henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 | * |
| 4 | * Use of this source code is governed by a BSD-style license |
| 5 | * that can be found in the LICENSE file in the root of the source |
| 6 | * tree. An additional intellectual property rights grant can be found |
| 7 | * in the file PATENTS. All contributing project authors may |
| 8 | * be found in the AUTHORS file in the root of the source tree. |
| 9 | */ |
| 10 | |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 11 | #include "webrtc/p2p/base/jseptransport.h" |
| 12 | |
jbauch | 555604a | 2016-04-26 03:13:22 -0700 | [diff] [blame] | 13 | #include <memory> |
deadbeef | cbecd35 | 2015-09-23 11:50:27 -0700 | [diff] [blame] | 14 | #include <utility> // for std::pair |
| 15 | |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 16 | #include "webrtc/base/bind.h" |
| 17 | #include "webrtc/base/checks.h" |
| 18 | #include "webrtc/base/logging.h" |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 19 | #include "webrtc/p2p/base/candidate.h" |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 20 | #include "webrtc/p2p/base/dtlstransportchannel.h" |
kjellander | f475277 | 2016-03-02 05:42:30 -0800 | [diff] [blame] | 21 | #include "webrtc/p2p/base/p2pconstants.h" |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 22 | #include "webrtc/p2p/base/p2ptransportchannel.h" |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 23 | #include "webrtc/p2p/base/port.h" |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 24 | |
| 25 | namespace cricket { |
| 26 | |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 27 | static bool VerifyIceParams(const TransportDescription& desc) { |
| 28 | // For legacy protocols. |
| 29 | if (desc.ice_ufrag.empty() && desc.ice_pwd.empty()) |
| 30 | return true; |
| 31 | |
| 32 | if (desc.ice_ufrag.length() < ICE_UFRAG_MIN_LENGTH || |
| 33 | desc.ice_ufrag.length() > ICE_UFRAG_MAX_LENGTH) { |
| 34 | return false; |
| 35 | } |
| 36 | if (desc.ice_pwd.length() < ICE_PWD_MIN_LENGTH || |
| 37 | desc.ice_pwd.length() > ICE_PWD_MAX_LENGTH) { |
| 38 | return false; |
| 39 | } |
| 40 | return true; |
| 41 | } |
| 42 | |
hbos | 06495bc | 2017-01-02 08:08:18 -0800 | [diff] [blame] | 43 | ConnectionInfo::ConnectionInfo() |
| 44 | : best_connection(false), |
| 45 | writable(false), |
| 46 | receiving(false), |
| 47 | timeout(false), |
| 48 | new_connection(false), |
| 49 | rtt(0), |
| 50 | sent_total_bytes(0), |
| 51 | sent_bytes_second(0), |
| 52 | sent_discarded_packets(0), |
| 53 | sent_total_packets(0), |
| 54 | sent_ping_requests_total(0), |
| 55 | sent_ping_requests_before_first_response(0), |
| 56 | sent_ping_responses(0), |
| 57 | recv_total_bytes(0), |
| 58 | recv_bytes_second(0), |
| 59 | recv_ping_requests(0), |
| 60 | recv_ping_responses(0), |
| 61 | key(nullptr), |
| 62 | state(IceCandidatePairState::WAITING), |
hbos | 92eaec6 | 2017-02-27 01:38:08 -0800 | [diff] [blame] | 63 | priority(0), |
hbos | bf8d3e5 | 2017-02-28 06:34:47 -0800 | [diff] [blame] | 64 | nominated(false), |
| 65 | total_round_trip_time_ms(0) {} |
hbos | 06495bc | 2017-01-02 08:08:18 -0800 | [diff] [blame] | 66 | |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 67 | bool BadTransportDescription(const std::string& desc, std::string* err_desc) { |
| 68 | if (err_desc) { |
| 69 | *err_desc = desc; |
| 70 | } |
| 71 | LOG(LS_ERROR) << desc; |
| 72 | return false; |
| 73 | } |
| 74 | |
| 75 | bool IceCredentialsChanged(const std::string& old_ufrag, |
| 76 | const std::string& old_pwd, |
| 77 | const std::string& new_ufrag, |
