From ddb1f6a4a6531fecf65c6f15314e96a6c841ff60 Mon Sep 17 00:00:00 2001 From: cloudwebrtc Date: Fri, 22 Mar 2024 09:40:27 +0800 Subject: [PATCH 1/3] Add key ring size to keyProviderOptions. --- api/crypto/frame_crypto_transformer.cc | 4 ++-- api/crypto/frame_crypto_transformer.h | 18 +++++++++++++++--- .../api/org/webrtc/FrameCryptorFactory.java | 6 +++--- sdk/android/src/jni/pc/frame_cryptor.cc | 7 ++++--- .../RTCFrameCryptorKeyProvider.h | 3 ++- .../RTCFrameCryptorKeyProvider.mm | 4 +++- 6 files changed, 29 insertions(+), 13 deletions(-) diff --git a/api/crypto/frame_crypto_transformer.cc b/api/crypto/frame_crypto_transformer.cc index c5b823409e..c53b3eba2b 100644 --- a/api/crypto/frame_crypto_transformer.cc +++ b/api/crypto/frame_crypto_transformer.cc @@ -551,11 +551,11 @@ void FrameCryptorTransformer::decryptFrame( ? key_provider_->GetSharedKey(participant_id_) : key_provider_->GetKey(participant_id_); - if (key_index >= KEYRING_SIZE || key_handler == nullptr || + if (0 > key_index || key_index >= key_provider_->options().key_ring_size || key_handler == nullptr || key_handler->GetKeySet(key_index) == nullptr) { RTC_LOG(LS_INFO) << "FrameCryptorTransformer::decryptFrame() no keys, or " "key_index[" - << key_index_ << "] out of range for participant " + << key_index << "] out of range for participant " << participant_id_; if (last_dec_error_ != FrameCryptionState::kMissingKey) { last_dec_error_ = FrameCryptionState::kMissingKey; diff --git a/api/crypto/frame_crypto_transformer.h b/api/crypto/frame_crypto_transformer.h index f9027d08f7..e80a53d250 100644 --- a/api/crypto/frame_crypto_transformer.h +++ b/api/crypto/frame_crypto_transformer.h @@ -44,14 +44,20 @@ struct KeyProviderOptions { std::vector uncrypted_magic_bytes; int ratchet_window_size; int failure_tolerance; + // key ring size should be between 1 and 255 + int key_ring_size; KeyProviderOptions() - : shared_key(false), ratchet_window_size(0), failure_tolerance(-1) {} + : shared_key(false), + ratchet_window_size(0), + failure_tolerance(-1), + key_ring_size(KEYRING_SIZE) {} KeyProviderOptions(KeyProviderOptions& copy) : shared_key(copy.shared_key), ratchet_salt(copy.ratchet_salt), uncrypted_magic_bytes(copy.uncrypted_magic_bytes), ratchet_window_size(copy.ratchet_window_size), - failure_tolerance(copy.failure_tolerance) {} + failure_tolerance(copy.failure_tolerance), + key_ring_size(copy.key_ring_size) {} }; class KeyProvider : public rtc::RefCountInterface { @@ -99,7 +105,13 @@ class ParticipantKeyHandler : public rtc::RefCountInterface { public: ParticipantKeyHandler(KeyProvider* key_provider) : key_provider_(key_provider) { - crypto_key_ring_.resize(KEYRING_SIZE); + int key_ring_size = key_provider_->options().key_ring_size; + if(key_ring_size <= 0) { + key_ring_size = KEYRING_SIZE; + } else if (key_ring_size >= 255) { + key_ring_size = 255; + } + crypto_key_ring_.resize(key_ring_size); } virtual ~ParticipantKeyHandler() = default; diff --git a/sdk/android/api/org/webrtc/FrameCryptorFactory.java b/sdk/android/api/org/webrtc/FrameCryptorFactory.java index 1ade0b6c9e..1558110513 100644 --- a/sdk/android/api/org/webrtc/FrameCryptorFactory.java +++ b/sdk/android/api/org/webrtc/FrameCryptorFactory.java @@ -18,8 +18,8 @@ public class FrameCryptorFactory { public static FrameCryptorKeyProvider createFrameCryptorKeyProvider( - boolean sharedKey, byte[] ratchetSalt, int ratchetWindowSize, byte[] uncryptedMagicBytes, int failureTolerance) { - return