summaryrefslogtreecommitdiffstats
path: root/third_party/libwebrtc/pc/srtp_transport.cc
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /third_party/libwebrtc/pc/srtp_transport.cc
parentInitial commit. (diff)
downloadfirefox-esr-upstream.tar.xz
firefox-esr-upstream.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/libwebrtc/pc/srtp_transport.cc')
-rw-r--r--third_party/libwebrtc/pc/srtp_transport.cc519
1 files changed, 519 insertions, 0 deletions
diff --git a/third_party/libwebrtc/pc/srtp_transport.cc b/third_party/libwebrtc/pc/srtp_transport.cc
new file mode 100644
index 0000000000..838040876c
--- /dev/null
+++ b/third_party/libwebrtc/pc/srtp_transport.cc
@@ -0,0 +1,519 @@
+/*
+ * Copyright 2017 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "pc/srtp_transport.h"
+
+#include <string.h>
+
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "absl/strings/match.h"
+#include "media/base/rtp_utils.h"
+#include "modules/rtp_rtcp/source/rtp_util.h"
+#include "pc/rtp_transport.h"
+#include "pc/srtp_session.h"
+#include "rtc_base/async_packet_socket.h"
+#include "rtc_base/checks.h"
+#include "rtc_base/copy_on_write_buffer.h"
+#include "rtc_base/logging.h"
+#include "rtc_base/numerics/safe_conversions.h"
+#include "rtc_base/ssl_stream_adapter.h"
+#include "rtc_base/third_party/base64/base64.h"
+#include "rtc_base/trace_event.h"
+#include "rtc_base/zero_memory.h"
+
+namespace webrtc {
+
+SrtpTransport::SrtpTransport(bool rtcp_mux_enabled,
+ const FieldTrialsView& field_trials)
+ : RtpTransport(rtcp_mux_enabled), field_trials_(field_trials) {}
+
+RTCError SrtpTransport::SetSrtpSendKey(const cricket::CryptoParams& params) {
+ if (send_params_) {
+ LOG_AND_RETURN_ERROR(
+ webrtc::RTCErrorType::UNSUPPORTED_OPERATION,
+ "Setting the SRTP send key twice is currently unsupported.");
+ }
+ if (recv_params_ && recv_params_->cipher_suite != params.cipher_suite) {
+ LOG_AND_RETURN_ERROR(
+ webrtc::RTCErrorType::UNSUPPORTED_OPERATION,
+ "The send key and receive key must have the same cipher suite.");
+ }
+
+ send_cipher_suite_ = rtc::SrtpCryptoSuiteFromName(params.cipher_suite);
+ if (*send_cipher_suite_ == rtc::kSrtpInvalidCryptoSuite) {
+ return RTCError(RTCErrorType::INVALID_PARAMETER,
+ "Invalid SRTP crypto suite");
+ }
+
+ int send_key_len, send_salt_len;
+ if (!rtc::GetSrtpKeyAndSaltLengths(*send_cipher_suite_, &send_key_len,
+ &send_salt_len)) {
+ return RTCError(RTCErrorType::INVALID_PARAMETER,
+ "Could not get lengths for crypto suite(s):"
+ " send cipher_suite ");
+ }
+
+ send_key_ = rtc::ZeroOnFreeBuffer<uint8_t>(send_key_len + send_salt_len);
+ if (!ParseKeyParams(params.key_params, send_key_.data(), send_key_.size())) {
+ return RTCError(RTCErrorType::INVALID_PARAMETER,
+ "Failed to parse the crypto key params");
+ }
+
+ if (!MaybeSetKeyParams()) {
+ return RTCError(RTCErrorType::INVALID_PARAMETER,
+ "Failed to set the crypto key params");
+ }
+ send_params_ = params;
+ return RTCError::OK();
+}
+
+RTCError SrtpTransport::SetSrtpReceiveKey(const cricket::CryptoParams& params) {
+ if (recv_params_) {
+ LOG_AND_RETURN_ERROR(
+ webrtc::RTCErrorType::UNSUPPORTED_OPERATION,
+ "Setting the SRTP send key twice is currently unsupported.");
