From ac2f3d14e45398930bc35ff05ed7a3b9b617d328 Mon Sep 17 00:00:00 2001 From: Benjamin Wright Date: Wed, 10 Oct 2018 17:21:08 -0700 Subject: [PATCH] Move CryptoOptions to api/crypto from rtc_base/sslstreamadapter.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Promotes rtc::CryptoOptions to webrtc::CryptoOptions converting it from class that only handles SRTP configuration to a more generic structure that can be used and extended for all per peer connection CryptoOptions that can be on a given PeerConnection. Now all SRTP related options are under webrtc::CryptoOptions::Srtp and can be accessed as crypto_options.srtp.whatever_option_name. This is more inline with other structures we have in WebRTC such as VideoConfig. As additional features are added over time this will allow the structure to remain compartmentalized and concerned components can only request a subset of the overall configuration structure e.g: void MySrtpFunction(const webrtc::CryptoOptions::Srtp& srtp_config); In addition to this it made little sense for sslstreamadapter.h to hold all Srtp related configuration options. The header has become loo large and takes on too many responsibilities and spilting this up will lead to more maintainable code going forward. This will be used in a future CL to enable configuration options for the newly supported Frame Crypto. Change-Id: I99d1be36740c59548c8e62db52d68d738649707f Bug: webrtc:9681 Reviewed-on: https://webrtc-review.googlesource.com/c/105180 Reviewed-by: Emad Omara Reviewed-by: Kári Helgason Reviewed-by: Sami Kalliomäki Reviewed-by: Qingsi Wang Reviewed-by: Steve Anton Commit-Queue: Benjamin Wright Cr-Commit-Position: refs/heads/master@{#25130} --- api/BUILD.gn | 2 + api/crypto/cryptooptions.cc | 52 +++++++++++++++ api/crypto/cryptooptions.h | 64 +++++++++++++++++++ api/cryptoparams.h | 2 + api/peerconnectioninterface.h | 5 +- p2p/base/dtlstransport.cc | 10 +-- p2p/base/dtlstransport.h | 9 +-- p2p/base/dtlstransport_unittest.cc | 4 +- p2p/base/dtlstransportinternal.h | 3 +- p2p/base/fakedtlstransport.h | 7 +- p2p/base/transportfactoryinterface.h | 2 +- pc/channel.cc | 10 +-- pc/channel.h | 10 +-- pc/channel_unittest.cc | 6 +- pc/channelmanager.cc | 6 +- pc/channelmanager.h | 6 +- pc/channelmanager_unittest.cc | 6 +- pc/jseptransportcontroller.cc | 2 +- pc/jseptransportcontroller.h | 4 +- pc/jseptransportcontroller_unittest.cc | 2 +- pc/mediasession.cc | 43 +++++++------ pc/mediasession.h | 23 ++++--- pc/mediasession_unittest.cc | 8 +-- pc/peerconnection.cc | 2 +- pc/peerconnection_crypto_unittest.cc | 6 +- pc/peerconnection_integrationtest.cc | 22 ++++--- pc/peerconnectionfactory.cc | 11 ++++ pc/rtpsenderreceiver_unittest.cc | 4 +- pc/test/fakepeerconnectionforstats.h | 4 +- rtc_base/sslstreamadapter.cc | 26 -------- rtc_base/sslstreamadapter.h | 28 -------- .../src/jni/pc/peerconnectionfactory.cc | 4 +- .../RTCPeerConnectionFactoryOptions.mm | 5 +- 33 files changed, 245 insertions(+), 153 deletions(-) create mode 100644 api/crypto/cryptooptions.cc create mode 100644 api/crypto/cryptooptions.h diff --git a/api/BUILD.gn b/api/BUILD.gn index 60eb7514c2..c420b10a41 100644 --- a/api/BUILD.gn +++ b/api/BUILD.gn @@ -52,6 +52,8 @@ rtc_static_library("libjingle_peerconnection_api") { "bitrate_constraints.h", "candidate.cc", "candidate.h", + "crypto/cryptooptions.cc", + "crypto/cryptooptions.h", "crypto/framedecryptorinterface.h", "crypto/frameencryptorinterface.h", "cryptoparams.h", diff --git a/api/crypto/cryptooptions.cc b/api/crypto/cryptooptions.cc new file mode 100644 index 0000000000..ed6db471d5 --- /dev/null +++ b/api/crypto/cryptooptions.cc @@ -0,0 +1,52 @@ +/* + * Copyright 2018 The WebRTC Project Authors. All rights reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include "api/crypto/cryptooptions.h" +#include "rtc_base/sslstreamadapter.h" + +namespace webrtc { + +CryptoOptions::CryptoOptions() {} + +CryptoOptions::CryptoOptions(const CryptoOptions& other) { + enable_gcm_crypto_suites = other.enable_gcm_crypto_suites; + enable_encrypted_rtp_header_extensions = + other.enable_encrypted_rtp_header_extensions; + srtp = other.srtp; +} + +CryptoOptions::~CryptoOptions() {} + +// static +CryptoOptions CryptoOptions::NoGcm() { + CryptoOptions options; + options.srtp.enable_gcm_crypto_suites = false; + return options; +} + +std::vector CryptoOptions::GetSupportedDtlsSrtpCryptoSuites() const { + std::vector crypto_suites; + if (srtp.enable_gcm_crypto_suites) { + crypto_suites.push_back(rtc::SRTP_AEAD_AES_256_GCM); + crypto_suites.push_back(rtc::SRTP_AEAD_AES_128_GCM); + } + // Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by + // draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as + // well, and saves a few bytes per packet if it ends up selected. + // As the cipher suite is potentially insecure, it will only be used if + // enabled by both peers. + if (srtp.enable_aes128_sha1_32_crypto_cipher) { + crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32); + } + crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80); + return crypto_suites; +} + +} // namespace webrtc diff --git a/api/crypto/cryptooptions.h b/api/crypto/cryptooptions.h new file mode 100644 index 0000000000..d2e62248b5 --- /dev/null +++ b/api/crypto/cryptooptions.h @@ -0,0 +1,64 @@ +/* + * Copyright 2018 The WebRTC Project Authors. All