diff options
author | twilson <twilson@f38db490-d61c-443f-a65b-d21fe96a405b> | 2010-06-08 05:29:08 +0000 |
---|---|---|
committer | twilson <twilson@f38db490-d61c-443f-a65b-d21fe96a405b> | 2010-06-08 05:29:08 +0000 |
commit | 9b1a36a294342fc418d9a359a4cf06bd90c4acb9 (patch) | |
tree | ecc27fc0db142ea1cd335a74cd1265f993fecd11 /res | |
parent | 5f87b66641d86dbe7afec3b083016b2b1aceafc7 (diff) |
Add SRTP support for Asterisk
After 5 years in mantis and over a year on reviewboard, SRTP support is finally
being comitted. This includes generic CHANNEL dialplan functions that work for
getting the status of whether a call has secure media or signaling as defined
by the underlying channel technology and for setting whether or not a new
channel being bridged to a calling channel should have secure signaling or
media. See doc/tex/secure-calls.tex for examples.
Original patch by mikma, updated for trunk and revised by me.
(closes issue #5413)
Reported by: mikma
Tested by: twilson, notthematrix, hemanshurpatel
Review: https://reviewboard.asterisk.org/r/191/
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@268894 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'res')
-rw-r--r-- | res/res_rtp_asterisk.c | 89 | ||||
-rw-r--r-- | res/res_srtp.c | 403 | ||||
-rw-r--r-- | res/res_srtp.exports.in | 4 |
3 files changed, 478 insertions, 18 deletions
diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c index 07f7bf392..d388856bb 100644 --- a/res/res_rtp_asterisk.c +++ b/res/res_rtp_asterisk.c @@ -78,6 +78,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #define ZFONE_PROFILE_ID 0x505a +extern struct ast_srtp_res *res_srtp; static int dtmftimeout = DEFAULT_DTMF_TIMEOUT; static int rtpstart = DEFAULT_RTP_START; /*!< First port for RTP sessions (set in rtp.conf) */ @@ -328,6 +329,57 @@ static inline int rtcp_debug_test_addr(struct sockaddr_in *addr) return 1; } +static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t size, int flags, struct sockaddr *sa, socklen_t *salen, int rtcp) +{ + int len; + struct ast_rtp *rtp = ast_rtp_instance_get_data(instance); + struct ast_srtp *srtp = ast_rtp_instance_get_srtp(instance); + + if ((len = recvfrom(rtcp ? rtp->rtcp->s : rtp->s, buf, size, flags, sa, salen)) < 0) { + return len; + } + + if (res_srtp && srtp && res_srtp->unprotect(srtp, buf, &len, rtcp) < 0) { + return -1; + } + + return len; +} + +static int rtcp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t size, int flags, struct sockaddr *sa, socklen_t *salen) +{ + return __rtp_recvfrom(instance, buf, size, flags, sa, salen, 1); +} + +static int rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t size, int flags, struct sockaddr *sa, socklen_t *salen) +{ + return __rtp_recvfrom(instance, buf, size, flags, sa, salen, 0); +} + +static int __rtp_sendto(struct ast_rtp_instance *instance, void *buf, size_t size, int flags, struct sockaddr *sa, socklen_t salen, int rtcp) +{ + int len = size; + void *temp = buf; + struct ast_rtp *rtp = ast_rtp_instance_get_data(instance); + struct ast_srtp *srtp = ast_rtp_instance_get_srtp(instance); + + if (res_srtp && srtp && res_srtp->protect(srtp, &temp, &len, rtcp) < 0) { + return -1; + } + + return sendto(rtcp ? rtp->rtcp->s : rtp->s, temp, len, flags, sa, salen); +} + +static