[Asterisk-code-review] res_srtp: Disable parsing of not enabled cryptos (asterisk[master])
Jasper Hafkenscheid
asteriskteam at digium.com
Fri Sep 3 00:40:36 CDT 2021
Jasper Hafkenscheid has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/16437 )
Change subject: res_srtp: Disable parsing of not enabled cryptos
......................................................................
res_srtp: Disable parsing of not enabled cryptos
When compiled without the extended SRTP crypto suites, also disable parsing
them from received SDP. This prevents their use, as some client
implementations are not stable.
ASTERISK-29625
Change-Id: I7dafb29be1cdaabdc984002573f4bea87520533a
---
M res/res_srtp.c
1 file changed, 18 insertions(+), 14 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/37/16437/1
diff --git a/res/res_srtp.c b/res/res_srtp.c
index 3519def..cdd95af 100644
--- a/res/res_srtp.c
+++ b/res/res_srtp.c
@@ -275,7 +275,7 @@
crypto_policy_set_aes_cm_128_hmac_sha1_32(p);
return 0;
-#ifdef HAVE_SRTP_192
+#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)
case AST_AES_CM_192_HMAC_SHA1_80:
crypto_policy_set_aes_cm_192_hmac_sha1_80(p);
return 0;
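Review bot: The added `defined(ENABLE_SRTP_AES_192)` test gives no diagnostic when the macro is not visible in this translation unit: a missing include or a misspelled name evaluates to false and the suite is compiled out silently, narrowing the negotiable cipher set without anyone noticing. The diff does not show where the `ENABLE_SRTP_AES_*` switches are defined, so I would add a comment above the first guard, for example `/* ENABLE_SRTP_AES_* are build-time switches from <defining header>; a suite is used only when libsrtp has it AND the switch is set */`, and check that the header is included by this file. The same applies to the guards in the hunks at @@ -284, @@ -293, @@ -880, @@ -905 and @@ -930. The enclosing switch starts and ends outside this hunk.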
@@ -284,7 +284,7 @@
crypto_policy_set_aes_cm_192_hmac_sha1_32(p);
return 0;
#endif
-#ifdef HAVE_SRTP_256
+#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)
case AST_AES_CM_256_HMAC_SHA1_80:
crypto_policy_set_aes_cm_256_hmac_sha1_80(p);
return 0;
@@ -293,18 +293,19 @@
crypto_policy_set_aes_cm_256_hmac_sha1_32(p);
return 0;
#endif
-#ifdef HAVE_SRTP_GCM
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)
case AST_AES_GCM_128:
crypto_policy_set_aes_gcm_128_16_auth(p);
return 0;
- case AST_AES_GCM_256:
- crypto_policy_set_aes_gcm_256_16_auth(p);
- return 0;
-
case AST_AES_GCM_128_8:
crypto_policy_set_aes_gcm_128_8_auth(p);
return 0;
+#endif
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)
+ case AST_AES_GCM_256:
+ crypto_policy_set_aes_gcm_256_16_auth(p);
+ return 0;
case AST_AES_GCM_256_8:
crypto_policy_set_aes_gcm_256_8_auth(p);
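Review bot: The three-term condition guarding the AES-256-GCM cases is written out twice, here and in the suite parser in the hunk at @@ -930, and nothing ties the two copies together. If one is edited without the other, the parser may accept a suite for which this switch has no case, or the reverse. Defining the combined condition once near the top of the file and testing that single macro in both places would keep them in step. A comment such as `/* AES-256-GCM requires the GCM switch and the AES-256 switch */` is also worth adding, since before this change `HAVE_SRTP_GCM` alone was enough. What the switch returns for a compiled-out suite is not visible here, and the closing `#endif` of the new block lies outside the hunk.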
@@ -880,7 +881,7 @@
suite_val = AST_AES_CM_128_HMAC_SHA1_32;
ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_32);
key_len_expected = 30;
-#ifdef HAVE_SRTP_192
+#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)
} else if (!strcmp(suite, "AES_192_CM_HMAC_SHA1_80")) {
suite_val = AST_AES_CM_192_HMAC_SHA1_80;
ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_80);
@@ -905,7 +906,7 @@
ast_set_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);
key_len_expected = 38;
#endif
-#ifdef HAVE_SRTP_256
+#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)
} else if (!strcmp(suite, "AES_256_CM_HMAC_SHA1_80")) {
suite_val = AST_AES_CM_256_HMAC_SHA1_80;
ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_80);
@@ -930,21 +931,24 @@
ast_set_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);
key_len_expected = 46;
#endif
-#ifdef HAVE_SRTP_GCM
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)
} else if (!strcmp(suite, "AEAD_AES_128_GCM")) {
suite_val = AST_AES_GCM_128;
ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_16);
key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
+ /* RFC contained a (too) short auth tag for RTP media, some still use that */
+ } else if (!strcmp(suite, "AEAD_AES_128_GCM_8")) {
+ suite_val = AST_AES_GCM_128_8;
+ ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
+ key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
+#endif
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)
} else if (!strcmp(suite, "AEAD_AES_256_GCM")) {
suite_val = AST_AES_GCM_256;
ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_16);
ast_set_flag(srtp, AST_SRTP_CRYPTO_AES_256);
key_len_expected = AES_256_GCM_KEYSIZE_WSALT;
/* RFC contained a (too) short auth tag for RTP media, some still use that */
- } else if (!strcmp(suite, "AEAD_AES_128_GCM_8")) {
- suite_val = AST_AES_GCM_128_8;
- ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
- key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
} else if (!strcmp(suite, "AEAD_AES_256_GCM_8")) {
suite_val = AST_AES_GCM_256_8;
ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
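Review bot: `AEAD_AES_128_GCM_8` and `AEAD_AES_256_GCM_8` stay under the same guards as the full-tag GCM suites, so a build that enables GCM still accepts the 8-byte authentication tag from a remote offer, even though the comment moved with them calls that tag too short. Since this change is about refusing suites in received SDP, a separate build-time switch for the two `_8` variants would let a deployment keep GCM while refusing the short tag. At minimum the comment could state the trade-off, e.g. `/* 8-byte tag: weaker forgery resistance, kept for interoperability only */`. The if/else chain begins and ends outside this hunk, so how a disabled or unrecognised suite is reported cannot be checked from here.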
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/16437
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: I7dafb29be1cdaabdc984002573f4bea87520533a
Gerrit-Change-Number: 16437
Gerrit-PatchSet: 1
Gerrit-Owner: Jasper Hafkenscheid <jasper.hafkenscheid at wearespindle.com>
Gerrit-MessageType: newchange