Handle DTLS close_notify alert

Author: mickel8

examples/whip_whep/lib/whip_whep/forwarder.ex

@@ -94,7 +94,7 @@ defmodule WhipWhep.Forwarder do
   @impl true
   def handle_info({:ex_webrtc, pc, {:connection_state_change, :failed}}, state) do
     Logger.info("Output peer connection (#{inspect(pc)}) state change: failed. Removing.")
-    :ok = PeerConnection.close(pc)
+    :ok = PeerConnection.stop(pc)
     pending_outputs = List.delete(state.pending_outputs, pc)
     outputs = Map.delete(state.outputs, pc)
     state = %{state | pending_outputs: pending_outputs, outputs: outputs}

lib/ex_webrtc/dtls_transport.ex

@@ -146,7 +146,7 @@ defmodule ExWebRTC.DTLSTransport do
     state = %{state | ice_connected: true}
 
     if state.mode == :active do
-      {packets, timeout} = ExDTLS.do_handshake(state.dtls)
+      {:ok, packets, timeout} = ExDTLS.do_handshake(state.dtls)
       Process.send_after(self(), :dtls_timeout, timeout)
       :ok = do_send(state, packets)
       state = update_dtls_state(state, :connecting)
@@ -158,7 +158,7 @@ defmodule ExWebRTC.DTLSTransport do
   end
 
   @impl true
-  def handle_call(:set_ice_connected, _from, state) do
+  def handle_call(:set_ice_connected, _from, %{dtls_state: :connecting} = state) do
     state = %{state | ice_connected: true}
 
     if state.buffered_local_packets do
@@ -171,6 +171,17 @@ defmodule ExWebRTC.DTLSTransport do
     end
   end
 
+  @impl true
+  def handle_call(:set_ice_connected, _from, state) do
+    Logger.debug("""
+    Setting ice connected in unexpected DTLS state: #{state.dtls_state}. \
+    DTLS handshake won't be performed.\
+    """)
+
+    state = %{state | ice_connected: true}
+    {:reply, :ok, state}
+  end
+
   @impl true
   def handle_call(:get_certs_info, _from, state) do
     local_cert_info = %{
@@ -327,6 +338,14 @@ defmodule ExWebRTC.DTLSTransport do
       {:ok, state} ->
         {:noreply, state}
 
+      {:error, :peer_closed_for_writing} ->
+        # See W3C WebRTC sec. 5.5.1
+        # peer_closed_for_writing is returned when the remote side
+        # sends close_notify alert
+        ExDTLS.disconnect(state.dtls)
+        state = update_dtls_state(state, :closed)
+        {:noreply, state}
+
       {:error, _reason} ->
         # See W3C WebRTC sec. 5.5.
         state = update_dtls_state(state, :failed)
@@ -345,6 +364,12 @@ defmodule ExWebRTC.DTLSTransport do
     Logger.debug("Stopping DTLSTransport with reason: #{inspect(reason)}")
   end
 
+  defp handle_ice_data({:data, _data}, %{dtls_state: dtls_state} = state)
+       when dtls_state in [:failed, :closed] do
+    Logger.debug("Received DTLS packets in state #{dtls_state}. Ignoring.")
+    {:ok, state}
+  end
+
   defp handle_ice_data({:data, data}, %{dtls: nil} = state) do
     # received DTLS data from remote peer before receiving an
     # SDP answer and initializing the DTLS Transport, will buffer the data

lib/ex_webrtc/peer_connection.ex

@@ -63,7 +63,7 @@ defmodule ExWebRTC.PeerConnection do
 
   For the exact meaning, refer to the [RTCDtlsTransport: state property](https://developer.mozilla.org/en-US/docs/Web/API/RTCDtlsTransport/state)
   """
-  @type dtls_transport_state() :: :new | :connecting | :connected | :failed
+  @type dtls_transport_state() :: :new | :connecting | :connected | :closed | :failed
 
   @typedoc """
   Possible signaling states.
@@ -105,8 +105,8 @@ defmodule ExWebRTC.PeerConnection do
            | {:track_muted, MediaStreamTrack.id()}
            | {:track_ended, MediaStreamTrack.id()}
            | {:data, DataChannel.ref(), binary()}
-           | {:rtp, MediaStreamTrack.id(), String.t() | nil, ExRTP.Packet.t()}}
-          | {:rtcp, [{MediaStreamTrack.id() | nil, ExRTCP.Packet.packet()}]}
+           | {:rtp, MediaStreamTrack.id(), String.t() | nil, ExRTP.Packet.t()}
+           | {:rtcp, [{MediaStreamTrack.id() | nil, ExRTCP.Packet.packet()}]}}
 
   #### NON-MDN-API ####
 
@@ -574,11 +574,20 @@ defmodule ExWebRTC.PeerConnection do
   @doc """
   Closes the PeerConnection.
 