| 78 | const std::string& new_pwd) { |
deadbeef | 0ed85b2 | 2016-02-23 17:24:52 -0800 | [diff] [blame] | 79 | // The standard (RFC 5245 Section 9.1.1.1) says that ICE restarts MUST change |
| 80 | // both the ufrag and password. However, section 9.2.1.1 says changing the |
| 81 | // ufrag OR password indicates an ICE restart. So, to keep compatibility with |
| 82 | // endpoints that only change one, we'll treat this as an ICE restart. |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 83 | return (old_ufrag != new_ufrag) || (old_pwd != new_pwd); |
| 84 | } |
| 85 | |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 86 | bool VerifyCandidate(const Candidate& cand, std::string* error) { |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 87 | // No address zero. |
tfarina | 8ac544e | 2015-10-08 07:15:44 -0700 | [diff] [blame] | 88 | if (cand.address().IsNil() || cand.address().IsAnyIP()) { |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 89 | *error = "candidate has address of zero"; |
| 90 | return false; |
| 91 | } |
| 92 | |
| 93 | // Disallow all ports below 1024, except for 80 and 443 on public addresses. |
| 94 | int port = cand.address().port(); |
| 95 | if (cand.protocol() == TCP_PROTOCOL_NAME && |
| 96 | (cand.tcptype() == TCPTYPE_ACTIVE_STR || port == 0)) { |
| 97 | // Expected for active-only candidates per |
| 98 | // http://tools.ietf.org/html/rfc6544#section-4.5 so no error. |
| 99 | // Libjingle clients emit port 0, in "active" mode. |
| 100 | return true; |
| 101 | } |
| 102 | if (port < 1024) { |
| 103 | if ((port != 80) && (port != 443)) { |
| 104 | *error = "candidate has port below 1024, but not 80 or 443"; |
| 105 | return false; |
| 106 | } |
| 107 | |
| 108 | if (cand.address().IsPrivateIP()) { |
| 109 | *error = "candidate has port of 80 or 443 with private IP address"; |
| 110 | return false; |
| 111 | } |
| 112 | } |
| 113 | |
Honghai Zhang | 7fb69db | 2016-03-14 11:59:18 -0700 | [diff] [blame] | 114 | return true; |
| 115 | } |
| 116 | |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 117 | bool VerifyCandidates(const Candidates& candidates, std::string* error) { |
Honghai Zhang | 7fb69db | 2016-03-14 11:59:18 -0700 | [diff] [blame] | 118 | for (const Candidate& candidate : candidates) { |
| 119 | if (!VerifyCandidate(candidate, error)) { |
| 120 | return false; |
| 121 | } |
| 122 | } |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 123 | return true; |
| 124 | } |
| 125 | |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 126 | JsepTransport::JsepTransport( |
| 127 | const std::string& mid, |
| 128 | const rtc::scoped_refptr<rtc::RTCCertificate>& certificate) |
| 129 | : mid_(mid), certificate_(certificate) {} |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 130 | |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 131 | bool JsepTransport::AddChannel(DtlsTransportInternal* dtls, int component) { |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 132 | if (channels_.find(component) != channels_.end()) { |
| 133 | LOG(LS_ERROR) << "Adding channel for component " << component << " twice."; |
| 134 | return false; |
| 135 | } |
| 136 | channels_[component] = dtls; |
| 137 | // Something's wrong if a channel is being added after a description is set. |
| 138 | // This may currently occur if rtcp-mux is negotiated, then a new m= section |
| 139 | // is added in a later offer/answer. But this is suboptimal and should be |
| 140 | // changed; we shouldn't support going from muxed to non-muxed. |
| 141 | // TODO(deadbeef): Once this is fixed, make the warning an error, and remove |