rights reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#ifndef API_CRYPTO_CRYPTOOPTIONS_H_ +#define API_CRYPTO_CRYPTOOPTIONS_H_ + +#include +#include "absl/types/optional.h" + +namespace webrtc { + +// CryptoOptions defines advanced cryptographic settings for native WebRTC. +// These settings must be passed into PeerConnectionFactoryInterface::Options +// and are only applicable to native use cases of WebRTC. +struct CryptoOptions { + CryptoOptions(); + CryptoOptions(const CryptoOptions& other); + ~CryptoOptions(); + + // Helper method to return an instance of the CryptoOptions with GCM crypto + // suites disabled. This method should be used instead of depending on current + // default values set by the constructor. + static CryptoOptions NoGcm(); + + // Returns a list of the supported DTLS-SRTP Crypto suites based on this set + // of crypto options. + std::vector GetSupportedDtlsSrtpCryptoSuites() const; + + // TODO(webrtc:9859) - Remove duplicates once chromium is fixed. + // Will be removed once srtp.enable_gcm_crypto_suites is updated in Chrome. + absl::optional enable_gcm_crypto_suites; + // TODO(webrtc:9859) - Remove duplicates once chromium is fixed. + // Will be removed once srtp.enable_encrypted_rtp_header_extensions is + // updated in Chrome. + absl::optional enable_encrypted_rtp_header_extensions; + + // SRTP Related Peer Connection options. + struct Srtp { + // Enable GCM crypto suites from RFC 7714 for SRTP. GCM will only be used + // if both sides enable it. + bool enable_gcm_crypto_suites = false; + + // If set to true, the (potentially insecure) crypto cipher + // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers + // during negotiation. It will only be used if both peers support it and no + // other ciphers get preferred. + bool enable_aes128_sha1_32_crypto_cipher = false; + + // If set to true, encrypted RTP header extensions as defined in RFC 6904 + // will be negotiated. They will only be used if both peers support them. + bool enable_encrypted_rtp_header_extensions = false; + } srtp; +}; + +} // namespace webrtc + +#endif // API_CRYPTO_CRYPTOOPTIONS_H_ diff --git a/api/cryptoparams.h b/api/cryptoparams.h index 2350528358..abe9055462 100644 --- a/api/cryptoparams.h +++ b/api/cryptoparams.h @@ -16,6 +16,8 @@ namespace cricket { // Parameters for SRTP negotiation, as described in RFC 4568. +// TODO(benwright) - Rename to SrtpCryptoParams as these only apply to SRTP and +// not generic crypto parameters for WebRTC. struct CryptoParams { CryptoParams() : tag(0) {} CryptoParams(int t, diff --git a/api/peerconnectioninterface.h b/api/peerconnectioninterface.h index 3d8a9c1e41..141b2c9272 100644 --- a/api/peerconnectioninterface.h +++ b/api/peerconnectioninterface.h @@ -77,6 +77,7 @@ #include "api/audio_codecs/audio_encoder_factory.h" #include "api/audio_options.h" #include "api/call/callfactoryinterface.h" +#include "api/crypto/cryptooptions.h" #include "api/datachannelinterface.h" #include "api/fec_controller.h" #include "api/jsep.h" @@ -1180,7 +1181,7 @@ class PeerConnectionFactoryInterface : public rtc::RefCountInterface { public: class Options { public: - Options() : crypto_options(rtc::CryptoOptions::NoGcm()) {} + Options() {} // If set to true, created PeerConnections won't enforce any SRTP // requirement, allowing unsecured media. Should only be used for @@ -1209,7 +1210,7 @@ class PeerConnectionFactoryInterface : public rtc::RefCountInterface { rtc::SSLProtocolVersion ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12; // Sets crypto related options, e.g. enabled cipher suites. - rtc::CryptoOptions crypto_options; + CryptoOptions crypto_options = CryptoOptions::NoGcm(); }; // Set the options to be used for subsequently created PeerConnections. diff --git a/p2p/base/dtlstransport.cc b/p2p/base/dtlstransport.cc index 314f63ce74..f498253c25 100644 --- a/p2p/base/dtlstransport.cc +++ b/p2p/base/dtlstransport.cc @@ -114,12 +114,12 @@ void StreamInterfaceChannel::Close() { } DtlsTransport::DtlsTransport(IceTransportInternal* ice_transport, - const rtc::CryptoOptions& crypto_options) + const webrtc::CryptoOptions& crypto_options) : transport_name_(ice_transport->transport_name()), component_(ice_transport->component()), ice_transport_(ice_transport), downward_(NULL), - srtp_ciphers_(GetSupportedDtlsSrtpCryptoSuites(crypto_options)), + srtp_ciphers_(crypto_options.GetSupportedDtlsSrtpCryptoSuites()), ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_12), crypto_options_(crypto_options) { RTC_DCHECK(ice_transport_); @@ -128,13 +128,13 @@ DtlsTransport::DtlsTransport(IceTransportInternal* ice_transport, DtlsTransport::DtlsTransport( std::unique_ptr ice_transport, - const rtc::CryptoOptions& crypto_options) + const webrtc::CryptoOptions& crypto_options) : transport_name_(ice_transport->transport_name()), component_(ice_transport->component()), ice_transport_(ice_transport.get()), owned_ice_transport_(std::move(ice_transport)), downward_(NULL), - srtp_ciphers_(GetSupportedDtlsSrtpCryptoSuites(crypto_options)), + srtp_ciphers_(crypto_options.GetSupportedDtlsSrtpCryptoSuites()), ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_12), crypto_options_(crypto_options) { RTC_DCHECK(owned_ice_transport_); @@ -143,7 +143,7 @@ DtlsTransport::DtlsTransport( DtlsTransport::~DtlsTransport() = default; -const