diff --git a/api/BUILD.gn b/api/BUILD.gn index 60eb7514c2..c420b10a41 100644 --- a/api/BUILD.gn +++ b/api/BUILD.gn @@ -52,6 +52,8 @@ rtc_static_library("libjingle_peerconnection_api") { "bitrate_constraints.h", "candidate.cc", "candidate.h", + "crypto/cryptooptions.cc", + "crypto/cryptooptions.h", "crypto/framedecryptorinterface.h", "crypto/frameencryptorinterface.h", "cryptoparams.h", diff --git a/api/crypto/cryptooptions.cc b/api/crypto/cryptooptions.cc new file mode 100644 index 0000000000..ed6db471d5 --- /dev/null +++ b/api/crypto/cryptooptions.cc @@ -0,0 +1,52 @@ +/* + * Copyright 2018 The WebRTC Project Authors. All rights reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include "api/crypto/cryptooptions.h" +#include "rtc_base/sslstreamadapter.h" + +namespace webrtc { + +CryptoOptions::CryptoOptions() {} + +CryptoOptions::CryptoOptions(const CryptoOptions& other) { + enable_gcm_crypto_suites = other.enable_gcm_crypto_suites; + enable_encrypted_rtp_header_extensions = + other.enable_encrypted_rtp_header_extensions; + srtp = other.srtp; +} + +CryptoOptions::~CryptoOptions() {} + +// static +CryptoOptions CryptoOptions::NoGcm() { + CryptoOptions options; + options.srtp.enable_gcm_crypto_suites = false; + return options; +} + +std::vector CryptoOptions::GetSupportedDtlsSrtpCryptoSuites() const { + std::vector crypto_suites; + if (srtp.enable_gcm_crypto_suites) { + crypto_suites.push_back(rtc::SRTP_AEAD_AES_256_GCM); + crypto_suites.push_back(rtc::SRTP_AEAD_AES_128_GCM); + } + // Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by + // draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as + // well, and saves a few bytes per packet if it ends up selected. + // As the cipher suite is potentially insecure, it will only be used if + // enabled by both peers. + if (srtp.enable_aes128_sha1_32_crypto_cipher) { + crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32); + } + crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80); + return crypto_suites; +} + +} // namespace webrtc diff --git a/api/crypto/cryptooptions.h b/api/crypto/cryptooptions.h new file mode 100644 index 0000000000..0ac973f08a --- /dev/null +++ b/api/crypto/cryptooptions.h @@ -0,0 +1,67 @@ +/* + * Copyright 2018 The WebRTC Project Authors. All rights reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#ifndef API_CRYPTO_CRYPTOOPTIONS_H_ +#define API_CRYPTO_CRYPTOOPTIONS_H_ + +#include +#include "absl/types/optional.h" + +namespace webrtc { + +// CryptoOptions defines advanced cryptographic settings for native WebRTC. +// These settings must be passed into PeerConnectionFactoryInterface::Options +// and are only applicable to native use cases of WebRTC. +struct CryptoOptions { + CryptoOptions(); + CryptoOptions(const CryptoOptions& other); + ~CryptoOptions(); + + // Helper method to return an instance of the CryptoOptions with GCM crypto + // suites disabled. This method should be used instead of depending on current + // default values set by the constructor. + static CryptoOptions NoGcm(); + + // Returns a list of the supported DTLS-SRTP Crypto suites based on this set + // of crypto options. + std::vector GetSupportedDtlsSrtpCryptoSuites() const; + + // TODO(webrtc:9859) - Remove duplicates once chromium is fixed. + // Will be removed once srtp.enable_gcm_crypto_suites is updated in Chrome. + absl::optional enable_gcm_crypto_suites; + // TODO(webrtc:9859) - Remove duplicates once chromium is fixed. + // Will be removed once srtp.enable_encrypted_rtp_header_extensions is + // updated in Chrome. + absl::optional enable_encrypted_rtp_header_extensions; + // Will be removed once srtp.enable_encrypted_rtp_header_extensions is + // updated in Tacl. + absl::optional enable_aes128_sha1_32_crypto_cipher; + + // SRTP Related Peer Connection options. + struct Srtp { + // Enable GCM crypto suites from RFC 7714 for SRTP. GCM will only be used + // if both sides enable it. + bool enable_gcm_crypto_suites = false; + + // If set to true, the (potentially insecure) crypto cipher + // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers + // during negotiation. It will only be used if both peers support it and no + // other ciphers get preferred. + bool enable_aes128_sha1_32_crypto_cipher = false; + + // If set to true, encrypted RTP header extensions as defined in RFC 6904 + // will be negotiated. They will only be used if both peers support them. + bool enable_encrypted_rtp_header_extensions = false; + } srtp; +}; + +} // namespace webrtc + +#endif // API_CRYPTO_CRYPTOOPTIONS_H_ diff --git a/api/cryptoparams.h b/api/cryptoparams.h index 2350528358..abe9055462 100644 --- a/api/cryptoparams.h +++ b/api/cryptoparams.h @@ -16,6 +16,8 @@ namespace cricket { // Parameters for SRTP negotiation, as described in RFC 4568. +// TODO(benwright) - Rename to SrtpCryptoParams as these only apply to SRTP and +// not generic crypto parameters for WebRTC. struct CryptoParams { CryptoParams() : tag(0) {} CryptoParams(int t, diff --git a/api/peerconnectioninterface.h b/api/peerconnectioninterface.h index 3d8a9c1e41..141b2c9272 100644 --- a/api/peerconnectioninterface.h +++ b/api/peerconnectioninterface.h @@ -77,6 +77,7 @@ #include "api/audio_codecs/audio_encoder_factory.h" #include "api/audio_options.h" #include "api/call/callfactoryinterface.h" +#include "api/crypto/cryptooptions.h" #include "api/datachannelinterface.h" #include "api/fec_controller.h" #include "api/jsep.h" @@ -1180,7 +1181,7 @@ class PeerConnectionFactoryInterface : public rtc::RefCountInterface { public: class Options { public: - Options() : crypto_options(rtc::CryptoOptions::NoGcm()) {} + Options() {} // If set to true, created PeerConnections won't enforce any SRTP // requirement, allowing unsecured media. Should only be used for @@ -1209,7 +1210,7 @@ class PeerConnectionFactoryInterface : public rtc::RefCountInterface { rtc::SSLProtocolVersion ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12; // Sets crypto related options, e.g. enabled cipher suites. - rtc::CryptoOptions crypto_options; + CryptoOptions crypto_options = CryptoOptions::NoGcm(); }; // Set the options to be used for subsequently created PeerConnections. diff --git a/p2p/base/dtlstransport.cc b/p2p/base/dtlstransport.cc index 314f63ce74..f498253c25 100644 --- a/p2p/base/dtlstransport.cc +++ b/p2p/base/dtlstransport.cc @@ -114,12 +114,12 @@ void StreamInterfaceChannel::Close() { } DtlsTransport::DtlsTransport(IceTransportInternal* ice_transport, - const rtc::CryptoOptions& crypto_options) + const webrtc::CryptoOptions& crypto_options) : transport_name_(ice_transport->transport_name()), component_(ice_transport->component()), ice_transport_(ice_transport), downward_(NULL), - srtp_ciphers_(GetSupportedDtlsSrtpCryptoSuites(crypto_options)), + srtp_ciphers_(crypto_options.GetSupportedDtlsSrtpCryptoSuites()), ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_12), crypto_options_(crypto_options) { RTC_DCHECK(ice_transport_); @@ -128,13 +128,13 @@ DtlsTransport::DtlsTransport(IceTransportInternal* ice_transport, DtlsTransport::DtlsTransport( std::unique_ptr ice_transport, - const rtc::CryptoOptions& crypto_options) + const webrtc::CryptoOptions& crypto_options) : transport_name_(ice_transport->transport_name()), component_(ice_transport->component()), ice_transport_(ice_transport.get()), owned_ice_transport_(std::move(ice_transport)), downward_(NULL), - srtp_ciphers_(GetSupportedDtlsSrtpCryptoSuites(crypto_options)), + srtp_ciphers_(crypto_options.GetSupportedDtlsSrtpCryptoSuites()), ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_12), crypto_options_(crypto_options) { RTC_DCHECK(owned_ice_transport_); @@ -143,7 +143,7 @@ DtlsTransport::DtlsTransport( DtlsTransport::~DtlsTransport() = default; -const rtc::CryptoOptions& DtlsTransport::crypto_options() const { +const webrtc::CryptoOptions& DtlsTransport::crypto_options() const { return crypto_options_; } diff --git a/p2p/base/dtlstransport.h b/p2p/base/dtlstransport.h index 456f375a10..2eafc9e8d5 100644 --- a/p2p/base/dtlstransport.h +++ b/p2p/base/dtlstransport.h @@ -15,6 +15,7 @@ #include #include +#include "api/crypto/cryptooptions.h" #include "p2p/base/dtlstransportinternal.h" #include "p2p/base/icetransportinternal.h" #include "rtc_base/buffer.h" @@ -96,13 +97,13 @@ class DtlsTransport : public DtlsTransportInternal { // whether GCM crypto suites are negotiated. // TODO(zhihuang): Remove this once we switch to JsepTransportController. explicit DtlsTransport(IceTransportInternal* ice_transport, - const rtc::CryptoOptions& crypto_options); + const webrtc::CryptoOptions& crypto_options); explicit DtlsTransport(std::unique_ptr ice_transport, - const rtc::CryptoOptions& crypto_options); + const webrtc::CryptoOptions& crypto_options); ~DtlsTransport() override; - const rtc::CryptoOptions& crypto_options() const override; + const webrtc::CryptoOptions& crypto_options() const override; DtlsTransportState dtls_state() const override; const std::string& transport_name() const override; int component() const override; @@ -231,7 +232,7 @@ class DtlsTransport : public DtlsTransportInternal { rtc::scoped_refptr local_certificate_; absl::optional dtls_role_; rtc::SSLProtocolVersion ssl_max_version_; - rtc::CryptoOptions crypto_options_; + webrtc::CryptoOptions crypto_options_; rtc::Buffer remote_fingerprint_value_; std::string remote_fingerprint_algorithm_; diff --git a/p2p/base/dtlstransport_unittest.cc b/p2p/base/dtlstransport_unittest.cc index 3cf423e851..8dfbf6106c 100644 --- a/p2p/base/dtlstransport_unittest.cc +++ b/p2p/base/dtlstransport_unittest.cc @@ -86,8 +86,8 @@ class DtlsTestClient : public sigslot::has_slots<> { fake_ice_transport_->SignalReadPacket.connect( this, &DtlsTestClient::OnFakeIceTransportReadPacket); - dtls_transport_.reset( - new DtlsTransport(fake_ice_transport_.get(), rtc::CryptoOptions())); + dtls_transport_ = absl::make_unique( + fake_ice_transport_.get(), webrtc::CryptoOptions()); dtls_transport_->SetSslMaxProtocolVersion(ssl_max_version_); // Note: Certificate may be null here if testing passthrough. dtls_transport_->SetLocalCertificate(certificate_); diff --git a/p2p/base/dtlstransportinternal.h b/p2p/base/dtlstransportinternal.h index 238057e4c9..a7137449f4 100644 --- a/p2p/base/dtlstransportinternal.h +++ b/p2p/base/dtlstransportinternal.h @@ -15,6 +15,7 @@ #include #include +#include "api/crypto/cryptooptions.h" #include "p2p/base/icetransportinternal.h" #include "p2p/base/packettransportinternal.h" #include "rtc_base/sslstreamadapter.h" @@ -50,7 +51,7 @@ class DtlsTransportInternal : public rtc::PacketTransportInternal { public: ~DtlsTransportInternal() override; - virtual const rtc::CryptoOptions& crypto_options() const = 0; + virtual const webrtc::CryptoOptions& crypto_options() const = 0; virtual DtlsTransportState dtls_state() const = 0; diff --git a/p2p/base/fakedtlstransport.h b/p2p/base/fakedtlstransport.h index cb944d3db5..c4f9d2c239 100644 --- a/p2p/base/fakedtlstransport.h +++ b/p2p/base/fakedtlstransport.h @@ -17,6 +17,7 @@ #include #include "absl/memory/memory.h" +#include "api/crypto/cryptooptions.h" #include "p2p/base/dtlstransportinternal.h" #include "p2p/base/fakeicetransport.h" #include "rtc_base/fakesslidentity.h" @@ -149,10 +150,10 @@ class FakeDtlsTransport : public DtlsTransportInternal { *role = *dtls_role_; return true; } - const rtc::CryptoOptions& crypto_options() const override { + const webrtc::CryptoOptions& crypto_options() const override { return crypto_options_; } - void SetCryptoOptions(const rtc::CryptoOptions& crypto_options) { + void SetCryptoOptions(const webrtc::CryptoOptions& crypto_options) { crypto_options_ = crypto_options; } bool SetLocalCertificate( @@ -272,7 +273,7 @@ class FakeDtlsTransport : public DtlsTransportInternal { rtc::SSLFingerprint dtls_fingerprint_; absl::optional dtls_role_; int crypto_suite_ = rtc::SRTP_AES128_CM_SHA1_80; - rtc::CryptoOptions crypto_options_; + webrtc::CryptoOptions crypto_options_; DtlsTransportState dtls_state_ = DTLS_TRANSPORT_NEW; diff --git a/p2p/base/transportfactoryinterface.h b/p2p/base/transportfactoryinterface.h index ce32ee8483..9805db005c 100644 --- a/p2p/base/transportfactoryinterface.h +++ b/p2p/base/transportfactoryinterface.h @@ -34,7 +34,7 @@ class TransportFactoryInterface { virtual std::unique_ptr CreateDtlsTransport( std::unique_ptr ice, - const rtc::CryptoOptions& crypto_options) = 0; + const webrtc::CryptoOptions& crypto_options) = 0; }; } // namespace cricket diff --git a/pc/channel.cc b/pc/channel.cc index b63cea7cec..cd1534ffec 100644 --- a/pc/channel.cc +++ b/pc/channel.cc @@ -101,7 +101,7 @@ BaseChannel::BaseChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options) + webrtc::CryptoOptions crypto_options) : worker_thread_(worker_thread), network_thread_(network_thread), signaling_thread_(signaling_thread), @@ -673,7 +673,7 @@ bool BaseChannel::UpdateRemoteStreams_w( RtpHeaderExtensions BaseChannel::GetFilteredRtpHeaderExtensions( const RtpHeaderExtensions& extensions) { RTC_DCHECK(rtp_transport_); - if (crypto_options_.enable_encrypted_rtp_header_extensions) { + if (crypto_options_.srtp.enable_encrypted_rtp_header_extensions) { RtpHeaderExtensions filtered; auto pred = [](const webrtc::RtpExtension& extension) { return !extension.encrypt; @@ -742,7 +742,7 @@ VoiceChannel::VoiceChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options) + webrtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, @@ -881,7 +881,7 @@ VideoChannel::VideoChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options) + webrtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, @@ -1019,7 +1019,7 @@ RtpDataChannel::RtpDataChannel(rtc::Thread* worker_thread, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options) + webrtc::CryptoOptions crypto_options) : BaseChannel(worker_thread, network_thread, signaling_thread, diff --git a/pc/channel.h b/pc/channel.h index ba584690ba..535f64ee68 100644 --- a/pc/channel.h +++ b/pc/channel.h @@ -82,7 +82,7 @@ class BaseChannel : public rtc::MessageHandler, std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options); + webrtc::CryptoOptions crypto_options); virtual ~BaseChannel(); void Init_w(webrtc::RtpTransportInternal* rtp_transport); @@ -313,7 +313,7 @@ class BaseChannel : public rtc::MessageHandler, bool was_ever_writable_ = false; bool has_received_packet_ = false; const bool srtp_required_ = true; - rtc::CryptoOptions crypto_options_; + webrtc::CryptoOptions crypto_options_; // MediaChannel related members that should be accessed from the worker // thread. @@ -343,7 +343,7 @@ class VoiceChannel : public BaseChannel { std::unique_ptr channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options); + webrtc::CryptoOptions crypto_options); ~VoiceChannel(); // downcasts a MediaChannel @@ -383,7 +383,7 @@ class VideoChannel : public BaseChannel { std::unique_ptr media_channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options); + webrtc::CryptoOptions crypto_options); ~VideoChannel(); // downcasts a MediaChannel @@ -422,7 +422,7 @@ class RtpDataChannel : public BaseChannel { std::unique_ptr channel, const std::string& content_name, bool srtp_required, - rtc::CryptoOptions crypto_options); + webrtc::CryptoOptions crypto_options); ~RtpDataChannel(); // TODO(zhihuang): Remove this once the RtpTransport can be shared between // BaseChannels. diff --git a/pc/channel_unittest.cc b/pc/channel_unittest.cc index 