Reputation: 69988
I have a server which receives OFFER, ANSWER and CANDIDATE-s from the web browser for a WebRTC session and passes them to its peer. Later the data is also passed from the same server.
Now, to implement our own SFU-like mechanism, I was considering whether I can decrypt this data to the actual raw bytes and then pass it to multiple peers with their own encryption. For that I thought of using the open source libsrtp library. Here is its example code.
It has primarily 2 functions: srtp_protect() to encrypt and srtp_unprotect() to decrypt.
Question: How can such a library be used in conjunction with the above WebRTC SDP headers (viz. offer, answer, candidate) to get the raw RTP bytes and encrypt them again?
[Note: The other open source solutions like "MediaSoup", "Janus" etc. are not in scope of this post.]
Upvotes: 4
Views: 1458
Reputation: 4242
If you have the Offer, Answer and Candidates you have enough information to establish a WebRTC session. Before you worry about encrypting/decrypting you need to establish ICE connectivity.
For ICE you need each agent's user-fragment and password. You exchange these values via Offer/Answer. I would start with ice-lite. You need to accept STUN Request packets, assert that the user-fragment is correct and that it is signed with the password. You then respond with a STUN Response with your user fragment, signed with your password. The IP/Port that is sending you traffic is the remote peer.
For C/C++ I would suggest libjuice or libnice. This is also something you could write yourself! Happy to add more details to my answer on either implementation if that is helpful.
Next you need to establish a DTLS session. You need to know each side's role. In the Offer/Answer each side will declare either setup:active for Client, setup:passive for Server, or setup:actpass if it defers the choice to the other side. When you know the details it is time to start the handshake.
See dtls.c for examples of making a DTLS Handshake, Extracting the keying material and more. The important part is setting your role properly, and setting up Read/Write BIOs. Since OpenSSL can't send over ICE you need to pass data in/out of OpenSSL yourself. Also make sure you validate the certificate fingerprint in the Offer/Answer!
When you are done you can send SCTP(DataChannels) over this DTLS connection.
If you want to do SRTP you need to export the keying material and then determine what cipher suite was used.
With this keying material + cipher suite you create the session, and then you can decrypt the packets.
I am happy to add more examples/talk more specifically about certain APIs if that is helpful.
Upvotes: 2
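The ICE and DTLS-role bookkeeping the answer above describes, as an added example that is not the answerer's code and does not use libnice, libjuice or OpenSSL: it is plain Python (stdlib only) so it runs offline. It parses the ice-ufrag / ice-pwd / fingerprint / setup attributes out of a constructed remote offer, picks the answer's a=setup and the resulting DTLS role, and validates an incoming STUN Binding Request the way an ice-lite agent must (USERNAME is "ours:theirs", MESSAGE-INTEGRITY is HMAC-SHA1 keyed with our ice-pwd, FINGERPRINT is CRC32 XOR 0x5354554E). The SDP text, ufrags, passwords and transaction id are constructed samples; the fingerprint value is shortened and is only parsed, not compared against a certificate here.

```python
"""Added example (not the answerer's code): the ICE/DTLS bookkeeping described
above, in plain Python so it runs without libnice, libjuice or OpenSSL. The SDP
text, ufrags, passwords and transaction id below are constructed samples."""
import hashlib, hmac, struct, zlib

# Constructed remote offer; only the a= attributes matter for this example.
REMOTE_OFFER = (
    "v=0\r\no=- 1 1 IN IP4 127.0.0.1\r\ns=-\r\nt=0 0\r\n"
    "m=audio 9 UDP/TLS/RTP/SAVPF 111\r\n"
    "a=ice-ufrag:remoteUfrag\r\na=ice-pwd:remotePwdRemotePwd01234\r\n"
    "a=fingerprint:sha-256 00:11:22:33\r\n"  # shortened constructed value
    "a=setup:actpass\r\n"
)

def parse_sdp_attrs(sdp):
    """Collect 'a=key:value' attributes; first occurrence wins."""
    attrs = {}
    for line in sdp.splitlines():
        if line.startswith("a=") and ":" in line:
            key, value = line[2:].split(":", 1)
            attrs.setdefault(key, value.strip())
    return attrs

def answer_setup(offer_setup, prefer="active"):
    """RFC 5763: the answer takes the opposite of the offer's a=setup; for
    'actpass' the answerer chooses, normally 'active' (= DTLS client)."""
    if offer_setup == "actpass":
        return prefer
    if offer_setup in ("active", "passive"):
        return "passive" if offer_setup == "active" else "active"
    raise ValueError("unexpected a=setup value: %r" % offer_setup)

def dtls_role(setup):
    """active -> DTLS client (sends ClientHello), passive -> DTLS server."""
    return "client" if setup == "active" else "server"

# STUN (RFC 5389) constants for the ICE connectivity check.
BINDING_REQUEST, MAGIC, FP_XOR = 0x0001, 0x2112A442, 0x5354554E
USERNAME, MESSAGE_INTEGRITY, FINGERPRINT = 0x0006, 0x0008, 0x8028

def _attr(atype, value):  # TLV with 4-byte padding
    return struct.pack("!HH", atype, len(value)) + value + b"\0" * (-len(value) % 4)

def build_binding_request(receiver_ufrag, sender_ufrag, receiver_pwd, txid):
    """What the peer sends us: USERNAME 'ours:theirs', HMAC-SHA1 keyed with OUR password."""
    body = _attr(USERNAME, f"{receiver_ufrag}:{sender_ufrag}".encode())
    # The MAC is taken with the header length counting the 24-byte MESSAGE-INTEGRITY attr.
    hdr = struct.pack("!HHI", BINDING_REQUEST, len(body) + 24, MAGIC) + txid
    body += _attr(MESSAGE_INTEGRITY, hmac.new(receiver_pwd.encode(), hdr + body, hashlib.sha1).digest())
    # FINGERPRINT is last; its CRC32 covers the header carrying the final length.
    hdr = struct.pack("!HHI", BINDING_REQUEST, len(body) + 8, MAGIC) + txid
    body += _attr(FINGERPRINT, struct.pack("!I", zlib.crc32(hdr + body) ^ FP_XOR))
    return hdr + body

def verify_binding_request(msg, local_ufrag, local_pwd):
    """Return the peer's ufrag if msg is a Binding Request addressed to us and
    signed with our password, else None. An ice-lite agent answers only these."""
    if len(msg) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_REQUEST or cookie != MAGIC or 20 + mlen != len(msg):
        return None
    username = mac = mi_off = None
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if len(value) != alen:
            return None
        if atype == USERNAME:
            username = value
        elif atype == MESSAGE_INTEGRITY:
            mac, mi_off = value, off
        elif atype == FINGERPRINT:  # CRC over everything before this attribute
            if struct.unpack("!I", value)[0] != zlib.crc32(msg[:off]) ^ FP_XOR:
                return None
        off += 4 + alen + (-alen % 4)
    if username is None or mac is None:
        return None
    # Recompute the MAC with the length field as the peer had it: end of the
    # MESSAGE-INTEGRITY attribute, i.e. (mi_off - 20) + 24 == mi_off + 4.
    hdr = struct.pack("!HHI", mtype, mi_off + 4, cookie) + msg[8:20]
    expected = hmac.new(local_pwd.encode(), hdr + msg[20:mi_off], hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    ufrag_for, _, ufrag_from = username.decode(errors="replace").partition(":")
    return ufrag_from if ufrag_for == local_ufrag and ufrag_from else None
```

The verifier rejects a request whose length field disagrees with the datagram, whose FINGERPRINT does not match, whose MAC was made with another password, or whose USERNAME names a different local ufrag; only then is the source IP/port treated as the peer. The password is used as-is as the HMAC key, which is correct for the ASCII ice-pwd values browsers generate; RFC 5389 calls for SASLprep on non-ASCII passwords.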
Reputation: 17305
WebRTC uses DTLS-SRTP, so the SRTP keys are derived from the DTLS handshake which precedes the SRTP packets.
The main OpenSSL (or BoringSSL) APIs used for this are SSL_CTX_set_tlsext_use_srtp, SSL_set_info_callback and SSL_export_keying_material, which exports the SRTP keys (that are used in the calls to libsrtp's srtp_create).
Examples of using those APIs together are quite rare; both Janus and MediaSoup are good examples of how to use them if you are allowed to look at their code license-wise.
Upvotes: 1
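What SSL_export_keying_material actually hands you, and how it turns into the key libsrtp's srtp_create wants, as an added example that is not from either answer or from Janus/MediaSoup. It is plain Python with a constructed 60-byte blob standing in for the exporter output, since OpenSSL is not called here. RFC 5764 lays the exported bytes out as client key, server key, client salt, server salt (not key+salt, key+salt), and which pair you feed to srtp_protect versus srtp_unprotect depends on whether you ended up as DTLS client or server; both are common sources of "authentication failure" on the first decrypted packet. The profile table covers the profiles WebRTC stacks negotiate today; the C calls named in the usage note are OpenSSL's and libsrtp's real functions, the Python names are this example's own.

```python
"""Added example (not from the answers): splitting DTLS-SRTP exported keying
material into libsrtp master keys. SAMPLE_EXPORT is a constructed stand-in for
what SSL_export_keying_material() returns; never derive keys like that."""

# RFC 5764 section 4.1.2: (master key length, master salt length) per SRTP profile.
SRTP_PROFILES = {
    "SRTP_AES128_CM_SHA1_80": (16, 14),
    "SRTP_AES128_CM_SHA1_32": (16, 14),
    "SRTP_AEAD_AES_128_GCM": (16, 12),
    "SRTP_AEAD_AES_256_GCM": (32, 12),
}
EXPORTER_LABEL = b"EXTRACTOR-dtls_srtp"  # RFC 5764 exporter label, no context

def export_length(profile):
    """Bytes to request from the exporter: two master keys plus two master salts."""
    key_len, salt_len = SRTP_PROFILES[profile]
    return 2 * (key_len + salt_len)

def srtp_master_keys(exported, profile, dtls_role):
    """Return {'protect': key||salt, 'unprotect': key||salt} for srtp_create().

    RFC 5764 section 4.2 layout of the exported block:
        client_write_key | server_write_key | client_write_salt | server_write_salt
    The DTLS client's write key protects what the client sends, so the client
    uses it for srtp_protect() and the server uses it for srtp_unprotect().
    """
    key_len, salt_len = SRTP_PROFILES[profile]
    if len(exported) != 2 * (key_len + salt_len):
        raise ValueError("exported material has the wrong length for %s" % profile)
    off = 0
    client_key = exported[off:off + key_len]; off += key_len
    server_key = exported[off:off + key_len]; off += key_len
    client_salt = exported[off:off + salt_len]; off += salt_len
    server_salt = exported[off:off + salt_len]
    client_write = client_key + client_salt  # libsrtp wants key||salt in policy.key
    server_write = server_key + server_salt
    if dtls_role == "client":
        return {"protect": client_write, "unprotect": server_write}
    if dtls_role == "server":
        return {"protect": server_write, "unprotect": client_write}
    raise ValueError("dtls_role must be 'client' or 'server'")

# Constructed stand-in for exporter output (0x00..0x3b), 60 bytes for AES128_CM_SHA1_80.
SAMPLE_EXPORT = bytes(range(export_length("SRTP_AES128_CM_SHA1_80")))
```

In C the 60 bytes come from SSL_export_keying_material(ssl, buf, 60, "EXTRACTOR-dtls_srtp", 19, NULL, 0, 0) once the handshake is complete, the profile name from SSL_get_selected_srtp_profile(ssl)->name, and the 30-byte key||salt blob goes into srtp_policy_t.key after srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80() on the rtp and rtcp policies. Run the split twice, once per role, to get both the inbound and outbound srtp_t sessions; an SFU then re-protects the same RTP with the keys from each downstream peer's own DTLS handshake.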