From 8f4bc41c42318534a564e75e48b01f065f2cbc57 Mon Sep 17 00:00:00 2001 From: Oleh Prypin Date: Thu, 11 Oct 2018 21:10:39 +0000 Subject: [PATCH] Revert "Move CryptoOptions to api/crypto from rtc_base/sslstreamadapter.h" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit ac2f3d14e45398930bc35ff05ed7a3b9b617d328. Reason for revert: Breaks downstream project Original change's description: > Move CryptoOptions to api/crypto from rtc_base/sslstreamadapter.h > > Promotes rtc::CryptoOptions to webrtc::CryptoOptions converting it from class > that only handles SRTP configuration to a more generic structure that can be > used and extended for all per peer connection CryptoOptions that can be on a > given PeerConnection. > > Now all SRTP related options are under webrtc::CryptoOptions::Srtp and can be > accessed as crypto_options.srtp.whatever_option_name. This is more inline with > other structures we have in WebRTC such as VideoConfig. As additional features > are added over time this will allow the structure to remain compartmentalized > and concerned components can only request a subset of the overall configuration > structure e.g: > > void MySrtpFunction(const webrtc::CryptoOptions::Srtp& srtp_config); > > In addition to this it made little sense for sslstreamadapter.h to hold all > Srtp related configuration options. The header has become loo large and takes on > too many responsibilities and spilting this up will lead to more maintainable > code going forward. > > This will be used in a future CL to enable configuration options for the newly > supported Frame Crypto. > > Change-Id: I99d1be36740c59548c8e62db52d68d738649707f > Bug: webrtc:9681 > Reviewed-on: https://webrtc-review.googlesource.com/c/105180 > Reviewed-by: Emad Omara > Reviewed-by: Kári Helgason > Reviewed-by: Sami Kalliomäki > Reviewed-by: Qingsi Wang > Reviewed-by: Steve Anton > Commit-Queue: Benjamin Wright > Cr-Commit-Position: refs/heads/master@{#25130} TBR=steveanton@webrtc.org,sakal@webrtc.org,kthelgason@webrtc.org,emadomara@webrtc.org,qingsi@webrtc.org,benwright@webrtc.org Bug: webrtc:9681 Change-Id: Ib0075c477c951b540d4deecb3b0cf8cf86ba0fff Reviewed-on: https://webrtc-review.googlesource.com/c/105541 Reviewed-by: Oleh Prypin Commit-Queue: Oleh Prypin Cr-Commit-Position: refs/heads/master@{#25133} --- api/BUILD.gn | 2 - api/crypto/cryptooptions.cc | 52 --------------- api/crypto/cryptooptions.h | 64 ------------------- api/cryptoparams.h | 2 - api/peerconnectioninterface.h | 5 +- p2p/base/dtlstransport.cc | 10 +-- p2p/base/dtlstransport.h | 9 ++- p2p/base/dtlstransport_unittest.cc | 4 +- p2p/base/dtlstransportinternal.h | 3 +- p2p/base/fakedtlstransport.h | 7 +- p2p/base/transportfactoryinterface.h | 2 +- pc/channel.cc | 10 +-- pc/channel.h | 10 +-- pc/channel_unittest.cc | 6 +- pc/channelmanager.cc | 6 +- pc/channelmanager.h | 6 +- pc/channelmanager_unittest.cc | 6 +- pc/jseptransportcontroller.cc | 2 +- pc/jseptransportcontroller.h | 4 +- pc/jseptransportcontroller_unittest.cc | 2 +- pc/mediasession.cc | 43 ++++++------- pc/mediasession.h | 23 +++---- pc/mediasession_unittest.cc | 8 +-- pc/peerconnection.cc | 2 +- pc/peerconnection_crypto_unittest.cc | 6 +- pc/peerconnection_integrationtest.cc | 22 +++---- pc/peerconnectionfactory.cc | 11 ---- pc/rtpsenderreceiver_unittest.cc | 4 +- pc/test/fakepeerconnectionforstats.h | 4 +- rtc_base/sslstreamadapter.cc | 26 ++++++++ rtc_base/sslstreamadapter.h | 28 ++++++++ .../src/jni/pc/peerconnectionfactory.cc | 4 +- .../RTCPeerConnectionFactoryOptions.mm | 5 +- 33 files changed, 153 insertions(+), 245 deletions(-) delete mode 100644 api/crypto/cryptooptions.cc delete mode 100644 api/crypto/cryptooptions.h diff --git a/api/BUILD.gn b/api/BUILD.gn index c420b10a41..60eb7514c2 100644 --- a/api/BUILD.gn +++ b/api/BUILD.gn @@ -52,8 +52,6 @@ rtc_static_library("libjingle_peerconnection_api") { "bitrate_constraints.h", "candidate.cc", "candidate.h", - "crypto/cryptooptions.cc", - "crypto/cryptooptions.h", "crypto/framedecryptorinterface.h", "crypto/frameencryptorinterface.h", "cryptoparams.h", diff --git a/api/crypto/cryptooptions.cc b/api/crypto/cryptooptions.cc deleted file mode 100644 index ed6db471d5..0000000000 --- a/api/crypto/cryptooptions.cc +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright 2018 The WebRTC Project Authors. All rights reserved. - * - * Use of this source code is governed by a BSD-style license - * that can be found in the LICENSE file in the root of the source - * tree. An additional intellectual property rights grant can be found - * in the file PATENTS. All contributing project authors may - * be found in the AUTHORS file in the root of the source tree. - */ - -#include "api/crypto/cryptooptions.h" -#include "rtc_base/sslstreamadapter.h" - -namespace webrtc { - -CryptoOptions::CryptoOptions() {} - -CryptoOptions::CryptoOptions(const CryptoOptions& other) { - enable_gcm_crypto_suites = other.enable_gcm_crypto_suites; - enable_encrypted_rtp_header_extensions = - other.enable_encrypted_rtp_header_extensions; - srtp = other.srtp; -} - -CryptoOptions::~CryptoOptions() {} - -// static -CryptoOptions CryptoOptions::NoGcm() { - CryptoOptions options; - options.srtp.enable_gcm_crypto_suites = false; - return options; -} - -std::vector CryptoOptions::GetSupportedDtlsSrtpCryptoSuites() const { - std::vector crypto_suites; - if (srtp.enable_gcm_crypto_suites) { - crypto_suites.push_back(rtc::SRTP_AEAD_AES_256_GCM); - crypto_suites.push_back(rtc::SRTP_AEAD_AES_128_GCM); - } - // Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by - // draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as - // well, and saves a few bytes per packet if it ends up selected. - // As the cipher suite is potentially insecure, it will only be used if - // enabled by both peers. - if (srtp.enable_aes128_sha1_32_crypto_cipher) { - crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32); - } - crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80); - return crypto_suites; -} - -} // namespace webrtc diff --git a/api/crypto/cryptooptions.h b/api/crypto/cryptooptions.h deleted file mode 100644 index d2e62248b5..0000000000 --- a/api/crypto/cryptooptions.h +++ /dev/null @@ -1,64 +0,0 @@ -/* - * Copyright 2018 The WebRTC Project Authors. All rights reserved. - * - * Use of this source code is governed by a BSD-style license - * that can be found in the LICENSE file in the root of the source - * tree. An additional intellectual property rights grant can be found - * in the file PATENTS. All contributing project authors may - * be found in the AUTHORS file in the root of the source tree. - */ - -#ifndef API_CRYPTO_CRYPTOOPTIONS_H_ -#define API_CRYPTO_CRYPTOOPTIONS_H_ - -#include -#include "absl/types/optional.h" - -namespace webrtc { - -// CryptoOptions defines advanced cryptographic settings for native WebRTC. -// These settings must be passed into PeerConnectionFactoryInterface::Options -// and are only applicable to native use cases of WebRTC. -struct CryptoOptions { - CryptoOptions(); - CryptoOptions(const CryptoOptions& other); - ~CryptoOptions(); - - // Helper method to return an instance of the CryptoOptions with GCM crypto - // suites disabled. This method should be used instead of depending on current - // default values set by the constructor. - static CryptoOptions NoGcm(); - - // Returns a list of the supported DTLS-SRTP Crypto suites based on this set - // of crypto options. - std::vector GetSupportedDtlsSrtpCryptoSuites() const; - - // TODO(webrtc:9859) - Remove duplicates once chromium is fixed. - // Will be removed once srtp.enable_gcm_crypto_suites is updated in Chrome. - absl::optional enable_gcm_crypto_suites; - // TODO(webrtc:9859) - Remove duplicates once chromium is fixed. - // Will be removed once srtp.enable_encrypted_rtp_header_extensions is - // updated in Chrome. - absl::optional enable_encrypted_rtp_header_extensions; - - // SRTP Related Peer Connection options. - struct Srtp { - // Enable GCM crypto suites from RFC 7714 for SRTP. GCM will only be used - // if both sides enable it. - bool enable_gcm_crypto_suites = false; - - // If set to true, the (potentially insecure) crypto cipher - // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers - // during negotiation. It will only be used if both peers support it and no - // other ciphers get preferred. - bool enable_aes128_sha1_32_crypto_cipher = false; - - // If set to true, encrypted RTP header extensions as defined in RFC 6904 - // will be negotiated. They will only be used if both peers support them. - bool enable_encrypted_rtp_header_extensions = false; - } srtp; -}; - -} // namespace webrtc - -#endif // API_CRYPTO_CRYPTOOPTIONS_H_ diff --git a/api/cryptoparams.h b/api/cryptoparams.h index abe9055462..2350528358 100644 --- a/api/cryptoparams.h +++ b/api/cryptoparams.h @@ -16,8 +16,6 @@ namespace cricket { // Parameters for SRTP negotiation, as described in RFC 4568. -// TODO(benwright) - Rename to SrtpCryptoParams as these only apply to SRTP and -// not generic crypto parameters for WebRTC. struct CryptoParams { CryptoParams() : tag(0) {} CryptoParams(int t, diff --git a/api/peerconnectioninterface.h b/api/peerconnectioninterface.h index 141b2c9272..3d8a9c1e41 100644 --- a/api/peerconnectioninterface.h +++ b/api/peerconnectioninterface.h @@ -77,7 +77,6 @@ #include "api/audio_codecs/audio_encoder_factory.h" #include "api/audio_options.h" #include "api/call/callfactoryinterface.h" -#include "api/crypto/cryptooptions.h" #include "api/datachannelinterface.h" #include "api/fec_controller.h" #include "api/jsep.h" @@ -1181,7 +1180,7 @@ class PeerConnectionFactoryInterface : public rtc::RefCountInterface { public: class Options { public: - Options() {} + Options() : crypto_options(rtc::CryptoOptions::NoGcm()) {} // If set to true, created PeerConnections won't enforce any SRTP // requirement, allowing unsecured media. Should only be used for @@ -1210,7 +1209,7 @@ class PeerConnectionFactoryInterface : public rtc::RefCountInterface { rtc::SSLProtocolVersion ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12; // Sets crypto related options, e.g. enabled cipher suites. - CryptoOptions crypto_options = CryptoOptions::NoGcm(); + rtc::CryptoOptions crypto_options; }; // Set the options to be used for subsequently created PeerConnections. diff --git a/p2p/base/dtlstransport.cc b/p2p/base/dtlstransport.cc index f498253c25..314f63ce74 100644 --- a/p2p/base/dtlstransport.cc +++ b/p2p/base/dtlstransport.cc @@ -114,12 +114,12 @@ void StreamInterfaceChannel::Close() { } DtlsTransport::DtlsTransport(IceTransportInternal* ice_transport, - const webrtc::CryptoOptions& crypto_options) + const rtc::CryptoOptions& crypto_options) : transport_name_(ice_transport->transport_name()), component_(ice_transport->component()), ice_transport_(ice_transport), downward_(NULL), - srtp_ciphers_(crypto_options.GetSupportedDtlsSrtpCryptoSuites()), + srtp_ciphers_(GetSupportedDtlsSrtpCryptoSuites(crypto_options)), ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_12), crypto_options_(crypto_options) { RTC_DCHECK(ice_transport_); @@ -128,13 +128,13 @@ DtlsTransport::DtlsTransport(IceTransportInternal* ice_transport, DtlsTransport::DtlsTransport( std::unique_ptr ice_transport, - const webrtc::CryptoOptions& crypto_options) + const rtc::CryptoOptions& crypto_options) : transport_name_(ice_transport->transport_name()), component_(ice_transport->component()), ice_transport_(ice_transport.get()), owned_ice_transport_(std::move(ice_transport)), downward_(NULL), - srtp_ciphers_(crypto_options.GetSupportedDtlsSrtpCryptoSuites()), + srtp_ciphers_(GetSupportedDtlsSrtpCryptoSuites(crypto_options)), ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_12), crypto_options_(crypto_options) { RTC_DCHECK(owned_ice_transport_); @@ -143,7 +143,7 @@ DtlsTransport::DtlsTransport( DtlsTransport::~DtlsTransport() = default; -const webrtc::CryptoOptions& DtlsTransport::crypto_options() const { +const rtc::CryptoOptions& DtlsTransport::crypto_options() const { return crypto_options_; } diff --git a/p2p/base/dtlstransport.h b/p2p/base/dtlstransport.h index 2eafc9e8d5..456f375a10 100644 --- a/p2p/base/dtlstransport.h +++ b/p2p/base/dtlstransport.h @@ -15,7 +15,6 @@ #include #include -#include "api/crypto/cryptooptions.h" #include "p2p/base/dtlstransportinternal.h" #include "p2p/base/icetransportinternal.h" #include "rtc_base/buffer.h" @@ -97,13 +96,13 @@ class DtlsTransport : public DtlsTransportInternal { // whether GCM crypto suites are negotiated. // TODO(zhihuang): Remove this once we switch to JsepTransportController. explicit DtlsTransport(IceTransportInternal* ice_transport, - const webrtc::CryptoOptions& crypto_options); + const rtc::CryptoOptions& crypto_options); explicit DtlsTransport(std::unique_ptr ice_transport, - const webrtc::CryptoOptions& crypto_options); + const rtc::CryptoOptions& crypto_options); ~DtlsTransport() override; - const webrtc::CryptoOptions& crypto_options() const override; + const rtc::CryptoOptions& crypto_options() const override; DtlsTransportState dtls_state() const override; const std::string& transport_name() const override; int component() const override; @@ -232,7 +231,7 @@ class DtlsTransport : public DtlsTransportInternal { rtc::scoped_refptr local_certificate_; absl::optional dtls_role_; rtc::SSLProtocolVersion ssl_max_version_; - webrtc::CryptoOptions crypto_options_; + rtc::CryptoOptions crypto_options_; rtc::Buffer remote_fingerprint_value_; std::string remote_fingerprint_algorithm_; diff --git a/p2p/base/dtlstransport_unittest.cc b/p2p/base/dtlstransport_unittest.cc index 8dfbf6106c..3cf423e851 100644 --- a/p2p/base/dtlstransport_unittest.cc +++ b/p2p/base/dtlstransport_unittest.cc @@ -86,8 +86,8 @@ class DtlsTestClient : public sigslot::has_slots<> { fake_ice_transport_->SignalReadPacket.connect( this, &DtlsTestClient::OnFakeIceTransportReadPacket); - dtls_transport_ = absl::make_unique( - fake_ice_transport_.get(), webrtc::CryptoOptions()); + dtls_transport_.reset( + new DtlsTransport(fake_ice_transport_.get(), rtc::CryptoOptions())); dtls_transport_->SetSslMaxProtocolVersion(ssl_max_version_); // Note: Certificate may be null here if testing passthrough. dtls_transport_->SetLocalCertificate(certificate_); diff --git a/p2p/base/dtlstransportinternal.h b/p2p/base/dtlstransportinternal.h index a7137449f4..238057e4c9 100644 --- a/p2p/base/dtlstransportinternal.h +++ b/p2p/base/dtlstransportinternal.h @@ -15,7 +15,6 @@ #include #include -#include "api/crypto/cryptooptions.h" #include "p2p/base/icetransportinternal.h" #include "p2p/base/packettransportinternal.h" #include "rtc_base/sslstreamadapter.h" @@ -51,7 +50,7 @@ class DtlsTransportInternal : public rtc::PacketTransportInternal { public: ~DtlsTransportInternal() override; - virtual const webrtc::CryptoOptions& crypto_options() const = 0; + virtual const rtc::CryptoOptions& crypto_options() const = 0; virtual DtlsTransportState dtls_state() const = 0; diff --git a/p2p/base/fakedtlstransport.h b/p2p/base/fakedtlstransport.h index c4f9d2c239..cb944d3db5 100644 --- a/p2p/base/fakedtlstransport.h +++ b/p2p/base/fakedtlstransport.h @@ -17,7 +17,6 @@ #include #include "absl/memory/memory.h" -#include "api/crypto/cryptooptions.h" #include "p2p/base/dtlstransportinternal.h" #include "p2p/base/fakeicetransport.h" #include "rtc_base/fakesslidentity.h" @@ -150,10 +149,10 @@ class FakeDtlsTransport : public DtlsTransportInternal { *role = *dtls_role_; return true; } - const webrtc::CryptoOptions& crypto_options() const override { + const rtc::CryptoOptions& crypto_options() const override { return crypto_options_; } - void SetCryptoOptions(const webrtc::CryptoOptions& crypto_options) { + void SetCryptoOptions(const rtc::CryptoOptions& crypto_options) { crypto_options_ = crypto_options; } bool SetLocalCertificate( @@ -273,7 +272,7 @@ class FakeDtlsTransport : public DtlsTransportInternal { rtc::SSLFingerprint dtls_fingerprint_; absl::optional dtls_role_; int crypto_suite_ = rtc::SRTP_AES128_CM_SHA1_80; - webrtc::CryptoOptions crypto_options_; + rtc::CryptoOptions crypto_options_; DtlsTransportState dtls_state_ = DTLS_TRANSPORT_NEW; diff --git a/p2p/base/transportfactoryinterface.h b/p2p/base/transportfactoryinterface.h index 9805db005c..ce32ee8483 100644 --- a/p2p/base/transportfactoryinterface.h +++ b/p2p/base/transportfactoryinterface.h @@ -34,7 +34,7 @@ class TransportFactoryInterface { virtual std::unique_ptr CreateDtlsTransport( std::unique_ptr ice, - const webrtc::CryptoOptions& crypto_options) = 0; + const rtc::CryptoOptions& crypto_options) = 0; }; } // namespace