root/content/browser/renderer_host/p2p/socket_host.cc

DEFINITIONS

1. IsTurnChannelData
2. IsDtlsPacket
3. IsRtcpPacket
4. IsTurnSendIndicationPacket
5. IsRtpPacket
6. ValidateRtpHeader
7. UpdateAbsSendTimeExtnValue
8. UpdateRtpAuthTag
9. ApplyPacketOptions
10. GetRtpPacketStartPositionAndLength
11. UpdateRtpAbsSendTimeExtn
12. state_
13. GetStunPacketType
14. IsRequestOrResponse
15. Create

// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "content/browser/renderer_host/p2p/socket_host.h"

#include "base/sys_byteorder.h"
#include "content/browser/renderer_host/p2p/socket_host_tcp.h"
#include "content/browser/renderer_host/p2p/socket_host_tcp_server.h"
#include "content/browser/renderer_host/p2p/socket_host_udp.h"
#include "crypto/hmac.h"
#include "third_party/libjingle/source/talk/base/asyncpacketsocket.h"
#include "third_party/libjingle/source/talk/base/byteorder.h"
#include "third_party/libjingle/source/talk/base/messagedigest.h"
#include "third_party/libjingle/source/talk/p2p/base/stun.h"

namespace {

const uint32 kStunMagicCookie = 0x2112A442;
const int kMinRtpHdrLen = 12;
const int kRtpExtnHdrLen = 4;
const int kDtlsRecordHeaderLen = 13;
const int kTurnChannelHdrLen = 4;
const int kAbsSendTimeExtnLen = 3;
const int kOneByteHdrLen = 1;

// Fake auth tag written by the render process if external authentication is
// enabled. HMAC in packet will be compared against this value before updating
// packet with actual HMAC value.
static const unsigned char kFakeAuthTag[10] = {
    0xba, 0xdd, 0xba, 0xdd, 0xba, 0xdd, 0xba, 0xdd, 0xba, 0xdd
};

bool IsTurnChannelData(const char* data) {
  return ((*data & 0xC0) == 0x40);
}

bool IsDtlsPacket(const char* data, int len) {
  const uint8* u = reinterpret_cast<const uint8*>(data);
  return (len >= kDtlsRecordHeaderLen && (u[0] > 19 && u[0] < 64));
}

bool IsRtcpPacket(const char* data) {
  int type = (static_cast<uint8>(data[1]) & 0x7F);
  return (type >= 64 && type < 96);
}

bool IsTurnSendIndicationPacket(const char* data) {
  uint16 type = talk_base::GetBE16(data);
  return (type == cricket::TURN_SEND_INDICATION);
}

bool IsRtpPacket(const char* data, int len) {
  return ((*data & 0xC0) == 0x80);
}

// Verifies rtp header and message length.
bool ValidateRtpHeader(char* rtp, int length) {
  int cc_count = rtp[0] & 0x0F;
  int rtp_hdr_len_without_extn = kMinRtpHdrLen + 4 * cc_count;
  if (rtp_hdr_len_without_extn > length) {
    return false;
  }

  // If extension bit is not set, we are done with header processing, as input
  // length is verified above.
  if (!(rtp[0] & 0x10)) {
    return true;
  }

  rtp += rtp_hdr_len_without_extn;

  // Getting extension profile length.
  // Length is in 32 bit words.
  uint16 extn_length = talk_base::GetBE16(rtp + 2) * 4;

  // Verify input length against total header size.
  if (rtp_hdr_len_without_extn + kRtpExtnHdrLen + extn_length > length) {
    return false;
  }
  return true;
}

void UpdateAbsSendTimeExtnValue(char* extn_data, int len,
                                uint32 abs_send_time) {
  // Absolute send time in RTP streams.
  //
  // The absolute send time is signaled to the receiver in-band using the
  // general mechanism for RTP header extensions [RFC5285]. The payload
  // of this extension (the transmitted value) is a 24-bit unsigned integer
  // containing the sender's current time in seconds as a fixed point number
  // with 18 bits fractional part.
  //
  // The form of the absolute send time extension block:
  //
  //    0                   1                   2                   3
  //    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  //   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  //   |  ID   | len=2 |              absolute send time               |
  //   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  DCHECK_EQ(len, kAbsSendTimeExtnLen);
  // Now() has resolution ~1-15ms, using HighResNow(). But it is warned not to
  // use it unless necessary, as it is expensive than Now().
  uint32 now_second = abs_send_time;
  if (!now_second) {
    uint64 now_us =
        (base::TimeTicks::HighResNow() - base::TimeTicks()).InMicroseconds();
    // Convert second to 24-bit unsigned with 18 bit fractional part
    now_second =
        ((now_us << 18) / base::Time::kMicrosecondsPerSecond) & 0x00FFFFFF;
  }
  // TODO(mallinath) - Add SetBE24 to byteorder.h in libjingle.
  extn_data[0] = static_cast<uint8>(now_second >> 16);
  extn_data[1] = static_cast<uint8>(now_second >> 8);
  extn_data[2] = static_cast<uint8>(now_second);
}