+ }
+ if (send_params_ && send_params_->cipher_suite != params.cipher_suite) {
+ LOG_AND_RETURN_ERROR(
+ webrtc::RTCErrorType::UNSUPPORTED_OPERATION,
+ "The send key and receive key must have the same cipher suite.");
+ }
+
+ recv_cipher_suite_ = rtc::SrtpCryptoSuiteFromName(params.cipher_suite);
+ if (*recv_cipher_suite_ == rtc::kSrtpInvalidCryptoSuite) {
+ return RTCError(RTCErrorType::INVALID_PARAMETER,
+ "Invalid SRTP crypto suite");
+ }
+
+ int recv_key_len, recv_salt_len;
+ if (!rtc::GetSrtpKeyAndSaltLengths(*recv_cipher_suite_, &recv_key_len,
+ &recv_salt_len)) {
+ return RTCError(RTCErrorType::INVALID_PARAMETER,
+ "Could not get lengths for crypto suite(s):"
+ " recv cipher_suite ");
+ }
+
+ recv_key_ = rtc::ZeroOnFreeBuffer<uint8_t>(recv_key_len + recv_salt_len);
+ if (!ParseKeyParams(params.key_params, recv_key_.data(), recv_key_.size())) {
+ return RTCError(RTCErrorType::INVALID_PARAMETER,
+ "Failed to parse the crypto key params");
+ }
+
+ if (!MaybeSetKeyParams()) {
+ return RTCError(RTCErrorType::INVALID_PARAMETER,
+ "Failed to set the crypto key params");
+ }
+ recv_params_ = params;
+ return RTCError::OK();
+}
+
+bool SrtpTransport::SendRtpPacket(rtc::CopyOnWriteBuffer* packet,
+ const rtc::PacketOptions& options,
+ int flags) {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_ERROR)
+ << "Failed to send the packet because SRTP transport is inactive.";
+ return false;
+ }
+ rtc::PacketOptions updated_options = options;
+ TRACE_EVENT0("webrtc", "SRTP Encode");
+ bool res;
+ uint8_t* data = packet->MutableData();
+ int len = rtc::checked_cast<int>(packet->size());
+// If ENABLE_EXTERNAL_AUTH flag is on then packet authentication is not done
+// inside libsrtp for a RTP packet. A external HMAC module will be writing
+// a fake HMAC value. This is ONLY done for a RTP packet.
+// Socket layer will update rtp sendtime extension header if present in
+// packet with current time before updating the HMAC.
+#if !defined(ENABLE_EXTERNAL_AUTH)
+ res = ProtectRtp(data, len, static_cast<int>(packet->capacity()), &len);
+#else
+ if (!IsExternalAuthActive()) {
+ res = ProtectRtp(data, len, static_cast<int>(packet->capacity()), &len);
+ } else {
+ updated_options.packet_time_params.rtp_sendtime_extension_id =
+ rtp_abs_sendtime_extn_id_;
+ res = ProtectRtp(data, len, static_cast<int>(packet->capacity()), &len,
+ &updated_options.packet_time_params.srtp_packet_index);
+ // If protection succeeds, let's get auth params from srtp.
+ if (res) {
+ uint8_t* auth_key = nullptr;
+ int key_len = 0;
+ res = GetRtpAuthParams(
+ &auth_key, &key_len,
+ &updated_options.packet_time_params.srtp_auth_tag_len);
+ if (res) {
+ updated_options.packet_time_params.srtp_auth_key.resize(key_len);
+ updated_options.packet_time_params.srtp_auth_key.assign(
+ auth_key, auth_key + key_len);
+ }
+ }
+ }
+#endif
+ if (!res) {
+ uint16_t seq_num = ParseRtpSequenceNumber(*packet);
+ uint32_t ssrc = ParseRtpSsrc(*packet);
+ RTC_LOG(LS_ERROR) << "Failed to protect RTP packet: size=" << len
+ << ", seqnum=" << seq_num << ", SSRC=" << ssrc;
+ return false;
+ }
+
+ // Update the length of the packet now that we've added the auth tag.
