Hello,

I'm working on a patch to add support for MKI in res_srtp.

For those who may not be familiar with the subject, MKI is a re-keying mechanism for SRTP which involves appending a Master Key Identifier (MKI) inside each SRTP packet in order to change the master key in use.

Master key and MKI negotiation is out of scope of this patch.

Before going forward, I'd like to submit to you the changes I plan in res_srtp's API, just to know if I'm going in the right direction or if I should design it another way.

First, I would add a method in ast_srtp_policy_res to add several master keys (together with their MKI) to the SRTP policy. It returns the index at which the key was inserted, which can be used later to reference the master key:

struct ast_srtp_policy_res {
        [...]
+       int (*add_master_key)(struct ast_srtp_policy *policy, const unsigned char *key, size_t key_len, const unsigned char *salt, size_t salt_len, const unsigned char *mki, size_t mki_len);
 };

Second, I would add two methods in ast_srtp_res to enable or disable MKI usage for incoming and outgoing SRTP packets. The MKI to use for outgoing packets is referenced by its index, as returned by ast_srtp_policy_res.add_master_key:

struct ast_srtp_res {
        [...]
+       int (*use_inbound_mki)(struct ast_srtp *srtp, int enable);
+       int (*use_outbound_mki)(struct ast_srtp *srtp, int enable, int mki_index);
 };

I have also attached a patch file summarizing these changes.

Any feedback will be appreciated!

Regards,

Jean
diff --git a/include/asterisk/res_srtp.h b/include/asterisk/res_srtp.h
index 741d4f9ac0..f075c6507c 100644
--- a/include/asterisk/res_srtp.h
+++ b/include/asterisk/res_srtp.h
@@ -50,6 +50,27 @@ struct ast_srtp_res {
 	int (*protect)(struct ast_srtp *srtp, void **buf, int *size, int rtcp);
 	/* Obtain a random cryptographic key */
 	int (*get_random)(unsigned char *key, size_t len);
+	/*!
+	 * \brief Configure the SRTP session to use or ignore the MKI field in incoming SRTP packets
+	 *
+	 * \param srtp the SRTP session to configure
+	 * \param enable whether or not enabling incoming MKI usage
+	 *
+	 * \retval 0 success
+	 * \retval -1 failure
+	 */
+	int (*use_inbound_mki)(struct ast_srtp *srtp, int enable);
+	/*!
+	 * \brief Configure the SRTP session to enable or not MKI usage in outgoing SRTP packets
+	 *
+	 * \param srtp the SRTP session to configure
+	 * \param enable whether or not enabling MKI usage
+	 * \param mki_index the index of the MKI to use; ignored if enable = 0
+	 *
+	 * \retval 0 success
+	 * \retval -1 failure
+	 */
+	int (*use_outbound_mki)(struct ast_srtp *srtp, int enable, int mki_index);
 };
 
 /* Crypto suites */
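Review bot: The doc blocks for use_inbound_mki and use_outbound_mki leave the failure semantics undefined, which is the part a caller most needs. For use_inbound_mki, state what happens once inbound MKI is enabled and a packet arrives without an MKI or with one that matches no key added to the policy: it should be rejected (unprotect fails), never decrypted with a default key. For use_outbound_mki, say which add_master_key() index space mki_index refers to (the outbound policy's, 0-based) and that an index that was never added returns -1 rather than silently keeping the previous key. Also "\param enable whether or not enabling incoming MKI usage" reads awkwardly; suggest "\param enable Non-zero to parse and require the MKI in incoming packets, zero to ignore it", and the matching wording for the outbound variant.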
@@ -72,6 +93,13 @@ struct ast_srtp_policy_res {
 	void (*destroy)(struct ast_srtp_policy *policy);
 	int (*set_suite)(struct ast_srtp_policy *policy, enum ast_srtp_suite suite);
 	int (*set_master_key)(struct ast_srtp_policy *policy, const unsigned char *key, size_t key_len, const unsigned char *salt, size_t salt_len);
+	/*!
+	 * \brief Add a master key with its MKI to the SRTP policy
+	 *
+	 * \retval -1 failure
+	 * \retval >= 0 index at which the key was inserted
+	 */
+	int (*add_master_key)(struct ast_srtp_policy *policy, const unsigned char *key, size_t key_len, const unsigned char *salt, size_t salt_len, const unsigned char *mki, size_t mki_len);
 	void (*set_ssrc)(struct ast_srtp_policy *policy, unsigned long ssrc, int inbound);
 };
 
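Review bot: add_master_key() has a \brief and \retval lines but no \param documentation, and the new parameters raise questions the header should answer: whether key, salt and mki are copied or must outlive the policy; whether mki_len must be identical for every call on the same policy (SRTP uses one MKI length per session, so a mismatch should return -1); and whether mki may be NULL with mki_len 0, and if so how that relates to set_master_key() two lines above, which still sets a key without an MKI. Since use_outbound_mki() consumes the returned index, also state that indices are 0-based and remain stable for the life of the policy (keys are never removed or reordered). A sentence noting that the MKI itself is not secret and is carried in clear in each packet would help readers choosing MKI values.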
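The packet-level side of what the proposal describes, as an added example that is not part of the patch, of res_srtp or of libsrtp: a small C model of a master key table keyed by MKI, with the MKI spliced into an already protected packet on send and resolved back to a key index on receive. The names (mki_table, mki_insert, mki_resolve), the 16-byte key, the fixed 10-byte authentication tag and the sample packet bytes are assumptions for illustration; a real implementation would hand the key material to libsrtp and only reproduce the lookup logic.

```c
/* Added example, not Asterisk, res_srtp or libsrtp code: how an MKI travels
 * in an SRTP packet and how the receiver maps it back to a master-key index.
 * RFC 3711 layout: RTP header | encrypted payload | MKI (optional, fixed
 * length per session) | authentication tag. The tag covers header and
 * payload only, so the MKI can be spliced in after the tag was computed. */
#include <stddef.h>
#include <string.h>

#define MAX_KEYS        4
#define MASTER_KEY_LEN  16   /* assumed: AES-128 master key */
#define AUTH_TAG_LEN    10   /* assumed: 80-bit tag as in AES_CM_128_HMAC_SHA1_80 */
#define MAX_MKI_LEN     16

struct mki_key {
	unsigned char key[MASTER_KEY_LEN];
	unsigned char mki[MAX_MKI_LEN];
};

struct mki_table {
	struct mki_key keys[MAX_KEYS];
	int count;
	size_t mki_len;   /* one MKI length for every key of the session */
};

/* Same contract as the proposed add_master_key(): index on success, -1 on failure. */
int mki_table_add(struct mki_table *t, const unsigned char *key, size_t key_len,
                  const unsigned char *mki, size_t mki_len)
{
	struct mki_key *k;

	if (!t || !key || !mki || key_len != MASTER_KEY_LEN
	    || mki_len == 0 || mki_len > MAX_MKI_LEN || t->count >= MAX_KEYS) {
		return -1;
	}
	if (t->count > 0 && mki_len != t->mki_len) {
		return -1;   /* the MKI length cannot change mid-session */
	}
	k = &t->keys[t->count];
	memcpy(k->key, key, key_len);
	memcpy(k->mki, mki, mki_len);
	t->mki_len = mki_len;
	return t->count++;
}

/* Outbound: splice the MKI of keys[index] between payload and tag.
 * buf holds header|payload|tag (*size bytes) and has cap bytes of room. */
int mki_insert(unsigned char *buf, size_t *size, size_t cap,
               const struct mki_table *t, int index)
{
	size_t tag_off;

	if (!buf || !size || !t || index < 0 || index >= t->count
	    || *size < AUTH_TAG_LEN || *size + t->mki_len > cap) {
		return -1;
	}
	tag_off = *size - AUTH_TAG_LEN;
	memmove(buf + tag_off + t->mki_len, buf + tag_off, AUTH_TAG_LEN);
	memcpy(buf + tag_off, t->keys[index].mki, t->mki_len);
	*size += t->mki_len;
	return 0;
}

/* Inbound: read the MKI just before the tag and resolve it to a key index.
 * -1 means a short packet or an unknown MKI; the caller must drop the packet
 * rather than fall back to some default key. */
int mki_resolve(const unsigned char *buf, size_t size, const struct mki_table *t)
{
	const unsigned char *mki;
	int i;

	if (!buf || !t || t->count == 0 || size < AUTH_TAG_LEN + t->mki_len) {
		return -1;
	}
	mki = buf + size - AUTH_TAG_LEN - t->mki_len;
	for (i = 0; i < t->count; i++) {
		if (memcmp(t->keys[i].mki, mki, t->mki_len) == 0) {
			return i;
		}
	}
	return -1;
}

/* Worked run on a constructed packet (12-byte header, 8-byte payload, tag):
 * the sender uses key sender_index; returns the index the receiver resolved. */
static int run(int sender_index, int receiver_knows_both)
{
	struct mki_table tx, rx;
	unsigned char k0[MASTER_KEY_LEN], k1[MASTER_KEY_LEN];
	static const unsigned char mki0[2] = { 0x00, 0x01 };
	static const unsigned char mki1[2] = { 0x00, 0x02 };
	unsigned char pkt[64];
	size_t len = 12 + 8 + AUTH_TAG_LEN;

	memset(&tx, 0, sizeof tx);
	memset(&rx, 0, sizeof rx);
	memset(k0, 0x11, sizeof k0);   /* constructed key bytes, not real keys */
	memset(k1, 0x22, sizeof k1);
	mki_table_add(&tx, k0, sizeof k0, mki0, sizeof mki0);
	mki_table_add(&tx, k1, sizeof k1, mki1, sizeof mki1);
	mki_table_add(&rx, k0, sizeof k0, mki0, sizeof mki0);
	if (receiver_knows_both) {
		mki_table_add(&rx, k1, sizeof k1, mki1, sizeof mki1);
	}
	memset(pkt, 0xaa, len - AUTH_TAG_LEN);             /* header + payload */
	memset(pkt + len - AUTH_TAG_LEN, 0xbb, AUTH_TAG_LEN); /* pretend tag */
	if (mki_insert(pkt, &len, sizeof pkt, &tx, sender_index) != 0) {
		return -2;
	}
	return mki_resolve(pkt, len, &rx);
}

int mki_demo_known(void)   { return run(1, 1); }   /* receiver has key 1 */
int mki_demo_unknown(void) { return run(1, 0); }   /* receiver never learned key 1 */
```

The second run is the case the API has to get right: the sender re-keys to an MKI the receiver was never given, and the receiver's only safe answer is to drop the packet, which is why the model returns -1 instead of an index 0 fallback.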
-- 

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev