PSA: restrictions to ice-ufrag and ice-pwd syntax

467 views
Skip to first unread message

Philipp Hancke

unread,
Feb 21, 2020, 8:58:05 AM2/21/20
to discuss...@googlegroups.com
If you encounter the following error please read this message in full. This should only happen when talking to non-browser endpoints in Chrome 81 (beta):
Failed to execute 'setRemoteDescription' on 'RTCPeerConnection': Failed to set remote offer sdp: Failed to apply the description for video:
Invalid ICE parameters: ICE ufrag must contain only alphanumeric characters, '+', and '/'.
(there is a similar variant for ice-pwd)

In the past the parsing of the ice-ufrag and ice-pwd attributes in the SDP has been relatively liberal and allowed a bunch of characters that were not allowed by the specification
RFC 5245 defines ice-ufrag and ice-pwd as follows in
   ice-pwd-att           = "ice-pwd" ":" password
   ice-ufrag-att         = "ice-ufrag" ":" ufrag
   password              = 22*256ice-char
   ufrag                 = 4*256ice-char
with ice-char being defined as
ALPHA / DIGIT / "+" / "/"
so basically alphanumeric characters, "+" and "/" (which is what the commit message says).
Recently I found a creative way to put some potentially harmful stuff there. I'll go into details some day ;-)

As a mitigation,
https://webrtc.googlesource.com/src.git/+/71ff07369837d6575c04ebff7002d07d6e0af25f
started enforcing the definition from the spec. We've recently been notified that this also breaks when including a "-":
https://bugs.chromium.org/p/chromium/issues/detail?id=1053756
My servers broke on the next chrome unstable nightly test because I included a "=". Whoops.
While spec-compliance is a great goal, breaking stuff without announcements is not cool so we're temporarily allowing "-" and "=" despite not being allowed by the specification.

The Google folks have said that they intend to merge the more lenient rules to Chrome 81 which is where the restrictions are going to ship as well. According to the chrome release calendar this is going to ship mid-march:
https://www.chromium.org/developers/calendar
If this still breaks for you and you need more time: please holler. Here, in the bug or reach out in another way.

Please note that "-" and "/" will be rejected again at some point in the future. Please verify your implementations do the correct thing.

Philipp
very sad about no longer ebing allowed to include the snowman emoji in the SDP

Roman Shpount

unread,
Feb 21, 2020, 10:20:19 AM2/21/20
to discuss-webrtc
I assume you mean

Please note that "-" and "=" will be rejected again at some point in the future.


Roman

Philipp Hancke

unread,
Feb 21, 2020, 10:54:25 AM2/21/20
to discuss...@googlegroups.com
Good catch, thank you Roman!

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/5bd1bbed-a171-4564-8796-a556fe8f3578%40googlegroups.com.

Philipp Hancke

unread,
Feb 25, 2020, 12:06:19 PM2/25/20
to discuss...@googlegroups.com
add "#" and "_" to the list of temporarily allowed characters (those haven't rolled into chrome yet).

Philipp Hancke

unread,
Mar 26, 2020, 12:52:43 PM3/26/20
to discuss...@googlegroups.com
reminder: this is still going to ship in M81, even though a tad later according to https://chromereleases.googleblog.com/2020/03/chrome-and-chrome-os-release-updates.html
Reply all
Reply to author
Forward
0 new messages