[Asterisk-code-review] res_srtp: Disable parsing of not enabled cryptos (asterisk[18])

Friendly Automation asteriskteam at digium.com
Wed Sep 8 18:20:47 CDT 2021 

Friendly Automation has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/16436 )

Change subject: res_srtp: Disable parsing of not enabled cryptos
......................................................................

res_srtp: Disable parsing of not enabled cryptos

When compiled without extended srtp crypto suites also disable parsing
these from received SDP. This prevents using these, as some client
implementations are not stable.

ASTERISK-29625

Change-Id: I7dafb29be1cdaabdc984002573f4bea87520533a
---
M res/res_srtp.c
1 file changed, 18 insertions(+), 14 deletions(-)

Approvals:
  Joshua Colp: Looks good to me, but someone else must approve
  Kevin Harwell: Looks good to me, approved
  Benjamin Keith Ford: Looks good to me, but someone else must approve
  Friendly Automation: Approved for Submit



diff --git a/res/res_srtp.c b/res/res_srtp.c
index 3519def..cdd95af 100644
--- a/res/res_srtp.c
+++ b/res/res_srtp.c
@@ -275,7 +275,7 @@
 		crypto_policy_set_aes_cm_128_hmac_sha1_32(p);
 		return 0;
 
-#ifdef HAVE_SRTP_192
+#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)
 	case AST_AES_CM_192_HMAC_SHA1_80:
 		crypto_policy_set_aes_cm_192_hmac_sha1_80(p);
 		return 0;
@@ -284,7 +284,7 @@
 		crypto_policy_set_aes_cm_192_hmac_sha1_32(p);
 		return 0;
 #endif
-#ifdef HAVE_SRTP_256
+#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)
 	case AST_AES_CM_256_HMAC_SHA1_80:
 		crypto_policy_set_aes_cm_256_hmac_sha1_80(p);
 		return 0;
@@ -293,18 +293,19 @@
 		crypto_policy_set_aes_cm_256_hmac_sha1_32(p);
 		return 0;
 #endif
-#ifdef HAVE_SRTP_GCM
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)
 	case AST_AES_GCM_128:
 		crypto_policy_set_aes_gcm_128_16_auth(p);
 		return 0;
 
-	case AST_AES_GCM_256:
-		crypto_policy_set_aes_gcm_256_16_auth(p);
-		return 0;
-
 	case AST_AES_GCM_128_8:
 		crypto_policy_set_aes_gcm_128_8_auth(p);
 		return 0;
+#endif
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)
+	case AST_AES_GCM_256:
+		crypto_policy_set_aes_gcm_256_16_auth(p);
+		return 0;
 
 	case AST_AES_GCM_256_8:
 		crypto_policy_set_aes_gcm_256_8_auth(p);
@@ -880,7 +881,7 @@
 		suite_val = AST_AES_CM_128_HMAC_SHA1_32;
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_32);
 		key_len_expected = 30;
-#ifdef HAVE_SRTP_192
+#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)
 	} else if (!strcmp(suite, "AES_192_CM_HMAC_SHA1_80")) {
 		suite_val = AST_AES_CM_192_HMAC_SHA1_80;
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_80);
@@ -905,7 +906,7 @@
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);
 		key_len_expected = 38;
 #endif
-#ifdef HAVE_SRTP_256
+#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)
 	} else if (!strcmp(suite, "AES_256_CM_HMAC_SHA1_80")) {
 		suite_val = AST_AES_CM_256_HMAC_SHA1_80;
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_80);
@@ -930,21 +931,24 @@
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);
 		key_len_expected = 46;
 #endif
-#ifdef HAVE_SRTP_GCM
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)
 	} else if (!strcmp(suite, "AEAD_AES_128_GCM")) {
 		suite_val = AST_AES_GCM_128;
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_16);
 		key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
+	/* RFC contained a (too) short auth tag for RTP media, some still use that */
+	} else if (!strcmp(suite, "AEAD_AES_128_GCM_8")) {
+		suite_val = AST_AES_GCM_128_8;
+		ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
+		key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
+#endif
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)
 	} else if (!strcmp(suite, "AEAD_AES_256_GCM")) {
 		suite_val = AST_AES_GCM_256;
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_16);
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_AES_256);
 		key_len_expected = AES_256_GCM_KEYSIZE_WSALT;
 	/* RFC contained a (too) short auth tag for RTP media, some still use that */
-	} else if (!strcmp(suite, "AEAD_AES_128_GCM_8")) {
-		suite_val = AST_AES_GCM_128_8;
-		ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
-		key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
 	} else if (!strcmp(suite, "AEAD_AES_256_GCM_8")) {
 		suite_val = AST_AES_GCM_256_8;
 		ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/16436
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 18
Gerrit-Change-Id: I7dafb29be1cdaabdc984002573f4bea87520533a
Gerrit-Change-Number: 16436
Gerrit-PatchSet: 2
Gerrit-Owner: Jasper Hafkenscheid <jasper.hafkenscheid at wearespindle.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20210908/234973fa/attachment-0001.html>

More information about the asterisk-code-review mailing list