Revert "Use SRTP_AES128_CM_SHA1_80 by default instead of SRTP_AES128_CM_SHA1_32."
This reverts commit 6780c51b23516803dc27173d10ba98d018780447.
Reason for revert:
More details in crbug.com/810292
Original change's description:
> Use SRTP_AES128_CM_SHA1_80 by default instead of SRTP_AES128_CM_SHA1_32.
>
> A field has been added to "CryptoOptions" to enable SRTP_AES128_CM_SHA1_32
> from native apps if really necessary.
>
> R=​deadbeef@webrtc.org
>
> Bug: webrtc:7670
> Change-Id: I36b6ab3e302fbf3cda2611ff196757e43a56e704
> Reviewed-on: https://webrtc-review.googlesource.com/41420
> Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
> Reviewed-by: Magnus Jedvert <magjed@webrtc.org>
> Commit-Queue: Joachim Bauch <jbauch@webrtc.org>
> Cr-Commit-Position: refs/heads/master@{#21952}
TBR=deadbeef@webrtc.org,magjed@webrtc.org,jbauch@webrtc.org
Change-Id: I643dbe023eca526f2cda4d97df045f2533741dd4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: webrtc:7670
Reviewed-on: https://webrtc-review.googlesource.com/49880
Reviewed-by: Tommi <tommi@webrtc.org>
Commit-Queue: Tommi <tommi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21961}
diff --git a/p2p/base/dtlstransport_unittest.cc b/p2p/base/dtlstransport_unittest.cc
index a96d883..430b41d 100644
--- a/p2p/base/dtlstransport_unittest.cc
+++ b/p2p/base/dtlstransport_unittest.cc
@@ -334,9 +334,9 @@
if (use_dtls_) {
// Check that we negotiated the right ciphers. Since GCM ciphers are not
- // negotiated by default, we should end up with SRTP_AES128_CM_SHA1_80.
- client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80);
- client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80);
+ // negotiated by default, we should end up with SRTP_AES128_CM_SHA1_32.
+ client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_32);
+ client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_32);
} else {
// If DTLS isn't actually being used, GetSrtpCryptoSuite should return
// false.
diff --git a/pc/mediasession.cc b/pc/mediasession.cc
index e67a7d2..a2f47dc 100644
--- a/pc/mediasession.cc
+++ b/pc/mediasession.cc
@@ -194,17 +194,14 @@
return false;
}
-// For audio, HMAC 32 (if enabled) is prefered over HMAC 80 because of the
-// low overhead.
+// For audio, HMAC 32 is prefered over HMAC 80 because of the low overhead.
void GetSupportedAudioSdesCryptoSuites(const rtc::CryptoOptions& crypto_options,
std::vector<int>* crypto_suites) {
if (crypto_options.enable_gcm_crypto_suites) {
crypto_suites->push_back(rtc::SRTP_AEAD_AES_256_GCM);
crypto_suites->push_back(rtc::SRTP_AEAD_AES_128_GCM);
}
- if (crypto_options.enable_aes128_sha1_32_crypto_cipher) {
- crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32);
- }
+ crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_32);
crypto_suites->push_back(rtc::SRTP_AES128_CM_SHA1_80);
}
@@ -248,8 +245,8 @@
}
// Support any GCM cipher (if enabled through options). For video support only
-// 80-bit SHA1 HMAC. For audio 32-bit HMAC is tolerated (if enabled) unless
-// bundle is enabled because it is low overhead.
+// 80-bit SHA1 HMAC. For audio 32-bit HMAC is tolerated unless bundle is enabled
+// because it is low overhead.