-  This function kills the `peer_connection` process.
+  This function doest not kill the `peer_connection` process.
+  If you want to stop the `peer_connection` process, see `stop/1`.
   For more information, refer to the [RTCPeerConnection: close() method](https://developer.mozilla.org/en-US/docs/Web/API/RTCPeerConnection/close).
   """
   @spec close(peer_connection()) :: :ok
   def close(peer_connection) do
+    GenServer.call(peer_connection, :close)
+  end
+
+  @doc """
+  Closes and stops PeerConnection process.
+  """
+  @spec stop(peer_connection()) :: :ok
+  def stop(peer_connection) do
     GenServer.stop(peer_connection)
   end
 
@@ -1271,6 +1280,11 @@ defmodule ExWebRTC.PeerConnection do
     {:reply, stats, state}
   end
 
+  @impl true
+  def handle_call(:close, _from, state) do
+    {:reply, :ok, state}
+  end
+
   @impl true
   def handle_cast({:send_rtp, track_id, packet, opts}, %{conn_state: conn_state} = state)
       when conn_state != :failed do

mix.exs

@@ -58,7 +58,8 @@ defmodule ExWebRTC.MixProject do
     [
       {:ex_sdp, "~> 1.0"},
       {:ex_ice, "~> 0.12.0"},
-      {:ex_dtls, "~> 0.17.0"},
+      # {:ex_dtls, "~> 0.17.0"},
+      {:ex_dtls, path: "/home/michal/Repos/elixir-webrtc/ex_dtls"},
       {:ex_libsrtp, "~> 0.7.1"},
       {:ex_rtp, "~> 0.4.0"},
       {:ex_rtcp, "~> 0.4.0"},

mix.lock

@@ -29,7 +29,7 @@
   "makeup_elixir": {:hex, :makeup_elixir, "1.0.1", "e928a4f984e795e41e3abd27bfc09f51db16ab8ba1aebdba2b3a575437efafc2", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}, {:nimble_parsec, "~> 1.2.3 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "7284900d412a3e5cfd97fdaed4f5ed389b8f2b4cb49efc0eb3bd10e2febf9507"},
   "makeup_erlang": {:hex, :makeup_erlang, "1.0.2", "03e1804074b3aa64d5fad7aa64601ed0fb395337b982d9bcf04029d68d51b6a7", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "af33ff7ef368d5893e4a267933e7744e46ce3cf1f61e2dccf53a111ed3aa3727"},
   "membrane_precompiled_dependency_provider": {:hex, :membrane_precompiled_dependency_provider, "0.1.2", "8af73b7dc15ba55c9f5fbfc0453d4a8edfb007ade54b56c37d626be0d1189aba", [:mix], [{:bundlex, "~> 1.4", [hex: :bundlex, repo: "hexpm", optional: false]}], "hexpm", "7fe3e07361510445a29bee95336adde667c4162b76b7f4c8af3aeb3415292023"},
-  "mime": {:hex, :mime, "2.0.6", "8f18486773d9b15f95f4f4f1e39b710045fa1de891fada4516559967276e4dc2", [:mix], [], "hexpm", "c9945363a6b26d747389aac3643f8e0e09d30499a138ad64fe8fd1d13d9b153e"},
+  "mime": {:hex, :mime, "2.0.7", "b8d739037be7cd402aee1ba0306edfdef982687ee7e9859bee6198c1e7e2f128", [:mix], [], "hexpm", "6171188e399ee16023ffc5b76ce445eb6d9672e2e241d2df6050f3c771e80ccd"},
   "mint": {:hex, :mint, "1.7.1", "113fdb2b2f3b59e47c7955971854641c61f378549d73e829e1768de90fc1abf1", [:mix], [{:castore, "~> 0.1.0 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: true]}, {:hpax, "~> 0.1.1 or ~> 0.2.0 or ~> 1.0", [hex: :hpax, repo: "hexpm", optional: false]}], "hexpm", "fceba0a4d0f24301ddee3024ae116df1c3f4bb7a563a731f45fdfeb9d39a231b"},
   "nimble_options": {:hex, :nimble_options, "1.1.1", "e3a492d54d85fc3fd7c5baf411d9d2852922f66e69476317787a7b2bb000a61b", [:mix], [], "hexpm", "821b2470ca9442c4b6984882fe9bb0389371b8ddec4d45a9504f00a66f650b44"},
   "nimble_parsec": {:hex, :nimble_parsec, "1.4.2", "8efba0122db06df95bfaa78f791344a89352ba04baedd3849593bfce4d0dc1c6", [:mix], [], "hexpm", "4b21398942dda052b403bbe1da991ccd03a053668d147d53fb8c4e0efe09c973"},

test/ex_webrtc/dtls_transport_test.exs

@@ -10,8 +10,10 @@ defmodule ExWebRTC.DTLSTransportTest do
                |> Utils.hex_dump()
 