58cb17b8bb..94f38c9a39 100644 --- a/pc/channel_unittest.cc +++ b/pc/channel_unittest.cc @@ -250,7 +250,7 @@ class ChannelTest : public testing::Test, public sigslot::has_slots<> { rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, engine, std::move(ch), - cricket::CN_AUDIO, (flags & DTLS) != 0, rtc::CryptoOptions()); + cricket::CN_AUDIO, (flags & DTLS) != 0, webrtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } @@ -1545,7 +1545,7 @@ std::unique_ptr ChannelTest::CreateChannel( rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, std::move(ch), - cricket::CN_VIDEO, (flags & DTLS) != 0, rtc::CryptoOptions()); + cricket::CN_VIDEO, (flags & DTLS) != 0, webrtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } @@ -2164,7 +2164,7 @@ std::unique_ptr ChannelTest::CreateChannel( rtc::Thread* signaling_thread = rtc::Thread::Current(); auto channel = absl::make_unique( worker_thread, network_thread, signaling_thread, std::move(ch), - cricket::CN_DATA, (flags & DTLS) != 0, rtc::CryptoOptions()); + cricket::CN_DATA, (flags & DTLS) != 0, webrtc::CryptoOptions()); channel->Init_w(rtp_transport); return channel; } diff --git a/pc/channelmanager.cc b/pc/channelmanager.cc index dab622ad70..1c80719949 100644 --- a/pc/channelmanager.cc +++ b/pc/channelmanager.cc @@ -159,7 +159,7 @@ VoiceChannel* ChannelManager::CreateVoiceChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, const AudioOptions& options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { @@ -226,7 +226,7 @@ VideoChannel* ChannelManager::CreateVideoChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, const VideoOptions& options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { @@ -291,7 +291,7 @@ RtpDataChannel* ChannelManager::CreateRtpDataChannel( rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options) { + const webrtc::CryptoOptions& crypto_options) { if (!worker_thread_->IsCurrent()) { return worker_thread_->Invoke(RTC_FROM_HERE, [&] { return CreateRtpDataChannel(media_config, rtp_transport, signaling_thread, diff --git a/pc/channelmanager.h b/pc/channelmanager.h index c6b601ea8f..6430f8ee84 100644 --- a/pc/channelmanager.h +++ b/pc/channelmanager.h @@ -86,7 +86,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, const AudioOptions& options); // Destroys a voice channel created by CreateVoiceChannel. void DestroyVoiceChannel(VoiceChannel* voice_channel); @@ -100,7 +100,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, const VideoOptions& options); // Destroys a video channel created by CreateVideoChannel. void DestroyVideoChannel(VideoChannel* video_channel); @@ -111,7 +111,7 @@ class ChannelManager final { rtc::Thread* signaling_thread, const std::string& content_name, bool srtp_required, - const rtc::CryptoOptions& crypto_options); + const webrtc::CryptoOptions& crypto_options); // Destroys a data channel created by CreateRtpDataChannel. void DestroyRtpDataChannel(RtpDataChannel* data_channel); diff --git a/pc/channelmanager_unittest.cc b/pc/channelmanager_unittest.cc index 47c95306ee..053166ba13 100644 --- a/pc/channelmanager_unittest.cc +++ b/pc/channelmanager_unittest.cc @@ -65,16 +65,16 @@ class ChannelManagerTest : public testing::Test { cricket::VoiceChannel* voice_channel = cm_->CreateVoiceChannel( &fake_call_, cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), cricket::CN_AUDIO, kDefaultSrtpRequired, - rtc::CryptoOptions(), AudioOptions()); + webrtc::CryptoOptions(), AudioOptions()); EXPECT_TRUE(voice_channel != nullptr); cricket::VideoChannel* video_channel = cm_->CreateVideoChannel( &fake_call_, cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), cricket::CN_VIDEO, kDefaultSrtpRequired, - rtc::CryptoOptions(), VideoOptions()); + webrtc::CryptoOptions(), VideoOptions()); EXPECT_TRUE(video_channel != nullptr); cricket::RtpDataChannel* rtp_data_channel = cm_->CreateRtpDataChannel( cricket::MediaConfig(), rtp_transport, rtc::Thread::Current(), - cricket::CN_DATA, kDefaultSrtpRequired, rtc::CryptoOptions()); + cricket::CN_DATA, kDefaultSrtpRequired, webrtc::CryptoOptions()); EXPECT_TRUE(rtp_data_channel != nullptr); cm_->DestroyVideoChannel(video_channel); cm_->DestroyVoiceChannel(voice_channel); diff --git a/pc/jseptransportcontroller.cc b/pc/jseptransportcontroller.cc index 1847d95c94..19a2d40275 100644 --- a/pc/jseptransportcontroller.cc +++ b/pc/jseptransportcontroller.cc @@ -814,7 +814,7 @@ std::vector JsepTransportController::GetEncryptedHeaderExtensionIds( static_cast( content_info.description); - if (!config_.crypto_options.enable_encrypted_rtp_header_extensions) { + if (!config_.crypto_options.srtp.enable_encrypted_rtp_header_extensions) { return std::vector(); } diff --git a/pc/jseptransportcontroller.h b/pc/jseptransportcontroller.h index bca4481624..518d31060f 100644 --- a/pc/jseptransportcontroller.h +++ b/pc/jseptransportcontroller.h @@ -18,6 +18,7 @@ #include #include "api/candidate.h" +#include "api/crypto/cryptooptions.h" #include "api/media_transport_interface.h" #include "api/peerconnectioninterface.h" #include "logging/rtc_event_log/rtc_event_log.h" @@ -33,7 +34,6 @@ #include "rtc_base/asyncinvoker.h" #include "rtc_base/constructormagic.h" #include "rtc_base/refcountedobject.h" -#include "rtc_base/sslstreamadapter.h" #include "rtc_base/third_party/sigslot/sigslot.h" namespace rtc { @@ -68,7 +68,7 @@ class JsepTransportController : public sigslot::has_slots<> { rtc::SSLProtocolVersion ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12; // |crypto_options| is used to determine if created DTLS transports // negotiate GCM crypto suites or not. - rtc::CryptoOptions crypto_options; + webrtc::CryptoOptions crypto_options; PeerConnectionInterface::BundlePolicy bundle_policy = PeerConnectionInterface::kBundlePolicyBalanced; PeerConnectionInterface::RtcpMuxPolicy rtcp_mux_policy = diff --git a/pc/jseptransportcontroller_unittest.cc b/pc/jseptransportcontroller_unittest.cc index ce431c38ae..26813e1c4f 100644 --- a/pc/jseptransportcontroller_unittest.cc +++ b/pc/jseptransportcontroller_unittest.cc @@ -52,7 +52,7 @@ class FakeTransportFactory : public cricket::TransportFactoryInterface { std::unique_ptr CreateDtlsTransport( std::unique_ptr ice, - const rtc::CryptoOptions& crypto_options) override { + const webrtc::CryptoOptions& crypto_options) override { std::unique_ptr fake_ice( static_cast(ice.release())); return absl::make_unique(std::move(fake_ice)); diff --git a/pc/mediasession.cc b/pc/mediasession.cc index d186513e9b..889576c306 100644 --- a/pc/mediasession.cc +++ b/pc/mediasession.cc @@ -39,10 +39,10 @@ using webrtc::RtpTransceiverDirection; const char kInline[] = "inline:"; -void GetSupportedSdesCryptoSuiteNames(void (*func)(const rtc::CryptoOptions&, - std::vector*), - const rtc::CryptoOptions& crypto_options, - std::vector* names) { +void GetSupportedSdesCryptoSuiteNames( + void (*func)(const webrtc::CryptoOptions&, std::vector*), + const webrtc::CryptoOptions& crypto_options, + std::vector* names) { std::vector crypto_suites; func(crypto_options, &crypto_suites); for (const auto crypto : crypto_suites) { @@ -195,28 +195,30 @@ bool FindMatchingCrypto(const CryptoParamsVec& cryptos, // For audio, HMAC 32 (if enabled) is prefered over HMAC 80 because of the // low overhead. -void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.enable_gcm_crypto_suites) { +void GetSupportedAudioSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.srtp.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } - if (crypto_options.enable_aes128_sha1_32_crypto_cipher) { + if (crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher) { crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32); } crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_80); } void GetSupportedAudioSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedAudioSdesCryptoSuites, crypto_options, crypto_suite_names); } -void GetSupportedVideoSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.enable_gcm_crypto_suites) { +void GetSupportedVideoSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.srtp.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } @@ -224,15 +226,16 @@ void GetSupportedVideoSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, } void GetSupportedVideoSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedVideoSdesCryptoSuites, crypto_options, crypto_suite_names); } -void GetSupportedDataSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites) { - if (crypto_options.enable_gcm_crypto_suites) { +void GetSupportedDataSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites) { + if (crypto_options.srtp.enable_gcm_crypto_suites) { crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM); crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM); } @@ -240,7 +243,7 @@ void GetSupportedDataSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, } void GetSupportedDataSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names) { GetSupportedSdesCryptoSuiteNames(GetSupportedDataSdesCryptoSuites, crypto_options, crypto_suite_names); @@ -252,17 +255,17 @@ void GetSupportedDataSdesCryptoSuiteNames( // Pick the crypto in the list that is supported. static bool SelectCrypto(const MediaContentDescription* offer, bool bundle, - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, CryptoParams* crypto_out) { bool audio = offer->type() == MEDIA_TYPE_AUDIO; const CryptoParamsVec& cryptos = offer->cryptos(); for (const CryptoParams& crypto : cryptos) { - if ((crypto_options.enable_gcm_crypto_suites && + if ((crypto_options.srtp.enable_gcm_crypto_suites && rtc::IsGcmCryptoSuiteName(crypto.cipher_suite)) || rtc::CS_AES_CM_128_HMAC_SHA1_80 == crypto.cipher_suite || (rtc::CS_AES_CM_128_HMAC_SHA1_32 == crypto.cipher_suite && audio && - !bundle && crypto_options.enable_aes128_sha1_32_crypto_cipher)) { + !bundle && crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher)) { return CreateCryptoParams(crypto.tag, crypto.cipher_suite, crypto_out); } } diff --git a/pc/mediasession.h b/pc/mediasession.h index 81b88e1fe5..b1df1dbd26 100644 --- a/pc/mediasession.h +++ b/pc/mediasession.h @@ -95,7 +95,7 @@ struct MediaSessionOptions { bool bundle_enabled = false; bool is_unified_plan = false; std::string rtcp_cname = kDefaultRtcpCname; - rtc::CryptoOptions crypto_options; + webrtc::CryptoOptions