[svn-commits] twilson: branch group/srtp r166768 - /team/group/srtp/channels/chan_sip.c

Wed Dec 24 12:56:50 CST 2008


Author: twilson
Date: Wed Dec 24 12:56:49 2008
New Revision: 166768

URL: http://svn.digium.com/view/asterisk?view=rev&rev=166768
Log:
Ok, for now I am removing the SIPSRTP=optional setting as there is no standard way to provisionally offer SRTP that I can find.  The way that we were doing it was the way that snom supports, but it causes the Polycom to choke.  Instead, what I now have is a sip.conf peer option srtpenable=yes|no and have added the ability to check this option with the SIPPEER() dialplan function.  Now, if the value of SIPSRTP evaluates to false, then encryption will not be offered, otherwise it will.  Also gone is the SIPSRTP_CRYPTO dialplan variable since 1) We don't have MIKEY support here right now and 2) If we did, I think it would be better to just signal whether or not you want to encrypt via the dialplan and leave the choice of how to encrypt to a sip.conf variable.

A quick/short example of how to offer SRTP only to devices that are capable would be something like:

[default]
exten => _600X,1,Set(_SIPSRTP=${SIPPEER(${EXTEN},srtpcapable)})
exten => _600X,n,Dial(SIP/${EXTEN})

Modified:
    team/group/srtp/channels/chan_sip.c

Modified: team/group/srtp/channels/chan_sip.c
URL: http://svn.digium.com/view/asterisk/team/group/srtp/channels/chan_sip.c?view=diff&rev=166768&r1=166767&r2=166768
==============================================================================
--- team/group/srtp/channels/chan_sip.c (original)
+++ team/group/srtp/channels/chan_sip.c Wed Dec 24 12:56:49 2008
@@ -1324,6 +1324,7 @@
 #define SIP_PAGE2_RTCACHEFRIENDS	(1 << 0)	/*!< GP: Should we keep RT objects in memory for extended time? */
 #define SIP_PAGE2_RTAUTOCLEAR		(1 << 2)	/*!< GP: Should we clean memory from peers after expiry? */
 /* Space for addition of other realtime flags in the future */
+#define SIP_PAGE2_SRTPCAPABLE       (1 << 8)	/*!< DP: Are we capable of handling SRTP? */
 #define SIP_PAGE2_STATECHANGEQUEUE	(1 << 9)	/*!< D: Unsent state pending change exists */
 
 #define SIP_PAGE2_VIDEOSUPPORT		(1 << 14)	/*!< DP: Video supported if offered? */
@@ -4895,6 +4896,10 @@
 			/* We're replacing a call. */
 			p->options->replaces = ast_var_value(current);
 		} else if (!strcasecmp(ast_var_name(current), "SIPSRTP")) {
+			if (ast_false(ast_var_value(current))) {
+				continue;
+			}
+
 			if (ast_test_flag(&p->flags[0], SIP_CAN_REINVITE)) {
 				ast_debug(1, "Reinviting not possible when using SRTP, ignoring canreinvite setting\n");
 			}
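Review bot: The new `ast_false()` guard only skips SRTP for the explicit "no"/"false"/"0"/"off" spellings; as far as I recall `ast_false()` returns 0 for an empty or unrecognised string, so `SIPSRTP=` (for instance when the `SIPPEER()` lookup in the commit's example finds no peer) or a typo like `SIPSRTP=nope` still forces SRTP setup on the lines that follow. That is the fail-closed direction, but it should be stated, e.g. with a comment above the check: `/* Anything but an explicit false value requests SRTP; an unset/unknown value still encrypts. */`. If the `srtpcapable` SIPPEER column is normalised to 0/1, `if (!ast_true(ast_var_value(current))) { continue; }` would make the accepted spellings explicit instead. The enclosing variable loop starts and ends outside this hunk.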
@@ -4902,23 +4907,6 @@
 			if (!p->srtp && setup_srtp(p) < 0) {
 				ast_log(LOG_WARNING, "SRTP setup failed\n");
 				return -1;
-			}
-
-			if (!strcasecmp(ast_var_value(current), "optional")) {
-				ast_set_flag(p->srtp, SRTP_ENCR_OPTIONAL);
-			}
-		} else if (!strcasecmp(ast_var_name(current), "SIPSRTP_CRYPTO")) {
-			if (!p->srtp && setup_srtp(p) < 0) {
-				ast_log(LOG_WARNING, "SRTP setup failed\n");
-				return -1;
-			}
-
-			if (!strcasecmp(ast_var_value(current), "enable")) {
-				ast_set_flag(p->srtp, SRTP_CRYPTO_ENABLE);
-			} else if (!strcasecmp(ast_var_value(current), "disable")) {
-				ast_clear_flag(p->srtp, SRTP_CRYPTO_ENABLE);
-			} else {
-				ast_log(LOG_WARNING,"Invalid SIPSRTP_CRYPTO value (%s), enable or disable expected\n", ast_var_value(current));
 			}
 		} else if (!strcasecmp(ast_var_name(current), "T38CALL")) {
 			p->t38.state = T38_LOCAL_DIRECT;
@@ -7764,6 +7752,11 @@
 
 	if (secure_audio && !(p->srtp && (ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK)))) {
 		ast_log(LOG_WARNING, "Can't provide secure audio requested in SDP offer\n");
+		return -2;
+	}
+
+	if (!secure_audio && p->srtp) {
+		ast_log(LOG_WARNING, "We are requesting SRTP, but they responded without it!\n");
 		return -2;
 	}
 	
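Review bot: The warning added here is byte-identical to the one added in the `@@ -7883` hunk for video, so the log cannot tell an audio rejection from a video rejection, and neither message says that the dialog is being torn down with -2. Give each its own wording, e.g. `ast_log(LOG_WARNING, "We offered SRTP for audio, but the remote SDP has no crypto for it; rejecting\n");` here and `ast_log(LOG_WARNING, "We offered SRTP for video, but the remote SDP has no crypto for it; rejecting\n");` there. The check itself is a useful downgrade guard (an unencrypted answer to an SRTP offer is refused rather than accepted). The enclosing SDP-processing function starts and ends outside this hunk.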
@@ -7883,6 +7876,11 @@
 		return -2;
 	}
 
+	if (!p->novideo && !secure_video && p->srtp) {
+		ast_log(LOG_WARNING, "We are requesting SRTP, but they responded without it!\n");
+		return -2;
+	}
+
 	/* Now gather all of the codecs that we are asked for: */
 	ast_rtp_get_current_formats(newaudiortp, &peercapability, &peernoncodeccapability);
 	ast_rtp_get_current_formats(newvideortp, &vpeercapability, &vpeernoncodeccapability);
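Review bot: The video check is keyed on `p->srtp`, which the rest of this diff uses as the audio SRTP context (`p->srtp` is what `setup_srtp()` fills in the SIPSRTP hunk and what the audio `a_crypto` is derived from). If this branch keeps a separate SRTP context for the video stream, the condition should test that one; if it does not, a comment should say that one context governs both streams, e.g. `/* p->srtp governs every media stream: if audio is encrypted, unencrypted video is refused too. */`. I cannot see the declaration of `p->srtp` or of any video counterpart from here, so treat this as something to confirm. The enclosing function continues outside the hunk.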
@@ -9098,7 +9096,6 @@
 	int needvideo = FALSE;
 	int needtext = FALSE;
 	int debug = sip_debug_test_pvt(p);
-	const char a_encr_optional[] = "a=encryption:optional\r\n";
 	int min_audio_packet_size = 0;
 	int min_video_packet_size = 0;
 	int min_text_packet_size = 0;
@@ -9160,12 +9157,10 @@
 		if (srtp->crypto) {
 			a_crypto = sdp_crypto_attrib(srtp->crypto);
 		} else {
-			if (ast_test_flag(p->srtp, SRTP_CRYPTO_ENABLE)) {
-				srtp->crypto = sdp_crypto_setup();
-
-				if (srtp->crypto && (sdp_crypto_offer(srtp->crypto) >= 0)) {
-					a_crypto = sdp_crypto_attrib(srtp->crypto);
-				}
+			srtp->crypto = sdp_crypto_setup();
+
+			if (srtp->crypto && (sdp_crypto_offer(srtp->crypto) >= 0)) {
+				a_crypto = sdp_crypto_attrib(srtp->crypto);
 			}
 		}
 
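Review bot: When `sdp_crypto_setup()` returns NULL or `sdp_crypto_offer()` fails, `a_crypto` stays NULL and the `@@ -9174` hunk then selects `protocol = "AVP"`, so a call that was explicitly told to encrypt (SIPSRTP not false, `p->srtp` set) is silently offered as plain RTP with only whatever these helpers log. Now that the "optional" mode is gone, that fallback should become a hard failure: after the crypto block, something like `if (srtp && !a_crypto) { ast_log(LOG_WARNING, "SRTP requested but no crypto offer could be built\n"); return <this function's failure result>; }`, returning whatever `add_sdp` uses for failure in this branch (mainline uses an `enum sip_result`, which I cannot confirm from here). At minimum the `else` branch deserves a comment noting that a failed offer leaves `a_crypto` NULL. The enclosing function starts and ends outside this hunk.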
@@ -9174,7 +9169,7 @@
 		}
 	}
 
-	if ((a_crypto) && !ast_test_flag(srtp, SRTP_ENCR_OPTIONAL)) {
+	if (a_crypto) {
 		protocol = "SAVP";
 	} else {
 		protocol = "AVP";
@@ -9347,9 +9342,6 @@
 
 	if (a_crypto) {
 		len += strlen(a_crypto);
-		if (ast_test_flag(srtp, SRTP_ENCR_OPTIONAL)) {
-			len += strlen(a_encr_optional);
-		}
 	}
 
 	add_header(resp, "Content-Type", "application/sdp");
@@ -9378,9 +9370,6 @@
 	}
 	if (a_crypto) {
 		add_line(resp, a_crypto);
-		if (ast_test_flag(srtp, SRTP_ENCR_OPTIONAL)) {
-			add_line(resp, a_encr_optional);
-		}
 	}
 
 	/* Update lastrtprx when we send our SDP */
@@ -15939,6 +15928,8 @@
 		ast_copy_string(buf, peer->cid_num, len);
 	} else  if (!strcasecmp(colname, "codecs")) {
 		ast_getformatname_multiple(buf, len -1, peer->capability);
+	} else if (!strcasecmp(colname, "srtpcapable")) {
+		snprintf(buf, len, "%d", ast_test_flag(&peer->flags[1], SIP_PAGE2_SRTPCAPABLE));
 	} else  if (!strncasecmp(colname, "chanvar[", 8)) {
 		char *chanvar=colname + 8;
 		struct ast_variable *v;
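Review bot: `ast_test_flag()` yields the masked bit, not a boolean, so `SIPPEER(peer,srtpcapable)` returns "256" (SIP_PAGE2_SRTPCAPABLE is `1 << 8`) rather than "1" when the flag is set, and any dialplan that compares against 1 or feeds the value to `ast_true()` will see it as unset. Normalise it: `snprintf(buf, len, "%d", ast_test_flag(&peer->flags[1], SIP_PAGE2_SRTPCAPABLE) ? 1 : 0);`. The commit's example only works today because the consumer happens to be `ast_false()`, which treats "256" as not-false. The SIPPEER column chain starts and ends outside this hunk.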
@@ -18934,6 +18925,10 @@
 						/* No bridged peer with T38 enabled*/
 					}
 				} 
+				if (p->srtp && !ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK)) {
+					transmit_response_reliable(p, "488 Not Acceptable Here (crypto)", req);
+					sendok = FALSE;
+				}
 				/* Respond to normal re-invite */
 				if (sendok) {
 					/* If this is not a re-invite or something to ignore - it's critical */
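Review bot: The new 488 is sent unconditionally, without checking whether the block that closes just above it (the T.38 handling, from what the context shows) has already transmitted a response and cleared `sendok`; if it has, the re-INVITE gets two final responses. Guard it the same way the normal path is guarded: `if (sendok && p->srtp && !ast_test_flag(p->srtp, SRTP_CRYPTO_OFFER_OK)) {`. It would also help to say why a bare `p->srtp` is enough here, e.g. `/* An established SRTP dialog must not be re-INVITEd down to plain RTP. */`, since the hunk at `@@ -7764` already rejects such SDP inside process_sdp and the relationship between the two checks is not visible from here. The enclosing request handler starts and ends outside this hunk.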
@@ -22382,6 +22377,8 @@
 			} else {
 				peer->stimer.st_ref = i;
 			}
+		} else if (!strcasecmp(v->name, "srtpcapable")) {
+			ast_set2_flag(&peer->flags[1], ast_true(v->value), SIP_PAGE2_SRTPCAPABLE);
 		}
 	}
 
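Review bot: Setting `SIP_PAGE2_SRTPCAPABLE` on `peer->flags[1]` is only half the wiring: if this branch, like mainline, copies a fixed mask of page-2 flags from the peer into each dialog and from the defaults into each peer, the new bit has to be added to that mask or the setting will be dropped on the way to the call (I cannot see those masks from here, so please confirm). The option name also disagrees with the commit message, which documents it as `srtpenable=yes|no` while the code parses `srtpcapable`; pick one and fix the other. Only the peer parser is touched, so whether users/friends get the same option is not visible in this diff. The enclosing config loop starts and ends outside this hunk.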



