-rw-r--r--CHANGES3
-rw-r--r--channels/chan_sip.c22
-rw-r--r--configs/samples/sip.conf.sample3
3 files changed, 27 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 3191b6f49..f780d7a75 100644
--- a/CHANGES
+++ b/CHANGES
@@ -20,6 +20,9 @@ chan_sip
* New 'rtpbindaddr' global setting. This allows a user to define which
ipaddress to bind the rtpengine to. For example, chan_sip might bind
to eth0 (10.0.0.2) but rtpengine to eth1 (192.168.1.10).
+ * DTLS related configuration options can now be set at a general level.
+ Enabling DTLS support, though, requires enabling it at the user
+ or peer level.
chan_pjsip
------------------
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index f2cb0d4d2..7af98cca4 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -2305,6 +2305,9 @@ static struct ast_tls_config sip_tls_cfg;
/*! \brief Default TLS connection configuration */
static struct ast_tls_config default_tls_cfg;
+/*! \brief Default DTLS connection configuration */
+static struct ast_rtp_dtls_cfg default_dtls_cfg;
+
/*! \brief The TCP server definition */
static struct ast_tcptls_session_args sip_tcp_desc = {
.accept_fd = -1,
@@ -30398,6 +30401,10 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v, str
peer->named_callgroups = ast_unref_namedgroups(peer->named_callgroups);
peer->named_pickupgroups = ast_unref_namedgroups(peer->named_pickupgroups);
+ /* Set the default DTLS settings from default_tls_cfg */
+ ast_rtp_dtls_cfg_free(&peer->dtls_cfg);
+ ast_rtp_dtls_cfg_copy(&default_dtls_cfg, &peer->dtls_cfg);
+
for (; v || ((v = alt) && !(alt=NULL)); v = v->next) {
if (!devstate_only) {
if (handle_common_options(&peerflags[0], &mask[0], v)) {
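Review bot: The comment above the new ast_rtp_dtls_cfg_copy() call names the wrong source: it says "from default_tls_cfg" while the code copies from default_dtls_cfg, which will mislead anyone tracing where a peer's DTLS defaults come from; change it to `/* Set the default DTLS settings from default_dtls_cfg */`. The same kind of slip appears in the reload_config hunk below, whose comment reads "fro DTLS" and should read `/* Using the same idea for DTLS as the code block above for TLS */`. build_peer begins and ends outside this hunk, so I cannot see whether anything between the copy and the per-peer option loop touches peer->dtls_cfg; if it does, the copy should be placed after it.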
@@ -31172,6 +31179,7 @@ static int reload_config(enum channelreloadreason reason)
sip_cfg.contact_acl = ast_free_acl_list(sip_cfg.contact_acl);
default_tls_cfg.enabled = FALSE; /* Default: Disable TLS */
+ default_dtls_cfg.enabled = FALSE; /* Default: Disable DTLS too */
if (reason != CHANNEL_MODULE_LOAD) {
ast_debug(4, "--------------- SIP reload started\n");
@@ -31190,19 +31198,26 @@ static int reload_config(enum channelreloadreason reason)
ao2_t_callback(peers, OBJ_NODATA, peer_markall_func, NULL, "callback to mark all peers");
}
- /* Reset certificate handling for TLS sessions */
+ /* Reset certificate handling for TLS and DTLS sessions */
if (reason != CHANNEL_MODULE_LOAD) {
ast_free(default_tls_cfg.certfile);
ast_free(default_tls_cfg.pvtfile);
ast_free(default_tls_cfg.cipher);
ast_free(default_tls_cfg.cafile);
ast_free(default_tls_cfg.capath);
+ ast_rtp_dtls_cfg_free(&default_dtls_cfg);
}
default_tls_cfg.certfile = ast_strdup(AST_CERTFILE); /*XXX Not sure if this is useful */
default_tls_cfg.pvtfile = ast_strdup("");
default_tls_cfg.cipher = ast_strdup("");
default_tls_cfg.cafile = ast_strdup("");
default_tls_cfg.capath = ast_strdup("");
+ /* Using the same idea fro DTLS as the code block above for TLS */
+ default_dtls_cfg.certfile = ast_strdup("");
+ default_dtls_cfg.pvtfile = ast_strdup("");
+ default_dtls_cfg.cipher = ast_strdup("");
+ default_dtls_cfg.cafile = ast_strdup("");
+ default_dtls_cfg.capath = ast_strdup("");
/* Initialize copy of current sip_cfg.regcontext for later use in removing stale contexts */
ast_copy_string(oldcontexts, sip_cfg.regcontext, sizeof(oldcontexts));
@@ -31373,6 +31388,9 @@ static int reload_config(enum channelreloadreason reason)
continue;
}
+ /* Load default dtls configuration */
+ ast_rtp_dtls_cfg_parse(&default_dtls_cfg, v->name, v->value);
+
/* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */
if (!strcasecmp(v->name, "tlsverifyclient")) {
ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'\n");
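Review bot: The new ast_rtp_dtls_cfg_parse() call feeds every [general] option into the DTLS parser with no exclusion for dtlsenable, yet the CHANGES entry and the sip.conf.sample text in this same commit state that enabling DTLS is only possible at the user or peer level. If the parser accepts dtlsenable here the way it presumably does for peers, a general-level `dtlsenable=yes` would set default_dtls_cfg.enabled and then be inherited by every peer through the copy in build_peer, contradicting the documented behaviour and silently widening where DTLS is offered. Either skip that key explicitly, `if (strcasecmp(v->name, "dtlsenable")) { ast_rtp_dtls_cfg_parse(&default_dtls_cfg, v->name, v->value); }`, or correct the documentation to say it is honoured. The return value of the parse call is also discarded, so a malformed general-level DTLS value would go unreported if the function signals errors that way; reload_config continues outside this hunk.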
@@ -34578,6 +34596,8 @@ static int unload_module(void)
ast_free(default_tls_cfg.cafile);
ast_free(default_tls_cfg.capath);
+ ast_rtp_dtls_cfg_free(&default_dtls_cfg);
+
cleanup_all_regs();
ao2_cleanup(registry_list);
diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample
index 0e4b6d64e..c45d0cc70 100644
--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@@ -1319,6 +1319,9 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
;
; DTLS-SRTP support is available if the underlying RTP engine in use supports it.
;
+; Note that all configuration options except dtlsenable can be set at the general level.
+; If set they will be present on the user or peer unless overridden with a different value.
+;
; dtlsenable = yes ; Enable or disable DTLS-SRTP support
; dtlsverify = yes ; Verify that provided peer certificate and fingerprint are valid
; ; A value of 'yes' will perform both certificate and fingerprint verification