Add server side ICE consent checks to detect silent WebRTC disconnect…

…ion (#1332)

Fixes #1127

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ### Next
 
+- Add server side ICE consent checks to detect silent WebRTC disconnections ([PR #1332](https://github.com/versatica/mediasoup/pull/1332)).
 - Fix regression (crash) in transport-cc feedback generation ([PR #1339](https://github.com/versatica/mediasoup/pull/1339)).
 
 ### 3.13.19

node/src/Router.ts

@@ -454,6 +454,7 @@ export class Router<
 		numSctpStreams = { OS: 1024, MIS: 1024 },
 		maxSctpMessageSize = 262144,
 		sctpSendBufferSize = 262144,
+		iceConsentTimeout = 30,
 		appData,
 	}: WebRtcTransportOptions<WebRtcTransportAppData>): Promise<
 		WebRtcTransport<WebRtcTransportAppData>
@@ -596,7 +597,8 @@ export class Router<
 				enableUdp,
 				enableTcp,
 				preferUdp,
-				preferTcp
+				preferTcp,
+				iceConsentTimeout
 			);
 
 		const requestOffset = new FbsRouter.CreateWebRtcTransportRequestT(

node/src/WebRtcTransport.ts

@@ -96,6 +96,11 @@ export type WebRtcTransportOptionsBase<WebRtcTransportAppData> = {
 	 */
 	preferTcp?: boolean;
 
+	/**
+	 * ICE consent timeout (in seconds). If 0 it is disabled. Default 30.
+	 */
+	iceConsentTimeout?: number;
+
 	/**
 	 * Initial available outgoing bitrate (in bps). Default 600000.
 	 */
@@ -836,7 +841,6 @@ function createConnectRequest({
 	// Serialize DtlsParameters. This can throw.
 	const dtlsParametersOffset = serializeDtlsParameters(builder, dtlsParameters);
 
-	// Create request.
 	return FbsWebRtcTransport.ConnectRequest.createConnectRequest(
 		builder,
 		dtlsParametersOffset

node/src/test/test-WebRtcTransport.ts

@@ -299,12 +299,16 @@ test('webRtcTransport.connect() succeeds', async () => {
 	};
 
 	await expect(
-		webRtcTransport.connect({ dtlsParameters: dtlsRemoteParameters })
+		webRtcTransport.connect({
+			dtlsParameters: dtlsRemoteParameters,
+		})
 	).resolves.toBeUndefined();
 
 	// Must fail if connected.
 	await expect(
-		webRtcTransport.connect({ dtlsParameters: dtlsRemoteParameters })
+		webRtcTransport.connect({
+			dtlsParameters: dtlsRemoteParameters,
+		})
 	).rejects.toThrow(Error);
 
 	expect(webRtcTransport.dtlsParameters.role).toBe('server');

rust/src/messages.rs

@@ -669,6 +669,7 @@ pub(crate) struct RouterCreateWebrtcTransportData {
     enable_tcp: bool,
     prefer_udp: bool,
     prefer_tcp: bool,
+    ice_consent_timeout: u8,
     enable_sctp: bool,
     num_sctp_streams: NumSctpStreams,
     max_sctp_message_size: u32,
@@ -701,6 +702,7 @@ impl RouterCreateWebrtcTransportData {
             enable_tcp: webrtc_transport_options.enable_tcp,
             prefer_udp: webrtc_transport_options.prefer_udp,
             prefer_tcp: webrtc_transport_options.prefer_tcp,
+            ice_consent_timeout: webrtc_transport_options.ice_consent_timeout,
             enable_sctp: webrtc_transport_options.enable_sctp,
             num_sctp_streams: webrtc_transport_options.num_sctp_streams,
             max_sctp_message_size: webrtc_transport_options.max_sctp_message_size,
@@ -726,6 +728,7 @@ impl RouterCreateWebrtcTransportData {
             enable_tcp: self.enable_tcp,
             prefer_udp: self.prefer_udp,
             prefer_tcp: self.prefer_tcp,
+            ice_consent_timeout: self.ice_consent_timeout,
         }
     }
 }

