zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2017 The WebRTC project authors. All Rights Reserved. |
| 3 | * |
| 4 | * Use of this source code is governed by a BSD-style license |
| 5 | * that can be found in the LICENSE file in the root of the source |
| 6 | * tree. An additional intellectual property rights grant can be found |
| 7 | * in the file PATENTS. All contributing project authors may |
| 8 | * be found in the AUTHORS file in the root of the source tree. |
| 9 | */ |
| 10 | |
Mirko Bonadei | 92ea95e | 2017-09-15 04:47:31 | [diff] [blame] | 11 | #include "pc/srtptransport.h" |
zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 12 | |
| 13 | #include <string> |
| 14 | |
Mirko Bonadei | 92ea95e | 2017-09-15 04:47:31 | [diff] [blame] | 15 | #include "media/base/rtputils.h" |
| 16 | #include "pc/rtptransport.h" |
| 17 | #include "pc/srtpsession.h" |
| 18 | #include "rtc_base/asyncpacketsocket.h" |
Zhi Huang | cf990f5 | 2017-09-22 19:12:30 | [diff] [blame^] | 19 | #include "rtc_base/base64.h" |
Mirko Bonadei | 92ea95e | 2017-09-15 04:47:31 | [diff] [blame] | 20 | #include "rtc_base/copyonwritebuffer.h" |
| 21 | #include "rtc_base/ptr_util.h" |
| 22 | #include "rtc_base/trace_event.h" |
zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 23 | |
| 24 | namespace webrtc { |
| 25 | |
| 26 | SrtpTransport::SrtpTransport(bool rtcp_mux_enabled, |
| 27 | const std::string& content_name) |
| 28 | : content_name_(content_name), |
| 29 | rtp_transport_(rtc::MakeUnique<RtpTransport>(rtcp_mux_enabled)) { |
| 30 | ConnectToRtpTransport(); |
| 31 | } |
| 32 | |
| 33 | SrtpTransport::SrtpTransport(std::unique_ptr<RtpTransportInternal> transport, |
| 34 | const std::string& content_name) |
| 35 | : content_name_(content_name), rtp_transport_(std::move(transport)) { |
| 36 | ConnectToRtpTransport(); |
| 37 | } |
| 38 | |
| 39 | void SrtpTransport::ConnectToRtpTransport() { |
| 40 | rtp_transport_->SignalPacketReceived.connect( |
| 41 | this, &SrtpTransport::OnPacketReceived); |
| 42 | rtp_transport_->SignalReadyToSend.connect(this, |
| 43 | &SrtpTransport::OnReadyToSend); |
| 44 | } |
| 45 | |
Zhi Huang | cf990f5 | 2017-09-22 19:12:30 | [diff] [blame^] | 46 | bool SrtpTransport::SendRtpPacket(rtc::CopyOnWriteBuffer* packet, |
| 47 | const rtc::PacketOptions& options, |
| 48 | int flags) { |
| 49 | return SendPacket(false, packet, options, flags); |
| 50 | } |
| 51 | |
| 52 | bool SrtpTransport::SendRtcpPacket(rtc::CopyOnWriteBuffer* packet, |
| 53 | const rtc::PacketOptions& options, |
| 54 | int flags) { |
| 55 | return SendPacket(true, packet, options, flags); |
| 56 | } |
| 57 | |
zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 58 | bool SrtpTransport::SendPacket(bool rtcp, |
| 59 | rtc::CopyOnWriteBuffer* packet, |
| 60 | const rtc::PacketOptions& options, |
| 61 | int flags) { |
Zhi Huang | cf990f5 | 2017-09-22 19:12:30 | [diff] [blame^] | 62 | if (!IsActive()) { |
| 63 | LOG(LS_ERROR) |
| 64 | << "Failed to send the packet because SRTP transport is inactive."; |
