Reland "Move CryptoOptions to api/crypto from rtc_base/sslstreamadapter.h"
Promotes rtc::CryptoOptions to webrtc::CryptoOptions converting it from class
that only handles SRTP configuration to a more generic structure that can be
used and extended for all per peer connection CryptoOptions that can be on a
given PeerConnection.
Now all SRTP related options are under webrtc::CryptoOptions::Srtp and can be
accessed as crypto_options.srtp.whatever_option_name. This is more inline with
other structures we have in WebRTC such as VideoConfig. As additional features
are added over time this will allow the structure to remain compartmentalized
and concerned components can only request a subset of the overall configuration
structure e.g:
void MySrtpFunction(const webrtc::CryptoOptions::Srtp& srtp_config);
In addition to this it made little sense for sslstreamadapter.h to hold all
Srtp related configuration options. The header has become loo large and takes on
too many responsibilities and spilting this up will lead to more maintainable
code going forward.
This will be used in a future CL to enable configuration options for the newly
supported Frame Crypto.
Reland Fix:
- cryptooptions.h - now has enable_aes128_sha1_32_crypto_cipher as an optional
root level configuration.
- peerconnectionfactory - If this optional is set will now overwrite the
underyling value.
This along with the other field will be deprecated once dependent projects
are updated.
TBR=sakal@webrtc.org,kthelgason@webrtc.org,emadomara@webrtc.org,qingsi@webrtc.org
Bug: webrtc:9681
Change-Id: Iaa6b741baafb85d352e42f54226119f19d97151d
Reviewed-on: https://webrtc-review.googlesource.com/c/105560
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Steve Anton <steveanton@webrtc.org>
Reviewed-by: Emad Omara <emadomara@webrtc.org>
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#25135}diff --git a/api/BUILD.gn b/api/BUILD.gn
index 60eb751..c420b10 100644
--- a/api/BUILD.gn
+++ b/api/BUILD.gn
@@ -52,6 +52,8 @@
"bitrate_constraints.h",
"candidate.cc",
"candidate.h",
+ "crypto/cryptooptions.cc",
+ "crypto/cryptooptions.h",
"crypto/framedecryptorinterface.h",
"crypto/frameencryptorinterface.h",
"cryptoparams.h",
diff --git a/api/crypto/cryptooptions.cc b/api/crypto/cryptooptions.cc
new file mode 100644
index 0000000..ed6db47
--- /dev/null
+++ b/api/crypto/cryptooptions.cc
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2018 The WebRTC Project Authors. All rights reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "api/crypto/cryptooptions.h"
+#include "rtc_base/sslstreamadapter.h"
+
+namespace webrtc {
+
+CryptoOptions::CryptoOptions() {}
+
+CryptoOptions::CryptoOptions(const CryptoOptions& other) {
+ enable_gcm_crypto_suites = other.enable_gcm_crypto_suites;
+ enable_encrypted_rtp_header_extensions =
+ other.enable_encrypted_rtp_header_extensions;
+ srtp = other.srtp;
+}
+
+CryptoOptions::~CryptoOptions() {}
+
+// static
+CryptoOptions CryptoOptions::NoGcm() {
+ CryptoOptions options;
+ options.srtp.enable_gcm_crypto_suites = false;
+ return options;
+}
+
+std::vector<int> CryptoOptions::GetSupportedDtlsSrtpCryptoSuites() const {
+ std::vector<int> crypto_suites;
+ if (srtp.enable_gcm_crypto_suites) {
+ crypto_suites.push_back(rtc::SRTP_AEAD_AES_256_GCM);
+ crypto_suites.push_back(rtc::SRTP_AEAD_AES_128_GCM);
+ }
+ // Note: SRTP_AES128_CM_SHA1_80 is what is required to be supported (by
+ // draft-ietf-rtcweb-security-arch), but SRTP_AES128_CM_SHA1_32 is allowed as
+ // well, and saves a few bytes per packet if it ends up selected.
+ // As the cipher suite is potentially insecure, it will only be used if
+ // enabled by both peers.