| 142 | // the calls to "ApplyXTransportDescription" below. |
| 143 | if (local_description_set_ || remote_description_set_) { |
| 144 | LOG(LS_WARNING) << "Adding new transport channel after " |
| 145 | "transport description already applied."; |
| 146 | } |
| 147 | bool ret = true; |
| 148 | std::string err; |
| 149 | if (local_description_set_) { |
| 150 | ret &= ApplyLocalTransportDescription(channels_[component], &err); |
| 151 | } |
| 152 | if (remote_description_set_) { |
| 153 | ret &= ApplyRemoteTransportDescription(channels_[component], &err); |
| 154 | } |
| 155 | if (local_description_set_ && remote_description_set_) { |
| 156 | ret &= ApplyNegotiatedTransportDescription(channels_[component], &err); |
| 157 | } |
| 158 | return ret; |
| 159 | } |
| 160 | |
| 161 | bool JsepTransport::RemoveChannel(int component) { |
| 162 | auto it = channels_.find(component); |
| 163 | if (it == channels_.end()) { |
| 164 | LOG(LS_ERROR) << "Trying to remove channel for component " << component |
| 165 | << ", which doesn't exist."; |
| 166 | return false; |
| 167 | } |
| 168 | channels_.erase(component); |
| 169 | return true; |
| 170 | } |
| 171 | |
| 172 | bool JsepTransport::HasChannels() const { |
| 173 | return !channels_.empty(); |
| 174 | } |
| 175 | |
| 176 | void JsepTransport::SetLocalCertificate( |
| 177 | const rtc::scoped_refptr<rtc::RTCCertificate>& certificate) { |
| 178 | certificate_ = certificate; |
| 179 | } |
| 180 | |
| 181 | bool JsepTransport::GetLocalCertificate( |
| 182 | rtc::scoped_refptr<rtc::RTCCertificate>* certificate) const { |
| 183 | if (!certificate_) { |
| 184 | return false; |
| 185 | } |
| 186 | |
| 187 | *certificate = certificate_; |
| 188 | return true; |
| 189 | } |
| 190 | |
| 191 | bool JsepTransport::SetLocalTransportDescription( |
| 192 | const TransportDescription& description, |
| 193 | ContentAction action, |
| 194 | std::string* error_desc) { |
| 195 | bool ret = true; |
| 196 | |
| 197 | if (!VerifyIceParams(description)) { |
| 198 | return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", |
| 199 | error_desc); |
| 200 | } |
| 201 | |
deadbeef | d1a38b5 | 2016-12-10 13:15:33 -0800 | [diff] [blame] | 202 | bool ice_restarting = |
| 203 | local_description_set_ && |
| 204 | IceCredentialsChanged(local_description_->ice_ufrag, |
| 205 | local_description_->ice_pwd, description.ice_ufrag, |
| 206 | description.ice_pwd); |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 207 | local_description_.reset(new TransportDescription(description)); |
| 208 | |
| 209 | rtc::SSLFingerprint* local_fp = |
| 210 | local_description_->identity_fingerprint.get(); |
| 211 | |
| 212 | if (!local_fp) { |
| 213 | certificate_ = nullptr; |
| 214 | } else if (!VerifyCertificateFingerprint(certificate_.get(), local_fp, |
| 215 | error_desc)) { |
| 216 | return false; |
| 217 | } |
| 218 | |
| 219 | for (const auto& kv : channels_) { |
| 220 | ret &= ApplyLocalTransportDescription(kv.second, error_desc); |
| 221 | } |
| 222 | if (!ret) { |
| 223 | return false; |
| 224 | } |
| 225 | |
| 226 | // If PRANSWER/ANSWER is set, we should decide transport protocol type. |
| 227 | if (action == CA_PRANSWER || action == CA_ANSWER) { |
| 228 | ret &= NegotiateTransportDescription(action, error_desc); |
| 229 | } |
deadbeef | d1a38b5 | 2016-12-10 13:15:33 -0800 | [diff] [blame] | 230 | if (!ret) { |
| 231 | return false; |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 232 | } |
| 233 | |
deadbeef | d1a38b5 | 2016-12-10 13:15:33 -0800 | [diff] [blame] | 234 | if (needs_ice_restart_ && ice_restarting) { |