// Pick the crypto in the list that is supported.
static bool SelectCrypto(const MediaContentDescription* offer,
bool bundle,
@@ -264,7 +261,7 @@
rtc::IsGcmCryptoSuiteName(i->cipher_suite)) ||
rtc::CS_AES_CM_128_HMAC_SHA1_80 == i->cipher_suite ||
(rtc::CS_AES_CM_128_HMAC_SHA1_32 == i->cipher_suite && audio &&
- !bundle && crypto_options.enable_aes128_sha1_32_crypto_cipher)) {
+ !bundle)) {
return CreateCryptoParams(i->tag, i->cipher_suite, crypto);
}
}
diff --git a/pc/mediasession_unittest.cc b/pc/mediasession_unittest.cc
index f37d8d4..971e568 100644
--- a/pc/mediasession_unittest.cc
+++ b/pc/mediasession_unittest.cc
@@ -213,11 +213,6 @@
"TCP/TLS/RTP/SAVPF", "TCP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF",
"UDP/TLS/RTP/SAVP"};
-// SRTP cipher name negotiated by the tests. This must be updated if the
-// default changes.
-static const char* kDefaultSrtpCryptoSuite = CS_AES_CM_128_HMAC_SHA1_80;
-static const char* kDefaultSrtpCryptoSuiteGcm = CS_AEAD_AES_256_GCM;
-
// These constants are used to make the code using "AddMediaSection" more
// readable.
static constexpr bool kStopped = true;
@@ -550,7 +545,7 @@
EXPECT_TRUE(CompareCryptoParams(audio_media_desc->cryptos(),
video_media_desc->cryptos()));
EXPECT_EQ(1u, audio_media_desc->cryptos().size());
- EXPECT_EQ(std::string(kDefaultSrtpCryptoSuite),
+ EXPECT_EQ(std::string(CS_AES_CM_128_HMAC_SHA1_80),
audio_media_desc->cryptos()[0].cipher_suite);
// Verify the selected crypto is one from the reference audio
@@ -641,18 +636,18 @@
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
if (gcm_offer && gcm_answer) {
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm);
+ ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM);
} else {
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
}
EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type());
EXPECT_EQ(MAKE_VECTOR(kVideoCodecsAnswer), vcd->codecs());
EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached
EXPECT_TRUE(vcd->rtcp_mux()); // negotiated rtcp-mux
if (gcm_offer && gcm_answer) {
- ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuiteGcm);
+ ASSERT_CRYPTO(vcd, 1U, CS_AEAD_AES_256_GCM);
} else {
- ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
}
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol());
}
@@ -681,7 +676,7 @@
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached.
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
}
@@ -705,14 +700,14 @@
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type());
EXPECT_EQ(f1_.video_codecs(), vcd->codecs());
EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached
EXPECT_EQ(kAutoBandwidth, vcd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(vcd->rtcp_mux()); // rtcp-mux defaults on
- ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol());
}
@@ -783,11 +778,11 @@
EXPECT_TRUE(NULL != acd);
EXPECT_TRUE(NULL != dcd);
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
- ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol());
- ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol());
}
@@ -812,7 +807,7 @@
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attched.
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type());
EXPECT_EQ(f1_.data_codecs(), dcd->codecs());
@@ -820,7 +815,7 @@
EXPECT_EQ(cricket::kDataMaxBandwidth,
dcd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(dcd->rtcp_mux()); // rtcp-mux defaults on
- ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol());
}
@@ -948,7 +943,7 @@
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
}
@@ -974,7 +969,7 @@
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm);
+ ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), acd->protocol());
}
@@ -1001,12 +996,12 @@
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type());
EXPECT_EQ(MAKE_VECTOR(kVideoCodecsAnswer), vcd->codecs());
EXPECT_EQ(0U, vcd->first_ssrc()); // no sender is attached
EXPECT_TRUE(vcd->rtcp_mux()); // negotiated rtcp-mux
- ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), vcd->protocol());
}
@@ -1050,12 +1045,12 @@
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type());
EXPECT_EQ(MAKE_VECTOR(kDataCodecsAnswer), dcd->codecs());
EXPECT_EQ(0U, dcd->first_ssrc()); // no sender is attached
EXPECT_TRUE(dcd->rtcp_mux()); // negotiated rtcp-mux
- ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol());
}
@@ -1082,12 +1077,12 @@
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // negotiated auto bw
EXPECT_EQ(0U, acd->first_ssrc()); // no sender is attached
EXPECT_TRUE(acd->rtcp_mux()); // negotiated rtcp-mux
