diff --git a/p2p/base/dtlstransport_unittest.cc b/p2p/base/dtlstransport_unittest.cc index a96d8839b2..430b41dbc2 100644 --- a/p2p/base/dtlstransport_unittest.cc +++ b/p2p/base/dtlstransport_unittest.cc @@ -334,9 +334,9 @@ class DtlsTransportTestBase { if (use_dtls_) { // Check that we negotiated the right ciphers. Since GCM ciphers are not - // negotiated by default, we should end up with SRTP_AES128_CM_SHA1_80. - client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80); - client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80); + // negotiated by default, we should end up with SRTP_AES128_CM_SHA1_32. + client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_32); + client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_32); } else { // If DTLS isn't actually being used, GetSrtpCryptoSuite should return // false. diff --git a/pc/mediasession.cc b/pc/mediasession.cc index e67a7d2dda..a2f47dcb27 100644 --- a/pc/mediasession.cc +++ b/pc/mediasession.cc @@ -194,17 +194,14 @@ bool FindMatchingCrypto(const CryptoParamsVec& cryptos, return false; } -// For audio, HMAC 32 (if enabled) is prefered over HMAC 80 because of the -// low overhead. +// For audio, HMAC 32 is prefered over HMAC 80 because of the low overhead. void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, std::vector* crypto_suites) { if (crypto_options.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } - if (crypto_options.enable_aes128_sha1_32_crypto_cipher) { - crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32); - } + crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32); crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_80); } @@ -248,8 +245,8 @@ void GetSupportedDataSdesCryptoSuiteNames( } // Support any GCM cipher (if enabled through options). For video support only -// 80-bit SHA1 HMAC. For audio 32-bit HMAC is tolerated (if enabled) unless -// bundle is enabled because it is low overhead. +// 80-bit SHA1 HMAC. For audio 32-bit HMAC is tolerated unless bundle is enabled +// because it is low overhead. // Pick the crypto in the list that is supported. static bool SelectCrypto(const MediaContentDescription* offer, bool bundle, @@ -264,7 +261,7 @@ static bool SelectCrypto(const MediaContentDescription* offer, rtc::IsGcmCryptoSuiteName(i->cipher_suite)) || rtc::CS_AES_CM_128_HMAC_SHA1_80 == i->cipher_suite || (rtc::CS_AES_CM_128_HMAC_SHA1_32 == i->cipher_suite && audio && - !bundle && crypto_options.enable_aes128_sha1_32_crypto_cipher)) { + !bundle)) { return CreateCryptoParams(i->tag, i->cipher_suite, crypto); } } diff --git a/pc/mediasession_unittest.cc b/pc/mediasession_unittest.cc index f37d8d4ef6..971e568889 100644 --- a/pc/mediasession_unittest.cc +++ b/pc/mediasession_unittest.cc @@ -213,11 +213,6 @@ static const char* kMediaProtocolsDtls[] = { "TCP/TLS/RTP/SAVPF", "TCP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF", "UDP/TLS/RTP/SAVP"}; -// SRTP cipher name negotiated by the tests. This must be updated if the -// default changes. -static const char* kDefaultSrtpCryptoSuite = CS_AES_CM_128_HMAC_SHA1_80; -static const char* kDefaultSrtpCryptoSuiteGcm = CS_AEAD_AES_256_GCM; - // These constants are used to make the code using "AddMediaSection" more // readable. static constexpr bool kStopped = true; @@ -550,7 +545,7 @@ class MediaSessionDescriptionFactoryTest : public testing::Test { EXPECT_TRUE(CompareCryptoParams(audio_media_desc->cryptos(), video_media_desc->cryptos())); EXPECT_EQ(1u, audio_media_desc->cryptos().size()); - EXPECT_EQ(std::string(kDefaultSrtpCryptoSuite), + EXPECT_EQ(std::string(CS_AES_CM_128_HMAC_SHA1_80), audio_media_desc->cryptos()[0].cipher_suite); // Verify the selected crypto is one from the reference audio @@ -641,18 +636,18 @@ class MediaSessionDescriptionFactoryTest : public testing::Test { EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux if (gcm_offer && gcm_answer) { - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm); + ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM); } else { - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32); } EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type()); EXPECT_EQ(MAKE_VECTOR(kVideoCodecsAnswer), vcd->codecs()); EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached EXPECT_TRUE(vcd->rtcp_mux()); // negotiated rtcp-mux if (gcm_offer && gcm_answer) { - ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuiteGcm); + ASSERT_CRYPTO(vcd, 