5

I have a server which receives OFFER, ANSWER, CANDIDATE-s from web browser for a WebRTC session and passes to its peer. Later the data is also passed from the same server.

Now to implement our own SFU-like mechanism, I was considering, if this data I can decrypt to the actual raw bytes and then pass it to the multiple peers with their own encryption. For that I thought of using open source libsrtp library. Here is its example code.
It has primarily 2 functions srtp_protect() to encrtypt and srtp_unprotect() to decrypt.

Question: How to use such library in the conjunction of above WebRTC SDP headers (viz offer, answer, candidate) to get the raw RTP bytes & encrypt them again?

[Note: The other open source solutions like "MediaSoup", "Janus" etc. are not in scope of this post.]

iammilind
  • 68,093
  • 33
  • 169
  • 336

2 Answers2

2

If you have the Offer, Answer and Candidates you have enough information to establish a WebRTC Session. Before you worry about encrypting/decrypting you need to establish ICE Connectivity

For ICE you need each Agents user-fragment and password. You exchange these values via Offer/Answer. I would start with ice-lite. You need to accept STUN Request packets, assert that the user-fragment is correct and it is signed with the password. You then respond with STUN Response with your user fragment and signed with your password. The IP/Port that is sending you traffic is the remote peer.

For C/C++ I would suggest libjuice or libnice. This is also something you could write yourself! Happy to add more details to my answer on either implementation if that is helpful.

Next you need to establish a DTLS Session. You need to know each sides role. In the Offer/Answer each side will declare either setup:active for Client, setup:passive for Server or setup:actpass if it defers the choice to the other side. When you know the details it is time to start the handshake.

See dtls.c for examples of making a DTLS Handshake, Extracting the keying material and more. The important part is setting your role properly, and setting up Read/Write BIOs. Since OpenSSL can't send over ICE you need to pass data in/out of OpenSSL yourself. Also make sure you validate the certificate fingerprint in the Offer/Answer!

When you are done you can send SCTP(DataChannels) over this DTLS connection.

If you want to do SRTP you need to Export the Keying material and then determine what cipher suite was used.

With this keying material + cipher suite. You create the session and then you can decrypt the packets

I am happy to add more examples/talk more specifically about certain APIs if that is helpful.

Sean DuBois
  • 3,972
  • 1
  • 11
  • 22
  • Very nice answer! – iammilind Feb 10 '22 at 02:46
  • Thank you! Best of luck on your journey on building your SFU. I love questions like these, it gets more good WebRTC info out there. I am also working on a Open Source book https://webrtcforthecurious.com and would love your feedback as you learn more about WebRTC! – Sean DuBois Feb 10 '22 at 14:21
  • Have started a bounty. Please see if you can provide some examples which I can easily integrate in my project. Thanks for the help! Here is another [question for the bounty](https://stackoverflow.com/q/71107066). – iammilind Feb 17 '22 at 00:56
1

WebRTC uses DTLS-SRTP so the SRTP keys are derived from the DTLS handshake which preceedes the SRTP packets.

The main openssl (or boringssl) APIs used for this are SSL_CTX_set_tlsext_use_srtp, SSL_set_info_callback and SSL_export_keying_material which exports the SRTP keys (that are used in the calls to libsrtps srtp_create)

Examples of using those APIs together are quite rare, both Janus and MediaSoup are good examples of how to use them if you are allowed to look at their code license-wise.

Philipp Hancke
  • 15,855
  • 2
  • 23
  • 31
  • Have started a bounty. Please see if you can provide some examples which I can easily integrate in my project. Thanks for the help! Here is another [question for the bounty](https://stackoverflow.com/q/71107066) – iammilind Feb 17 '22 at 00:56