[asterisk-commits] irroot: branch irroot/distrotech-customers-trunk r320443 - in /team/irroot/di...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Sun May 22 08:00:47 CDT 2011


Author: irroot
Date: Sun May 22 08:00:35 2011
New Revision: 320443

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=320443
Log:
SRTP optional and make authtag configrable.
Always use right tag len in response based on INVITE


Modified:
    team/irroot/distrotech-customers-trunk/channels/chan_sip.c
    team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h
    team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h
    team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h
    team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c

Modified: team/irroot/distrotech-customers-trunk/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/chan_sip.c?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/chan_sip.c (original)
+++ team/irroot/distrotech-customers-trunk/channels/chan_sip.c Sun May 22 08:00:35 2011
@@ -5436,17 +5436,23 @@
 
 		if (p->rtp && !p->srtp && setup_srtp(&p->srtp) < 0) {
 			ast_log(LOG_WARNING, "SRTP audio setup failed\n");
-			return -1;
+			if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+				return -1;
+			}
 		}
 
 		if (p->vrtp && !p->vsrtp && setup_srtp(&p->vsrtp) < 0) {
 			ast_log(LOG_WARNING, "SRTP video setup failed\n");
-			return -1;
+			if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+				return -1;
+			}
 		}
 
 		if (p->trtp && !p->vsrtp && setup_srtp(&p->tsrtp) < 0) {
 			ast_log(LOG_WARNING, "SRTP text setup failed\n");
-			return -1;
+			if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+				return -1;
+			}
 		}
 	}
 
@@ -8975,32 +8981,48 @@
 
 	if (secure_audio && !(p->srtp && (ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK)))) {
 		ast_log(LOG_WARNING, "Can't provide secure audio requested in SDP offer\n");
-		res = -4;
-		goto process_sdp_cleanup;
+		if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+			res = -4;
+			goto process_sdp_cleanup;
+		}
 	}
 
 	if (!secure_audio && p->srtp) {
 		ast_log(LOG_WARNING, "We are requesting SRTP, but they responded without it!\n");
-		res = -4;
-		goto process_sdp_cleanup;
+		if (ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+			sip_srtp_destroy(p->srtp);
+			p->srtp = NULL;
+		} else {
+			res = -4;
+			goto process_sdp_cleanup;
+		}
 	}
 
 	if (secure_video && !(p->vsrtp && (ast_test_flag(p->vsrtp, SRTP_CRYPTO_OFFER_OK)))) {
 		ast_log(LOG_WARNING, "Can't provide secure video requested in SDP offer\n");
-		res = -4;
-		goto process_sdp_cleanup;
+		if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+			res = -4;
+			goto process_sdp_cleanup;
+		}
 	}
 
 	if (!p->novideo && !secure_video && p->vsrtp) {
 		ast_log(LOG_WARNING, "We are requesting SRTP, but they responded without it!\n");
-		res = -4;
-		goto process_sdp_cleanup;
+		if (ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+			sip_srtp_destroy(p->vsrtp);
+			p->vsrtp = NULL;
+		} else {
+			res = -4;
+			goto process_sdp_cleanup;
+		}
 	}
 
 	if (!(secure_audio || secure_video) && ast_test_flag(&p->flags[1], SIP_PAGE2_USE_SRTP)) {
 		ast_log(LOG_WARNING, "Matched device setup to use SRTP, but request was not!\n");
-		res = -4;
-		goto process_sdp_cleanup;
+		if (!ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
+			res = -4;
+			goto process_sdp_cleanup;
+		}
 	}
 
 	if (udptlportno == -1) {
@@ -11055,14 +11077,25 @@
 	}
 }
 
-static void get_crypto_attrib(struct sip_srtp *srtp, const char **a_crypto)
-{
+static void get_crypto_attrib(struct sip_pvt *p, struct sip_srtp *srtp, const char **a_crypto)
+{
+	int bitlen = 80;
+
 	/* Set encryption properties */
 	if (srtp) {
 		if (!srtp->crypto) {
 			srtp->crypto = sdp_crypto_setup();
 		}
-		if (srtp->crypto && (sdp_crypto_offer(srtp->crypto) >= 0)) {
+
+		/* set the key length based on INVITE or settings */
+		if (ast_test_flag(srtp, SRTP_CRYPTO_TAG_80)) {
+			bitlen = 80;
+		} else if (ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TAG_32) ||
+		    ast_test_flag(srtp, SRTP_CRYPTO_TAG_32)) {
+			bitlen = 32;
+		}
+
+		if (srtp->crypto && (sdp_crypto_offer(srtp->crypto, bitlen) >= 0)) {
 			*a_crypto = sdp_crypto_attrib(srtp->crypto);
 		}
 
