kenmirrors
/
freeswitch
mirror of https://github.com/signalwire/freeswitch.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Only hangup after too many SRTP errors if SWITCH_RTP_FLAG_SRTP_HANGUP_ON_ERROR. Remove fix-specific diagnostics

This commit is contained in:
Andy Newlands 2022-08-18 16:39:38 +01:00
parent 015b77fed7
commit 235b6c030b
1 changed files with 75 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

161
src/switch_rtp.c
View File

@ -649,13 +649,6 @@ static handle_rfc2833_result_t handle_rfc2833(switch_rtp_t *rtp_session, switch_
in_digit_seq = ntohs((uint16_t) rtp_session->last_rtp_hdr.seq); in_digit_seq = ntohs((uint16_t) rtp_session->last_rtp_hdr.seq);
ts = htonl(rtp_session->last_rtp_hdr.ts); ts = htonl(rtp_session->last_rtp_hdr.ts);
#ifdef DEBUG_2833
if (key == 0) {
if ((channel = switch_core_session_get_channel(rtp_session->session)) != NULL)
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Invalid DTMF characters detected on Call-ID: %s, DTMF: 0x%02x (actual: 0x%02x) Duration: %u\n", switch_channel_get_variable(channel, "call_uuid"), key, packet[0], duration);
}
#endif
if (rtp_session->flags[SWITCH_RTP_FLAG_PASS_RFC2833]) { if (rtp_session->flags[SWITCH_RTP_FLAG_PASS_RFC2833]) {
if (end) { if (end) {
@ -5891,88 +5884,84 @@ static switch_size_t do_flush(switch_rtp_t *rtp_session, int force, switch_size_
switch_socket_recvfrom(rtp_session->from_addr, rtp_session->sock_input, 0, (void *) &rtp_session->recv_msg, &bytes); switch_socket_recvfrom(rtp_session->from_addr, rtp_session->sock_input, 0, (void *) &rtp_session->recv_msg, &bytes);
#ifdef ENABLE_SRTP #ifdef ENABLE_SRTP
// Ensure we decrypt BEFORE attempting to decode DTMF payload
// (the following code was copied, verbatim (apart from the "goto" destination), from read_rtp_packet()
switch_mutex_lock(rtp_session->ice_mutex);
if (rtp_session->flags[SWITCH_RTP_FLAG_SECURE_RECV] && rtp_session->has_rtp &&
(check_recv_payload(rtp_session) ||
rtp_session->last_rtp_hdr.pt == rtp_session->recv_te ||
rtp_session->last_rtp_hdr.pt == rtp_session->cng_pt)) {
//if (rtp_session->flags[SWITCH_RTP_FLAG_SECURE_RECV] && (!rtp_session->ice.ice_user || rtp_session->has_rtp)) {
int sbytes = (int) *bytes;
srtp_err_status_t stat = 0;
if (rtp_session->flags[SWITCH_RTP_FLAG_SECURE_RECV] && rtp_session->has_rtp && if (rtp_session->flags[SWITCH_RTP_FLAG_SECURE_RECV_RESET] || !rtp_session->recv_ctx[rtp_session->srtp_idx_rtp]) {
(check_recv_payload(rtp_session) || switch_rtp_clear_flag(rtp_session, SWITCH_RTP_FLAG_SECURE_RECV_RESET);
rtp_session->last_rtp_hdr.pt == rtp_session->recv_te || srtp_dealloc(rtp_session->recv_ctx[rtp_session->srtp_idx_rtp]);
rtp_session->last_rtp_hdr.pt == rtp_session->cng_pt)) { rtp_session->recv_ctx[rtp_session->srtp_idx_rtp] = NULL;
int sbytes = (int) bytes; if ((stat = srtp_create(&rtp_session->recv_ctx[rtp_session->srtp_idx_rtp],
srtp_err_status_t stat = 0; &rtp_session->recv_policy[rtp_session->srtp_idx_rtp])) || !rtp_session->recv_ctx[rtp_session->srtp_idx_rtp]) {
if (rtp_session->recv_ctx[rtp_session->srtp_idx_rtp]) { rtp_session->flags[SWITCH_RTP_FLAG_SECURE_RECV] = 0;
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_ERROR, "Error! RE-Activating Secure RTP RECV\n");
rtp_session->flags[SWITCH_RTP_FLAG_SECURE_RECV] = 0;
switch_mutex_unlock(rtp_session->ice_mutex);
return SWITCH_STATUS_FALSE;
} else {
#ifdef DEBUG_SRTP_FLUSH switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_INFO, "RE-Activating Secure RTP RECV\n");
if (sbytes) { rtp_session->srtp_errs[rtp_session->srtp_idx_rtp] = 0;