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuiteGcm);
+ ASSERT_CRYPTO(acd, 1U, CS_AEAD_AES_256_GCM);
EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type());
EXPECT_EQ(MAKE_VECTOR(kDataCodecsAnswer), dcd->codecs());
EXPECT_EQ(0U, dcd->first_ssrc()); // no sender is attached
EXPECT_TRUE(dcd->rtcp_mux()); // negotiated rtcp-mux
- ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuiteGcm);
+ ASSERT_CRYPTO(dcd, 1U, CS_AEAD_AES_256_GCM);
EXPECT_EQ(std::string(cricket::kMediaProtocolSavpf), dcd->protocol());
}
@@ -1648,11 +1643,11 @@
EXPECT_EQ(kAutoBandwidth, acd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(acd->rtcp_mux()); // rtcp-mux defaults on
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_EQ(MEDIA_TYPE_VIDEO, vcd->type());
EXPECT_EQ(f1_.video_codecs(), vcd->codecs());
- ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
const StreamParamsVec& video_streams = vcd->streams();
ASSERT_EQ(1U, video_streams.size());
@@ -1663,7 +1658,7 @@
EXPECT_EQ(MEDIA_TYPE_DATA, dcd->type());
EXPECT_EQ(f1_.data_codecs(), dcd->codecs());
- ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
const StreamParamsVec& data_streams = dcd->streams();
ASSERT_EQ(2U, data_streams.size());
@@ -1678,7 +1673,7 @@
EXPECT_EQ(cricket::kDataMaxBandwidth,
dcd->bandwidth()); // default bandwidth (auto)
EXPECT_TRUE(dcd->rtcp_mux()); // rtcp-mux defaults on
- ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
// Update the offer. Add a new video track that is not synched to the
// other tracks and replace audio track 2 with audio track 3.
@@ -1713,11 +1708,11 @@
EXPECT_EQ(vcd->codecs(), updated_vcd->codecs());
EXPECT_EQ(dcd->type(), updated_dcd->type());
EXPECT_EQ(dcd->codecs(), updated_dcd->codecs());
- ASSERT_CRYPTO(updated_acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(updated_acd, 2U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_TRUE(CompareCryptoParams(acd->cryptos(), updated_acd->cryptos()));
- ASSERT_CRYPTO(updated_vcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(updated_vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_TRUE(CompareCryptoParams(vcd->cryptos(), updated_vcd->cryptos()));
- ASSERT_CRYPTO(updated_dcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(updated_dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_TRUE(CompareCryptoParams(dcd->cryptos(), updated_dcd->cryptos()));
const StreamParamsVec& updated_audio_streams = updated_acd->streams();
@@ -1826,9 +1821,9 @@
const AudioContentDescription* acd = ac->media_description()->as_audio();
const VideoContentDescription* vcd = vc->media_description()->as_video();
const DataContentDescription* dcd = dc->media_description()->as_data();
- ASSERT_CRYPTO(acd, 1U, kDefaultSrtpCryptoSuite);
- ASSERT_CRYPTO(vcd, 1U, kDefaultSrtpCryptoSuite);
- ASSERT_CRYPTO(dcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
+ ASSERT_CRYPTO(vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
+ ASSERT_CRYPTO(dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_EQ(MEDIA_TYPE_AUDIO, acd->type());
EXPECT_EQ(MAKE_VECTOR(kAudioCodecsAnswer), acd->codecs());
@@ -1896,11 +1891,11 @@
const DataContentDescription* updated_dcd =
dc->media_description()->as_data();
- ASSERT_CRYPTO(updated_acd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(updated_acd, 1U, CS_AES_CM_128_HMAC_SHA1_32);
EXPECT_TRUE(CompareCryptoParams(acd->cryptos(), updated_acd->cryptos()));
- ASSERT_CRYPTO(updated_vcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(updated_vcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_TRUE(CompareCryptoParams(vcd->cryptos(), updated_vcd->cryptos()));
- ASSERT_CRYPTO(updated_dcd, 1U, kDefaultSrtpCryptoSuite);
+ ASSERT_CRYPTO(updated_dcd, 1U, CS_AES_CM_128_HMAC_SHA1_80);
EXPECT_TRUE(CompareCryptoParams(dcd->cryptos(), updated_dcd->cryptos()));
EXPECT_EQ(acd->type(), updated_acd->type());
@@ -2824,7 +2819,7 @@
ASSERT_TRUE(audio_media_desc != NULL);
video_media_desc = offer->GetContentDescriptionByName("video");
ASSERT_TRUE(video_media_desc != NULL);
- EXPECT_EQ(1u, audio_media_desc->cryptos().size());
+ EXPECT_EQ(2u, audio_media_desc->cryptos().size());
EXPECT_EQ(1u, video_media_desc->cryptos().size());
audio_trans_desc = offer->GetTransportDescriptionByName("audio");
diff --git a/pc/peerconnection_integrationtest.cc b/pc/peerconnection_integrationtest.cc
index b090856..788b432 100644
--- a/pc/peerconnection_integrationtest.cc
+++ b/pc/peerconnection_integrationtest.cc
@@ -107,7 +107,7 @@
// SRTP cipher name negotiated by the tests. This must be updated if the
// default changes.