nativeCreateFrameCryptorKeyProvider(sharedKey, ratchetSalt, ratchetWindowSize, uncryptedMagicBytes, failureTolerance); + boolean sharedKey, byte[] ratchetSalt, int ratchetWindowSize, byte[] uncryptedMagicBytes, int failureTolerance, int keyRingSize) { + return nativeCreateFrameCryptorKeyProvider(sharedKey, ratchetSalt, ratchetWindowSize, uncryptedMagicBytes, failureTolerance, keyRingSize); } public static FrameCryptor createFrameCryptorForRtpSender(PeerConnectionFactory factory, RtpSender rtpSender, @@ -40,5 +40,5 @@ private static native FrameCryptor nativeCreateFrameCryptorForRtpReceiver(long f long rtpReceiver, String participantId, int algorithm, long nativeFrameCryptorKeyProvider); private static native FrameCryptorKeyProvider nativeCreateFrameCryptorKeyProvider( - boolean sharedKey, byte[] ratchetSalt, int ratchetWindowSize, byte[] uncryptedMagicBytes, int failureTolerance); + boolean sharedKey, byte[] ratchetSalt, int ratchetWindowSize, byte[] uncryptedMagicBytes, int failureTolerance, int keyRingSize); } diff --git a/sdk/android/src/jni/pc/frame_cryptor.cc b/sdk/android/src/jni/pc/frame_cryptor.cc index 59710cd6d3..8aae566a28 100644 --- a/sdk/android/src/jni/pc/frame_cryptor.cc +++ b/sdk/android/src/jni/pc/frame_cryptor.cc @@ -179,18 +179,19 @@ JNI_FrameCryptorFactory_CreateFrameCryptorKeyProvider( const base::android::JavaParamRef& j_ratchetSalt, jint j_ratchetWindowSize, const base::android::JavaParamRef& j_uncryptedMagicBytes, - jint j_failureTolerance) { + jint j_failureTolerance, + jint j_keyRingSize) { auto ratchetSalt = JavaToNativeByteArray(env, j_ratchetSalt); KeyProviderOptions options; options.ratchet_salt = std::vector(ratchetSalt.begin(), ratchetSalt.end()); options.ratchet_window_size = j_ratchetWindowSize; - auto uncryptedMagicBytes = JavaToNativeByteArray(env, j_uncryptedMagicBytes); options.uncrypted_magic_bytes = std::vector(uncryptedMagicBytes.begin(), uncryptedMagicBytes.end()); options.shared_key = j_shared; - options.failure_tolerance = j_failureTolerance; + options.failure_tolerance = j_failureTolerance; + options.key_ring_size = j_keyRingSize; return NativeToJavaFrameCryptorKeyProvider( env, rtc::make_ref_counted(options)); } diff --git a/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.h b/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.h index b10cf8c4b2..c8e5e445c0 100644 --- a/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.h +++ b/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.h @@ -46,7 +46,8 @@ RTC_OBJC_EXPORT ratchetWindowSize:(int)windowSize sharedKeyMode:(BOOL)sharedKey uncryptedMagicBytes:(nullable NSData *)uncryptedMagicBytes - failureTolerance:(int)failureTolerance; + failureTolerance:(int)failureTolerance + keyRingSize:(int)keyRingSize; @end diff --git a/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.mm b/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.mm index 1596b98016..97612916f3 100644 --- a/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.mm +++ b/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.mm @@ -45,7 +45,8 @@ - (instancetype)initWithRatchetSalt:(NSData *)salt ratchetWindowSize:(int)windowSize sharedKeyMode:(BOOL)sharedKey uncryptedMagicBytes:(nullable NSData *)uncryptedMagicBytes - failureTolerance:(int)failureTolerance { + failureTolerance:(int)failureTolerance + keyRingSize:(int)keyRingSize { if (self = [super init]) { webrtc::KeyProviderOptions options; options.ratchet_salt = std::vector((const uint8_t *)salt.bytes, @@ -53,6 +54,7 @@ - (instancetype)initWithRatchetSalt:(NSData *)salt options.ratchet_window_size = windowSize; options.shared_key = sharedKey; options.failure_tolerance = failureTolerance; + options.key_ring_size = keyRingSize; if(uncryptedMagicBytes != nil) { options.uncrypted_magic_bytes = std::vector((const uint8_t *)uncryptedMagicBytes.bytes, ((const uint8_t *)uncryptedMagicBytes.bytes) + uncryptedMagicBytes.length); From 1c5389f0cd5952f17f77540aa74917c93fe2e529 Mon Sep 17 00:00:00 2001 From: cloudwebrtc Date: Thu, 4 Apr 2024 10:48:09 +0800 Subject: [PATCH 2/3] add discard_frame_when_cryptor_not_ready to KeyProviderOptions. --- api/crypto/frame_crypto_transformer.cc | 8 ++++++-- api/crypto/frame_crypto_transformer.h | 14 ++++++++----- .../api/org/webrtc/FrameCryptorFactory.java | 6 +++--- sdk/android/src/jni/pc/frame_cryptor.cc | 4 +++- .../RTCFrameCryptorKeyProvider.h | 8 ++++++++ .../RTCFrameCryptorKeyProvider.mm | 20 ++++++++++++++++++- 6 files changed, 48 insertions(+), 12 deletions(-) diff --git a/api/crypto/frame_crypto_transformer.cc b/api/crypto/frame_crypto_transformer.cc index c53b3eba2b..9ec8452077 100644 --- a/api/crypto/frame_crypto_transformer.cc +++ b/api/crypto/frame_crypto_transformer.cc @@ -386,7 +386,9 @@ void FrameCryptorTransformer::encryptFrame( if (date_in.size() == 0 || !enabled_cryption) { RTC_LOG(LS_WARNING) << "FrameCryptorTransformer::encryptFrame() " "date_in.size() == 0 || enabled_cryption == false"; - sink_callback->OnTransformedFrame(std::move(frame)); + if(!key_provider_->options().discard_frame_when_cryptor_not_ready) { + sink_callback->OnTransformedFrame(std::move(frame)); + } return; } @@ -494,7 +496,9 @@ void FrameCryptorTransformer::decryptFrame( if (date_in.size() == 0 || !enabled_cryption) { RTC_LOG(LS_WARNING) << "FrameCryptorTransformer::decryptFrame() " "date_in.size() == 0 || enabled_cryption == false"; - sink_callback->OnTransformedFrame(std::move(frame)); + if(!key_provider_->options().discard_frame_when_cryptor_not_ready) { + sink_callback->OnTransformedFrame(std::move(frame)); + } return; } diff --git a/api/crypto/frame_crypto_transformer.h b/api/crypto/frame_crypto_transformer.h index e80a53d250..9689ec1593 100644 --- a/api/crypto/frame_crypto_transformer.h +++ b/api/crypto/frame_crypto_transformer.h @@ -34,7 +34,8 @@ int DerivePBKDF2KeyFromRawKey(const std::vector raw_key, namespace webrtc { -const size_t KEYRING_SIZE = 16; +const size_t DEFAULT_KEYRING_SIZE = 16; +const size_t MAX_KEYRING_SIZE = 255; class ParticipantKeyHandler; @@ -46,11 +47,13 @@ struct KeyProviderOptions { int failure_tolerance; // key ring size should be between 1 and 255 int key_ring_size; + bool discard_frame_when_cryptor_not_ready; KeyProviderOptions() : shared_key(false), ratchet_window_size(0), failure_tolerance(-1), - key_ring_size(KEYRING_SIZE) {} + key_ring_size(DEFAULT_KEYRING_SIZE), + discard_frame_when_cryptor_not_ready(false) {} KeyProviderOptions(KeyProviderOptions& copy) : shared_key(copy.shared_key), ratchet_salt(copy.ratchet_salt), @@ -107,9 +110,10 @@ class ParticipantKeyHandler : public rtc::RefCountInterface { : key_provider_(key_provider) { int key_ring_size = key_provider_->options().key_ring_size; if(key_ring_size <= 0) { - key_ring_size = KEYRING_SIZE; - } else if (key_ring_size >= 255) { - key_ring_size = 255; + key_ring_size = DEFAULT_KEYRING_SIZE; + } else if (key_ring_size > (int)MAX_KEYRING_SIZE) { + // Keyring size needs to be between 