Hi Nitesh,
my chan_sip is rather messy right now, as I changed several things due to
other experiments as well. I tried to prepare a patch that only allegedly
covers the DTLS experiments: just beware that it is for asterisk-11.1.2 and
so you may need to tweak it a bit for your case. Anyway, what I did with
respect to DTLS in chan_sip as you can see wasn't much (as I explained in
that report, most of the SDP manipulation I did in my webapp), so just to
summarize:
1. I moved the DTLS initialization after the RTCP stuff, for the reasons
explained in the report;
2. I made sure that sha-256 fingerprints (sent by Chrome and Firefox)
were accepted by the parser, and that sha-256 fingerprints were added in
the reply too (this needs a change in the RTP engine, of course, which by
default generates sha-1 fingerprints);
3. a couple of fixes to an incorrect SAVPF behaviour (the wrong crypto
context was used);
4. an ugly hack to force DTLS if it is disabled in the configuration,
but you get a fingerprint in the SDP: I chose to do it this way as enabling
it in the configuration forces DTLS for all calls, which I didn't want.
Hope that helps, let me know if you need any further help.
Lorenzo
2013/12/4 nitesh bansal <nitesh.ban...@gmail.com>
> Hi Lorenzo,
>
> Thanks for your response. Can you share your patch on chan_sip.
>
> Regards,
> Nitesh Bansal
>
>
> On Mon, Dec 2, 2013 at 4:09 PM, Lorenzo Miniero <lmini...@gmail.com>wrote:
>
>> 2013/12/2 Mark Michelson <mmichel...@digium.com>
>>
>>> On 12/02/2013 05:29 AM, nitesh bansal wrote:
>>>
>>>> Hello everybody,
>>>>
>>>> I want to setup a basic Demo of WebRTC using Asterisk as WebServer and
>>>> SRTP-DTLS.
>>>> I got the demo setup using SRTP-DES with chrome, chrome is porpoising
>>>> both DTLS and DES,
>>>> Asterisk responds with DES abd call is connected.
>>>> But i want asterisk to propose DTLS also in its response, can you
>>>> please tell me if asterisk supports DTLS and if yes, is there a wiki page
>>>> with the documentation?
>>>> I could not find any relevant wikipage.
>>>>
>>>> Regards,
>>>> Nitesh
>>>>
>>>>
>>> Asterisk supports DTLS. Your best bet for documentation at the moment is
>>> to look at configs/sip.conf.sample in Asterisk 11 and grep for "DTLS-SRTP
>>> CONFIGURATION". That will direct you to a section that explains the various
>>> DTLS-related configuration options for chan_sip.
>>>
>>> Mark Michelson
>>>
>>>
>>
>> Just as an additional cue point, you may also refer to the report I wrote
>> a few months ago on making DTLS work in my case. I don't know whether or
>> not some of those points eventually made it to the documentation, and some
>> of them may be obsolete (e.g., you definitely don't need the fake crypto
>> anymore), but they may be oh help nonetheless:
>>
>> http://lists.digium.com/pipermail/asterisk-dev/2013-May/060435.html
>>
>> Lorenzo
>>
>>
>>
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>
>>> asterisk-dev mailing list
>>> To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-dev
>>>
>>
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> asterisk-dev mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-dev
>>
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
