[Pkg-voip-commits] [asterisk] 01/01: refresh DTLS-SRTP patch

Jeremy Lainé sharky at moszumanska.debian.org
Tue Jun 24 16:17:27 UTC 2014


This is an automated email from the git hooks/post-receive script.

sharky pushed a commit to branch dtls-srtp-patch
in repository asterisk.

commit c10dee37c6d1decafa0cc522020519a81e39d122
Author: Jeremy Lainé <jeremy.laine at m4x.org>
Date:   Tue Jun 24 18:17:15 2014 +0200

    refresh DTLS-SRTP patch
---
 debian/patches/dtls_srtp.patch | 132 +++++++++++++++++++++--------------------
 1 file changed, 68 insertions(+), 64 deletions(-)

diff --git a/debian/patches/dtls_srtp.patch b/debian/patches/dtls_srtp.patch
index d7c0c9b..552684d 100644
--- a/debian/patches/dtls_srtp.patch
+++ b/debian/patches/dtls_srtp.patch
@@ -1,5 +1,5 @@
 diff --git a/channels/chan_sip.c b/channels/chan_sip.c
-index 72a7165..9fc7c74 100644
+index 72a7165..df18a2c 100644
 --- a/channels/chan_sip.c
 +++ b/channels/chan_sip.c
 @@ -1387,7 +1387,7 @@ static int process_sdp_a_text(const char *a, struct sip_pvt *p, struct ast_rtp_c
@@ -455,7 +455,7 @@ index b84951a..9a790f1 100644
  	dst_cfg->pvtfile = ast_strdup(src_cfg->pvtfile);
  	dst_cfg->cipher = ast_strdup(src_cfg->cipher);
 diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
-index 4853a0f..3bd24a8 100644
+index 4853a0f..73933c4 100644
 --- a/res/res_rtp_asterisk.c
 +++ b/res/res_rtp_asterisk.c
 @@ -288,11 +288,13 @@ struct ast_rtp {
@@ -538,7 +538,7 @@ index 4853a0f..3bd24a8 100644
  static void ast_rtp_ice_add_cand(struct ast_rtp *rtp, unsigned comp_id, unsigned transport_id, pj_ice_cand_type type, pj_uint16_t local_pref,
  					const pj_sockaddr_t *addr, const pj_sockaddr_t *base_addr, const pj_sockaddr_t *rel_addr, int addr_len)
  {
-@@ -779,20 +812,67 @@ static struct ast_rtp_engine_ice ast_rtp_ice = {
+@@ -779,20 +812,74 @@ static struct ast_rtp_engine_ice ast_rtp_ice = {
  	.get_password = ast_rtp_ice_get_password,
  	.get_local_candidates = ast_rtp_ice_get_local_candidates,
  	.ice_lite = ast_rtp_ice_lite,
@@ -549,19 +549,19 @@ index 4853a0f..3bd24a8 100644
  #ifdef HAVE_OPENSSL_SRTP
 -static void dtls_info_callback(const SSL *ssl, int where, int ret)
 +static int dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-+{
+ {
+-	struct ast_rtp *rtp = SSL_get_ex_data(ssl, 0);
 +	/* We don't want to actually verify the certificate so just accept what they have provided */
 +	return 1;
 +}
-+
-+static int dtls_setup_rtcp(struct ast_rtp_instance *instance)
- {
--	struct ast_rtp *rtp = SSL_get_ex_data(ssl, 0);
-+	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
  
 -	/* We only care about alerts */
 -	if (!(where & SSL_CB_ALERT)) {
 -		return;
++static int dtls_setup_rtcp(struct ast_rtp_instance *instance)
++{
++	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
++
 +	if (!rtp->ssl_ctx) {
 +		return 0;
 +	}
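Review bot: `dtls_verify_callback` returning 1 unconditionally discards OpenSSL's chain-validation verdict, and the comment on it does not say what takes over that role; peer identity is instead pinned by the SDP fingerprint comparison in dtls_srtp_setup() (the `memcmp(fingerprint, rtp->remote_fingerprint, size)` block further down this patch), so the comment should name that dependency: `/* Chain validation is deliberately bypassed: the peer is identified by matching its certificate against the SDP a=fingerprint in dtls_srtp_setup(), not by a CA. */`. That comparison is guarded by `if (rtp->remote_fingerprint[0])`, so when no fingerprint was signalled the only remaining gate is the "certificate verification was successful" test in the same function, whose condition lies outside this view; it is worth confirming that test still rejects anything while the override callback is installed. The callback is context here, but dtls_setup_rtcp(), which this hunk begins, continues past it.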
@@ -578,19 +578,26 @@ index 4853a0f..3bd24a8 100644
 +		ast_log(LOG_ERROR, "Failed to allocate memory for inbound SSL traffic on RTCP of RTP instance '%p'\n",
 +			instance);
 +		goto error;
- 	}
++	}
 +	BIO_set_mem_eof_return(rtp->rtcp->read_bio, -1);
- 
--	rtp->dtls_failure = 1;
++
 +	if (!(rtp->rtcp->write_bio = BIO_new(BIO_s_mem()))) {
 +		ast_log(LOG_ERROR, "Failed to allocate memory for outbound SSL traffic on RTCP of RTP instance '%p'\n",
 +			instance);
 +		goto error;
-+	}
+ 	}
 +	BIO_set_mem_eof_return(rtp->rtcp->write_bio, -1);
-+
+ 
+-	rtp->dtls_failure = 1;
 +	SSL_set_bio(rtp->rtcp->ssl, rtp->rtcp->read_bio, rtp->rtcp->write_bio);
 +
++	if (rtp->rtcp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
++		SSL_set_accept_state(rtp->rtcp->ssl);
++	} else {
++		SSL_set_connect_state(rtp->rtcp->ssl);
++	}
++	rtp->rtcp->connection = AST_RTP_DTLS_CONNECTION_NEW;
++
 +	return 0;
 +
 +error:
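Review bot: The accept/connect selection added on `rtp->rtcp->ssl` is the third copy of the same three-way block in this patch (the RTP copy stays in ast_rtp_dtls_set_configuration, and ast_rtp_on_ice_complete gains two more); a small helper keyed on the signalled setup would keep them in step and give the `AST_RTP_DTLS_CONNECTION_NEW` reset a single home. It also reads `rtp->rtcp->dtls_setup`, and nothing visible in this patch shows where that field is assigned before dtls_setup_rtcp() runs; if the RTCP half is zero-filled and the role is only copied across later, the `else` branch would make RTCP the DTLS client whatever was negotiated, so the precondition deserves a comment such as `/* Caller must have populated rtp->rtcp->dtls_setup before this runs */`. dtls_setup_rtcp() starts before the hunk and its `error:` path continues after it. The parameter types below assume the fields carry the enums the get_setup/get_connection accessors return.
```c
/* Put a DTLS session into the role signalled for it (passive = accept,
 * anything else = connect) and mark the connection as not yet established. */
static void dtls_set_role(SSL *ssl, enum ast_rtp_dtls_setup setup,
	enum ast_rtp_dtls_connection *connection)
{
	if (setup == AST_RTP_DTLS_SETUP_PASSIVE) {
		SSL_set_accept_state(ssl);
	} else {
		SSL_set_connect_state(ssl);
	}
	*connection = AST_RTP_DTLS_CONNECTION_NEW;
}

/* … unchanged: dtls_setup_rtcp() up to and including SSL_set_bio() … */
	dtls_set_role(rtp->rtcp->ssl, rtp->rtcp->dtls_setup, &rtp->rtcp->connection);
```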
@@ -612,7 +619,7 @@ index 4853a0f..3bd24a8 100644
  }
  
  static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, const struct ast_rtp_dtls_cfg *dtls_cfg)
-@@ -811,7 +891,11 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
+@@ -811,7 +898,11 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
  		return -1;
  	}
  
@@ -625,7 +632,7 @@ index 4853a0f..3bd24a8 100644
  
  	if (dtls_cfg->suite == AST_AES_CM_128_HMAC_SHA1_80) {
  		SSL_CTX_set_tlsext_use_srtp(rtp->ssl_ctx, "SRTP_AES128_CM_SHA1_80");
-@@ -822,10 +906,13 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
+@@ -822,10 +913,13 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
  		goto error;
  	}
  
@@ -639,7 +646,7 @@ index 4853a0f..3bd24a8 100644
  		unsigned int size, i;
  		unsigned char fingerprint[EVP_MAX_MD_SIZE];
  		char *local_fingerprint = rtp->local_fingerprint;
-@@ -849,9 +936,19 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
+@@ -849,9 +943,19 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
  			goto error;
  		}
  
@@ -660,7 +667,7 @@ index 4853a0f..3bd24a8 100644
  		    !size) {
  			ast_log(LOG_ERROR, "Could not produce fingerprint from certificate '%s' for RTP instance '%p'\n",
  				dtls_cfg->certfile, instance);
-@@ -895,9 +992,6 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
+@@ -895,9 +999,6 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
  		goto error;
  	}
  
@@ -670,22 +677,15 @@ index 4853a0f..3bd24a8 100644
  	if (!(rtp->read_bio = BIO_new(BIO_s_mem()))) {
  		ast_log(LOG_ERROR, "Failed to allocate memory for inbound SSL traffic on RTP instance '%p'\n",
  			instance);
-@@ -914,14 +1008,6 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
- 
- 	SSL_set_bio(rtp->ssl, rtp->read_bio, rtp->write_bio);
- 
--	if (rtp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
--		SSL_set_accept_state(rtp->ssl);
--	} else {
--		SSL_set_connect_state(rtp->ssl);
--	}
--
--	rtp->connection = AST_RTP_DTLS_CONNECTION_NEW;
+@@ -919,7 +1020,6 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
+ 	} else {
+ 		SSL_set_connect_state(rtp->ssl);
+ 	}
 -
- 	return 0;
+ 	rtp->connection = AST_RTP_DTLS_CONNECTION_NEW;
  
- error:
-@@ -966,19 +1052,26 @@ static void ast_rtp_dtls_stop(struct ast_rtp_instance *instance)
+ 	return 0;
+@@ -966,19 +1066,26 @@ static void ast_rtp_dtls_stop(struct ast_rtp_instance *instance)
  		SSL_free(rtp->ssl);
  		rtp->ssl = NULL;
  	}
@@ -717,7 +717,7 @@ index 4853a0f..3bd24a8 100644
  }
  
  static enum ast_rtp_dtls_connection ast_rtp_dtls_get_connection(struct ast_rtp_instance *instance)
-@@ -995,26 +1088,25 @@ static enum ast_rtp_dtls_setup ast_rtp_dtls_get_setup(struct ast_rtp_instance *i
+@@ -995,26 +1102,25 @@ static enum ast_rtp_dtls_setup ast_rtp_dtls_get_setup(struct ast_rtp_instance *i
  	return rtp->dtls_setup;
  }
  
@@ -751,7 +751,7 @@ index 4853a0f..3bd24a8 100644
  		break;
  	default:
  		/* This should never occur... if it does exit early as we don't know what state things are in */
-@@ -1022,46 +1114,64 @@ static void ast_rtp_dtls_set_setup(struct ast_rtp_instance *instance, enum ast_r
+@@ -1022,46 +1128,64 @@ static void ast_rtp_dtls_set_setup(struct ast_rtp_instance *instance, enum ast_r
  	}
  
  	/* If the setup state did not change we go on as if nothing happened */
@@ -827,7 +827,7 @@ index 4853a0f..3bd24a8 100644
  
  	return rtp->local_fingerprint;
  }
-@@ -1076,6 +1186,7 @@ static struct ast_rtp_engine_dtls ast_rtp_dtls = {
+@@ -1076,6 +1200,7 @@ static struct ast_rtp_engine_dtls ast_rtp_dtls = {
  	.get_setup = ast_rtp_dtls_get_setup,
  	.set_setup = ast_rtp_dtls_set_setup,
  	.set_fingerprint = ast_rtp_dtls_set_fingerprint,
@@ -835,7 +835,7 @@ index 4853a0f..3bd24a8 100644
  	.get_fingerprint = ast_rtp_dtls_get_fingerprint,
  };
  
-@@ -1122,7 +1233,34 @@ static void rtp_learning_seq_init(struct rtp_learning_info *info, uint16_t seq);
+@@ -1122,7 +1247,38 @@ static void rtp_learning_seq_init(struct rtp_learning_info *info, uint16_t seq);
  #ifdef USE_PJPROJECT
  static void ast_rtp_on_ice_complete(pj_ice_sess *ice, pj_status_t status)
  {
@@ -845,25 +845,29 @@ index 4853a0f..3bd24a8 100644
 +
 +#ifdef HAVE_OPENSSL_SRTP
 +	if (rtp->ssl) {
-+		SSL_clear(rtp->ssl);
-+		if (rtp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
-+			SSL_set_accept_state(rtp->ssl);
-+		} else {
-+			SSL_set_connect_state(rtp->ssl);
++		if (SSL_is_init_finished(rtp->ssl)) {
++			SSL_clear(rtp->ssl);
++			if (rtp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
++				SSL_set_accept_state(rtp->ssl);
++			} else {
++				SSL_set_connect_state(rtp->ssl);
++			}
++			rtp->connection = AST_RTP_DTLS_CONNECTION_NEW;
 +		}
-+		rtp->connection = AST_RTP_DTLS_CONNECTION_NEW;
 +		SSL_do_handshake(rtp->ssl);
 +		dtls_srtp_check_pending(instance, rtp, 0);
 +	}
 +
 +	if (rtp->rtcp && rtp->rtcp->ssl) {
-+		SSL_clear(rtp->rtcp->ssl);
-+		if (rtp->rtcp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
-+			SSL_set_accept_state(rtp->rtcp->ssl);
-+		} else {
-+			SSL_set_connect_state(rtp->rtcp->ssl);
++		if (SSL_is_init_finished(rtp->rtcp->ssl)) {
++			SSL_clear(rtp->rtcp->ssl);
++			if (rtp->rtcp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
++				SSL_set_accept_state(rtp->rtcp->ssl);
++			} else {
++				SSL_set_connect_state(rtp->rtcp->ssl);
++			}
++			rtp->rtcp->connection = AST_RTP_DTLS_CONNECTION_NEW;
 +		}
-+		rtp->rtcp->connection = AST_RTP_DTLS_CONNECTION_NEW;
 +		SSL_do_handshake(rtp->rtcp->ssl);
 +		dtls_srtp_check_pending(instance, rtp, 1);
 +	}
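Review bot: The new `SSL_is_init_finished` gate in ast_rtp_on_ice_complete has no comment saying why only a completed session is cleared, and the behaviour it protects — a handshake still in flight keeps its messages and retransmission state instead of being torn down — is not obvious from the code; add `/* Only restart a finished session; a handshake still in progress keeps its state and is simply driven forward below. */` above each of the two `if` checks. Whether driving an in-flight handshake with `SSL_do_handshake` is sufficient when ICE completion changed the peer address cannot be verified from this hunk, so the comment should say that is the assumption. The enclosing function starts before this hunk and ends after it.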
@@ -871,7 +875,7 @@ index 4853a0f..3bd24a8 100644
  
  	if (!strictrtp) {
  		return;
-@@ -1134,7 +1272,8 @@ static void ast_rtp_on_ice_complete(pj_ice_sess *ice, pj_status_t status)
+@@ -1134,7 +1290,8 @@ static void ast_rtp_on_ice_complete(pj_ice_sess *ice, pj_status_t status)
  
  static void ast_rtp_on_ice_rx_data(pj_ice_sess *ice, unsigned comp_id, unsigned transport_id, void *pkt, pj_size_t size, const pj_sockaddr_t *src_addr, unsigned src_addr_len)
  {
@@ -881,7 +885,7 @@ index 4853a0f..3bd24a8 100644
  
  	/* Instead of handling the packet here (which really doesn't work with our architecture) we set a bit to indicate that it should be handled after pj_ice_sess_on_rx_pkt
  	 * returns */
-@@ -1143,7 +1282,8 @@ static void ast_rtp_on_ice_rx_data(pj_ice_sess *ice, unsigned comp_id, unsigned
+@@ -1143,7 +1300,8 @@ static void ast_rtp_on_ice_rx_data(pj_ice_sess *ice, unsigned comp_id, unsigned
  
  static pj_status_t ast_rtp_on_ice_tx_pkt(pj_ice_sess *ice, unsigned comp_id, unsigned transport_id, const void *pkt, pj_size_t size, const pj_sockaddr_t *dst_addr, unsigned dst_addr_len)
  {
@@ -891,7 +895,7 @@ index 4853a0f..3bd24a8 100644
  	pj_status_t status = PJ_EINVALIDOP;
  	pj_ssize_t _size = (pj_ssize_t)size;
  
-@@ -1344,36 +1484,52 @@ static int dtls_srtp_handle_timeout(const void *data)
+@@ -1344,36 +1502,52 @@ static int dtls_srtp_handle_timeout(const void *data)
  	rtp->dtlstimerid = -1;
  	ast_mutex_unlock(&rtp->dtls_timer_lock);
  
@@ -950,7 +954,7 @@ index 4853a0f..3bd24a8 100644
  
  		/* Stop existing DTLS timer if running */
  		ast_mutex_lock(&rtp->dtls_timer_lock);
-@@ -1382,7 +1538,7 @@ static void dtls_srtp_check_pending(struct ast_rtp_instance *instance, struct as
+@@ -1382,7 +1556,7 @@ static void dtls_srtp_check_pending(struct ast_rtp_instance *instance, struct as
  			rtp->dtlstimerid = -1;
  		}
  
@@ -959,7 +963,7 @@ index 4853a0f..3bd24a8 100644
  			int timeout = dtls_timeout.tv_sec * 1000 + dtls_timeout.tv_usec / 1000;
  			ao2_ref(instance, +1);
  			if ((rtp->dtlstimerid = ast_sched_add(rtp->sched, timeout, dtls_srtp_handle_timeout, instance)) < 0) {
-@@ -1392,7 +1548,7 @@ static void dtls_srtp_check_pending(struct ast_rtp_instance *instance, struct as
+@@ -1392,7 +1566,7 @@ static void dtls_srtp_check_pending(struct ast_rtp_instance *instance, struct as
  		}
  		ast_mutex_unlock(&rtp->dtls_timer_lock);
  
@@ -968,7 +972,7 @@ index 4853a0f..3bd24a8 100644
  	}
  }
  
-@@ -1403,7 +1559,13 @@ static int dtls_srtp_renegotiate(const void *data)
+@@ -1403,7 +1577,13 @@ static int dtls_srtp_renegotiate(const void *data)
  
  	SSL_renegotiate(rtp->ssl);
  	SSL_do_handshake(rtp->ssl);
@@ -983,7 +987,7 @@ index 4853a0f..3bd24a8 100644
  
  	rtp->rekeyid = -1;
  	ao2_ref(instance, -1);
-@@ -1419,7 +1581,7 @@ static int dtls_srtp_setup(struct ast_rtp *rtp, struct ast_srtp *srtp, struct as
+@@ -1419,7 +1599,7 @@ static int dtls_srtp_setup(struct ast_rtp *rtp, struct ast_srtp *srtp, struct as
  	struct ast_rtp_instance_stats stats = { 0, };
  
  	/* If a fingerprint is present in the SDP make sure that the peer certificate matches it */
@@ -992,7 +996,7 @@ index 4853a0f..3bd24a8 100644
  		X509 *certificate;
  
  		if (!(certificate = SSL_get_peer_certificate(rtp->ssl))) {
-@@ -1429,10 +1591,20 @@ static int dtls_srtp_setup(struct ast_rtp *rtp, struct ast_srtp *srtp, struct as
+@@ -1429,10 +1609,20 @@ static int dtls_srtp_setup(struct ast_rtp *rtp, struct ast_srtp *srtp, struct as
  
  		/* If a fingerprint is present in the SDP make sure that the peer certificate matches it */
  		if (rtp->remote_fingerprint[0]) {
@@ -1014,7 +1018,7 @@ index 4853a0f..3bd24a8 100644
  			    !size ||
  			    memcmp(fingerprint, rtp->remote_fingerprint, size)) {
  				X509_free(certificate);
-@@ -1446,7 +1618,7 @@ static int dtls_srtp_setup(struct ast_rtp *rtp, struct ast_srtp *srtp, struct as
+@@ -1446,7 +1636,7 @@ static int dtls_srtp_setup(struct ast_rtp *rtp, struct ast_srtp *srtp, struct as
  	}
  
  	/* Ensure that certificate verification was successful */
@@ -1023,7 +1027,7 @@ index 4853a0f..3bd24a8 100644
  		ast_log(LOG_WARNING, "Peer certificate on RTP instance '%p' failed verification test\n",
  			instance);
  		return -1;
-@@ -1546,50 +1718,54 @@ static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t s
+@@ -1546,50 +1736,54 @@ static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t s
  	}
  
  #ifdef HAVE_OPENSSL_SRTP
@@ -1108,7 +1112,7 @@ index 4853a0f..3bd24a8 100644
  	}
  #endif
  
-@@ -1657,7 +1833,7 @@ static int __rtp_sendto(struct ast_rtp_instance *instance, void *buf, size_t siz
+@@ -1657,7 +1851,7 @@ static int __rtp_sendto(struct ast_rtp_instance *instance, void *buf, size_t siz
  
  		if (pj_ice_sess_send_data(rtp->ice, rtcp ? AST_RTP_ICE_COMPONENT_RTCP : AST_RTP_ICE_COMPONENT_RTP, temp, len) == PJ_SUCCESS) {
  			*ice = 1;
@@ -1117,7 +1121,7 @@ index 4853a0f..3bd24a8 100644
  		}
  	}
  #endif
-@@ -1918,7 +2094,7 @@ static int ice_create(struct ast_rtp_instance *instance, struct ast_sockaddr *ad
+@@ -1918,7 +2112,7 @@ static int ice_create(struct ast_rtp_instance *instance, struct ast_sockaddr *ad
  	if (pj_ice_sess_create(&stun_config, NULL, PJ_ICE_SESS_ROLE_UNKNOWN, 2,
  			&ast_rtp_ice_sess_cb, &ufrag, &passwd, NULL, &rtp->ice) == PJ_SUCCESS) {
  		/* Make this available for the callbacks */
@@ -1126,7 +1130,7 @@ index 4853a0f..3bd24a8 100644
  
  		/* Add all of the available candidates to the ICE session */
  		rtp_add_candidates_to_ice(instance, rtp, addr, port, AST_RTP_ICE_COMPONENT_RTP,
-@@ -2055,6 +2231,11 @@ static int ast_rtp_destroy(struct ast_rtp_instance *instance)
+@@ -2055,6 +2249,11 @@ static int ast_rtp_destroy(struct ast_rtp_instance *instance)
  		 * RTP instance while it's active.
  		 */
  		close(rtp->rtcp->s);
@@ -1138,7 +1142,7 @@ index 4853a0f..3bd24a8 100644
  		ast_free(rtp->rtcp);
  	}
  
-@@ -4131,6 +4312,10 @@ static void ast_rtp_prop_set(struct ast_rtp_instance *instance, enum ast_rtp_pro
+@@ -4131,6 +4330,10 @@ static void ast_rtp_prop_set(struct ast_rtp_instance *instance, enum ast_rtp_pro
  			}
  #endif
  
@@ -1149,7 +1153,7 @@ index 4853a0f..3bd24a8 100644
  			return;
  		} else {
  			if (rtp->rtcp) {
-@@ -4146,6 +4331,11 @@ static void ast_rtp_prop_set(struct ast_rtp_instance *instance, enum ast_rtp_pro
+@@ -4146,6 +4349,11 @@ static void ast_rtp_prop_set(struct ast_rtp_instance *instance, enum ast_rtp_pro
  					rtp->rtcp->schedid = -1;
  				}
  				close(rtp->rtcp->s);
@@ -1161,7 +1165,7 @@ index 4853a0f..3bd24a8 100644
  				ast_free(rtp->rtcp);
  				rtp->rtcp = NULL;
  			}
-@@ -4442,13 +4632,35 @@ static int ast_rtp_activate(struct ast_rtp_instance *instance)
+@@ -4442,13 +4650,35 @@ static int ast_rtp_activate(struct ast_rtp_instance *instance)
  {
  	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
  
