3 * Copyright 2009 Google Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
19 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
20 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 #include "talk/session/media/srtpfilter.h"
36 #include "talk/media/base/rtputils.h"
37 #include "webrtc/base/base64.h"
38 #include "webrtc/base/logging.h"
39 #include "webrtc/base/stringencode.h"
40 #include "webrtc/base/timeutils.h"
42 // Enable this line to turn on SRTP debugging
46 #ifdef SRTP_RELATIVE_PATH
47 #include "srtp.h" // NOLINT
48 extern "C" srtp_stream_t srtp_get_stream(srtp_t srtp, uint32_t ssrc);
49 #include "srtp_priv.h" // NOLINT
51 #include "third_party/libsrtp/include/srtp.h"
52 extern "C" srtp_stream_t srtp_get_stream(srtp_t srtp, uint32_t ssrc);
53 #include "third_party/libsrtp/include/srtp_priv.h"
54 #endif // SRTP_RELATIVE_PATH
55 #ifdef ENABLE_EXTERNAL_AUTH
56 #include "talk/session/media/externalhmac.h"
57 #endif // ENABLE_EXTERNAL_AUTH
59 extern "C" debug_module_t mod_srtp;
60 extern "C" debug_module_t mod_auth;
61 extern "C" debug_module_t mod_cipher;
62 extern "C" debug_module_t mod_stat;
63 extern "C" debug_module_t mod_alloc;
64 extern "C" debug_module_t mod_aes_icm;
65 extern "C" debug_module_t mod_aes_hmac;
68 // SrtpFilter needs that constant.
69 #define SRTP_MASTER_KEY_LEN 30
74 const char CS_AES_CM_128_HMAC_SHA1_80[] = "AES_CM_128_HMAC_SHA1_80";
75 const char CS_AES_CM_128_HMAC_SHA1_32[] = "AES_CM_128_HMAC_SHA1_32";
76 const int SRTP_MASTER_KEY_BASE64_LEN = SRTP_MASTER_KEY_LEN * 4 / 3;
77 const int SRTP_MASTER_KEY_KEY_LEN = 16;
78 const int SRTP_MASTER_KEY_SALT_LEN = 14;
82 // This helper function is used on systems that don't (yet) have SRTP,
83 // to log that the functions that require it won't do anything.
85 bool SrtpNotAvailable(const char *func) {
86 LOG(LS_ERROR) << func << ": SRTP is not available on your system.";
89 } // anonymous namespace
93 void EnableSrtpDebugging() {
101 debug_on(mod_aes_icm);
102 // debug_on(mod_aes_cbc);
103 // debug_on(mod_hmac);
108 // NOTE: This is called from ChannelManager D'tor.
109 void ShutdownSrtp() {
111 // If srtp_dealloc is not executed then this will clear all existing sessions.
112 // This should be called when application is shutting down.
113 SrtpSession::Terminate();
117 SrtpFilter::SrtpFilter()
119 signal_silent_time_in_ms_(0) {
122 SrtpFilter::~SrtpFilter() {
125 bool SrtpFilter::IsActive() const {
126 return state_ >= ST_ACTIVE;
129 bool SrtpFilter::SetOffer(const std::vector<CryptoParams>& offer_params,
130 ContentSource source) {
131 if (!ExpectOffer(source)) {
132 LOG(LS_ERROR) << "Wrong state to update SRTP offer";
135 return StoreParams(offer_params, source);
138 bool SrtpFilter::SetAnswer(const std::vector<CryptoParams>& answer_params,
139 ContentSource source) {
140 return DoSetAnswer(answer_params, source, true);
143 bool SrtpFilter::SetProvisionalAnswer(
144 const std::vector<CryptoParams>& answer_params,
145 ContentSource source) {
146 return DoSetAnswer(answer_params, source, false);
149 bool SrtpFilter::SetRtpParams(const std::string& send_cs,
150 const uint8* send_key, int send_key_len,
151 const std::string& recv_cs,
152 const uint8* recv_key, int recv_key_len) {
153 if (state_ == ST_ACTIVE) {
154 LOG(LS_ERROR) << "Tried to set SRTP Params when filter already active";
157 CreateSrtpSessions();
158 if (!send_session_->SetSend(send_cs, send_key, send_key_len))
161 if (!recv_session_->SetRecv(recv_cs, recv_key, recv_key_len))
166 LOG(LS_INFO) << "SRTP activated with negotiated parameters:"
167 << " send cipher_suite " << send_cs
168 << " recv cipher_suite " << recv_cs;
172 // This function is provided separately because DTLS-SRTP behaves
173 // differently in RTP/RTCP mux and non-mux modes.