rtc::CryptoOptions& DtlsTransport::crypto_options() const { +const webrtc::CryptoOptions& DtlsTransport::crypto_options() const { return crypto_options_; } diff --git a/p2p/base/dtlstransport.h b/p2p/base/dtlstransport.h index 456f375a10..2eafc9e8d5 100644 --- a/p2p/base/dtlstransport.h +++ b/p2p/base/dtlstransport.h @@ -15,6 +15,7 @@ #include #include +#include "api/crypto/cryptooptions.h" #include "p2p/base/dtlstransportinternal.h" #include "p2p/base/icetransportinternal.h" #include "rtc_base/buffer.h" @@ -96,13 +97,13 @@ class DtlsTransport : public DtlsTransportInternal { // whether GCM crypto suites are negotiated. // TODO(zhihuang): Remove this once we switch to JsepTransportController. explicit DtlsTransport(IceTransportInternal* ice_transport, - const rtc::CryptoOptions& crypto_options); + const webrtc::CryptoOptions& crypto_options); explicit DtlsTransport(std::unique_ptr ice_transport, - const rtc::CryptoOptions& crypto_options); + const webrtc::CryptoOptions& crypto_options); ~DtlsTransport() override; - const rtc::CryptoOptions& crypto_options() const override; + const webrtc::CryptoOptions& crypto_options() const override; DtlsTransportState dtls_state() const override; const std::string& transport_name() const override; int component() const override; @@ -231,7 +232,7 @@ class DtlsTransport : public DtlsTransportInternal { rtc::scoped_refptr local_certificate_; absl::optional dtls_role_; rtc::SSLProtocolVersion ssl_max_version_; - rtc::CryptoOptions crypto_options_; + webrtc::CryptoOptions crypto_options_; rtc::Buffer remote_fingerprint_value_; std::string remote_fingerprint_algorithm_; diff --git a/p2p/base/dtlstransport_unittest.cc b/p2p/base/dtlstransport_unittest.cc index 3cf423e851..8dfbf6106c 100644 --- a/p2p/base/dtlstransport_unittest.cc +++ b/p2p/base/dtlstransport_unittest.cc @@ -86,8 +86,8 @@ class DtlsTestClient : public sigslot::has_slots<> { fake_ice_transport_->SignalReadPacket.connect( this, &DtlsTestClient::OnFakeIceTransportReadPacket); - dtls_transport_.reset( - new DtlsTransport(fake_ice_transport_.get(), rtc::CryptoOptions())); + dtls_transport_ = absl::make_unique( + fake_ice_transport_.get(), webrtc::CryptoOptions()); dtls_transport_->SetSslMaxProtocolVersion(ssl_max_version_); // Note: Certificate may be null here if testing passthrough. dtls_transport_->SetLocalCertificate(certificate_); diff --git a/p2p/base/dtlstransportinternal.h b/p2p/base/dtlstransportinternal.h index 238057e4c9..a7137449f4 100644 --- a/p2p/base/dtlstransportinternal.h +++ b/p2p/base/dtlstransportinternal.h @@ -15,6 +15,7 @@ #include #include +#include "api/crypto/cryptooptions.h" #include "p2p/base/icetransportinternal.h" #include "p2p/base/packettransportinternal.h" #include "rtc_base/sslstreamadapter.h" @@ -50,7 +51,7 @@ class DtlsTransportInternal : public rtc::PacketTransportInternal { public: ~DtlsTransportInternal() override; - virtual const rtc::CryptoOptions& crypto_options() const = 0; + virtual const webrtc::CryptoOptions& crypto_options() const = 0; virtual DtlsTransportState dtls_state() const = 0; diff --git a/p2p/base/fakedtlstransport.h b/p2p/base/fakedtlstransport.h index cb944d3db5..c4f9d2c239 100644 --- a/p2p/base/fakedtlstransport.h +++ b/p2p/base/fakedtlstransport.h @@ -17,6 +17,7 @@ #include #include "absl/memory/memory.h" +#include "api/crypto/cryptooptions.h" #include "p2p/base/dtlstransportinternal.h" #include "p2p/base/fakeicetransport.h" #include "rtc_base/fakesslidentity.h" @@ -149,10 +150,10 @@ class FakeDtlsTransport : public DtlsTransportInternal { *role = *dtls_role_; return true; } - const rtc::CryptoOptions& crypto_options() const override { + const webrtc::CryptoOptions& crypto_options() const override { return crypto_options_; } - void SetCryptoOptions(const rtc::CryptoOptions& crypto_options) { + void SetCryptoOptions(const webrtc::CryptoOptions& crypto_options) { crypto_options_ = crypto_options; } bool SetLocalCertificate( @@ -272,7 +273,7 @@ class FakeDtlsTransport : public DtlsTransportInternal { rtc::SSLFingerprint dtls_fingerprint_; absl::optional dtls_role_; int crypto_suite_ = rtc::SRTP_AES128_CM_SHA1_80; - rtc::CryptoOptions crypto_options_; + webrtc::CryptoOptions crypto_options_; DtlsTransportState dtls_state_ = DTLS_TRANSPORT_NEW; diff --git a/p2p/base/transportfactoryinterface.h b/p2p/base/transportfactoryinterface.h index ce32ee8483..9805db005c 100644 --- a/p2p/base/transportfactoryinterface.h +++ b/p2p/base/transportfactoryinterface.h @@ -34,7 +34,7 @@ class TransportFactoryInterface { virtual std::unique_ptr CreateDtlsTransport( std::unique_ptr ice, - const rtc::CryptoOptions& crypto_options) = 0; + const webrtc::CryptoOptions& crypto_options) = 0; }; } // namespace cricket diff --git a/pc/channel.cc b/pc/channel.cc index b63cea7cec..cd1534ffec 100644 --- a/pc/channel.cc +++ b/pc/channel.cc @@ -101,7 +101,7 @@ BaseChannel::BaseChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options) + webrtc::CryptoOptions crypto_options) : worker_thread_(worker_thread), network_thread_(network_thread), signaling_thread_(signaling_thread), @@ -673,7 +673,7 @@ bool BaseChannel::UpdateRemoteStreams_w( RtpHeaderExtensions BaseChannel::GetFilteredRtpHeaderExtensions( const RtpHeaderExtensions& extensions) { RTC_DCHECK(rtp_transport_); - if (crypto_options_.enable_encrypted_rtp_header_extensions) { + if (crypto_options_.srtp.enable_encrypted_rtp_header_extensions) { RtpHeaderExtensions filtered; auto pred = [](const webrtc::RtpExtension& extension) { return !extension.encrypt; @@ -742,7 +742,7 @@ VoiceChannel::VoiceChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options) + webrtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, @@ -881,7 +881,7 @@ VideoChannel::VideoChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options) + webrtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, @@ -1019,7 +1019,7 @@ RtpDataChannel::RtpDataChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options) + webrtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, diff --git a/pc/channel.h b/pc/channel.h index ba584690ba..535f64ee68 100644 --- a/pc/channel.h +++ b/pc/channel.h @@ -82,7 +82,7 @@ class BaseChannel : public rtc::MessageHandler, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options); + webrtc::CryptoOptions crypto_options); virtual ~BaseChannel(); void Init_w(webrtc::RtpTransportInternal* rtp_transport); @@ -313,7 +313,7 @@ class BaseChannel : public rtc::MessageHandler, bool was_ever_writable_ = false; bool has_received_packet_ = false; const bool srtp_required_ = true; - rtc::CryptoOptions crypto_options_; + webrtc::CryptoOptions crypto_options_; // MediaChannel related members that should be accessed from the worker // thread. @@ -343,7 +343,7 @@ class VoiceChannel : public BaseChannel { std::unique_ptr channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options); + webrtc::CryptoOptions crypto_options); ~VoiceChannel(); // downcasts a MediaChannel @@ -383,7 +383,7 @@ class VideoChannel : public BaseChannel { std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options); + webrtc::CryptoOptions crypto_options); ~VideoChannel(); // downcasts a MediaChannel @@ -422,7 +422,7 @@ class RtpDataChannel : public BaseChannel { std::unique_ptr channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options); + webrtc::CryptoOptions crypto_options); ~RtpDataChannel(); // TODO(zhihuang): Remove this once the RtpTransport can be shared between // BaseChannels. diff --git a/pc/channel_unittest.cc b/pc/channel_unittest.cc index 58cb17b8bb..94f38c9a39 100644 --- a/pc/channel_unittest.cc +++ b/pc/channel_unittest.cc @@ -250,7 +250,7 @@ class ChannelTest : public testing::Test, public sigslot::has_slots<> { rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, engine, std::move(ch), - cricket::CN_AUDIO, (flags & DTLS) != 0, rtc::CryptoOptions()); + cricket::CN_AUDIO, (flags & DTLS) != 0, webrtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } @@ -1545,7 +1545,7 @@ std::unique_ptr ChannelTest::CreateChannel( rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, std::move(ch), - cricket::CN_VIDEO, (flags & DTLS) != 0, rtc::CryptoOptions()); + cricket::CN_VIDEO, (flags & DTLS) != 0, webrtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } @@ -2164,7 +2164,7 @@ std::unique_ptr ChannelTest::CreateChannel( rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, std::move(ch), - cricket::CN_DATA, (flags & DTLS) != 0, rtc::CryptoOptions()); + cricket::CN_DATA, (flags & DTLS) != 0, webrtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } diff --git a/pc/channelmanager.cc b/pc/channelmanager.cc index dab622ad70..1c80719949 100644 --- a/pc/channelmanager.cc +++ b/pc/channelmanager.cc @@ -159,7 +159,7 @@ VoiceChannel* ChannelManager::CreateVoiceChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, const AudioOptions& options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { @@ -226,7 +226,7 @@ VideoChannel* ChannelManager::CreateVideoChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, const VideoOptions& options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { @@ -291,7 +291,7 @@ RtpDataChannel* ChannelManager::CreateRtpDataChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options) { + const webrtc::CryptoOptions& crypto_options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { return CreateRtpDataChannel(media_config, rtp_transport, signaling_thread, diff --git a/pc/channelmanager.h b/pc/channelmanager.h index c6b601ea8f..6430f8ee84 100644 --- a/pc/channelmanager.h +++ b/pc/channelmanager.h @@ -86,7 +86,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, const AudioOptions& options); // Destroys a voice channel created by CreateVoiceChannel. void DestroyVoiceChannel(VoiceChannel* voice_channel); @@ -100,7 +100,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, const VideoOptions& options); // Destroys a video channel created by CreateVideoChannel. void DestroyVideoChannel(VideoChannel* video_channel); @@ -111,7 +111,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options); + const webrtc::CryptoOptions& crypto_options); // Destroys a data channel created by CreateRtpDataChannel. void DestroyRtpDataChannel(RtpDataChannel* data_channel); diff --git a/pc/channelmanager_unittest.cc b/pc/channelmanager_unittest.cc index 47c95306ee..053166ba13 100644 --- a/pc/channelmanager_unittest.cc +++ b/pc/channelmanager_unittest.cc @@ -65,16 +65,16 @@ class ChannelManagerTest : public testing::Test { cricket::VoiceChannel* voice_channel = cm_->CreateVoiceChannel( &fake_call_, cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), cricket::CN_AUDIO, kDefaultSrtpRequired, - rtc::CryptoOptions(), AudioOptions()); + webrtc::CryptoOptions(), AudioOptions()); EXPECT_TRUE(voice_channel != nullptr); cricket::VideoChannel* video_channel = cm_->CreateVideoChannel( &fake_call_, cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), cricket::CN_VIDEO, kDefaultSrtpRequired, - rtc::CryptoOptions(), VideoOptions()); + webrtc::CryptoOptions(), VideoOptions()); EXPECT_TRUE(video_channel != nullptr); cricket::RtpDataChannel* rtp_data_channel = cm_->CreateRtpDataChannel( cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), - cricket::CN_DATA, kDefaultSrtpRequired, rtc::CryptoOptions()); + cricket::CN_DATA, kDefaultSrtpRequired, webrtc::CryptoOptions()); EXPECT_TRUE(rtp_data_channel != nullptr); cm_->DestroyVideoChannel(video_channel); cm_->DestroyVoiceChannel(voice_channel); diff --git a/pc/jseptransportcontroller.cc b/pc/jseptransportcontroller.cc index 1847d95c94..19a2d40275 100644 --- a/pc/jseptransportcontroller.cc +++ b/pc/jseptransportcontroller.cc @@ -814,7 +814,7 @@ std::vector JsepTransportController::GetEncryptedHeaderExtensionIds( static_cast( content_info.description); - if (!config_.crypto_options.enable_encrypted_rtp_header_extensions) { + if (!config_.crypto_options.srtp.enable_encrypted_rtp_header_extensions) { return std::vector(); } diff --git a/pc/jseptransportcontroller.h b/pc/jseptransportcontroller.h index bca4481624..518d31060f 100644 --- a/pc/jseptransportcontroller.h +++ b/pc/jseptransportcontroller.h @@ -18,6 +18,7 @@ #include #include "api/candidate.h" +#include "api/crypto/cryptooptions.h" #include "api/media_transport_interface.h" #include "api/peerconnectioninterface.h" #include "logging/rtc_event_log/rtc_event_log.h" @@ -33,7 +34,6 @@ #include "rtc_base/asyncinvoker.h" #include "rtc_base/constructormagic.h" #include "rtc_base/refcountedobject.h" -#include "rtc_base/sslstreamadapter.h" #include "rtc_base/third_party/sigslot/sigslot.h" namespace rtc { @@ -68,7 +68,7 @@ class JsepTransportController : public sigslot::has_slots<> { rtc::SSLProtocolVersion ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12; // |crypto_options| is used to determine if created DTLS transports // negotiate GCM crypto suites or not. - rtc::CryptoOptions crypto_options; + webrtc::CryptoOptions crypto_options; PeerConnectionInterface::BundlePolicy bundle_policy = PeerConnectionInterface::kBundlePolicyBalanced; PeerConnectionInterface::RtcpMuxPolicy rtcp_mux_policy = diff --git a/pc/jseptransportcontroller_unittest.cc b/pc/jseptransportcontroller_unittest.cc index ce431c38ae..26813e1c4f 100644 --- a/pc/jseptransportcontroller_unittest.cc +++ b/pc/jseptransportcontroller_unittest.cc @@ -52,7 +52,7 @@ class FakeTransportFactory : public cricket::TransportFactoryInterface { std::unique_ptr CreateDtlsTransport( std::unique_ptr ice, - const rtc::CryptoOptions& crypto_options) override { + const webrtc::CryptoOptions& crypto_options) override { std::unique_ptr fake_ice( static_cast(ice.release())); return absl::make_unique(std::move(fake_ice)); diff --git a/pc/mediasession.cc b/pc/mediasession.cc index 2e4accc708..b75dfd6855 100644 --- a/pc/mediasession.cc +++ b/pc/mediasession.cc @@ -39,10 +39,10 @@ using webrtc::RtpTransceiverDirection; const char kInline[] = "inline:"; -void GetSupportedSdesCryptoSuiteNames(void (*func)(const rtc::CryptoOptions&, - std::vector*), - const rtc::CryptoOptions& crypto_options, - std::vector* names) { +void GetSupportedSdesCryptoSuiteNames( + void (*func)(const webrtc::CryptoOptions&, std::vector*), + const webrtc::CryptoOptions& crypto_options, + std::vector* names) { std::vector crypto_suites; func(crypto_options, &crypto_suites); for (const auto crypto : crypto_suites) { @@ -195,28 +195,30 @@ bool FindMatchingCrypto(const CryptoParamsVec& cryptos, // For audio, HMAC 32 (if enabled) is prefered over HMAC 80 because of the // low overhead. -void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.enable_gcm_crypto_suites) { +void GetSupportedAudioSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.srtp.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } - if (crypto_options.enable_aes128_sha1_32_crypto_cipher) { + if (crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher) { crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32); } crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_80); } void GetSupportedAudioSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedAudioSdesCryptoSuites, crypto_options, crypto_suite_names); } -void GetSupportedVideoSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.enable_gcm_crypto_suites) { +void GetSupportedVideoSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.srtp.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } @@ -224,15 +226,16 @@ void GetSupportedVideoSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, } void GetSupportedVideoSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedVideoSdesCryptoSuites, crypto_options, crypto_suite_names); } -void GetSupportedDataSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.enable_gcm_crypto_suites) { +void GetSupportedDataSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.srtp.