) { + crypto_suites.push_back(rtc::SrtpCryptoSuiteFromName(cipher)); + } + return SetSrtpCryptoSuites(crypto_suites); +} + } // namespace cricket diff --git a/webrtc/p2p/base/transportchannel.h b/webrtc/p2p/base/transportchannel.h index ea18957ef3..de0bd45a25 100644 --- a/webrtc/p2p/base/transportchannel.h +++ b/webrtc/p2p/base/transportchannel.h @@ -107,14 +107,17 @@ class TransportChannel : public sigslot::has_slots<> { // Default implementation. virtual bool GetSslRole(rtc::SSLRole* role) const = 0; - // Sets up the ciphers to use for DTLS-SRTP. - virtual bool SetSrtpCiphers(const std::vector& ciphers) = 0; + // Sets up the ciphers to use for DTLS-SRTP. TODO(guoweis): Make this pure + // virtual once all dependencies have implementation. + virtual bool SetSrtpCryptoSuites(const std::vector& ciphers); + + // Keep the original one for backward compatibility until all dependencies + // move away. TODO(guoweis): Remove this function. + virtual bool SetSrtpCiphers(const std::vector& ciphers); // Finds out which DTLS-SRTP cipher was negotiated. // TODO(guoweis): Remove this once all dependencies implement this. - virtual bool GetSrtpCryptoSuite(std::string* cipher) { - return false; - } + virtual bool GetSrtpCryptoSuite(int* cipher) { return false; } // Finds out which DTLS cipher was negotiated. // TODO(guoweis): Remove this once all dependencies implement this.