int rtcp_sendto(struct ast_rtp_instance *instance, void *buf, size_t size, int flags, struct sockaddr *sa, socklen_t salen) +{ + return __rtp_sendto(instance, buf, size, flags, sa, salen, 1); +} + +static int rtp_sendto(struct ast_rtp_instance *instance, void *buf, size_t size, int flags, struct sockaddr *sa, socklen_t salen) +{ + return __rtp_sendto(instance, buf, size, flags, sa, salen, 0); +} + static int rtp_get_rate(format_t subclass) { return (subclass == AST_FORMAT_G722) ? 8000 : ast_format_rate(subclass); @@ -529,7 +581,7 @@ static int ast_rtp_dtmf_begin(struct ast_rtp_instance *instance, char digit) /* Actually send the packet */ for (i = 0; i < 2; i++) { rtpheader[3] = htonl((digit << 24) | (0xa << 16) | (rtp->send_duration)); - res = sendto(rtp->s, (void *) rtpheader, hdrlen + 4, 0, (struct sockaddr *) &remote_address, sizeof(remote_address)); + res = rtp_sendto(instance, (void *) rtpheader, hdrlen + 4, 0, (struct sockaddr *) &remote_address, sizeof(remote_address)); if (res < 0) { ast_log(LOG_ERROR, "RTP Transmission error to %s:%u: %s\n", ast_inet_ntoa(remote_address.sin_addr), ntohs(remote_address.sin_port), strerror(errno)); @@ -575,7 +627,7 @@ static int ast_rtp_dtmf_continuation(struct ast_rtp_instance *instance) rtpheader[0] = htonl((2 << 30) | (rtp->send_payload << 16) | (rtp->seqno)); /* Boom, send it on out */ - res = sendto(rtp->s, (void *) rtpheader, hdrlen + 4, 0, (struct sockaddr *) &remote_address, sizeof(remote_address)); + res = rtp_sendto(instance, (void *) rtpheader, hdrlen + 4, 0, (struct sockaddr *) &remote_address, sizeof(remote_address)); if (res < 0) { ast_log(LOG_ERROR, "RTP Transmission error to %s:%d: %s\n", ast_inet_ntoa(remote_address.sin_addr), @@ -638,7 +690,7 @@ static int ast_rtp_dtmf_end(struct ast_rtp_instance *instance, char digit) /* Send it 3 times, that's the magical number */ for (i = 0; i < 3; i++) { - res = sendto(rtp->s, (void *) rtpheader, hdrlen + 4, 0, (struct sockaddr *) &remote_address, sizeof(remote_address)); + res = rtp_sendto(instance, (void *) rtpheader, hdrlen + 4, 0, (struct sockaddr *) &remote_address, sizeof(remote_address)); if (res < 0) { ast_log(LOG_ERROR, "RTP Transmission error to %s:%d: %s\n", ast_inet_ntoa(remote_address.sin_addr), @@ -714,9 +766,9 @@ static void timeval2ntp(struct timeval tv, unsigned int *msw, unsigned int *lsw) } /*! \brief Send RTCP recipient's report */ -static int ast_rtcp_write_rr(const void *data) +static int ast_rtcp_write_rr(struct ast_rtp_instance *instance) { - struct ast_rtp *rtp = (struct ast_rtp *)data; + struct ast_rtp *rtp = ast_rtp_instance_get_data(instance); int res; int len = 32; unsigned int lost; @@ -789,7 +841,7 @@ static int ast_rtcp_write_rr(const void *data) rtcpheader[(len/4)+2] = htonl(0x01 << 24); /* Empty for the moment */ len += 12; - res = sendto(rtp->rtcp->s, (unsigned int *)rtcpheader, len, 0, (struct sockaddr *)&rtp->rtcp->them, sizeof(rtp->rtcp->them)); + res = rtcp_sendto(instance, (unsigned int *)rtcpheader, len, 0, (struct sockaddr *)&rtp->rtcp->them, sizeof(rtp->rtcp->them)); if (res < 0) { ast_log(LOG_ERROR, "RTCP RR transmission error, rtcp halted: %s\n",strerror(errno)); @@ -817,9 +869,9 @@ static int ast_rtcp_write_rr(const void *data) } /*! \brief