+ if (srtp.enable_aes128_sha1_32_crypto_cipher) {
+ crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_32);
+ }
+ crypto_suites.push_back(rtc::SRTP_AES128_CM_SHA1_80);
+ return crypto_suites;
+}
+
+} // namespace webrtc
diff --git a/api/crypto/cryptooptions.h b/api/crypto/cryptooptions.h
new file mode 100644
index 0000000..0ac973f
--- /dev/null
+++ b/api/crypto/cryptooptions.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2018 The WebRTC Project Authors. All rights reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#ifndef API_CRYPTO_CRYPTOOPTIONS_H_
+#define API_CRYPTO_CRYPTOOPTIONS_H_
+
+#include <vector>
+#include "absl/types/optional.h"
+
+namespace webrtc {
+
+// CryptoOptions defines advanced cryptographic settings for native WebRTC.
+// These settings must be passed into PeerConnectionFactoryInterface::Options
+// and are only applicable to native use cases of WebRTC.
+struct CryptoOptions {
+ CryptoOptions();
+ CryptoOptions(const CryptoOptions& other);
+ ~CryptoOptions();
+
+ // Helper method to return an instance of the CryptoOptions with GCM crypto
+ // suites disabled. This method should be used instead of depending on current
+ // default values set by the constructor.
+ static CryptoOptions NoGcm();
+
+ // Returns a list of the supported DTLS-SRTP Crypto suites based on this set
+ // of crypto options.
+ std::vector<int> GetSupportedDtlsSrtpCryptoSuites() const;
+
+ // TODO(webrtc:9859) - Remove duplicates once chromium is fixed.
+ // Will be removed once srtp.enable_gcm_crypto_suites is updated in Chrome.
+ absl::optional<bool> enable_gcm_crypto_suites;
+ // TODO(webrtc:9859) - Remove duplicates once chromium is fixed.
+ // Will be removed once srtp.enable_encrypted_rtp_header_extensions is
+ // updated in Chrome.
+ absl::optional<bool> enable_encrypted_rtp_header_extensions;
+ // Will be removed once srtp.enable_encrypted_rtp_header_extensions is
+ // updated in Tacl.
+ absl::optional<bool> enable_aes128_sha1_32_crypto_cipher;
+
+ // SRTP Related Peer Connection options.
+ struct Srtp {
+ // Enable GCM crypto suites from RFC 7714 for SRTP. GCM will only be used
+ // if both sides enable it.
+ bool enable_gcm_crypto_suites = false;
+
+ // If set to true, the (potentially insecure) crypto cipher
+ // SRTP_AES128_CM_SHA1_32 will be included in the list of supported ciphers
+ // during negotiation. It will only be used if both peers support it and no
+ // other ciphers get preferred.
+ bool enable_aes128_sha1_32_crypto_cipher = false;
+
+ // If set to true, encrypted RTP header extensions as defined in RFC 6904
+ // will be negotiated. They will only be used if both peers support them.
+ bool enable_encrypted_rtp_header_extensions = false;
+ } srtp;
+};
+
+} // namespace webrtc
+
+#endif // API_CRYPTO_CRYPTOOPTIONS_H_
diff --git a/api/cryptoparams.h b/api/cryptoparams.h
index 2350528..abe9055 100644
--- a/api/cryptoparams.h
+++ b/api/cryptoparams.h
@@ -16,6 +16,8 @@
namespace cricket {
// Parameters for SRTP negotiation, as described in RFC 4568.
+// TODO(benwright) - Rename to SrtpCryptoParams as these only apply to SRTP and
+// not generic crypto parameters for WebRTC.
struct CryptoParams {
CryptoParams() : tag(0) {}
CryptoParams(int t,
diff --git a/api/peerconnectioninterface.h b/api/peerconnectioninterface.h
index 3d8a9c1..141b2c9 100644
--- a/api/peerconnectioninterface.h
+++ b/api/peerconnectioninterface.h
@@ -77,6 +77,7 @@
#include "api/audio_codecs/audio_encoder_factory.h"
#include "api/audio_options.h"
#include "api/call/callfactoryinterface.h"
+#include "api/crypto/cryptooptions.h"
#include "api/datachannelinterface.h"
#include "api/fec_controller.h"
#include "api/jsep.h"
@@ -1180,7 +1181,7 @@
public:
class Options {
public:
- Options() : crypto_options(rtc::CryptoOptions::NoGcm()) {}
+ Options() {}
// If set to true, created PeerConnections won't enforce any SRTP
// requirement, allowing unsecured media. Should only be used for
@@ -1209,7 +1210,7 @@
rtc::SSLProtocolVersion ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12;
// Sets crypto related options, e.g. enabled cipher suites.
- rtc::CryptoOptions crypto_options;
+ CryptoOptions crypto_options = CryptoOptions::NoGcm();
};
// Set the options to be used for subsequently created PeerConnections.