175 // - In the non-muxed case, RTP and RTCP are keyed with different
176 // keys (from different DTLS handshakes), and so we need a new
178 // - In the muxed case, they are keyed with the same keys, so
179 // this function is not needed
180 bool SrtpFilter::SetRtcpParams(const std::string& send_cs,
181 const uint8* send_key, int send_key_len,
182 const std::string& recv_cs,
183 const uint8* recv_key, int recv_key_len) {
184 // This can only be called once, but can be safely called after
186 if (send_rtcp_session_ || recv_rtcp_session_) {
187 LOG(LS_ERROR) << "Tried to set SRTCP Params when filter already active";
191 send_rtcp_session_.reset(new SrtpSession());
192 SignalSrtpError.repeat(send_rtcp_session_->SignalSrtpError);
193 send_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_);
194 if (!send_rtcp_session_->SetRecv(send_cs, send_key, send_key_len))
197 recv_rtcp_session_.reset(new SrtpSession());
198 SignalSrtpError.repeat(recv_rtcp_session_->SignalSrtpError);
199 recv_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms_);
200 if (!recv_rtcp_session_->SetRecv(recv_cs, recv_key, recv_key_len))
203 LOG(LS_INFO) << "SRTCP activated with negotiated parameters:"
204 << " send cipher_suite " << send_cs
205 << " recv cipher_suite " << recv_cs;
210 bool SrtpFilter::ProtectRtp(void* p, int in_len, int max_len, int* out_len) {
212 LOG(LS_WARNING) << "Failed to ProtectRtp: SRTP not active";
215 return send_session_->ProtectRtp(p, in_len, max_len, out_len);
218 bool SrtpFilter::ProtectRtp(void* p, int in_len, int max_len, int* out_len,
221 LOG(LS_WARNING) << "Failed to ProtectRtp: SRTP not active";
225 return send_session_->ProtectRtp(p, in_len, max_len, out_len, index);
228 bool SrtpFilter::ProtectRtcp(void* p, int in_len, int max_len, int* out_len) {
230 LOG(LS_WARNING) << "Failed to ProtectRtcp: SRTP not active";
233 if (send_rtcp_session_) {
234 return send_rtcp_session_->ProtectRtcp(p, in_len, max_len, out_len);
236 return send_session_->ProtectRtcp(p, in_len, max_len, out_len);
240 bool SrtpFilter::UnprotectRtp(void* p, int in_len, int* out_len) {
242 LOG(LS_WARNING) << "Failed to UnprotectRtp: SRTP not active";
245 return recv_session_->UnprotectRtp(p, in_len, out_len);
248 bool SrtpFilter::UnprotectRtcp(void* p, int in_len, int* out_len) {
250 LOG(LS_WARNING) << "Failed to UnprotectRtcp: SRTP not active";
253 if (recv_rtcp_session_) {
254 return recv_rtcp_session_->UnprotectRtcp(p, in_len, out_len);
256 return recv_session_->UnprotectRtcp(p, in_len, out_len);
260 bool SrtpFilter::GetRtpAuthParams(uint8** key, int* key_len, int* tag_len) {
262 LOG(LS_WARNING) << "Failed to GetRtpAuthParams: SRTP not active";
266 return send_session_->GetRtpAuthParams(key, key_len, tag_len);
269 void SrtpFilter::set_signal_silent_time(uint32 signal_silent_time_in_ms) {
270 signal_silent_time_in_ms_ = signal_silent_time_in_ms;
271 if (state_ == ST_ACTIVE) {
272 send_session_->set_signal_silent_time(signal_silent_time_in_ms);
273 recv_session_->set_signal_silent_time(signal_silent_time_in_ms);
274 if (send_rtcp_session_)
275 send_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms);
276 if (recv_rtcp_session_)
