chan_sip: Add support for setting DTLS configuration in the general section.

Configuration of DTLS in the general section will be applied to any users or peers. If configuration exists at their level it overrides the general section values. ASTERISK-24128 #close Reported by: Michael K. patches: dtls_default_settings.patch submitted by Michael K. (license 6621) Review: https://reviewboard.asterisk.org/r/3867/ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@427950 65c4cc65-6c06-0410-ace0-fbb531ad65f3
11 years ago · d0523b4b3c
parent 3268544907
commit d0523b4b3c
3 changed files with 27 additions and 1 deletions
--- a/3
+++ b/3
@ -20,6 +20,9 @@ chan_sip
 * New 'rtpbindaddr' global setting. This allows a user to define which
   ipaddress to bind the rtpengine to. For example, chan_sip might bind
   to eth0 (10.0.0.2) but rtpengine to eth1 (192.168.1.10).
+ * DTLS related configuration options can now be set at a general level.
+   Enabling DTLS support, though, requires enabling it at the user
+   or peer level.

 chan_pjsip
 ------------------
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@ -2305,6 +2305,9 @@ static struct ast_tls_config sip_tls_cfg;
 /*! \brief Default TLS connection configuration */
 static struct ast_tls_config default_tls_cfg;

+/*! \brief Default DTLS connection configuration */
+static struct ast_rtp_dtls_cfg default_dtls_cfg;
+
 /*! \brief The TCP server definition */
 static struct ast_tcptls_session_args sip_tcp_desc = {
 	.accept_fd = -1,
@ -30398,6 +30401,10 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v, str
 	peer->named_callgroups = ast_unref_namedgroups(peer->named_callgroups);
 	peer->named_pickupgroups = ast_unref_namedgroups(peer->named_pickupgroups);

+	/* Set the default DTLS settings from default_tls_cfg */
+	ast_rtp_dtls_cfg_free(&peer->dtls_cfg);
+	ast_rtp_dtls_cfg_copy(&default_dtls_cfg, &peer->dtls_cfg);
+
 	for (; v || ((v = alt) && !(alt=NULL)); v = v->next) {
 		if (!devstate_only) {
 			if (handle_common_options(&peerflags[0], &mask[0], v)) {
@ -31172,6 +31179,7 @@ static int reload_config(enum channelreloadreason reason)
 	sip_cfg.contact_acl = ast_free_acl_list(sip_cfg.contact_acl);

 	default_tls_cfg.enabled = FALSE;		/* Default: Disable TLS */
+	default_dtls_cfg.enabled = FALSE;		/* Default: Disable DTLS too */

 	if (reason != CHANNEL_MODULE_LOAD) {
 		ast_debug(4, "--------------- SIP reload started\n");
@ -31190,19 +31198,26 @@ static int reload_config(enum channelreloadreason reason)
 		ao2_t_callback(peers, OBJ_NODATA, peer_markall_func, NULL, "callback to mark all peers");
 	}

-	/* Reset certificate handling for TLS sessions */
+	/* Reset certificate handling for TLS and DTLS sessions */
 	if (reason != CHANNEL_MODULE_LOAD) {
 		ast_free(default_tls_cfg.certfile);
 		ast_free(default_tls_cfg.pvtfile);
 		ast_free(default_tls_cfg.cipher);
 		ast_free(default_tls_cfg.cafile);
 		ast_free(default_tls_cfg.capath);
+		ast_rtp_dtls_cfg_free(&default_dtls_cfg);
 	}
 	default_tls_cfg.certfile = ast_strdup(AST_CERTFILE); /*XXX Not sure if this is useful */
 	default_tls_cfg.pvtfile = ast_strdup("");
 	default_tls_cfg.cipher = ast_strdup("");
 	default_tls_cfg.cafile = ast_strdup("");
 	default_tls_cfg.capath = ast_strdup("");
+	/* Using the same idea fro DTLS as the code block above for TLS */
+	default_dtls_cfg.certfile = ast_strdup("");
+	default_dtls_cfg.pvtfile = ast_strdup("");
+	default_dtls_cfg.cipher = ast_strdup("");
+	default_dtls_cfg.cafile = ast_strdup("");
+	default_dtls_cfg.capath = ast_strdup("");

 	/* Initialize copy of current sip_cfg.regcontext for later use in removing stale contexts */
 	ast_copy_string(oldcontexts, sip_cfg.regcontext, sizeof(oldcontexts));
@ -31373,6 +31388,9 @@ static int reload_config(enum channelreloadreason reason)
 			continue;
 		}

+		/* Load default dtls configuration */
+		ast_rtp_dtls_cfg_parse(&default_dtls_cfg, v->name, v->value);
+
 		/* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */
 		if (!strcasecmp(v->name, "tlsverifyclient")) {
 			ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'\n");
@ -34578,6 +34596,8 @@ static int unload_module(void)
 	ast_free(default_tls_cfg.cafile);
 	ast_free(default_tls_cfg.capath);

+	ast_rtp_dtls_cfg_free(&default_dtls_cfg);
+
 	cleanup_all_regs();
 	ao2_cleanup(registry_list);

--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@ -1319,6 +1319,9 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;
 ; DTLS-SRTP support is available if the underlying RTP engine in use supports it.
 ;
+; Note that all configuration options except dtlsenable can be set at the general level.
+; If set they will be present on the user or peer unless overridden with a different value.
+;
 ; dtlsenable = yes                   ; Enable or disable DTLS-SRTP support
 ; dtlsverify = yes                   ; Verify that provided peer certificate and fingerprint are valid
 ;				     ; A value of 'yes' will perform both certificate and fingerprint verification