PSA: restrictions to ice-ufrag and ice-pwd syntax


Philipp Hancke

Feb 21, 2020, 8:58:05 AM
to discuss...@googlegroups.com
If you encounter the following error please read this message in full. This should only happen when talking to non-browser endpoints in Chrome 81 (beta):
Failed to execute 'setRemoteDescription' on 'RTCPeerConnection': Failed to set remote offer sdp: Failed to apply the description for video:
Invalid ICE parameters: ICE ufrag must contain only alphanumeric characters, '+', and '/'.
(there is a similar variant for ice-pwd)

In the past the parsing of the ice-ufrag and ice-pwd attributes in the SDP has been relatively liberal and allowed a bunch of characters that were not allowed by the specification.
RFC 5245 defines ice-ufrag and ice-pwd as follows in
   ice-pwd-att           = "ice-pwd" ":" password
   ice-ufrag-att         = "ice-ufrag" ":" ufrag
   password              = 22*256ice-char
   ufrag                 = 4*256ice-char
with ice-char being defined as
ALPHA / DIGIT / "+" / "/"
so basically alphanumeric characters, "+" and "/" (which is what the commit message says).
Recently I found a creative way to put some potentially harmful stuff there. I'll go into details some day ;-)

As a mitigation,
https://webrtc.googlesource.com/src.git/+/71ff07369837d6575c04ebff7002d07d6e0af25f
started enforcing the definition from the spec. We've recently been notified that this also breaks when including a "-":
https://bugs.chromium.org/p/chromium/issues/detail?id=1053756
My servers broke on the next chrome unstable nightly test because I included a "=". Whoops.
While spec-compliance is a great goal, breaking stuff without announcements is not cool so we're temporarily allowing "-" and "=" despite not being allowed by the specification.

The Google folks have said that they intend to merge the more lenient rules to Chrome 81 which is where the restrictions are going to ship as well. According to the Chrome release calendar this is going to ship mid-March:
https://www.chromium.org/developers/calendar
If this still breaks for you and you need more time: please holler. Here, in the bug or reach out in another way.

Please note that "-" and "/" will be rejected again at some point in the future. Please verify your implementations do the correct thing.

Philipp
very sad about no longer being allowed to include the snowman emoji in the SDP

Roman Shpount

Feb 21, 2020, 10:20:19 AM
to discuss-webrtc
I assume you mean

Please note that "-" and "=" will be rejected again at some point in the future.


Roman

Philipp Hancke

Feb 21, 2020, 10:54:25 AM
to discuss...@googlegroups.com
Good catch, thank you Roman!


Philipp Hancke

Feb 25, 2020, 12:06:19 PM
to discuss...@googlegroups.com
add "#" and "_" to the list of temporarily allowed characters (those haven't rolled into chrome yet).

Philipp Hancke

Mar 26, 2020, 12:52:43 PM
to discuss...@googlegroups.com
reminder: this is still going to ship in M81, even though a tad later according to https://chromereleases.googleblog.com/2020/03/chrome-and-chrome-os-release-updates.html
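
A check for the grammar quoted in the first message, as an added example that is not part of the thread or of the WebRTC code base: it classifies every a=ice-ufrag and a=ice-pwd line of an SDP blob as spec-compliant, temporarily tolerated ("-", "=", "#", "_" as listed in the thread), or invalid. The function name, status labels and sample SDP are constructed for illustration; findings report only the length, not the credential value.

```javascript
// Added example: lint ICE credentials in SDP against the RFC 5245 grammar quoted above.
const ICE_CHAR = /^[A-Za-z0-9+/]*$/;        // ice-char = ALPHA / DIGIT / "+" / "/"
const TOLERATED = /^[A-Za-z0-9+/\-=#_]*$/;  // plus "-", "=", "#", "_" (temporary, per the thread)
const LIMITS = { 'ice-ufrag': [4, 256], 'ice-pwd': [22, 256] }; // ufrag = 4*256, password = 22*256

function checkIceCredentials(sdp) {
  const findings = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=(ice-ufrag|ice-pwd):(.*)$/.exec(line);
    if (!m) continue;
    const [, attr, value] = m;
    const [min, max] = LIMITS[attr];
    let status;
    if (value.length < min || value.length > max) status = 'bad-length';
    else if (ICE_CHAR.test(value)) status = 'ok';               // safe long term
    else if (TOLERATED.test(value)) status = 'tolerated';       // works now, will be rejected later
    else status = 'bad-char';                                   // rejected by the strict parser
    // Do not echo the value itself: ice-pwd is a credential.
    findings.push({ attr, status, length: value.length });
  }
  return findings;
}

// Constructed sample SDP fragment (not captured from a real session).
const SAMPLE_SDP = [
  'v=0',
  'a=ice-ufrag:Ab3+',
  'a=ice-pwd:abcdefghijklmnopqrstuv',
  'm=video 9 UDP/TLS/RTP/SAVPF 96',
  'a=ice-ufrag:user-1',
  'a=ice-pwd:YWJjZGVmZ2hpamtsbW5vcHFyc3Q=',
  'a=ice-ufrag:sn\u2603w',
  'a=ice-pwd:tooshort',
].join('\r\n');

console.log(checkIceCredentials(SAMPLE_SDP));
```

Anything reported as 'tolerated' is the case to fix on the server side before the lenient rules are withdrawn.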