admin/webrtc_m130
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Use SRTP_AES128_CM_SHA1_80 by default instead of SRTP_AES128_CM_SHA1_32."

Browse Source 
This reverts commit 6780c51b23516803dc27173d10ba98d018780447.

Reason for revert:

More details in crbug.com/810292

Original change's description:
> Use SRTP_AES128_CM_SHA1_80 by default instead of SRTP_AES128_CM_SHA1_32.
> 
> A field has been added to "CryptoOptions" to enable SRTP_AES128_CM_SHA1_32
> from native apps if really necessary.
> 
> R=​deadbeef@webrtc.org
> 
> Bug: webrtc:7670
> Change-Id: I36b6ab3e302fbf3cda2611ff196757e43a56e704
> Reviewed-on: https://webrtc-review.googlesource.com/41420
> Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
> Reviewed-by: Magnus Jedvert <magjed@webrtc.org>
> Commit-Queue: Joachim Bauch <jbauch@webrtc.org>
> Cr-Commit-Position: refs/heads/master@{#21952}

TBR=deadbeef@webrtc.org,magjed@webrtc.org,jbauch@webrtc.org

Change-Id: I643dbe023eca526f2cda4d97df045f2533741dd4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: webrtc:7670
Reviewed-on: https://webrtc-review.googlesource.com/49880
Reviewed-by: Tommi <tommi@webrtc.org>
Commit-Queue: Tommi <tommi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21961}
This commit is contained in:
Tommi 2018-02-08 16:25:20 +00:00 committed by Commit Bot
parent 2018823a68
commit 8e545eee1e
12 changed files with 55 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
p2p/base/dtlstransport_unittest.cc
View File

@ -334,9 +334,9 @@ class DtlsTransportTestBase {
if (use_dtls_) {
// Check that we negotiated the right ciphers. Since GCM ciphers are not
// negotiated by default, we should end up with SRTP_AES128_CM_SHA1_80.
client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80);
client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80);
// negotiated by default, we should end up with SRTP_AES128_CM_SHA1_32.
client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_32);
client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_32);
} else {
// If DTLS isn't actually being used, GetSrtpCryptoSuite should return
// false.

13
pc/mediasession.cc
View File

@ -194,17 +194,14 @@ bool FindMatchingCrypto(const CryptoParamsVec& cryptos,
return false;
}
// For audio, HMAC 32 (if enabled) is prefered over HMAC 80 because of the
// low overhead.
// For audio, HMAC 32 is prefered over HMAC 80 because of the low overhead.
void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options,
std::vector<int>* crypto_suites) {
if (crypto_options.enable_gcm_crypto_suites) {
crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM);
crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM);
}
if (crypto_options.enable_aes128_sha1_32_crypto_cipher) {
crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32);
}
crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32);
crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_80);
}
@ -248,8 +245,8 @@ void GetSupportedDataSdesCryptoSuiteNames(
}
// Support any GCM cipher (if enabled through options). For video support only
// 80-bit SHA1 HMAC. For audio 32-bit HMAC is tolerated (if enabled) unless
// bundle is enabled because it is low overhead.
// 80-bit SHA1 HMAC. For audio 32-bit HMAC is tolerated unless bundle is enabled
// because it is low overhead.
// Pick the crypto in the list that is supported.
static bool SelectCrypto(const MediaContentDescription* offer,
bool bundle,
@ -264,7 +261,7 @@ static bool SelectCrypto(const MediaContentDescription* offer,
rtc::IsGcmCryptoSuiteName(i->cipher_suite)) ||
rtc::CS_AES_CM_128_HMAC_SHA1_80 == i->cipher_suite ||
(rtc::CS_AES_CM_128_HMAC_SHA1_32 == i->cipher_suite && audio &&
!bundle && crypto_options.enable_aes128_sha1_32_crypto_cipher)) {
!bundle)) {
return CreateCryptoParams(i->tag, i->cipher_suite, crypto);
}
}