// Assumes |len| is actual packet length + tag length. Updates HMAC at end of
// the RTP packet.
void UpdateRtpAuthTag(char* rtp, int len,
                      const talk_base::PacketOptions& options) {
  // If there is no key, return.
  if (options.packet_time_params.srtp_auth_key.empty())
    return;

  size_t tag_length = options.packet_time_params.srtp_auth_tag_len;
  char* auth_tag = rtp + (len - tag_length);

  // We should have a fake HMAC value @ auth_tag.
  DCHECK_EQ(0, memcmp(auth_tag, kFakeAuthTag, tag_length));

  crypto::HMAC hmac(crypto::HMAC::SHA1);
  if (!hmac.Init(reinterpret_cast<const unsigned char*>(
        &options.packet_time_params.srtp_auth_key[0]),
        options.packet_time_params.srtp_auth_key.size())) {
    NOTREACHED();
    return;
  }

  if (hmac.DigestLength() < tag_length) {
    NOTREACHED();
    return;
  }

  // Copy ROC after end of rtp packet.
  memcpy(auth_tag, &options.packet_time_params.srtp_packet_index, 4);
  // Authentication of a RTP packet will have RTP packet + ROC size.
  int auth_required_length = len - tag_length + 4;

  unsigned char output[64];
  if (!hmac.Sign(base::StringPiece(rtp, auth_required_length),
                 output, sizeof(output))) {
    NOTREACHED();
    return;
  }
  // Copy HMAC from output to packet. This is required as auth tag length
  // may not be equal to the actual HMAC length.
  memcpy(auth_tag, output, tag_length);
}

}  // namespace

namespace content {

namespace packet_processing_helpers {

bool ApplyPacketOptions(char* data, int length,
                        const talk_base::PacketOptions& options,
                        uint32 abs_send_time) {
  DCHECK(data != NULL);
  DCHECK(length > 0);
  // if there is no valid |rtp_sendtime_extension_id| and |srtp_auth_key| in
  // PacketOptions, nothing to be updated in this packet.
  if (options.packet_time_params.rtp_sendtime_extension_id == -1 &&
      options.packet_time_params.srtp_auth_key.empty()) {
    return true;
  }

  DCHECK(!IsDtlsPacket(data, length));
  DCHECK(!IsRtcpPacket(data));

  // If there is a srtp auth key present then packet must be a RTP packet.
  // RTP packet may have been wrapped in a TURN Channel Data or
  // TURN send indication.
  int rtp_start_pos;
  int rtp_length;
  if (!GetRtpPacketStartPositionAndLength(
      data, length, &rtp_start_pos, &rtp_length)) {
    // This method should never return false.
    NOTREACHED();
    return false;
  }

  // Skip to rtp packet.
  char* start = data + rtp_start_pos;
  // If packet option has non default value (-1) for sendtime extension id,
  // then we should parse the rtp packet to update the timestamp. Otherwise
  // just calculate HMAC and update packet with it.
  if (options.packet_time_params.rtp_sendtime_extension_id != -1) {
    UpdateRtpAbsSendTimeExtn(
        start, rtp_length,
        options.packet_time_params.rtp_sendtime_extension_id, abs_send_time);
  }

  UpdateRtpAuthTag(start, rtp_length, options);
  return true;
}

bool GetRtpPacketStartPositionAndLength(
    char* packet, int length, int* rtp_start_pos, int* rtp_packet_length) {
  int rtp_begin, rtp_length;
  if (IsTurnChannelData(packet)) {
    // Turn Channel Message header format.
    //   0                   1                   2                   3
    //  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    // |         Channel Number        |            Length             |
    // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    // |                                                               |
    // /                       Application Data                        /
    // /                                                               /
    // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    if (length < kTurnChannelHdrLen) {
      return false;
    }

    rtp_begin = kTurnChannelHdrLen;
    rtp_length = talk_base::GetBE16(&packet[2]);
    if (length < rtp_length + kTurnChannelHdrLen) {
      return false;
    }
  } else if (IsTurnSendIndicationPacket(packet)) {
    if (length <= P2PSocketHost::kStunHeaderSize) {
      // Message must be greater than 20 bytes, if it's carrying any payload.
      return false;
    }
    // Validate STUN message length.
    int stun_msg_len = talk_base::GetBE16(&packet[2]);
    if (stun_msg_len + P2PSocketHost::kStunHeaderSize != length) {
      return false;
    }

