Author: file Date: Sat Nov 15 10:31:24 2014 New Revision: 427950 URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=427950 Log: chan_sip: Add support for setting DTLS configuration in the general section.
Configuration of DTLS in the general section will be applied to any users or peers. If configuration exists at their level it overrides the general section values. ASTERISK-24128 #close Reported by: Michael K. patches: dtls_default_settings.patch submitted by Michael K. (license 6621) Review: https://reviewboard.asterisk.org/r/3867/ Modified: trunk/CHANGES trunk/channels/chan_sip.c trunk/configs/samples/sip.conf.sample Modified: trunk/CHANGES URL: http://svnview.digium.com/svn/asterisk/trunk/CHANGES?view=diff&rev=427950&r1=427949&r2=427950 ============================================================================== --- trunk/CHANGES (original) +++ trunk/CHANGES Sat Nov 15 10:31:24 2014 @@ -20,6 +20,9 @@ * New 'rtpbindaddr' global setting. This allows a user to define which ipaddress to bind the rtpengine to. For example, chan_sip might bind to eth0 (10.0.0.2) but rtpengine to eth1 (192.168.1.10). + * DTLS related configuration options can now be set at a general level. + Enabling DTLS support, though, requires enabling it at the user + or peer level. chan_pjsip ------------------ Modified: trunk/channels/chan_sip.c URL: http://svnview.digium.com/svn/asterisk/trunk/channels/chan_sip.c?view=diff&rev=427950&r1=427949&r2=427950 ============================================================================== --- trunk/channels/chan_sip.c (original) +++ trunk/channels/chan_sip.c Sat Nov 15 10:31:24 2014 @@ -2305,6 +2305,9 @@ /*! \brief Default TLS connection configuration */ static struct ast_tls_config default_tls_cfg; +/*! \brief Default DTLS connection configuration */ +static struct ast_rtp_dtls_cfg default_dtls_cfg; + /*! \brief The TCP server definition */ static struct ast_tcptls_session_args sip_tcp_desc = { .accept_fd = -1, @@ -30397,6 +30400,10 @@ /* clear named callgroup and named pickup group container */ peer->named_callgroups = ast_unref_namedgroups(peer->named_callgroups); peer->named_pickupgroups = ast_unref_namedgroups(peer->named_pickupgroups); + + /* Set the default DTLS settings from default_tls_cfg */ + ast_rtp_dtls_cfg_free(&peer->dtls_cfg); + ast_rtp_dtls_cfg_copy(&default_dtls_cfg, &peer->dtls_cfg); for (; v || ((v = alt) && !(alt=NULL)); v = v->next) { if (!devstate_only) { @@ -31172,6 +31179,7 @@ sip_cfg.contact_acl = ast_free_acl_list(sip_cfg.contact_acl); default_tls_cfg.enabled = FALSE; /* Default: Disable TLS */ + default_dtls_cfg.enabled = FALSE; /* Default: Disable DTLS too */ if (reason != CHANNEL_MODULE_LOAD) { ast_debug(4, "--------------- SIP reload started\n"); @@ -31190,19 +31198,26 @@ ao2_t_callback(peers, OBJ_NODATA, peer_markall_func, NULL, "callback to mark all peers"); } - /* Reset certificate handling for TLS sessions */ + /* Reset certificate handling for TLS and DTLS sessions */ if (reason != CHANNEL_MODULE_LOAD) { ast_free(default_tls_cfg.certfile); ast_free(default_tls_cfg.pvtfile); ast_free(default_tls_cfg.cipher); ast_free(default_tls_cfg.cafile); ast_free(default_tls_cfg.capath); + ast_rtp_dtls_cfg_free(&default_dtls_cfg); } default_tls_cfg.certfile = ast_strdup(AST_CERTFILE); /*XXX Not sure if this is useful */ default_tls_cfg.pvtfile = ast_strdup(""); default_tls_cfg.cipher = ast_strdup(""); default_tls_cfg.cafile = ast_strdup(""); default_tls_cfg.capath = ast_strdup(""); + /* Using the same idea fro DTLS as the code block above for TLS */ + default_dtls_cfg.certfile = ast_strdup(""); + default_dtls_cfg.pvtfile = ast_strdup(""); + default_dtls_cfg.cipher = ast_strdup(""); + default_dtls_cfg.cafile = ast_strdup(""); + default_dtls_cfg.capath = ast_strdup(""); /* Initialize copy of current sip_cfg.regcontext for later use in removing stale contexts */ ast_copy_string(oldcontexts, sip_cfg.regcontext, sizeof(oldcontexts)); @@ -31372,6 +31387,9 @@ if (!ast_jb_read_conf(&global_jbconf, v->name, v->value)) { continue; } + + /* Load default dtls configuration */ + ast_rtp_dtls_cfg_parse(&default_dtls_cfg, v->name, v->value); /* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */ if (!strcasecmp(v->name, "tlsverifyclient")) { @@ -34578,6 +34596,8 @@ ast_free(default_tls_cfg.cafile); ast_free(default_tls_cfg.capath); + ast_rtp_dtls_cfg_free(&default_dtls_cfg); + cleanup_all_regs(); ao2_cleanup(registry_list); Modified: trunk/configs/samples/sip.conf.sample URL: http://svnview.digium.com/svn/asterisk/trunk/configs/samples/sip.conf.sample?view=diff&rev=427950&r1=427949&r2=427950 ============================================================================== --- trunk/configs/samples/sip.conf.sample (original) +++ trunk/configs/samples/sip.conf.sample Sat Nov 15 10:31:24 2014 @@ -1319,6 +1319,9 @@ ; ; DTLS-SRTP support is available if the underlying RTP engine in use supports it. ; +; Note that all configuration options except dtlsenable can be set at the general level. +; If set they will be present on the user or peer unless overridden with a different value. +; ; dtlsenable = yes ; Enable or disable DTLS-SRTP support ; dtlsverify = yes ; Verify that provided peer certificate and fingerprint are valid ; ; A value of 'yes' will perform both certificate and fingerprint verification -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- svn-commits mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/svn-commits