75
pc/mediasession_unittest.cc
View File

@ -213,11 +213,6 @@ static const char* kMediaProtocolsDtls[] = {
"TCP/TLS/RTP/SAVPF", "TCP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF",
"UDP/TLS/RTP/SAVP"};
// SRTP cipher name negotiated by the tests. This must be updated if the
// default changes.
static const char* kDefaultSrtpCryptoSuite = CS_AES_CM_128_HMAC_SHA1_80;
static const char* kDefaultSrtpCryptoSuiteGcm = CS_AEAD_AES_256_GCM;
// These constants are used to make the code using "AddMediaSection" more
// readable.
static constexpr bool kStopped = true;
@ -550,7 +545,7 @@ class MediaSessionDescriptionFactoryTest : public testing::Test {
EXPECT_TRUE(CompareCryptoParams(audio_media_desc->cryptos(),
video_media_desc->cryptos()));
EXPECT_EQ(1u, audio_media_desc->cryptos().size());
EXPECT_EQ(std::string(kDefaultSrtpCryptoSuite),
EXPECT_EQ(std::string(CS_AES_CM_128_HMAC_SHA1_80),
audio_media_desc->cryptos()[0].cipher_suite);
// Verify the selected crypto is one from the reference audio
@ -641,18 +636,18 @@ class MediaSessionDescriptionFactoryTest : public testing::Test {
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
if (gcm_offer && gcm_answer) {
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm);
ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM);
} else {
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
}
EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type());
EXPECT_EQ(MAKE_VECTOR(kVideoCodecsAnswer), vcd->codecs());
EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached
EXPECT_TRUE(vcd->rtcp_mux()); // negotiated rtcp-mux
if (gcm_offer && gcm_answer) {
ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuiteGcm);
ASSERT_CRYPTO(vcd, 1U, CS_AEAD_AES_256_GCM);
} else {
ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
}
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol());
}
@ -681,7 +676,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioOffer) {
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached.
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
}
@ -705,14 +700,14 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateVideoOffer) {
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type());
EXPECT_EQ(f1_.video_codecs(), vcd->codecs());
EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached
EXPECT_EQ(kAutoBandwidth, vcd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(vcd->rtcp_mux()); // rtcp-mux defaults on
ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol());
}
@ -783,11 +778,11 @@ TEST_F(MediaSessionDescriptionFactoryTest,
EXPECT_TRUE(NULL != acd);
EXPECT_TRUE(NULL != dcd);
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol());
ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol());
}
@ -812,7 +807,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateRtpDataOffer) {
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attched.
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type());
EXPECT_EQ(f1_.data_codecs(), dcd->codecs());
@ -820,7 +815,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateRtpDataOffer) {
EXPECT_EQ(cricket::kDataMaxBandwidth,
dcd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(dcd->rtcp_mux()); // rtcp-mux defaults on
ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol());
}
@ -948,7 +943,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioAnswer) {
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
}
@ -974,7 +969,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioAnswerGcm) {
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm);
ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
}
@ -1001,12 +996,12 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateVideoAnswer) {
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type());
EXPECT_EQ(MAKE_VECTOR(kVideoCodecsAnswer), vcd->codecs());
EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached
EXPECT_TRUE(vcd->rtcp_mux()); // negotiated rtcp-mux
ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol());
}
@ -1050,12 +1045,12 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswer) {
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type());
EXPECT_EQ(MAKE_VECTOR(kDataCodecsAnswer), dcd->codecs());
EXPECT_EQ(0U, dcd->first_ssrc()); // no sender is attached
EXPECT_TRUE(dcd->rtcp_mux()); // negotiated rtcp-mux
ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol());