cricket diff --git a/pc/channel.cc b/pc/channel.cc index cd1534ffec..b63cea7cec 100644 --- a/pc/channel.cc +++ b/pc/channel.cc @@ -101,7 +101,7 @@ BaseChannel::BaseChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - webrtc::CryptoOptions crypto_options) + rtc::CryptoOptions crypto_options) : worker_thread_(worker_thread), network_thread_(network_thread), signaling_thread_(signaling_thread), @@ -673,7 +673,7 @@ bool BaseChannel::UpdateRemoteStreams_w( RtpHeaderExtensions BaseChannel::GetFilteredRtpHeaderExtensions( const RtpHeaderExtensions& extensions) { RTC_DCHECK(rtp_transport_); - if (crypto_options_.srtp.enable_encrypted_rtp_header_extensions) { + if (crypto_options_.enable_encrypted_rtp_header_extensions) { RtpHeaderExtensions filtered; auto pred = [](const webrtc::RtpExtension& extension) { return !extension.encrypt; @@ -742,7 +742,7 @@ VoiceChannel::VoiceChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - webrtc::CryptoOptions crypto_options) + rtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, @@ -881,7 +881,7 @@ VideoChannel::VideoChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - webrtc::CryptoOptions crypto_options) + rtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, @@ -1019,7 +1019,7 @@ RtpDataChannel::RtpDataChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - webrtc::CryptoOptions crypto_options) + rtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, diff --git a/pc/channel.h b/pc/channel.h index 535f64ee68..ba584690ba 100644 --- a/pc/channel.h +++ b/pc/channel.h @@ -82,7 +82,7 @@ class BaseChannel : public rtc::MessageHandler, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - webrtc::CryptoOptions crypto_options); + rtc::CryptoOptions crypto_options); virtual ~BaseChannel(); void Init_w(webrtc::RtpTransportInternal* rtp_transport); @@ -313,7 +313,7 @@ class BaseChannel : public rtc::MessageHandler, bool was_ever_writable_ = false; bool has_received_packet_ = false; const bool srtp_required_ = true; - webrtc::CryptoOptions crypto_options_; + rtc::CryptoOptions crypto_options_; // MediaChannel related members that should be accessed from the worker // thread. @@ -343,7 +343,7 @@ class VoiceChannel : public BaseChannel { std::unique_ptr channel, const std::string& content_name, bool srtp_required, - webrtc::CryptoOptions crypto_options); + rtc::CryptoOptions crypto_options); ~VoiceChannel(); // downcasts a MediaChannel @@ -383,7 +383,7 @@ class VideoChannel : public BaseChannel { std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - webrtc::CryptoOptions crypto_options); + rtc::CryptoOptions crypto_options); ~VideoChannel(); // downcasts a MediaChannel @@ -422,7 +422,7 @@ class RtpDataChannel : public BaseChannel { std::unique_ptr channel, const std::string& content_name, bool srtp_required, - webrtc::CryptoOptions crypto_options); + rtc::CryptoOptions crypto_options); ~RtpDataChannel(); // TODO(zhihuang): Remove this once the RtpTransport can be shared between // BaseChannels. diff --git a/pc/channel_unittest.cc b/pc/channel_unittest.cc index 94f38c9a39..58cb17b8bb 100644 --- a/pc/channel_unittest.cc +++ b/pc/channel_unittest.cc @@ -250,7 +250,7 @@ class ChannelTest : public testing::Test, public sigslot::has_slots<> { rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, engine, std::move(ch), - cricket::CN_AUDIO, (flags & DTLS) != 0, webrtc::CryptoOptions()); + cricket::CN_AUDIO, (flags & DTLS) != 0, rtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } @@ -1545,7 +1545,7 @@ std::unique_ptr ChannelTest::CreateChannel( rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, std::move(ch), - cricket::CN_VIDEO, (flags & DTLS) != 0, webrtc::CryptoOptions()); + cricket::CN_VIDEO, (flags & DTLS) != 0, rtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } @@ -2164,7 +2164,7 @@ std::unique_ptr ChannelTest::CreateChannel( rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, std::move(ch), - cricket::CN_DATA, (flags & DTLS) != 0, webrtc::CryptoOptions()); + cricket::CN_DATA, (flags & DTLS) != 0, rtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } diff --git a/pc/channelmanager.cc b/pc/channelmanager.cc index 1c80719949..dab622ad70 100644 --- a/pc/channelmanager.cc +++ b/pc/channelmanager.cc @@ -159,7 +159,7 @@ VoiceChannel* ChannelManager::CreateVoiceChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, const AudioOptions& options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { @@ -226,7 +226,7 @@ VideoChannel* ChannelManager::CreateVideoChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, const VideoOptions& options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { @@ -291,7 +291,7 @@ RtpDataChannel* ChannelManager::CreateRtpDataChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const webrtc::CryptoOptions& crypto_options) { + const rtc::CryptoOptions& crypto_options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { return CreateRtpDataChannel(media_config, rtp_transport, signaling_thread, diff --git a/pc/channelmanager.h b/pc/channelmanager.h index 6430f8ee84..c6b601ea8f 100644 --- a/pc/channelmanager.h +++ b/pc/channelmanager.h @@ -86,7 +86,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, const AudioOptions& options); // Destroys a voice channel created by CreateVoiceChannel. void DestroyVoiceChannel(VoiceChannel* voice_channel); @@ -100,7 +100,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, const VideoOptions& options); // Destroys a video channel created by CreateVideoChannel. void DestroyVideoChannel(VideoChannel* video_channel); @@ -111,7 +111,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const webrtc::CryptoOptions& crypto_options); + const rtc::CryptoOptions& crypto_options); // Destroys a data channel created by CreateRtpDataChannel. void DestroyRtpDataChannel(RtpDataChannel* data_channel); diff --git a/pc/channelmanager_unittest.cc b/pc/channelmanager_unittest.cc index 053166ba13..47c95306ee 100644 --- a/pc/channelmanager_unittest.cc +++ b/pc/channelmanager_unittest.cc @@ -65,16 +65,16 @@ class ChannelManagerTest : public testing::Test { cricket::VoiceChannel* voice_channel = cm_->CreateVoiceChannel( &fake_call_, cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), cricket::CN_AUDIO, kDefaultSrtpRequired, - webrtc::CryptoOptions(), AudioOptions()); + rtc::CryptoOptions(), AudioOptions()); EXPECT_TRUE(voice_channel != nullptr); cricket::VideoChannel* video_channel = cm_->CreateVideoChannel( &fake_call_, cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), cricket::CN_VIDEO, kDefaultSrtpRequired, - webrtc::CryptoOptions(), VideoOptions()); + rtc::CryptoOptions(), VideoOptions()); EXPECT_TRUE(video_channel != nullptr); cricket::RtpDataChannel* rtp_data_channel = cm_->CreateRtpDataChannel( cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), - cricket::CN_DATA, kDefaultSrtpRequired, webrtc::CryptoOptions()); + cricket::CN_DATA, kDefaultSrtpRequired, rtc::CryptoOptions()); EXPECT_TRUE(rtp_data_channel != nullptr); cm_->DestroyVideoChannel(video_channel); cm_->DestroyVoiceChannel(voice_channel); diff --git a/pc/jseptransportcontroller.cc b/pc/jseptransportcontroller.cc index 19a2d40275..1847d95c94 100644 --- a/pc/jseptransportcontroller.cc +++ b/pc/jseptransportcontroller.cc @@ -814,7 +814,7 @@ std::vector JsepTransportController::GetEncryptedHeaderExtensionIds( static_cast( content_info.description); - if (!config_.crypto_options.srtp.enable_encrypted_rtp_header_extensions) { + if (!config_.crypto_options.enable_encrypted_rtp_header_extensions) { return std::vector(); } diff --git a/pc/jseptransportcontroller.h b/pc/jseptransportcontroller.h index 518d31060f..bca4481624 100644 --- a/pc/jseptransportcontroller.h +++ b/pc/jseptransportcontroller.h @@ -18,7 +18,6 @@ #include #include "api/candidate.h" -#include "api/crypto/cryptooptions.h" #include "api/media_transport_interface.h" #include "api/peerconnectioninterface.h" #include "logging/rtc_event_log/rtc_event_log.h" @@ -34,6 +33,7 @@ #include "rtc_base/asyncinvoker.h" #include "rtc_base/constructormagic.h" #include "rtc_base/refcountedobject.h" +#include "rtc_base/sslstreamadapter.h" #include "rtc_base/third_party/sigslot/sigslot.h" namespace rtc { @@ -68,7 +68,7 @@ class JsepTransportController : public sigslot::has_slots<> { rtc::SSLProtocolVersion ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12; // |crypto_options| is used to determine if created DTLS transports // negotiate GCM crypto suites or not. - webrtc::CryptoOptions crypto_options; + rtc::CryptoOptions crypto_options; PeerConnectionInterface::BundlePolicy bundle_policy = PeerConnectionInterface::kBundlePolicyBalanced; PeerConnectionInterface::RtcpMuxPolicy rtcp_mux_policy = diff --git a/pc/jseptransportcontroller_unittest.cc b/pc/jseptransportcontroller_unittest.cc index 26813e1c4f..ce431c38ae 100644 --- a/pc/jseptransportcontroller_unittest.cc +++ b/pc/jseptransportcontroller_unittest.cc @@ -52,7 +52,7 @@ class FakeTransportFactory : public cricket::TransportFactoryInterface { std::unique_ptr CreateDtlsTransport( std::unique_ptr ice, - const webrtc::CryptoOptions& crypto_options) override { + const rtc::CryptoOptions& crypto_options) override { std::unique_ptr fake_ice( static_cast(ice.release())); return absl::make_unique(std::move(fake_ice)); diff --git a/pc/mediasession.cc b/pc/mediasession.cc index 889576c306..d186513e9b 100644 --- a/pc/mediasession.cc +++ b/pc/mediasession.cc @@ -39,10 +39,10 @@ using webrtc::RtpTransceiverDirection; const char kInline[] = "inline:"; -void GetSupportedSdesCryptoSuiteNames( - void (*func)(const webrtc::CryptoOptions&, std::vector*), - const webrtc::CryptoOptions& crypto_options, - std::vector* names) { +void GetSupportedSdesCryptoSuiteNames(void (*func)(const rtc::CryptoOptions&, + std::vector*), + const rtc::CryptoOptions& crypto_options, + std::vector* names) { std::vector crypto_suites; func(crypto_options, &crypto_suites); for (const auto crypto : crypto_suites) { @@ -195,30 +195,28 @@ bool FindMatchingCrypto(const CryptoParamsVec& cryptos, // For audio, HMAC 32 (if enabled) is prefered over HMAC 80 because of the // low overhead. -void GetSupportedAudioSdesCryptoSuites( - const webrtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.srtp.enable_gcm_crypto_suites) { +void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } - if (crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher) { + if (crypto_options.enable_aes128_sha1_32_crypto_cipher) { crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32); } crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_80); } void GetSupportedAudioSdesCryptoSuiteNames( - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedAudioSdesCryptoSuites, crypto_options, crypto_suite_names); } -void GetSupportedVideoSdesCryptoSuites( - const webrtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.srtp.enable_gcm_crypto_suites) { +void GetSupportedVideoSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } @@ -226,16 +224,15 @@ void GetSupportedVideoSdesCryptoSuites( } void