mediasoup 3.20.4 → 3.20.6

package/worker/src/RTC/Transport.cpp

@@ -12,7 +12,7 @@
 #include "FBS/transport.h"
 #include "RTC/BweType.hpp"
 #include "RTC/Consts.hpp"
-#include "RTC/PipeConsumer.hpp"
+#include "RTC/Consumer.hpp"
 #include "RTC/RTCP/FeedbackPs.hpp"
 #include "RTC/RTCP/FeedbackPsAfb.hpp"
 #include "RTC/RTCP/FeedbackPsRemb.hpp"
@@ -22,9 +22,6 @@
 #include "RTC/RtpDictionaries.hpp"
 #include "RTC/SCTP/association/Association.hpp"
 #include "RTC/SCTP/public/SctpOptions.hpp"
-#include "RTC/SimpleConsumer.hpp"
-#include "RTC/SimulcastConsumer.hpp"
-#include "RTC/SvcConsumer.hpp"
 #ifdef MS_RTC_LOGGER_RTP
 #include "RTC/RtcLogger.hpp"
 #endif
@@ -41,7 +38,8 @@ namespace RTC
 	  SharedInterface* shared,
 	  const std::string& id,
 	  RTC::Transport::Listener* listener,
-	  const FBS::Transport::Options* options)
+	  const FBS::Transport::Options* options,
+	  bool requireSctpStateCookieAuthentication)
 	  : id(id),
 	    shared(shared),
 	    listener(listener),
@@ -87,7 +85,8 @@ namespace RTC
 				.maxSendBufferSize           = this->sctpSendBufferSize,
 				.perStreamSendQueueLimit     = this->sctpPerStreamSendQueueLimit,
 				.maxReceiveMessageSize       = this->maxReceiveMessageSize,
-				.maxReceiverWindowBufferSize = this->sctpMaxReceiverWindowBufferSize
+				.maxReceiverWindowBufferSize = this->sctpMaxReceiverWindowBufferSize,
+				.requireAuthenticatedCookie  = requireSctpStateCookieAuthentication
 			};
 
 			this->sctpAssociation = std::make_unique<RTC::SCTP::Association>(
@@ -780,44 +779,8 @@ namespace RTC
 					MS_THROW_ERROR("a Consumer with same consumerId already exists");
 				}
 
-				auto type = RTC::RtpParameters::Type(body->type());
-
-				RTC::Consumer* consumer{ nullptr };
-
-				switch (type)
-				{
-					case RTC::RtpParameters::Type::SIMPLE:
-					{
-						// This may throw.
-						consumer = new RTC::SimpleConsumer(this->shared, consumerId, producerId, this, body);
-
-						break;
-					}
-
-					case RTC::RtpParameters::Type::SIMULCAST:
-					{
-						// This may throw.
-						consumer = new RTC::SimulcastConsumer(this->shared, consumerId, producerId, this, body);
-
-						break;
-					}
-
-					case RTC::RtpParameters::Type::SVC:
-					{
-						// This may throw.
-						consumer = new RTC::SvcConsumer(this->shared, consumerId, producerId, this, body);
-
-						break;
-					}
-
-					case RTC::RtpParameters::Type::PIPE:
-					{
-						// This may throw.
-						consumer = new RTC::PipeConsumer(this->shared, consumerId, producerId, this, body);
-
-						break;
-					}
-				}
+				// This may throw.
+				auto* consumer = new RTC::Consumer(this->shared, consumerId, producerId, this, body);
 
 				// Notify the listener.
 				// This may throw if no Producer is found.

package/worker/src/RTC/WebRtcTransport.cpp

@@ -38,7 +38,10 @@ namespace RTC
 	  const std::string& id,
 	  RTC::Transport::Listener* listener,
 	  const FBS::WebRtcTransport::WebRtcTransportOptions* options)
-	  : RTC::Transport::Transport(shared, id, listener, options->base())
+	  // SCTP over WebRtcTransport runs within a DTLS session, so State Cookie
+	  // authentication is not needed.
+	  : RTC::Transport::Transport(
+	      shared, id, listener, options->base(), /*requireSctpStateCookieAuthentication*/ false)
 	{
 		MS_TRACE();
 