277 recv_rtcp_session_->set_signal_silent_time(signal_silent_time_in_ms);
281 bool SrtpFilter::ExpectOffer(ContentSource source) {
282 return ((state_ == ST_INIT) ||
283 (state_ == ST_ACTIVE) ||
284 (state_ == ST_SENTOFFER && source == CS_LOCAL) ||
285 (state_ == ST_SENTUPDATEDOFFER && source == CS_LOCAL) ||
286 (state_ == ST_RECEIVEDOFFER && source == CS_REMOTE) ||
287 (state_ == ST_RECEIVEDUPDATEDOFFER && source == CS_REMOTE));
290 bool SrtpFilter::StoreParams(const std::vector<CryptoParams>& params,
291 ContentSource source) {
292 offer_params_ = params;
293 if (state_ == ST_INIT) {
294 state_ = (source == CS_LOCAL) ? ST_SENTOFFER : ST_RECEIVEDOFFER;
295 } else { // state >= ST_ACTIVE
297 (source == CS_LOCAL) ? ST_SENTUPDATEDOFFER : ST_RECEIVEDUPDATEDOFFER;
302 bool SrtpFilter::ExpectAnswer(ContentSource source) {
303 return ((state_ == ST_SENTOFFER && source == CS_REMOTE) ||
304 (state_ == ST_RECEIVEDOFFER && source == CS_LOCAL) ||
305 (state_ == ST_SENTUPDATEDOFFER && source == CS_REMOTE) ||
306 (state_ == ST_RECEIVEDUPDATEDOFFER && source == CS_LOCAL) ||
307 (state_ == ST_SENTPRANSWER_NO_CRYPTO && source == CS_LOCAL) ||
308 (state_ == ST_SENTPRANSWER && source == CS_LOCAL) ||
309 (state_ == ST_RECEIVEDPRANSWER_NO_CRYPTO && source == CS_REMOTE) ||
310 (state_ == ST_RECEIVEDPRANSWER && source == CS_REMOTE));
313 bool SrtpFilter::DoSetAnswer(const std::vector<CryptoParams>& answer_params,
314 ContentSource source,
316 if (!ExpectAnswer(source)) {
317 LOG(LS_ERROR) << "Invalid state for SRTP answer";
321 // If the answer doesn't requests crypto complete the negotiation of an
322 // unencrypted session.
323 // Otherwise, finalize the parameters and apply them.
324 if (answer_params.empty()) {
326 return ResetParams();
328 // Need to wait for the final answer to decide if
329 // we should go to Active state.
330 state_ = (source == CS_LOCAL) ? ST_SENTPRANSWER_NO_CRYPTO :
331 ST_RECEIVEDPRANSWER_NO_CRYPTO;
335 CryptoParams selected_params;
336 if (!NegotiateParams(answer_params, &selected_params))
338 const CryptoParams& send_params =
339 (source == CS_REMOTE) ? selected_params : answer_params[0];
340 const CryptoParams& recv_params =
341 (source == CS_REMOTE) ? answer_params[0] : selected_params;
342 if (!ApplyParams(send_params, recv_params)) {
347 offer_params_.clear();
351 (source == CS_LOCAL) ? ST_SENTPRANSWER : ST_RECEIVEDPRANSWER;
356 void SrtpFilter::CreateSrtpSessions() {
357 send_session_.reset(new SrtpSession());
358 applied_send_params_ = CryptoParams();
359 recv_session_.reset(new SrtpSession());
360 applied_recv_params_ = CryptoParams();
362 SignalSrtpError.repeat(send_session_->SignalSrtpError);
363 SignalSrtpError.repeat(recv_session_->SignalSrtpError);
365 send_session_->set_signal_silent_time(signal_silent_time_in_ms_);
366 recv_session_->set_signal_silent_time(signal_silent_time_in_ms_);
369 bool SrtpFilter::NegotiateParams(const std::vector<CryptoParams>& answer_params,
370 CryptoParams* selected_params) {
371 // We're processing an accept. We should have exactly one set of params,
372 // unless the offer didn't mention crypto, in which case we shouldn't be here.