GetSupportedVideoSdesCryptoSuiteNames( - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedVideoSdesCryptoSuites, crypto_options, crypto_suite_names); } -void GetSupportedDataSdesCryptoSuites( - const webrtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.srtp.enable_gcm_crypto_suites) { +void GetSupportedDataSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } @@ -243,7 +240,7 @@ void GetSupportedDataSdesCryptoSuites( } void GetSupportedDataSdesCryptoSuiteNames( - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedDataSdesCryptoSuites, crypto_options, crypto_suite_names); @@ -255,17 +252,17 @@ void GetSupportedDataSdesCryptoSuiteNames( // Pick the crypto in the list that is supported. static bool SelectCrypto(const MediaContentDescription* offer, bool bundle, - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, CryptoParams* crypto_out) { bool audio = offer->type() == MEDIA_TYPE_AUDIO; const CryptoParamsVec& cryptos = offer->cryptos(); for (const CryptoParams& crypto : cryptos) { - if ((crypto_options.srtp.enable_gcm_crypto_suites && + if ((crypto_options.enable_gcm_crypto_suites && rtc::IsGcmCryptoSuiteName(crypto.cipher_suite)) || rtc::CS_AES_CM_128_HMAC_SHA1_80 == crypto.cipher_suite || (rtc::CS_AES_CM_128_HMAC_SHA1_32 == crypto.cipher_suite && audio && - !bundle && crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher)) { + !bundle && crypto_options.enable_aes128_sha1_32_crypto_cipher)) { return CreateCryptoParams(crypto.tag, crypto.cipher_suite, crypto_out); } } diff --git a/pc/mediasession.h b/pc/mediasession.h index b1df1dbd26..81b88e1fe5 100644 --- a/pc/mediasession.h +++ b/pc/mediasession.h @@ -95,7 +95,7 @@ struct MediaSessionOptions { bool bundle_enabled = false; bool is_unified_plan = false; std::string rtcp_cname = kDefaultRtcpCname; - webrtc::CryptoOptions crypto_options; + rtc::CryptoOptions crypto_options; // List of media description options in the same order that the media // descriptions will be generated. std::vector media_description_options; @@ -337,23 +337,20 @@ DataContentDescription* GetFirstDataContentDescription( SessionDescription* sdesc); // Helper functions to return crypto suites used for SDES. -void GetSupportedAudioSdesCryptoSuites( - const webrtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); -void GetSupportedVideoSdesCryptoSuites( - const webrtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); -void GetSupportedDataSdesCryptoSuites( - const webrtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); +void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); +void GetSupportedVideoSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); +void GetSupportedDataSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); void GetSupportedAudioSdesCryptoSuiteNames( - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); void GetSupportedVideoSdesCryptoSuiteNames( - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); void GetSupportedDataSdesCryptoSuiteNames( - const webrtc::CryptoOptions& crypto_options, + const rtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); // Returns true if the given media section protocol indicates use of RTP. diff --git a/pc/mediasession_unittest.cc b/pc/mediasession_unittest.cc index 3bc2766625..7162a3713c 100644 --- a/pc/mediasession_unittest.cc +++ b/pc/mediasession_unittest.cc @@ -609,11 +609,11 @@ class MediaSessionDescriptionFactoryTest : public testing::Test { void TestVideoGcmCipher(bool gcm_offer, bool gcm_answer) { MediaSessionOptions offer_opts; AddAudioVideoSections(RtpTransceiverDirection::kRecvOnly, &offer_opts); - offer_opts.crypto_options.srtp.enable_gcm_crypto_suites = gcm_offer; + offer_opts.crypto_options.enable_gcm_crypto_suites = gcm_offer; MediaSessionOptions answer_opts; AddAudioVideoSections(RtpTransceiverDirection::kRecvOnly, &answer_opts); - answer_opts.crypto_options.srtp.enable_gcm_crypto_suites = gcm_answer; + answer_opts.crypto_options.enable_gcm_crypto_suites = gcm_answer; f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); @@ -953,7 +953,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioAnswerGcm) { f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); MediaSessionOptions opts = CreatePlanBMediaSessionOptions(); - opts.crypto_options.srtp.enable_gcm_crypto_suites = true; + opts.crypto_options.enable_gcm_crypto_suites = true; std::unique_ptr offer(f1_.CreateOffer(opts, NULL)); ASSERT_TRUE(offer.get() != NULL); std::unique_ptr answer( @@ -1057,7 +1057,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswer) { TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswerGcm) { MediaSessionOptions opts = CreatePlanBMediaSessionOptions(); AddDataSection(cricket::DCT_RTP, RtpTransceiverDirection::kRecvOnly, &opts); - opts.crypto_options.srtp.enable_gcm_crypto_suites = true; + opts.crypto_options.enable_gcm_crypto_suites = true; f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); std::unique_ptr offer(f1_.CreateOffer(opts, NULL)); diff --git a/pc/peerconnection.cc b/pc/peerconnection.cc index 0861246151..5cca4a881d 100644 --- a/pc/peerconnection.cc +++ b/pc/peerconnection.cc @@ -1027,7 +1027,7 @@ bool PeerConnection::Initialize( } webrtc_session_desc_factory_->set_enable_encrypted_rtp_header_extensions( - options.crypto_options.srtp.enable_encrypted_rtp_header_extensions); + options.crypto_options.enable_encrypted_rtp_header_extensions); // Add default audio/video transceivers for Plan B SDP. if (!IsUnifiedPlan()) { diff --git a/pc/peerconnection_crypto_unittest.cc b/pc/peerconnection_crypto_unittest.cc index 71e87636e2..1ccfe5560f 100644 --- a/pc/peerconnection_crypto_unittest.cc +++ b/pc/peerconnection_crypto_unittest.cc @@ -284,7 +284,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWhenEncryptionDisabled) { // in the answer. TEST_P(PeerConnectionCryptoTest, CorrectCryptoInOfferWithSdesAndGcm) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.srtp.enable_gcm_crypto_suites = true; + options.crypto_options.