+ packet->SetSize(len);
+ return SendPacket(/*rtcp=*/false, packet, updated_options, flags);
+}
+
+bool SrtpTransport::SendRtcpPacket(rtc::CopyOnWriteBuffer* packet,
+ const rtc::PacketOptions& options,
+ int flags) {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_ERROR)
+ << "Failed to send the packet because SRTP transport is inactive.";
+ return false;
+ }
+
+ TRACE_EVENT0("webrtc", "SRTP Encode");
+ uint8_t* data = packet->MutableData();
+ int len = rtc::checked_cast<int>(packet->size());
+ if (!ProtectRtcp(data, len, static_cast<int>(packet->capacity()), &len)) {
+ int type = -1;
+ cricket::GetRtcpType(data, len, &type);
+ RTC_LOG(LS_ERROR) << "Failed to protect RTCP packet: size=" << len
+ << ", type=" << type;
+ return false;
+ }
+ // Update the length of the packet now that we've added the auth tag.
+ packet->SetSize(len);
+
+ return SendPacket(/*rtcp=*/true, packet, options, flags);
+}
+
+void SrtpTransport::OnRtpPacketReceived(rtc::CopyOnWriteBuffer packet,
+ int64_t packet_time_us) {
+ TRACE_EVENT0("webrtc", "SrtpTransport::OnRtpPacketReceived");
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING)
+ << "Inactive SRTP transport received an RTP packet. Drop it.";
+ return;
+ }
+ char* data = packet.MutableData<char>();
+ int len = rtc::checked_cast<int>(packet.size());
+ if (!UnprotectRtp(data, len, &len)) {
+ // Limit the error logging to avoid excessive logs when there are lots of
+ // bad packets.
+ const int kFailureLogThrottleCount = 100;
+ if (decryption_failure_count_ % kFailureLogThrottleCount == 0) {
+ RTC_LOG(LS_ERROR) << "Failed to unprotect RTP packet: size=" << len
+ << ", seqnum=" << ParseRtpSequenceNumber(packet)
+ << ", SSRC=" << ParseRtpSsrc(packet)
+ << ", previous failure count: "
+ << decryption_failure_count_;
+ }
+ ++decryption_failure_count_;
+ return;
+ }
+ packet.SetSize(len);
+ DemuxPacket(std::move(packet), packet_time_us);
+}
+
+void SrtpTransport::OnRtcpPacketReceived(rtc::CopyOnWriteBuffer packet,
+ int64_t packet_time_us) {
+ TRACE_EVENT0("webrtc", "SrtpTransport::OnRtcpPacketReceived");
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING)
+ << "Inactive SRTP transport received an RTCP packet. Drop it.";
+ return;
+ }
+ char* data = packet.MutableData<char>();
+ int len = rtc::checked_cast<int>(packet.size());
+ if (!UnprotectRtcp(data, len, &len)) {
+ int type = -1;
+ cricket::GetRtcpType(data, len, &type);
+ RTC_LOG(LS_ERROR) << "Failed to unprotect RTCP packet: size=" << len
+ << ", type=" << type;
+ return;
+ }
+ packet.SetSize(len);
+ SignalRtcpPacketReceived(&packet, packet_time_us);
+}
+
+void SrtpTransport::OnNetworkRouteChanged(
+ absl::optional<rtc::NetworkRoute> network_route) {
+ // Only append the SRTP overhead when there is a selected network route.
+ if (network_route) {
+ int srtp_overhead = 0;
+ if (IsSrtpActive()) {
+ GetSrtpOverhead(&srtp_overhead);
+ }
+ network_route->packet_overhead += srtp_overhead;
+ }
+ SignalNetworkRouteChanged(network_route);
+}
+
+void SrtpTransport::OnWritableState(
+ rtc::PacketTransportInternal* packet_transport) {
+ SignalWritableState(IsWritable(/*rtcp=*/false) && IsWritable(/*rtcp=*/true));
+}
+
+bool SrtpTransport::SetRtpParams(int send_cs,
+ const uint8_t* send_key,
+ int send_key_len,
+ const std::vector<int>& send_extension_ids,
+ int recv_cs,
+ const uint8_t* recv_key,
+ int recv_key_len,
+ const std::vector<int>& recv_extension_ids) {
+ // If parameters are being set for the first time, we should create new SRTP
+ // sessions and call "SetSend/SetRecv". Otherwise we should call
+ // "UpdateSend"/"UpdateRecv" on the existing sessions, which will internally
+ // call "srtp_update".