373 bool ret = (answer_params.size() == 1U && !offer_params_.empty());
375 // We should find a match between the answer params and the offered params.
376 std::vector<CryptoParams>::const_iterator it;
377 for (it = offer_params_.begin(); it != offer_params_.end(); ++it) {
378 if (answer_params[0].Matches(*it)) {
383 if (it != offer_params_.end()) {
384 *selected_params = *it;
391 LOG(LS_WARNING) << "Invalid parameters in SRTP answer";
396 bool SrtpFilter::ApplyParams(const CryptoParams& send_params,
397 const CryptoParams& recv_params) {
398 // TODO(jiayl): Split this method to apply send and receive CryptoParams
399 // independently, so that we can skip one method when either send or receive
400 // CryptoParams is unchanged.
401 if (applied_send_params_.cipher_suite == send_params.cipher_suite &&
402 applied_send_params_.key_params == send_params.key_params &&
403 applied_recv_params_.cipher_suite == recv_params.cipher_suite &&
404 applied_recv_params_.key_params == recv_params.key_params) {
405 LOG(LS_INFO) << "Applying the same SRTP parameters again. No-op.";
407 // We do not want to reset the ROC if the keys are the same. So just return.
410 // TODO(juberti): Zero these buffers after use.
412 uint8 send_key[SRTP_MASTER_KEY_LEN], recv_key[SRTP_MASTER_KEY_LEN];
413 ret = (ParseKeyParams(send_params.key_params, send_key, sizeof(send_key)) &&
414 ParseKeyParams(recv_params.key_params, recv_key, sizeof(recv_key)));
416 CreateSrtpSessions();
417 ret = (send_session_->SetSend(send_params.cipher_suite,
418 send_key, sizeof(send_key)) &&
419 recv_session_->SetRecv(recv_params.cipher_suite,
420 recv_key, sizeof(recv_key)));
423 LOG(LS_INFO) << "SRTP activated with negotiated parameters:"
424 << " send cipher_suite " << send_params.cipher_suite
425 << " recv cipher_suite " << recv_params.cipher_suite;
426 applied_send_params_ = send_params;
427 applied_recv_params_ = recv_params;
429 LOG(LS_WARNING) << "Failed to apply negotiated SRTP parameters";
434 bool SrtpFilter::ResetParams() {
435 offer_params_.clear();
437 LOG(LS_INFO) << "SRTP reset to init state";
441 bool SrtpFilter::ParseKeyParams(const std::string& key_params,
442 uint8* key, int len) {
443 // example key_params: "inline:YUJDZGVmZ2hpSktMbW9QUXJzVHVWd3l6MTIzNDU2"
445 // Fail if key-method is wrong.
446 if (key_params.find("inline:") != 0) {
450 // Fail if base64 decode fails, or the key is the wrong size.
451 std::string key_b64(key_params.substr(7)), key_str;
452 if (!rtc::Base64::Decode(key_b64, rtc::Base64::DO_STRICT,
454 static_cast<int>(key_str.size()) != len) {
458 memcpy(key, key_str.c_str(), len);
462 ///////////////////////////////////////////////////////////////////////////////
467 bool SrtpSession::inited_ = false;
469 SrtpSession::SrtpSession()
471 rtp_auth_tag_len_(0),
472 rtcp_auth_tag_len_(0),
473 srtp_stat_(new SrtpStat()),
474 last_send_seq_num_(-1) {
475 sessions()->push_back(this);
476 SignalSrtpError.repeat(srtp_stat_->SignalSrtpError);