crypto_options; // List of media description options in the same order that the media // descriptions will be generated. std::vector media_description_options; @@ -337,20 +337,23 @@ DataContentDescription* GetFirstDataContentDescription( SessionDescription* sdesc); // Helper functions to return crypto suites used for SDES. -void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); -void GetSupportedVideoSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); -void GetSupportedDataSdesCryptoSuites(const rtc::CryptoOptions& crypto_options, - std::vector* crypto_suites); +void GetSupportedAudioSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); +void GetSupportedVideoSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); +void GetSupportedDataSdesCryptoSuites( + const webrtc::CryptoOptions& crypto_options, + std::vector* crypto_suites); void GetSupportedAudioSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); void GetSupportedVideoSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); void GetSupportedDataSdesCryptoSuiteNames( - const rtc::CryptoOptions& crypto_options, + const webrtc::CryptoOptions& crypto_options, std::vector* crypto_suite_names); // Returns true if the given media section protocol indicates use of RTP. diff --git a/pc/mediasession_unittest.cc b/pc/mediasession_unittest.cc index 7162a3713c..3bc2766625 100644 --- a/pc/mediasession_unittest.cc +++ b/pc/mediasession_unittest.cc @@ -609,11 +609,11 @@ class MediaSessionDescriptionFactoryTest : public testing::Test { void TestVideoGcmCipher(bool gcm_offer, bool gcm_answer) { MediaSessionOptions offer_opts; AddAudioVideoSections(RtpTransceiverDirection::kRecvOnly, &offer_opts); - offer_opts.crypto_options.enable_gcm_crypto_suites = gcm_offer; + offer_opts.crypto_options.srtp.enable_gcm_crypto_suites = gcm_offer; MediaSessionOptions answer_opts; AddAudioVideoSections(RtpTransceiverDirection::kRecvOnly, &answer_opts); - answer_opts.crypto_options.enable_gcm_crypto_suites = gcm_answer; + answer_opts.crypto_options.srtp.enable_gcm_crypto_suites = gcm_answer; f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); @@ -953,7 +953,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateAudioAnswerGcm) { f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); MediaSessionOptions opts = CreatePlanBMediaSessionOptions(); - opts.crypto_options.enable_gcm_crypto_suites = true; + opts.crypto_options.srtp.enable_gcm_crypto_suites = true; std::unique_ptr offer(f1_.CreateOffer(opts, NULL)); ASSERT_TRUE(offer.get() != NULL); std::unique_ptr answer( @@ -1057,7 +1057,7 @@ TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswer) { TEST_F(MediaSessionDescriptionFactoryTest, TestCreateDataAnswerGcm) { MediaSessionOptions opts = CreatePlanBMediaSessionOptions(); AddDataSection(cricket::DCT_RTP, RtpTransceiverDirection::kRecvOnly, &opts); - opts.crypto_options.enable_gcm_crypto_suites = true; + opts.crypto_options.srtp.enable_gcm_crypto_suites = true; f1_.set_secure(SEC_ENABLED); f2_.set_secure(SEC_ENABLED); std::unique_ptr offer(f1_.CreateOffer(opts, NULL)); diff --git a/pc/peerconnection.cc b/pc/peerconnection.cc index 5cca4a881d..0861246151 100644 --- a/pc/peerconnection.cc +++ b/pc/peerconnection.cc @@ -1027,7 +1027,7 @@ bool PeerConnection::Initialize( } webrtc_session_desc_factory_->set_enable_encrypted_rtp_header_extensions( - options.crypto_options.enable_encrypted_rtp_header_extensions); + options.crypto_options.srtp.enable_encrypted_rtp_header_extensions); // Add default audio/video transceivers for Plan B SDP. if (!IsUnifiedPlan()) { diff --git a/pc/peerconnection_crypto_unittest.cc b/pc/peerconnection_crypto_unittest.cc index 1ccfe5560f..71e87636e2 100644 --- a/pc/peerconnection_crypto_unittest.cc +++ b/pc/peerconnection_crypto_unittest.cc @@ -284,7 +284,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWhenEncryptionDisabled) { // in the answer. TEST_P(PeerConnectionCryptoTest, CorrectCryptoInOfferWithSdesAndGcm) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.enable_gcm_crypto_suites = true; + options.crypto_options.srtp.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; @@ -299,7 +299,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInOfferWithSdesAndGcm) { } TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWithSdesAndGcm) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.enable_gcm_crypto_suites = true; + options.crypto_options.srtp.