>
--- chan_sip.c 2013-12-04 11:04:57.217704862 +0100
+++ chan_sip_DTLS.c 2013-12-04 11:09:58.016737554 +0100
@@ -5850,9 +5850,9 @@
ice->stop(dialog->rtp);
}
- if (dialog_initialize_dtls_srtp(dialog, dialog->rtp, &dialog->srtp)) {
- return -1;
- }
+ //~ if (dialog_initialize_dtls_srtp(dialog, dialog->rtp, &dialog->srtp)) {
+ //~ return -1;
+ //~ }
if (ast_test_flag(&dialog->flags[1], SIP_PAGE2_VIDEOSUPPORT_ALWAYS) ||
(ast_test_flag(&dialog->flags[1], SIP_PAGE2_VIDEOSUPPORT) && (ast_format_cap_has_type(dialog->caps, AST_FORMAT_TYPE_VIDEO)))) {
@@ -5864,9 +5864,9 @@
ice->stop(dialog->vrtp);
}
- if (dialog_initialize_dtls_srtp(dialog, dialog->vrtp, &dialog->vsrtp)) {
- return -1;
- }
+ //~ if (dialog_initialize_dtls_srtp(dialog, dialog->vrtp, &dialog->vsrtp)) {
+ //~ return -1;
+ //~ }
ast_rtp_instance_set_timeout(dialog->vrtp, dialog->rtptimeout);
ast_rtp_instance_set_hold_timeout(dialog->vrtp, dialog->rtpholdtimeout);
@@ -5874,6 +5874,11 @@
ast_rtp_instance_set_prop(dialog->vrtp, AST_RTP_PROPERTY_RTCP, 1);
ast_rtp_instance_set_qos(dialog->vrtp, global_tos_video, global_cos_video, "SIP VIDEO");
+
+ /* Meetecho: moving DTLS setup after RTCP */
+ if (dialog_initialize_dtls_srtp(dialog, dialog->vrtp, &dialog->vsrtp)) {
+ return -1;
+ }
}
if (ast_test_flag(&dialog->flags[1], SIP_PAGE2_TEXTSUPPORT)) {
@@ -5885,14 +5890,19 @@
ice->stop(dialog->trtp);
}
- if (dialog_initialize_dtls_srtp(dialog, dialog->trtp, &dialog->tsrtp)) {
- return -1;
- }
+ //~ if (dialog_initialize_dtls_srtp(dialog, dialog->trtp, &dialog->tsrtp)) {
+ //~ return -1;
+ //~ }
/* Do not timeout text as its not constant*/
ast_rtp_instance_set_keepalive(dialog->trtp, dialog->rtpkeepalive);
ast_rtp_instance_set_prop(dialog->trtp, AST_RTP_PROPERTY_RTCP, 1);
+
+ /* Meetecho: moving DTLS setup after RTCP */
+ if (dialog_initialize_dtls_srtp(dialog, dialog->trtp, &dialog->tsrtp)) {
+ return -1;
+ }
}
ast_rtp_instance_set_timeout(dialog->rtp, dialog->rtptimeout);
@@ -5903,6 +5913,11 @@
ast_rtp_instance_set_prop(dialog->rtp, AST_RTP_PROPERTY_DTMF, ast_test_flag(&dialog->flags[0], SIP_DTMF) == SIP_DTMF_RFC2833);
ast_rtp_instance_set_prop(dialog->rtp, AST_RTP_PROPERTY_DTMF_COMPENSATE, ast_test_flag(&dialog->flags[1], SIP_PAGE2_RFC2833_COMPENSATE));
+ /* Meetecho: moving DTLS setup after RTCP */
+ if (dialog_initialize_dtls_srtp(dialog, dialog->rtp, &dialog->srtp)) {
+ return -1;
+ }
+
ast_rtp_instance_set_qos(dialog->rtp, global_tos_audio, global_cos_audio, "SIP RTP");
do_setnat(dialog);
@@ -10915,7 +10930,8 @@
} else if (sscanf(a, "fingerprint: %5s %255s", hash, value) == 2) {
found = TRUE;
- if (!strcasecmp(hash, "sha-1")) {
+ /* Meetecho: add support for sha-256 in negotiation */
+ if (!strcasecmp(hash, "sha-1") || !strcasecmp(hash, "sha-2")) {
dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1, value);
} else {
ast_log(LOG_WARNING, "Unsupported fingerprint hash type '%s' received on dialog '%s'\n",
@@ -11068,6 +11084,7 @@
ast_rtp_codecs_payloads_unset(newvideortp, NULL, codec);
}
}
+
}
return found;
@@ -12551,7 +12568,9 @@
}
if ((fingerprint = dtls->get_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1))) {
- ast_str_append(a_buf, 0, "a=fingerprint:SHA-1 %s\r\n", fingerprint);
