<p>Jasper Hafkenscheid has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/16408">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_srtp: Disable parsing of not enabled cryptos<br><br>When compiled without extended srtp crypto suites also disable parsing<br>these from received SDP. This prevents using these, as some client<br>implementations are not stable.<br><br>ASTERISK-29625<br><br>Change-Id: I7dafb29be1cdaabdc984002573f4bea87520533a<br>---<br>M res/res_srtp.c<br>1 file changed, 18 insertions(+), 14 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/08/16408/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/res/res_srtp.c b/res/res_srtp.c</span><br><span>index 3519def..cdd95af 100644</span><br><span>--- a/res/res_srtp.c</span><br><span>+++ b/res/res_srtp.c</span><br><span>@@ -275,7 +275,7 @@</span><br><span> crypto_policy_set_aes_cm_128_hmac_sha1_32(p);</span><br><span> return 0;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-#ifdef HAVE_SRTP_192</span><br><span style="color: hsl(120, 100%, 40%);">+#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)</span><br><span> case AST_AES_CM_192_HMAC_SHA1_80:</span><br><span> crypto_policy_set_aes_cm_192_hmac_sha1_80(p);</span><br><span> return 0;</span><br><span>@@ -284,7 +284,7 @@</span><br><span> crypto_policy_set_aes_cm_192_hmac_sha1_32(p);</span><br><span> return 0;</span><br><span> #endif</span><br><span style="color: hsl(0, 100%, 40%);">-#ifdef HAVE_SRTP_256</span><br><span style="color: hsl(120, 100%, 40%);">+#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)</span><br><span> case AST_AES_CM_256_HMAC_SHA1_80:</span><br><span> crypto_policy_set_aes_cm_256_hmac_sha1_80(p);</span><br><span> return 0;</span><br><span>@@ -293,18 +293,19 @@</span><br><span> crypto_policy_set_aes_cm_256_hmac_sha1_32(p);</span><br><span> return 0;</span><br><span> #endif</span><br><span style="color: hsl(0, 100%, 40%);">-#ifdef HAVE_SRTP_GCM</span><br><span style="color: hsl(120, 100%, 40%);">+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)</span><br><span> case AST_AES_GCM_128:</span><br><span> crypto_policy_set_aes_gcm_128_16_auth(p);</span><br><span> return 0;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- case AST_AES_GCM_256:</span><br><span style="color: hsl(0, 100%, 40%);">- crypto_policy_set_aes_gcm_256_16_auth(p);</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> case AST_AES_GCM_128_8:</span><br><span> crypto_policy_set_aes_gcm_128_8_auth(p);</span><br><span> return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)</span><br><span style="color: hsl(120, 100%, 40%);">+ case AST_AES_GCM_256:</span><br><span style="color: hsl(120, 100%, 40%);">+ crypto_policy_set_aes_gcm_256_16_auth(p);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span> </span><br><span> case AST_AES_GCM_256_8:</span><br><span> crypto_policy_set_aes_gcm_256_8_auth(p);</span><br><span>@@ -880,7 +881,7 @@</span><br><span> suite_val = AST_AES_CM_128_HMAC_SHA1_32;</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_32);</span><br><span> key_len_expected = 30;</span><br><span style="color: hsl(0, 100%, 40%);">-#ifdef HAVE_SRTP_192</span><br><span style="color: hsl(120, 100%, 40%);">+#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)</span><br><span> } else if (!strcmp(suite, "AES_192_CM_HMAC_SHA1_80")) {</span><br><span> suite_val = AST_AES_CM_192_HMAC_SHA1_80;</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_80);</span><br><span>@@ -905,7 +906,7 @@</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);</span><br><span> key_len_expected = 38;</span><br><span> #endif</span><br><span style="color: hsl(0, 100%, 40%);">-#ifdef HAVE_SRTP_256</span><br><span style="color: hsl(120, 100%, 40%);">+#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)</span><br><span> } else if (!strcmp(suite, "AES_256_CM_HMAC_SHA1_80")) {</span><br><span> suite_val = AST_AES_CM_256_HMAC_SHA1_80;</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_80);</span><br><span>@@ -930,21 +931,24 @@</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);</span><br><span> key_len_expected = 46;</span><br><span> #endif</span><br><span style="color: hsl(0, 100%, 40%);">-#ifdef HAVE_SRTP_GCM</span><br><span style="color: hsl(120, 100%, 40%);">+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)</span><br><span> } else if (!strcmp(suite, "AEAD_AES_128_GCM")) {</span><br><span> suite_val = AST_AES_GCM_128;</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_16);</span><br><span> key_len_expected = AES_128_GCM_KEYSIZE_WSALT;</span><br><span style="color: hsl(120, 100%, 40%);">+ /* RFC contained a (too) short auth tag for RTP media, some still use that */</span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (!strcmp(suite, "AEAD_AES_128_GCM_8")) {</span><br><span style="color: hsl(120, 100%, 40%);">+ suite_val = AST_AES_GCM_128_8;</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);</span><br><span style="color: hsl(120, 100%, 40%);">+ key_len_expected = AES_128_GCM_KEYSIZE_WSALT;</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)</span><br><span> } else if (!strcmp(suite, "AEAD_AES_256_GCM")) {</span><br><span> suite_val = AST_AES_GCM_256;</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_16);</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_AES_256);</span><br><span> key_len_expected = AES_256_GCM_KEYSIZE_WSALT;</span><br><span> /* RFC contained a (too) short auth tag for RTP media, some still use that */</span><br><span style="color: hsl(0, 100%, 40%);">- } else if (!strcmp(suite, "AEAD_AES_128_GCM_8")) {</span><br><span style="color: hsl(0, 100%, 40%);">- suite_val = AST_AES_GCM_128_8;</span><br><span style="color: hsl(0, 100%, 40%);">- ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);</span><br><span style="color: hsl(0, 100%, 40%);">- key_len_expected = AES_128_GCM_KEYSIZE_WSALT;</span><br><span> } else if (!strcmp(suite, "AEAD_AES_256_GCM_8")) {</span><br><span> suite_val = AST_AES_GCM_256_8;</span><br><span> ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/16408">change 16408</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/16408"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16 </div>
<div style="display:none"> Gerrit-Change-Id: I7dafb29be1cdaabdc984002573f4bea87520533a </div>
<div style="display:none"> Gerrit-Change-Number: 16408 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Jasper Hafkenscheid <jasper.hafkenscheid@wearespindle.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>