-static const int kDefaultSrtpCryptoSuite = rtc::SRTP_AES128_CM_SHA1_80;
+static const int kDefaultSrtpCryptoSuite = rtc::SRTP_AES128_CM_SHA1_32;
static const int kDefaultSrtpCryptoSuiteGcm = rtc::SRTP_AEAD_AES_256_GCM;
static const SocketAddress kDefaultLocalAddress("192.168.1.1", 0);
@@ -1152,10 +1152,13 @@
expected_callee_received_video_frames);
}
- void TestNegotiatedCipherSuite(
- const PeerConnectionFactory::Options& caller_options,
- const PeerConnectionFactory::Options& callee_options,
- int expected_cipher_suite) {
+ void TestGcmNegotiationUsesCipherSuite(bool local_gcm_enabled,
+ bool remote_gcm_enabled,
+ int expected_cipher_suite) {
+ PeerConnectionFactory::Options caller_options;
+ caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled;
+ PeerConnectionFactory::Options callee_options;
+ callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled;
ASSERT_TRUE(CreatePeerConnectionWrappersWithOptions(caller_options,
callee_options));
rtc::scoped_refptr<webrtc::FakeMetricsObserver> caller_observer =
@@ -1174,17 +1177,6 @@
caller()->pc()->RegisterUMAObserver(nullptr);
}
- void TestGcmNegotiationUsesCipherSuite(bool local_gcm_enabled,
- bool remote_gcm_enabled,
- int expected_cipher_suite) {
- PeerConnectionFactory::Options caller_options;
- caller_options.crypto_options.enable_gcm_crypto_suites = local_gcm_enabled;
- PeerConnectionFactory::Options callee_options;
- callee_options.crypto_options.enable_gcm_crypto_suites = remote_gcm_enabled;
- TestNegotiatedCipherSuite(caller_options, callee_options,
- expected_cipher_suite);
- }
-
private:
// |ss_| is used by |network_thread_| so it must be destroyed later.
std::unique_ptr<rtc::VirtualSocketServer> ss_;
@@ -2318,38 +2310,6 @@
kMaxWaitForFramesMs);
}
-TEST_F(PeerConnectionIntegrationTest,
- Aes128Sha1_32_CipherNotUsedWhenOnlyCallerSupported) {
- ASSERT_NE(rtc::SRTP_AES128_CM_SHA1_32, kDefaultSrtpCryptoSuite);
- PeerConnectionFactory::Options caller_options;
- caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true;
- PeerConnectionFactory::Options callee_options;
- int expected_cipher_suite = kDefaultSrtpCryptoSuite;
- TestNegotiatedCipherSuite(caller_options, callee_options,
- expected_cipher_suite);
-}
-
-TEST_F(PeerConnectionIntegrationTest,
- Aes128Sha1_32_CipherNotUsedWhenOnlyCalleeSupported) {
- ASSERT_NE(rtc::SRTP_AES128_CM_SHA1_32, kDefaultSrtpCryptoSuite);
- PeerConnectionFactory::Options caller_options;
- PeerConnectionFactory::Options callee_options;
- callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true;
- int expected_cipher_suite = kDefaultSrtpCryptoSuite;
- TestNegotiatedCipherSuite(caller_options, callee_options,
- expected_cipher_suite);
-}
-
-TEST_F(PeerConnectionIntegrationTest, Aes128Sha1_32_CipherUsedWhenSupported) {
- PeerConnectionFactory::Options caller_options;
- caller_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true;
- PeerConnectionFactory::Options callee_options;
- callee_options.crypto_options.enable_aes128_sha1_32_crypto_cipher = true;
- int expected_cipher_suite = rtc::SRTP_AES128_CM_SHA1_32;
- TestNegotiatedCipherSuite(caller_options, callee_options,
- expected_cipher_suite);
-}
-
// Test that a non-GCM cipher is used if both sides only support non-GCM.