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } @@ -240,7 +243,7 @@ void GetSupportedDataSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, } void GetSupportedDataSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedDataSdesCryptoSuites, crypto_options, crypto_suite_names); @@ -252,17 +255,17 @@ void GetSupportedDataSdesCryptoSuiteNames( // Pick the crypto in the list that is supported. static bool SelectCrypto(const MediaContentDescription* offer, bool bundle, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, CryptoParams* crypto_out) { bool audio = offer->type() == MEDIA_TYPE_AUDIO; const CryptoParamsVec& cryptos = offer->cryptos(); for (const CryptoParams& crypto : cryptos) { - if ((crypto_options.enable_gcm_crypto_suites && + if ((crypto_options.srtp.enable_gcm_crypto_suites && rtc::IsGcmCryptoSuiteName(crypto.cipher_suite)) || rtc::CS_AES_CM_128_HMAC_SHA1_80 == crypto.cipher_suite || (rtc::CS_AES_CM_128_HMAC_SHA1_32 == crypto.cipher_suite && audio && - !bundle && crypto_options.enable_aes128_sha1_32_crypto_cipher)) { + !bundle && crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher)) { return CreateCryptoParams(crypto.tag, crypto.cipher_suite, crypto_out); } } diff --git a/pc/mediasession.h b/pc/mediasession.h index b40974039b..54ca7c870e 100644 --- a/pc/mediasession.h +++ b/pc/mediasession.h @@ -94,7 +94,7 @@ struct MediaSessionOptions { bool bundle_enabled = false; bool is_unified_plan = false; std::string rtcp_cname = kDefaultRtcpCname; - rtc::CryptoOptions crypto_options; + webrtc::CryptoOptions crypto_options; // List of media description options in the same order that the media // descriptions will be generated. std::vector media_description_options; @@ -327,20 +327,23 @@ DataContentDescription* GetFirstDataContentDescription( SessionDescription* sdesc); // Helper functions to return crypto suites used for SDES. -void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); -void GetSupportedVideoSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); -void GetSupportedDataSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); +void GetSupportedAudioSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); +void GetSupportedVideoSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); +void GetSupportedDataSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); void GetSupportedAudioSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); void GetSupportedVideoSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); void GetSupportedDataSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); // Returns true if the given media section protocol indicates use of RTP. diff --git a/pc/mediasession_unittest.cc b/pc/mediasession_unittest.cc index 7162a3713c..3bc2766625 100644 --- a/pc/mediasession_unittest.cc +++ b/pc/mediasession_unittest.cc @@ -609,11 +609,11 @@ class MediaSessionDescriptionFactoryTest : public testing::Test { void TestVideoGcmCipher(bool gcm_offer, bool gcm_answer) { MediaSessionOptions offer_opts; AddAudioVideoSections(RtpTransceiverDirection::kRecvOnly, &offer_opts); - offer_opts.crypto_options.enable_gcm_crypto_suites = gcm_offer; + offer_opts.crypto_options.srtp.enable_gcm_crypto_suites = gcm_offer; MediaSessionOptions answer_opts; AddAudioVideoSections(RtpTransceiverDirection::kRecvOnly, &answer_opts); - answer_opts.crypto_options.enable_gcm_crypto_suites = gcm_answer; + answer_opts.crypto_options.srtp.enable_gcm_crypto_suites = gcm_answer; f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); @@ -953,7 +953,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioAnswerGcm) { f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); MediaSessionOptions opts = CreatePlanBMediaSessionOptions(); - opts.crypto_options.enable_gcm_crypto_suites = true; + opts.crypto_options.srtp.enable_gcm_crypto_suites = true; std::unique_ptr offer(f1_.CreateOffer(opts, NULL)); ASSERT_TRUE(offer.get() != NULL); std::unique_ptr answer( @@ -1057,7 +1057,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswer) { TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswerGcm) { MediaSessionOptions opts = CreatePlanBMediaSessionOptions(); AddDataSection(cricket::DCT_RTP, RtpTransceiverDirection::kRecvOnly, &opts); - opts.crypto_options.enable_gcm_crypto_suites = true; + opts.crypto_options.srtp.enable_gcm_crypto_suites = true; f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); std::unique_ptr offer(f1_.CreateOffer(opts, NULL)); diff --git a/pc/peerconnection.cc b/pc/peerconnection.cc index 7430898912..659d16b073 100644 --- a/pc/peerconnection.cc +++ b/pc/peerconnection.cc @@ -1027,7 +1027,7 @@ bool PeerConnection::Initialize( } webrtc_session_desc_factory_->set_enable_encrypted_rtp_header_extensions( - options.crypto_options.enable_encrypted_rtp_header_extensions); + options.crypto_options.srtp.enable_encrypted_rtp_header_extensions); // Add default audio/video transceivers for Plan B SDP. if (!IsUnifiedPlan()) { diff --git a/pc/peerconnection_crypto_unittest.cc b/pc/peerconnection_crypto_unittest.cc index 1ccfe5560f..71e87636e2 100644 --- a/pc/peerconnection_crypto_unittest.cc +++ b/pc/peerconnection_crypto_unittest.cc @@ -284,7 +284,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWhenEncryptionDisabled) { // in the answer. TEST_P(PeerConnectionCryptoTest, CorrectCryptoInOfferWithSdesAndGcm) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.enable_gcm_crypto_suites = true; + options.crypto_options.srtp.