Send RTCP sender's report */ -static int ast_rtcp_write_sr(const void *data) +static int ast_rtcp_write_sr(struct ast_rtp_instance *instance) { - struct ast_rtp *rtp = (struct ast_rtp *)data; + struct ast_rtp *rtp = ast_rtp_instance_get_data(instance); int res; int len = 0; struct timeval now; @@ -889,7 +941,7 @@ static int ast_rtcp_write_sr(const void *data) rtcpheader[(len/4)+2] = htonl(0x01 << 24); /* Empty for the moment */ len += 12; - res = sendto(rtp->rtcp->s, (unsigned int *)rtcpheader, len, 0, (struct sockaddr *)&rtp->rtcp->them, sizeof(rtp->rtcp->them)); + res =rtcp_sendto(instance, (unsigned int *)rtcpheader, len, 0, (struct sockaddr *)&rtp->rtcp->them, sizeof(rtp->rtcp->them)); if (res < 0) { ast_log(LOG_ERROR, "RTCP SR transmission error to %s:%d, rtcp halted %s\n",ast_inet_ntoa(rtp->rtcp->them.sin_addr), ntohs(rtp->rtcp->them.sin_port), strerror(errno)); AST_SCHED_DEL(rtp->sched, rtp->rtcp->schedid); @@ -947,16 +999,17 @@ static int ast_rtcp_write_sr(const void *data) * RR is sent if we have not sent any rtp packets in the previous interval */ static int ast_rtcp_write(const void *data) { - struct ast_rtp *rtp = (struct ast_rtp *)data; + struct ast_rtp_instance *instance = (struct ast_rtp_instance *) data; + struct ast_rtp *rtp = ast_rtp_instance_get_data(instance); int res; if (!rtp || !rtp->rtcp) return 0; if (rtp->txcount > rtp->rtcp->lastsrtxcount) - res = ast_rtcp_write_sr(data); + res = ast_rtcp_write_sr(instance); else - res = ast_rtcp_write_rr(data); + res = ast_rtcp_write_rr(instance); return res; } @@ -1049,7 +1102,7 @@ static int ast_rtp_raw_write(struct ast_rtp_instance *instance, struct ast_frame put_unaligned_uint32(rtpheader + 4, htonl(rtp->lastts)); put_unaligned_uint32(rtpheader + 8, htonl(rtp->ssrc)); - if ((res = sendto(rtp->s, (void *)rtpheader, frame->datalen + hdrlen, 0, (struct sockaddr *)&remote_address, sizeof(remote_address))) < 0) { + if ((res = rtp_sendto(instance, (void *)rtpheader, frame->datalen + hdrlen, 0, (struct sockaddr *)&remote_address, sizeof(remote_address))) < 0) { if (!ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT) || (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT) && (ast_test_flag(rtp, FLAG_NAT_ACTIVE) == FLAG_NAT_ACTIVE))) { ast_debug(1, "RTP Transmission error of packet %d to %s:%d: %s\n", rtp->seqno, ast_inet_ntoa(remote_address.sin_addr), ntohs(remote_address.sin_port), strerror(errno)); } else if (((ast_test_flag(rtp, FLAG_NAT_ACTIVE) == FLAG_NAT_INACTIVE) || rtpdebug) && !ast_test_flag(rtp, FLAG_NAT_INACTIVE_NOWARN)) { @@ -1064,7 +1117,7 @@ static int ast_rtp_raw_write(struct ast_rtp_instance *instance, struct ast_frame if (rtp->rtcp && rtp->rtcp->schedid < 1) { ast_debug(1, "Starting RTCP transmission on RTP instance '%p'\n", instance); - rtp->rtcp->schedid = ast_sched_add(rtp->sched, ast_rtcp_calc_interval(rtp), ast_rtcp_write, rtp); + rtp->rtcp->schedid = ast_sched_add(rtp->sched, ast_rtcp_calc_interval(rtp), ast_rtcp_write, instance); } } @@ -1564,7 +1617,7 @@ static struct ast_frame *ast_rtcp_read(struct ast_rtp_instance *instance) struct ast_frame *f = &ast_null_frame; /* Read in RTCP data from the socket */ - if ((res = recvfrom(rtp->rtcp->s, rtcpdata + AST_FRIENDLY_OFFSET, sizeof(rtcpdata) - sizeof(unsigned int) * AST_FRIENDLY_OFFSET, 0, (struct sockaddr *)&sin, &len)) < 0) { + if ((res = rtcp_recvfrom(instance, rtcpdata + AST_FRIENDLY_OFFSET, sizeof(rtcpdata) - sizeof(unsigned int) * AST_FRIENDLY_OFFSET, 0, (struct sockaddr *)&sin, &len)) < 0) { ast_assert(errno != EBADF); if (errno != EAGAIN) { ast_log(LOG_WARNING, "RTCP Read error: %s. Hanging up.