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; @@ -299,7 +299,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInOfferWithSdesAndGcm) { } TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWithSdesAndGcm) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.srtp.enable_gcm_crypto_suites = true; + options.crypto_options.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; @@ -317,7 +317,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWithSdesAndGcm) { TEST_P(PeerConnectionCryptoTest, CanSetSdesGcmRemoteOfferAndLocalAnswer) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.srtp.enable_gcm_crypto_suites = true; + options.crypto_options.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; diff --git a/pc/peerconnection_integrationtest.cc b/pc/peerconnection_integrationtest.cc index 36a832c0fb..5825898b1f 100644 --- a/pc/peerconnection_integrationtest.cc +++ b/pc/peerconnection_integrationtest.cc @@ -1558,11 +1558,9 @@ class PeerConnectionIntegrationBaseTest : public testing::Test { bool remote_gcm_enabled, int expected_cipher_suite) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.srtp.enable_gcm_crypto_suites = - local_gcm_enabled; + caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.srtp.enable_gcm_crypto_suites = - remote_gcm_enabled; + callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); } @@ -2845,10 +2843,9 @@ TEST_P(PeerConnectionIntegrationTest, CallerDtls10ToCalleeDtls12) { TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherNotUsedWhenOnlyCallerSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; + caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = - false; + callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = false; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_80; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2857,10 +2854,9 @@ TEST_P(PeerConnectionIntegrationTest, TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherNotUsedWhenOnlyCalleeSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = - false; + caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = false; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; + callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_80; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2868,9 +2864,9 @@ TEST_P(PeerConnectionIntegrationTest, TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherUsedWhenSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; + caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; + callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_32; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2920,7 +2916,7 @@ TEST_P(PeerConnectionIntegrationTest, // works with it. TEST_P(PeerConnectionIntegrationTest, EndToEndCallWithGcmCipher) { PeerConnectionFactory::Options gcm_options; - gcm_options.crypto_options.srtp.enable_gcm_crypto_suites = true; + gcm_options.crypto_options.enable_gcm_crypto_suites = true; ASSERT_TRUE( CreatePeerConnectionWrappersWithOptions(gcm_options, gcm_options)); ConnectFakeSignaling(); diff --git a/pc/peerconnectionfactory.cc b/pc/peerconnectionfactory.cc index c3db9cf380..edc13034a3 100644 --- a/pc/peerconnectionfactory.cc +++ b/pc/peerconnectionfactory.cc @@ -234,17 +234,6 @@ bool PeerConnectionFactory::Initialize() { void PeerConnectionFactory::SetOptions(const Options& options) { options_ = options; - // TODO(webrtc:9859) - Remove Chromium Compatibility once fix lands in - // Chromium - if (options.crypto_options.enable_gcm_crypto_suites.has_value()) { - options_.crypto_options.srtp.enable_gcm_crypto_suites = - *options.crypto_options.enable_gcm_crypto_suites; - } - if (options.crypto_options.enable_encrypted_rtp_header_extensions - .has_value()) { - options_.crypto_options.srtp.enable_encrypted_rtp_header_extensions = - *options.crypto_options.enable_encrypted_rtp_header_extensions; - } } RtpCapabilities PeerConnectionFactory::GetRtpSenderCapabilities( diff --git a/pc/rtpsenderreceiver_unittest.cc b/pc/rtpsenderreceiver_unittest.cc index fad839cc4c..07ff6a3865 100644 --- a/pc/rtpsenderreceiver_unittest.cc +++ b/pc/rtpsenderreceiver_unittest.cc @@ -81,11 +81,11 @@ class RtpSenderReceiverTest : public testing::Test, voice_channel_ = channel_manager_.CreateVoiceChannel( &fake_call_, cricket::MediaConfig(), rtp_transport_.get(), rtc::Thread::Current(), cricket::CN_AUDIO, srtp_required, - webrtc::CryptoOptions(), cricket::AudioOptions()); + rtc::CryptoOptions(), cricket::AudioOptions()); video_channel_ = channel_manager_.CreateVideoChannel( &fake_call_, cricket::MediaConfig(), rtp_transport_.get(), rtc::Thread::Current(), cricket::CN_VIDEO, srtp_required, - webrtc::CryptoOptions(), cricket::VideoOptions()); + rtc::CryptoOptions(), cricket::VideoOptions()); voice_channel_->Enable(true); video_channel_->Enable(true); voice_media_channel_ = media_engine_->GetVoiceChannel(0); diff --git a/pc/test/fakepeerconnectionforstats.h b/pc/test/fakepeerconnectionforstats.h index ae329e4450..642fa011eb 100644 --- a/pc/test/fakepeerconnectionforstats.h +++ b/pc/test/fakepeerconnectionforstats.h @@ -126,7 +126,7 @@ class FakePeerConnectionForStats : public FakePeerConnectionBase { voice_channel_ = absl::make_unique( worker_thread_, network_thread_, signaling_thread_, nullptr, std::move(voice_media_channel), mid, kDefaultSrtpRequired, - webrtc::CryptoOptions()); + rtc::CryptoOptions()); voice_channel_->set_transport_name_for_testing(transport_name); GetOrCreateFirstTransceiverOfType(cricket::MEDIA_TYPE_AUDIO) ->internal() @@ -144,7 +144,7 @@ class FakePeerConnectionForStats : public FakePeerConnectionBase { video_channel_ = absl::make_unique( worker_thread_, network_thread_, signaling_thread_, std::move(video_media_channel), mid, kDefaultSrtpRequired, - webrtc::CryptoOptions()); + rtc::CryptoOptions()); video_channel_->set_transport_name_for_testing(transport_name); GetOrCreateFirstTransceiverOfType(cricket::MEDIA_TYPE_VIDEO) ->internal() diff --git a/rtc_base/sslstreamadapter.cc b/rtc_base/sslstreamadapter.cc index fe42bf4ad6..746ebd5006 100644 --- a/rtc_base/sslstreamadapter.cc +++ b/rtc_base/sslstreamadapter.cc @@ -89,6 +89,32 @@ bool IsGcmCryptoSuiteName(const std::string& crypto_suite) { crypto_suite == CS_AEAD_AES_128_GCM); } +// static +CryptoOptions CryptoOptions::NoGcm() { + CryptoOptions options; + options.enable_gcm_crypto_suites = false; + return options; +} + +std::vector GetSupportedDtlsSrtpCryptoSuites( + const rtc::CryptoOptions& crypto_options) { + std::vector crypto_suites; + if (crypto_options.enable_gcm_crypto_suites) { + crypto_suites.push_back(rtc::SRTP_AEAD_AES_256_GCM); + crypto_suites.push_back(rtc::SRTP_AEAD_AES_128_GCM); + } + // Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by + // draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as + // well, and saves a few bytes per packet if it ends up selected. + // As the cipher suite is potentially insecure, it will only be used if + // enabled by both peers. + if (crypto_options.enable_aes128_sha1_32_crypto_cipher) { + crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32); + } + crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80); + return crypto_suites; +} + SSLStreamAdapter* SSLStreamAdapter::Create(StreamInterface* stream) { return new OpenSSLStreamAdapter(stream); } diff --git a/rtc_base/sslstreamadapter.h b/rtc_base/sslstreamadapter.h index dad8a4ece0..2d4e19f9b5 100644 --- a/rtc_base/sslstreamadapter.h +++ b/rtc_base/sslstreamadapter.h @@ -70,6 +70,34 @@ bool IsGcmCryptoSuite(int crypto_suite); // Returns true if the given crypto suite name uses a GCM cipher. bool IsGcmCryptoSuiteName(const std::string& crypto_suite); +struct CryptoOptions { + CryptoOptions() {} + + // Helper method to return an instance of the CryptoOptions with GCM crypto + // suites disabled. This method should be used instead of depending on current + // default values set by the constructor. + static CryptoOptions NoGcm(); + + // Enable GCM crypto suites from RFC 7714 for SRTP. GCM will only be used + // if both sides enable it. + bool enable_gcm_crypto_suites = false; + + // If set to true, the (potentially insecure) crypto cipher + // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers + // during negotiation. It will only be used if both peers support it and no + // other ciphers get preferred. + bool enable_aes128_sha1_32_crypto_cipher = false; + + // If set to true, encrypted RTP header extensions as defined in RFC 6904 + // will be negotiated. They will only be used if both peers support them. + bool enable_encrypted_rtp_header_extensions = false; +}; + +// Returns supported crypto suites, given |crypto_options|. +// CS_AES_CM_128_HMAC_SHA1_32 will be preferred by default. +std::vector GetSupportedDtlsSrtpCryptoSuites( + const rtc::CryptoOptions& crypto_options); + // SSLStreamAdapter : A StreamInterfaceAdapter that does SSL/TLS. // After SSL has been started, the stream will only open on successful // SSL verification of certificates, and the communication is diff --git a/sdk/android/src/jni/pc/peerconnectionfactory.cc b/sdk/android/src/jni/pc/peerconnectionfactory.cc index 049858a139..01c1accaa3 100644 --- a/sdk/android/src/jni/pc/peerconnectionfactory.cc +++ b/sdk/android/src/jni/pc/peerconnectionfactory.cc @@ -63,9 +63,9 @@ JavaToNativePeerConnectionFactoryOptions(JNIEnv* jni, native_options.disable_encryption = disable_encryption; native_options.disable_network_monitor = disable_network_monitor; - native_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = + native_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = enable_aes128_sha1_32_crypto_cipher; - native_options.crypto_options.srtp.enable_gcm_crypto_suites = + native_options.crypto_options.enable_gcm_crypto_suites = enable_gcm_crypto_suites; return native_options; } diff --git a/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm b/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm index 1690385937..103a130390 100644 --- a/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm +++ b/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm @@ -52,9 +52,8 @@ void setNetworkBit(webrtc::PeerConnectionFactoryInterface::Options* options, setNetworkBit(&options, rtc::ADAPTER_TYPE_WIFI, self.ignoreWiFiNetworkAdapter); setNetworkBit(&options, rtc::ADAPTER_TYPE_ETHERNET, self.ignoreEthernetNetworkAdapter); - options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = - self.enableAes128Sha1_32CryptoCipher; - options.crypto_options.srtp.enable_gcm_crypto_suites = self.enableGcmCryptoSuites; + options.crypto_options.enable_aes128_sha1_32_crypto_cipher = self.enableAes128Sha1_32CryptoCipher; + options.crypto_options.enable_gcm_crypto_suites = self.enableGcmCryptoSuites; return options; }