| /* |
| * Copyright 2018 The WebRTC Project Authors. All rights reserved. |
| * |
| * Use of this source code is governed by a BSD-style license |
| * that can be found in the LICENSE file in the root of the source |
| * tree. An additional intellectual property rights grant can be found |
| * in the file PATENTS. All contributing project authors may |
| * be found in the AUTHORS file in the root of the source tree. |
| */ |
| |
| #include "api/crypto/crypto_options.h" |
| |
| #include <cstdint> |
| #include <optional> |
| #include <set> |
| #include <string> |
| #include <utility> |
| #include <vector> |
| |
| #include "absl/algorithm/container.h" |
| #include "api/field_trials_view.h" |
| #include "rtc_base/checks.h" |
| #include "rtc_base/ssl_stream_adapter.h" |
| |
| namespace webrtc { |
| |
| CryptoOptions::CryptoOptions() {} |
| |
| // static |
| CryptoOptions CryptoOptions::NoGcm() { |
| CryptoOptions options; |
| options.srtp.enable_gcm_crypto_suites = false; |
| return options; |
| } |
| |
| std::vector<int> CryptoOptions::GetSupportedDtlsSrtpCryptoSuites() const { |
| std::vector<int> crypto_suites; |
| // Note: kSrtpAes128CmSha1_80 is what is required to be supported (by |
| // draft-ietf-rtcweb-security-arch), but kSrtpAes128CmSha1_32 is allowed as |
| // well, and saves a few bytes per packet if it ends up selected. |
| // As the cipher suite is potentially insecure, it will only be used if |
| // enabled by both peers. |
| if (srtp.enable_aes128_sha1_32_crypto_cipher) { |
| crypto_suites.push_back(kSrtpAes128CmSha1_32); |
| } |
| if (srtp.enable_aes128_sha1_80_crypto_cipher) { |
| crypto_suites.push_back(kSrtpAes128CmSha1_80); |
| } |
| |
| // Note: GCM cipher suites are not the top choice since they increase the |
| // packet size. In order to negotiate them the other side must not support |
| // kSrtpAes128CmSha1_80. |
| if (srtp.enable_gcm_crypto_suites) { |
| crypto_suites.push_back(kSrtpAeadAes256Gcm); |
| crypto_suites.push_back(kSrtpAeadAes128Gcm); |
| } |
| RTC_CHECK(!crypto_suites.empty()); |
| return crypto_suites; |
| } |
| |
| bool CryptoOptions::operator==(const CryptoOptions& other) const { |
| struct data_being_tested_for_equality { |
| struct Srtp { |
| bool enable_gcm_crypto_suites; |
| bool enable_aes128_sha1_32_crypto_cipher; |
| bool enable_aes128_sha1_80_crypto_cipher; |
| bool enable_encrypted_rtp_header_extensions; |
| } srtp; |
| struct SFrame { |
| bool require_frame_encryption; |
| } sframe; |
| EphemeralKeyExchangeCipherGroups ephemeral_key_exchange_cipher_groups; |
| }; |
| static_assert(sizeof(data_being_tested_for_equality) == sizeof(*this), |
| "Did you add something to CryptoOptions and forget to " |
| "update operator==?"); |
| |
| return srtp.enable_gcm_crypto_suites == other.srtp.enable_gcm_crypto_suites && |
| srtp.enable_aes128_sha1_32_crypto_cipher == |
| other.srtp.enable_aes128_sha1_32_crypto_cipher && |
| srtp.enable_aes128_sha1_80_crypto_cipher == |
| other.srtp.enable_aes128_sha1_80_crypto_cipher && |
| srtp.enable_encrypted_rtp_header_extensions == |
| other.srtp.enable_encrypted_rtp_header_extensions && |
| sframe.require_frame_encryption == |
| other.sframe.require_frame_encryption && |
| ephemeral_key_exchange_cipher_groups == |
| other.ephemeral_key_exchange_cipher_groups; |
| } |
| |
| bool CryptoOptions::operator!=(const CryptoOptions& other) const { |
| return !(*this == other); |
| } |
| |
| CryptoOptions::EphemeralKeyExchangeCipherGroups:: |
| EphemeralKeyExchangeCipherGroups() |
| : enabled_(SSLStreamAdapter::GetDefaultEphemeralKeyExchangeCipherGroups( |
| /* field_trials= */ nullptr)) {} |
| |
| bool CryptoOptions::EphemeralKeyExchangeCipherGroups::operator==( |
| const CryptoOptions::EphemeralKeyExchangeCipherGroups& other) const { |
| return enabled_ == other.enabled_; |
| } |
| |
| std::set<uint16_t> |
| CryptoOptions::EphemeralKeyExchangeCipherGroups::GetSupported() { |
| return SSLStreamAdapter::GetSupportedEphemeralKeyExchangeCipherGroups(); |
| } |
| |
| std::optional<std::string> |
| CryptoOptions::EphemeralKeyExchangeCipherGroups::GetName(uint16_t group_id) { |
| return SSLStreamAdapter::GetEphemeralKeyExchangeCipherGroupName(group_id); |
| } |
| |
| void CryptoOptions::EphemeralKeyExchangeCipherGroups::AddFirst(uint16_t group) { |
| std::erase(enabled_, group); |
| enabled_.insert(enabled_.begin(), group); |
| } |
| |
| void CryptoOptions::EphemeralKeyExchangeCipherGroups::Update( |
| const FieldTrialsView* field_trials, |
| const std::vector<uint16_t>* disabled_groups) { |
| // Note: assumption is that these lists contains few elements...so converting |
| // to set<> is not worth it. |
| std::vector<uint16_t> default_groups = |
| SSLStreamAdapter::GetDefaultEphemeralKeyExchangeCipherGroups( |
| field_trials); |
| // Remove all disabled. |
| if (disabled_groups) { |
| std::erase_if(default_groups, [&](uint16_t val) { |
| return absl::c_linear_search(*disabled_groups, val); |
| }); |
| std::erase_if(enabled_, [&](uint16_t val) { |
| return absl::c_linear_search(*disabled_groups, val); |
| }); |
| } |
| |
| // Add those enabled by field-trials first. |
| std::vector<uint16_t> current = std::move(enabled_); |
| enabled_.clear(); |
| for (auto val : default_groups) { |
| if (!absl::c_linear_search(current, val)) { |
| enabled_.push_back(val); |
| } |
| } |
| |
| // Then re-add those present (unless already there). |
| for (auto val : current) { |
| if (!absl::c_linear_search(enabled_, val)) { |
| enabled_.push_back(val); |
| } |
| } |
| } |
| |
| } // namespace webrtc |