1 and 256 + key_ring_size = MAX_KEYRING_SIZE; } crypto_key_ring_.resize(key_ring_size); } diff --git a/sdk/android/api/org/webrtc/FrameCryptorFactory.java b/sdk/android/api/org/webrtc/FrameCryptorFactory.java index 1558110513..865a4b78bb 100644 --- a/sdk/android/api/org/webrtc/FrameCryptorFactory.java +++ b/sdk/android/api/org/webrtc/FrameCryptorFactory.java @@ -18,8 +18,8 @@ public class FrameCryptorFactory { public static FrameCryptorKeyProvider createFrameCryptorKeyProvider( - boolean sharedKey, byte[] ratchetSalt, int ratchetWindowSize, byte[] uncryptedMagicBytes, int failureTolerance, int keyRingSize) { - return nativeCreateFrameCryptorKeyProvider(sharedKey, ratchetSalt, ratchetWindowSize, uncryptedMagicBytes, failureTolerance, keyRingSize); + boolean sharedKey, byte[] ratchetSalt, int ratchetWindowSize, byte[] uncryptedMagicBytes, int failureTolerance, int keyRingSize, boolean discardFrameWhenCryptorNotReady) { + return nativeCreateFrameCryptorKeyProvider(sharedKey, ratchetSalt, ratchetWindowSize, uncryptedMagicBytes, failureTolerance, keyRingSize, discardFrameWhenCryptorNotReady); } public static FrameCryptor createFrameCryptorForRtpSender(PeerConnectionFactory factory, RtpSender rtpSender, @@ -40,5 +40,5 @@ private static native FrameCryptor nativeCreateFrameCryptorForRtpReceiver(long f long rtpReceiver, String participantId, int algorithm, long nativeFrameCryptorKeyProvider); private static native FrameCryptorKeyProvider nativeCreateFrameCryptorKeyProvider( - boolean sharedKey, byte[] ratchetSalt, int ratchetWindowSize, byte[] uncryptedMagicBytes, int failureTolerance, int keyRingSize); + boolean sharedKey, byte[] ratchetSalt, int ratchetWindowSize, byte[] uncryptedMagicBytes, int failureTolerance, int keyRingSize, boolean discardFrameWhenCryptorNotReady); } diff --git a/sdk/android/src/jni/pc/frame_cryptor.cc b/sdk/android/src/jni/pc/frame_cryptor.cc index 8aae566a28..af2fd8f2b0 100644 --- a/sdk/android/src/jni/pc/frame_cryptor.cc +++ b/sdk/android/src/jni/pc/frame_cryptor.cc @@ -180,7 +180,8 @@ JNI_FrameCryptorFactory_CreateFrameCryptorKeyProvider( jint j_ratchetWindowSize, const base::android::JavaParamRef& j_uncryptedMagicBytes, jint j_failureTolerance, - jint j_keyRingSize) { + jint j_keyRingSize, + jboolean j_discardFrameWhenCryptorNotReady) { auto ratchetSalt = JavaToNativeByteArray(env, j_ratchetSalt); KeyProviderOptions options; options.ratchet_salt = @@ -192,6 +193,7 @@ JNI_FrameCryptorFactory_CreateFrameCryptorKeyProvider( options.shared_key = j_shared; options.failure_tolerance = j_failureTolerance; options.key_ring_size = j_keyRingSize; + options.discard_frame_when_cryptor_not_ready = j_discardFrameWhenCryptorNotReady; return NativeToJavaFrameCryptorKeyProvider( env, rtc::make_ref_counted(options)); } diff --git a/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.h b/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.h index c8e5e445c0..6443b23349 100644 --- a/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.h +++ b/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.h @@ -49,6 +49,14 @@ RTC_OBJC_EXPORT failureTolerance:(int)failureTolerance keyRingSize:(int)keyRingSize; +- (instancetype)initWithRatchetSalt:(NSData *)salt + ratchetWindowSize:(int)windowSize + sharedKeyMode:(BOOL)sharedKey + uncryptedMagicBytes:(nullable NSData *)uncryptedMagicBytes + failureTolerance:(int)failureTolerance + keyRingSize:(int)keyRingSize + discardFrameWhenCryptorNotReady:(BOOL)discardFrameWhenCryptorNotReady; + @end