rust/src/router/webrtc_transport.rs

@@ -129,6 +129,9 @@ pub struct WebRtcTransportOptions {
     /// Prefer TCP.
     /// Default false.
     pub prefer_tcp: bool,
+    /// ICE consent timeout (in seconds). If 0 it is disabled.
+    /// Default 30.
+    pub ice_consent_timeout: u8,
     /// Create a SCTP association.
     /// Default false.
     pub enable_sctp: bool,
@@ -155,6 +158,7 @@ impl WebRtcTransportOptions {
             enable_tcp: false,
             prefer_udp: false,
             prefer_tcp: false,
+            ice_consent_timeout: 30,
             enable_sctp: false,
             num_sctp_streams: NumSctpStreams::default(),
             max_sctp_message_size: 262_144,
@@ -172,6 +176,7 @@ impl WebRtcTransportOptions {
             enable_tcp: true,
             prefer_udp: false,
             prefer_tcp: false,
+            ice_consent_timeout: 30,
             enable_sctp: false,
             num_sctp_streams: NumSctpStreams::default(),
             max_sctp_message_size: 262_144,

worker/Dockerfile

@@ -26,8 +26,8 @@ ENV LANG="C.UTF-8"
 ENV CC="clang"
 ENV CXX="clang++"
 
-ENV MEDIASOUP_LOCAL_DEV=true
-ENV KEEP_BUILD_ARTIFACTS=1
+ENV MEDIASOUP_LOCAL_DEV="true"
+ENV KEEP_BUILD_ARTIFACTS="1"
 
 WORKDIR /mediasoup
 

worker/Dockerfile.alpine

@@ -9,8 +9,8 @@ ENV LANG="C.UTF-8"
 ENV CC="gcc"
 ENV CXX="g++"
 
-ENV MEDIASOUP_LOCAL_DEV=true
-ENV KEEP_BUILD_ARTIFACTS=1
+ENV MEDIASOUP_LOCAL_DEV="true"
+ENV KEEP_BUILD_ARTIFACTS="1"
 
 WORKDIR /mediasoup
 

worker/fbs/webRtcTransport.fbs

@@ -23,6 +23,7 @@ table WebRtcTransportOptions {
     enable_tcp: bool = true;
     prefer_udp: bool = false;
     prefer_tcp: bool = false;
+    ice_consent_timeout: uint8 = 30;
 }
 
 enum FingerprintAlgorithm: uint8 {

worker/fuzzer/src/RTC/FuzzerStunPacket.cpp

@@ -1,6 +1,9 @@
 #include "RTC/FuzzerStunPacket.hpp"
 #include "RTC/StunPacket.hpp"
 
+static constexpr size_t StunSerializeBufferSize{ 65536 };
+thread_local static uint8_t StunSerializeBuffer[StunSerializeBufferSize];
+
 void Fuzzer::RTC::StunPacket::Fuzz(const uint8_t* data, size_t len)
 {
 	if (!::RTC::StunPacket::IsStun(data, len))
@@ -21,6 +24,7 @@ void Fuzzer::RTC::StunPacket::Fuzz(const uint8_t* data, size_t len)
 	packet->GetData();
 	packet->GetSize();
 	packet->SetUsername("foo", 3);
+	packet->SetPassword("lalala");
 	packet->SetPriority(123);
 	packet->SetIceControlling(123);
 	packet->SetIceControlled(123);
@@ -37,13 +41,21 @@ void Fuzzer::RTC::StunPacket::Fuzz(const uint8_t* data, size_t len)
 	packet->GetErrorCode();
 	packet->HasMessageIntegrity();
 	packet->HasFingerprint();
-	packet->CheckAuthentication("foo", "bar");
-	// TODO: packet->CreateSuccessResponse(); // This cannot be easily tested.
-	// TODO: packet->CreateErrorResponse(); // This cannot be easily tested.
-	packet->Authenticate("lalala");
-	// TODO: Cannot test Serialize() because we don't know the exact required
-	// buffer size (setters above may change the total size).
-	// TODO: packet->Serialize();
+	packet->CheckAuthentication("foo", "xxx");
+
+	if (packet->GetClass() == ::RTC::StunPacket::Class::REQUEST)
+	{
+		auto* successResponse = packet->CreateSuccessResponse();
+		auto* errorResponse   = packet->CreateErrorResponse(444);
+
+		delete successResponse;
+		delete errorResponse;
+	}
+
+	if (len < StunSerializeBufferSize - 1000)
+	{
+		packet->Serialize(StunSerializeBuffer);
+	}
 