+ bool new_sessions = false;
+ if (!send_session_) {
+ RTC_DCHECK(!recv_session_);
+ CreateSrtpSessions();
+ new_sessions = true;
+ }
+ bool ret = new_sessions
+ ? send_session_->SetSend(send_cs, send_key, send_key_len,
+ send_extension_ids)
+ : send_session_->UpdateSend(send_cs, send_key, send_key_len,
+ send_extension_ids);
+ if (!ret) {
+ ResetParams();
+ return false;
+ }
+
+ ret = new_sessions ? recv_session_->SetRecv(recv_cs, recv_key, recv_key_len,
+ recv_extension_ids)
+ : recv_session_->UpdateRecv(
+ recv_cs, recv_key, recv_key_len, recv_extension_ids);
+ if (!ret) {
+ ResetParams();
+ return false;
+ }
+
+ RTC_LOG(LS_INFO) << "SRTP " << (new_sessions ? "activated" : "updated")
+ << " with negotiated parameters: send cipher_suite "
+ << send_cs << " recv cipher_suite " << recv_cs;
+ MaybeUpdateWritableState();
+ return true;
+}
+
+bool SrtpTransport::SetRtcpParams(int send_cs,
+ const uint8_t* send_key,
+ int send_key_len,
+ const std::vector<int>& send_extension_ids,
+ int recv_cs,
+ const uint8_t* recv_key,
+ int recv_key_len,
+ const std::vector<int>& recv_extension_ids) {
+ // This can only be called once, but can be safely called after
+ // SetRtpParams
+ if (send_rtcp_session_ || recv_rtcp_session_) {
+ RTC_LOG(LS_ERROR) << "Tried to set SRTCP Params when filter already active";
+ return false;
+ }
+
+ send_rtcp_session_.reset(new cricket::SrtpSession(field_trials_));
+ if (!send_rtcp_session_->SetSend(send_cs, send_key, send_key_len,
+ send_extension_ids)) {
+ return false;
+ }
+
+ recv_rtcp_session_.reset(new cricket::SrtpSession(field_trials_));
+ if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len,
+ recv_extension_ids)) {
+ return false;
+ }
+
+ RTC_LOG(LS_INFO) << "SRTCP activated with negotiated parameters:"
+ " send cipher_suite "
+ << send_cs << " recv cipher_suite " << recv_cs;
+ MaybeUpdateWritableState();
+ return true;
+}
+
+bool SrtpTransport::IsSrtpActive() const {
+ return send_session_ && recv_session_;
+}
+
+bool SrtpTransport::IsWritable(bool rtcp) const {
+ return IsSrtpActive() && RtpTransport::IsWritable(rtcp);
+}
+
+void SrtpTransport::ResetParams() {
+ send_session_ = nullptr;
+ recv_session_ = nullptr;
+ send_rtcp_session_ = nullptr;
+ recv_rtcp_session_ = nullptr;
+ MaybeUpdateWritableState();
+ RTC_LOG(LS_INFO) << "The params in SRTP transport are reset.";
+}
+
+void SrtpTransport::CreateSrtpSessions() {
+ send_session_.reset(new cricket::SrtpSession(field_trials_));
+ recv_session_.reset(new cricket::SrtpSession(field_trials_));
+ if (external_auth_enabled_) {
+ send_session_->EnableExternalAuth();
+ }
+}
+
+bool SrtpTransport::ProtectRtp(void* p, int in_len, int max_len, int* out_len) {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING) << "Failed to ProtectRtp: SRTP not active";
+ return false;
+ }
+ RTC_CHECK(send_session_);
+ return send_session_->ProtectRtp(p, in_len, max_len, out_len);
+}
+
+bool SrtpTransport::ProtectRtp(void* p,
+ int in_len,
+ int max_len,
+ int* out_len,
+ int64_t* index) {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING) << "Failed to ProtectRtp: SRTP not active";
+ return false;
+ }
+ RTC_CHECK(send_session_);
+ return send_session_->ProtectRtp(p, in_len, max_len, out_len, index);
+}
+
+bool SrtpTransport::ProtectRtcp(void* p,
+ int in_len,
+ int max_len,
+ int* out_len) {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING) << "Failed to ProtectRtcp: SRTP not active";
