; connected. This option is set to 4 by default.
; probation=8
;
+; Enable sRTP replay protection. Buggy SIP user agents (UAs) reset the
+; sequence number (RTP-SEQ) on a re-INVITE, for example, with Session Timers
+; or on Call Hold/Resume, but keep the synchronization source (RTP-SSRC). If
+; the new RTP-SEQ is higher than the previous one, the call continues if the
+; roll-over counter (sRTP-ROC) is zero (the call lasted less than 22 minutes).
+; In all other cases, the call faces one-way audio or even no audio at all.
+; "replay check failed (index too old)" gets printed continuously. This is a
+; software bug. You have to report this to the creator of that UA. Until it is
+; fixed, you could disable sRTP replay protection (see RFC 3711 section 3.3.2).
+; This option is enabled by default.
+; srtpreplayprotection=yes
+;
; Whether to enable or disable ICE support. This option is enabled by default.
; icesupport=false
;
#define STRICT_RTP_LEARN_TIMEOUT 5000
#define DEFAULT_STRICT_RTP STRICT_RTP_YES /*!< Enabled by default */
+#define DEFAULT_SRTP_REPLAY_PROTECTION 1
#define DEFAULT_ICESUPPORT 1
#define DEFAULT_DTLS_MTU 1200
static int strictrtp = DEFAULT_STRICT_RTP; /*!< Only accept RTP frames from a defined source. If we receive an indication of a changing source, enter learning mode. */
static int learning_min_sequential = DEFAULT_LEARNING_MIN_SEQUENTIAL; /*!< Number of sequential RTP frames needed from a single source during learning mode to accept new source. */
static int learning_min_duration = DEFAULT_LEARNING_MIN_DURATION; /*!< Lowest acceptable timeout between the first and the last sequential RTP frame. */
+static int srtp_replay_protection = DEFAULT_SRTP_REPLAY_PROTECTION;
#if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10001000L) && !defined(OPENSSL_NO_SRTP)
static int dtls_mtu = DEFAULT_DTLS_MTU;
#endif
/* If this is encrypted then decrypt the payload */
if ((*rtcpheader & 0xC0) && res_srtp && srtp && res_srtp->unprotect(
- srtp, rtcpheader, &len, 1) < 0) {
+ srtp, rtcpheader, &len, 1 | (srtp_replay_protection << 1)) < 0) {
return &ast_null_frame;
}
/* If this payload is encrypted then decrypt it using the given SRTP instance */
if ((*read_area & 0xC0) && res_srtp && srtp && res_srtp->unprotect(
- srtp, read_area, &res, 0) < 0) {
+ srtp, read_area, &res, 0 | (srtp_replay_protection << 1)) < 0) {
return &ast_null_frame;
}
if (strictrtp) {
ast_cli(a->fd, " Probation: %d frames\n", learning_min_sequential);
}
+
+ ast_cli(a->fd, " Replay Protect: %s\n", AST_CLI_YESNO(srtp_replay_protection));
#ifdef HAVE_PJPROJECT
ast_cli(a->fd, " ICE support: %s\n", AST_CLI_YESNO(icesupport));
#endif
strictrtp = DEFAULT_STRICT_RTP;
learning_min_sequential = DEFAULT_LEARNING_MIN_SEQUENTIAL;
learning_min_duration = DEFAULT_LEARNING_MIN_DURATION;
+ srtp_replay_protection = DEFAULT_SRTP_REPLAY_PROTECTION;
/** This resource is not "reloaded" so much as unloaded and loaded again.
* In the case of the TURN related variables, the memory referenced by a
}
learning_min_duration = CALC_LEARNING_MIN_DURATION(learning_min_sequential);
}
+ if ((s = ast_variable_retrieve(cfg, "general", "srtpreplayprotection"))) {
+ srtp_replay_protection = ast_true(s);
+ }
#ifdef HAVE_PJPROJECT
if ((s = ast_variable_retrieve(cfg, "general", "icesupport"))) {
icesupport = ast_true(s);
}
/* Vtable functions */
-static int ast_srtp_unprotect(struct ast_srtp *srtp, void *buf, int *len, int rtcp)
+static int ast_srtp_unprotect(struct ast_srtp *srtp, void *buf, int *len, int flags)
{
int res = 0;
int i;
- int retry = 0;
+ int rtcp = (flags & 0x01) >> 0;
+ int retry = (flags & 0x02) >> 1;
struct ast_rtp_instance_stats stats = {0,};
tryagain:
projects / thirdparty / asterisk.git / commitdiff