| 65 | return false; |
| 66 | } |
zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 67 | |
Zhi Huang | cf990f5 | 2017-09-22 19:12:30 | [diff] [blame^] | 68 | rtc::PacketOptions updated_options = options; |
| 69 | rtc::CopyOnWriteBuffer cp = *packet; |
| 70 | TRACE_EVENT0("webrtc", "SRTP Encode"); |
| 71 | bool res; |
| 72 | uint8_t* data = packet->data(); |
| 73 | int len = static_cast<int>(packet->size()); |
| 74 | if (!rtcp) { |
| 75 | // If ENABLE_EXTERNAL_AUTH flag is on then packet authentication is not done |
| 76 | // inside libsrtp for a RTP packet. A external HMAC module will be writing |
| 77 | // a fake HMAC value. This is ONLY done for a RTP packet. |
| 78 | // Socket layer will update rtp sendtime extension header if present in |
| 79 | // packet with current time before updating the HMAC. |
| 80 | #if !defined(ENABLE_EXTERNAL_AUTH) |
| 81 | res = ProtectRtp(data, len, static_cast<int>(packet->capacity()), &len); |
| 82 | #else |
| 83 | if (!IsExternalAuthActive()) { |
| 84 | res = ProtectRtp(data, len, static_cast<int>(packet->capacity()), &len); |
| 85 | } else { |
| 86 | updated_options.packet_time_params.rtp_sendtime_extension_id = |
| 87 | rtp_abs_sendtime_extn_id_; |
| 88 | res = ProtectRtp(data, len, static_cast<int>(packet->capacity()), &len, |
| 89 | &updated_options.packet_time_params.srtp_packet_index); |
| 90 | // If protection succeeds, let's get auth params from srtp. |
| 91 | if (res) { |
| 92 | uint8_t* auth_key = NULL; |
| 93 | int key_len; |
| 94 | res = GetRtpAuthParams( |
| 95 | &auth_key, &key_len, |
| 96 | &updated_options.packet_time_params.srtp_auth_tag_len); |
| 97 | if (res) { |
| 98 | updated_options.packet_time_params.srtp_auth_key.resize(key_len); |
| 99 | updated_options.packet_time_params.srtp_auth_key.assign( |
| 100 | auth_key, auth_key + key_len); |
| 101 | } |
| 102 | } |
| 103 | } |
| 104 | #endif |
| 105 | if (!res) { |
| 106 | int seq_num = -1; |
| 107 | uint32_t ssrc = 0; |
| 108 | cricket::GetRtpSeqNum(data, len, &seq_num); |
| 109 | cricket::GetRtpSsrc(data, len, &ssrc); |
| 110 | LOG(LS_ERROR) << "Failed to protect " << content_name_ |
| 111 | << " RTP packet: size=" << len << ", seqnum=" << seq_num |
| 112 | << ", SSRC=" << ssrc; |
| 113 | return false; |
| 114 | } |
| 115 | } else { |
| 116 | res = ProtectRtcp(data, len, static_cast<int>(packet->capacity()), &len); |
| 117 | if (!res) { |
| 118 | int type = -1; |
| 119 | cricket::GetRtcpType(data, len, &type); |
| 120 | LOG(LS_ERROR) << "Failed to protect " << content_name_ |
| 121 | << " RTCP packet: size=" << len << ", type=" << type; |
| 122 | return false; |
| 123 | } |
| 124 | } |
| 125 | |
| 126 | // Update the length of the packet now that we've added the auth tag. |
| 127 | packet->SetSize(len); |
| 128 | return rtcp ? rtp_transport_->SendRtcpPacket(packet, updated_options, flags) |
| 129 | : rtp_transport_->SendRtpPacket(packet, updated_options, flags); |
zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 130 | } |
| 131 | |