@@ -284,7 +287,10 @@ namespace RTC
 	  WebRtcTransportListener* webRtcTransportListener,
 	  const std::vector<RTC::ICE::IceCandidate>& iceCandidates,
 	  const FBS::WebRtcTransport::WebRtcTransportOptions* options)
-	  : RTC::Transport::Transport(shared, id, listener, options->base()),
+	  // SCTP over WebRtcTransport runs within a DTLS session, so State Cookie
+	  // authentication is not needed.
+	  : RTC::Transport::Transport(
+	      shared, id, listener, options->base(), /*requireSctpStateCookieAuthentication*/ false),
 	    webRtcTransportListener(webRtcTransportListener),
 	    iceCandidates(iceCandidates)
 	{

package/worker/test/include/RTC/SCTP/sctpCommon.hpp

@@ -54,8 +54,8 @@ namespace sctpCommon
 		REQUIRE(packet->GetSourcePort() == sourcePort);                                                \
 		REQUIRE(packet->GetDestinationPort() == destinationPort);                                      \
 		REQUIRE(packet->GetVerificationTag() == verificationTag);                                      \
-		REQUIRE(packet->GetChecksum() == checksum);                                                    \
 		REQUIRE(packet->ValidateCRC32cChecksum() == hasValidCrc32cChecksum);                           \
+		REQUIRE(packet->GetChecksum() == checksum);                                                    \
 		REQUIRE(packet->GetChunksCount() == chunksCount);                                              \
 		REQUIRE(packet->HasChunks() == (chunksCount > 0));                                             \
 		REQUIRE(packet->GetChunkAt(chunksCount) == nullptr);                                           \

package/worker/test/src/RTC/SCTP/association/TestAssociation.cpp

@@ -1,5 +1,7 @@
 #include "common.hpp"
 #include "RTC/SCTP/association/Association.hpp"
+#include "RTC/SCTP/association/NegotiatedCapabilities.hpp"
+#include "RTC/SCTP/association/StateCookie.hpp"
 #include "RTC/SCTP/packet/ErrorCause.hpp"
 #include "RTC/SCTP/packet/Packet.hpp"
 #include "RTC/SCTP/packet/chunks/AbortAssociationChunk.hpp"
@@ -1752,4 +1754,117 @@ SCENARIO("SCTP Association", "[sctp][association]")
 