}
@ -1082,12 +1077,12 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswerGcm) {
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm);
ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM);
EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type());
EXPECT_EQ(MAKE_VECTOR(kDataCodecsAnswer), dcd->codecs());
EXPECT_EQ(0U, dcd->first_ssrc()); // no sender is attached
EXPECT_TRUE(dcd->rtcp_mux()); // negotiated rtcp-mux
ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuiteGcm);
ASSERT_CRYPTO(dcd, 1U, CS_AEAD_AES_256_GCM);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol());
}
@ -1648,11 +1643,11 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoOffer) {
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type());
EXPECT_EQ(f1_.video_codecs(), vcd->codecs());
ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
const StreamParamsVec& video_streams = vcd->streams();
ASSERT_EQ(1U, video_streams.size());
@ -1663,7 +1658,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoOffer) {
EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type());
EXPECT_EQ(f1_.data_codecs(), dcd->codecs());
ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
const StreamParamsVec& data_streams = dcd->streams();
ASSERT_EQ(2U, data_streams.size());
@ -1678,7 +1673,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoOffer) {
EXPECT_EQ(cricket::kDataMaxBandwidth,
dcd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(dcd->rtcp_mux()); // rtcp-mux defaults on
ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
// Update the offer. Add a new video track that is not synched to the
// other tracks and replace audio track 2 with audio track 3.
@ -1713,11 +1708,11 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoOffer) {
EXPECT_EQ(vcd->codecs(), updated_vcd->codecs());
EXPECT_EQ(dcd->type(), updated_dcd->type());
EXPECT_EQ(dcd->codecs(), updated_dcd->codecs());
ASSERT_CRYPTO(updated_acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(updated_acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_TRUE(CompareCryptoParams(acd->cryptos(), updated_acd->cryptos()));
ASSERT_CRYPTO(updated_vcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(updated_vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_TRUE(CompareCryptoParams(vcd->cryptos(), updated_vcd->cryptos()));
ASSERT_CRYPTO(updated_dcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(updated_dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_TRUE(CompareCryptoParams(dcd->cryptos(), updated_dcd->cryptos()));
const StreamParamsVec& updated_audio_streams = updated_acd->streams();
@ -1826,9 +1821,9 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoAnswer) {
const AudioContentDescription* acd = ac->media_description()->as_audio();
const VideoContentDescription* vcd = vc->media_description()->as_video();
const DataContentDescription* dcd = dc->media_description()->as_data();
ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(MEDIA_TYPE_AUDIO, acd->type());
EXPECT_EQ(MAKE_VECTOR(kAudioCodecsAnswer), acd->codecs());
@ -1896,11 +1891,11 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoAnswer) {
const DataContentDescription* updated_dcd =
dc->media_description()->as_data();
ASSERT_CRYPTO(updated_acd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(updated_acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_TRUE(CompareCryptoParams(acd->cryptos(), updated_acd->cryptos()));
ASSERT_CRYPTO(updated_vcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(updated_vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_TRUE(CompareCryptoParams(vcd->cryptos(), updated_vcd->cryptos()));
ASSERT_CRYPTO(updated_dcd, 1U, kDefaultSrtpCryptoSuite);
ASSERT_CRYPTO(updated_dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_TRUE(CompareCryptoParams(dcd->cryptos(), updated_dcd->cryptos()));
EXPECT_EQ(acd->type(), updated_acd->type());
@ -2824,7 +2819,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCryptoDtls) {
ASSERT_TRUE(audio_media_desc != NULL);
video_media_desc = offer->GetContentDescriptionByName("video");
ASSERT_TRUE(video_media_desc != NULL);
EXPECT_EQ(1u, audio_media_desc->cryptos().size());
EXPECT_EQ(2u, audio_media_desc->cryptos().size());
EXPECT_EQ(1u, video_media_desc->cryptos().size());
audio_trans_desc = offer->GetTransportDescriptionByName("audio");