| 132 | void SrtpTransport::OnPacketReceived(bool rtcp, |
| 133 | rtc::CopyOnWriteBuffer* packet, |
| 134 | const rtc::PacketTime& packet_time) { |
Zhi Huang | cf990f5 | 2017-09-22 19:12:30 | [diff] [blame^] | 135 | if (!IsActive()) { |
| 136 | LOG(LS_WARNING) << "Inactive SRTP transport received a packet. Drop it."; |
| 137 | return; |
| 138 | } |
zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 139 | |
Zhi Huang | cf990f5 | 2017-09-22 19:12:30 | [diff] [blame^] | 140 | TRACE_EVENT0("webrtc", "SRTP Decode"); |
| 141 | char* data = packet->data<char>(); |
| 142 | int len = static_cast<int>(packet->size()); |
| 143 | bool res; |
| 144 | if (!rtcp) { |
| 145 | res = UnprotectRtp(data, len, &len); |
| 146 | if (!res) { |
| 147 | int seq_num = -1; |
| 148 | uint32_t ssrc = 0; |
| 149 | cricket::GetRtpSeqNum(data, len, &seq_num); |
| 150 | cricket::GetRtpSsrc(data, len, &ssrc); |
| 151 | LOG(LS_ERROR) << "Failed to unprotect " << content_name_ |
| 152 | << " RTP packet: size=" << len << ", seqnum=" << seq_num |
| 153 | << ", SSRC=" << ssrc; |
| 154 | return; |
| 155 | } |
| 156 | } else { |
| 157 | res = UnprotectRtcp(data, len, &len); |
| 158 | if (!res) { |
| 159 | int type = -1; |
| 160 | cricket::GetRtcpType(data, len, &type); |
| 161 | LOG(LS_ERROR) << "Failed to unprotect " << content_name_ |
| 162 | << " RTCP packet: size=" << len << ", type=" << type; |
| 163 | return; |
| 164 | } |
| 165 | } |
| 166 | |
| 167 | packet->SetSize(len); |
zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 168 | SignalPacketReceived(rtcp, packet, packet_time); |
| 169 | } |
| 170 | |
Zhi Huang | cf990f5 | 2017-09-22 19:12:30 | [diff] [blame^] | 171 | bool SrtpTransport::SetRtpParams(int send_cs, |
| 172 | const uint8_t* send_key, |
| 173 | int send_key_len, |
| 174 | int recv_cs, |
| 175 | const uint8_t* recv_key, |
| 176 | int recv_key_len) { |
| 177 | // If parameters are being set for the first time, we should create new SRTP |
| 178 | // sessions and call "SetSend/SetRecv". Otherwise we should call |
| 179 | // "UpdateSend"/"UpdateRecv" on the existing sessions, which will internally |
| 180 | // call "srtp_update". |
| 181 | bool new_sessions = false; |
| 182 | if (!send_session_) { |
| 183 | RTC_DCHECK(!recv_session_); |
| 184 | CreateSrtpSessions(); |
| 185 | new_sessions = true; |
| 186 | } |
| 187 | send_session_->SetEncryptedHeaderExtensionIds( |
| 188 | send_encrypted_header_extension_ids_); |
| 189 | bool ret = new_sessions |
| 190 | ? send_session_->SetSend(send_cs, send_key, send_key_len) |
| 191 | : send_session_->UpdateSend(send_cs, send_key, send_key_len); |
| 192 | if (!ret) { |
| 193 | ResetParams(); |
| 194 | return false; |
| 195 | } |
| 196 | |
| 197 | recv_session_->SetEncryptedHeaderExtensionIds( |
| 198 | recv_encrypted_header_extension_ids_); |
| 199 | ret = new_sessions |
| 200 | ? recv_session_->SetRecv(recv_cs, recv_key, recv_key_len) |
| 201 | : recv_session_->UpdateRecv(recv_cs, recv_key, recv_key_len); |
| 202 | if (!ret) { |
| 203 | ResetParams(); |
| 204 | return false; |
