1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
/*
* Copyright 2018 The WebRTC Project Authors. All rights reserved.
*
* Use of this source code is governed by a BSD-style license
* that can be found in the LICENSE file in the root of the source
* tree. An additional intellectual property rights grant can be found
* in the file PATENTS. All contributing project authors may
* be found in the AUTHORS file in the root of the source tree.
*/
#include "api/crypto/crypto_options.h"
#include <algorithm>
#include <cstdint>
#include <set>
#include <utility>
#include <vector>
#include "api/field_trials_view.h"
#include "rtc_base/checks.h"
#include "rtc_base/ssl_stream_adapter.h"
namespace webrtc {
CryptoOptions::CryptoOptions() {}
// static
CryptoOptions CryptoOptions::NoGcm() {
CryptoOptions options;
options.srtp.enable_gcm_crypto_suites = false;
return options;
}
std::vector<int> CryptoOptions::GetSupportedDtlsSrtpCryptoSuites() const {
std::vector<int> crypto_suites;
// Note: kSrtpAes128CmSha1_80 is what is required to be supported (by
// draft-ietf-rtcweb-security-arch), but kSrtpAes128CmSha1_32 is allowed as
// well, and saves a few bytes per packet if it ends up selected.
// As the cipher suite is potentially insecure, it will only be used if
// enabled by both peers.
if (srtp.enable_aes128_sha1_32_crypto_cipher) {
crypto_suites.push_back(kSrtpAes128CmSha1_32);
}
if (srtp.enable_aes128_sha1_80_crypto_cipher) {
crypto_suites.push_back(kSrtpAes128CmSha1_80);
}
// Note: GCM cipher suites are not the top choice since they increase the
// packet size. In order to negotiate them the other side must not support
// kSrtpAes128CmSha1_80.
if (srtp.enable_gcm_crypto_suites) {
crypto_suites.push_back(kSrtpAeadAes256Gcm);
crypto_suites.push_back(kSrtpAeadAes128Gcm);
}
RTC_CHECK(!crypto_suites.empty());
return crypto_suites;
}
bool CryptoOptions::operator==(const CryptoOptions& other) const {
struct data_being_tested_for_equality {
struct Srtp {
bool enable_gcm_crypto_suites;
bool enable_aes128_sha1_32_crypto_cipher;
bool enable_aes128_sha1_80_crypto_cipher;
bool enable_encrypted_rtp_header_extensions;
} srtp;
struct SFrame {
bool require_frame_encryption;
} sframe;
EphemeralKeyExchangeCipherGroups ephemeral_key_exchange_cipher_groups;
};
static_assert(sizeof(data_being_tested_for_equality) == sizeof(*this),
"Did you add something to CryptoOptions and forget to "
"update operator==?");
return srtp.enable_gcm_crypto_suites == other.srtp.enable_gcm_crypto_suites &&
srtp.enable_aes128_sha1_32_crypto_cipher ==
other.srtp.enable_aes128_sha1_32_crypto_cipher &&
srtp.enable_aes128_sha1_80_crypto_cipher ==
other.srtp.enable_aes128_sha1_80_crypto_cipher &&
srtp.enable_encrypted_rtp_header_extensions ==
other.srtp.enable_encrypted_rtp_header_extensions &&
sframe.require_frame_encryption ==
other.sframe.require_frame_encryption &&
ephemeral_key_exchange_cipher_groups ==
other.ephemeral_key_exchange_cipher_groups;
}
bool CryptoOptions::operator!=(const CryptoOptions& other) const {
return !(*this == other);
}
CryptoOptions::EphemeralKeyExchangeCipherGroups::
EphemeralKeyExchangeCipherGroups()
: enabled_(SSLStreamAdapter::GetDefaultEphemeralKeyExchangeCipherGroups(
/* field_trials= */ nullptr)) {}
bool CryptoOptions::EphemeralKeyExchangeCipherGroups::operator==(
const CryptoOptions::EphemeralKeyExchangeCipherGroups& other) const {
return enabled_ == other.enabled_;
}
std::set<uint16_t>
CryptoOptions::EphemeralKeyExchangeCipherGroups::GetSupported() {
return SSLStreamAdapter::GetSupportedEphemeralKeyExchangeCipherGroups();
}
void CryptoOptions::EphemeralKeyExchangeCipherGroups::AddFirst(uint16_t group) {
std::erase(enabled_, group);
enabled_.insert(enabled_.begin(), group);
}
void CryptoOptions::EphemeralKeyExchangeCipherGroups::Update(
const FieldTrialsView* field_trials,
const std::vector<uint16_t>* disabled_groups) {
// Note: assumption is that these lists contains few elements...so converting
// to set<> is not worth it.
std::vector<uint16_t> default_groups =
SSLStreamAdapter::GetDefaultEphemeralKeyExchangeCipherGroups(
field_trials);
// Remove all disabled.
if (disabled_groups) {
default_groups.erase(std::remove_if(
default_groups.begin(), default_groups.end(), [&](uint16_t val) {
return std::find(disabled_groups->begin(), disabled_groups->end(),
val) != disabled_groups->end();
}));
enabled_.erase(
std::remove_if(enabled_.begin(), enabled_.end(), [&](uint16_t val) {
return std::find(disabled_groups->begin(), disabled_groups->end(),
val) != disabled_groups->end();
}));
}
// Add those enabled by field-trials first.
std::vector<uint16_t> current = std::move(enabled_);
for (auto val : default_groups) {
if (std::find(current.begin(), current.end(), val) == current.end()) {
enabled_.push_back(val);
}
}
// Then re-add those present (unless already there).
for (auto val : current) {
if (std::find(enabled_.begin(), enabled_.end(), val) == enabled_.end()) {
enabled_.push_back(val);
}
}
}
} // namespace webrtc
|