    // First skip mandatory stun header which is of 20 bytes.
    rtp_begin = P2PSocketHost::kStunHeaderSize;
    // Loop through STUN attributes until we find STUN DATA attribute.
    char* start = packet + rtp_begin;
    bool data_attr_present = false;
    while ((packet + rtp_begin) - start < stun_msg_len) {
      // Keep reading STUN attributes until we hit DATA attribute.
      // Attribute will be a TLV structure.
      // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      // |         Type                  |            Length             |
      // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      // |                         Value (variable)                ....
      // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      // The value in the length field MUST contain the length of the Value
      // part of the attribute, prior to padding, measured in bytes.  Since
      // STUN aligns attributes on 32-bit boundaries, attributes whose content
      // is not a multiple of 4 bytes are padded with 1, 2, or 3 bytes of
      // padding so that its value contains a multiple of 4 bytes.  The
      // padding bits are ignored, and may be any value.
      uint16 attr_type, attr_length;
      // Getting attribute type and length.
      attr_type = talk_base::GetBE16(&packet[rtp_begin]);
      attr_length = talk_base::GetBE16(
          &packet[rtp_begin + sizeof(attr_type)]);
      // Checking for bogus attribute length.
      if (length < attr_length + rtp_begin) {
        return false;
      }

      if (attr_type != cricket::STUN_ATTR_DATA) {
        rtp_begin += sizeof(attr_type) + sizeof(attr_length) + attr_length;
        if ((attr_length % 4) != 0) {
          rtp_begin += (4 - (attr_length % 4));
        }
        continue;
      }

      data_attr_present = true;
      rtp_begin += 4;  // Skip STUN_DATA_ATTR header.
      rtp_length = attr_length;
      // One final check of length before exiting.
      if (length < rtp_length + rtp_begin) {
        return false;
      }
      // We found STUN_DATA_ATTR. We can skip parsing rest of the packet.
      break;
    }

    if (!data_attr_present) {
      // There is no data attribute present in the message. We can't do anything
      // with the message.
      return false;
    }

  } else {
    // This is a raw RTP packet.
    rtp_begin = 0;
    rtp_length = length;
  }

  // Making sure we have a valid RTP packet at the end.
  if (!(rtp_length < kMinRtpHdrLen) &&
      IsRtpPacket(packet + rtp_begin, rtp_length) &&
      ValidateRtpHeader(packet + rtp_begin, rtp_length)) {
    *rtp_start_pos = rtp_begin;
    *rtp_packet_length = rtp_length;
    return true;
  }
  return false;
}

// ValidateRtpHeader must be called before this method to make sure, we have
// a sane rtp packet.
bool UpdateRtpAbsSendTimeExtn(char* rtp, int length,
                              int extension_id, uint32 abs_send_time) {
  //  0                   1                   2                   3
  //  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  // |V=2|P|X|  CC   |M|     PT      |       sequence number         |
  // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  // |                           timestamp                           |
  // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  // |           synchronization source (SSRC) identifier            |
  // +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  // |            contributing source (CSRC) identifiers             |
  // |                             ....                              |
  // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  // Return if extension bit is not set.
  if (!(rtp[0] & 0x10)) {
    return true;
  }

  int cc_count = rtp[0] & 0x0F;
  int rtp_hdr_len_without_extn = kMinRtpHdrLen + 4 * cc_count;

  rtp += rtp_hdr_len_without_extn;

  // Getting extension profile ID and length.
  uint16 profile_id = talk_base::GetBE16(rtp);
  // Length is in 32 bit words.
  uint16 extn_length = talk_base::GetBE16(rtp + 2) * 4;

  rtp += kRtpExtnHdrLen;  // Moving past extn header.

  bool found = false;
  // WebRTC is using one byte header extension.
  // TODO(mallinath) - Handle two byte header extension.
  if (profile_id == 0xBEDE) {  // OneByte extension header
    //  0
    //  0 1 2 3 4 5 6 7
    // +-+-+-+-+-+-+-+-+
    // |  ID   |  len  |
    // +-+-+-+-+-+-+-+-+