| 205 | } |
| 206 | |
| 207 | LOG(LS_INFO) << "SRTP " << (new_sessions ? "updated" : "activated") |
| 208 | << " with negotiated parameters:" |
| 209 | << " send cipher_suite " << send_cs << " recv cipher_suite " |
| 210 | << recv_cs; |
| 211 | return true; |
| 212 | } |
| 213 | |
| 214 | bool SrtpTransport::SetRtcpParams(int send_cs, |
| 215 | const uint8_t* send_key, |
| 216 | int send_key_len, |
| 217 | int recv_cs, |
| 218 | const uint8_t* recv_key, |
| 219 | int recv_key_len) { |
| 220 | // This can only be called once, but can be safely called after |
| 221 | // SetRtpParams |
| 222 | if (send_rtcp_session_ || recv_rtcp_session_) { |
| 223 | LOG(LS_ERROR) << "Tried to set SRTCP Params when filter already active"; |
| 224 | return false; |
| 225 | } |
| 226 | |
| 227 | send_rtcp_session_.reset(new cricket::SrtpSession()); |
| 228 | if (!send_rtcp_session_->SetRecv(send_cs, send_key, send_key_len)) { |
| 229 | return false; |
| 230 | } |
| 231 | |
| 232 | recv_rtcp_session_.reset(new cricket::SrtpSession()); |
| 233 | if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len)) { |
| 234 | return false; |
| 235 | } |
| 236 | |
| 237 | LOG(LS_INFO) << "SRTCP activated with negotiated parameters:" |
| 238 | << " send cipher_suite " << send_cs << " recv cipher_suite " |
| 239 | << recv_cs; |
| 240 | |
| 241 | return true; |
| 242 | } |
| 243 | |
| 244 | bool SrtpTransport::IsActive() const { |
| 245 | return send_session_ && recv_session_; |
| 246 | } |
| 247 | |
| 248 | void SrtpTransport::ResetParams() { |
| 249 | send_session_ = nullptr; |
| 250 | recv_session_ = nullptr; |
| 251 | send_rtcp_session_ = nullptr; |
| 252 | recv_rtcp_session_ = nullptr; |
| 253 | LOG(LS_INFO) << "The params in SRTP transport are reset."; |
| 254 | } |
| 255 | |
| 256 | void SrtpTransport::SetEncryptedHeaderExtensionIds( |
| 257 | cricket::ContentSource source, |
| 258 | const std::vector<int>& extension_ids) { |
| 259 | if (source == cricket::CS_LOCAL) { |
| 260 | recv_encrypted_header_extension_ids_ = extension_ids; |
| 261 | } else { |
| 262 | send_encrypted_header_extension_ids_ = extension_ids; |
| 263 | } |
| 264 | } |
| 265 | |
| 266 | void SrtpTransport::CreateSrtpSessions() { |
| 267 | send_session_.reset(new cricket::SrtpSession()); |
| 268 | recv_session_.reset(new cricket::SrtpSession()); |
| 269 | |
| 270 | if (external_auth_enabled_) { |
| 271 | send_session_->EnableExternalAuth(); |
| 272 | } |
| 273 | } |
| 274 | |
| 275 | bool SrtpTransport::ProtectRtp(void* p, int in_len, int max_len, int* out_len) { |
| 276 | if (!IsActive()) { |
| 277 | LOG(LS_WARNING) << "Failed to ProtectRtp: SRTP not active"; |
| 278 | return false; |
| 279 | } |
| 280 | RTC_CHECK(send_session_); |
| 281 | return send_session_->ProtectRtp(p, in_len, max_len, out_len); |
| 282 | } |
| 283 | |
| 284 | bool SrtpTransport::ProtectRtp(void* p, |
| 285 | int in_len, |
| 286 | int max_len, |
| 287 | int* out_len, |
| 288 | int64_t* index) { |
| 289 | if (!IsActive()) { |