TEST_F(PeerConnectionIntegrationTest, NonGcmCipherUsedWhenGcmNotSupported) {
bool local_gcm_enabled = false;
diff --git a/pc/peerconnectioninterface_unittest.cc b/pc/peerconnectioninterface_unittest.cc
index 0206003..e496e4e 100644
--- a/pc/peerconnectioninterface_unittest.cc
+++ b/pc/peerconnectioninterface_unittest.cc
@@ -320,7 +320,7 @@
"a=fingerprint:sha-1 "
"4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB\r\n"
"a=setup:actpass\r\n"
- "a=crypto:0 AES_CM_128_HMAC_SHA1_32 "
+ "a=crypto:1 AES_CM_128_HMAC_SHA1_32 "
"inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32 "
"dummy_session_params\r\n";
diff --git a/pc/test/testsdpstrings.h b/pc/test/testsdpstrings.h
index 614a580..fc884a1 100644
--- a/pc/test/testsdpstrings.h
+++ b/pc/test/testsdpstrings.h
@@ -92,7 +92,7 @@
"a=sendrecv\r\n"
"a=rtcp:16000 IN IP4 192.168.30.208\r\n"
"a=rtcp-mux\r\n"
- "a=crypto:0 AES_CM_128_HMAC_SHA1_80 "
+ "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
"inline:tvKIFjbMQ7W0/C2RzhwN0oQglj/7GJg+frdsNRxt\r\n"
"a=ice-ufrag:AI2sRT3r\r\n"
"a=ice-pwd:lByS9z2RSQlSE9XurlvjYmEm\r\n"
@@ -117,7 +117,7 @@
"a=sendonly\r\n"
"a=rtcp:16000 IN IP4 192.168.30.208\r\n"
"a=rtcp-mux\r\n"
- "a=crypto:0 AES_CM_128_HMAC_SHA1_80 "
+ "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
"inline:tvKIFjbMQ7W0/C2RzhwN0oQglj/7GJg+frdsNRxt\r\n"
"a=ice-ufrag:AI2sRT3r\r\n"
"a=ice-pwd:lByS9z2RSQlSE9XurlvjYmEm\r\n"
diff --git a/rtc_base/sslstreamadapter.cc b/rtc_base/sslstreamadapter.cc
index d52dc45..b09c144 100644
--- a/rtc_base/sslstreamadapter.cc
+++ b/rtc_base/sslstreamadapter.cc
@@ -105,11 +105,7 @@
// Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by
// draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as
// well, and saves a few bytes per packet if it ends up selected.
- // As the cipher suite is potentially insecure, it will only be used if
- // enabled by both peers.
- if (crypto_options.enable_aes128_sha1_32_crypto_cipher) {
- crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32);
- }
+ crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32);
crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80);
return crypto_suites;
}
diff --git a/rtc_base/sslstreamadapter.h b/rtc_base/sslstreamadapter.h
index eaf87d4..560dd59 100644
--- a/rtc_base/sslstreamadapter.h
+++ b/rtc_base/sslstreamadapter.h
@@ -80,12 +80,6 @@
// if both sides enable it.
bool enable_gcm_crypto_suites = false;
- // If set to true, the (potentially insecure) crypto cipher
- // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers
- // during negotiation. It will only be used if both peers support it and no
- // other ciphers get preferred.