56
pc/peerconnection_integrationtest.cc
View File

@ -107,7 +107,7 @@ static const char kDataChannelLabel[] = "data_channel";
// SRTP cipher name negotiated by the tests. This must be updated if the
// default changes.
static const int kDefaultSrtpCryptoSuite = rtc::SRTP_AES128_CM_SHA1_80;
static const int kDefaultSrtpCryptoSuite = rtc::SRTP_AES128_CM_SHA1_32;
static const int kDefaultSrtpCryptoSuiteGcm = rtc::SRTP_AEAD_AES_256_GCM;
static const SocketAddress kDefaultLocalAddress("192.168.1.1", 0);
@ -1152,10 +1152,13 @@ class PeerConnectionIntegrationTest : public testing::Test {
expected_callee_received_video_frames);
}
void TestNegotiatedCipherSuite(
const PeerConnectionFactory::Options& caller_options,
const PeerConnectionFactory::Options& callee_options,
int expected_cipher_suite) {
void TestGcmNegotiationUsesCipherSuite(bool local_gcm_enabled,
bool remote_gcm_enabled,
int expected_cipher_suite) {
PeerConnectionFactory::Options caller_options;
caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled;
PeerConnectionFactory::Options callee_options;
callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled;
ASSERT_TRUE(CreatePeerConnectionWrappersWithOptions(caller_options,
callee_options));
rtc::scoped_refptr<webrtc::FakeMetricsObserver> caller_observer =
@ -1174,17 +1177,6 @@ class PeerConnectionIntegrationTest : public testing::Test {
caller()->pc()->RegisterUMAObserver(nullptr);
}
void TestGcmNegotiationUsesCipherSuite(bool local_gcm_enabled,
bool remote_gcm_enabled,
int expected_cipher_suite) {
PeerConnectionFactory::Options caller_options;
caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled;
PeerConnectionFactory::Options callee_options;
callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled;
TestNegotiatedCipherSuite(caller_options, callee_options,
expected_cipher_suite);
}
private:
// |ss_| is used by |network_thread_| so it must be destroyed later.
std::unique_ptr<rtc::VirtualSocketServer> ss_;
@ -2318,38 +2310,6 @@ TEST_F(PeerConnectionIntegrationTest, CallerDtls10ToCalleeDtls12) {
kMaxWaitForFramesMs);
}
TEST_F(PeerConnectionIntegrationTest,
Aes128Sha1_32_CipherNotUsedWhenOnlyCallerSupported) {
ASSERT_NE(rtc::SRTP_AES128_CM_SHA1_32, kDefaultSrtpCryptoSuite);
PeerConnectionFactory::Options caller_options;
caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true;
PeerConnectionFactory::Options callee_options;
int expected_cipher_suite = kDefaultSrtpCryptoSuite;
TestNegotiatedCipherSuite(caller_options, callee_options,
expected_cipher_suite);
}
TEST_F(PeerConnectionIntegrationTest,
Aes128Sha1_32_CipherNotUsedWhenOnlyCalleeSupported) {
ASSERT_NE(rtc::SRTP_AES128_CM_SHA1_32, kDefaultSrtpCryptoSuite);
PeerConnectionFactory::Options caller_options;
PeerConnectionFactory::Options callee_options;
callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true;
int expected_cipher_suite = kDefaultSrtpCryptoSuite;
TestNegotiatedCipherSuite(caller_options, callee_options,
expected_cipher_suite);
}
TEST_F(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherUsedWhenSupported) {
PeerConnectionFactory::Options caller_options;
caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true;
PeerConnectionFactory::Options callee_options;
callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true;
int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_32;
TestNegotiatedCipherSuite(caller_options, callee_options,
expected_cipher_suite);
}
// Test that a non-GCM cipher is used if both sides only support non-GCM.
TEST_F(PeerConnectionIntegrationTest, NonGcmCipherUsedWhenGcmNotSupported) {
bool local_gcm_enabled = false;

2
pc/peerconnectioninterface_unittest.cc
View File

@ -320,7 +320,7 @@ static const char kDtlsSdesFallbackSdp[] =
"a=fingerprint:sha-1 "
"4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB\r\n"
"a=setup:actpass\r\n"
"a=crypto:0 AES_CM_128_HMAC_SHA1_32 "
"a=crypto:1 AES_CM_128_HMAC_SHA1_32 "
"inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32 "
"dummy_session_params\r\n";

4
pc/test/testsdpstrings.h
View File

@ -92,7 +92,7 @@ static const char kAudioSdp[] =
"a=sendrecv\r\n"
"a=rtcp:16000 IN IP4 192.168.30.208\r\n"
"a=rtcp-mux\r\n"
"a=crypto:0 AES_CM_128_HMAC_SHA1_80 "
"a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
"inline:tvKIFjbMQ7W0/C2RzhwN0oQglj/7GJg+frdsNRxt\r\n"
"a=ice-ufrag:AI2sRT3r\r\n"
"a=ice-pwd:lByS9z2RSQlSE9XurlvjYmEm\r\n"
@ -117,7 +117,7 @@ static const char kAudioSdpWithUnsupportedCodecs[] =
"a=sendonly\r\n"
"a=rtcp:16000 IN IP4 192.168.30.208\r\n"
"a=rtcp-mux\r\n"
"a=crypto:0 AES_CM_128_HMAC_SHA1_80 "
"a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
"inline:tvKIFjbMQ7W0/C2RzhwN0oQglj/7GJg+frdsNRxt\r\n"
"a=ice-ufrag:AI2sRT3r\r\n"
"a=ice-pwd:lByS9z2RSQlSE9XurlvjYmEm\r\n"