| 290 | LOG(LS_WARNING) << "Failed to ProtectRtp: SRTP not active"; |
| 291 | return false; |
| 292 | } |
| 293 | RTC_CHECK(send_session_); |
| 294 | return send_session_->ProtectRtp(p, in_len, max_len, out_len, index); |
| 295 | } |
| 296 | |
| 297 | bool SrtpTransport::ProtectRtcp(void* p, |
| 298 | int in_len, |
| 299 | int max_len, |
| 300 | int* out_len) { |
| 301 | if (!IsActive()) { |
| 302 | LOG(LS_WARNING) << "Failed to ProtectRtcp: SRTP not active"; |
| 303 | return false; |
| 304 | } |
| 305 | if (send_rtcp_session_) { |
| 306 | return send_rtcp_session_->ProtectRtcp(p, in_len, max_len, out_len); |
| 307 | } else { |
| 308 | RTC_CHECK(send_session_); |
| 309 | return send_session_->ProtectRtcp(p, in_len, max_len, out_len); |
| 310 | } |
| 311 | } |
| 312 | |
| 313 | bool SrtpTransport::UnprotectRtp(void* p, int in_len, int* out_len) { |
| 314 | if (!IsActive()) { |
| 315 | LOG(LS_WARNING) << "Failed to UnprotectRtp: SRTP not active"; |
| 316 | return false; |
| 317 | } |
| 318 | RTC_CHECK(recv_session_); |
| 319 | return recv_session_->UnprotectRtp(p, in_len, out_len); |
| 320 | } |
| 321 | |
| 322 | bool SrtpTransport::UnprotectRtcp(void* p, int in_len, int* out_len) { |
| 323 | if (!IsActive()) { |
| 324 | LOG(LS_WARNING) << "Failed to UnprotectRtcp: SRTP not active"; |
| 325 | return false; |
| 326 | } |
| 327 | if (recv_rtcp_session_) { |
| 328 | return recv_rtcp_session_->UnprotectRtcp(p, in_len, out_len); |
| 329 | } else { |
| 330 | RTC_CHECK(recv_session_); |
| 331 | return recv_session_->UnprotectRtcp(p, in_len, out_len); |
| 332 | } |
| 333 | } |
| 334 | |
| 335 | bool SrtpTransport::GetRtpAuthParams(uint8_t** key, |
| 336 | int* key_len, |
| 337 | int* tag_len) { |
| 338 | if (!IsActive()) { |
| 339 | LOG(LS_WARNING) << "Failed to GetRtpAuthParams: SRTP not active"; |
| 340 | return false; |
| 341 | } |
| 342 | |
| 343 | RTC_CHECK(send_session_); |
| 344 | return send_session_->GetRtpAuthParams(key, key_len, tag_len); |
| 345 | } |
| 346 | |
| 347 | bool SrtpTransport::GetSrtpOverhead(int* srtp_overhead) const { |
| 348 | if (!IsActive()) { |
| 349 | LOG(LS_WARNING) << "Failed to GetSrtpOverhead: SRTP not active"; |
| 350 | return false; |
| 351 | } |
| 352 | |
| 353 | RTC_CHECK(send_session_); |
| 354 | *srtp_overhead = send_session_->GetSrtpOverhead(); |
| 355 | return true; |
| 356 | } |
| 357 | |
| 358 | void SrtpTransport::EnableExternalAuth() { |
| 359 | RTC_DCHECK(!IsActive()); |
| 360 | external_auth_enabled_ = true; |
| 361 | } |
| 362 | |
| 363 | bool SrtpTransport::IsExternalAuthEnabled() const { |
| 364 | return external_auth_enabled_; |
| 365 | } |
| 366 | |
| 367 | bool SrtpTransport::IsExternalAuthActive() const { |
| 368 | if (!IsActive()) { |
| 369 | LOG(LS_WARNING) << "Failed to check IsExternalAuthActive: SRTP not active"; |
| 370 | return false; |
| 371 | } |
| 372 | |
| 373 | RTC_CHECK(send_session_); |
| 374 | return send_session_->IsExternalAuthActive(); |
| 375 | } |
| 376 | |
zstein | 398c3fd | 2017-07-19 20:38:02 | [diff] [blame] | 377 | } // namespace webrtc |