[asterisk-dev] [Code Review] Add ability to reload SRTP policies

Matt Jordan reviewboard at asterisk.org
Thu Feb 23 09:32:44 CST 2012


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1741/
-----------------------------------------------------------

(Updated Feb. 23, 2012, 9:32 a.m.)


Review request for Asterisk Developers, Joshua Colp, Mark Michelson, and otherwiseguy.


Changes
-------

Clarified the local/remote policy comment a bit.  I didn't modify the change to the SRTP API, as I still think its the correct way to fix this problem and prevent unintentionally adding the policies in the wrong order, thereby mucking up res_srtp.

Ran additional tests using a slightly beefier version of sip_srtp in the Asterisk Test Suite.  Confirmed that in a simple, nominal call setup between two UAs supporting SRTP, sessions are set up and torn down correctly, and that the RTP stream is protected/unprotected.

Testing by the issue reporter confirmed that the code change also works in a simple, nominal situation, and that it also properly handles changing of the remote policy by the endpoint during a blind transfer (which sent the re-INVITE with the new crypto key that caused this whole thing in the first place)


Summary
-------

Currently, when using res_srtp, once the SRTP policy has been added to the current session the policy is locked into place.  Any attempt to replace an existing policy, which would be needed if the remote endpoint negotiated a new cryptographic key, is instead rejected in res_srtp.  We thus need to have a mechanism to replace an existing policy associated with either a local or remote endpoint.

If we needed to change the key for a local policy (which we don't do, but its a hypothetical situation), changing the crytographic key is easy.  The old stream associated with the local SSRC is removed, and a new stream is added.  The libsrtp library has straightforward calls for this.

However, for the remote policy, it isn't as easy.  Because our remote policy uses a wildcard type to match on any inbound SSRC value, it can't be replaced.  The libsrtp library explicitly disallows changing wildcard policies (as the policies are applied to all streams matching the respective inbound/outbound direction, so replacing a wildcard policy would entail replacing all streams associated with that policy).  As such, the only thing that can be done is to deallocate the old session and create a new session.

The replaces one problem with another - while we can replace the old session with a new session and a new remote policy, we would effectively destroy our local policy / stream when we do that.  Currently, there is not an imposed order on when the local/remote policies are added (and in fact, we add the local one before the remote one currently).  Thus, when replacing an SRTP session with a new one, the order in which things are done has to be:
1) Destroy the old SRTP session
2) Create a new SRTP session and add one of the two policies
3) Add the other policy
If we don't add both policies at the same time, we could end up in a situation where we set the local policy, and then set the remote policy, blowing out the previously added local policy.  Good times.

This patch does the following:
1) It combines the adding of remote/local policies onto an SRTP session.  Although this changes the rtp_engine API, in effect its minor, as the two were always added at the same time anyway by users of the API.  This allows us to control the order in which things are added in res_srtp, and users of the API don't have to worry.
2) It adds a new virtual method to the res_srtp API, replace.  This combines the destroy/create methods.
3) We now check for the type of stream we are adding.  If we are adding a policy for a specific SSRC, we replace the existing stream.  If we are adding a policy for a wildcard, we bail out if we already have a policy existing for that wildcard; otherwise we add it.

This patch does some other cleanup in unprotect and unload module, including toning down the log statements and shutting down the libsrtp library on unload.


Diffs (updated)
-----

  /branches/1.8/channels/sip/sdp_crypto.c 356289 
  /branches/1.8/include/asterisk/res_srtp.h 356289 
  /branches/1.8/include/asterisk/rtp_engine.h 356289 
  /branches/1.8/main/rtp_engine.c 356289 
  /branches/1.8/res/res_srtp.c 356289 

Diff: https://reviewboard.asterisk.org/r/1741/diff


Testing
-------

Made sure that the initial patch didn't break the SRTP test in the TestSuite.  Made sure that the module could be loaded and unloaded.

More testing is needed to make sure that the whole thing actually works.


Thanks,

Matt

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20120223/7a5cd11e/attachment-0001.htm>


More information about the asterisk-dev mailing list