 		REQUIRE(getReceivedMessagePpids(z).empty() == true);
 	}
+
+	SECTION("establishes connection with State Cookie authentication enabled")
+	{
+		auto sctpOptions = makeSctpOptions();
+
+		sctpOptions.requireAuthenticatedCookie = true;
+
+		AssociationUnderTest a(sctpOptions);
+		AssociationUnderTest z(sctpOptions);
+
+		// The full handshake must succeed: Z generates an authenticated cookie that
+		// A echoes back and Z verifies against its own secret.
+		connectAssociations(a, z);
+	}
+
+	SECTION("forged COOKIE-ECHO is accepted without authentication but rejected with it")
+	{
+		// Forge a plain (unauthenticated) State Cookie with attacker-chosen values,
+		// as in the published PoC. It passes the magic checks but carries no MAC.
+		const uint32_t forgedTag = 0xDEADBEEF;
+		const RTC::SCTP::NegotiatedCapabilities negotiatedCapabilities;
+
+		std::vector<uint8_t> cookieBuffer(RTC::SCTP::StateCookie::StateCookieLength);
+
+		RTC::SCTP::StateCookie::Write(
+		  cookieBuffer.data(),
+		  cookieBuffer.size(),
+		  /*localVerificationTag*/ forgedTag,
+		  /*remoteVerificationTag*/ 0xCAFEBABE,
+		  /*localInitialTsn*/ 1000,
+		  /*remoteInitialTsn*/ 2000,
+		  /*remoteAdvertisedReceiverWindowCredit*/ 65535,
+		  /*tieTag*/ 0,
+		  negotiatedCapabilities);
+
+		// Builds a COOKIE-ECHO packet carrying the forged cookie. `buffers` must
+		// outlive the returned packet.
+		const auto buildForgedCookieEcho =
+		  [&](std::vector<uint8_t>& packetBuffer) -> std::unique_ptr<RTC::SCTP::Packet>
+		{
+			auto packet           = buildPacket(packetBuffer, forgedTag);
+			auto* cookieEchoChunk = packet->BuildChunkInPlace<RTC::SCTP::CookieEchoChunk>();
+
+			cookieEchoChunk->SetCookie(cookieBuffer.data(), cookieBuffer.size());
+			cookieEchoChunk->Consolidate();
+
+			return packet;
+		};
+
+		// Without authentication, the forged COOKIE-ECHO is accepted and an
+		// association is wrongly established (this is the vulnerability).
+		{
+			AssociationUnderTest z;
+
+			std::vector<uint8_t> packetBuffer(1500);
+
+			const auto packet = buildForgedCookieEcho(packetBuffer);
+
+			injectPacket(z, packet.get());
+
+			REQUIRE(z.association.GetAssociationState() == RTC::SCTP::Types::AssociationState::CONNECTED);
+		}
+
+		// With authentication required, the forged COOKIE-ECHO fails MAC
+		// verification and is silently discarded.
+		{
+			auto sctpOptions = makeSctpOptions();
+
+			sctpOptions.requireAuthenticatedCookie = true;
+
+			AssociationUnderTest z(sctpOptions);
+
+			std::vector<uint8_t> packetBuffer(1500);
+
+			const auto packet = buildForgedCookieEcho(packetBuffer);
+
+			injectPacket(z, packet.get());
+
+			REQUIRE(z.association.GetAssociationState() != RTC::SCTP::Types::AssociationState::CONNECTED);
+			// No COOKIE-ACK (nor any other packet) is sent in response.
+			REQUIRE(z.listener.ConsumeFirstSentPacket().empty() == true);
+		}
+	}
+
+	SECTION("rejects a stale COOKIE-ECHO when authentication is required")
+	{
+		auto sctpOptions = makeSctpOptions();
+
+		sctpOptions.requireAuthenticatedCookie = true;
+
+		AssociationUnderTest a(sctpOptions);
+		AssociationUnderTest z(sctpOptions);
+
+		a.association.Connect();
+		// Z reads INIT, produces INIT-ACK with an authenticated cookie timestamped
+		// with Z's current time.
+		deliverFirstSentPacket(a, z);
+		// A reads INIT-ACK, produces COOKIE-ECHO (echoing Z's cookie).
+		deliverFirstSentPacket(z, a);
+
+		// Make the cookie stale on Z's side by advancing its clock beyond the cookie
+		// lifespan before the COOKIE-ECHO is delivered.
+		z.AdvanceTimeMs(RTC::SCTP::StateCookie::ValidCookieLifeMs + 1000);
+
+		// Z reads the now stale COOKIE-ECHO.
+		deliverFirstSentPacket(a, z);
+
+		REQUIRE(z.association.GetAssociationState() != RTC::SCTP::Types::AssociationState::CONNECTED);
+		// Z responds with an ERROR chunk (carrying a Stale Cookie error cause).
+		REQUIRE(
+		  packetHasSingleChunkOfType<RTC::SCTP::OperationErrorChunk>(
+		    z.listener.ConsumeFirstSentPacket()) == true);
+	}
 }