 	delete packet;
 }

worker/include/RTC/IceServer.hpp

@@ -2,15 +2,17 @@
 #define MS_RTC_ICE_SERVER_HPP
 
 #include "common.hpp"
+#include "Utils.hpp"
 #include "FBS/webRtcTransport.h"
 #include "RTC/StunPacket.hpp"
 #include "RTC/TransportTuple.hpp"
+#include "handles/TimerHandle.hpp"
 #include <list>
 #include <string>
 
 namespace RTC
 {
-	class IceServer
+	class IceServer : public TimerHandle::Listener
 	{
 	public:
 		enum class IceState
@@ -53,8 +55,12 @@ namespace RTC
 		};
 
 	public:
-		IceServer(Listener* listener, const std::string& usernameFragment, const std::string& password);
-		~IceServer();
+		IceServer(
+		  Listener* listener,
+		  const std::string& usernameFragment,
+		  const std::string& password,
+		  uint8_t consentTimeoutSec);
+		~IceServer() override;
 
 	public:
 		void ProcessStunPacket(RTC::StunPacket* packet, RTC::TransportTuple* tuple);
@@ -74,28 +80,7 @@ namespace RTC
 		{
 			return this->selectedTuple;
 		}
-		void RestartIce(const std::string& usernameFragment, const std::string& password)
-		{
-			if (!this->oldUsernameFragment.empty())
-			{
-				this->listener->OnIceServerLocalUsernameFragmentRemoved(this, this->oldUsernameFragment);
-			}
-
-			this->oldUsernameFragment = this->usernameFragment;
-			this->usernameFragment    = usernameFragment;
-
-			this->oldPassword = this->password;
-			this->password    = password;
-
-			this->remoteNomination = 0u;
-
-			// Notify the listener.
-			this->listener->OnIceServerLocalUsernameFragmentAdded(this, usernameFragment);
-
-			// NOTE: Do not call listener->OnIceServerLocalUsernameFragmentRemoved()
-			// yet with old usernameFragment. Wait until we receive a STUN packet
-			// with the new one.
-		}
+		void RestartIce(const std::string& usernameFragment, const std::string& password);
 		bool IsValidTuple(const RTC::TransportTuple* tuple) const;
 		void RemoveTuple(RTC::TransportTuple* tuple);
 		/**
@@ -105,6 +90,9 @@ namespace RTC
 		void MayForceSelectedTuple(const RTC::TransportTuple* tuple);
 
 	private:
+		void ProcessStunRequest(RTC::StunPacket* request, RTC::TransportTuple* tuple);
+		void ProcessStunIndication(RTC::StunPacket* indication);
+		void ProcessStunResponse(RTC::StunPacket* response);
 		void HandleTuple(
 		  RTC::TransportTuple* tuple, bool hasUseCandidate, bool hasNomination, uint32_t nomination);
 		/**
@@ -120,19 +108,37 @@ namespace RTC
 		 * NOTE: The given tuple MUST be already stored within the list.
 		 */
 		void SetSelectedTuple(RTC::TransportTuple* storedTuple);
+		bool IsConsentCheckSupported() const
+		{
+			return this->consentTimeoutMs != 0u;
+		}
+		bool IsConsentCheckRunning() const
+		{
+			return (this->consentCheckTimer && this->consentCheckTimer->IsActive());
+		}
+		void StartConsentCheck();
+		void RestartConsentCheck();
+		void StopConsentCheck();
+
+		/* Pure virtual methods inherited from TimerHandle::Listener. */
+	public:
+		void OnTimer(TimerHandle* timer) override;
 