\n", strerror(errno)); @@ -1857,7 +1910,7 @@ static int bridge_p2p_rtp_write(struct ast_rtp_instance *instance, unsigned int ast_rtp_instance_get_remote_address(instance1, &remote_address); /* Send the packet back out */ - res = sendto(bridged->s, (void *)rtpheader, len, 0, (struct sockaddr *)&remote_address, sizeof(remote_address)); + res = rtp_sendto(instance1, (void *)rtpheader, len, 0, (struct sockaddr *)&remote_address, sizeof(remote_address)); if (res < 0) { if (!ast_rtp_instance_get_prop(instance1, AST_RTP_PROPERTY_NAT) || (ast_rtp_instance_get_prop(instance1, AST_RTP_PROPERTY_NAT) && (ast_test_flag(bridged, FLAG_NAT_ACTIVE) == FLAG_NAT_ACTIVE))) { ast_debug(1, "RTP Transmission error of packet to %s:%d: %s\n", ast_inet_ntoa(remote_address.sin_addr), ntohs(remote_address.sin_port), strerror(errno)); @@ -1899,7 +1952,7 @@ static struct ast_frame *ast_rtp_read(struct ast_rtp_instance *instance, int rtc } /* Actually read in the data from the socket */ - if ((res = recvfrom(rtp->s, rtp->rawdata + AST_FRIENDLY_OFFSET, sizeof(rtp->rawdata) - AST_FRIENDLY_OFFSET, 0, (struct sockaddr*)&sin, &len)) < 0) { + if ((res = rtp_recvfrom(instance, rtp->rawdata + AST_FRIENDLY_OFFSET, sizeof(rtp->rawdata) - AST_FRIENDLY_OFFSET, 0, (struct sockaddr*)&sin, &len)) < 0) { ast_assert(errno != EBADF); if (errno != EAGAIN) { ast_log(LOG_WARNING, "RTP Read error: %s. Hanging up.\n", strerror(errno)); @@ -2040,7 +2093,7 @@ static struct ast_frame *ast_rtp_read(struct ast_rtp_instance *instance, int rtc /* Do not schedule RR if RTCP isn't run */ if (rtp->rtcp && rtp->rtcp->them.sin_addr.s_addr && rtp->rtcp->schedid < 1) { /* Schedule transmission of Receiver Report */ - rtp->rtcp->schedid = ast_sched_add(rtp->sched, ast_rtcp_calc_interval(rtp), ast_rtcp_write, rtp); + rtp->rtcp->schedid = ast_sched_add(rtp->sched, ast_rtcp_calc_interval(rtp), ast_rtcp_write, instance); } if ((int)rtp->lastrxseqno - (int)seqno > 100) /* if so it would indicate that the sender cycled; allow for misordering */ rtp->cycles += RTP_SEQ_MOD; diff --git a/res/res_srtp.c b/res/res_srtp.c new file mode 100644 index 000000000..8b753ff87 --- /dev/null +++ b/res/res_srtp.c @@ -0,0 +1,403 @@ +/* + * Asterisk -- An open source telephony toolkit. + * + * Copyright (C) 2005, Mikael Magnusson + * + * Mikael Magnusson <mikma@users.sourceforge.net> + * + * See http://www.asterisk.org for more information about + * the Asterisk project. Please do not directly contact + * any of the maintainers of this project for assistance; + * the project provides a web site, mailing lists and IRC + * channels for your use. + * + * This program is free software, distributed under the terms of + * the GNU General Public License Version 2. See the LICENSE file + * at the top of the source tree. + * + * Builds on libSRTP http://srtp.sourceforge.net + */ + +/*! \file res_srtp.c + * + * \brief Secure RTP (SRTP) + * + * Secure RTP (SRTP) + * Specified in RFC 3711. + * + * \author Mikael Magnusson <mikma@users.sourceforge.net> + */ + +/*** MODULEINFO + <depend>srtp</depend> +***/ + +/* The SIP channel will automatically use sdescriptions if received in a SDP offer, + and res_srtp is loaded. SRTP with sdescriptions key exchange can be activated + in outgoing offers by setting _SIPSRTP_CRYPTO=enable in extension.conf before executing Dial + + The dial fails if the callee doesn't support SRTP and sdescriptions. + + exten => 2345,1,Set(_SIPSRTP_CRYPTO=enable) + exten => 2345,2,Dial(SIP/1001) +*/ + +#include "asterisk.h" + +ASTERISK_FILE_VERSION(__FILE__, "$Revision$") + +#include <srtp/srtp.h> + +#include "asterisk/lock.h" +#include "asterisk/sched.h" +#include "asterisk/module.h" +#include "asterisk/options.h" +#include "asterisk/rtp_engine.h" + +struct ast_srtp { + struct ast_rtp_instance *rtp; + srtp_t session; + const struct ast_srtp_cb *cb; + void *data; + unsigned char buf[8192 + AST_FRIENDLY_OFFSET]; + unsigned int has_stream:1; +}; + +struct ast_srtp_policy { + srtp_policy_t sp; +}; + +static int g_initialized = 0; + +/* SRTP functions */ +static int ast_srtp_create(struct ast_srtp **srtp, struct ast_rtp_instance *rtp, struct ast_srtp_policy *policy); +static void ast_srtp_destroy(struct ast_srtp *srtp); +static int ast_srtp_add_stream(struct ast_srtp *srtp, struct ast_srtp_policy *policy); + +static int ast_srtp_unprotect(struct ast_srtp *srtp, void *buf, int *len, int rtcp); +static int ast_srtp_protect(struct ast_srtp *srtp, void **buf, int *len, int rtcp); +static void ast_srtp_set_cb(struct ast_srtp *srtp, const struct ast_srtp_cb *cb, void *data); +static int ast_srtp_get_random(unsigned char *key, size_t len); + +/* Policy functions */ +static struct ast_srtp_policy *ast_srtp_policy_alloc(void); +static void ast_srtp_policy_destroy(struct ast_srtp_policy *policy); +static int ast_srtp_policy_set_suite(struct ast_srtp_policy *policy, enum ast_srtp_suite suite); +static int ast_srtp_policy_set_master_key(struct ast_srtp_policy *policy, const unsigned char *key, size_t key_len, const unsigned char *salt, size_t salt_len); +static void ast_srtp_policy_set_ssrc(struct ast_srtp_policy *policy, unsigned long ssrc, int inbound); + +static struct ast_srtp_res srtp_res = { + .create = ast_srtp_create, + .destroy = ast_srtp_destroy, + .add_stream = ast_srtp_add_stream, + .set_cb = ast_srtp_set_cb, + .unprotect = ast_srtp_unprotect, + .protect = ast_srtp_protect, + .get_random = ast_srtp_get_random +}; + +static struct ast_srtp_policy_res policy_res = { + .alloc = ast_srtp_policy_alloc, + .destroy = ast_srtp_policy_destroy, + .set_suite = ast_srtp_policy_set_suite, + .set_master_key = ast_srtp_policy_set_master_key, + .set_ssrc = ast_srtp_policy_set_ssrc +}; + +static const char *srtp_errstr(int err) +{ + switch(err) { + case err_status_ok: + return "nothing to report"; + case err_status_fail: + return "unspecified failure"; + case err_status_bad_param: + return "unsupported parameter"; + case err_status_alloc_fail: + return "couldn't allocate memory"; + case err_status_dealloc_fail: + return "couldn't deallocate properly"; + case err_status_init_fail: + return "couldn't initialize"; + case err_status_terminus: + return "can't process as much data as requested"; + case err_status_auth_fail: + return "authentication failure"; + case err_status_cipher_fail: + return "cipher failure"; + case err_status_replay_fail: + return "replay check failed (bad index)"; + case err_status_replay_old: + return "replay check failed (index too old)"; + case err_status_algo_fail: + return "algorithm failed test routine"; + case err_status_no_such_op: + return "unsupported operation"; + case err_status_no_ctx: + return "no appropriate context found"; + case err_status_cant_check: + return "unable to perform desired validation"; + case err_status_key_expired: + return "can't use key any more"; + default: + return "unknown"; + } +} + +static struct ast_srtp *res_srtp_new(void) +{ + struct ast_srtp *srtp; + + if (!(srtp = ast_calloc(1, sizeof(*srtp)))) { + ast_log(LOG_ERROR, "Unable to allocate memory for srtp\n"); + return NULL; + } + + return srtp; +} + +/* + struct ast_srtp_policy +*/ +static void srtp_event_cb(srtp_event_data_t *data) +{ + switch (data->event) { + case event_ssrc_collision: + ast_debug(1, "SSRC collision\n"); + break; + case event_key_soft_limit: + ast_debug(1, "event_key_soft_limit\n"); + break; + case event_key_hard_limit: + ast_debug(1, "event_key_hard_limit\n"); + break; + case event_packet_index_limit: + ast_debug(1, "event_packet_index_limit\n"); + break; + } +} + +static void ast_srtp_policy_set_ssrc(struct ast_srtp_policy *policy, + unsigned long ssrc, int inbound) +{ + if (ssrc) { + policy->sp.ssrc.type = ssrc_specific; + policy->sp.ssrc.value = ssrc; + } else { + policy->sp.ssrc.type = inbound ? ssrc_any_inbound : ssrc_any_outbound; + } +} + +static struct ast_srtp_policy *ast_srtp_policy_alloc() +{ + struct ast_srtp_policy *tmp; + + if (!(tmp = ast_calloc(1, sizeof(*tmp)))) { + ast_log(LOG_ERROR, "Unable to allocate memory for srtp_policy\n"); + } + + return tmp; +} + +static void ast_srtp_policy_destroy(struct ast_srtp_policy *policy) +{ + if (policy->sp.key) { + ast_free(policy->sp.key); + policy->sp.key = NULL; + } + ast_free(policy); +} + +static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite) +{ + switch (suite) { + case AST_AES_CM_128_HMAC_SHA1_80: + p->cipher_type = AES_128_ICM; + p->cipher_key_len = 30; + p->auth_type = HMAC_SHA1; + p->auth_key_len = 20; + p->auth_tag_len = 10; + p->sec_serv = sec_serv_conf_and_auth; + return 0; + + case AST_AES_CM_128_HMAC_SHA1_32: + p->cipher_type = AES_128_ICM; + p->cipher_key_len = 30; + p->auth_type = HMAC_SHA1; + p->auth_key_len = 20; + p->auth_tag_len = 4; + p->sec_serv = sec_serv_conf_and_auth; + return 0; + + default: + ast_log(LOG_ERROR, "Invalid crypto suite: %d\n", suite); + return -1; + } +} + +static int ast_srtp_policy_set_suite(struct ast_srtp_policy *policy, enum ast_srtp_suite suite) +{ + return policy_set_suite(&policy->sp.rtp, suite) | policy_set_suite(&policy->sp.rtcp, suite); +} + +static int ast_srtp_policy_set_master_key(struct ast_srtp_policy *policy, const unsigned char *key, size_t key_len, const unsigned char *salt, size_t salt_len) +{ + size_t size = key_len + salt_len; + unsigned char *master_key; + + if (policy->sp.key) { + ast_free(policy->sp.key); + policy->sp.key = NULL; + } + + if (!