[asterisk-commits] file: branch file/sha256-a-harsh-reality r416637 - in /team/file/sha256-a-har...
Author: file
Date: Wed Jun 18 12:51:58 2014
New Revision: 416637
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=416637
Log:
Add the ability to configure which hash to use for the fingerprint and add SHA-256 support.
Modified:
team/file/sha256-a-harsh-reality/channels/chan_sip.c
team/file/sha256-a-harsh-reality/configs/sip.conf.sample
team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h
team/file/sha256-a-harsh-reality/main/rtp_engine.c
team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c
Modified: team/file/sha256-a-harsh-reality/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/channels/chan_sip.c?view=diff&rev=416637&r1=416636&r2=416637
==============================================================================
--- team/file/sha256-a-harsh-reality/channels/chan_sip.c (original)
+++ team/file/sha256-a-harsh-reality/channels/chan_sip.c Wed Jun 18 12:51:58 2014
@@ -11020,7 +11020,7 @@
{
struct ast_rtp_engine_dtls *dtls;
int found = FALSE;
- char value[256], hash[6];
+ char value[256], hash[32];
if (!instance || !p->dtls_cfg.enabled || !(dtls = ast_rtp_instance_get_dtls(instance))) {
return found;
@@ -11052,11 +11052,13 @@
ast_log(LOG_WARNING, "Unsupported connection attribute value '%s' received on dialog '%s'\n",
value, p->callid);
}
- } else if (sscanf(a, "fingerprint: %5s %255s", hash, value) == 2) {
+ } else if (sscanf(a, "fingerprint: %31s %255s", hash, value) == 2) {
found = TRUE;
if (!strcasecmp(hash, "sha-1")) {
dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1, value);
+ } else if (!strcasecmp(hash, "sha-256")) {
+ dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA256, value);
} else {
ast_log(LOG_WARNING, "Unsupported fingerprint hash type '%s' received on dialog '%s'\n",
hash, p->callid);
@@ -12711,6 +12713,7 @@
static void add_dtls_to_sdp(struct ast_rtp_instance *instance, struct ast_str **a_buf)
{
struct ast_rtp_engine_dtls *dtls;
+ enum ast_rtp_dtls_hash hash;
const char *fingerprint;
if (!instance || !(dtls = ast_rtp_instance_get_dtls(instance)) || !dtls->active(instance)) {
@@ -12745,8 +12748,11 @@
break;
}
- if ((fingerprint = dtls->get_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1))) {
- ast_str_append(a_buf, 0, "a=fingerprint:SHA-1 %s\r\n", fingerprint);
+ hash = dtls->get_fingerprint_hash(instance);
+ fingerprint = dtls->get_fingerprint(instance);
+ if (fingerprint && (hash == AST_RTP_DTLS_HASH_SHA1 || hash == AST_RTP_DTLS_HASH_SHA256)) {
+ ast_str_append(a_buf, 0, "a=fingerprint:%s %s\r\n", hash == AST_RTP_DTLS_HASH_SHA1 ? "SHA-1" : "SHA-256",
+ fingerprint);
}
}
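Review bot: The new guard on the fingerprint line only rejects a NULL pointer, but `get_fingerprint` in res_rtp_asterisk.c now returns `rtp->local_fingerprint` unconditionally, and that buffer appears to be filled only when a `certfile` was configured, so an instance without a certificate would presumably yield an empty string and this branch would emit `a=fingerprint:SHA-256 ` with no value. Checking for content rather than presence avoids advertising an unverifiable fingerprint: `if (!ast_strlen_zero(fingerprint) && (hash == AST_RTP_DTLS_HASH_SHA1 || hash == AST_RTP_DTLS_HASH_SHA256)) {`. Whether the buffer is zero-initialised on instance creation is not visible in this diff, so confirm before relying on it.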
Modified: team/file/sha256-a-harsh-reality/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/configs/sip.conf.sample?view=diff&rev=416637&r1=416636&r2=416637
==============================================================================
--- team/file/sha256-a-harsh-reality/configs/sip.conf.sample (original)
+++ team/file/sha256-a-harsh-reality/configs/sip.conf.sample Wed Jun 18 12:51:58 2014
@@ -1281,6 +1281,7 @@
; dtlscafile
; dtlscapath
; dtlssetup
+; dtlsfingerprint
;
;------------------------------------------------------------------------------
@@ -1304,6 +1305,7 @@
; ; accept connections only), and actpass (we will do both). This value will be used in
; ; the outgoing SDP when offering and for incoming SDP offers when the remote party sends
; ; actpass
+; dtlsfingerprint = sha-1 ; The hash to use for the fingerprint in SDP (valid options are sha-1 and sha-256)
;[sip_proxy]
; For incoming calls only. Example: FWD (Free World Dialup)
Modified: team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h?view=diff&rev=416637&r1=416636&r2=416637
==============================================================================
--- team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h (original)
+++ team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h Wed Jun 18 12:51:58 2014
@@ -369,13 +369,14 @@
/*! \brief DTLS connection states */
enum ast_rtp_dtls_connection {
- AST_RTP_DTLS_CONNECTION_NEW, /*!< Endpoint wants to use a new connection */
+ AST_RTP_DTLS_CONNECTION_NEW, /*!< Endpoint wants to use a new connection */
AST_RTP_DTLS_CONNECTION_EXISTING, /*!< Endpoint wishes to use existing connection */
};
/*! \brief DTLS fingerprint hashes */
enum ast_rtp_dtls_hash {
- AST_RTP_DTLS_HASH_SHA1, /*!< SHA-1 fingerprint hash */
+ AST_RTP_DTLS_HASH_SHA256, /*!< SHA-256 fingerprint hash */
+ AST_RTP_DTLS_HASH_SHA1, /*!< SHA-1 fingerprint hash */
};
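Review bot: Placing AST_RTP_DTLS_HASH_SHA256 first silently changes what a zero-initialised `ast_rtp_dtls_cfg.hash` (and `rtp->local_hash` before a config is applied) means: it is now SHA-256 rather than SHA-1, which looks intended as the new default but is stated neither here nor in the sip.conf.sample example, which shows `sha-1`. It also renumbers AST_RTP_DTLS_HASH_SHA1 for any out-of-tree module built against the old header. Make the intent explicit on the enumerator: `AST_RTP_DTLS_HASH_SHA256, /*!< SHA-256 fingerprint hash (listed first so it is the zero-value default) */`.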
/*! \brief DTLS configuration structure */
@@ -385,6 +386,7 @@
unsigned int rekey; /*!< Interval at which to renegotiate and rekey - defaults to 0 (off) */
enum ast_rtp_dtls_setup default_setup; /*!< Default setup type to use for outgoing */
enum ast_srtp_suite suite; /*!< Crypto suite in use */
+ enum ast_rtp_dtls_hash hash; /*!< Hash to use for fingerprint */
char *certfile; /*!< Certificate file */
char *pvtfile; /*!< Private key file */
char *cipher; /*!< Cipher to use */
@@ -410,8 +412,10 @@
void (*set_setup)(struct ast_rtp_instance *instance, enum ast_rtp_dtls_setup setup);
/*! Set the remote fingerprint */
void (*set_fingerprint)(struct ast_rtp_instance *instance, enum ast_rtp_dtls_hash hash, const char *fingerprint);
+ /*! Get the local fingerprint hash type */
+ enum ast_rtp_dtls_hash (*get_fingerprint_hash)(struct ast_rtp_instance *instance);
/*! Get the local fingerprint */
- const char *(*get_fingerprint)(struct ast_rtp_instance *instance, enum ast_rtp_dtls_hash hash);
+ const char *(*get_fingerprint)(struct ast_rtp_instance *instance);
};
/*! Structure that represents an RTP stack (engine) */
Modified: team/file/sha256-a-harsh-reality/main/rtp_engine.c
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/main/rtp_engine.c?view=diff&rev=416637&r1=416636&r2=416637
==============================================================================
--- team/file/sha256-a-harsh-reality/main/rtp_engine.c (original)
+++ team/file/sha256-a-harsh-reality/main/rtp_engine.c Wed Jun 18 12:51:58 2014
@@ -2137,6 +2137,12 @@
} else if (!strcasecmp(value, "actpass")) {
dtls_cfg->default_setup = AST_RTP_DTLS_SETUP_ACTPASS;
}
+ } else if (!strcasecmp(name, "dtlsfingerprint")) {
+ if (!strcasecmp(value, "sha-256")) {
+ dtls_cfg->hash = AST_RTP_DTLS_HASH_SHA256;
+ } else if (!strcasecmp(value, "sha-1")) {
+ dtls_cfg->hash = AST_RTP_DTLS_HASH_SHA1;
+ }
} else {
return -1;
}
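Review bot: An unrecognised `dtlsfingerprint` value (for example `sha256` without the hyphen) is accepted without any message and leaves `dtls_cfg->hash` at whatever it held before, so an operator who believes they selected SHA-256 may keep negotiating with SHA-1, or vice versa, with nothing in the log to show it. The surrounding `dtlssetup` branch has the same shape, so this may be deliberate, but a fingerprint hash is a verification parameter and deserves a warning: add `} else { ast_log(LOG_WARNING, "Unsupported DTLS fingerprint hash '%s'\n", value); }` after the `sha-1` case. Returning -1 here would be wrong if callers use it to mean "not a DTLS option", so log rather than fail.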
@@ -2150,6 +2156,7 @@
dst_cfg->verify = src_cfg->verify;
dst_cfg->rekey = src_cfg->rekey;
dst_cfg->suite = src_cfg->suite;
+ dst_cfg->hash = src_cfg->hash;
dst_cfg->certfile = ast_strdup(src_cfg->certfile);
dst_cfg->pvtfile = ast_strdup(src_cfg->pvtfile);
dst_cfg->cipher = ast_strdup(src_cfg->cipher);
Modified: team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c?view=diff&rev=416637&r1=416636&r2=416637
==============================================================================
--- team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c (original)
+++ team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c Wed Jun 18 12:51:58 2014
@@ -289,7 +289,9 @@
ast_mutex_t dtls_timer_lock; /*!< Lock for synchronization purposes */
enum ast_rtp_dtls_setup dtls_setup; /*!< Current setup state */
enum ast_srtp_suite suite; /*!< SRTP crypto suite */
+ enum ast_rtp_dtls_hash local_hash; /*!< Local hash used for the fingerprint */
char local_fingerprint[160]; /*!< Fingerprint of our certificate */
+ enum ast_rtp_dtls_hash remote_hash; /*!< Remote hash used for the fingerprint */
unsigned char remote_fingerprint[EVP_MAX_MD_SIZE]; /*!< Fingerprint of the peer certificate */
enum ast_rtp_dtls_connection connection; /*!< Whether this is a new or existing connection */
unsigned int dtls_failure:1; /*!< Failure occurred during DTLS negotiation */
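Review bot: `remote_hash` is added to the instance but no hunk in this revision assigns it; `set_fingerprint` already receives the hash type from chan_sip.c, so it should record `rtp->remote_hash = hash;` alongside the fingerprint bytes. The peer-certificate check during the DTLS handshake is not part of this diff, but unless it selects `EVP_sha256()` or `EVP_sha1()` from `remote_hash` it will digest the peer certificate with the old fixed algorithm, and a peer that announced a SHA-256 fingerprint will either never verify or be compared against a truncated digest. Please confirm the verification path consults this field before the branch is merged.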
@@ -822,10 +824,13 @@
goto error;
}
+ rtp->local_hash = dtls_cfg->hash;
+
if (!ast_strlen_zero(dtls_cfg->certfile)) {
char *private = ast_strlen_zero(dtls_cfg->pvtfile) ? dtls_cfg->certfile : dtls_cfg->pvtfile;
BIO *certbio;
X509 *cert;
+ const EVP_MD *type;
unsigned int size, i;
unsigned char fingerprint[EVP_MAX_MD_SIZE];
char *local_fingerprint = rtp->local_fingerprint;
@@ -849,9 +854,19 @@
goto error;
}
+ if (rtp->local_hash == AST_RTP_DTLS_HASH_SHA1) {
+ type = EVP_sha1();
+ } else if (rtp->local_hash == AST_RTP_DTLS_HASH_SHA256) {
+ type = EVP_sha256();
+ } else {
+ ast_log(LOG_ERROR, "Unsupported fingerprint hash type on RTP instance '%p'\n",
+ instance);
+ goto error;
+ }
+
if (!BIO_read_filename(certbio, dtls_cfg->certfile) ||
!(cert = PEM_read_bio_X509(certbio, NULL, 0, NULL)) ||
- !X509_digest(cert, EVP_sha1(), fingerprint, &size) ||
+ !X509_digest(cert, type, fingerprint, &size) ||
!size) {
ast_log(LOG_ERROR, "Could not produce fingerprint from certificate '%s' for RTP instance '%p'\n",
dtls_cfg->certfile, instance);
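Review bot: The hash-to-`EVP_MD` mapping added before `X509_digest` is exactly what the remote fingerprint verification will need too, and keeping two copies of an if/else chain over the enum invites them drifting apart when another algorithm is added. Hoist it into a small static helper that returns NULL for an unknown enumerator, and have this site log and `goto error` on NULL; the `local_fingerprint[160]` buffer has room for a 32-byte hex fingerprint, though the formatting loop that writes it lies outside this hunk.
```c
/*! \brief Map a DTLS fingerprint hash enumerator to its OpenSSL digest, or NULL if unsupported */
static const EVP_MD *dtls_hash_to_md(enum ast_rtp_dtls_hash hash)
{
	switch (hash) {
	case AST_RTP_DTLS_HASH_SHA1:
		return EVP_sha1();
	case AST_RTP_DTLS_HASH_SHA256:
		return EVP_sha256();
	default:
		return NULL;
	}
}

/* … unchanged: certificate loading in ast_rtp_dtls_cfg_apply … */
		if (!(type = dtls_hash_to_md(rtp->local_hash))) {
			ast_log(LOG_ERROR, "Unsupported fingerprint hash type on RTP instance '%p'\n",
				instance);
			goto error;
		}
```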
@@ -1055,13 +1070,16 @@
}
}
-static const char *ast_rtp_dtls_get_fingerprint(struct ast_rtp_instance *instance, enum ast_rtp_dtls_hash hash)
-{
- struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
-
- if (hash != AST_RTP_DTLS_HASH_SHA1) {
- return NULL;
- }
+static enum ast_rtp_dtls_hash ast_rtp_dtls_get_fingerprint_hash(struct ast_rtp_instance *instance)
+{
+ struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
+
+ return rtp->local_hash;
+}
+
+static const char *ast_rtp_dtls_get_fingerprint(struct ast_rtp_instance *instance)
+{
+ struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
return rtp->local_fingerprint;
}
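Review bot: `ast_rtp_dtls_get_fingerprint` lost the only check it had and now hands back `rtp->local_fingerprint` regardless of whether a certificate was ever loaded, so callers can no longer tell "no fingerprint" from a fingerprint by the return value alone; that contract should be written down. Add above it `/*! \brief Return the local certificate fingerprint as stored on the instance; presumably empty (not NULL) when no certfile was configured, so callers must check with ast_strlen_zero() */`, and on `ast_rtp_dtls_get_fingerprint_hash` note that the value reflects `dtls_cfg->hash` as copied in by ast_rtp_dtls_cfg_apply. Whether the buffer is zeroed on instance creation is not visible here, hence the hedge.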
@@ -1076,6 +1094,7 @@
.get_setup = ast_rtp_dtls_get_setup,
.set_setup = ast_rtp_dtls_set_setup,
.set_fingerprint = ast_rtp_dtls_set_fingerprint,
+ .get_fingerprint_hash = ast_rtp_dtls_get_fingerprint_hash,
.get_fingerprint = ast_rtp_dtls_get_fingerprint,
};