package/worker/test/src/RTC/SCTP/association/TestStateCookie.cpp

@@ -507,4 +507,127 @@ SCENARIO("SCTP State Cookie", "[sctp][statecookie]")
 		  RTC::SCTP::StateCookie::DetermineSctpImplementation(buffer4, sizeof(buffer4)) ==
 		  RTC::SCTP::Types::SctpImplementation::UNKNOWN);
 	}
+
+	SECTION("authenticated StateCookie::Write() and StateCookie::VerifyMac() succeed")
+	{
+		const RTC::SCTP::NegotiatedCapabilities negotiatedCapabilities = {
+			.negotiatedMaxOutboundStreams = 62000,
+			.negotiatedMaxInboundStreams  = 55555,
+			.partialReliability           = true,
+			.messageInterleaving          = true,
+			.reConfig                     = true,
+			.zeroChecksum                 = false
+		};
+
+		const uint8_t macKey[]             = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+			                                     0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF };
+		const uint64_t creationTimestampMs = 1234567890;
+
+		auto* buffer = sctpCommon::FactoryBuffer;
+
+		RTC::SCTP::StateCookie::Write(
+		  /*buffer*/ buffer,
+		  /*bufferLength*/ RTC::SCTP::StateCookie::AuthenticatedStateCookieLength,
+		  /*localVerificationTag*/ 6660666,
+		  /*remoteVerificationTag*/ 9990999,
+		  /*localInitialTsn*/ 1110111,
+		  /*remoteInitialTsn*/ 2220222,
+		  /*remoteAdvertisedReceiverWindowCredit*/ 999909999,
+		  /*tieTag*/ 1111222233334444,
+		  negotiatedCapabilities,
+		  /*creationTimestampMs*/ creationTimestampMs,
+		  /*macKey*/ macKey,
+		  /*macKeyLength*/ sizeof(macKey));
+
+		/* It must be recognized as a (longer) mediasoup State Cookie. */
+
+		REQUIRE(
+		  RTC::SCTP::StateCookie::IsMediasoupStateCookie(
+		    buffer, RTC::SCTP::StateCookie::AuthenticatedStateCookieLength) == true);
+
+		/* Parse it. */
+
+		auto* stateCookie =
+		  RTC::SCTP::StateCookie::Parse(buffer, RTC::SCTP::StateCookie::AuthenticatedStateCookieLength);
+
+		REQUIRE(stateCookie);
+		REQUIRE(stateCookie->GetLength() == RTC::SCTP::StateCookie::AuthenticatedStateCookieLength);
+		REQUIRE(stateCookie->IsAuthenticated() == true);
+		REQUIRE(stateCookie->GetCreationTimestampMs() == creationTimestampMs);
+		REQUIRE(stateCookie->GetLocalVerificationTag() == 6660666);
+		REQUIRE(stateCookie->GetRemoteVerificationTag() == 9990999);
+
+		/* The MAC must verify with the right key. */
+
+		REQUIRE(
+		  RTC::SCTP::StateCookie::VerifyMac(
+		    buffer, RTC::SCTP::StateCookie::AuthenticatedStateCookieLength, macKey, sizeof(macKey)) ==
+		  true);
+
+		/* The MAC must NOT verify with a wrong key. */
+
+		const uint8_t wrongMacKey[] = { 0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99, 0x88,
+			                              0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00 };
+
+		REQUIRE(
+		  RTC::SCTP::StateCookie::VerifyMac(
+		    buffer,
+		    RTC::SCTP::StateCookie::AuthenticatedStateCookieLength,
+		    wrongMacKey,
+		    sizeof(wrongMacKey)) == false);
+
+		/* Tampering with any byte must invalidate the MAC. */
+
+		buffer[8] ^= 0x01;
+
+		REQUIRE(
+		  RTC::SCTP::StateCookie::VerifyMac(
+		    buffer, RTC::SCTP::StateCookie::AuthenticatedStateCookieLength, macKey, sizeof(macKey)) ==
+		  false);
+
+		buffer[8] ^= 0x01;
+
+		/* It verifies again once restored. */
+
+		REQUIRE(
+		  RTC::SCTP::StateCookie::VerifyMac(
+		    buffer, RTC::SCTP::StateCookie::AuthenticatedStateCookieLength, macKey, sizeof(macKey)) ==
+		  true);
+
+		delete stateCookie;
+	}
+
+	SECTION("StateCookie::VerifyMac() fails on a non-authenticated (plain) cookie")
+	{
+		const RTC::SCTP::NegotiatedCapabilities negotiatedCapabilities = {
+			.negotiatedMaxOutboundStreams = 62000,
+			.negotiatedMaxInboundStreams  = 55555,
+			.partialReliability           = true,
+			.messageInterleaving          = true,
+			.reConfig                     = true,
+			.zeroChecksum                 = false
+		};
+
+		const uint8_t macKey[] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };
+
+		auto* buffer = sctpCommon::FactoryBuffer;
+
+		// Write a plain (44 bytes) cookie.
+		RTC::SCTP::StateCookie::Write(
+		  /*buffer*/ buffer,
+		  /*bufferLength*/ RTC::SCTP::StateCookie::StateCookieLength,
+		  /*localVerificationTag*/ 6660666,
+		  /*remoteVerificationTag*/ 9990999,
+		  /*localInitialTsn*/ 1110111,
+		  /*remoteInitialTsn*/ 2220222,
+		  /*remoteAdvertisedReceiverWindowCredit*/ 999909999,
+		  /*tieTag*/ 1111222233334444,
+		  negotiatedCapabilities);
+
+		// A plain cookie has no MAC, so `VerifyMac()` must fail regardless of the
+		// key.
+		REQUIRE(
+		  RTC::SCTP::StateCookie::VerifyMac(
+		    buffer, RTC::SCTP::StateCookie::StateCookieLength, macKey, sizeof(macKey)) == false);
+	}
 }

package/worker/test/src/RTC/SCTP/packet/TestPacket.cpp

@@ -25,7 +25,7 @@ SCENARIO("SCTP Packet", "[serializable][sctp][packet]")
 		REQUIRE(alignof(RTC::SCTP::Packet::CommonHeader) == 4);
 	}
 