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; @@ -299,7 +299,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInOfferWithSdesAndGcm) { } TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWithSdesAndGcm) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.enable_gcm_crypto_suites = true; + options.crypto_options.srtp.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; @@ -317,7 +317,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWithSdesAndGcm) { TEST_P(PeerConnectionCryptoTest, CanSetSdesGcmRemoteOfferAndLocalAnswer) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.enable_gcm_crypto_suites = true; + options.crypto_options.srtp.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; diff --git a/pc/peerconnection_integrationtest.cc b/pc/peerconnection_integrationtest.cc index 5825898b1f..36a832c0fb 100644 --- a/pc/peerconnection_integrationtest.cc +++ b/pc/peerconnection_integrationtest.cc @@ -1558,9 +1558,11 @@ class PeerConnectionIntegrationBaseTest : public testing::Test { bool remote_gcm_enabled, int expected_cipher_suite) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled; + caller_options.crypto_options.srtp.enable_gcm_crypto_suites = + local_gcm_enabled; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled; + callee_options.crypto_options.srtp.enable_gcm_crypto_suites = + remote_gcm_enabled; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); } @@ -2843,9 +2845,10 @@ TEST_P(PeerConnectionIntegrationTest, CallerDtls10ToCalleeDtls12) { TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherNotUsedWhenOnlyCallerSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; + caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = false; + callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = + false; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_80; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2854,9 +2857,10 @@ TEST_P(PeerConnectionIntegrationTest, TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherNotUsedWhenOnlyCalleeSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = false; + caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = + false; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; + callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_80; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2864,9 +2868,9 @@ TEST_P(PeerConnectionIntegrationTest, TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherUsedWhenSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; + caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; + callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_32; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2916,7 +2920,7 @@ TEST_P(PeerConnectionIntegrationTest, // works with it. TEST_P(PeerConnectionIntegrationTest, EndToEndCallWithGcmCipher) { PeerConnectionFactory::Options gcm_options; - gcm_options.crypto_options.enable_gcm_crypto_suites = true; + gcm_options.crypto_options.srtp.enable_gcm_crypto_suites = true; ASSERT_TRUE( CreatePeerConnectionWrappersWithOptions(gcm_options, gcm_options)); ConnectFakeSignaling(); diff --git a/pc/peerconnectionfactory.cc b/pc/peerconnectionfactory.cc index edc13034a3..c3db9cf380 100644 --- a/pc/peerconnectionfactory.cc +++ b/pc/peerconnectionfactory.cc @@ -234,6 +234,17 @@ bool PeerConnectionFactory::Initialize() { void PeerConnectionFactory::SetOptions(const Options& options) { options_ = options; + // TODO(webrtc:9859) - Remove Chromium Compatibility once fix lands in + // Chromium + if (options.crypto_options.enable_gcm_crypto_suites.has_value()) { + options_.crypto_options.srtp.enable_gcm_crypto_suites = + *options.crypto_options.enable_gcm_crypto_suites; + } + if (options.crypto_options.enable_encrypted_rtp_header_extensions + .has_value()) { + options_.crypto_options.srtp.enable_encrypted_rtp_header_extensions = + *options.crypto_options.enable_encrypted_rtp_header_extensions; + } } RtpCapabilities PeerConnectionFactory::GetRtpSenderCapabilities( diff --git a/pc/rtpsenderreceiver_unittest.cc b/pc/rtpsenderreceiver_unittest.cc index 07ff6a3865..fad839cc4c 100644 --- a/pc/rtpsenderreceiver_unittest.cc +++ b/pc/rtpsenderreceiver_unittest.cc @@ -81,11 +81,11 @@ class RtpSenderReceiverTest : public testing::Test, voice_channel_ = channel_manager_.CreateVoiceChannel( &fake_call_, cricket::MediaConfig(), rtp_transport_.get(), rtc::Thread::Current(), cricket::CN_AUDIO, srtp_required, - rtc::CryptoOptions(), cricket::AudioOptions()); + webrtc::CryptoOptions(), cricket::AudioOptions()); video_channel_ = channel_manager_.CreateVideoChannel( &fake_call_, cricket::MediaConfig(), rtp_transport_.get(), rtc::Thread::Current(), cricket::CN_VIDEO, srtp_required, - rtc::CryptoOptions(), cricket::VideoOptions()); + webrtc::CryptoOptions(), cricket::VideoOptions()); voice_channel_->Enable(true); video_channel_->Enable(true); voice_media_channel_ = media_engine_->GetVoiceChannel(0); diff --git a/pc/test/fakepeerconnectionforstats.h b/pc/test/fakepeerconnectionforstats.h index 642fa011eb..ae329e4450 100644 --- a/pc/test/fakepeerconnectionforstats.h +++ b/pc/test/fakepeerconnectionforstats.h @@ -126,7 +126,7 @@ class FakePeerConnectionForStats : public FakePeerConnectionBase { voice_channel_ = absl::make_unique( worker_thread_, network_thread_, signaling_thread_, nullptr, std::move(voice_media_channel), mid, kDefaultSrtpRequired, - rtc::CryptoOptions()); + webrtc::CryptoOptions()); voice_channel_->set_transport_name_for_testing(transport_name); GetOrCreateFirstTransceiverOfType(cricket::MEDIA_TYPE_AUDIO) ->internal() @@ -144,7 +144,7 @@ class FakePeerConnectionForStats : public FakePeerConnectionBase { video_channel_ = absl::make_unique( worker_thread_, network_thread_, signaling_thread_, std::move(video_media_channel), mid, kDefaultSrtpRequired, - rtc::CryptoOptions()); + webrtc::CryptoOptions()); video_channel_->set_transport_name_for_testing(transport_name); GetOrCreateFirstTransceiverOfType(cricket::MEDIA_TYPE_VIDEO) ->internal() diff --git a/rtc_base/sslstreamadapter.cc b/rtc_base/sslstreamadapter.cc index 746ebd5006..fe42bf4ad6 100644 --- a/rtc_base/sslstreamadapter.cc +++ b/rtc_base/sslstreamadapter.cc @@ -89,32 +89,6 @@ bool IsGcmCryptoSuiteName(const std::string& crypto_suite) { crypto_suite == CS_AEAD_AES_128_GCM); } -// static -CryptoOptions CryptoOptions::NoGcm() { - CryptoOptions options; - options.enable_gcm_crypto_suites = false; - return options; -} - -std::vector GetSupportedDtlsSrtpCryptoSuites( - const rtc::CryptoOptions& crypto_options) { - std::vector crypto_suites; - if (crypto_options.enable_gcm_crypto_suites) { - crypto_suites.push_back(rtc::SRTP_AEAD_AES_256_GCM); - crypto_suites.push_back(rtc::SRTP_AEAD_AES_128_GCM); - } - // Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by - // draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as - // well, and saves a few bytes per packet if it ends up selected. - // As the cipher suite is potentially insecure, it will only be used if - // enabled by both peers. - if (crypto_options.enable_aes128_sha1_32_crypto_cipher) { - crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32); - } - crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80); - return crypto_suites; -} - SSLStreamAdapter* SSLStreamAdapter::Create(StreamInterface* stream) { return new OpenSSLStreamAdapter(stream); } diff --git a/rtc_base/sslstreamadapter.h b/rtc_base/sslstreamadapter.h index 2d4e19f9b5..dad8a4ece0 100644 --- a/rtc_base/sslstreamadapter.h +++ b/rtc_base/sslstreamadapter.h @@ -70,34 +70,6 @@ bool IsGcmCryptoSuite(int crypto_suite); // Returns true if the given crypto suite name uses a GCM cipher. bool IsGcmCryptoSuiteName(const std::string& crypto_suite); -struct CryptoOptions { - CryptoOptions() {} - - // Helper method to return an instance of the CryptoOptions with GCM crypto - // suites disabled. This method should be used instead of depending on current - // default values set by the constructor. - static CryptoOptions NoGcm(); - - // Enable GCM crypto suites from RFC 7714 for SRTP. GCM will only be used - // if both sides enable it. - bool enable_gcm_crypto_suites = false; - - // If set to true, the (potentially insecure) crypto cipher - // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers - // during negotiation. It will only be used if both peers support it and no - // other ciphers get preferred. - bool enable_aes128_sha1_32_crypto_cipher = false; - - // If set to true, encrypted RTP header extensions as defined in RFC 6904 - // will be negotiated. They will only be used if both peers support them. - bool enable_encrypted_rtp_header_extensions = false; -}; - -// Returns supported crypto suites, given |crypto_options|. -// CS_AES_CM_128_HMAC_SHA1_32 will be preferred by default. -std::vector GetSupportedDtlsSrtpCryptoSuites( - const rtc::CryptoOptions& crypto_options); - // SSLStreamAdapter : A StreamInterfaceAdapter that does SSL/TLS. // After SSL has been started, the stream will only open on successful // SSL verification of certificates, and the communication is diff --git a/sdk/android/src/jni/pc/peerconnectionfactory.cc b/sdk/android/src/jni/pc/peerconnectionfactory.cc index 01c1accaa3..049858a139 100644 --- a/sdk/android/src/jni/pc/peerconnectionfactory.cc +++ b/sdk/android/src/jni/pc/peerconnectionfactory.cc @@ -63,9 +63,9 @@ JavaToNativePeerConnectionFactoryOptions(JNIEnv* jni, native_options.disable_encryption = disable_encryption; native_options.disable_network_monitor = disable_network_monitor; - native_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = + native_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = enable_aes128_sha1_32_crypto_cipher; - native_options.crypto_options.enable_gcm_crypto_suites = + native_options.crypto_options.srtp.enable_gcm_crypto_suites = enable_gcm_crypto_suites; return native_options; } diff --git a/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm b/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm index 103a130390..1690385937 100644 --- a/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm +++ b/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm @@ -52,8 +52,9 @@ void setNetworkBit(webrtc::PeerConnectionFactoryInterface::Options* options, setNetworkBit(&options, rtc::ADAPTER_TYPE_WIFI, self.ignoreWiFiNetworkAdapter); setNetworkBit(&options, rtc::ADAPTER_TYPE_ETHERNET, self.ignoreEthernetNetworkAdapter); - options.crypto_options.enable_aes128_sha1_32_crypto_cipher = self.enableAes128Sha1_32CryptoCipher; - options.crypto_options.enable_gcm_crypto_suites = self.enableGcmCryptoSuites; + options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = + self.enableAes128Sha1_32CryptoCipher; + options.crypto_options.srtp.enable_gcm_crypto_suites = self.enableGcmCryptoSuites; return options; }