- bool enable_aes128_sha1_32_crypto_cipher = false;
-
// If set to true, encrypted RTP header extensions as defined in RFC 6904
// will be negotiated. They will only be used if both peers support them.
bool enable_encrypted_rtp_header_extensions = false;
diff --git a/sdk/android/api/org/webrtc/PeerConnectionFactory.java b/sdk/android/api/org/webrtc/PeerConnectionFactory.java
index d63480a..79eca7e 100644
--- a/sdk/android/api/org/webrtc/PeerConnectionFactory.java
+++ b/sdk/android/api/org/webrtc/PeerConnectionFactory.java
@@ -107,7 +107,6 @@
public int networkIgnoreMask;
public boolean disableEncryption;
public boolean disableNetworkMonitor;
- public boolean enableAes128Sha1_32CryptoCipher;
@CalledByNative("Options")
int getNetworkIgnoreMask() {
@@ -123,11 +122,6 @@
boolean getDisableNetworkMonitor() {
return disableNetworkMonitor;
}
-
- @CalledByNative("Options")
- boolean getEnableAes128Sha1_32CryptoCipher() {
- return enableAes128Sha1_32CryptoCipher;
- }
}
/**
diff --git a/sdk/android/src/jni/pc/peerconnectionfactory.cc b/sdk/android/src/jni/pc/peerconnectionfactory.cc
index 59b2aff..1a7008a 100644
--- a/sdk/android/src/jni/pc/peerconnectionfactory.cc
+++ b/sdk/android/src/jni/pc/peerconnectionfactory.cc
@@ -52,8 +52,6 @@
bool disable_encryption = Java_Options_getDisableEncryption(jni, options);
bool disable_network_monitor =
Java_Options_getDisableNetworkMonitor(jni, options);
- bool enable_aes128_sha1_32_crypto_cipher =
- Java_Options_getEnableAes128Sha1_32CryptoCipher(jni, options);
PeerConnectionFactoryInterface::Options native_options;
@@ -62,9 +60,6 @@
native_options.network_ignore_mask = network_ignore_mask;
native_options.disable_encryption = disable_encryption;
native_options.disable_network_monitor = disable_network_monitor;
-
- native_options.crypto_options.enable_aes128_sha1_32_crypto_cipher =
- enable_aes128_sha1_32_crypto_cipher;
return native_options;
}
} // namespace
diff --git a/sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm b/sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm
index b5e9d74..f0cc6a6 100644
--- a/sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm
+++ b/sdk/objc/Framework/Classes/PeerConnection/RTCPeerConnectionFactoryOptions.mm
@@ -34,7 +34,6 @@
@synthesize ignoreCellularNetworkAdapter = _ignoreCellularNetworkAdapter;
@synthesize ignoreWiFiNetworkAdapter = _ignoreWiFiNetworkAdapter;
@synthesize ignoreEthernetNetworkAdapter = _ignoreEthernetNetworkAdapter;
-@synthesize enableAes128Sha1_32CryptoCipher = _enableAes128Sha1_32CryptoCipher;
- (instancetype)init {
return [super init];
@@ -51,8 +50,6 @@
setNetworkBit(&options, rtc::ADAPTER_TYPE_WIFI, self.ignoreWiFiNetworkAdapter);
setNetworkBit(&options, rtc::ADAPTER_TYPE_ETHERNET, self.ignoreEthernetNetworkAdapter);
- options.crypto_options.enable_aes128_sha1_32_crypto_cipher = self.enableAes128Sha1_32CryptoCipher;
-
return options;
}
diff --git a/sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h b/sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h
index 33faa1e..a65abc6 100644
--- a/sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h
+++ b/sdk/objc/Framework/Headers/WebRTC/RTCPeerConnectionFactoryOptions.h
@@ -31,8 +31,6 @@
@property(nonatomic, assign) BOOL ignoreEthernetNetworkAdapter;
-@property(nonatomic, assign) BOOL enableAes128Sha1_32CryptoCipher;
-
- (instancetype)init NS_DESIGNATED_INITIALIZER;
@end