FS-8281: Expose SRTP and SRTCP crypto keys as channel vars
authorCorey Burke <corey@switch.co>
Fri, 2 Oct 2015 13:56:51 +0000 (06:56 -0700)
committerCorey Burke <corey@switch.co>
Tue, 27 Oct 2015 23:33:49 +0000 (16:33 -0700)
New vars are srtp_{local,remote}_crypto_key and srtcp_{local,remote}_crypto_key.
Allows decrypting packet-captured media streams for debugging.

conf/vanilla/autoload_configs/switch.conf.xml
src/switch_core.c
src/switch_rtp.c

index 4ffe878563d046c2e747234e52c20ca0c3ad39e4..345a16c19e37749a4bb72e935e4ae6cff86c4b0f 100644 (file)
 
     <param name="rtp-enable-zrtp" value="false"/>
 
+    <!--
+        Store encryption keys for secure media in channel variables and call CDRs. Default: false.
+        WARNING: If true, anyone with CDR access can decrypt secure media!
+    -->
+    <!-- <param name="rtp-retain-crypto-keys" value="true"/> -->
+
     <!-- <param name="core-db-dsn" value="pgsql://hostaddr=127.0.0.1 dbname=freeswitch user=freeswitch password='' options='-c client_min_messages=NOTICE'" /> -->
     <!-- <param name="core-db-dsn" value="dsn:username:password" /> -->
     <!-- 
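Review bot: The WARNING at `anyone with CDR access can decrypt secure media!` names only CDRs, but the keys are stored as channel variables, which are presumably also visible through any other path that exposes channel variables (event socket events, channel dumps, variable logging), so the comment understates who can read them. Consider `WARNING: If true, anyone who can read channel variables (CDRs, event socket, logs) can decrypt secure media!`. It would also help operators to say here that enabling the option logs a warning at load time, so they know the switch will announce the setting.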
index e0c800e2bf9a63bc795c3b2f4496bd24a8ef5ac1..e0715289ca4f73b5a37d1c4a720b88bb128fed31 100644 (file)
@@ -2229,9 +2229,15 @@ static void switch_load_core_config(const char *file)
                                } else if (!strcasecmp(var, "rtp-enable-zrtp")) {
                                        switch_core_set_variable("zrtp_enabled", val);
 #endif
-                } else if (!strcasecmp(var, "switchname") && !zstr(val)) {
+                               } else if (!strcasecmp(var, "switchname") && !zstr(val)) {
                                        runtime.switchname = switch_core_strdup(runtime.memory_pool, val);
                     switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_NOTICE, "Set switchname to %s\n", runtime.switchname);
+                               } else if (!strcasecmp(var, "rtp-retain-crypto-keys")) {
+                                       if (switch_true(val)) {
+                                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
+                                                                                 "rtp-retain-crypto-keys enabled. Could be used to decrypt secure media.\n");
+                                       }
+                                       switch_core_set_variable("rtp_retain_crypto_keys", val);
                                }
                        }
                }
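Review bot: The warning emitted by `switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "rtp-retain-crypto-keys enabled. Could be used to decrypt secure media.\n")` fires only on the config-file path, while the actual gate is the global variable `rtp_retain_crypto_keys` set on the next line and read at runtime by the RTP code, so any other way of setting that global at runtime (a console or API global setter, if one exists) would enable key export without any log line. The message could also say where the keys land so the operator can act on it: `"rtp-retain-crypto-keys enabled: SRTP/SRTCP keys will be stored in channel variables and CDRs and can be used to decrypt secure media.\n"`. The `else if` chain belongs to switch_load_core_config, whose body begins and ends outside this hunk; the re-indented `switchname` branch still sits next to a space-indented `switch_log_printf` line, so the tab/space mix is only partly repaired.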
index 62e48e7d1cbba327565eea3dce4ebab7bcddeb80..6550952f1bd24aa0ff0e891df711abe07bcfb6df 100644 (file)
@@ -3393,11 +3393,33 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_crypto_key(switch_rtp_t *rtp_sess
        switch_event_t *fsevent = NULL;
        int idx = 0;
        const char *var;
+       unsigned char b64_key[512] = "";
 
        if (direction >= SWITCH_RTP_CRYPTO_MAX || keylen > SWITCH_RTP_MAX_CRYPTO_LEN) {
                return SWITCH_STATUS_FALSE;
        }
 
+       switch_b64_encode(key, keylen, b64_key, sizeof(b64_key));
+
+       if (switch_true(switch_core_get_variable("rtp_retain_crypto_keys"))) {
+               switch(direction) {
+                       case SWITCH_RTP_CRYPTO_SEND:
+                               switch_channel_set_variable(channel, "srtp_local_crypto_key", (const char *)b64_key);
+                               break;
+                       case SWITCH_RTP_CRYPTO_RECV:
+                               switch_channel_set_variable(channel, "srtp_remote_crypto_key", (const char *)b64_key);
+                               break;
+                       case SWITCH_RTP_CRYPTO_SEND_RTCP:
+                               switch_channel_set_variable(channel, "srtcp_local_crypto_key", (const char *)b64_key);
+                               break;
+                       case SWITCH_RTP_CRYPTO_RECV_RTCP:
+                               switch_channel_set_variable(channel, "srtcp_remote_crypto_key", (const char *)b64_key);
+                               break;
+                       default:
+                               break;
+               }
+       }
+
        crypto_key = switch_core_alloc(rtp_session->pool, sizeof(*crypto_key));
 
        if (direction == SWITCH_RTP_CRYPTO_RECV_RTCP) {
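Review bot: The base64 copy of the master key produced by `switch_b64_encode(key, keylen, b64_key, sizeof(b64_key));` is computed on every call, even when `rtp_retain_crypto_keys` is off, and its return value is discarded, so a failed or truncated encoding would be exported silently. Move the call inside the `if (switch_true(switch_core_get_variable("rtp_retain_crypto_keys")))` block and skip the export when it does not succeed, e.g. `if (switch_b64_encode(key, keylen, b64_key, sizeof(b64_key)) != SWITCH_STATUS_SUCCESS) { b64_key[0] = '\0'; }` (hedged: the function's return type is not visible in this hunk). Because `b64_key` then holds key material on the stack, it should be cleared before the function returns; the body of switch_rtp_add_crypto_key continues past this hunk, so the wipe belongs at its exit, and a plain `memset` there may be optimized away, so prefer a project secure-wipe helper if one exists. Note also that `switch_channel_set_variable` overwrites the previous value, so after a mid-call re-key only the most recent key survives in the variable; that is acceptable for the stated debugging use but deserves a comment such as `/* only the most recently negotiated key is retained; earlier keys are overwritten */`.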