[asterisk-commits] irroot: branch irroot/distrotech-customers-trunk r320443 - in /team/irroot/di...
Sun May 22 08:00:47 CDT 2011
Author: irroot
Date: Sun May 22 08:00:35 2011
New Revision: 320443
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=320443
Log:
SRTP optional and make authtag configurable.
Always use right tag len in response based on INVITE
Modified:
team/irroot/distrotech-customers-trunk/channels/chan_sip.c
team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h
team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h
team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h
team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c
Modified: team/irroot/distrotech-customers-trunk/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/chan_sip.c?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/chan_sip.c (original)
+++ team/irroot/distrotech-customers-trunk/channels/chan_sip.c Sun May 22 08:00:35 2011
@@ -5436,17 +5436,23 @@
if (p->rtp && !p->srtp && setup_srtp(&p->srtp) < 0) {
ast_log(LOG_WARNING, "SRTP audio setup failed\n");
- return -1;
+ if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+ return -1;
+ }
}
if (p->vrtp && !p->vsrtp && setup_srtp(&p->vsrtp) < 0) {
ast_log(LOG_WARNING, "SRTP video setup failed\n");
- return -1;
+ if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+ return -1;
+ }
}
if (p->trtp && !p->vsrtp && setup_srtp(&p->tsrtp) < 0) {
ast_log(LOG_WARNING, "SRTP text setup failed\n");
- return -1;
+ if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+ return -1;
+ }
}
}
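Review bot: The text-stream check at L38 tests `!p->vsrtp` but sets up `&p->tsrtp`, so text SRTP is skipped whenever video SRTP is already set up and, conversely, can be re-run over an existing `p->tsrtp`; the condition should read `if (p->trtp && !p->tsrtp && setup_srtp(&p->tsrtp) < 0) {`. This predates the commit but the new try-mode fall-through makes the branch reachable on more call paths, so it is worth fixing here. Note also that in try mode a failed setup_srtp() is only logged at LOG_WARNING and nothing marks the dialog as downgraded, so a later "encryption=try" call that silently runs plain RTP is hard to spot from the logs; a short comment on the new block stating that the call intentionally continues unencrypted would help. The enclosing function starts and ends outside the hunk.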
@@ -8975,32 +8981,48 @@
if (secure_audio && !(p->srtp && (ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK)))) {
ast_log(LOG_WARNING, "Can't provide secure audio requested in SDP offer\n");
- res = -4;
- goto process_sdp_cleanup;
+ if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+ res = -4;
+ goto process_sdp_cleanup;
+ }
}
if (!secure_audio && p->srtp) {
ast_log(LOG_WARNING, "We are requesting SRTP, but they responded without it!\n");
- res = -4;
- goto process_sdp_cleanup;
+ if (ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+ sip_srtp_destroy(p->srtp);
+ p->srtp = NULL;
+ } else {
+ res = -4;
+ goto process_sdp_cleanup;
+ }
}
if (secure_video && !(p->vsrtp && (ast_test_flag(p->vsrtp, SRTP_CRYPTO_OFFER_OK)))) {
ast_log(LOG_WARNING, "Can't provide secure video requested in SDP offer\n");
- res = -4;
- goto process_sdp_cleanup;
+ if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+ res = -4;
+ goto process_sdp_cleanup;
+ }
}
if (!p->novideo && !secure_video && p->vsrtp) {
ast_log(LOG_WARNING, "We are requesting SRTP, but they responded without it!\n");
- res = -4;
- goto process_sdp_cleanup;
+ if (ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+ sip_srtp_destroy(p->vsrtp);
+ p->vsrtp = NULL;
+ } else {
+ res = -4;
+ goto process_sdp_cleanup;
+ }
}
if (!(secure_audio || secure_video) && ast_test_flag(&p->flags[1], SIP_PAGE2_USE_SRTP)) {
ast_log(LOG_WARNING, "Matched device setup to use SRTP, but request was not!\n");
- res = -4;
- goto process_sdp_cleanup;
+ if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+ res = -4;
+ goto process_sdp_cleanup;
+ }
}
if (udptlportno == -1) {
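Review bot: The try-mode branches at L51-L54 and L93-L96 keep p->srtp (and at L72-L75 p->vsrtp) alive after logging that secure media cannot be provided or was not requested, whereas the two "responded without it" branches at L60-L62 and L81-L83 destroy the instance and NULL the pointer. As far as this page shows, get_crypto_attrib() later emits an a=crypto line and RTP/SAVP whenever srtp->crypto is set, so a plain RTP/AVP offer processed in try mode looks like it can still be answered with SAVP; the relaxed 488 check at L155-L156 depends on the same state. Mirroring the teardown in those branches, `sip_srtp_destroy(p->srtp); p->srtp = NULL;` (and the vsrtp counterpart), would make all try paths leave the dialog in a consistent unencrypted state. process_sdp's body continues outside the hunk.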
@@ -11055,14 +11077,25 @@
}
}
-static void get_crypto_attrib(struct sip_srtp *srtp, const char **a_crypto)
-{
+static void get_crypto_attrib(struct sip_pvt *p, struct sip_srtp *srtp, const char **a_crypto)
+{
+ int bitlen = 80;
+
/* Set encryption properties */
if (srtp) {
if (!srtp->crypto) {
srtp->crypto = sdp_crypto_setup();
}
- if (srtp->crypto && (sdp_crypto_offer(srtp->crypto) >= 0)) {
+
+ /* set the key length based on INVITE or settings */
+ if (ast_test_flag(srtp, SRTP_CRYPTO_TAG_80)) {
+ bitlen = 80;
+ } else if (ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TAG_32) ||
+ ast_test_flag(srtp, SRTP_CRYPTO_TAG_32)) {
+ bitlen = 32;
+ }
+
+ if (srtp->crypto && (sdp_crypto_offer(srtp->crypto, bitlen) >= 0)) {
*a_crypto = sdp_crypto_attrib(srtp->crypto);
}
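Review bot: The comment at L115 says "key length", but bitlen selects the HMAC-SHA1 authentication-tag length (the _80/_32 suffix that sdp_crypto_offer() interpolates into AES_CM_128_HMAC_SHA1_%i); the master key is the same in both suites, so suggest `/* pick the SRTP auth-tag length (80 or 32 bits): the peer's offered suite wins, else local settings */`. The new p parameter is dereferenced at L118 without the NULL guard that srtp gets at L109; all three updated callers pass a valid dialog, but a one-line precondition comment on the signature, `/* p must be non-NULL; srtp may be NULL */`, would document that. The function's closing brace is outside the hunk.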
@@ -11230,7 +11263,7 @@
/* Ok, we need video. Let's add what we need for video and set codecs.
Video is handled differently than audio since we can not transcode. */
if (needvideo) {
- get_crypto_attrib(p->vsrtp, &v_a_crypto);
+ get_crypto_attrib(p, p->vsrtp, &v_a_crypto);
ast_str_append(&m_video, 0, "m=video %d RTP/%s", ast_sockaddr_port(&vdest),
v_a_crypto ? "SAVP" : "AVP");
@@ -11247,7 +11280,7 @@
if (needtext) {
if (sipdebug_text)
ast_verbose("Lets set up the text sdp\n");
- get_crypto_attrib(p->tsrtp, &t_a_crypto);
+ get_crypto_attrib(p, p->tsrtp, &t_a_crypto);
ast_str_append(&m_text, 0, "m=text %d RTP/%s", ast_sockaddr_port(&tdest),
t_a_crypto ? "SAVP" : "AVP");
if (debug) { /* XXX should I use tdest below ? */
@@ -11260,7 +11293,7 @@
/* We break with the "recommendation" and send our IP, in order that our
peer doesn't have to ast_gethostbyname() us */
- get_crypto_attrib(p->srtp, &a_crypto);
+ get_crypto_attrib(p, p->srtp, &a_crypto);
ast_str_append(&m_audio, 0, "m=audio %d RTP/%s", ast_sockaddr_port(&dest),
a_crypto ? "SAVP" : "AVP");
@@ -22514,7 +22547,8 @@
transmit_response_with_t38_sdp(p, "200 OK", req, (reinvite ? XMIT_RELIABLE : (req->ignore ? XMIT_UNRELIABLE : XMIT_CRITICAL)));
} else if ((p->t38.state == T38_DISABLED) || (p->t38.state == T38_REJECTED)) {
/* If this is not a re-invite or something to ignore - it's critical */
- if (p->srtp && !ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK)) {
+ if (p->srtp && !ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK) &&
+ !ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
ast_log(LOG_WARNING, "Target does not support required crypto\n");
transmit_response_reliable(p, "488 Not Acceptable Here (crypto)", req);
} else {
@@ -26196,6 +26230,27 @@
} else if (!strcasecmp(v->name, "buggymwi")) {
ast_set_flag(&mask[1], SIP_PAGE2_BUGGY_MWI);
ast_set2_flag(&flags[1], ast_true(v->value), SIP_PAGE2_BUGGY_MWI);
+ } else if (!strcasecmp(v->name, "encryption")) {
+ char *buf = ast_strdupa(v->value);
+ char *word, *next = buf;
+
+ ast_set_flag(&mask[1], SIP_PAGE2_USE_SRTP);
+ ast_set_flag(&mask[2], SIP_PAGE3_SRTP_TRY);
+ ast_set_flag(&mask[2], SIP_PAGE3_SRTP_TAG_32);
+ ast_clear_flag(&flags[2], SIP_PAGE3_SRTP_TAG_32);
+
+ while ((word = strsep(&next, ","))) {
+ if (!strcasecmp(word,"try")) {
+ ast_set_flag(&flags[1], SIP_PAGE2_USE_SRTP);
+ ast_set_flag(&flags[2], SIP_PAGE3_SRTP_TRY);
+ } else if (!strcasecmp(word,"32bit")) {
+ ast_set_flag(&flags[2], SIP_PAGE3_SRTP_TAG_32);
+ } else if (ast_true(word) || ast_false(word)) {
+ ast_set2_flag(&flags[1], ast_true(word), SIP_PAGE2_USE_SRTP);
+ ast_clear_flag(&flags[2], SIP_PAGE3_SRTP_TRY);
+ }
+ }
+
} else
res = 0;
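Review bot: Unknown tokens in the new "encryption" parser at L173-L183 are silently ignored, so a misspelt value such as `encryption=yess` leaves SRTP disabled with no log line, which is exactly the kind of misconfiguration a defender wants surfaced; add `} else { ast_log(LOG_WARNING, "Unknown encryption option '%s'\n", word); }` to the chain. The result is also order dependent because only SIP_PAGE3_SRTP_TAG_32 is reset before the loop (L171) while SIP_PAGE2_USE_SRTP and SIP_PAGE3_SRTP_TRY keep whatever they held, so `try,no` and `no,try` differ; clearing those two with `ast_clear_flag(&flags[1], SIP_PAGE2_USE_SRTP); ast_clear_flag(&flags[2], SIP_PAGE3_SRTP_TRY);` before the loop would make the last token win predictably. The peer-level handler removed in the later hunk presumably relies on this common path being reached for peers, which cannot be confirmed from the page. The enclosing option parser starts and ends outside the hunk.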
@@ -26945,8 +27000,6 @@
ast_string_field_set(peer, unsolicited_mailbox, v->value);
} else if (!strcasecmp(v->name, "use_q850_reason")) {
ast_set2_flag(&peer->flags[1], ast_true(v->value), SIP_PAGE2_Q850_REASON);
- } else if (!strcasecmp(v->name, "encryption")) {
- ast_set2_flag(&peer->flags[1], ast_true(v->value), SIP_PAGE2_USE_SRTP);
} else if (!strcasecmp(v->name, "snom_aoc_enabled")) {
ast_set2_flag(&peer->flags[2], ast_true(v->value), SIP_PAGE3_SNOM_AOC);
}
@@ -28875,7 +28928,7 @@
return FALSE;
}
- if (sdp_crypto_process((*srtp)->crypto, a, rtp) < 0) {
+ if (sdp_crypto_process((*srtp)->crypto, a, rtp, (*srtp)) < 0) {
return FALSE;
}
Modified: team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h (original)
+++ team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h Sun May 22 08:00:35 2011
@@ -31,6 +31,7 @@
#include <asterisk/rtp_engine.h>
struct sdp_crypto;
+struct sip_srtp;
/*! \brief Initialize an return an sdp_crypto struct
*
@@ -51,11 +52,12 @@
* \param p A valid sdp_crypto struct
* \param attr the a:crypto line from SDP
* \param rtp The rtp instance associated with the SDP being parsed
+ * \param srtp SRTP structure
*
* \retval 0 success
* \retval nonzero failure
*/
-int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp);
+int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp);
/*! \brief Generate an SRTP a=crypto offer
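Review bot: `\param srtp SRTP structure` at L218 does not say that the parameter is written: the implementation sets SRTP_CRYPTO_TAG_80 or SRTP_CRYPTO_TAG_32 on it according to the suite parsed from attr, and dereferences it unconditionally. Suggest `\param srtp SRTP state for this stream; must be non-NULL, receives the SRTP_CRYPTO_TAG_32/TAG_80 flag matching the negotiated suite`.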
@@ -68,7 +70,7 @@
* \retval 0 success
* \retval nonzero failure
*/
-int sdp_crypto_offer(struct sdp_crypto *p);
+int sdp_crypto_offer(struct sdp_crypto *p, int bitlen);
/*! \brief Return the a_crypto value of the sdp_crypto struct
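Review bot: The new bitlen parameter of sdp_crypto_offer() at L231 has no `\param` entry, and because the value is spliced straight into the suite name only 32 and 80 are meaningful. Suggest `\param bitlen HMAC-SHA1 auth-tag length in bits, 80 (AES_CM_128_HMAC_SHA1_80) or 32 (AES_CM_128_HMAC_SHA1_32)`. The \param block for p sits above the hunk.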
Modified: team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h (original)
+++ team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h Sun May 22 08:00:35 2011
@@ -350,9 +350,11 @@
#define SIP_PAGE3_SNOM_AOC (1 << 0) /*!< DPG: Allow snom aoc messages */
+#define SIP_PAGE3_SRTP_TAG_32 (1 << 1)
+#define SIP_PAGE3_SRTP_TRY (1 << 2)
#define SIP_PAGE3_FLAGS_TO_COPY \
- (SIP_PAGE3_SNOM_AOC)
+ (SIP_PAGE3_SNOM_AOC | SIP_PAGE3_SRTP_TAG_32 | SIP_PAGE3_SRTP_TRY)
/*@}*/
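Review bot: The two new flags at L240-L241 lack the `/*!< ... */` doc comment that SIP_PAGE3_SNOM_AOC carries on the line above; suggest `#define SIP_PAGE3_SRTP_TAG_32 (1 << 1) /*!< Offer 32-bit SRTP auth tag (AES_CM_128_HMAC_SHA1_32) */` and `#define SIP_PAGE3_SRTP_TRY (1 << 2) /*!< Fall back to plain RTP when SRTP cannot be negotiated */`. The same applies to SRTP_CRYPTO_TAG_32 and SRTP_CRYPTO_TAG_80 in srtp.h (L255-L256), which are per-dialog state recording the suite the peer offered and deserve a comment saying so.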
Modified: team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h (original)
+++ team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h Sun May 22 08:00:35 2011
@@ -34,6 +34,8 @@
#define SRTP_ENCR_OPTIONAL (1 << 1) /* SRTP encryption optional */
#define SRTP_CRYPTO_ENABLE (1 << 2)
#define SRTP_CRYPTO_OFFER_OK (1 << 3)
+#define SRTP_CRYPTO_TAG_32 (1 << 4)
+#define SRTP_CRYPTO_TAG_80 (1 << 5)
/*! \brief structure for secure RTP audio */
struct sip_srtp {
Modified: team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c (original)
+++ team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c Sun May 22 08:00:35 2011
@@ -32,6 +32,7 @@
#include "asterisk/options.h"
#include "asterisk/utils.h"
#include "include/sdp_crypto.h"
+#include "include/srtp.h"
#define SRTP_MASTER_LEN 30
#define SRTP_MASTERKEY_LEN 16
@@ -188,7 +189,7 @@
return res;
}
-int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp)
+int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp)
{
char *str = NULL;
char *tag = NULL;
@@ -228,8 +229,10 @@
if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80")) {
suite_val = AST_AES_CM_128_HMAC_SHA1_80;
+ ast_set_flag(srtp, SRTP_CRYPTO_TAG_80);
} else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {
suite_val = AST_AES_CM_128_HMAC_SHA1_32;
+ ast_set_flag(srtp, SRTP_CRYPTO_TAG_32);
} else {
ast_log(LOG_WARNING, "Unsupported crypto suite: %s\n", suite);
return -1;
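Review bot: The new ast_set_flag() calls at L282 and L285 only ever set SRTP_CRYPTO_TAG_80/TAG_32 and nothing clears them, so after a re-INVITE that switches suites both bits end up set and get_crypto_attrib()'s TAG_80-first test keeps answering with the 80-bit suite even when the peer now offers _32. Clearing both before the strcmp chain, `ast_clear_flag(srtp, SRTP_CRYPTO_TAG_32 | SRTP_CRYPTO_TAG_80);`, keeps the flags tied to the current offer. srtp is also dereferenced without a NULL check, whereas the existing code validates p and attr; the only caller on this page passes a non-NULL `(*srtp)`, but a guard or a documented precondition would make that explicit. sdp_crypto_process continues on both sides of the hunk.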
@@ -283,16 +286,16 @@
return 0;
}
-int sdp_crypto_offer(struct sdp_crypto *p)
+int sdp_crypto_offer(struct sdp_crypto *p,int bitlen)
{
char crypto_buf[128];
- const char *crypto_suite = "AES_CM_128_HMAC_SHA1_80"; /* Crypto offer */
if (p->a_crypto) {
ast_free(p->a_crypto);
}
- if (snprintf(crypto_buf, sizeof(crypto_buf), "a=crypto:1 %s inline:%s\r\n", crypto_suite, p->local_key64) < 1) {
+ if (snprintf(crypto_buf, sizeof(crypto_buf), "a=crypto:1 AES_CM_128_HMAC_SHA1_%i inline:%s\r\n",
+ bitlen, p->local_key64) < 1) {
return -1;
}
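Review bot: bitlen is interpolated into the suite name with `%i` at L301 without validation, so any value other than 32 or 80 produces a non-existent suite in the a=crypto line that the peer will reject or, worse, misparse; add `if (bitlen != 32 && bitlen != 80) { return -1; }` before the snprintf. The `< 1` test on snprintf's result does not detect truncation either, though the 128-byte buffer appears ample for these fixed suite names. Minor style: `int sdp_crypto_offer(struct sdp_crypto *p,int bitlen)` at L293 is missing the space after the comma that the header prototype uses. The function continues outside the hunk.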