6
rtc_base/sslstreamadapter.cc
View File

@ -105,11 +105,7 @@ std::vector<int> GetSupportedDtlsSrtpCryptoSuites(
// Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by
// draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as
// well, and saves a few bytes per packet if it ends up selected.
// As the cipher suite is potentially insecure, it will only be used if
// enabled by both peers.
if (crypto_options.enable_aes128_sha1_32_crypto_cipher) {
crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32);
}
crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32);
crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80);
return crypto_suites;
}

6
rtc_base/sslstreamadapter.h
View File

@ -80,12 +80,6 @@ struct CryptoOptions {
// if both sides enable it.
bool enable_gcm_crypto_suites = false;
// If set to true, the (potentially insecure) crypto cipher
// SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers
// during negotiation. It will only be used if both peers support it and no
// other ciphers get preferred.
bool enable_aes128_sha1_32_crypto_cipher = false;
// If set to true, encrypted RTP header extensions as defined in RFC 6904
// will be negotiated. They will only be used if both peers support them.
bool enable_encrypted_rtp_header_extensions = false;

6
sdk/android/api/org/webrtc/PeerConnectionFactory.java
View File

@ -107,7 +107,6 @@ public class PeerConnectionFactory {
public int networkIgnoreMask;
public boolean disableEncryption;
public boolean disableNetworkMonitor;
public boolean enableAes128Sha1_32CryptoCipher;
@CalledByNative("Options")
int getNetworkIgnoreMask() {
@ -123,11 +122,6 @@ public class PeerConnectionFactory {
boolean getDisableNetworkMonitor() {
return disableNetworkMonitor;
}
@CalledByNative("Options")
boolean getEnableAes128Sha1_32CryptoCipher() {
return enableAes128Sha1_32CryptoCipher;
}
}
/**

5
sdk/android/src/jni/pc/peerconnectionfactory.cc
View File

@ -52,8 +52,6 @@ JavaToNativePeerConnectionFactoryOptions(JNIEnv* jni,
bool disable_encryption = Java_Options_getDisableEncryption(jni, options);
bool disable_network_monitor =
Java_Options_getDisableNetworkMonitor(jni, options);
bool enable_aes128_sha1_32_crypto_cipher =
Java_Options_getEnableAes128Sha1_32CryptoCipher(jni, options);
PeerConnectionFactoryInterface::Options native_options;
@ -62,9 +60,6 @@ JavaToNativePeerConnectionFactoryOptions(JNIEnv* jni,
native_options.network_ignore_mask = network_ignore_mask;
native_options.disable_encryption = disable_encryption;
native_options.disable_network_monitor = disable_network_monitor;
native_options.crypto_options.enable_aes128_sha1_32_crypto_cipher =
enable_aes128_sha1_32_crypto_cipher;
return native_options;
}
} // namespace

3
sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm
View File

@ -34,7 +34,6 @@ void setNetworkBit(webrtc::PeerConnectionFactoryInterface::Options* options,
@synthesize ignoreCellularNetworkAdapter = _ignoreCellularNetworkAdapter;
@synthesize ignoreWiFiNetworkAdapter = _ignoreWiFiNetworkAdapter;
@synthesize ignoreEthernetNetworkAdapter = _ignoreEthernetNetworkAdapter;
@synthesize enableAes128Sha1_32CryptoCipher = _enableAes128Sha1_32CryptoCipher;
- (instancetype)init {
return [super init];
@ -51,8 +50,6 @@ void setNetworkBit(webrtc::PeerConnectionFactoryInterface::Options* options,
setNetworkBit(&options, rtc::ADAPTER_TYPE_WIFI, self.ignoreWiFiNetworkAdapter);
setNetworkBit(&options, rtc::ADAPTER_TYPE_ETHERNET, self.ignoreEthernetNetworkAdapter);
options.crypto_options.enable_aes128_sha1_32_crypto_cipher = self.enableAes128Sha1_32CryptoCipher;
return options;
}

2
sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h
View File

@ -31,8 +31,6 @@ RTC_EXPORT
@property(nonatomic, assign) BOOL ignoreEthernetNetworkAdapter;
@property(nonatomic, assign) BOOL enableAes128Sha1_32CryptoCipher;
- (instancetype)init NS_DESIGNATED_INITIALIZER;
@end