q = 0; }
bytes_buf[0] = 0; }
for(i = 0; sbytes && i < sbytes; i++) {
sprintf(bytes_buf + q, "0x%02x ", ((u_char *)(&rtp_session->recv_msg))[i]);
q = strlen(bytes_buf);
}
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "do_flush loop BEFORE decryption: bytes = %d\nData: %s\n", sbytes, bytes_buf);
}
#endif
// Ensure we properly decrypt SRPT before reading DTMF if (!(*flags & SFF_PLC) && rtp_session->recv_ctx[rtp_session->srtp_idx_rtp]) {
if (!rtp_session->flags[SWITCH_RTP_FLAG_SECURE_RECV_MKI]) { if (!rtp_session->flags[SWITCH_RTP_FLAG_SECURE_RECV_MKI]) {
stat = srtp_unprotect(rtp_session->recv_ctx[rtp_session->srtp_idx_rtp], &rtp_session->recv_msg.header, &sbytes); stat = srtp_unprotect(rtp_session->recv_ctx[rtp_session->srtp_idx_rtp], &rtp_session->recv_msg.header, &sbytes);
} else { } else {
stat = srtp_unprotect_mki(rtp_session->recv_ctx[rtp_session->srtp_idx_rtp], &rtp_session->recv_msg.header, &sbytes, 1); stat = srtp_unprotect_mki(rtp_session->recv_ctx[rtp_session->srtp_idx_rtp], &rtp_session->recv_msg.header, &sbytes, 1);
} }
#ifdef DEBUG_SRTP_FLUSH if (rtp_session->flags[SWITCH_RTP_FLAG_NACK] && stat == srtp_err_status_replay_fail) {
if (sbytes) { /* false alarm nack */
q = 0; switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_DEBUG1, "REPLAY ERR, FALSE NACK\n");
bytes_buf[0] = 0; sbytes = 0;
for(i = 0; sbytes && i < sbytes; i++) { *bytes = 0;
sprintf(bytes_buf + q, "0x%02x ", ((u_char *)(&rtp_session->recv_msg))[i]); if (rtp_session->stats.rtcp.pkt_count) {
q = strlen(bytes_buf); rtp_session->stats.rtcp.period_pkt_count--;
} rtp_session->stats.rtcp.pkt_count--;
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "do_flush loop AFTER decryption: bytes = %d\nData: %s\n", sbytes, bytes_buf); }
} switch_mutex_unlock(rtp_session->ice_mutex);
#endif goto done_srtp;
}
}
if (rtp_session->flags[SWITCH_RTP_FLAG_NACK] && stat == srtp_err_status_replay_fail) { if (stat && rtp_session->recv_msg.header.pt != rtp_session->recv_te && rtp_session->recv_msg.header.pt != rtp_session->cng_pt) {
/* false alarm nack */ int errs = ++rtp_session->srtp_errs[rtp_session->srtp_idx_rtp];
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_DEBUG1, "REPLAY ERR, FALSE NACK\n"); if (rtp_session->flags[SWITCH_RTP_FLAG_SRTP_HANGUP_ON_ERROR] && stat != srtp_err_status_replay_old) {
sbytes = 0; char *msg;
bytes = 0; switch_srtp_err_to_txt(stat, &msg);
if (rtp_session->stats.rtcp.pkt_count) { if (errs >= MAX_SRTP_ERRS) {
rtp_session->stats.rtcp.period_pkt_count--; switch_channel_t *channel = switch_core_session_get_channel(rtp_session->session);
rtp_session->stats.rtcp.pkt_count--; switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_WARNING,
} "SRTP %s unprotect failed with code %d (%s) %ld bytes %d errors\n",
goto done_srtp; rtp_type(rtp_session), stat, msg, (long)*bytes, errs);
} switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_WARNING,
} "Ending call due to SRTP error\n");
switch_channel_hangup(channel, SWITCH_CAUSE_SRTP_READ_ERROR);
} else if (errs >= WARN_SRTP_ERRS && !(errs % WARN_SRTP_ERRS)) {
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_WARNING,
"SRTP %s unprotect failed with code %d (%s) %ld bytes %d errors\n",
rtp_type(rtp_session), stat, msg, (long)*bytes, errs);
}
}
sbytes = 0;
} else {
rtp_session->srtp_errs[rtp_session->srtp_idx_rtp] = 0;
}
if (stat && rtp_session->recv_msg.header.pt != rtp_session->recv_te && rtp_session->recv_msg.header.pt != rtp_session->cng_pt) { *bytes = sbytes;
int errs = ++rtp_session->srtp_errs[rtp_session->srtp_idx_rtp]; }