479 SrtpSession::~SrtpSession() {
480 sessions()->erase(std::find(sessions()->begin(), sessions()->end(), this));
482 srtp_dealloc(session_);
486 bool SrtpSession::SetSend(const std::string& cs, const uint8* key, int len) {
487 return SetKey(ssrc_any_outbound, cs, key, len);
490 bool SrtpSession::SetRecv(const std::string& cs, const uint8* key, int len) {
491 return SetKey(ssrc_any_inbound, cs, key, len);
494 bool SrtpSession::ProtectRtp(void* p, int in_len, int max_len, int* out_len) {
496 LOG(LS_WARNING) << "Failed to protect SRTP packet: no SRTP Session";
500 int need_len = in_len + rtp_auth_tag_len_; // NOLINT
501 if (max_len < need_len) {
502 LOG(LS_WARNING) << "Failed to protect SRTP packet: The buffer length "
503 << max_len << " is less than the needed " << need_len;
508 int err = srtp_protect(session_, p, out_len);
510 if (GetRtpSsrc(p, in_len, &ssrc)) {
511 srtp_stat_->AddProtectRtpResult(ssrc, err);
514 GetRtpSeqNum(p, in_len, &seq_num);
515 if (err != err_status_ok) {
516 LOG(LS_WARNING) << "Failed to protect SRTP packet, seqnum="
517 << seq_num << ", err=" << err << ", last seqnum="
518 << last_send_seq_num_;
521 last_send_seq_num_ = seq_num;
525 bool SrtpSession::ProtectRtp(void* p, int in_len, int max_len, int* out_len,
527 if (!ProtectRtp(p, in_len, max_len, out_len)) {
530 return (index) ? GetSendStreamPacketIndex(p, in_len, index) : true;
533 bool SrtpSession::ProtectRtcp(void* p, int in_len, int max_len, int* out_len) {
535 LOG(LS_WARNING) << "Failed to protect SRTCP packet: no SRTP Session";
539 int need_len = in_len + sizeof(uint32) + rtcp_auth_tag_len_; // NOLINT
540 if (max_len < need_len) {
541 LOG(LS_WARNING) << "Failed to protect SRTCP packet: The buffer length "
542 << max_len << " is less than the needed " << need_len;
547 int err = srtp_protect_rtcp(session_, p, out_len);
548 srtp_stat_->AddProtectRtcpResult(err);
549 if (err != err_status_ok) {
550 LOG(LS_WARNING) << "Failed to protect SRTCP packet, err=" << err;
556 bool SrtpSession::UnprotectRtp(void* p, int in_len, int* out_len) {
558 LOG(LS_WARNING) << "Failed to unprotect SRTP packet: no SRTP Session";
563 int err = srtp_unprotect(session_, p, out_len);
565 if (GetRtpSsrc(p, in_len, &ssrc)) {
566 srtp_stat_->AddUnprotectRtpResult(ssrc, err);
568 if (err != err_status_ok) {
569 LOG(LS_WARNING) << "Failed to unprotect SRTP packet, err=" << err;
575 bool SrtpSession::UnprotectRtcp(void* p, int in_len, int* out_len) {
577 LOG(LS_WARNING) << "Failed to unprotect SRTCP packet: no SRTP Session";
582 int err = srtp_unprotect_rtcp(session_, p, out_len);
583 srtp_stat_->AddUnprotectRtcpResult(err);
584 if (err != err_status_ok) {
585 LOG(LS_WARNING) << "Failed to unprotect SRTCP packet, err=" << err;
591 bool SrtpSession::GetRtpAuthParams(uint8** key, int* key_len,
593 #if defined(ENABLE_EXTERNAL_AUTH)
594 external_hmac_ctx_t* external_hmac = NULL;
595 // stream_template will be the reference context for other streams.
596 // Let's use it for getting the keys.
