authorJoshua Colp <jcolp@digium.com>2014-11-15 16:31:24 +0000
committerJoshua Colp <jcolp@digium.com>2014-11-15 16:31:24 +0000
commitd0523b4b3cdc9031a0e7396d5e958803b3acaf53 (patch)
treee15a628aee679bd73f291675bbce5f1addacbd3f
parent3268544907307db6e0651dc36492503b6c001d7d (diff)
chan_sip: Add support for setting DTLS configuration in the general section.
DTLS configuration set in the general section is applied to all users and peers; configuration at the user or peer level overrides the general-section values. ASTERISK-24128 #close Reported by: Michael K. patches: dtls_default_settings.patch submitted by Michael K. (license 6621) Review: https://reviewboard.asterisk.org/r/3867/ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@427950 65c4cc65-6c06-0410-ace0-fbb531ad65f3
-rw-r--r--CHANGES3
-rw-r--r--channels/chan_sip.c22
-rw-r--r--configs/samples/sip.conf.sample3
3 files changed, 27 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 3191b6f49..f780d7a75 100644
--- a/CHANGES
+++ b/CHANGES
@@ -20,6 +20,9 @@ chan_sip
* New 'rtpbindaddr' global setting. This allows a user to define which
ipaddress to bind the rtpengine to. For example, chan_sip might bind
to eth0 (10.0.0.2) but rtpengine to eth1 (192.168.1.10).
+ * DTLS related configuration options can now be set at a general level.
+ Enabling DTLS support, though, requires enabling it at the user
+ or peer level.
chan_pjsip
------------------
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index f2cb0d4d2..7af98cca4 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -2305,6 +2305,9 @@ static struct ast_tls_config sip_tls_cfg;
/*! \brief Default TLS connection configuration */
static struct ast_tls_config default_tls_cfg;
+/*! \brief Default DTLS connection configuration */
+static struct ast_rtp_dtls_cfg default_dtls_cfg;
+
/*! \brief The TCP server definition */
static struct ast_tcptls_session_args sip_tcp_desc = {
.accept_fd = -1,
@@ -30398,6 +30401,10 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v, str
peer->named_callgroups = ast_unref_namedgroups(peer->named_callgroups);
peer->named_pickupgroups = ast_unref_namedgroups(peer->named_pickupgroups);
+ /* Set the default DTLS settings from default_tls_cfg */
+ ast_rtp_dtls_cfg_free(&peer->dtls_cfg);
+ ast_rtp_dtls_cfg_copy(&default_dtls_cfg, &peer->dtls_cfg);
+
for (; v || ((v = alt) && !(alt=NULL)); v = v->next) {
if (!devstate_only) {
if (handle_common_options(&peerflags[0], &mask[0], v)) {
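Review bot: The comment on the added block names the wrong source: the copy reads `default_dtls_cfg`, not `default_tls_cfg`, so it should read `/* Set the default DTLS settings from default_dtls_cfg */`. Because reload_config frees the string members of default_dtls_cfg on every reload (a later hunk in this commit), this copy is only safe if ast_rtp_dtls_cfg_copy duplicates those strings rather than aliasing the pointers; it appears to, but it is worth confirming, since an aliasing copy would leave every peer holding freed certfile/pvtfile/cafile pointers after the first reload. build_peer starts and ends outside the hunk.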
@@ -31172,6 +31179,7 @@ static int reload_config(enum channelreloadreason reason)
sip_cfg.contact_acl = ast_free_acl_list(sip_cfg.contact_acl);
default_tls_cfg.enabled = FALSE; /* Default: Disable TLS */
+ default_dtls_cfg.enabled = FALSE; /* Default: Disable DTLS too */
if (reason != CHANNEL_MODULE_LOAD) {
ast_debug(4, "--------------- SIP reload started\n");
@@ -31190,19 +31198,26 @@ static int reload_config(enum channelreloadreason reason)
ao2_t_callback(peers, OBJ_NODATA, peer_markall_func, NULL, "callback to mark all peers");
}
- /* Reset certificate handling for TLS sessions */
+ /* Reset certificate handling for TLS and DTLS sessions */
if (reason != CHANNEL_MODULE_LOAD) {
ast_free(default_tls_cfg.certfile);
ast_free(default_tls_cfg.pvtfile);
ast_free(default_tls_cfg.cipher);
ast_free(default_tls_cfg.cafile);
ast_free(default_tls_cfg.capath);
+ ast_rtp_dtls_cfg_free(&default_dtls_cfg);
}
default_tls_cfg.certfile = ast_strdup(AST_CERTFILE); /*XXX Not sure if this is useful */
default_tls_cfg.pvtfile = ast_strdup("");
default_tls_cfg.cipher = ast_strdup("");
default_tls_cfg.cafile = ast_strdup("");
default_tls_cfg.capath = ast_strdup("");
+ /* Using the same idea fro DTLS as the code block above for TLS */
+ default_dtls_cfg.certfile = ast_strdup("");
+ default_dtls_cfg.pvtfile = ast_strdup("");
+ default_dtls_cfg.cipher = ast_strdup("");
+ default_dtls_cfg.cafile = ast_strdup("");
+ default_dtls_cfg.capath = ast_strdup("");
/* Initialize copy of current sip_cfg.regcontext for later use in removing stale contexts */
ast_copy_string(oldcontexts, sip_cfg.regcontext, sizeof(oldcontexts));
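Review bot: The new comment has a typo, `fro` for `for`: `/* Using the same idea for DTLS as the code block above for TLS */`. It would also help to say why the DTLS defaults start from an empty certfile while the TLS block just above starts from AST_CERTFILE, since a reader comparing the two blocks will otherwise take the difference for an oversight. The five unchecked ast_strdup calls match the TLS block's style, so that is consistent. reload_config starts and ends outside the hunk.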
@@ -31373,6 +31388,9 @@ static int reload_config(enum channelreloadreason reason)
continue;
}
+ /* Load default dtls configuration */
+ ast_rtp_dtls_cfg_parse(&default_dtls_cfg, v->name, v->value);
+
/* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */
if (!strcasecmp(v->name, "tlsverifyclient")) {
ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'\n");
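Review bot: Every general-section option reaches `ast_rtp_dtls_cfg_parse` on the added line, including `dtlsenable`, while the sample config and CHANGES in this commit say DTLS can only be enabled at the user or peer level. If that parser accepts `dtlsenable` (presumably the same parser handles it at peer level), a general `dtlsenable=yes` would set default_dtls_cfg.enabled and be copied into every peer by build_peer, contradicting the documentation; either skip that key here, `if (strcasecmp(v->name, "dtlsenable")) { ast_rtp_dtls_cfg_parse(&default_dtls_cfg, v->name, v->value); }`, or clear `default_dtls_cfg.enabled` once the general section has been read, or document the wider effect. The ignored return value is expected since most keys reaching this call are not DTLS options, but a short comment saying so would spare the next reader the question. reload_config starts and ends outside the hunk.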
@@ -34578,6 +34596,8 @@ static int unload_module(void)
ast_free(default_tls_cfg.cafile);
ast_free(default_tls_cfg.capath);
+ ast_rtp_dtls_cfg_free(&default_dtls_cfg);
+
cleanup_all_regs();
ao2_cleanup(registry_list);
diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample
index 0e4b6d64e..c45d0cc70 100644
--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@@ -1319,6 +1319,9 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
;
; DTLS-SRTP support is available if the underlying RTP engine in use supports it.
;
+; Note that all configuration options except dtlsenable can be set at the general level.
+; If set they will be present on the user or peer unless overridden with a different value.
+;
; dtlsenable = yes ; Enable or disable DTLS-SRTP support
; dtlsverify = yes ; Verify that provided peer certificate and fingerprint are valid
; ; A value of 'yes' will perform both certificate and fingerprint verification