Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the remote description after SDP negotiation? #1203

Closed
achingbrain opened this issue Jun 6, 2024 · 6 comments · Fixed by #1206
Closed

Update the remote description after SDP negotiation? #1203

achingbrain opened this issue Jun 6, 2024 · 6 comments · Fixed by #1206

Comments

@achingbrain
Copy link
Contributor

This is related to #1166

For libp2p WebRTC-Direct after the DTLS handshake has taken place and the connection becomes ready to use, we open a datachannel and use it to verify the local and remote certificate fingerprints and the peer identifier so we can assert that the remote peer is the peer we think they are.

During connection we set the remote certificate fingerprint to a dummy value and disable fingerprint validation, since we are going to do it later.

When we come to do it we need access to the fingerprint of the remote certificate.

The browser RTCPeerConnection has a .currentRemoteDescription property - this returns:

an object describing the remote end of the connection as it was most recently successfully negotiated

and includes the fingerprint of the remote connection.

The node.js polyfill returns the remoteDescription when this property is accessed, the same as .remoteDescription - this is not quite right as the .remoteDescription property should return what was passed to .setRemoteDescription - this can be different to the currently negotiated state of remote end of the connection.

The Description class parses the fingerprint out of the description passed to .setRemoteDescription, later on that fingerprint is verified or not, depending on config - would it be possible to have a copy of the local Description that gets updated with the actual fingerprint the connection uses?

If this is done along with the final ICE candidates etc it would make it possible to implement .currentRemoteDescription on the polyfill correctly and also for me to implement the final piece of the WebRTC-Direct connection listener.

I can try to implement this if it's acceptable though it's really stretching my C++!
@xicilion
Copy link
Contributor

xicilion commented Jun 6, 2024
edited
Loading

sure, this is a feature that is needed on the listening side, I tried to make some modifications but may need to change the const attribute of libdatachannel's checkFingerprint function, which feels bad.
Maybe you can have a better implementation.

This was referenced Jun 7, 2024
Closed
Closed
@achingbrain
Copy link
Contributor Author

may need to change the const attribute of libdatachannel's checkFingerprint function, which feels bad

I opened #1204 to implement this and edit up removing the const attribute as above. It works though I'm open to better ideas..

@xicilion
Copy link
Contributor

xicilion commented Jun 7, 2024

I opened #1204 to implement this and edit up removing the const attribute as above. It works though I'm open to better ideas..

Yes, I noticed that, adding currentRemoteDescription is a great idea, I like it.

@paullouisageneau
Copy link
Owner

The browser RTCPeerConnection has a .currentRemoteDescription property - this returns:

an object describing the remote end of the connection as it was most recently successfully negotiated

and includes the fingerprint of the remote connection.

The node.js polyfill returns the remoteDescription when this property is accessed, the same as .remoteDescription - this is not quite right as the .remoteDescription property should return what was passed to .setRemoteDescription - this can be different to the currently negotiated state of remote end of the connection.

The Description class parses the fingerprint out of the description passed to .setRemoteDescription, later on that fingerprint is verified or not, depending on config - would it be possible to have a copy of the local Description that gets updated with the actual fingerprint the connection uses?

@achingbrain I think there is a misunderstanding about what RTCPeerConnection.currentRemoteDescription is. The difference only matters during renegotiation: the current description corresponds to the last successful negotiation, whereas pendingRemoteDescription is the new one being negotiated. remoteDescription is the pending description if it exists, otherwise the current one. For more details look at Pending and current descriptions.

The situation you are discussing here does not happen in the standard because a peer is supposed to reject fingerprints that don't match, but the sure thing is that set descriptions must not be updated according to what happens on the wire. In this case changing the description might even be misleading as users could consider it as the source of truth for what the expected fingerprint was.

I appreciate the effort, however currentRemoteDescription is not a proper way to report information about the current connection to the user, I think a rtc::PeerConnection::remoteFingerprints() getter would be appropriate for this use case.

achingbrain added a commit to achingbrain/libdatachannel that referenced this issue Jun 11, 2024
@achingbrain
feat: add remoteFingerprints method to PeerConnection
29eb6a6 
Returns a vector that contains the certificate fingerprints used
by the connection to the remote peer.

Closes paullouisageneau#1203
Refs paullouisageneau#1166
achingbrain added a commit to achingbrain/libdatachannel that referenced this issue Jun 11, 2024
@achingbrain
feat: add remoteFingerprints method to PeerConnection
ec95ef5 
Returns a vector that contains the certificate fingerprints used
by the connection to the remote peer.

Closes paullouisageneau#1203
Refs paullouisageneau#1166
achingbrain added a commit to achingbrain/libdatachannel that referenced this issue Jun 11, 2024
@achingbrain
feat: add remoteFingerprints method to PeerConnection
be5a4d9 
Returns a vector that contains the certificate fingerprints used
by the connection to the remote peer.

Closes paullouisageneau#1203
Refs paullouisageneau#1166
@achingbrain achingbrain mentioned this issue Jun 11, 2024
Merged
@achingbrain
Copy link
Contributor Author

I chose currentRemoteDescription precisely because it can change during the lifetime of the connection, though my opinion is not very strong.

#1206 adds the suggested rtc::PeerConnection::remoteFingerprints() method.

@paullouisageneau
Copy link
Owner

I chose currentRemoteDescription precisely because it can change during the lifetime of the connection, though my opinion is not very strong.

Sure, all descriptions can change, only they have to be changed by signaling, and currentRemoteDescription must be the same as remoteDescriptionwhen there is no pending description. It must not be changed to reflect wire status.

#1206 adds the suggested rtc::PeerConnection::remoteFingerprints() method.

Thank you for adding!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@paullouisageneau @achingbrain @xicilion