TT#48800 add option to disable individual SDES crypto suites

closes #661 Change-Id: I3556977246d6e15bf134755e1d699e9165735886
7 years ago · 881e0dc2dc
parent 810bda1486
commit 881e0dc2dc
6 changed files with 48 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -1403,7 +1403,8 @@ Optionally included keys are:
 	A list of strings controlling the behaviour regarding SDES. The default is to offer SDES without any
 	session parameters when encryption is desired, and to accept it when DTLS-SRTP is unavailable. If two
 	SDES endpoints are connected to each other, then the default is to offer SDES with the same options
-	as were received from the other endpoint.
+	as were received from the other endpoint. Additionally, all other supported SDES crypto suites are
+	added to the outgoing offer by default.

 	These options can also be put into the `flags` list using a prefix of `SDES-`. All options controlling
 	SDES session parameters can be used either in all lower case or in all upper case.
@ -1422,6 +1423,14 @@ Optionally included keys are:
 		Negates the respective option. This is useful if one of the session parameters was offered by
 		an SDES endpoint, but it should not be offered on the far side if this endpoint also speaks SDES.

+	- `no-`*SUITE*
+
+		Exclude individual crypto suites from being included in the offer. For example,
+		`no-NULL_HMAC_SHA1_32` would exclude the crypto suite `NULL_HMAC_SHA1_32` from
+		the offer. This has two effects: if a given crypto suite was present in a received
+		offer, it will be removed and will be missing in the outgoing offer; and if a given crypto
+		suite was not present in the received offer, it will not be added to it.
+
 * `record call`

 	Contains one of the strings `yes`, `no`, `on` or `off`. This tells the rtpengine
--- a/daemon/call.c
+++ b/daemon/call.c
@ -1368,6 +1368,15 @@ static void __generate_crypto(const struct sdp_ng_flags *flags, struct call_medi
 			for (GList *l = offered_cpq->head; l; l = l->next) {
 				struct crypto_params_sdes *offered_cps = l->data;

+				if (flags->sdes_no && g_hash_table_lookup(flags->sdes_no,
+							&offered_cps->params.crypto_suite->name_str))
+				{
+					ilog(LOG_DEBUG, "Dropping offered crypto suite '%s' from offer "
+							"due to 'SDES-no' option",
+							offered_cps->params.crypto_suite->name);
+					continue;
+				}
+
 				struct crypto_params_sdes *cps = g_slice_alloc0(sizeof(*cps));
 				g_queue_push_tail(cpq, cps);

@ -1388,6 +1397,15 @@ static void __generate_crypto(const struct sdp_ng_flags *flags, struct call_medi
 				if ((types_offered & (1 << i)))
 					continue;

+				if (flags->sdes_no && g_hash_table_lookup(flags->sdes_no,
+							&crypto_suites[i].name_str))
+				{
+					ilog(LOG_DEBUG, "Not offering crypto suite '%s' "
+							"due to 'SDES-no' option",
+							crypto_suites[i].name);
+					continue;
+				}
+
 				struct crypto_params_sdes *cps = g_slice_alloc0(sizeof(*cps));
 				g_queue_push_tail(cpq, cps);

--- a/daemon/call_interfaces.c
+++ b/daemon/call_interfaces.c
@ -38,6 +38,11 @@ int trust_address_def;
 int dtls_passive_def;


+INLINE int call_ng_flags_prefix(struct sdp_ng_flags *out, str *s_ori, const char *prefix,
+		void (*cb)(struct sdp_ng_flags *, str *, void *), void *ptr);
+static void call_ng_flags_str_ht(struct sdp_ng_flags *out, str *s, void *htp);
+
+
 static int call_stream_address_gstring(GString *o, struct packet_stream *ps, enum stream_address_format format) {
 	int len, ret;
 	char buf[64]; /* 64 bytes ought to be enough for anybody */
@ -500,6 +505,9 @@ INLINE char *bencode_get_alt(bencode_item_t *i, const char *one, const char *two
 }

