Changeset 6118

Timestamp:

Dec 16, 2019 12:37:57 PM (5 years ago)

Author:

riza

Message:

Close #2257: Filter SRTP crypto setting for DTLS-SRTP profile.

Location:

pjproject/trunk/pjmedia

Files:

• include/pjmedia/errno.h (modified) (1 diff)
• src/pjmedia/errno.c (modified) (1 diff)
• src/pjmedia/transport_srtp_dtls.c (modified) (7 diffs)

pjproject/trunk/pjmedia/include/pjmedia/errno.h

@@ -657 +657 @@
 #define PJMEDIA_SRTP_DTLS_ENOFPRINT (PJMEDIA_ERRNO_START+243)   /* 220243 */
 
+/**
+ * @hideinitializer
+ * No valid SRTP protection profile for DTLS.
+ */
+#define PJMEDIA_SRTP_DTLS_ENOPROFILE (PJMEDIA_ERRNO_START+244)   /* 220244 */
+
 #endif /* PJMEDIA_HAS_SRTP */
 

pjproject/trunk/pjmedia/src/pjmedia/errno.c

@@ -171 +171 @@
     PJ_BUILD_ERR( PJMEDIA_SRTP_DTLS_EPEERNOCERT,"No certificate supplied by peer in DTLS nego" ),
     PJ_BUILD_ERR( PJMEDIA_SRTP_DTLS_EFPNOTMATCH,"Fingerprint from signalling not match to actual fingerprint" ),
-    PJ_BUILD_ERR( PJMEDIA_SRTP_DTLS_ENOFPRINT,  "Fingerprint not found" )
+    PJ_BUILD_ERR( PJMEDIA_SRTP_DTLS_ENOFPRINT,  "Fingerprint not found" ),
+    PJ_BUILD_ERR( PJMEDIA_SRTP_DTLS_ENOPROFILE, "No valid SRTP protection profile found" )
 #endif
 

pjproject/trunk/pjmedia/src/pjmedia/transport_srtp_dtls.c

@@ -136 +136 @@
 static const pj_str_t ID_FINGERPRINT  = { "fingerprint", 11 };
 
+/* Map of OpenSSL-pjmedia SRTP cryptos. Currently OpenSSL seems to
+ * support few cryptos only (based on ssl/d1_srtp.c of OpenSSL 1.1.0c).
+ */
+#define OPENSSL_PROFILE_NUM 4
+
+static char* ossl_profiles[OPENSSL_PROFILE_NUM] =
+{
+     "SRTP_AES128_CM_SHA1_80",
+     "SRTP_AES128_CM_SHA1_32",
+     "SRTP_AEAD_AES_256_GCM",
+     "SRTP_AEAD_AES_128_GCM"
+};
+static char* pj_profiles[OPENSSL_PROFILE_NUM] =
+{
+    "AES_CM_128_HMAC_SHA1_80",
+    "AES_CM_128_HMAC_SHA1_32",
+    "AEAD_AES_256_GCM",
+    "AEAD_AES_128_GCM"
+};
+
+/* This will store the valid OpenSSL profiles which is mapped from 
+ * OpenSSL-pjmedia SRTP cryptos.
+ */
+static char *valid_pj_profiles_list[OPENSSL_PROFILE_NUM];
+static char *valid_ossl_profiles_list[OPENSSL_PROFILE_NUM];
+static unsigned valid_profiles_cnt;
+
 
 /* Certificate & private key */
@@ -162 +189 @@
     }
 
+    if (valid_profiles_cnt == 0) {
+        unsigned n, j;
+        int rc;
+        char *p, *end, buf[OPENSSL_PROFILE_NUM*25];
+
+        /* Create DTLS context */
+        SSL_CTX *ctx = SSL_CTX_new(DTLS_method());
+        if (ctx == NULL) {
+            return PJ_ENOMEM;
+        }
+
+        p = buf;
+        end = buf + sizeof(buf);
+        for (j=0; j<PJ_ARRAY_SIZE(ossl_profiles); ++j) {
+            rc = SSL_CTX_set_tlsext_use_srtp(ctx, ossl_profiles[j]);
+            if (rc == 0) {
+                valid_pj_profiles_list[valid_profiles_cnt] =
+                    pj_profiles[j];
+                valid_ossl_profiles_list[valid_profiles_cnt++] =
+                    ossl_profiles[j];
+
+                n = pj_ansi_snprintf(p, end - p, ":%s", pj_profiles[j]);
+                p += n;
+            }
+        }
+        SSL_CTX_free(ctx);
+
+        if (valid_profiles_cnt > 0) {
+            PJ_LOG(4,("DTLS-SRTP", "%s profile is supported", buf));
+        } else {
+            PJ_PERROR(4, ("DTLS-SRTP", PJMEDIA_SRTP_DTLS_ENOPROFILE,
+                          "Error getting SRTP profile"));
+
+            return PJMEDIA_SRTP_DTLS_ENOPROFILE;
+        }
+    }
+
     return PJ_SUCCESS;
 }
@@ -174 +238 @@
         dtls_priv_key = NULL;
     }
+
+    valid_profiles_cnt = 0;
 }
 
@@ -352 +418 @@
 }
 
-
-/* Map of OpenSSL-pjmedia SRTP cryptos. Currently OpenSSL seems to
- * support few cryptos only (based on ssl/d1_srtp.c of OpenSSL 1.1.0c).
- */
-static char* ossl_profiles[] =
-{
-     "SRTP_AES128_CM_SHA1_80",
-     "SRTP_AES128_CM_SHA1_32",
-     "SRTP_AEAD_AES_256_GCM",
-     "SRTP_AEAD_AES_128_GCM"
-};
-static char* pj_profiles[] =
-{
-    "AES_CM_128_HMAC_SHA1_80",
-    "AES_CM_128_HMAC_SHA1_32",
-    "AEAD_AES_256_GCM",
-    "AEAD_AES_128_GCM"
-};
-
-
 /* Create and initialize new SSL context and instance */
 static pj_status_t ssl_create(dtls_srtp *ds)
@@ -387 +433 @@
     if (ctx == NULL) {
         return GET_SSL_STATUS(ds);
+    }
+
+    if (valid_profiles_cnt == 0) {      
+        return PJMEDIA_SRTP_DTLS_ENOPROFILE;
     }
 
@@ -399 +449 @@
             pjmedia_srtp_crypto *crypto = &ds->srtp->setting.crypto[i];
             unsigned j;
-            for (j=0; j<PJ_ARRAY_SIZE(pj_profiles); ++j) {
-                if (!pj_ansi_strcmp(crypto->name.ptr, pj_profiles[j])) {
-                    n = pj_ansi_snprintf(p, end-p, ":%s", ossl_profiles[j]);
+            for (j=0; j < valid_profiles_cnt; ++j) {
+                if (!pj_ansi_strcmp(crypto->name.ptr,
+                                    valid_pj_profiles_list[j]))
+                {
+                    n = pj_ansi_snprintf(p, end-p, ":%s",
+                                         valid_ossl_profiles_list[j]);
                     p += n;
                     break;
@@ -410 +463 @@
         rc = SSL_CTX_set_tlsext_use_srtp(ctx, buf+1);
         PJ_LOG(4,(ds->base.name, "Setting crypto [%s], errcode=%d", buf, rc));
-        pj_assert(rc == 0);
+        if (rc != 0) {
+            SSL_CTX_free(ctx);
+            return GET_SSL_STATUS(ds);
+        }
     }