[Asterisk-code-review] res_rtp_asterisk: Check remote ICE reset and reset local ice attrb (asterisk[master])

Joshua Colp asteriskteam at digium.com
Wed Mar 3 09:54:02 CST 2021


Joshua Colp has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/15533 )

Change subject: res_rtp_asterisk:  Check remote ICE reset and reset local ice attrb
......................................................................

res_rtp_asterisk:  Check remote ICE reset and reset local ice attrb

This change checks whether the remote ICE session was reset by
comparing the offered ufrag and password with those stored in the session.
If the remote side reset its ICE session, Asterisk resets its local ufrag
and password so that binding requests using the old ufrag and password are rejected.

ASTERISK-29266

Change-Id: I9c55e79a7af98a8fbb497d336b828ba41bc34eeb
---
M res/res_pjsip_sdp_rtp.c
M res/res_rtp_asterisk.c
2 files changed, 57 insertions(+), 0 deletions(-)

Approvals:
  Joshua Colp: Looks good to me, but someone else must approve; Approved for Submit
  George Joseph: Looks good to me, approved



diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
index a807c23..a6f4975 100644
--- a/res/res_pjsip_sdp_rtp.c
+++ b/res/res_pjsip_sdp_rtp.c
@@ -773,6 +773,43 @@
 	}
 }
 
+static void process_ice_auth_attrb(struct ast_sip_session *session, struct ast_sip_session_media *session_media,
+				   const struct pjmedia_sdp_session *remote, const struct pjmedia_sdp_media *remote_stream)
+{
+	struct ast_rtp_engine_ice *ice;
+	const pjmedia_sdp_attr *ufrag_attr, *passwd_attr;
+	char ufrag_attr_value[256];
+	char passwd_attr_value[256];
+
+	/* If ICE support is not enabled or available exit early */
+	if (!session->endpoint->media.rtp.ice_support || !(ice = ast_rtp_instance_get_ice(session_media->rtp))) {
+		return;
+	}
+
+	ufrag_attr = pjmedia_sdp_media_find_attr2(remote_stream, "ice-ufrag", NULL);
+	if (!ufrag_attr) {
+		ufrag_attr = pjmedia_sdp_attr_find2(remote->attr_count, remote->attr, "ice-ufrag", NULL);
+	}
+	if (ufrag_attr) {
+		ast_copy_pj_str(ufrag_attr_value, (pj_str_t*)&ufrag_attr->value, sizeof(ufrag_attr_value));
+	} else {
+		return;
+	}
+        passwd_attr = pjmedia_sdp_media_find_attr2(remote_stream, "ice-pwd", NULL);
+	if (!passwd_attr) {
+		passwd_attr = pjmedia_sdp_attr_find2(remote->attr_count, remote->attr, "ice-pwd", NULL);
+	}
+	if (passwd_attr) {
+		ast_copy_pj_str(passwd_attr_value, (pj_str_t*)&passwd_attr->value, sizeof(passwd_attr_value));
+	} else {
+		return;
+	}
+
+	if (ufrag_attr && passwd_attr) {
+		ice->set_authentication(session_media->rtp, ufrag_attr_value, passwd_attr_value);
+	}
+}
+
 /*! \brief Function which processes ICE attributes in an audio stream */
 static void process_ice_attributes(struct ast_sip_session *session, struct ast_sip_session_media *session_media,
 				   const struct pjmedia_sdp_session *remote, const struct pjmedia_sdp_media *remote_stream)
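Review bot: process_ice_auth_attrb has no `/*! \brief ... */` header although process_ice_attributes directly below it does, and nothing in it says that the ufrag/pwd it forwards come straight from the peer's SDP. A header such as `/*! \brief Pass the remote ice-ufrag/ice-pwd (media level first, then session level) to the RTP engine */` would cover it. The closing `if (ufrag_attr && passwd_attr)` is always true, because both lookups already return on a miss, so `ice->set_authentication(...)` can be called unconditionally. The two 256-byte buffers presumably cut a longer remote value to 255 bytes without any log line (this depends on ast_copy_pj_str, which is not shown here), so the header should mention the limit. The `passwd_attr = ...` line is indented with spaces where the rest of the function uses tabs.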
@@ -1509,6 +1546,11 @@
 	/* If ICE support is enabled find all the needed attributes */
 	check_ice_support(session, session_media, stream);
 
+	/* If ICE support is enabled then check remote ICE started? */
+	if (session_media->remote_ice) {
+		process_ice_auth_attrb(session, session_media, sdp, stream);
+	}
+
 	if (ast_sip_session_is_pending_stream_default(session, asterisk_stream) && media_type == AST_MEDIA_TYPE_AUDIO) {
 		/* Check if incomming SDP is changing the remotely held state */
 		if (ast_sockaddr_isnull(addrs) ||
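Review bot: The added comment `/* If ICE support is enabled then check remote ICE started? */` reads as a question and does not say why the call is made at this point in stream processing. Something like `/* Remote offered ICE: hand its ufrag/pwd to the RTP engine so a changed pair is detected as an ICE restart */` states the intent. The enclosing function starts and ends outside the hunk, so the ordering relative to later ICE processing cannot be checked from here.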
diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index 403c397..a962d70 100644
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -273,6 +273,8 @@
 /*! \brief List of ICE host candidate mappings */
 static AST_RWLIST_HEAD_STATIC(host_candidates, ast_ice_host_candidate);
 
+static char *generate_random_string(char *buf, size_t size);
+
 #endif
 
 #define FLAG_3389_WARNING               (1 << 0)
@@ -766,14 +768,27 @@
 static void ast_rtp_ice_set_authentication(struct ast_rtp_instance *instance, const char *ufrag, const char *password)
 {
 	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
+	int ice_attrb_reset = 0;
 
 	if (!ast_strlen_zero(ufrag)) {
+		if (!ast_strlen_zero(rtp->remote_ufrag) && strcmp(ufrag, rtp->remote_ufrag)) {
+			ice_attrb_reset = 1;
+		}
 		ast_copy_string(rtp->remote_ufrag, ufrag, sizeof(rtp->remote_ufrag));
 	}
 
 	if (!ast_strlen_zero(password)) {
+		if (!ast_strlen_zero(rtp->remote_passwd) && strcmp(password, rtp->remote_passwd)) {
+			ice_attrb_reset = 1;
+		}
 		ast_copy_string(rtp->remote_passwd, password, sizeof(rtp->remote_passwd));
 	}
+
+	/* If the remote ufrag or passwd changed, local ufrag and passwd need to regenerate */
+	if (ice_attrb_reset) {
+		generate_random_string(rtp->local_ufrag, sizeof(rtp->local_ufrag));
+		generate_random_string(rtp->local_passwd, sizeof(rtp->local_passwd));
+	}
 }
 
 static int ice_candidate_cmp(void *obj, void *arg, int flags)
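Review bot: The reset branch at the end of ast_rtp_ice_set_authentication only overwrites `rtp->local_ufrag` and `rtp->local_passwd`; nothing visible here rebuilds the running ICE session or marks the local SDP as needing the new values, so whether binding requests carrying the old credentials are actually rejected depends on code outside the hunk. The comment should name that dependency, for example `/* Remote restarted ICE: rotate local ufrag/passwd; they take effect when the ICE session is next (re)created */`, if that is indeed how it works. Because local_passwd keys STUN message integrity, it is also worth confirming that generate_random_string, which is only forward-declared in this patch, draws from a cryptographically strong source. A change in either value alone sets `ice_attrb_reset`, so an offer that changes only one of the two is treated as a restart as well.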

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15533

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: I9c55e79a7af98a8fbb497d336b828ba41bc34eeb
Gerrit-Change-Number: 15533
Gerrit-PatchSet: 2
Gerrit-Owner: Salah Ahmed <txrubel at gmail.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-MessageType: merged