+ //~ ast_str_append(a_buf, 0, "a=fingerprint:SHA-1 %s\r\n", fingerprint);
+ /* Meetecho: use SHA-256 for DTLS-SRTP Fingerprint (lower case sha) */
+ ast_str_append(a_buf, 0, "a=fingerprint:sha-256 %s\r\n", fingerprint);
}
}
@@ -12583,7 +12602,6 @@
} else /* I don't see how you couldn't have p->rtp, but good to check for and error out if not there like earlier code */
return;
ast_str_append(m_buf, 0, " %d", rtp_code);
- ast_str_append(a_buf, 0, "a=rtpmap:%d %s/%d\r\n", rtp_code, mime, rate);
ast_format_sdp_generate(format, rtp_code, a_buf);
@@ -13029,7 +13047,7 @@
if (needvideo) {
get_crypto_attrib(p, p->vsrtp, &v_a_crypto);
ast_str_append(&m_video, 0, "m=video %d %s", ast_sockaddr_port(&vdest),
- get_sdp_rtp_profile(p, a_crypto ? 1 : 0, p->vrtp));
+ get_sdp_rtp_profile(p, v_a_crypto ? 1 : 0, p->vrtp)); /* Meetecho: fix for SAVPF */
/* Build max bitrate string */
if (p->maxcallbitrate)
@@ -13054,7 +13072,7 @@
ast_verbose("Lets set up the text sdp\n");
get_crypto_attrib(p, p->tsrtp, &t_a_crypto);
ast_str_append(&m_text, 0, "m=text %d %s", ast_sockaddr_port(&tdest),
- get_sdp_rtp_profile(p, a_crypto ? 1 : 0, p->trtp));
+ get_sdp_rtp_profile(p, t_a_crypto ? 1 : 0, p->trtp)); /* Meetecho: fix for SAVPF */
if (debug) { /* XXX should I use tdest below ? */
ast_verbose("Text is at %s\n", ast_sockaddr_stringify(&taddr));
}
@@ -13252,6 +13270,7 @@
add_content(resp, bandwidth);
}
add_content(resp, session_time);
+
/* if this is a response to an invite, order our offers properly */
if (!AST_LIST_EMPTY(&p->offered_media)) {
AST_LIST_TRAVERSE(&p->offered_media, offer, next) {
@@ -25023,6 +25042,22 @@
/* Handle authentication if this is our first invite */
int cc_recall_core_id = -1;
set_pvt_allowed_methods(p, req);
+
+ /* Meetecho: enable DTLS if peer is asking for it (FIXME) */
+ if (!p->dtls_cfg.enabled && strlen(get_content_line(req, "a=fingerprint", ':')) > 1) {
+ ast_log(LOG_WARNING, "a=fingerprint found, creating DTLS configuration\n");
+ /* FIXME */
+ ast_rtp_dtls_cfg_parse(&p->dtls_cfg, "dtlsenable", "yes");
+ ast_rtp_dtls_cfg_parse(&p->dtls_cfg, "dtlsverify", "no");
+ ast_rtp_dtls_cfg_parse(&p->dtls_cfg, "dtlscipher", "ALL:NULL:eNULL:aNULL"); /* FIXME was SHA256... */
+ ast_rtp_dtls_cfg_parse(&p->dtls_cfg, "dtlscertfile", "/home/lminiero/workspace/code/mediactrl/0.5.0/src/stuff/mycert.pem");
+ ast_rtp_dtls_cfg_parse(&p->dtls_cfg, "dtlsprivatekey", "/home/lminiero/workspace/code/mediactrl/0.5.0/src/stuff/mycert.key");
+ //~ ast_rtp_dtls_cfg_parse(&p->dtls_cfg, "dtlscertfile", "/home/rain/Documenti/Laptop/workspace/code/tunnel/proxys/mycert.pem");
+ //~ ast_rtp_dtls_cfg_parse(&p->dtls_cfg, "dtlsprivatekey", "/home/rain/Documenti/Laptop/workspace/code/tunnel/proxys/mycert.key");
+ /* Apply the encryption tag length to the DTLS configuration, in case DTLS is in use */
+ p->dtls_cfg.suite = (ast_test_flag(&p->flags[2], SIP_PAGE3_SRTP_TAG_32) ? AST_AES_CM_128_HMAC_SHA1_32 : AST_AES_CM_128_HMAC_SHA1_80);
+ }
+
res = check_user_full(p, req, SIP_INVITE, e, XMIT_RELIABLE, addr, &authpeer);
if (res == AUTH_CHALLENGE_SENT) {
p->invitestate = INV_COMPLETED; /* Needs to restart in another INVITE transaction */
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