    //  0                   1                   2                   3
    //  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    // |       0xBE    |    0xDE       |           length=3            |
    // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    // |  ID   | L=0   |     data      |  ID   |  L=1  |   data...
    // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    //       ...data   |    0 (pad)    |    0 (pad)    |  ID   | L=3   |
    // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    // |                          data                                 |
    // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    char* extn_start = rtp;
    while (rtp - extn_start < extn_length) {
      const int id = (*rtp & 0xF0) >> 4;
      const int len = (*rtp & 0x0F) + 1;
      // The 4-bit length is the number minus one of data bytes of this header
      // extension element following the one-byte header.
      if (id == extension_id) {
        UpdateAbsSendTimeExtnValue(rtp + kOneByteHdrLen, len, abs_send_time);
        found = true;
        break;
      }
      rtp += kOneByteHdrLen + len;
      // Counting padding bytes.
      while ((*rtp == 0) && (rtp - extn_start < extn_length)) {
        ++rtp;
      }
    }
  }
  return found;
}

}  // packet_processing_helpers

P2PSocketHost::P2PSocketHost(IPC::Sender* message_sender,
                             int id)
    : message_sender_(message_sender),
      id_(id),
      state_(STATE_UNINITIALIZED) {
}

P2PSocketHost::~P2PSocketHost() { }

// Verifies that the packet |data| has a valid STUN header.
// static
bool P2PSocketHost::GetStunPacketType(
    const char* data, int data_size, StunMessageType* type) {

  if (data_size < kStunHeaderSize)
    return false;

  uint32 cookie = base::NetToHost32(*reinterpret_cast<const uint32*>(data + 4));
  if (cookie != kStunMagicCookie)
    return false;

  uint16 length = base::NetToHost16(*reinterpret_cast<const uint16*>(data + 2));
  if (length != data_size - kStunHeaderSize)
    return false;

  int message_type = base::NetToHost16(*reinterpret_cast<const uint16*>(data));

  // Verify that the type is known:
  switch (message_type) {
    case STUN_BINDING_REQUEST:
    case STUN_BINDING_RESPONSE:
    case STUN_BINDING_ERROR_RESPONSE:
    case STUN_SHARED_SECRET_REQUEST:
    case STUN_SHARED_SECRET_RESPONSE:
    case STUN_SHARED_SECRET_ERROR_RESPONSE:
    case STUN_ALLOCATE_REQUEST:
    case STUN_ALLOCATE_RESPONSE:
    case STUN_ALLOCATE_ERROR_RESPONSE:
    case STUN_SEND_REQUEST:
    case STUN_SEND_RESPONSE:
    case STUN_SEND_ERROR_RESPONSE:
    case STUN_DATA_INDICATION:
      *type = static_cast<StunMessageType>(message_type);
      return true;

    default:
      return false;
  }
}

// static
bool P2PSocketHost::IsRequestOrResponse(StunMessageType type) {
  return type == STUN_BINDING_REQUEST || type == STUN_BINDING_RESPONSE ||
      type == STUN_ALLOCATE_REQUEST || type == STUN_ALLOCATE_RESPONSE;
}

// static
P2PSocketHost* P2PSocketHost::Create(
    IPC::Sender* message_sender, int id, P2PSocketType type,
    net::URLRequestContextGetter* url_context,
    P2PMessageThrottler* throttler) {
  switch (type) {
    case P2P_SOCKET_UDP:
      return new P2PSocketHostUdp(message_sender, id, throttler);
    case P2P_SOCKET_TCP_SERVER:
      return new P2PSocketHostTcpServer(
          message_sender, id, P2P_SOCKET_TCP_CLIENT);

    case P2P_SOCKET_STUN_TCP_SERVER:
      return new P2PSocketHostTcpServer(
          message_sender, id, P2P_SOCKET_STUN_TCP_CLIENT);

    case P2P_SOCKET_TCP_CLIENT:
    case P2P_SOCKET_SSLTCP_CLIENT:
    case P2P_SOCKET_TLS_CLIENT:
      return new P2PSocketHostTcp(message_sender, id, type, url_context);

    case P2P_SOCKET_STUN_TCP_CLIENT:
    case P2P_SOCKET_STUN_SSLTCP_CLIENT:
    case P2P_SOCKET_STUN_TLS_CLIENT:
      return new P2PSocketHostStunTcp(message_sender, id, type, url_context);
  }

  NOTREACHED();
  return NULL;
}

}  // namespace content