   @rtp_header <<1::1, 0::1, 0::1, 0::1, 0::4, 0::1, 96::7, 1::16, 1::32, 1::32>>
+  @next_rtp_header <<1::1, 0::1, 0::1, 0::1, 0::4, 0::1, 96::7, 2::16, 1::32, 1::32>>
   @rtp_payload <<0>>
   @rtp_packet <<@rtp_header::binary, @rtp_payload::binary>>
+  @next_rtp_packet <<@next_rtp_header::binary, @rtp_payload::binary>>
 
   # empty rr packet
   @rtcp_rr_header <<2::2, 0::1, 0::5, 201::8, 1::16, 1::32>>
@@ -128,7 +130,7 @@ defmodule ExWebRTC.DTLSTransportTest do
     :ok = DTLSTransport.set_ice_connected(dtls)
 
     remote_dtls = ExDTLS.init(mode: :client, dtls_srtp: true)
-    {packets, _timeout} = ExDTLS.do_handshake(remote_dtls)
+    {:ok, packets, _timeout} = ExDTLS.do_handshake(remote_dtls)
 
     Enum.each(packets, &ice_transport.send_dtls(ice_pid, {:data, &1}))
     refute_receive {:mock_ice, _packets}
@@ -180,7 +182,7 @@ defmodule ExWebRTC.DTLSTransportTest do
     :ok = DTLSTransport.start_dtls(dtls, :passive, @fingerprint)
 
     remote_dtls = ExDTLS.init(mode: :client, dtls_srtp: true)
-    {packets, _timeout} = ExDTLS.do_handshake(remote_dtls)
+    {:ok, packets, _timeout} = ExDTLS.do_handshake(remote_dtls)
 
     Enum.each(packets, &ice_transport.send_dtls(ice_pid, {:data, &1}))
     refute_receive {:mock_ice, _packets}
@@ -200,7 +202,7 @@ defmodule ExWebRTC.DTLSTransportTest do
 
     :ok = DTLSTransport.set_ice_connected(dtls)
 
-    assert :ok = check_handshake(dtls, ice_transport, ice_pid, remote_dtls)
+    assert {:ok, _, _, _} = check_handshake(dtls, ice_transport, ice_pid, remote_dtls)
     assert_receive {:dtls_transport, ^dtls, {:state_change, :connecting}}
     assert_receive {:dtls_transport, ^dtls, {:state_change, :connected}}
 
@@ -228,12 +230,12 @@ defmodule ExWebRTC.DTLSTransportTest do
 
     :ok = DTLSTransport.start_dtls(dtls, :passive, remote_fingerprint)
 
-    {packets, _timeout} = ExDTLS.do_handshake(remote_dtls)
+    {:ok, packets, _timeout} = ExDTLS.do_handshake(remote_dtls)
     :ok = DTLSTransport.set_ice_connected(dtls)
 
     Enum.each(packets, &ice_transport.send_dtls(ice_pid, {:data, &1}))
 
-    assert :ok == check_handshake(dtls, ice_transport, ice_pid, remote_dtls)
+    assert {:ok, _, _, _} = check_handshake(dtls, ice_transport, ice_pid, remote_dtls)
     assert_receive {:dtls_transport, ^dtls, {:state_change, :connecting}}
     assert_receive {:dtls_transport, ^dtls, {:state_change, :connected}}
 
@@ -256,7 +258,7 @@ defmodule ExWebRTC.DTLSTransportTest do
 
     :ok = DTLSTransport.set_ice_connected(dtls)
 
-    assert :ok = check_handshake(dtls, ice_transport, ice_pid, remote_dtls)
+    assert {:ok, _, _, _} = check_handshake(dtls, ice_transport, ice_pid, remote_dtls)
     assert_receive {:dtls_transport, ^dtls, {:state_change, :connecting}}
     assert_receive {:dtls_transport, ^dtls, {:state_change, :connected}}
 
@@ -278,6 +280,60 @@ defmodule ExWebRTC.DTLSTransportTest do
     refute_receive {:mock_ice, _datachannel_packet}
   end
 