1U, CS_AEAD_AES_256_GCM); } else { - ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); } EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol()); } @@ -681,7 +676,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioOffer) { EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached. EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto) EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol()); } @@ -705,14 +700,14 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateVideoOffer) { EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto) EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol()); EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type()); EXPECT_EQ(f1_.video_codecs(), vcd->codecs()); EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached EXPECT_EQ(kAutoBandwidth, vcd->bandwidth()); // default bandwidth (auto) EXPECT_TRUE(vcd->rtcp_mux()); // rtcp-mux defaults on - ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol()); } @@ -783,11 +778,11 @@ TEST_F(MediaSessionDescriptionFactoryTest, EXPECT_TRUE(NULL != acd); EXPECT_TRUE(NULL != dcd); - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol()); - ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol()); - ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol()); } @@ -812,7 +807,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateRtpDataOffer) { EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attched. EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto) EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol()); EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type()); EXPECT_EQ(f1_.data_codecs(), dcd->codecs()); @@ -820,7 +815,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateRtpDataOffer) { EXPECT_EQ(cricket::kDataMaxBandwidth, dcd->bandwidth()); // default bandwidth (auto) EXPECT_TRUE(dcd->rtcp_mux()); // rtcp-mux defaults on - ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol()); } @@ -948,7 +943,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioAnswer) { EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol()); } @@ -974,7 +969,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioAnswerGcm) { EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm); + ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol()); } @@ -1001,12 +996,12 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateVideoAnswer) { EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type()); EXPECT_EQ(MAKE_VECTOR(kVideoCodecsAnswer), vcd->codecs()); EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached EXPECT_TRUE(vcd->rtcp_mux()); // negotiated rtcp-mux - ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol()); } @@ -1050,12 +1045,12 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswer) { EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type()); EXPECT_EQ(MAKE_VECTOR(kDataCodecsAnswer), dcd->codecs()); EXPECT_EQ(0U, dcd->first_ssrc()); // no sender is attached EXPECT_TRUE(dcd->rtcp_mux()); // negotiated rtcp-mux - ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol()); } @@ -1082,12 +1077,12 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswerGcm) { EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm); + ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM); EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type()); EXPECT_EQ(MAKE_VECTOR(kDataCodecsAnswer), dcd->codecs()); EXPECT_EQ(0U, dcd->first_ssrc()); // no sender is attached EXPECT_TRUE(dcd->rtcp_mux()); // negotiated rtcp-mux - ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuiteGcm); + ASSERT_CRYPTO(dcd, 1U, CS_AEAD_AES_256_GCM); EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol()); } @@ -1648,11 +1643,11 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoOffer) { EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto) EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type()); EXPECT_EQ(f1_.video_codecs(), vcd->codecs()); - ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); const StreamParamsVec& video_streams = vcd->streams(); ASSERT_EQ(1U, video_streams.size()); @@ -1663,7 +1658,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoOffer) { EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type()); EXPECT_EQ(f1_.data_codecs(), dcd->codecs()); - ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); const StreamParamsVec& data_streams = dcd->streams(); ASSERT_EQ(2U, data_streams.size()); @@ -1678,7 +1673,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoOffer) { EXPECT_EQ(cricket::kDataMaxBandwidth, dcd->bandwidth()); // default bandwidth (auto) EXPECT_TRUE(dcd->rtcp_mux()); // rtcp-mux defaults on - ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); // Update the offer. Add a new video track that is not synched to the // other tracks and replace audio track 2 with audio track 3. @@ -1713,11 +1708,11 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoOffer) { EXPECT_EQ(vcd->codecs(), updated_vcd->codecs()); EXPECT_EQ(dcd->type(), updated_dcd->type()); EXPECT_EQ(dcd->codecs(), updated_dcd->codecs()); - ASSERT_CRYPTO(updated_acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(updated_acd, 2U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_TRUE(CompareCryptoParams(acd->cryptos(), updated_acd->cryptos())); - ASSERT_CRYPTO(updated_vcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(updated_vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_TRUE(CompareCryptoParams(vcd->cryptos(), updated_vcd->cryptos())); - ASSERT_CRYPTO(updated_dcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(updated_dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_TRUE(CompareCryptoParams(dcd->cryptos(), updated_dcd->cryptos())); const StreamParamsVec& updated_audio_streams = updated_acd->streams(); @@ -1826,9 +1821,9 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoAnswer) { const AudioContentDescription* acd = ac->media_description()->as_audio(); const VideoContentDescription* vcd = vc->media_description()->as_video(); const DataContentDescription* dcd = dc->media_description()->as_data(); - ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite); - ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite); - ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32); + ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); + ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_EQ(MEDIA_TYPE_AUDIO, acd->type()); EXPECT_EQ(MAKE_VECTOR(kAudioCodecsAnswer), acd->codecs()); @@ -1896,11 +1891,11 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateMultiStreamVideoAnswer) { const DataContentDescription* updated_dcd = dc->media_description()->as_data(); - ASSERT_CRYPTO(updated_acd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(updated_acd, 1U, CS_AES_CM_128_HMAC_SHA1_32); EXPECT_TRUE(CompareCryptoParams(acd->cryptos(), updated_acd->cryptos())); - ASSERT_CRYPTO(updated_vcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(updated_vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_TRUE(CompareCryptoParams(vcd->cryptos(), updated_vcd->cryptos())); - ASSERT_CRYPTO(updated_dcd, 1U, kDefaultSrtpCryptoSuite); + ASSERT_CRYPTO(updated_dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80); EXPECT_TRUE(CompareCryptoParams(dcd->cryptos(), updated_dcd->cryptos())); EXPECT_EQ(acd->type(), updated_acd->type()); @@ -2824,7 +2819,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCryptoDtls) { ASSERT_TRUE(audio_media_desc != NULL); video_media_desc = offer->GetContentDescriptionByName("video"); ASSERT_TRUE(video_media_desc != NULL); - EXPECT_EQ(1u, audio_media_desc->cryptos().size()); + EXPECT_EQ(2u, audio_media_desc->cryptos().size()); EXPECT_EQ(1u, video_media_desc->cryptos().size()); audio_trans_desc = offer->GetTransportDescriptionByName("audio"); diff --git a/pc/peerconnection_integrationtest.cc b/pc/peerconnection_integrationtest.cc index b0908561f6..788b432edd 100644 --- a/pc/peerconnection_integrationtest.cc +++ b/pc/peerconnection_integrationtest.cc @@ -107,7 +107,7 @@ static const char kDataChannelLabel[] = "data_channel"; // SRTP cipher name negotiated by the tests. This must be updated if the // default changes. -static const int kDefaultSrtpCryptoSuite = rtc::SRTP_AES128_CM_SHA1_80; +static const int kDefaultSrtpCryptoSuite = rtc::SRTP_AES128_CM_SHA1_32; static const int kDefaultSrtpCryptoSuiteGcm = rtc::SRTP_AEAD_AES_256_GCM; static const SocketAddress kDefaultLocalAddress("192.168.1.1", 0); @@ -1152,10 +1152,13 @@ class PeerConnectionIntegrationTest : public testing::Test { expected_callee_received_video_frames); } - void TestNegotiatedCipherSuite( - const PeerConnectionFactory::Options& caller_options, - const PeerConnectionFactory::Options& callee_options, - int expected_cipher_suite) { + void TestGcmNegotiationUsesCipherSuite(bool local_gcm_enabled, + bool remote_gcm_enabled, + int expected_cipher_suite) { + PeerConnectionFactory::Options