NS_ASSUME_NONNULL_END diff --git a/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.mm b/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.mm index 97612916f3..88bebfcd9d 100644 --- a/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.mm +++ b/sdk/objc/api/peerconnection/RTCFrameCryptorKeyProvider.mm @@ -38,7 +38,8 @@ - (instancetype)initWithRatchetSalt:(NSData *)salt ratchetWindowSize:windowSize sharedKeyMode:sharedKey uncryptedMagicBytes:uncryptedMagicBytes - failureTolerance:-1]; + failureTolerance:-1 + keyRingSize:webrtc::DEFAULT_KEYRING_SIZE]; } - (instancetype)initWithRatchetSalt:(NSData *)salt @@ -47,6 +48,22 @@ - (instancetype)initWithRatchetSalt:(NSData *)salt uncryptedMagicBytes:(nullable NSData *)uncryptedMagicBytes failureTolerance:(int)failureTolerance keyRingSize:(int)keyRingSize { + return [self initWithRatchetSalt:salt + ratchetWindowSize:windowSize + sharedKeyMode:sharedKey + uncryptedMagicBytes:uncryptedMagicBytes + failureTolerance:-1 + keyRingSize:keyRingSize + discardFrameWhenCryptorNotReady:false]; +} + +- (instancetype)initWithRatchetSalt:(NSData *)salt + ratchetWindowSize:(int)windowSize + sharedKeyMode:(BOOL)sharedKey + uncryptedMagicBytes:(nullable NSData *)uncryptedMagicBytes + failureTolerance:(int)failureTolerance + keyRingSize:(int)keyRingSize + discardFrameWhenCryptorNotReady:(BOOL)discardFrameWhenCryptorNotReady { if (self = [super init]) { webrtc::KeyProviderOptions options; options.ratchet_salt = std::vector((const uint8_t *)salt.bytes, @@ -55,6 +72,7 @@ - (instancetype)initWithRatchetSalt:(NSData *)salt options.shared_key = sharedKey; options.failure_tolerance = failureTolerance; options.key_ring_size = keyRingSize; + options.discard_frame_when_cryptor_not_ready = discardFrameWhenCryptorNotReady; if(uncryptedMagicBytes != nil) { options.uncrypted_magic_bytes = std::vector((const uint8_t *)uncryptedMagicBytes.bytes, ((const uint8_t *)uncryptedMagicBytes.bytes) + uncryptedMagicBytes.length); From 6437e0f89a50c4c8709ff5d65eb3c0a47e7bb7d6 Mon Sep 17 00:00:00 2001 From: cloudwebrtc Date: Mon, 8 Apr 2024 08:31:56 +0800 Subject: [PATCH 3/3] update. --- api/crypto/frame_crypto_transformer.cc | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/api/crypto/frame_crypto_transformer.cc b/api/crypto/frame_crypto_transformer.cc index 9ec8452077..06ec888170 100644 --- a/api/crypto/frame_crypto_transformer.cc +++ b/api/crypto/frame_crypto_transformer.cc @@ -386,9 +386,10 @@ void FrameCryptorTransformer::encryptFrame( if (date_in.size() == 0 || !enabled_cryption) { RTC_LOG(LS_WARNING) << "FrameCryptorTransformer::encryptFrame() " "date_in.size() == 0 || enabled_cryption == false"; - if(!key_provider_->options().discard_frame_when_cryptor_not_ready) { - sink_callback->OnTransformedFrame(std::move(frame)); + if(key_provider_->options().discard_frame_when_cryptor_not_ready) { + return; } + sink_callback->OnTransformedFrame(std::move(frame)); return; } @@ -496,9 +497,11 @@ void FrameCryptorTransformer::decryptFrame( if (date_in.size() == 0 || !enabled_cryption) { RTC_LOG(LS_WARNING) << "FrameCryptorTransformer::decryptFrame() " "date_in.size() == 0 || enabled_cryption == false"; - if(!key_provider_->options().discard_frame_when_cryptor_not_ready) { - sink_callback->OnTransformedFrame(std::move(frame)); + if(key_provider_->options().discard_frame_when_cryptor_not_ready) { + return; } + + sink_callback->OnTransformedFrame(std::move(frame)); return; }