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; @@ -317,7 +317,7 @@ TEST_P(PeerConnectionCryptoTest, CorrectCryptoInAnswerWithSdesAndGcm) { TEST_P(PeerConnectionCryptoTest, CanSetSdesGcmRemoteOfferAndLocalAnswer) { PeerConnectionFactoryInterface::Options options; - options.crypto_options.enable_gcm_crypto_suites = true; + options.crypto_options.srtp.enable_gcm_crypto_suites = true; pc_factory_->SetOptions(options); RTCConfiguration config; diff --git a/pc/peerconnection_integrationtest.cc b/pc/peerconnection_integrationtest.cc index 5825898b1f..36a832c0fb 100644 --- a/pc/peerconnection_integrationtest.cc +++ b/pc/peerconnection_integrationtest.cc @@ -1558,9 +1558,11 @@ class PeerConnectionIntegrationBaseTest : public testing::Test { bool remote_gcm_enabled, int expected_cipher_suite) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled; + caller_options.crypto_options.srtp.enable_gcm_crypto_suites = + local_gcm_enabled; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled; + callee_options.crypto_options.srtp.enable_gcm_crypto_suites = + remote_gcm_enabled; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); } @@ -2843,9 +2845,10 @@ TEST_P(PeerConnectionIntegrationTest, CallerDtls10ToCalleeDtls12) { TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherNotUsedWhenOnlyCallerSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; + caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = false; + callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = + false; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_80; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2854,9 +2857,10 @@ TEST_P(PeerConnectionIntegrationTest, TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherNotUsedWhenOnlyCalleeSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = false; + caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = + false; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; + callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_80; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2864,9 +2868,9 @@ TEST_P(PeerConnectionIntegrationTest, TEST_P(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherUsedWhenSupported) { PeerConnectionFactory::Options caller_options; - caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; + caller_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; PeerConnectionFactory::Options callee_options; - callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true; + callee_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = true; int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_32; TestNegotiatedCipherSuite(caller_options, callee_options, expected_cipher_suite); @@ -2916,7 +2920,7 @@ TEST_P(PeerConnectionIntegrationTest, // works with it. TEST_P(PeerConnectionIntegrationTest, EndToEndCallWithGcmCipher) { PeerConnectionFactory::Options gcm_options; - gcm_options.crypto_options.enable_gcm_crypto_suites = true; + gcm_options.crypto_options.srtp.enable_gcm_crypto_suites = true; ASSERT_TRUE( CreatePeerConnectionWrappersWithOptions(gcm_options, gcm_options)); ConnectFakeSignaling(); diff --git a/pc/peerconnectionfactory.cc b/pc/peerconnectionfactory.cc index edc13034a3..fd4ec0bbef 100644 --- a/pc/peerconnectionfactory.cc +++ b/pc/peerconnectionfactory.cc @@ -234,6 +234,21 @@ bool PeerConnectionFactory::Initialize() { void PeerConnectionFactory::SetOptions(const Options& options) { options_ = options; + // TODO(webrtc:9859) - Remove Chromium Compatibility once fix lands in + // Chromium + if (options.crypto_options.enable_gcm_crypto_suites.has_value()) { + options_.crypto_options.srtp.enable_gcm_crypto_suites = + *options.crypto_options.enable_gcm_crypto_suites; + } + if (options.crypto_options.enable_encrypted_rtp_header_extensions + .has_value()) { + options_.crypto_options.srtp.enable_encrypted_rtp_header_extensions = + *options.crypto_options.enable_encrypted_rtp_header_extensions; + } + if (options.crypto_options.enable_aes128_sha1_32_crypto_cipher.has_value()) { + options_.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = + *options.crypto_options.enable_aes128_sha1_32_crypto_cipher; + } } RtpCapabilities PeerConnectionFactory::GetRtpSenderCapabilities( diff --git a/pc/rtpsenderreceiver_unittest.cc b/pc/rtpsenderreceiver_unittest.cc index 07ff6a3865..fad839cc4c 100644 --- a/pc/rtpsenderreceiver_unittest.cc +++ b/pc/rtpsenderreceiver_unittest.cc @@ -81,11 +81,11 @@ class RtpSenderReceiverTest : public testing::Test, voice_channel_ = channel_manager_.CreateVoiceChannel( &fake_call_, cricket::MediaConfig(), rtp_transport_.get(), rtc::Thread::Current(), cricket::CN_AUDIO, srtp_required, - rtc::CryptoOptions(), cricket::AudioOptions()); + webrtc::CryptoOptions(), cricket::AudioOptions()); video_channel_ = channel_manager_.CreateVideoChannel( &fake_call_, cricket::MediaConfig(), rtp_transport_.get(), rtc::Thread::Current(), cricket::CN_VIDEO, srtp_required, - rtc::CryptoOptions(), cricket::VideoOptions()); + webrtc::CryptoOptions(), cricket::VideoOptions()); voice_channel_->Enable(true); video_channel_->Enable(true); voice_media_channel_ = media_engine_->GetVoiceChannel(0); diff --git a/pc/test/fakepeerconnectionforstats.h b/pc/test/fakepeerconnectionforstats.h index 642fa011eb..ae329e4450 100644 --- a/pc/test/fakepeerconnectionforstats.h +++ b/pc/test/fakepeerconnectionforstats.h @@ -126,7 +126,7 @@ class FakePeerConnectionForStats : public FakePeerConnectionBase { voice_channel_ = absl::make_unique( worker_thread_, network_thread_, signaling_thread_, nullptr, std::move(voice_media_channel), mid, kDefaultSrtpRequired, - rtc::CryptoOptions()); + webrtc::CryptoOptions()); voice_channel_->set_transport_name_for_testing(transport_name); GetOrCreateFirstTransceiverOfType(cricket::MEDIA_TYPE_AUDIO) ->internal() @@ -144,7 +144,7 @@ class FakePeerConnectionForStats : public FakePeerConnectionBase { video_channel_ = absl::make_unique( worker_thread_, network_thread_, signaling_thread_, std::move(video_media_channel), mid, kDefaultSrtpRequired, - rtc::CryptoOptions()); + webrtc::CryptoOptions()); video_channel_->set_transport_name_for_testing(transport_name); GetOrCreateFirstTransceiverOfType(cricket::MEDIA_TYPE_VIDEO) ->internal() diff --git a/rtc_base/sslstreamadapter.cc b/rtc_base/sslstreamadapter.cc index 746ebd5006..fe42bf4ad6 100644 --- a/rtc_base/sslstreamadapter.cc +++ b/rtc_base/sslstreamadapter.cc @@ -89,32 +89,6 @@ bool IsGcmCryptoSuiteName(const std::string& crypto_suite) { crypto_suite == CS_AEAD_AES_128_GCM); } -// static -CryptoOptions CryptoOptions::NoGcm() { - CryptoOptions options; - options.enable_gcm_crypto_suites = false; - return options; -} - -std::vector GetSupportedDtlsSrtpCryptoSuites( - const rtc::CryptoOptions& crypto_options) { - std::vector crypto_suites; - if (crypto_options.enable_gcm_crypto_suites) { - crypto_suites.push_back(rtc::SRTP_AEAD_AES_256_GCM); - crypto_suites.push_back(rtc::SRTP_AEAD_AES_128_GCM); - } - // Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by - // draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as - // well, and saves a few bytes per packet if it ends up selected. - // As the cipher suite is potentially insecure, it will only be used if - // enabled by both peers. - if (crypto_options.enable_aes128_sha1_32_crypto_cipher) { - crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32); - } - crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80); - return crypto_suites; -} - SSLStreamAdapter* SSLStreamAdapter::Create(StreamInterface* stream) { return new OpenSSLStreamAdapter(stream); } diff --git a/rtc_base/sslstreamadapter.h b/rtc_base/sslstreamadapter.h index 2d4e19f9b5..dad8a4ece0 100644 --- a/rtc_base/sslstreamadapter.h +++ b/rtc_base/sslstreamadapter.h @@ -70,34 +70,6 @@ bool IsGcmCryptoSuite(int crypto_suite); // Returns true if the given crypto suite name uses a GCM cipher. bool IsGcmCryptoSuiteName(const std::string& crypto_suite); -struct CryptoOptions { - CryptoOptions() {} - - // Helper method to return an instance of the CryptoOptions with GCM crypto - // suites disabled. This method should be used instead of depending on current - // default values set by the constructor. - static CryptoOptions NoGcm(); - - // Enable GCM crypto suites from RFC 7714 for SRTP. GCM will only be used - // if both sides enable it. - bool enable_gcm_crypto_suites = false; - - // If set to true, the (potentially insecure) crypto cipher - // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers - // during negotiation. It will only be used if both peers support it and no - // other ciphers get preferred. - bool enable_aes128_sha1_32_crypto_cipher = false; - - // If set to true, encrypted RTP header extensions as defined in RFC 6904 - // will be negotiated. They will only be used if both peers support them. - bool enable_encrypted_rtp_header_extensions = false; -}; - -// Returns supported crypto suites, given |crypto_options|. -// CS_AES_CM_128_HMAC_SHA1_32 will be preferred by default. -std::vector GetSupportedDtlsSrtpCryptoSuites( - const rtc::CryptoOptions& crypto_options); - // SSLStreamAdapter : A StreamInterfaceAdapter that does SSL/TLS. // After SSL has been started, the stream will only open on successful // SSL verification of certificates, and the communication is diff --git a/sdk/android/src/jni/pc/peerconnectionfactory.cc b/sdk/android/src/jni/pc/peerconnectionfactory.cc index 01c1accaa3..049858a139 100644 --- a/sdk/android/src/jni/pc/peerconnectionfactory.cc +++ b/sdk/android/src/jni/pc/peerconnectionfactory.cc @@ -63,9 +63,9 @@ JavaToNativePeerConnectionFactoryOptions(JNIEnv* jni, native_options.disable_encryption = disable_encryption; native_options.disable_network_monitor = disable_network_monitor; - native_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = + native_options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = enable_aes128_sha1_32_crypto_cipher; - native_options.crypto_options.enable_gcm_crypto_suites = + native_options.crypto_options.srtp.enable_gcm_crypto_suites = enable_gcm_crypto_suites; return native_options; } diff --git a/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm b/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm index 103a130390..1690385937 100644 --- a/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm +++ b/sdk/objc/api/peerconnection/RTCPeerConnectionFactoryOptions.mm @@ -52,8 +52,9 @@ void setNetworkBit(webrtc::PeerConnectionFactoryInterface::Options* options, setNetworkBit(&options, rtc::ADAPTER_TYPE_WIFI, self.ignoreWiFiNetworkAdapter); setNetworkBit(&options, rtc::ADAPTER_TYPE_ETHERNET, self.ignoreEthernetNetworkAdapter); - options.crypto_options.enable_aes128_sha1_32_crypto_cipher = self.enableAes128Sha1_32CryptoCipher; - options.crypto_options.enable_gcm_crypto_suites = self.enableGcmCryptoSuites; + options.crypto_options.srtp.enable_aes128_sha1_32_crypto_cipher = + self.enableAes128Sha1_32CryptoCipher; + options.crypto_options.srtp.enable_gcm_crypto_suites = self.enableGcmCryptoSuites; return options; }