caller_options; + caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled; + PeerConnectionFactory::Options callee_options; + callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled; ASSERT_TRUE(CreatePeerConnectionWrappersWithOptions(caller_options, callee_options)); rtc::scoped_refptr caller_observer = @@ -1174,17 +1177,6 @@ class PeerConnectionIntegrationTest : public testing::Test { caller()->pc()->RegisterUMAObserver(nullptr); } - void TestGcmNegotiationUsesCipherSuite(bool local_gcm_enabled, - bool remote_gcm_enabled, - int expected_cipher_suite) { - PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled; - PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled; - TestNegotiatedCipherSuite(caller_options, callee_options, - expected_cipher_suite); - } - private: // |ss_| is used by |network_thread_| so it must be destroyed later. std::unique_ptr ss_; @@ -2318,38 +2310,6 @@ TEST_F(PeerConnectionIntegrationTest, CallerDtls10ToCalleeDtls12) { kMaxWaitForFramesMs); } -TEST_F(PeerConnectionIntegrationTest, - Aes128Sha1_32_CipherNotUsedWhenOnlyCallerSupported) { - ASSERT_NE(rtc::SRTP_AES128_CM_SHA1_32, kDefaultSrtpCryptoSuite); - PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; - PeerConnectionFactory::Options callee_options; - int expected_cipher_suite = kDefaultSrtpCryptoSuite; - TestNegotiatedCipherSuite(caller_options, callee_options, - expected_cipher_suite); -} - -TEST_F(PeerConnectionIntegrationTest, - Aes128Sha1_32_CipherNotUsedWhenOnlyCalleeSupported) { - ASSERT_NE(rtc::SRTP_AES128_CM_SHA1_32, kDefaultSrtpCryptoSuite); - PeerConnectionFactory::Options caller_options; - PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; - int expected_cipher_suite = kDefaultSrtpCryptoSuite; - TestNegotiatedCipherSuite(caller_options, callee_options, - expected_cipher_suite); -} - -TEST_F(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherUsedWhenSupported) { - PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; - PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; - int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_32; - TestNegotiatedCipherSuite(caller_options, callee_options, - expected_cipher_suite); -} - // Test that a non-GCM cipher is used if both sides only support non-GCM. TEST_F(PeerConnectionIntegrationTest, NonGcmCipherUsedWhenGcmNotSupported) { bool local_gcm_enabled = false; diff --git a/pc/peerconnectioninterface_unittest.cc b/pc/peerconnectioninterface_unittest.cc index 0206003fab..e496e4ede6 100644 --- a/pc/peerconnectioninterface_unittest.cc +++ b/pc/peerconnectioninterface_unittest.cc @@ -320,7 +320,7 @@ static const char kDtlsSdesFallbackSdp[] = "a=fingerprint:sha-1 " "4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB\r\n" "a=setup:actpass\r\n" - "a=crypto:0 AES_CM_128_HMAC_SHA1_32 " + "a=crypto:1 AES_CM_128_HMAC_SHA1_32 " "inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32 " "dummy_session_params\r\n"; diff --git a/pc/test/testsdpstrings.h b/pc/test/testsdpstrings.h index 614a580e00..fc884a1de3 100644 --- a/pc/test/testsdpstrings.h +++ b/pc/test/testsdpstrings.h @@ -92,7 +92,7 @@ static const char kAudioSdp[] = "a=sendrecv\r\n" "a=rtcp:16000 IN IP4 192.168.30.208\r\n" "a=rtcp-mux\r\n" - "a=crypto:0 AES_CM_128_HMAC_SHA1_80 " + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 " "inline:tvKIFjbMQ7W0/C2RzhwN0oQglj/7GJg+frdsNRxt\r\n" "a=ice-ufrag:AI2sRT3r\r\n" "a=ice-pwd:lByS9z2RSQlSE9XurlvjYmEm\r\n" @@ -117,7 +117,7 @@ static const char kAudioSdpWithUnsupportedCodecs[] = "a=sendonly\r\n" "a=rtcp:16000 IN IP4 192.168.30.208\r\n" "a=rtcp-mux\r\n" - "a=crypto:0 AES_CM_128_HMAC_SHA1_80 " + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 " "inline:tvKIFjbMQ7W0/C2RzhwN0oQglj/7GJg+frdsNRxt\r\n" "a=ice-ufrag:AI2sRT3r\r\n" "a=ice-pwd:lByS9z2RSQlSE9XurlvjYmEm\r\n" diff --git a/rtc_base/sslstreamadapter.cc b/rtc_base/sslstreamadapter.cc index d52dc45629..b09c1440a4 100644 --- a/rtc_base/sslstreamadapter.cc +++ b/rtc_base/sslstreamadapter.cc @@ -105,11 +105,7 @@ std::vector GetSupportedDtlsSrtpCryptoSuites( // Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by // draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as // well, and saves a few bytes per packet if it ends up selected. - // As the cipher suite is potentially insecure, it will only be used if - // enabled by both peers. - if (crypto_options.enable_aes128_sha1_32_crypto_cipher) { - crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32); - } + crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32); crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80); return crypto_suites; } diff --git a/rtc_base/sslstreamadapter.h b/rtc_base/sslstreamadapter.h index eaf87d45d0..560dd591c0 100644 --- a/rtc_base/sslstreamadapter.h +++ b/rtc_base/sslstreamadapter.h @@ -80,12 +80,6 @@ struct CryptoOptions { // if both sides enable it. bool enable_gcm_crypto_suites = false; - // If set to true, the (potentially insecure) crypto cipher - // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers - // during negotiation. It will only be used if both peers support it and no - // other ciphers get preferred. - bool enable_aes128_sha1_32_crypto_cipher = false; - // If set to true, encrypted RTP header extensions as defined in RFC 6904 // will be negotiated. They will only be used if both peers support them. bool enable_encrypted_rtp_header_extensions = false; diff --git a/sdk/android/api/org/webrtc/PeerConnectionFactory.java b/sdk/android/api/org/webrtc/PeerConnectionFactory.java index d63480add5..79eca7e5d3 100644 --- a/sdk/android/api/org/webrtc/PeerConnectionFactory.java +++ b/sdk/android/api/org/webrtc/PeerConnectionFactory.java @@ -107,7 +107,6 @@ public class PeerConnectionFactory { public int networkIgnoreMask; public boolean disableEncryption; public boolean disableNetworkMonitor; - public boolean enableAes128Sha1_32CryptoCipher; @CalledByNative("Options") int getNetworkIgnoreMask() { @@ -123,11 +122,6 @@ public class PeerConnectionFactory { boolean getDisableNetworkMonitor() { return disableNetworkMonitor; } - - @CalledByNative("Options") - boolean getEnableAes128Sha1_32CryptoCipher() { - return enableAes128Sha1_32CryptoCipher; - } } /** diff --git a/sdk/android/src/jni/pc/peerconnectionfactory.cc b/sdk/android/src/jni/pc/peerconnectionfactory.cc index 59b2aff763..1a7008a426 100644 --- a/sdk/android/src/jni/pc/peerconnectionfactory.cc +++ b/sdk/android/src/jni/pc/peerconnectionfactory.cc @@ -52,8 +52,6 @@ JavaToNativePeerConnectionFactoryOptions(JNIEnv* jni, bool disable_encryption = Java_Options_getDisableEncryption(jni, options); bool disable_network_monitor = Java_Options_getDisableNetworkMonitor(jni, options); - bool enable_aes128_sha1_32_crypto_cipher = - Java_Options_getEnableAes128Sha1_32CryptoCipher(jni, options); PeerConnectionFactoryInterface::Options native_options; @@ -62,9 +60,6 @@ JavaToNativePeerConnectionFactoryOptions(JNIEnv* jni, native_options.network_ignore_mask = network_ignore_mask; native_options.disable_encryption = disable_encryption; native_options.disable_network_monitor = disable_network_monitor; - - native_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = - enable_aes128_sha1_32_crypto_cipher; return native_options; } } // namespace diff --git a/sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm b/sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm index b5e9d74d61..f0cc6a6c81 100644 --- a/sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm +++ b/sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm @@ -34,7 +34,6 @@ void setNetworkBit(webrtc::PeerConnectionFactoryInterface::Options* options, @synthesize ignoreCellularNetworkAdapter = _ignoreCellularNetworkAdapter; @synthesize ignoreWiFiNetworkAdapter = _ignoreWiFiNetworkAdapter; @synthesize ignoreEthernetNetworkAdapter = _ignoreEthernetNetworkAdapter; -@synthesize enableAes128Sha1_32CryptoCipher = _enableAes128Sha1_32CryptoCipher; - (instancetype)init { return [super init]; @@ -51,8 +50,6 @@ void setNetworkBit(webrtc::PeerConnectionFactoryInterface::Options* options, setNetworkBit(&options, rtc::ADAPTER_TYPE_WIFI, self.ignoreWiFiNetworkAdapter); setNetworkBit(&options, rtc::ADAPTER_TYPE_ETHERNET, self.ignoreEthernetNetworkAdapter); - options.crypto_options.enable_aes128_sha1_32_crypto_cipher = self.enableAes128Sha1_32CryptoCipher; - return options; } diff --git a/sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h b/sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h index 33faa1e6aa..a65abc6c8b 100644 --- a/sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h +++ b/sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h @@ -31,8 +31,6 @@ RTC_EXPORT @property(nonatomic, assign) BOOL ignoreEthernetNetworkAdapter; -@property(nonatomic, assign) BOOL enableAes128Sha1_32CryptoCipher; - - (instancetype)init NS_DESIGNATED_INITIALIZER; @end