From c1a575907b2b25d712e28b641c905b33398f41ae Mon Sep 17 00:00:00 2001
From: Jasper Hafkenscheid
Date: Fri, 3 Sep 2021 07:30:59 +0200
Subject: [PATCH] res_srtp: Disable parsing of not enabled cryptos
When compiled without extended srtp crypto suites also disable parsing these from received SDP. This prevents using these, as some client implementations are not stable.
ASTERISK-29625
Change-Id: I7dafb29be1cdaabdc984002573f4bea87520533a
---
 res/res_srtp.c | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/res/res_srtp.c b/res/res_srtp.c
index 3519def7ed..cdd95af3a3 100644
--- a/res/res_srtp.c
+++ b/res/res_srtp.c
@@ -275,7 +275,7 @@ static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
 crypto_policy_set_aes_cm_128_hmac_sha1_32(p);
 return 0;
-#ifdef HAVE_SRTP_192
+#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)
 case AST_AES_CM_192_HMAC_SHA1_80:
 crypto_policy_set_aes_cm_192_hmac_sha1_80(p);
 return 0;
@@ -284,7 +284,7 @@ static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
 crypto_policy_set_aes_cm_192_hmac_sha1_32(p);
 return 0;
 #endif
-#ifdef HAVE_SRTP_256
+#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)
 case AST_AES_CM_256_HMAC_SHA1_80:
 crypto_policy_set_aes_cm_256_hmac_sha1_80(p);
 return 0;
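Review bot: `defined(ENABLE_SRTP_AES_192)` in the first guard of policy_set_suite() evaluates to false without any diagnostic when the macro is misspelled or its defining header is not included, and this patch touches only res/res_srtp.c, so where the ENABLE_SRTP_AES_* macros are defined is not visible here. If they never reach this translation unit, every extended suite is silently dropped from both policy_set_suite() and res_sdp_crypto_parse_offer(); the same applies to the ENABLE_SRTP_AES_256 and ENABLE_SRTP_AES_GCM guards in the later hunks. I would add a comment above the first guard naming the source, e.g. `/* ENABLE_SRTP_AES_* are build-time opt-ins defined in <header to be named>; when unset the suite is neither parsed from SDP nor applied as a policy */`. policy_set_suite() starts and ends outside these hunks.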
@@ -293,18 +293,19 @@ static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
 crypto_policy_set_aes_cm_256_hmac_sha1_32(p);
 return 0;
 #endif
-#ifdef HAVE_SRTP_GCM
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)
 case AST_AES_GCM_128:
 crypto_policy_set_aes_gcm_128_16_auth(p);
 return 0;
- case AST_AES_GCM_256:
- crypto_policy_set_aes_gcm_256_16_auth(p);
- return 0;
-
 case AST_AES_GCM_128_8:
 crypto_policy_set_aes_gcm_128_8_auth(p);
 return 0;
+#endif
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)
+ case AST_AES_GCM_256:
+ crypto_policy_set_aes_gcm_256_16_auth(p);
+ return 0;
 case AST_AES_GCM_256_8:
 crypto_policy_set_aes_gcm_256_8_auth(p);
@@ -880,7 +881,7 @@ static int res_sdp_crypto_parse_offer(struct ast_rtp_instance *rtp, struct ast_s
 suite_val = AST_AES_CM_128_HMAC_SHA1_32;
 ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_32);
 key_len_expected = 30;
-#ifdef HAVE_SRTP_192
+#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)
 } else if (!strcmp(suite, "AES_192_CM_HMAC_SHA1_80")) {
 suite_val = AST_AES_CM_192_HMAC_SHA1_80;
 ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_80);
@@ -905,7 +906,7 @@ static int res_sdp_crypto_parse_offer(struct ast_rtp_instance *rtp, struct ast_s
 ast_set_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);
 key_len_expected = 38;
 #endif
-#ifdef HAVE_SRTP_256
+#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)
 } else if (!strcmp(suite, "AES_256_CM_HMAC_SHA1_80")) {
 suite_val = AST_AES_CM_256_HMAC_SHA1_80;
 ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_80);
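Review bot: The three-macro condition that now guards `AST_AES_GCM_256` and `AST_AES_GCM_256_8` in policy_set_suite() is repeated by hand in res_sdp_crypto_parse_offer() (last hunk), and nothing ties the two suite lists together. If one of them is edited later, a suite could be accepted from a received offer and then refused when the policy is set, or the other way round. A comment on both guards, e.g. `/* keep in sync with the suite list in res_sdp_crypto_parse_offer() */`, would make the coupling explicit; deriving one local macro per suite group once near the top of the file and testing it in both places would remove it. The switch's default branch lies outside the hunk, so what a compiled-out suite does there should be checked.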
@@ -930,21 +931,24 @@ static int res_sdp_crypto_parse_offer(struct ast_rtp_instance *rtp, struct ast_s
 ast_set_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);
 key_len_expected = 46;
 #endif
-#ifdef HAVE_SRTP_GCM
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)
 } else if (!strcmp(suite, "AEAD_AES_128_GCM")) {
 suite_val = AST_AES_GCM_128;
 ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_16);
 key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
+ /* RFC contained a (too) short auth tag for RTP media, some still use that */
+ } else if (!strcmp(suite, "AEAD_AES_128_GCM_8")) {
+ suite_val = AST_AES_GCM_128_8;
+ ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
+ key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
+#endif
+#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)
 } else if (!strcmp(suite, "AEAD_AES_256_GCM")) {
 suite_val = AST_AES_GCM_256;
 ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_16);
 ast_set_flag(srtp, AST_SRTP_CRYPTO_AES_256);
 key_len_expected = AES_256_GCM_KEYSIZE_WSALT;
 /* RFC contained a (too) short auth tag for RTP media, some still use that */
- } else if (!strcmp(suite, "AEAD_AES_128_GCM_8")) {
- suite_val = AST_AES_GCM_128_8;
- ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
- key_len_expected = AES_128_GCM_KEYSIZE_WSALT;
 } else if (!strcmp(suite, "AEAD_AES_256_GCM_8")) {
 suite_val = AST_AES_GCM_256_8;
 ast_set_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
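Review bot: The `AEAD_AES_128_GCM_8` branch moved here is still accepted from a received offer whenever GCM is enabled, although the comment added above it describes the 8-byte tag as too short; the same holds for `AEAD_AES_256_GCM_8` at the end of the hunk. Given that the commit's stated aim is to stop peers selecting suites that were not enabled, the truncated-tag variants are the ones I would expect behind their own opt-in, or at least called out. As a minimum the comment could state the consequence, e.g. `/* 8-byte auth tag gives weaker packet authentication than the 16-byte suites; accepted for interoperability only */`. The else-if chain continues past the last line of the hunk, so the handling of an unmatched suite is not visible here.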