-	SECTION("Parse() without Chunks succeeds")
+	SECTION("Parse() without chunks succeeds")
 	{
 		// clang-format off
 		alignas(4) uint8_t buffer[] =
@@ -112,7 +112,7 @@ SCENARIO("SCTP Packet", "[serializable][sctp][packet]")
 		REQUIRE(packet->GetFirstChunkOfType<RTC::SCTP::DataChunk>() == nullptr);
 	}
 
-	SECTION("Parse() with Chunks succeeds")
+	SECTION("Parse() with chunks succeeds")
 	{
 		// clang-format off
 		alignas(4) uint8_t buffer[] =
@@ -502,7 +502,7 @@ SCENARIO("SCTP Packet", "[serializable][sctp][packet]")
 		REQUIRE(parameter3_1->GetInfo()[3] == 0x00);
 	}
 
-	SECTION("Factory() with Chunks succeeds")
+	SECTION("Factory() with chunks succeeds")
 	{
 		std::unique_ptr<RTC::SCTP::Packet> packet{ RTC::SCTP::Packet::Factory(
 			sctpCommon::FactoryBuffer, sizeof(sctpCommon::FactoryBuffer)) };
@@ -813,7 +813,7 @@ SCENARIO("SCTP Packet", "[serializable][sctp][packet]")
 		REQUIRE(obtainedChunk1->GetT() == true);
 	}
 
-	SECTION("BuildChunkInPlace() throws if given Chunk exceeds Packet buffer length")
+	SECTION("BuildChunkInPlace() throws if given chunk exceeds Packet buffer length")
 	{
 		std::unique_ptr<RTC::SCTP::Packet> packet{ RTC::SCTP::Packet::Factory(
 			sctpCommon::FactoryBuffer, 28) };

package/worker/test/src/RTC/{TestSimpleConsumer.cpp → TestConsumer.cpp}

@@ -1,11 +1,11 @@
 #include "FBS/rtpParameters.h"
 #include "FBS/transport.h"
+#include "RTC/Consumer.hpp"
 #include "RTC/RTP/Packet.hpp"
 #include "RTC/RTP/RtpStream.hpp"
 #include "RTC/RTP/RtpStreamRecv.hpp"
 #include "RTC/RTP/SharedPacket.hpp"
 #include "RTC/RtpDictionaries.hpp"
-#include "RTC/SimpleConsumer.hpp"
 #include "flatbuffers/buffer.h"
 #include "mocks/include/MockShared.hpp"
 #include <catch2/catch_test_macros.hpp>
@@ -112,7 +112,7 @@ namespace
 		return rtpParameters.FillBuffer(builder);
 	};
 
-	std::unique_ptr<RTC::SimpleConsumer> createConsumer(ConsumerListener* listener)
+	std::unique_ptr<RTC::Consumer> createConsumer(ConsumerListener* listener)
 	{
 		flatbuffers::FlatBufferBuilder bufferBuilder;
 
@@ -140,8 +140,8 @@ namespace
 
 		const auto* consumeRequest = flatbuffers::GetRoot<FBS::Transport::ConsumeRequest>(buf);
 
-		return std::make_unique<RTC::SimpleConsumer>(
-		  std::addressof(shared),
+		return std::make_unique<RTC::Consumer>(
+		  &shared,
 		  consumeRequest->consumerId()->str(),
 		  consumeRequest->producerId()->str(),
 		  listener,
@@ -181,12 +181,12 @@ namespace
 		}
 
 		std::unique_ptr<ConsumerListener> listener;
-		std::unique_ptr<RTC::SimpleConsumer> consumer;
+		std::unique_ptr<RTC::Consumer> consumer;
 		std::unique_ptr<RTC::RTP::RtpStreamRecv> rtpStream;
 	};
 } // namespace
 
-SCENARIO("SimpleConsumer", "[rtp][consumer]")
+SCENARIO("Consumer with SimpleProducerStreamManager", "[rtp][consumer]")
 {
 	// TODO: We should NOT parse RTP packets for tests anymore. We should use
 	// RTC::RTP::Packet::Factory() instead.
@@ -230,7 +230,6 @@ SCENARIO("SimpleConsumer", "[rtp][consumer]")
 		0xFF, 0xFF, 0xFF, 0xFF,
 		0xFF, 0xFF, 0xFF, 0xFF,
 		0xFF, 0xFF, 0xFF, 0xFF,
-		0xFF, 0xFF, 0xFF, 0xFF,
 	};
 	// clang-format on