| 235 | needs_ice_restart_ = false; |
| 236 | LOG(LS_VERBOSE) << "needs-ice-restart flag cleared for transport " << mid(); |
| 237 | } |
| 238 | |
| 239 | local_description_set_ = true; |
| 240 | return true; |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 241 | } |
| 242 | |
| 243 | bool JsepTransport::SetRemoteTransportDescription( |
| 244 | const TransportDescription& description, |
| 245 | ContentAction action, |
| 246 | std::string* error_desc) { |
| 247 | bool ret = true; |
| 248 | |
| 249 | if (!VerifyIceParams(description)) { |
| 250 | return BadTransportDescription("Invalid ice-ufrag or ice-pwd length", |
| 251 | error_desc); |
| 252 | } |
| 253 | |
| 254 | remote_description_.reset(new TransportDescription(description)); |
| 255 | for (const auto& kv : channels_) { |
| 256 | ret &= ApplyRemoteTransportDescription(kv.second, error_desc); |
| 257 | } |
| 258 | |
| 259 | // If PRANSWER/ANSWER is set, we should decide transport protocol type. |
| 260 | if (action == CA_PRANSWER || action == CA_ANSWER) { |
| 261 | ret = NegotiateTransportDescription(CA_OFFER, error_desc); |
| 262 | } |
| 263 | if (ret) { |
| 264 | remote_description_set_ = true; |
| 265 | } |
| 266 | |
| 267 | return ret; |
| 268 | } |
| 269 | |
deadbeef | d1a38b5 | 2016-12-10 13:15:33 -0800 | [diff] [blame] | 270 | void JsepTransport::SetNeedsIceRestartFlag() { |
| 271 | if (!needs_ice_restart_) { |
| 272 | needs_ice_restart_ = true; |
| 273 | LOG(LS_VERBOSE) << "needs-ice-restart flag set for transport " << mid(); |
| 274 | } |
| 275 | } |
| 276 | |
| 277 | bool JsepTransport::NeedsIceRestart() const { |
| 278 | return needs_ice_restart_; |
| 279 | } |
| 280 | |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 281 | rtc::Optional<rtc::SSLRole> JsepTransport::GetSslRole() const { |
| 282 | return ssl_role_; |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 283 | } |
| 284 | |
| 285 | bool JsepTransport::GetStats(TransportStats* stats) { |
| 286 | stats->transport_name = mid(); |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 287 | stats->channel_stats.clear(); |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 288 | for (auto& kv : channels_) { |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 289 | DtlsTransportInternal* dtls_transport = kv.second; |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 290 | TransportChannelStats substats; |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 291 | substats.component = kv.first; |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 292 | dtls_transport->GetSrtpCryptoSuite(&substats.srtp_crypto_suite); |
| 293 | dtls_transport->GetSslCipherSuite(&substats.ssl_cipher_suite); |
| 294 | substats.dtls_state = dtls_transport->dtls_state(); |
| 295 | if (!dtls_transport->ice_transport()->GetStats( |
| 296 | &substats.connection_infos)) { |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 297 | return false; |
| 298 | } |
| 299 | stats->channel_stats.push_back(substats); |
| 300 | } |
| 301 | return true; |
| 302 | } |
| 303 | |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 304 | bool JsepTransport::VerifyCertificateFingerprint( |
mikescarlett | e774867 | 2016-04-29 20:20:54 -0700 | [diff] [blame] | 305 | const rtc::RTCCertificate* certificate, |
| 306 | const rtc::SSLFingerprint* fingerprint, |
| 307 | std::string* error_desc) const { |
| 308 | if (!fingerprint) { |
| 309 | return BadTransportDescription("No fingerprint.", error_desc); |
| 310 | } |
| 311 | if (!certificate) { |
| 312 | return BadTransportDescription( |