 INLINE void ng_sdes_option(struct sdp_ng_flags *out, str *s, void *dummy) {
+	if (call_ng_flags_prefix(out, s, "no-", call_ng_flags_str_ht, &out->sdes_no))
+		return;
+
 	switch (__csh_lookup(s)) {
 		case CSH_LOOKUP("no"):
 		case CSH_LOOKUP("off"):
@ -593,7 +601,7 @@ static void call_ng_flags_codec_list(struct sdp_ng_flags *out, str *s, void *qp)
 	*s_copy = *s;
 	g_queue_push_tail((GQueue *) qp, s_copy);
 }
-static void call_ng_flags_codec_ht(struct sdp_ng_flags *out, str *s, void *htp) {
+static void call_ng_flags_str_ht(struct sdp_ng_flags *out, str *s, void *htp) {
 	str *s_copy;
 	s_copy = g_slice_alloc(sizeof(*s_copy));
 	*s_copy = *s;
@ -677,9 +685,11 @@ static void call_ng_flags_flags(struct sdp_ng_flags *out, str *s, void *dummy) {
 			break;
 		default:
 			// handle values aliases from other dictionaries
+			if (call_ng_flags_prefix(out, s, "SDES-no-", call_ng_flags_str_ht, &out->sdes_no))
+				return;
 			if (call_ng_flags_prefix(out, s, "SDES-", ng_sdes_option, NULL))
 				return;
-			if (call_ng_flags_prefix(out, s, "codec-strip-", call_ng_flags_codec_ht, &out->codec_strip))
+			if (call_ng_flags_prefix(out, s, "codec-strip-", call_ng_flags_str_ht, &out->codec_strip))
 				return;
 			if (call_ng_flags_prefix(out, s, "codec-offer-", call_ng_flags_codec_list, &out->codec_offer))
 				return;
@ -689,7 +699,7 @@ static void call_ng_flags_flags(struct sdp_ng_flags *out, str *s, void *dummy) {
 			if (call_ng_flags_prefix(out, s, "codec-transcode-", call_ng_flags_codec_list,
 						&out->codec_transcode))
 				return;
-			if (call_ng_flags_prefix(out, s, "codec-mask-", call_ng_flags_codec_ht, &out->codec_mask))
+			if (call_ng_flags_prefix(out, s, "codec-mask-", call_ng_flags_str_ht, &out->codec_mask))
 				return;
 #endif

@ -781,11 +791,11 @@ static void call_ng_process_flags(struct sdp_ng_flags *out, bencode_item_t *inpu
 	}

 	if ((dict = bencode_dictionary_get_expect(input, "codec", BENCODE_DICTIONARY))) {
-		call_ng_flags_list(out, dict, "strip", call_ng_flags_codec_ht, &out->codec_strip);
+		call_ng_flags_list(out, dict, "strip", call_ng_flags_str_ht, &out->codec_strip);
 		call_ng_flags_list(out, dict, "offer", call_ng_flags_codec_list, &out->codec_offer);
 #ifdef WITH_TRANSCODING
 		call_ng_flags_list(out, dict, "transcode", call_ng_flags_codec_list, &out->codec_transcode);
-		call_ng_flags_list(out, dict, "mask", call_ng_flags_codec_ht, &out->codec_mask);
+		call_ng_flags_list(out, dict, "mask", call_ng_flags_str_ht, &out->codec_mask);
 #endif
 	}
 }
@ -794,6 +804,8 @@ static void call_ng_free_flags(struct sdp_ng_flags *flags) {
 		g_hash_table_destroy(flags->codec_strip);
 	if (flags->codec_mask)
 		g_hash_table_destroy(flags->codec_mask);
+	if (flags->sdes_no)
+		g_hash_table_destroy(flags->sdes_no);
 	g_queue_clear_full(&flags->codec_offer, str_slice_free);
 	g_queue_clear_full(&flags->codec_transcode, str_slice_free);
 }
--- a/daemon/crypto.c
+++ b/daemon/crypto.c
@ -735,6 +735,7 @@ void crypto_init_main() {
 	for (unsigned int i = 0; i < num_crypto_suites; i++) {
 		cs = &__crypto_suites[i];
 		cs->idx = i;
+		str_init(&cs->name_str, (char *) cs->name);
 		switch(cs->master_key_len) {
 		case 16:
 			cs->lib_cipher_ptr = EVP_aes_128_ecb();
--- a/include/call_interfaces.h
+++ b/include/call_interfaces.h
@ -37,6 +37,7 @@ struct sdp_ng_flags {
 	GQueue codec_transcode;
 	GHashTable *codec_mask;
 	int ptime;
+	GHashTable *sdes_no;
 	int asymmetric:1,
 	    no_redis_update:1,
 	    unidirectional:1,
--- a/include/crypto.h
+++ b/include/crypto.h
@ -58,6 +58,7 @@ struct crypto_suite {
 	//const char *dtls_profile_code; // unused
 	const void *lib_cipher_ptr;
 	unsigned int idx; // filled in during crypto_init_main()
+	str name_str; // same as `name`
 };

 struct crypto_session_params {