add DTLS=passive option

fixes #44

README.md

@@ -727,13 +727,22 @@ Optionally included keys are:
 	used TOS value is left unchanged. If this key is not present or its value is too large (256 or more), then
 	the TOS value is reverted to the default (as per `--tos` command line).
 
+* `DTLS`
+
+	Contains a string and influences the behaviour of DTLS-SRTP. Currently the only recognized option
+	is `passive`, which instructs *rtpengine* to prefer the passive (i.e. server) role for the DTLS
+	handshake. The default is to take the active (client) role if possible. This is useful in cases where
+	the SRTP endpoint isn't able to receive or process the DTLS handshake packets, for example when it's
+	behind NAT or needs to finish ICE processing first.
+
 An example of a complete `offer` request dictionary could be (SDP body abbreviated):
 
 	{ "command": "offer", "call-id": "cfBXzDSZqhYNcXM", "from-tag": "mS9rSAn0Cr",
 	"sdp": "v=0\r\no=...", "via-branch": "5KiTRPZHH1nL6",
 	"flags": [ "trust address" ], "replace": [ "origin", "session connection" ],
 	"address family": "IP6", "received-from": [ "IP4", "10.65.31.43" ],
-	"ICE": "force", "transport protocol": "RTP/SAVPF", "media address": "2001:d8::6f24:65b" }
+	"ICE": "force", "transport protocol": "RTP/SAVPF", "media address": "2001:d8::6f24:65b",
+	"DTLS": "passive" }
 
 The response message only contains the key `sdp` in addition to `result`, which contains the re-written
 SDP body that the SIP proxy should insert into the SIP message.

daemon/call.c

@@ -1884,6 +1884,8 @@ static void __generate_crypto(const struct sdp_ng_flags *flags, struct call_medi
 		MEDIA_SET(this, SETUP_ACTIVE);
 	}
 	else {
+		if (flags->dtls_passive && MEDIA_ISSET(this, SETUP_PASSIVE))
+			MEDIA_CLEAR(this, SETUP_ACTIVE);
 		/* if we can be active, we will, otherwise we'll be passive */
 		if (MEDIA_ISSET(this, SETUP_ACTIVE))
 			MEDIA_CLEAR(this, SETUP_PASSIVE);
@@ -2167,6 +2169,10 @@ int monologue_offer_answer(struct call_monologue *other_ml, GQueue *streams,
 				&& (tmp & (MEDIA_FLAG_SETUP_ACTIVE | MEDIA_FLAG_SETUP_PASSIVE))
 				== MEDIA_FLAG_SETUP_PASSIVE)
 			MEDIA_CLEAR(other_media, SETUP_ACTIVE);
+		/* if passive mode is requested, honour it if we can */
+		if (flags->dtls_passive && MEDIA_ISSET(other_media, SETUP_PASSIVE))
+			MEDIA_CLEAR(other_media, SETUP_ACTIVE);
+
 		if (memcmp(&other_media->fingerprint, &sp->fingerprint, sizeof(sp->fingerprint))) {
 			__fingerprint_changed(other_media);
 			other_media->fingerprint = sp->fingerprint;

daemon/call_interfaces.c

@@ -530,6 +530,14 @@ static void call_ng_process_flags(struct sdp_ng_flags *out, bencode_item_t *inpu
 					STR_FMT(&s));
 	}
 
+	if (bencode_dictionary_get_str(input, "DTLS", &s)) {
+		if (!str_cmp(&s, "passive"))
+			out->dtls_passive = 1;
+		else
+			ilog(LOG_WARN, "Unknown 'DTLS' flag encountered: '"STR_FORMAT"'",
+					STR_FMT(&s));
+	}
+
 	if ((list = bencode_dictionary_get_expect(input, "rtcp-mux", BENCODE_LIST))) {
 		for (it = list->child; it; it = it->sibling) {
 			if (!bencode_strcmp(it, "offer"))

daemon/sdp.h

@@ -31,7 +31,8 @@ struct sdp_ng_flags {
 	    rtcp_mux_accept:1,
 	    rtcp_mux_reject:1,
 	    strict_source:1,
-	    media_handover:1;
+	    media_handover:1,
+	    dtls_passive:1;
 };
 
 struct sdp_chopper {

utils/ng-client

@@ -29,6 +29,7 @@ GetOptions(
 	'sdp=s'				=> \$options{'sdp'},
 	'sdp-file=s'			=> \$options{'sdp-file'},
 	'ICE=s'				=> \$options{'ICE'},
+	'DTLS=s'			=> \$options{'DTLS'},
 	'rtcp-mux-offer'		=> \$options{'rtcp-mux-offer'},
 	'rtcp-mux-demux'		=> \$options{'rtcp-mux-demux'},
 	'rtcp-mux-accept'		=> \$options{'rtcp-mux-accept'},
@@ -46,7 +47,7 @@ my $cmd = shift(@ARGV) or die;
 
 my %packet = (command => $cmd);
 
-for my $x (split(',', 'from-tag,to-tag,call-id,transport protocol,media address,ICE,address family,TOS')) {
+for my $x (split(',', 'from-tag,to-tag,call-id,transport protocol,media address,ICE,address family,TOS,DTLS')) {
 	defined($options{$x}) and $packet{$x} = $options{$x};
 }
 for my $x (split(',', 'trust address,symmetric,asymmetric,force,strict source,media handover')) {