+ return false;
+ }
+ if (send_rtcp_session_) {
+ return send_rtcp_session_->ProtectRtcp(p, in_len, max_len, out_len);
+ } else {
+ RTC_CHECK(send_session_);
+ return send_session_->ProtectRtcp(p, in_len, max_len, out_len);
+ }
+}
+
+bool SrtpTransport::UnprotectRtp(void* p, int in_len, int* out_len) {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING) << "Failed to UnprotectRtp: SRTP not active";
+ return false;
+ }
+ RTC_CHECK(recv_session_);
+ return recv_session_->UnprotectRtp(p, in_len, out_len);
+}
+
+bool SrtpTransport::UnprotectRtcp(void* p, int in_len, int* out_len) {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING) << "Failed to UnprotectRtcp: SRTP not active";
+ return false;
+ }
+ if (recv_rtcp_session_) {
+ return recv_rtcp_session_->UnprotectRtcp(p, in_len, out_len);
+ } else {
+ RTC_CHECK(recv_session_);
+ return recv_session_->UnprotectRtcp(p, in_len, out_len);
+ }
+}
+
+bool SrtpTransport::GetRtpAuthParams(uint8_t** key,
+ int* key_len,
+ int* tag_len) {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING) << "Failed to GetRtpAuthParams: SRTP not active";
+ return false;
+ }
+
+ RTC_CHECK(send_session_);
+ return send_session_->GetRtpAuthParams(key, key_len, tag_len);
+}
+
+bool SrtpTransport::GetSrtpOverhead(int* srtp_overhead) const {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING) << "Failed to GetSrtpOverhead: SRTP not active";
+ return false;
+ }
+
+ RTC_CHECK(send_session_);
+ *srtp_overhead = send_session_->GetSrtpOverhead();
+ return true;
+}
+
+void SrtpTransport::EnableExternalAuth() {
+ RTC_DCHECK(!IsSrtpActive());
+ external_auth_enabled_ = true;
+}
+
+bool SrtpTransport::IsExternalAuthEnabled() const {
+ return external_auth_enabled_;
+}
+
+bool SrtpTransport::IsExternalAuthActive() const {
+ if (!IsSrtpActive()) {
+ RTC_LOG(LS_WARNING)
+ << "Failed to check IsExternalAuthActive: SRTP not active";
+ return false;
+ }
+
+ RTC_CHECK(send_session_);
+ return send_session_->IsExternalAuthActive();
+}
+
+bool SrtpTransport::MaybeSetKeyParams() {
+ if (!send_cipher_suite_ || !recv_cipher_suite_) {
+ return true;
+ }
+
+ return SetRtpParams(*send_cipher_suite_, send_key_.data(),
+ static_cast<int>(send_key_.size()), std::vector<int>(),
+ *recv_cipher_suite_, recv_key_.data(),
+ static_cast<int>(recv_key_.size()), std::vector<int>());
+}
+
+bool SrtpTransport::ParseKeyParams(const std::string& key_params,
+ uint8_t* key,
+ size_t len) {
+ // example key_params: "inline:YUJDZGVmZ2hpSktMbW9QUXJzVHVWd3l6MTIzNDU2"
+
+ // Fail if key-method is wrong.
+ if (!absl::StartsWith(key_params, "inline:")) {
+ return false;
+ }
+
+ // Fail if base64 decode fails, or the key is the wrong size.
+ std::string key_b64(key_params.substr(7)), key_str;
+ if (!rtc::Base64::Decode(key_b64, rtc::Base64::DO_STRICT, &key_str,
+ nullptr) ||
+ key_str.size() != len) {
+ return false;
+ }
+
+ memcpy(key, key_str.c_str(), len);
+ // TODO(bugs.webrtc.org/8905): Switch to ZeroOnFreeBuffer for storing
+ // sensitive data.
+ rtc::ExplicitZeroMemory(&key_str[0], key_str.size());
+ return true;
+}
+
+void SrtpTransport::MaybeUpdateWritableState() {
+ bool writable = IsWritable(/*rtcp=*/true) && IsWritable(/*rtcp=*/false);
+ // Only fire the signal if the writable state changes.
+ if (writable_ != writable) {
+ writable_ = writable;
+ SignalWritableState(writable_);
+ }
+}
+
+} // namespace webrtc