if (stat != 10) { switch_mutex_unlock(rtp_session->ice_mutex);
char *msg;
if (stat == srtp_err_status_replay_fail) msg="replay check failed (in do_flush)";
else if (stat == srtp_err_status_auth_fail) msg="auth check failed (in do_flush)";
else msg="";
if (errs >= MAX_SRTP_ERRS) {
switch_channel_t *channel = switch_core_session_get_channel(rtp_session->session);
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_WARNING,
"SRTP %s unprotect failed (in do_flush) with code %d (%s) %ld bytes %d errors\n",
rtp_type(rtp_session), stat, msg, (long)bytes, errs);
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_WARNING,
"Ending call due to SRTP error (in do_flush)\n");
switch_channel_hangup(channel, SWITCH_CAUSE_SRTP_READ_ERROR);
} else if (errs >= WARN_SRTP_ERRS && !(errs % WARN_SRTP_ERRS)) {
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_WARNING,
"SRTP %s unprotect failed (in do_flush) with code %d (%s) %ld bytes %d errors\n",
rtp_type(rtp_session), stat, msg, (long)bytes, errs);
}
}
sbytes = 0;
} else {
rtp_session->srtp_errs[rtp_session->srtp_idx_rtp] = 0;
}
bytes = sbytes;
}
done_srtp: done_srtp:
#endif #endif
@ -8874,8 +8863,8 @@ static int rtp_common_write(switch_rtp_t *rtp_session,
switch_rtp_clear_flag(rtp_session, SWITCH_RTP_FLAG_SECURE_SEND_RESET); switch_rtp_clear_flag(rtp_session, SWITCH_RTP_FLAG_SECURE_SEND_RESET);
srtp_dealloc(rtp_session->send_ctx[rtp_session->srtp_idx_rtp]); srtp_dealloc(rtp_session->send_ctx[rtp_session->srtp_idx_rtp]);
rtp_session->send_ctx[rtp_session->srtp_idx_rtp] = NULL; rtp_session->send_ctx[rtp_session->srtp_idx_rtp] = NULL;
if ((stat = srtp_create(&rtp_session->send_ctx[rtp_session->srtp_idx_rtp], if (srtp_create(&rtp_session->send_ctx[rtp_session->srtp_idx_rtp],
&rtp_session->send_policy[rtp_session->srtp_idx_rtp])) || !rtp_session->send_ctx[rtp_session->srtp_idx_rtp]) { &rtp_session->send_policy[rtp_session->srtp_idx_rtp]) || !rtp_session->send_ctx[rtp_session->srtp_idx_rtp]) {
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_ERROR, switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_ERROR,
"Error! RE-Activating %s Secure RTP SEND\n", rtp_type(rtp_session)); "Error! RE-Activating %s Secure RTP SEND\n", rtp_type(rtp_session));
rtp_session->flags[SWITCH_RTP_FLAG_SECURE_SEND] = 0; rtp_session->flags[SWITCH_RTP_FLAG_SECURE_SEND] = 0;
@ -9470,8 +9459,8 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_write_raw(switch_rtp_t *rtp_session,
switch_rtp_clear_flag(rtp_session, SWITCH_RTP_FLAG_SECURE_SEND_RESET); switch_rtp_clear_flag(rtp_session, SWITCH_RTP_FLAG_SECURE_SEND_RESET);
srtp_dealloc(rtp_session->send_ctx[rtp_session->srtp_idx_rtp]); srtp_dealloc(rtp_session->send_ctx[rtp_session->srtp_idx_rtp]);
rtp_session->send_ctx[rtp_session->srtp_idx_rtp] = NULL; rtp_session->send_ctx[rtp_session->srtp_idx_rtp] = NULL;
if ((stat = srtp_create(&rtp_session->send_ctx[rtp_session->srtp_idx_rtp], if (srtp_create(&rtp_session->send_ctx[rtp_session->srtp_idx_rtp],
&rtp_session->send_policy[rtp_session->srtp_idx_rtp])) || !rtp_session->send_ctx[rtp_session->srtp_idx_rtp]) { &rtp_session->send_policy[rtp_session->srtp_idx_rtp]) || !rtp_session->send_ctx[rtp_session->srtp_idx_rtp]) {
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_ERROR, "Error! RE-Activating Secure RTP SEND\n"); switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_ERROR, "Error! RE-Activating Secure RTP SEND\n");
rtp_session->flags[SWITCH_RTP_FLAG_SECURE_SEND] = 0; rtp_session->flags[SWITCH_RTP_FLAG_SECURE_SEND] = 0;
status = SWITCH_STATUS_FALSE; status = SWITCH_STATUS_FALSE;