| 313 | "Fingerprint provided but no identity available.", error_desc); |
| 314 | } |
kwiberg | bfefb03 | 2016-05-01 14:53:46 -0700 | [diff] [blame] | 315 | std::unique_ptr<rtc::SSLFingerprint> fp_tmp(rtc::SSLFingerprint::Create( |
mikescarlett | e774867 | 2016-04-29 20:20:54 -0700 | [diff] [blame] | 316 | fingerprint->algorithm, certificate->identity())); |
nisse | ede5da4 | 2017-01-12 05:15:36 -0800 | [diff] [blame] | 317 | RTC_DCHECK(fp_tmp.get() != NULL); |
mikescarlett | e774867 | 2016-04-29 20:20:54 -0700 | [diff] [blame] | 318 | if (*fp_tmp == *fingerprint) { |
| 319 | return true; |
| 320 | } |
| 321 | std::ostringstream desc; |
| 322 | desc << "Local fingerprint does not match identity. Expected: "; |
| 323 | desc << fp_tmp->ToString(); |
| 324 | desc << " Got: " << fingerprint->ToString(); |
| 325 | return BadTransportDescription(desc.str(), error_desc); |
| 326 | } |
| 327 | |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 328 | bool JsepTransport::ApplyLocalTransportDescription( |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 329 | DtlsTransportInternal* dtls_transport, |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 330 | std::string* error_desc) { |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 331 | dtls_transport->ice_transport()->SetIceParameters( |
| 332 | local_description_->GetIceParameters()); |
deadbeef | 8662f94 | 2017-01-20 21:20:51 -0800 | [diff] [blame] | 333 | bool ret = true; |
| 334 | if (certificate_) { |
| 335 | ret = dtls_transport->SetLocalCertificate(certificate_); |
| 336 | RTC_DCHECK(ret); |
| 337 | } |
| 338 | return ret; |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 339 | } |
| 340 | |
| 341 | bool JsepTransport::ApplyRemoteTransportDescription( |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 342 | DtlsTransportInternal* dtls_transport, |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 343 | std::string* error_desc) { |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 344 | dtls_transport->ice_transport()->SetRemoteIceParameters( |
| 345 | remote_description_->GetIceParameters()); |
| 346 | dtls_transport->ice_transport()->SetRemoteIceMode( |
| 347 | remote_description_->ice_mode); |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 348 | return true; |
| 349 | } |
| 350 | |
| 351 | bool JsepTransport::ApplyNegotiatedTransportDescription( |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 352 | DtlsTransportInternal* dtls_transport, |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 353 | std::string* error_desc) { |
| 354 | // Set SSL role. Role must be set before fingerprint is applied, which |
| 355 | // initiates DTLS setup. |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 356 | if (ssl_role_ && !dtls_transport->SetSslRole(*ssl_role_)) { |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 357 | return BadTransportDescription("Failed to set SSL role for the channel.", |
| 358 | error_desc); |
| 359 | } |
| 360 | // Apply remote fingerprint. |
zhihuang | b2cdd93 | 2017-01-19 16:54:25 -0800 | [diff] [blame] | 361 | if (!dtls_transport->SetRemoteFingerprint( |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 362 | remote_fingerprint_->algorithm, |
| 363 | reinterpret_cast<const uint8_t*>(remote_fingerprint_->digest.data()), |
| 364 | remote_fingerprint_->digest.size())) { |
| 365 | return BadTransportDescription("Failed to apply remote fingerprint.", |
| 366 | error_desc); |
| 367 | } |
| 368 | return true; |
| 369 | } |
| 370 | |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 371 | bool JsepTransport::NegotiateTransportDescription( |
