[asterisk-commits] file: trunk r427950 - in /trunk: ./ channels/ configs/samples/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Sat Nov 15 10:31:39 CST 2014


Author: file
Date: Sat Nov 15 10:31:24 2014
New Revision: 427950

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=427950
Log:
chan_sip: Add support for setting DTLS configuration in the general section.

Configuration of DTLS in the general section will be applied to any users
or peers. If configuration exists at their level it overrides the general
section values.

ASTERISK-24128 #close
Reported by: Michael K.
patches:
  dtls_default_settings.patch submitted by Michael K. (license 6621)

Review: https://reviewboard.asterisk.org/r/3867/

Modified:
    trunk/CHANGES
    trunk/channels/chan_sip.c
    trunk/configs/samples/sip.conf.sample

Modified: trunk/CHANGES
URL: http://svnview.digium.com/svn/asterisk/trunk/CHANGES?view=diff&rev=427950&r1=427949&r2=427950
==============================================================================
--- trunk/CHANGES (original)
+++ trunk/CHANGES Sat Nov 15 10:31:24 2014
@@ -20,6 +20,9 @@
  * New 'rtpbindaddr' global setting. This allows a user to define which
    ipaddress to bind the rtpengine to. For example, chan_sip might bind
    to eth0 (10.0.0.2) but rtpengine to eth1 (192.168.1.10).
+ * DTLS related configuration options can now be set at a general level.
+   Enabling DTLS support, though, requires enabling it at the user
+   or peer level.
 
 chan_pjsip
 ------------------

Modified: trunk/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/trunk/channels/chan_sip.c?view=diff&rev=427950&r1=427949&r2=427950
==============================================================================
--- trunk/channels/chan_sip.c (original)
+++ trunk/channels/chan_sip.c Sat Nov 15 10:31:24 2014
@@ -2305,6 +2305,9 @@
 /*! \brief Default TLS connection configuration */
 static struct ast_tls_config default_tls_cfg;
 
+/*! \brief Default DTLS connection configuration */
+static struct ast_rtp_dtls_cfg default_dtls_cfg;
+
 /*! \brief The TCP server definition */
 static struct ast_tcptls_session_args sip_tcp_desc = {
 	.accept_fd = -1,
@@ -30397,6 +30400,10 @@
 	/* clear named callgroup and named pickup group container */
 	peer->named_callgroups = ast_unref_namedgroups(peer->named_callgroups);
 	peer->named_pickupgroups = ast_unref_namedgroups(peer->named_pickupgroups);
+
+	/* Set the default DTLS settings from default_tls_cfg */
+	ast_rtp_dtls_cfg_free(&peer->dtls_cfg);
+	ast_rtp_dtls_cfg_copy(&default_dtls_cfg, &peer->dtls_cfg);
 
 	for (; v || ((v = alt) && !(alt=NULL)); v = v->next) {
 		if (!devstate_only) {
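Review bot: The comment above the new free/copy pair names the wrong variable: the copy source is `default_dtls_cfg`, not `default_tls_cfg`, so it should read `/* Set the default DTLS settings from default_dtls_cfg */`. Freeing `peer->dtls_cfg` before the copy looks right for the reload case where an existing peer object is rebuilt and already holds strdup'd strings, and doing it before the option loop is what lets per-peer values override the general ones as the commit message describes. The enclosing function starts outside the hunk.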
@@ -31172,6 +31179,7 @@
 	sip_cfg.contact_acl = ast_free_acl_list(sip_cfg.contact_acl);
 
 	default_tls_cfg.enabled = FALSE;		/* Default: Disable TLS */
+	default_dtls_cfg.enabled = FALSE;		/* Default: Disable DTLS too */
 
 	if (reason != CHANNEL_MODULE_LOAD) {
 		ast_debug(4, "--------------- SIP reload started\n");
@@ -31190,19 +31198,26 @@
 		ao2_t_callback(peers, OBJ_NODATA, peer_markall_func, NULL, "callback to mark all peers");
 	}
 
-	/* Reset certificate handling for TLS sessions */
+	/* Reset certificate handling for TLS and DTLS sessions */
 	if (reason != CHANNEL_MODULE_LOAD) {
 		ast_free(default_tls_cfg.certfile);
 		ast_free(default_tls_cfg.pvtfile);
 		ast_free(default_tls_cfg.cipher);
 		ast_free(default_tls_cfg.cafile);
 		ast_free(default_tls_cfg.capath);
+		ast_rtp_dtls_cfg_free(&default_dtls_cfg);
 	}
 	default_tls_cfg.certfile = ast_strdup(AST_CERTFILE); /*XXX Not sure if this is useful */
 	default_tls_cfg.pvtfile = ast_strdup("");
 	default_tls_cfg.cipher = ast_strdup("");
 	default_tls_cfg.cafile = ast_strdup("");
 	default_tls_cfg.capath = ast_strdup("");
+	/* Using the same idea fro DTLS as the code block above for TLS */
+	default_dtls_cfg.certfile = ast_strdup("");
+	default_dtls_cfg.pvtfile = ast_strdup("");
+	default_dtls_cfg.cipher = ast_strdup("");
+	default_dtls_cfg.cafile = ast_strdup("");
+	default_dtls_cfg.capath = ast_strdup("");
 
 	/* Initialize copy of current sip_cfg.regcontext for later use in removing stale contexts */
 	ast_copy_string(oldcontexts, sip_cfg.regcontext, sizeof(oldcontexts));
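Review bot: The comment on the new DTLS block has a typo, `/* Using the same idea for DTLS as the code block above for TLS */`. Separately, on reload the only DTLS state visibly reset in this function is `enabled` (earlier in the function) plus whatever `ast_rtp_dtls_cfg_free()` releases; if that helper only frees the string members, non-string settings parsed from a previous [general] section (verification mode, suite, rekey interval) would survive a reload in which the option was removed, and then be copied into every peer by the build_peer change. Worth confirming what the helper resets, or resetting the struct explicitly after the free. The enclosing function starts and ends outside the hunk.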
@@ -31372,6 +31387,9 @@
 		if (!ast_jb_read_conf(&global_jbconf, v->name, v->value)) {
 			continue;
 		}
+
+		/* Load default dtls configuration */
+		ast_rtp_dtls_cfg_parse(&default_dtls_cfg, v->name, v->value);
 
 		/* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */
 		if (!strcasecmp(v->name, "tlsverifyclient")) {
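Review bot: The new `ast_rtp_dtls_cfg_parse()` call is fed every [general] option without excluding `dtlsenable`, and its return value is discarded. If that parser accepts `dtlsenable` (it is the same routine used for peer-level options, so presumably it does), a `dtlsenable=yes` in [general] would set `default_dtls_cfg.enabled` and be copied into every user and peer by the build_peer change, which contradicts the CHANGES entry and the sip.conf.sample note in this commit that enabling stays per user/peer. Consider `if (strcasecmp(v->name, "dtlsenable")) { ast_rtp_dtls_cfg_parse(&default_dtls_cfg, v->name, v->value); }`, or a comment stating that general-level enabling is intended. The enclosing loop starts outside the hunk.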
@@ -34578,6 +34596,8 @@
 	ast_free(default_tls_cfg.cafile);
 	ast_free(default_tls_cfg.capath);
 
+	ast_rtp_dtls_cfg_free(&default_dtls_cfg);
+
 	cleanup_all_regs();
 	ao2_cleanup(registry_list);
 

Modified: trunk/configs/samples/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/trunk/configs/samples/sip.conf.sample?view=diff&rev=427950&r1=427949&r2=427950
==============================================================================
--- trunk/configs/samples/sip.conf.sample (original)
+++ trunk/configs/samples/sip.conf.sample Sat Nov 15 10:31:24 2014
@@ -1319,6 +1319,9 @@
 ;
 ; DTLS-SRTP support is available if the underlying RTP engine in use supports it.
 ;
+; Note that all configuration options except dtlsenable can be set at the general level.
+; If set they will be present on the user or peer unless overridden with a different value.
+;
 ; dtlsenable = yes                   ; Enable or disable DTLS-SRTP support
 ; dtlsverify = yes                   ; Verify that provided peer certificate and fingerprint are valid
 ;				     ; A value of 'yes' will perform both certificate and fingerprint verification