 	private:
 		// Passed by argument.
 		Listener* listener{ nullptr };
-		// Others.
 		std::string usernameFragment;
 		std::string password;
+		uint16_t consentTimeoutMs{ 30000u };
+		// Others.
 		std::string oldUsernameFragment;
 		std::string oldPassword;
 		IceState state{ IceState::NEW };
 		uint32_t remoteNomination{ 0u };
 		std::list<RTC::TransportTuple> tuples;
 		RTC::TransportTuple* selectedTuple{ nullptr };
+		TimerHandle* consentCheckTimer{ nullptr };
+		uint64_t lastConsentRequestReceivedAtMs{ 0u };
 	};
 } // namespace RTC
 

worker/include/RTC/StunPacket.hpp

@@ -50,7 +50,7 @@ namespace RTC
 		{
 			OK           = 0,
 			UNAUTHORIZED = 1,
-			BAD_REQUEST  = 2
+			BAD_MESSAGE  = 2
 		};
 
 	public:
@@ -95,6 +95,10 @@ namespace RTC
 		{
 			return this->size;
 		}
+		const uint8_t* GetTransactionId() const
+		{
+			return this->transactionId;
+		}
 		void SetUsername(const char* username, size_t len)
 		{
 			this->username.assign(username, len);
@@ -127,6 +131,10 @@ namespace RTC
 		{
 			this->errorCode = errorCode;
 		}
+		void SetSoftware(const char* software, size_t len)
+		{
+			this->software.assign(software, len);
+		}
 		void SetMessageIntegrity(const uint8_t* messageIntegrity)
 		{
 			this->messageIntegrity = messageIntegrity;
@@ -139,6 +147,7 @@ namespace RTC
 		{
 			return this->username;
 		}
+		void SetPassword(const std::string& password);
 		uint32_t GetPriority() const
 		{
 			return this->priority;
@@ -171,6 +180,10 @@ namespace RTC
 		{
 			return this->errorCode;
 		}
+		std::string GetSoftware() const
+		{
+			return this->software;
+		}
 		bool HasMessageIntegrity() const
 		{
 			return (this->messageIntegrity != nullptr);
@@ -180,10 +193,11 @@ namespace RTC
 			return this->hasFingerprint;
 		}
 		Authentication CheckAuthentication(
-		  const std::string& localUsername, const std::string& localPassword);
+		  // The first username fragment in the USERNAME attribute.
+		  const std::string& usernameFragment1,
+		  const std::string& password);
 		StunPacket* CreateSuccessResponse();
 		StunPacket* CreateErrorResponse(uint16_t errorCode);
-		void Authenticate(const std::string& password);
 		void Serialize(uint8_t* buffer);
 
 	private:
@@ -194,7 +208,8 @@ namespace RTC
 		uint8_t* data{ nullptr };                // Pointer to binary data.
 		size_t size{ 0u };                       // The full message size (including header).
 		// STUN attributes.
-		std::string username;          // Less than 513 bytes.
+		std::string username; // Less than 513 bytes.
+		std::string password;
 		uint32_t priority{ 0u };       // 4 bytes unsigned integer.
 		uint64_t iceControlling{ 0u }; // 8 bytes unsigned integer.
 		uint64_t iceControlled{ 0u };  // 8 bytes unsigned integer.
@@ -205,7 +220,7 @@ namespace RTC
 		bool hasFingerprint{ false };                       // 4 bytes.
 		const struct sockaddr* xorMappedAddress{ nullptr }; // 8 or 20 bytes.
 		uint16_t errorCode{ 0u };                           // 4 bytes (no reason phrase).
-		std::string password;
+		std::string software;                               // Less than 763 bytes.
 	};
 } // namespace RTC