zqz/platform-external-webrtc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adding flag to enable/disable use of SRTP_AES128_CM_SHA1_32 crypto suite.

Browse Source 
This flag (added to CryptoOptions) will allow applications to opt-in to
use of this suite, before it's disabled by default later. See bug for
more details.

TBR=magjed@webrtc.org

Bug: webrtc:7670
Change-Id: I800bedd4b26d807b6b7ac66b505d419c3323e454
Reviewed-on: https://webrtc-review.googlesource.com/64390
Commit-Queue: Taylor Brandstetter <deadbeef@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22586}
This commit is contained in:
Taylor Brandstetter
2018-03-23 11:50:16 -07:00
committed by Commit Bot
parent 767a2ced73
commit 5e55fe845e
8 changed files with 87 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
rtc_base/sslstreamadapter.cc
View File

@ -105,7 +105,11 @@ std::vector<int> GetSupportedDtlsSrtpCryptoSuites(
// Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by
// draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as
// well, and saves a few bytes per packet if it ends up selected.
crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32);
// As the cipher suite is potentially insecure, it will only be used if
// enabled by both peers.
if (crypto_options.enable_aes128_sha1_32_crypto_cipher) {
crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32);
}
crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80);
return crypto_suites;
}

9
rtc_base/sslstreamadapter.h
View File

@ -80,6 +80,15 @@ struct CryptoOptions {
// if both sides enable it.
bool enable_gcm_crypto_suites = false;
// If set to true, the (potentially insecure) crypto cipher
// SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers
// during negotiation. It will only be used if both peers support it and no
// other ciphers get preferred.
// TODO(crbug.com/webrtc/7670): Change default to false after sending PSA and
// giving time for users to set this flag to true explicitly, if they still
// want to use this crypto suite.
bool enable_aes128_sha1_32_crypto_cipher = true;
// If set to true, encrypted RTP header extensions as defined in RFC 6904
// will be negotiated. They will only be used if both peers support them.
bool enable_encrypted_rtp_header_extensions = false;