diff options
| author | Alexander Traud <pabstraud@compuserve.com> | 2016-07-19 16:41:44 +0200 |
|---|---|---|
| committer | Joshua Colp <jcolp@digium.com> | 2016-09-07 11:45:23 +0000 |
| commit | 7a12355dbdf7ee49713746d993c653f91b0fcbd0 (patch) | |
| tree | 2841526be7bb9695f0c267f18e4b49cd3ad72933 | |
| parent | e6cad17d6dd4e335632ec27478ccee40bb574cc3 (diff) | |
chan_sip: Allow Preferred sRTP.
Following the Encrypt-all-the-things paradigm:
The user enters his SIP-URI and password. Thanks to DNS-NAPTR, the phone
determines SIP-over-TLS as preferred transport. In SIP/SDP, the phone starts
the call with a crypto attribute, but not as RTP/sAVP but the RTP/AVP profile
(sRTP is preferred aka optional; not mandatory). If the VoIP server does not
support sRTP and TLS, the phone shows an open padlock icon.
This paradigm is supported by several VoIP/SIP clients on default. Some
implementations even cannot be changed to RTP/sAVP. Therefore here, this
change allows Preferred sRTP for ingress. For egress, please, create a dial
plan which starts with RTP/SAVP, and when rejected tries again with RTP/AVP.
ASTERISK-20234 #close
Reported by: tootai
Tested by: tootai, Alexander Traud
patches:
srtp_patches.diff submitted by Matt Jordan
Change-Id: I42cb779df3a9c7b3dd03a629fb3a296aa4ceb0fd
| -rw-r--r-- | CHANGES | 7 | ||||
| -rw-r--r-- | channels/chan_sip.c | 35 |
2 files changed, 20 insertions, 22 deletions
@@ -12,6 +12,13 @@ --- Functionality changes from Asterisk 14 to Asterisk 15 -------------------- ------------------------------------------------------------------------------ +chan_sip +------------------ + * If an offer is received with optional SRTP (a media stream with RTP/AVP but + which contains a crypto line) chan_sip will now accept it and enable SRTP. + If you would like to do optional SRTP on outbound you will need to create + a dialplan that dials with it enabled initially and if it fails fall back to + without. ------------------------------------------------------------------------------ --- Functionality changes from Asterisk 14.0.0 to Asterisk 14.1.0 ---------- diff --git a/channels/chan_sip.c b/channels/chan_sip.c index 6a18aa36b..1d70e8975 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -1480,7 +1480,7 @@ static void handle_response(struct sip_pvt *p, int resp, const char *rest, struc /*------ SRTP Support -------- */ static int process_crypto(struct sip_pvt *p, struct ast_rtp_instance *rtp, struct ast_sdp_srtp **srtp, - const char *a, int secure_transport); + const char *a); /*------ T38 Support --------- */ static int transmit_response_with_t38_sdp(struct sip_pvt *p, char *msg, struct sip_request *req, int retrans); @@ -10610,9 +10610,13 @@ static int process_sdp(struct sip_pvt *p, struct sip_request *req, int t38action } } else if (process_sdp_a_sendonly(value, &sendonly)) { processed = TRUE; - } else if (!processed_crypto && process_crypto(p, p->rtp, &p->srtp, value, secure_audio)) { + } else if (!processed_crypto && process_crypto(p, p->rtp, &p->srtp, value)) { processed_crypto = TRUE; processed = TRUE; + if (secure_audio == FALSE) { + ast_log(AST_LOG_NOTICE, "Processed audio crypto attribute without SAVP specified; accepting anyway\n"); + secure_audio = TRUE; + } } else if (process_sdp_a_audio(value, p, &newaudiortp, &last_rtpmap_codec)) { processed = TRUE; } @@ -10627,9 +10631,13 @@ static int process_sdp(struct sip_pvt *p, struct sip_request *req, int t38action if (p->vsrtp) { ast_set_flag(p->vsrtp, AST_SRTP_CRYPTO_OFFER_OK); } - } else if (!processed_crypto && process_crypto(p, p->vrtp, &p->vsrtp, value, secure_video)) { + } else if (!processed_crypto && process_crypto(p, p->vrtp, &p->vsrtp, value)) { processed_crypto = TRUE; processed = TRUE; + if (secure_video == FALSE) { + ast_log(AST_LOG_NOTICE, "Processed video crypto attribute without SAVP specified; accepting anyway\n"); + secure_video = TRUE; + } } else if (process_sdp_a_video(value, p, &newvideortp, &last_rtpmap_codec)) { processed = TRUE; } @@ -10640,7 +10648,7 @@ static int process_sdp(struct sip_pvt *p, struct sip_request *req, int t38action processed = TRUE; } else if (process_sdp_a_text(value, p, &newtextrtp, red_fmtp, &red_num_gen, red_data_pt, &last_rtpmap_codec)) { processed = TRUE; - } else if (!processed_crypto && process_crypto(p, p->trtp, &p->tsrtp, value, 1)) { + } else if (!processed_crypto && process_crypto(p, p->trtp, &p->tsrtp, value)) { processed_crypto = TRUE; processed = TRUE; } @@ -33752,7 +33760,7 @@ static void sip_send_all_mwi_subscriptions(void) } static int process_crypto(struct sip_pvt *p, struct ast_rtp_instance *rtp, struct ast_sdp_srtp **srtp, - const char *a, int secure_transport) + const char *a) { struct ast_rtp_engine_dtls *dtls; @@ -33768,23 +33776,6 @@ static int process_crypto(struct sip_pvt *p, struct ast_rtp_instance *rtp, struc /* skip "crypto:" */ a += strlen("crypto:"); - if (!secure_transport) { - /* > The Secure Real-time Transport Protocol (SRTP) - * > [RFC3711] provides security services for RTP media - * > and is signaled by use of secure RTP transport (e.g., - * > "RTP/SAVP" or "RTP/SAVPF") in an SDP media (m=) line. - * > ... - * > The "crypto" attribute MUST only appear at the SDP - * > media level (not at the session level). - * - * Ergo, we can trust RTP/(S)AVP to be read from the m= - * line before we get here. If it was RTP/AVP, then this - * is SNOM-specific optional SRTP. Ignore it. - */ - ast_log(LOG_WARNING, "Ignoring crypto attribute in SDP because RTP transport is insecure\n"); - return FALSE; - } - if (!*srtp) { if (ast_test_flag(&p->flags[0], SIP_OUTGOING)) { ast_log(LOG_WARNING, "Ignoring unexpected crypto attribute in SDP answer\n"); |