597 srtp_stream_ctx_t* srtp_context = session_->stream_template;
598 if (srtp_context && srtp_context->rtp_auth) {
599 external_hmac = reinterpret_cast<external_hmac_ctx_t*>(
600 srtp_context->rtp_auth->state);
603 if (!external_hmac) {
604 LOG(LS_ERROR) << "Failed to get auth keys from libsrtp!.";
608 *key = external_hmac->key;
609 *key_len = external_hmac->key_length;
610 *tag_len = rtp_auth_tag_len_;
617 bool SrtpSession::GetSendStreamPacketIndex(void* p, int in_len, int64* index) {
618 srtp_hdr_t* hdr = reinterpret_cast<srtp_hdr_t*>(p);
619 srtp_stream_ctx_t* stream = srtp_get_stream(session_, hdr->ssrc);
623 // Shift packet index, put into network byte order
624 *index = be64_to_cpu(rdbx_get_packet_index(&stream->rtp_rdbx) << 16);
628 void SrtpSession::set_signal_silent_time(uint32 signal_silent_time_in_ms) {
629 srtp_stat_->set_signal_silent_time(signal_silent_time_in_ms);
632 bool SrtpSession::SetKey(int type, const std::string& cs,
633 const uint8* key, int len) {
635 LOG(LS_ERROR) << "Failed to create SRTP session: "
636 << "SRTP session already created";
644 srtp_policy_t policy;
645 memset(&policy, 0, sizeof(policy));
647 if (cs == CS_AES_CM_128_HMAC_SHA1_80) {
648 crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp);
649 crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
650 } else if (cs == CS_AES_CM_128_HMAC_SHA1_32) {
651 crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtp); // rtp is 32,
652 crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp); // rtcp still 80
654 LOG(LS_WARNING) << "Failed to create SRTP session: unsupported"
655 << " cipher_suite " << cs.c_str();
659 if (!key || len != SRTP_MASTER_KEY_LEN) {
660 LOG(LS_WARNING) << "Failed to create SRTP session: invalid key";
664 policy.ssrc.type = static_cast<ssrc_type_t>(type);
665 policy.ssrc.value = 0;
666 policy.key = const_cast<uint8*>(key);
667 // TODO(astor) parse window size from WSH session-param
668 policy.window_size = 1024;
669 policy.allow_repeat_tx = 1;
670 // If external authentication option is enabled, supply custom auth module
671 // id EXTERNAL_HMAC_SHA1 in the policy structure.
672 // We want to set this option only for rtp packets.
673 // By default policy structure is initialized to HMAC_SHA1.
674 #if defined(ENABLE_EXTERNAL_AUTH)
675 // Enable external HMAC authentication only for outgoing streams.
676 if (type == ssrc_any_outbound) {
677 policy.rtp.auth_type = EXTERNAL_HMAC_SHA1;
682 int err = srtp_create(&session_, &policy);
683 if (err != err_status_ok) {
684 LOG(LS_ERROR) << "Failed to create SRTP session, err=" << err;
689 rtp_auth_tag_len_ = policy.rtp.auth_tag_len;
690 rtcp_auth_tag_len_ = policy.rtcp.auth_tag_len;
694 bool SrtpSession::Init() {
698 if (err != err_status_ok) {
699 LOG(LS_ERROR) << "Failed to init SRTP, err=" << err;
703 err = srtp_install_event_handler(&SrtpSession::HandleEventThunk);
704 if (err != err_status_ok) {
705 LOG(LS_ERROR) << "Failed to install SRTP event handler, err=" << err;
708 #if defined(ENABLE_EXTERNAL_AUTH)
709 err = external_crypto_init();
710 if (err != err_status_ok) {
711 LOG(LS_ERROR) << "Failed to initialize fake auth, err=" << err;
721 void SrtpSession::Terminate() {
723 int err = srtp_shutdown();
725 LOG(LS_ERROR) << "srtp_shutdown failed. err=" << err;
732 void SrtpSession::HandleEvent(const srtp_event_data_t* ev) {
734 case event_ssrc_collision:
735 LOG(LS_INFO) << "SRTP event: SSRC collision";
737 case event_key_soft_limit:
738 LOG(LS_INFO) << "SRTP event: reached soft key usage limit";
740 case event_key_hard_limit:
741 LOG(LS_INFO) << "SRTP event: reached hard key usage limit";
743 case event_packet_index_limit:
744 LOG(LS_INFO) << "SRTP event: reached hard packet limit (2^48 packets)";
747 LOG(LS_INFO) << "SRTP event: unknown " << ev->event;
752 void SrtpSession::HandleEventThunk(srtp_event_data_t* ev) {
753 for (std::list<SrtpSession*>::iterator it = sessions()->begin();
754 it != sessions()->end(); ++it) {
755 if ((*it)->session_ == ev->session) {
756 (*it)->HandleEvent(ev);
762 std::list<SrtpSession*>* SrtpSession::sessions() {
763 LIBJINGLE_DEFINE_STATIC_LOCAL(std::list<SrtpSession*>, sessions, ());
769 // On some systems, SRTP is not (yet) available.