| 372 | ContentAction local_description_type, |
| 373 | std::string* error_desc) { |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 374 | if (!local_description_ || !remote_description_) { |
| 375 | const std::string msg = |
| 376 | "Applying an answer transport description " |
| 377 | "without applying any offer."; |
| 378 | return BadTransportDescription(msg, error_desc); |
| 379 | } |
| 380 | rtc::SSLFingerprint* local_fp = |
| 381 | local_description_->identity_fingerprint.get(); |
| 382 | rtc::SSLFingerprint* remote_fp = |
| 383 | remote_description_->identity_fingerprint.get(); |
| 384 | if (remote_fp && local_fp) { |
| 385 | remote_fingerprint_.reset(new rtc::SSLFingerprint(*remote_fp)); |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 386 | if (!NegotiateRole(local_description_type, error_desc)) { |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 387 | return false; |
| 388 | } |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 389 | } else if (local_fp && (local_description_type == CA_ANSWER)) { |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 390 | return BadTransportDescription( |
| 391 | "Local fingerprint supplied when caller didn't offer DTLS.", |
| 392 | error_desc); |
| 393 | } else { |
| 394 | // We are not doing DTLS |
| 395 | remote_fingerprint_.reset(new rtc::SSLFingerprint("", nullptr, 0)); |
| 396 | } |
| 397 | // Now that we have negotiated everything, push it downward. |
| 398 | // Note that we cache the result so that if we have race conditions |
| 399 | // between future SetRemote/SetLocal invocations and new channel |
| 400 | // creation, we have the negotiation state saved until a new |
| 401 | // negotiation happens. |
| 402 | for (const auto& kv : channels_) { |
| 403 | if (!ApplyNegotiatedTransportDescription(kv.second, error_desc)) { |
| 404 | return false; |
| 405 | } |
| 406 | } |
| 407 | return true; |
| 408 | } |
| 409 | |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 410 | bool JsepTransport::NegotiateRole(ContentAction local_description_type, |
| 411 | std::string* error_desc) { |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 412 | if (!local_description_ || !remote_description_) { |
mikescarlett | e774867 | 2016-04-29 20:20:54 -0700 | [diff] [blame] | 413 | const std::string msg = |
| 414 | "Local and Remote description must be set before " |
| 415 | "transport descriptions are negotiated"; |
| 416 | return BadTransportDescription(msg, error_desc); |
| 417 | } |
| 418 | |
| 419 | // From RFC 4145, section-4.1, The following are the values that the |
| 420 | // 'setup' attribute can take in an offer/answer exchange: |
| 421 | // Offer Answer |
| 422 | // ________________ |
| 423 | // active passive / holdconn |
| 424 | // passive active / holdconn |
| 425 | // actpass active / passive / holdconn |
| 426 | // holdconn holdconn |
| 427 | // |
| 428 | // Set the role that is most conformant with RFC 5763, Section 5, bullet 1 |
| 429 | // The endpoint MUST use the setup attribute defined in [RFC4145]. |
| 430 | // The endpoint that is the offerer MUST use the setup attribute |
| 431 | // value of setup:actpass and be prepared to receive a client_hello |
| 432 | // before it receives the answer. The answerer MUST use either a |
| 433 | // setup attribute value of setup:active or setup:passive. Note that |
| 434 | // if the answerer uses setup:passive, then the DTLS handshake will |
| 435 | // not begin until the answerer is received, which adds additional |
| 436 | // latency. setup:active allows the answer and the DTLS handshake to |