@@ -11230,7 +11263,7 @@
 		/* Ok, we need video. Let's add what we need for video and set codecs.
 		   Video is handled differently than audio since we can not transcode. */
 		if (needvideo) {
-			get_crypto_attrib(p->vsrtp, &v_a_crypto);
+			get_crypto_attrib(p, p->vsrtp, &v_a_crypto);
 			ast_str_append(&m_video, 0, "m=video %d RTP/%s", ast_sockaddr_port(&vdest),
 				v_a_crypto ? "SAVP" : "AVP");
 
@@ -11247,7 +11280,7 @@
 		if (needtext) {
 			if (sipdebug_text)
 				ast_verbose("Lets set up the text sdp\n");
-			get_crypto_attrib(p->tsrtp, &t_a_crypto);
+			get_crypto_attrib(p, p->tsrtp, &t_a_crypto);
 			ast_str_append(&m_text, 0, "m=text %d RTP/%s", ast_sockaddr_port(&tdest),
 				t_a_crypto ? "SAVP" : "AVP");
 			if (debug) {  /* XXX should I use tdest below ? */
@@ -11260,7 +11293,7 @@
 		/* We break with the "recommendation" and send our IP, in order that our
 		   peer doesn't have to ast_gethostbyname() us */
 
-		get_crypto_attrib(p->srtp, &a_crypto);
+		get_crypto_attrib(p, p->srtp, &a_crypto);
 		ast_str_append(&m_audio, 0, "m=audio %d RTP/%s", ast_sockaddr_port(&dest),
 			a_crypto ? "SAVP" : "AVP");
 
@@ -22514,7 +22547,8 @@
 				transmit_response_with_t38_sdp(p, "200 OK", req, (reinvite ? XMIT_RELIABLE : (req->ignore ?  XMIT_UNRELIABLE : XMIT_CRITICAL)));
 			} else if ((p->t38.state == T38_DISABLED) || (p->t38.state == T38_REJECTED)) {
 				/* If this is not a re-invite or something to ignore - it's critical */
-				if (p->srtp && !ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK)) {
+				if (p->srtp && !ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK) &&
+				    !ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TRY)) {
 					ast_log(LOG_WARNING, "Target does not support required crypto\n");
 					transmit_response_reliable(p, "488 Not Acceptable Here (crypto)", req);
 				} else {
@@ -26196,6 +26230,27 @@
 	} else if (!strcasecmp(v->name, "buggymwi")) {
 		ast_set_flag(&mask[1], SIP_PAGE2_BUGGY_MWI);
 		ast_set2_flag(&flags[1], ast_true(v->value), SIP_PAGE2_BUGGY_MWI);
+	} else if (!strcasecmp(v->name, "encryption")) {
+		char *buf = ast_strdupa(v->value);
+		char *word, *next = buf;
+
+		ast_set_flag(&mask[1], SIP_PAGE2_USE_SRTP);
+		ast_set_flag(&mask[2], SIP_PAGE3_SRTP_TRY);
+		ast_set_flag(&mask[2], SIP_PAGE3_SRTP_TAG_32);
+		ast_clear_flag(&flags[2], SIP_PAGE3_SRTP_TAG_32);
+
+		while ((word = strsep(&next, ","))) {
+			if (!strcasecmp(word,"try")) {
+				ast_set_flag(&flags[1], SIP_PAGE2_USE_SRTP);
+				ast_set_flag(&flags[2], SIP_PAGE3_SRTP_TRY);
+			} else if (!strcasecmp(word,"32bit")) {
+				ast_set_flag(&flags[2], SIP_PAGE3_SRTP_TAG_32);
+			} else if (ast_true(word) || ast_false(word)) {
+				ast_set2_flag(&flags[1], ast_true(word), SIP_PAGE2_USE_SRTP);
+				ast_clear_flag(&flags[2], SIP_PAGE3_SRTP_TRY);
+			}
+		}
+
 	} else
 		res = 0;
 
@@ -26945,8 +27000,6 @@
 				ast_string_field_set(peer, unsolicited_mailbox, v->value);
 			} else if (!strcasecmp(v->name, "use_q850_reason")) {
 				ast_set2_flag(&peer->flags[1], ast_true(v->value), SIP_PAGE2_Q850_REASON);
-			} else if (!strcasecmp(v->name, "encryption")) {
-				ast_set2_flag(&peer->flags[1], ast_true(v->value), SIP_PAGE2_USE_SRTP);
 			} else if (!strcasecmp(v->name, "snom_aoc_enabled")) {
 				ast_set2_flag(&peer->flags[2], ast_true(v->value), SIP_PAGE3_SNOM_AOC);
 			}
@@ -28875,7 +28928,7 @@
 		return FALSE;
 	}
 
-	if (sdp_crypto_process((*srtp)->crypto, a, rtp) < 0) {
+	if (sdp_crypto_process((*srtp)->crypto, a, rtp, (*srtp)) < 0) {
 		return FALSE;
 	}
 