+  test "closes on receiving close_notify DTLS alert", %{
+    dtls: dtls,
+    ice_transport: ice_transport,
+    ice_pid: ice_pid
+  } do
+    :ok = DTLSTransport.start_dtls(dtls, :active, @fingerprint)
+    remote_dtls = ExDTLS.init(mode: :server, dtls_srtp: true)
+
+    :ok = DTLSTransport.set_ice_connected(dtls)
+
+    # perform DTLS-SRTP handshake
+    assert {:ok, remote_lkm, remote_rkm, remote_profile} =
+             check_handshake(dtls, ice_transport, ice_pid, remote_dtls)
+
+    assert_receive {:dtls_transport, ^dtls, {:state_change, :connecting}}
+    assert_receive {:dtls_transport, ^dtls, {:state_change, :connected}}
+
+    # create SRTP for remote side
+    {_remote_in_srtp, remote_out_srtp} = setup_srtp(remote_lkm, remote_rkm, remote_profile)
+
+    # assert packets can flow from remote to local
+    {:ok, protected} = ExLibSRTP.protect(remote_out_srtp, @rtp_packet)
+    ice_transport.send_dtls(ice_pid, {:data, protected})
+    assert_receive {:dtls_transport, ^dtls, {:rtp, @rtp_packet}}
+
+    # disconnect and send close_notify from remote to local
+    assert {:ok, packets} = ExDTLS.disconnect(remote_dtls)
+    Enum.each(packets, &ice_transport.send_dtls(ice_pid, {:data, &1}))
+
+    # assert local received close_notify and moved to the closed state
+    assert_receive {:dtls_transport, ^dtls, {:state_change, :closed}}
+
+    # assert that data cannot be sent by local
+    :ok = DTLSTransport.send_rtp(dtls, @rtp_packet)
+    refute_receive {:mock_ice, _rtp_packet}
+    :ok = DTLSTransport.send_rtp(dtls, @rtcp_rr_packet)
+    refute_receive {:mock_ice, _rtcp_packet}
+    :ok = DTLSTransport.send_data(dtls, <<1, 2, 3>>)
+    refute_receive {:mock_ice, _datachannel_packet}
+
+    # assert that incoming data is ignored by local
+    {:ok, protected} = ExLibSRTP.protect(remote_out_srtp, @next_rtp_packet)
+    ice_transport.send_dtls(ice_pid, {:data, protected})
+    refute_receive {:dtls_transport, ^dtls, {:rtp, _data}}
+
+    # assert getting certs still works
+    assert %{local_cert_info: local_cert, remote_cert_info: remote_cert} =
+             DTLSTransport.get_certs_info(dtls)
+
+    assert local_cert != nil
+    assert remote_cert != nil
+    assert DTLSTransport.get_fingerprint(dtls) != nil
+  end
+
   defp check_handshake(dtls, ice_transport, ice_pid, remote_dtls) do
     assert_receive {:mock_ice, packets}
 
@@ -289,17 +345,45 @@ defmodule ExWebRTC.DTLSTransportTest do
         Enum.each(packets, &ice_transport.send_dtls(ice_pid, {:data, &1}))
         check_handshake(dtls, ice_transport, ice_pid, remote_dtls)
 
-      {:handshake_finished, _, _, _, packets} ->
+      {:handshake_finished, lkm, rkm, profile, packets} ->
         Enum.each(packets, &ice_transport.send_dtls(ice_pid, {:data, &1}))
-        :ok
+        {:ok, lkm, rkm, profile}
 
-      {:handshake_finished, _, _, _} ->
-        :ok
+      {:handshake_finished, lkm, rkm, profile} ->
+        {:ok, lkm, rkm, profile}
     end
   end
 
   test "stop/1", %{dtls: dtls} do
     assert :ok == DTLSTransport.stop(dtls)
     assert false == Process.alive?(dtls)
   end
+
+  defp setup_srtp(lkm, rkm, profile) do
+    in_srtp = ExLibSRTP.new()
+    out_srtp = ExLibSRTP.new()
+
+    {:ok, crypto_profile} =
+      ExLibSRTP.Policy.crypto_profile_from_dtls_srtp_protection_profile(profile)
+
+    inbound_policy = %ExLibSRTP.Policy{
+      ssrc: :any_inbound,
+      key: rkm,
+      rtp: crypto_profile,
+      rtcp: crypto_profile
+    }
+
+    :ok = ExLibSRTP.add_stream(in_srtp, inbound_policy)
+
+    outbound_policy = %ExLibSRTP.Policy{
+      ssrc: :any_outbound,
+      key: lkm,
+      rtp: crypto_profile,
+      rtcp: crypto_profile
+    }
+
+    :ok = ExLibSRTP.add_stream(out_srtp, outbound_policy)
+
+    {in_srtp, out_srtp}
+  end
 end