(master_key = ast_calloc(1, size))) { + return -1; + } + + memcpy(master_key, key, key_len); + memcpy(master_key + key_len, salt, salt_len); + + policy->sp.key = master_key; + + return 0; +} + +static int ast_srtp_get_random(unsigned char *key, size_t len) +{ + return crypto_get_random(key, len) != err_status_ok ? -1: 0; +} + +static void ast_srtp_set_cb(struct ast_srtp *srtp, const struct ast_srtp_cb *cb, void *data) +{ + if (!srtp) { + return; + } + + srtp->cb = cb; + srtp->data = data; +} + +/* Vtable functions */ +static int ast_srtp_unprotect(struct ast_srtp *srtp, void *buf, int *len, int rtcp) +{ + int res = 0; + int i; + struct ast_rtp_instance_stats stats = {0,}; + + for (i = 0; i < 2; i++) { + res = rtcp ? srtp_unprotect_rtcp(srtp->session, buf, len) : srtp_unprotect(srtp->session, buf, len); + if (res != err_status_no_ctx) { + break; + } + + if (srtp->cb && srtp->cb->no_ctx) { + if (ast_rtp_instance_get_stats(srtp->rtp, &stats, AST_RTP_INSTANCE_STAT_REMOTE_SSRC)) { + break; + } + if (srtp->cb->no_ctx(srtp->rtp, stats.remote_ssrc, srtp->data) < 0) { + break; + } + } else { + break; + } + } + + if (res != err_status_ok && res != err_status_replay_fail ) { + ast_debug(1, "SRTP unprotect: %s\n", srtp_errstr(res)); + return -1; + } + + return *len; +} + +static int ast_srtp_protect(struct ast_srtp *srtp, void **buf, int *len, int rtcp) +{ + int res; + + if ((*len + SRTP_MAX_TRAILER_LEN) > sizeof(srtp->buf)) { + return -1; + } + + memcpy(srtp->buf, *buf, *len); + + if ((res = rtcp ? srtp_protect_rtcp(srtp->session, srtp->buf, len) : srtp_protect(srtp->session, srtp->buf, len)) != err_status_ok && res != err_status_replay_fail) { + ast_debug(1, "SRTP protect: %s\n", srtp_errstr(res)); + return -1; + } + + *buf = srtp->buf; + return *len; +} + +static int ast_srtp_create(struct ast_srtp **srtp, struct ast_rtp_instance *rtp, struct ast_srtp_policy *policy) +{ + struct ast_srtp *temp; + + if (!(temp = res_srtp_new())) { + return -1; + } + + if (srtp_create(&temp->session, &policy->sp) != err_status_ok) { + return -1; + } + + temp->rtp = rtp; + *srtp = temp; + + return 0; +} + +static void ast_srtp_destroy(struct ast_srtp *srtp) +{ + if (srtp->session) { + srtp_dealloc(srtp->session); + } + + ast_free(srtp); +} + +static int ast_srtp_add_stream(struct ast_srtp *srtp, struct ast_srtp_policy *policy) +{ + if (!srtp->has_stream && srtp_add_stream(srtp->session, &policy->sp) != err_status_ok) { + return -1; + } + + srtp->has_stream = 1; + + return 0; +} + +static int res_srtp_init(void) +{ + if (g_initialized) { + return 0; + } + + if (srtp_init() != err_status_ok) { + return -1; + } + + srtp_install_event_handler(srtp_event_cb); + + return ast_rtp_engine_register_srtp(&srtp_res, &policy_res); +} + +/* + * Exported functions + */ + +static int load_module(void) +{ + return res_srtp_init(); +} + +static int unload_module(void) +{ + ast_rtp_engine_unregister_srtp(); + return 0; +} + +AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_GLOBAL_SYMBOLS, "Secure RTP (SRTP)", + .load = load_module, + .unload = unload_module, +); diff --git a/res/res_srtp.exports.in b/res/res_srtp.exports.in new file mode 100644 index 000000000..5e767549c --- /dev/null +++ b/res/res_srtp.exports.in @@ -0,0 +1,4 @@ +{ + local: + *; +}; |