Modified: team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h (original)
+++ team/irroot/distrotech-customers-trunk/channels/sip/include/sdp_crypto.h Sun May 22 08:00:35 2011
@@ -31,6 +31,7 @@
 #include <asterisk/rtp_engine.h>
 
 struct sdp_crypto;
+struct sip_srtp;
 
 /*! \brief Initialize an return an sdp_crypto struct
  *
@@ -51,11 +52,12 @@
  * \param p A valid sdp_crypto struct
  * \param attr the a:crypto line from SDP
  * \param rtp The rtp instance associated with the SDP being parsed
+ * \param srtp SRTP structure
  *
  * \retval 0 success
  * \retval nonzero failure
  */
-int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp);
+int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp);
 
 
 /*! \brief Generate an SRTP a=crypto offer
@@ -68,7 +70,7 @@
  * \retval 0 success
  * \retval nonzero failure
  */
-int sdp_crypto_offer(struct sdp_crypto *p);
+int sdp_crypto_offer(struct sdp_crypto *p, int bitlen);
 
 
 /*! \brief Return the a_crypto value of the sdp_crypto struct

Modified: team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h (original)
+++ team/irroot/distrotech-customers-trunk/channels/sip/include/sip.h Sun May 22 08:00:35 2011
@@ -350,9 +350,11 @@
 
 
 #define SIP_PAGE3_SNOM_AOC               (1 << 0)  /*!< DPG: Allow snom aoc messages */
+#define SIP_PAGE3_SRTP_TAG_32            (1 << 1)
+#define SIP_PAGE3_SRTP_TRY               (1 << 2)
 
 #define SIP_PAGE3_FLAGS_TO_COPY \
-	(SIP_PAGE3_SNOM_AOC)
+	(SIP_PAGE3_SNOM_AOC | SIP_PAGE3_SRTP_TAG_32 | SIP_PAGE3_SRTP_TRY)
 
 /*@}*/
 

Modified: team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h (original)
+++ team/irroot/distrotech-customers-trunk/channels/sip/include/srtp.h Sun May 22 08:00:35 2011
@@ -34,6 +34,8 @@
 #define SRTP_ENCR_OPTIONAL	(1 << 1)	/* SRTP encryption optional */
 #define SRTP_CRYPTO_ENABLE	(1 << 2)
 #define SRTP_CRYPTO_OFFER_OK	(1 << 3)
+#define SRTP_CRYPTO_TAG_32	(1 << 4)
+#define SRTP_CRYPTO_TAG_80	(1 << 5)
 
 /*! \brief structure for secure RTP audio */
 struct sip_srtp {

Modified: team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c
URL: http://svnview.digium.com/svn/asterisk/team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c?view=diff&rev=320443&r1=320442&r2=320443
==============================================================================
--- team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c (original)
+++ team/irroot/distrotech-customers-trunk/channels/sip/sdp_crypto.c Sun May 22 08:00:35 2011
@@ -32,6 +32,7 @@
 #include "asterisk/options.h"
 #include "asterisk/utils.h"
 #include "include/sdp_crypto.h"
+#include "include/srtp.h"
 
 #define SRTP_MASTER_LEN 30
 #define SRTP_MASTERKEY_LEN 16
@@ -188,7 +189,7 @@
 	return res;
 }
 
-int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp)
+int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp)
 {
 	char *str = NULL;
 	char *tag = NULL;
@@ -228,8 +229,10 @@
 
 	if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80")) {
 		suite_val = AST_AES_CM_128_HMAC_SHA1_80;
+		ast_set_flag(srtp, SRTP_CRYPTO_TAG_80);
 	} else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {
 		suite_val = AST_AES_CM_128_HMAC_SHA1_32;
+		ast_set_flag(srtp, SRTP_CRYPTO_TAG_32);
 	} else {
 		ast_log(LOG_WARNING, "Unsupported crypto suite: %s\n", suite);
 		return -1;
@@ -283,16 +286,16 @@
 	return 0;
 }
 
-int sdp_crypto_offer(struct sdp_crypto *p)
+int sdp_crypto_offer(struct sdp_crypto *p,int bitlen)
 {
 	char crypto_buf[128];
-	const char *crypto_suite = "AES_CM_128_HMAC_SHA1_80"; /* Crypto offer */
 
 	if (p->a_crypto) {
 		ast_free(p->a_crypto);
 	}
 
-	if (snprintf(crypto_buf, sizeof(crypto_buf), "a=crypto:1 %s inline:%s\r\n",  crypto_suite, p->local_key64) < 1) {
+	if (snprintf(crypto_buf, sizeof(crypto_buf), "a=crypto:1 AES_CM_128_HMAC_SHA1_%i inline:%s\r\n",
+			bitlen, p->local_key64) < 1) {
 		return -1;
 	}
 




More information about the asterisk-commits mailing list