[asterisk-dev] [Code Review]: Add ability to reload SRTP policies

Matt Jordan reviewboard at asterisk.org
Thu Feb 16 17:05:48 CST 2012



> On Feb. 16, 2012, 4:50 p.m., Mark Michelson wrote:
> > I'm with the idea in spirit, but API and ABI changes like these should not happen in the midst of a release series. My feelings on this are the same as I had on an issue of Terry's recently. If you can make the change by adding to the API without having to change existing functions, that would be preferred. I also feel like you should withhold from adding to the ast_srtp_res if at all possible in the release branches.

I won't say that I can't make the change without an API change, but I'd disagree with that approach.

The problem is that the old API assumes that you can add a policy to a session in any order.  You can't.  If you add or update a local policy and then add or update a remote policy, you'll lose the local policy.  There isn't any mechanism for users of the API to know that it occurs either - they can't check to see what policies are currently in use, nor - to them - is there any difference between a local or remote policy.  The fact that libsrtp chooses to require you to blow away your session if you need to remove a policy with no SSRC (wildcard) is transparent to the users of the SRTP API - as it should be, really.  It's the API's job to manage that stuff for you, but it shouldn't give you obvious ways to shoot yourself in the foot.

So, we've got two choices:
1) Go with the API change, which keeps the ordering of things under the hood
2) Put a comment in sdp_crypto that the order the policies are added matters, and that adding a remote policy will destroy any local policies in effect.

I think the first option keeps the likelihood of subtle programming errors low, and, since the only user of the API is sdp_crypto, it isn't that invasive of a change.


> On Feb. 16, 2012, 4:50 p.m., Mark Michelson wrote:
> > /branches/1.8/include/asterisk/rtp_engine.h, lines 1840-1841
> > <https://reviewboard.asterisk.org/r/1741/diff/2/?file=24291#file24291line1840>
> >
> >     Typo on line 1841. Should be "local" instead of "remote"

Not quite, although I should probably change the comments.
* remote_policy is the policy given to us by the remote endpoint (their key)
* local_policy is the policy we've generated that we'll send to the remote endpoint (our key)

So it's technically correct, just not very well worded.  I'll make it clearer.


- Matt


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1741/#review5541
-----------------------------------------------------------


On Feb. 16, 2012, 11:39 a.m., Matt Jordan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/1741/
> -----------------------------------------------------------
> 
> (Updated Feb. 16, 2012, 11:39 a.m.)
> 
> 
> Review request for Asterisk Developers, Joshua Colp, Mark Michelson, and otherwiseguy.
> 
> 
> Summary
> -------
> 
> Currently, when using res_srtp, once the SRTP policy has been added to the current session the policy is locked into place.  Any attempt to replace an existing policy, which would be needed if the remote endpoint negotiated a new cryptographic key, is instead rejected in res_srtp.  We thus need to have a mechanism to replace an existing policy associated with either a local or remote endpoint.
> 
> If we needed to change the key for a local policy (which we don't do, but it's a hypothetical situation), changing the cryptographic key is easy.  The old stream associated with the local SSRC is removed, and a new stream is added.  The libsrtp library has straightforward calls for this.
> 
> However, for the remote policy, it isn't as easy.  Because our remote policy uses a wildcard type to match on any inbound SSRC value, it can't be replaced.  The libsrtp library explicitly disallows changing wildcard policies (as the policies are applied to all streams matching the respective inbound/outbound direction, so replacing a wildcard policy would entail replacing all streams associated with that policy).  As such, the only thing that can be done is to deallocate the old session and create a new session.
> 
> This replaces one problem with another - while we can replace the old session with a new session and a new remote policy, we would effectively destroy our local policy / stream when we do that.  Currently, there is not an imposed order on when the local/remote policies are added (and in fact, we add the local one before the remote one currently).  Thus, when replacing an SRTP session with a new one, the order in which things are done has to be:
> 1) Destroy the old SRTP session
> 2) Create a new SRTP session and add one of the two policies
> 3) Add the other policy
> If we don't add both policies at the same time, we could end up in a situation where we set the local policy, and then set the remote policy, blowing out the previously added local policy.  Good times.
> 
> This patch does the following:
> 1) It combines the adding of remote/local policies onto an SRTP session.  Although this changes the rtp_engine API, in effect it's minor, as the two were always added at the same time anyway by users of the API.  This allows us to control the order in which things are added in res_srtp, and users of the API don't have to worry.
> 2) It adds a new virtual method to the res_srtp API, replace.  This combines the destroy/create methods.
> 3) We now check for the type of stream we are adding.  If we are adding a policy for a specific SSRC, we replace the existing stream.  If we are adding a policy for a wildcard, we bail out if we already have a policy existing for that wildcard; otherwise we add it.
> 
> This patch does some other cleanup in unprotect and unload module, including toning down the log statements and shutting down the libsrtp library on unload.
> 
> 
> Diffs
> -----
> 
>   /branches/1.8/include/asterisk/res_srtp.h 354547 
>   /branches/1.8/include/asterisk/rtp_engine.h 354547 
>   /branches/1.8/main/rtp_engine.c 354547 
>   /branches/1.8/res/res_srtp.c 354547 
>   /branches/1.8/channels/sip/sdp_crypto.c 354547 
> 
> Diff: https://reviewboard.asterisk.org/r/1741/diff
> 
> 
> Testing
> -------
> 
> Made sure that the initial patch didn't break the SRTP test in the TestSuite.  Made sure that the module could be loaded and unloaded.
> 
> More testing is needed to make sure that the whole thing actually works.
> 
> 
> Thanks,
> 
> Matt
> 
>
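The ordering hazard described in the review request, modelled as an added example that is not Asterisk or libsrtp code: a small in-memory session that mirrors the constraint the review describes (an explicit-SSRC stream can be replaced in place, a wildcard stream can only be dropped by resetting the whole session), with the old one-policy-at-a-time rekey beside the combined replace. `WILDCARD_SSRC`, `struct policy` and `struct session` are assumptions of this model.

```c
/* Constructed model of the SRTP policy ordering problem; not the res_srtp or libsrtp implementation. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define WILDCARD_SSRC 0   /* assumption: stands in for libsrtp's "match any SSRC" policy */
#define MAX_STREAMS 4

struct policy { uint32_t ssrc; bool inbound; char key[8]; };
struct session { struct policy streams[MAX_STREAMS]; int count; };

static void session_reset(struct session *s) { memset(s, 0, sizeof(*s)); }

/* Add a policy. An existing explicit-SSRC stream is replaced; an existing wildcard
 * stream is refused, because (as the review explains) it cannot be changed in place. */
static int session_add(struct session *s, const struct policy *p) {
    for (int i = 0; i < s->count; i++) {
        if (s->streams[i].ssrc == p->ssrc && s->streams[i].inbound == p->inbound) {
            if (p->ssrc == WILDCARD_SSRC) return -1;
            s->streams[i] = *p;
            return 0;
        }
    }
    if (s->count == MAX_STREAMS) return -1;
    s->streams[s->count++] = *p;
    return 0;
}

/* Old-style rekey of the remote (wildcard) policy: the only way to drop the old wildcard
 * is to tear the session down, which silently discards the local policy as well. */
static int old_api_rekey_remote(struct session *s, const struct policy *remote) {
    session_reset(s);
    return session_add(s, remote);
}

/* Combined replace: the session is rebuilt with both policies in a controlled order,
 * so the caller cannot lose one of them. */
static int new_api_replace(struct session *s, const struct policy *local,
                           const struct policy *remote) {
    session_reset(s);
    if (session_add(s, remote) < 0) return -1;
    return session_add(s, local);
}

static bool session_has(const struct session *s, uint32_t ssrc, bool inbound) {
    for (int i = 0; i < s->count; i++)
        if (s->streams[i].ssrc == ssrc && s->streams[i].inbound == inbound) return true;
    return false;
}
```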