| 437 | // occur in parallel. Thus, setup:active is RECOMMENDED. Whichever |
| 438 | // party is active MUST initiate a DTLS handshake by sending a |
| 439 | // ClientHello over each flow (host/port quartet). |
| 440 | // IOW - actpass and passive modes should be treated as server and |
| 441 | // active as client. |
deadbeef | 49f34fd | 2016-12-06 16:22:06 -0800 | [diff] [blame] | 442 | ConnectionRole local_connection_role = local_description_->connection_role; |
| 443 | ConnectionRole remote_connection_role = remote_description_->connection_role; |
mikescarlett | e774867 | 2016-04-29 20:20:54 -0700 | [diff] [blame] | 444 | |
| 445 | bool is_remote_server = false; |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 446 | if (local_description_type == CA_OFFER) { |
mikescarlett | e774867 | 2016-04-29 20:20:54 -0700 | [diff] [blame] | 447 | if (local_connection_role != CONNECTIONROLE_ACTPASS) { |
| 448 | return BadTransportDescription( |
| 449 | "Offerer must use actpass value for setup attribute.", error_desc); |
| 450 | } |
| 451 | |
| 452 | if (remote_connection_role == CONNECTIONROLE_ACTIVE || |
| 453 | remote_connection_role == CONNECTIONROLE_PASSIVE || |
| 454 | remote_connection_role == CONNECTIONROLE_NONE) { |
| 455 | is_remote_server = (remote_connection_role == CONNECTIONROLE_PASSIVE); |
| 456 | } else { |
| 457 | const std::string msg = |
| 458 | "Answerer must use either active or passive value " |
| 459 | "for setup attribute."; |
| 460 | return BadTransportDescription(msg, error_desc); |
| 461 | } |
| 462 | // If remote is NONE or ACTIVE it will act as client. |
| 463 | } else { |
| 464 | if (remote_connection_role != CONNECTIONROLE_ACTPASS && |
| 465 | remote_connection_role != CONNECTIONROLE_NONE) { |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 466 | // Accept a remote role attribute that's not "actpass", but matches the |
| 467 | // current negotiated role. This is allowed by dtls-sdp, though our |
| 468 | // implementation will never generate such an offer as it's not |
| 469 | // recommended. |
| 470 | // |
| 471 | // See https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-dtls-sdp, |
| 472 | // section 5.5. |
| 473 | if (!ssl_role_ || |
| 474 | (*ssl_role_ == rtc::SSL_CLIENT && |
| 475 | remote_connection_role == CONNECTIONROLE_ACTIVE) || |
| 476 | (*ssl_role_ == rtc::SSL_SERVER && |
| 477 | remote_connection_role == CONNECTIONROLE_PASSIVE)) { |
| 478 | return BadTransportDescription( |
| 479 | "Offerer must use actpass value or current negotiated role for " |
| 480 | "setup attribute.", |
| 481 | error_desc); |
| 482 | } |
mikescarlett | e774867 | 2016-04-29 20:20:54 -0700 | [diff] [blame] | 483 | } |
| 484 | |
| 485 | if (local_connection_role == CONNECTIONROLE_ACTIVE || |
| 486 | local_connection_role == CONNECTIONROLE_PASSIVE) { |
| 487 | is_remote_server = (local_connection_role == CONNECTIONROLE_ACTIVE); |
| 488 | } else { |
| 489 | const std::string msg = |
| 490 | "Answerer must use either active or passive value " |
| 491 | "for setup attribute."; |
| 492 | return BadTransportDescription(msg, error_desc); |
| 493 | } |
| 494 | |
| 495 | // If local is passive, local will act as server. |
| 496 | } |
| 497 | |
deadbeef | d8cfa1a | 2017-03-27 10:33:26 -0700 | [diff] [blame^] | 498 | ssl_role_.emplace(is_remote_server ? rtc::SSL_CLIENT : rtc::SSL_SERVER); |
mikescarlett | e774867 | 2016-04-29 20:20:54 -0700 | [diff] [blame] | 499 | return true; |
| 500 | } |
| 501 | |
henrike@webrtc.org | 269fb4b | 2014-10-28 22:20:11 +0000 | [diff] [blame] | 502 | } // namespace cricket |