[asterisk-commits] irroot: branch 10 r336936 - in /branches/10: ./ channels/ channels/sip/ chann...
Author: irroot
Date: Tue Sep 20 11:51:59 2011
New Revision: 336936
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=336936
Log:
Allow Setting Auth Tag Bit length Based on invite or config option
Update the SIP SRTP API to allow use of 32 or 80 bit taglen.
Currently only 80 bit is supported.
The outgoing invite will use the taglen of the incoming invite preventing
one-way audio.
(Closes issue ASTERISK-17895)
Review: https://reviewboard.asterisk.org/r/1173/
Modified:
branches/10/CHANGES
branches/10/channels/chan_sip.c
branches/10/channels/sip/include/sdp_crypto.h
branches/10/channels/sip/include/sip.h
branches/10/channels/sip/include/srtp.h
branches/10/channels/sip/sdp_crypto.c
branches/10/configs/sip.conf.sample
Modified: branches/10/CHANGES
URL: http://svnview.digium.com/svn/asterisk/branches/10/CHANGES?view=diff&rev=336936&r1=336935&r2=336936
==============================================================================
--- branches/10/CHANGES (original)
+++ branches/10/CHANGES Tue Sep 20 11:51:59 2011
@@ -184,6 +184,7 @@
SIP Changes
-----------
* Add T38 support for REJECTED state where T.38 Negotiation is explicitly rejected.
+ * Add option encryption_taglen to set auth taglen only 32 and 80 are supported currently.
Queue changes
-------------
Modified: branches/10/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/chan_sip.c?view=diff&rev=336936&r1=336935&r2=336936
==============================================================================
--- branches/10/channels/chan_sip.c (original)
+++ branches/10/channels/chan_sip.c Tue Sep 20 11:51:59 2011
@@ -11117,14 +11117,25 @@
}
}
-static void get_crypto_attrib(struct sip_srtp *srtp, const char **a_crypto)
-{
+static void get_crypto_attrib(struct sip_pvt *p, struct sip_srtp *srtp, const char **a_crypto)
+{
+ int taglen = 80;
+
/* Set encryption properties */
if (srtp) {
if (!srtp->crypto) {
srtp->crypto = sdp_crypto_setup();
}
- if (srtp->crypto && (sdp_crypto_offer(srtp->crypto) >= 0)) {
+
+ /* set the key length based on INVITE or settings */
+ if (ast_test_flag(srtp, SRTP_CRYPTO_TAG_80)) {
+ taglen = 80;
+ } else if (ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TAG_32) ||
+ ast_test_flag(srtp, SRTP_CRYPTO_TAG_32)) {
+ taglen = 32;
+ }
+
+ if (srtp->crypto && (sdp_crypto_offer(srtp->crypto, taglen) >= 0)) {
*a_crypto = sdp_crypto_attrib(srtp->crypto);
}
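Review bot: The taglen selection here keys off SRTP_CRYPTO_TAG_80 and SRTP_CRYPTO_TAG_32, which the sdp_crypto_process hunk sets on the sip_srtp but which nothing in this diff ever clears, so once a peer has offered the 80-bit suite the flag persists for the life of the sip_srtp and neither a later re-INVITE carrying the 32-bit suite nor the SIP_PAGE3_SRTP_TAG_32 setting can change the outgoing offer; with both flags set the 80 branch silently wins. Clearing both flags before the new one is recorded would make the choice track the most recent negotiation, e.g. `ast_clear_flag(srtp, SRTP_CRYPTO_TAG_32 | SRTP_CRYPTO_TAG_80);` placed ahead of the suite comparison in sdp_crypto_process (the same point applies to that hunk). The `int taglen = 80;` initialiser also makes the explicit `taglen = 80;` branch redundant, which is harmless but worth a comment if the ordering is deliberate. get_crypto_attrib's body continues past the end of the hunk.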
@@ -11292,7 +11303,7 @@
/* Ok, we need video. Let's add what we need for video and set codecs.
Video is handled differently than audio since we can not transcode. */
if (needvideo) {
- get_crypto_attrib(p->vsrtp, &v_a_crypto);
+ get_crypto_attrib(p, p->vsrtp, &v_a_crypto);
ast_str_append(&m_video, 0, "m=video %d RTP/%s", ast_sockaddr_port(&vdest),
v_a_crypto ? "SAVP" : "AVP");
@@ -11309,7 +11320,7 @@
if (needtext) {
if (sipdebug_text)
ast_verbose("Lets set up the text sdp\n");
- get_crypto_attrib(p->tsrtp, &t_a_crypto);
+ get_crypto_attrib(p, p->tsrtp, &t_a_crypto);
ast_str_append(&m_text, 0, "m=text %d RTP/%s", ast_sockaddr_port(&tdest),
t_a_crypto ? "SAVP" : "AVP");
if (debug) { /* XXX should I use tdest below ? */
@@ -11322,7 +11333,7 @@
/* We break with the "recommendation" and send our IP, in order that our
peer doesn't have to ast_gethostbyname() us */
- get_crypto_attrib(p->srtp, &a_crypto);
+ get_crypto_attrib(p, p->srtp, &a_crypto);
ast_str_append(&m_audio, 0, "m=audio %d RTP/%s", ast_sockaddr_port(&dest),
a_crypto ? "SAVP" : "AVP");
@@ -27647,6 +27658,8 @@
ast_set2_flag(&peer->flags[1], ast_true(v->value), SIP_PAGE2_Q850_REASON);
} else if (!strcasecmp(v->name, "encryption")) {
ast_set2_flag(&peer->flags[1], ast_true(v->value), SIP_PAGE2_USE_SRTP);
+ } else if (!strcasecmp(v->name, "encryption_taglen")) {
+ ast_set2_flag(&peer->flags[2], !strcasecmp(v->value, "32"), SIP_PAGE3_SRTP_TAG_32);
} else if (!strcasecmp(v->name, "snom_aoc_enabled")) {
ast_set2_flag(&peer->flags[2], ast_true(v->value), SIP_PAGE3_SNOM_AOC);
}
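Review bot: `encryption_taglen` accepts any string and silently maps everything other than "32" to the 80-bit offer, so a typo such as `encryption_taglen=23` or an unsupported `64` degrades to 80 with no diagnostic, even though sip.conf.sample documents only 32 and 80 as valid. The parsing branch belongs to a function whose start and end lie outside the hunk. Logging a warning for any value other than 32 or 80 would surface the misconfiguration at load time rather than as a silently different suite on the wire:
```c
} else if (!strcasecmp(v->name, "encryption_taglen")) {
	if (strcasecmp(v->value, "32") && strcasecmp(v->value, "80")) {
		ast_log(LOG_WARNING, "Unsupported encryption_taglen '%s', only 32 and 80 are supported; using 80\n", v->value);
	}
	ast_set2_flag(&peer->flags[2], !strcasecmp(v->value, "32"), SIP_PAGE3_SRTP_TAG_32);
/* … unchanged: remaining option branches … */
```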
@@ -29584,7 +29597,7 @@
return FALSE;
}
- if (sdp_crypto_process((*srtp)->crypto, a, rtp) < 0) {
+ if (sdp_crypto_process((*srtp)->crypto, a, rtp, *srtp) < 0) {
return FALSE;
}
Modified: branches/10/channels/sip/include/sdp_crypto.h
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/sip/include/sdp_crypto.h?view=diff&rev=336936&r1=336935&r2=336936
==============================================================================
--- branches/10/channels/sip/include/sdp_crypto.h (original)
+++ branches/10/channels/sip/include/sdp_crypto.h Tue Sep 20 11:51:59 2011
@@ -31,6 +31,7 @@
#include <asterisk/rtp_engine.h>
struct sdp_crypto;
+struct sip_srtp;
/*! \brief Initialize an return an sdp_crypto struct
*
@@ -51,11 +52,12 @@
* \param p A valid sdp_crypto struct
* \param attr the a:crypto line from SDP
* \param rtp The rtp instance associated with the SDP being parsed
+ * \param srtp SRTP structure
*
* \retval 0 success
* \retval nonzero failure
*/
-int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp);
+int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp);
/*! \brief Generate an SRTP a=crypto offer
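Review bot: `\param srtp SRTP structure` documents the type but not the contract; from the sdp_crypto.c hunk the function writes to it, setting SRTP_CRYPTO_TAG_80 or SRTP_CRYPTO_TAG_32 according to the suite found in the a=crypto line, and a reader of the header cannot tell that this out-parameter is the reason the argument was added. Suggest `\param srtp The sip_srtp state of the media stream being negotiated; on success SRTP_CRYPTO_TAG_32 or SRTP_CRYPTO_TAG_80 is set on it to record the auth tag length the peer offered`. It is also worth stating whether a NULL srtp is permitted, since the function dereferences it unconditionally.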
@@ -68,7 +70,7 @@
* \retval 0 success
* \retval nonzero failure
*/
-int sdp_crypto_offer(struct sdp_crypto *p);
+int sdp_crypto_offer(struct sdp_crypto *p, int taglen);
/*! \brief Return the a_crypto value of the sdp_crypto struct
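Review bot: The prototype of sdp_crypto_offer gains `taglen`, but the Doxygen block above it, whose `\param` lines sit outside this hunk, is not updated, so the header now declares one more argument than it documents. Add `* \param taglen Auth tag length of the offered suite in bits; only 32 and 80 are valid and select AES_CM_128_HMAC_SHA1_32 or AES_CM_128_HMAC_SHA1_80` alongside the existing `\param p` line.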
Modified: branches/10/channels/sip/include/sip.h
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/sip/include/sip.h?view=diff&rev=336936&r1=336935&r2=336936
==============================================================================
--- branches/10/channels/sip/include/sip.h (original)
+++ branches/10/channels/sip/include/sip.h Tue Sep 20 11:51:59 2011
@@ -353,9 +353,10 @@
#define SIP_PAGE3_SNOM_AOC (1 << 0) /*!< DPG: Allow snom aoc messages */
+#define SIP_PAGE3_SRTP_TAG_32 (1 << 1) /*!< DP: Use a 32bit auth tag in INVITE not 80bit */
#define SIP_PAGE3_FLAGS_TO_COPY \
- (SIP_PAGE3_SNOM_AOC)
+ (SIP_PAGE3_SNOM_AOC | SIP_PAGE3_SRTP_TAG_32)
/*@}*/
Modified: branches/10/channels/sip/include/srtp.h
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/sip/include/srtp.h?view=diff&rev=336936&r1=336935&r2=336936
==============================================================================
--- branches/10/channels/sip/include/srtp.h (original)
+++ branches/10/channels/sip/include/srtp.h Tue Sep 20 11:51:59 2011
@@ -34,6 +34,8 @@
#define SRTP_ENCR_OPTIONAL (1 << 1) /* SRTP encryption optional */
#define SRTP_CRYPTO_ENABLE (1 << 2)
#define SRTP_CRYPTO_OFFER_OK (1 << 3)
+#define SRTP_CRYPTO_TAG_32 (1 << 4)
+#define SRTP_CRYPTO_TAG_80 (1 << 5)
/*! \brief structure for secure RTP audio */
struct sip_srtp {
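Review bot: SRTP_CRYPTO_TAG_32 and SRTP_CRYPTO_TAG_80 are added without the trailing comment that the neighbouring SRTP_ENCR_OPTIONAL carries, and nothing here records that they are set by sdp_crypto_process from the peer's a=crypto line and read by get_crypto_attrib to choose the suite in the outgoing offer. Suggest `/* peer offered AES_CM_128_HMAC_SHA1_32; mirrored in our offer */` and `/* peer offered AES_CM_128_HMAC_SHA1_80; mirrored in our offer */` on the two new lines, and a sentence noting that they are mutually exclusive by intent if that is the design.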
Modified: branches/10/channels/sip/sdp_crypto.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/sip/sdp_crypto.c?view=diff&rev=336936&r1=336935&r2=336936
==============================================================================
--- branches/10/channels/sip/sdp_crypto.c (original)
+++ branches/10/channels/sip/sdp_crypto.c Tue Sep 20 11:51:59 2011
@@ -32,6 +32,7 @@
#include "asterisk/options.h"
#include "asterisk/utils.h"
#include "include/sdp_crypto.h"
+#include "include/srtp.h"
#define SRTP_MASTER_LEN 30
#define SRTP_MASTERKEY_LEN 16
@@ -188,7 +189,7 @@
return res;
}
-int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp)
+int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp)
{
char *str = NULL;
char *tag = NULL;
@@ -228,8 +229,10 @@
if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80")) {
suite_val = AST_AES_CM_128_HMAC_SHA1_80;
+ ast_set_flag(srtp, SRTP_CRYPTO_TAG_80);
} else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {
suite_val = AST_AES_CM_128_HMAC_SHA1_32;
+ ast_set_flag(srtp, SRTP_CRYPTO_TAG_32);
} else {
ast_log(LOG_WARNING, "Unsupported crypto suite: %s\n", suite);
return -1;
@@ -283,16 +286,16 @@
return 0;
}
-int sdp_crypto_offer(struct sdp_crypto *p)
+int sdp_crypto_offer(struct sdp_crypto *p, int taglen)
{
char crypto_buf[128];
- const char *crypto_suite = "AES_CM_128_HMAC_SHA1_80"; /* Crypto offer */
if (p->a_crypto) {
ast_free(p->a_crypto);
}
- if (snprintf(crypto_buf, sizeof(crypto_buf), "a=crypto:1 %s inline:%s\r\n", crypto_suite, p->local_key64) < 1) {
+ if (snprintf(crypto_buf, sizeof(crypto_buf), "a=crypto:1 AES_CM_128_HMAC_SHA1_%i inline:%s\r\n",
+ taglen, p->local_key64) < 1) {
return -1;
}
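Review bot: `taglen` is interpolated straight into the suite name with `%i`, so any value other than 32 or 80 produces a string such as AES_CM_128_HMAC_SHA1_64 that this file's own sdp_crypto_process would reject as an unsupported suite, yet sdp_crypto_offer reports success and the bogus offer goes on the wire; the single caller in this diff only passes 32 or 80, but the public API does not enforce that. A guard at the top makes the contract explicit: `if (taglen != 32 && taglen != 80) { return -1; }`. The `< 1` test on snprintf also does not detect truncation of crypto_buf, which `(size_t)n >= sizeof(crypto_buf)` would; that weakness predates this change. sdp_crypto_offer's body continues past the end of the hunk.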
Modified: branches/10/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/branches/10/configs/sip.conf.sample?view=diff&rev=336936&r1=336935&r2=336936
==============================================================================
--- branches/10/configs/sip.conf.sample (original)
+++ branches/10/configs/sip.conf.sample Tue Sep 20 11:51:59 2011
@@ -901,6 +901,7 @@
;encryption=no ; Whether to offer SRTP encrypted media (and only SRTP encrypted media)
; on outgoing calls to a peer. Calls will fail with HANGUPCAUSE=58 if
; the peer does not support SRTP. Defaults to no.
+;encryption_taglen=80 ; Set the auth tag length offered in the INVITE either 32/80 default 80
;----------------------------------------- REALTIME SUPPORT ------------------------
; For additional information on ARA, the Asterisk Realtime Architecture,