771 SrtpSession::SrtpSession() {
772 LOG(WARNING) << "SRTP implementation is missing.";
775 SrtpSession::~SrtpSession() {
778 bool SrtpSession::SetSend(const std::string& cs, const uint8* key, int len) {
779 return SrtpNotAvailable(__FUNCTION__);
782 bool SrtpSession::SetRecv(const std::string& cs, const uint8* key, int len) {
783 return SrtpNotAvailable(__FUNCTION__);
786 bool SrtpSession::ProtectRtp(void* data, int in_len, int max_len,
788 return SrtpNotAvailable(__FUNCTION__);
791 bool SrtpSession::ProtectRtcp(void* data, int in_len, int max_len,
793 return SrtpNotAvailable(__FUNCTION__);
796 bool SrtpSession::UnprotectRtp(void* data, int in_len, int* out_len) {
797 return SrtpNotAvailable(__FUNCTION__);
800 bool SrtpSession::UnprotectRtcp(void* data, int in_len, int* out_len) {
801 return SrtpNotAvailable(__FUNCTION__);
804 void SrtpSession::set_signal_silent_time(uint32 signal_silent_time) {
810 ///////////////////////////////////////////////////////////////////////////////
816 : signal_silent_time_(1000) {
819 void SrtpStat::AddProtectRtpResult(uint32 ssrc, int result) {
822 key.mode = SrtpFilter::PROTECT;
825 key.error = SrtpFilter::ERROR_NONE;
827 case err_status_auth_fail:
828 key.error = SrtpFilter::ERROR_AUTH;
831 key.error = SrtpFilter::ERROR_FAIL;
833 HandleSrtpResult(key);
836 void SrtpStat::AddUnprotectRtpResult(uint32 ssrc, int result) {
839 key.mode = SrtpFilter::UNPROTECT;
842 key.error = SrtpFilter::ERROR_NONE;
844 case err_status_auth_fail:
845 key.error = SrtpFilter::ERROR_AUTH;
847 case err_status_replay_fail:
848 case err_status_replay_old:
849 key.error = SrtpFilter::ERROR_REPLAY;
852 key.error = SrtpFilter::ERROR_FAIL;
854 HandleSrtpResult(key);
857 void SrtpStat::AddProtectRtcpResult(int result) {
858 AddProtectRtpResult(0U, result);
861 void SrtpStat::AddUnprotectRtcpResult(int result) {
862 AddUnprotectRtpResult(0U, result);
865 void SrtpStat::HandleSrtpResult(const SrtpStat::FailureKey& key) {
866 // Handle some cases where error should be signalled right away. For other
867 // errors, trigger error for the first time seeing it. After that, silent
868 // the same error for a certain amount of time (default 1 sec).
869 if (key.error != SrtpFilter::ERROR_NONE) {
870 // For errors, signal first time and wait for 1 sec.
871 FailureStat* stat = &(failures_[key]);
872 uint32 current_time = rtc::Time();
873 if (stat->last_signal_time == 0 ||
874 rtc::TimeDiff(current_time, stat->last_signal_time) >
875 static_cast<int>(signal_silent_time_)) {
876 SignalSrtpError(key.ssrc, key.mode, key.error);
877 stat->last_signal_time = current_time;
884 // On some systems, SRTP is not (yet) available.
887 : signal_silent_time_(1000) {
888 LOG(WARNING) << "SRTP implementation is missing.";
891 void SrtpStat::AddProtectRtpResult(uint32 ssrc, int result) {
892 SrtpNotAvailable(__FUNCTION__);
895 void SrtpStat::AddUnprotectRtpResult(uint32 ssrc, int result) {
896 SrtpNotAvailable(__FUNCTION__);
899 void SrtpStat::AddProtectRtcpResult(int result) {
900 SrtpNotAvailable(__FUNCTION__);
903 void SrtpStat::AddUnprotectRtcpResult(int result) {
904 SrtpNotAvailable(__FUNCTION__);
907 void SrtpStat::HandleSrtpResult(const SrtpStat::FailureKey& key) {
908 SrtpNotAvailable(__FUNCTION__);
913 } // namespace cricket