Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#2096 closed defect (fixed)

Various updates in DTLS-SRTP

Reported by: nanang
Owned by: nanang
Priority: normal
Milestone: release-2.8
Component: pjmedia
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no


A place for any bug fixes or enhancements related to DTLS-SRTP.

Change History (17)

comment:1 Changed 6 years ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed

In r5746:

  • Fixed re-INVITE scenario: always generate SRTP attr in SDP re-offer/answer as both offerer/answerer (as long as SRTP is not disabled of course), currently it does not generate SRTP attr if active session does not use SRTP.
  • Fixed bug in retrieving video stream info from SDP that caused DTLS transport (UDP/TLS/RTP/SAVP) getting rejected.
  • Added pjsua app param '--srtp-keying=0/1' to choose SRTP keying to be used in the outgoing offer (0=SDES (default), 1=DTLS-SRTP).
  • Few minors, e.g: adding transport_srtp_dtls/sdes.c to pjmedia MSVC2015 project.

comment:2 Changed 6 years ago by nanang

In 5749:

Re #2096: Fixed assertion in SDP answerer when its SRTP is disabled. This is an SDES issue, but related to DTLS-SRTP work (all SRTP keyings have been refactored for DTLS implementation).

comment:3 Changed 6 years ago by nanang

In 5750:

Re #2096:

  • Fixed crash in media transport when application calls detach() while the transport only implements detach2().
  • Avoid assertion in UDP media transport when calling detach() without previously calling attach().

comment:4 Changed 6 years ago by riza

In 5780:

Re #2096: When checking hash algo, don't use case sensitive comparison.
Thanks to Christian Scheid for the report.

comment:5 Changed 6 years ago by nanang

In 5781:

Re #2096:

  • Fixed DTLS-SRTP issues with AEAD_AES_256_GCM crypto, e.g: material buffer length too short, silly mistake of missing comma in PJSIP-OpenSSL crypto map.
  • Fixed SRTP error PJMEDIA_SRTP_ESDPREQCRYPTO when crypto count is set to zero and SRTP is in mandatory mode.
  • Fixed SRTP transport attach where stream RTP/RTCP reception callbacks may be overridden by DTLS-SRTP.

comment:6 Changed 6 years ago by nanang

In r5782: added log about crypto setting.

comment:7 Changed 6 years ago by nanang

In 5783:

Re #2096: Start UDP transport earlier to allow early DTLS-SRTP nego.

comment:8 Changed 6 years ago by nanang

In 5794:

Re #2096:

  • Fixed memory leak due to not destroyed DTLS-SRTP keying (when it is not active).
  • DTLS-SRTP must not destroy itself, keying destroy must be initiated by SRTP.

comment:9 Changed 6 years ago by nanang

In 5823:

Re #2096:

  • For better interoperability, check remote support for DTLS-SRTP by inspecting SDP a=fingerprint availability instead of UDP/TLS/SRTP/SAVP.
  • Bailout DTLS-SRTP when SDP a=fingerprint is not available.

Thanks Wei-Wei Cheng for suggesting a=fingerprint check instead of UDP/TLS/SRTP/SAVP.

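The two checks described in comment:4 and comment:9, sketched as an added example in standalone C. It is not PJSIP's code and uses no pjlib calls: DTLS-SRTP support is decided by the presence of an `a=fingerprint` line rather than by the `m=` transport profile, and the hash name is matched case-insensitively. The names `sdp_fingerprint_hash`, `ieq` and `k_hashes`, the allow-list contents and the sample SDP are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed allow-list for this example; not taken from the PJSIP source. */
static const char *const k_hashes[] = { "sha-256", "sha-384", "sha-512" };

/* Case-insensitive match of the n-byte token at a against the string b. */
static int ieq(const char *a, size_t n, const char *b)
{
    size_t i;
    for (i = 0; i < n && b[i]; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return i == n && b[i] == '\0';
}

/* Scan every SDP line for "a=fingerprint:<hash> <value>". Returns 1 and sets
 * *hash for an accepted hash, 0 when no a=fingerprint line exists (bail out
 * of DTLS-SRTP), -1 when one exists but is malformed or not accepted. */
int sdp_fingerprint_hash(const char *sdp, const char **hash)
{
    static const char attr[] = "a=fingerprint:";
    const char *p = sdp;
    int seen = 0;
    while (p && *p) {
        if (strncmp(p, attr, sizeof(attr) - 1) == 0) {
            const char *h = p + sizeof(attr) - 1;
            size_t n = strcspn(h, " \r\n"), k;
            seen = 1;
            for (k = 0; k < sizeof(k_hashes) / sizeof(k_hashes[0]); k++)
                if (h[n] == ' ' && ieq(h, n, k_hashes[k])) {
                    *hash = k_hashes[k];
                    return 1;
                }
        }
        if ((p = strchr(p, '\n')) != NULL) p++;
    }
    return seen ? -1 : 0;
}

int main(void)
{
    /* Constructed offer: plain RTP/SAVP profile, upper-case hash name. */
    const char *hash = "", *sdp = "m=audio 4000 RTP/SAVP 0\r\n"
                                  "a=fingerprint:SHA-256 AB:CD:EF\r\n";
    if (sdp_fingerprint_hash(sdp, &hash) == 1) puts(hash);
    return 0;
}
```

Returning the canonical allow-list entry instead of the peer's spelling keeps later comparisons and log lines consistent regardless of how the remote side capitalised the hash name.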

comment:10 Changed 6 years ago by nanang

In 5824:

Re #2096: Fixed silly mistake of missing a comma in r5823.

comment:11 Changed 6 years ago by nanang

In 5845:

Re #2096:

  • Added new error code for sending RTP/RTCP failure when DTLS-SRTP nego is in progress.
  • When sending RTP/RTCP fails, only print error message once for consecutive same errors.

comment:12 Changed 6 years ago by nanang

In 5847:

Re #2096:

  • Updated DTLS-SRTP to ignore stray packet after DTLS nego has been completed.
  • Added few debugging logs.
  • Fixed false SSL error.

comment:13 Changed 6 years ago by ming

In 5852:

Re #2096: DTLS updates

  • Fix assertion when DTLS tries to attach transport, but the ICE transport's source RTP address hasn't been updated.
  • Fix DTLS transport attachment in dtls_media_start() which misses rtcp-mux checking, causing rtcp-mux to be disabled.

comment:14 Changed 6 years ago by ming

In r5853:

Re #2096: re r5852, fixed assertion in pj_sockaddr_cp() because the address can actually be zero if we haven't received any packets

comment:15 Changed 6 years ago by nanang

In r5855:

  • Answer with one SRTP keying only when offered both (thanks Wei-Wei for the feedback).

comment:16 Changed 6 years ago by nanang

In 5857:

Re #2096: Fixed bug of r5855, SRTP encode_sdp() should not reset bypass_srtp flag in reoffer/answer scenario.

comment:17 Changed 6 years ago by nanang

In 5860:

Re #2096: Fixed some compile warnings.
