diff --git a/daemon/call.c b/daemon/call.c
index 3fdce02d5..1f4e0f5ea 100644
--- a/daemon/call.c
+++ b/daemon/call.c
@@ -1780,24 +1780,12 @@ static void __generate_crypto(const struct sdp_ng_flags *flags, struct call_medi
 for (GList *l = offered_cpq ? offered_cpq->head : NULL; l; l = l->next) {
 struct crypto_params_sdes *offered_cps = l->data;
- /* if we accept only certain SDES suites, then add only them,
- * this takes precedence above the 'SDES-no-' flag(s).
- * We mustn't check the 'flags->sdes_no' at all, if 'flags->sdes_only' is set.
- */
- if (!flags->sdes_nonew && flags->sdes_only) {
- if (!g_hash_table_lookup(flags->sdes_only, &offered_cps->params.crypto_suite->name_str)) {
- ilogs(crypto, LOG_DEBUG, "'%s' crypto suite not added, because not one of 'SDES-only-'",
- offered_cps->params.crypto_suite->name);
- continue;
- }
- }
-
- /* SDES suites to be excluded */
- else if (!flags->sdes_nonew && flags->sdes_no &&
- g_hash_table_lookup(flags->sdes_no, &offered_cps->params.crypto_suite->name_str))
+ if (!flags->sdes_nonew &&
+ crypto_params_sdes_check_limitations(flags->sdes_only, flags->sdes_no,
+ offered_cps->params.crypto_suite))
 {
- ilogs(crypto, LOG_DEBUG, "Not offering crypto suite '%s' due to 'SDES-no' option",
- offered_cps->params.crypto_suite->name);
+ ilogs(crypto, LOG_DEBUG, "Not offering crypto suite '%s'",
+ offered_cps->params.crypto_suite->name);
 continue;
 }
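Review bot: The merged debug message `Not offering crypto suite '%s'` no longer says which policy excluded the suite, whereas the removed lines distinguished 'SDES-only-' from 'SDES-no'; the hunk at @@ -1843 loses the same detail. When someone audits why an SRTP suite was absent from an offer, the reason is the useful part of that log line. The helper returns 1 for an 'SDES-only-' miss whenever `flags->sdes_only` is set and for an 'SDES-no-' hit otherwise, so the call site can restore the reason with a second `%s`: `flags->sdes_only ? "not listed in 'SDES-only-'" : "excluded by 'SDES-no-'"`. The body of __generate_crypto continues outside the hunk.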
@@ -1843,28 +1831,15 @@ static void __generate_crypto(const struct sdp_ng_flags *flags, struct call_medi * that weren't accepted before, instead of re-using the same keys (and * suites) that were previously offered but not accepted */ for (unsigned int i = 0; i < num_crypto_suites; i++) { + if ((types_offered & (1 << i))) continue; - /* if we accept only certain SDES suites, then add only them, - * this takes precedence above the 'SDES-no-' flag(s). - * We mustn't check the 'flags->sdes_no' at all, if 'flags->sdes_only' is set. - */ - if (flags->sdes_only) + if (crypto_params_sdes_check_limitations(flags->sdes_only, + flags->sdes_no, &crypto_suites[i])) { - if (!g_hash_table_lookup(flags->sdes_only, &crypto_suites[i].name_str)) { - ilogs(crypto, LOG_DEBUG, "'%s' crypto suite not added, because not one of 'SDES-only-'", - crypto_suites[i].name); - continue; - } - } - - /* SDES suites to be excluded */ - else if (flags->sdes_no && - g_hash_table_lookup(flags->sdes_no, &crypto_suites[i].name_str)) - { - ilogs(crypto, LOG_DEBUG, "Not offering crypto suite '%s' due to 'SDES-no' option", - crypto_suites[i].name); + ilogs(crypto, LOG_DEBUG, "Not offering crypto suite '%s'", + crypto_suites[i].name); continue; } 
@@ -1989,26 +1964,8 @@ static void __sdes_accept(struct call_media *media, const struct sdp_ng_flags *f while (l) { struct crypto_params_sdes *offered_cps = l->data; - /* if 'SDES-only-' flag(s) present, then - * accept only those SDES suites mentioned in the 'SDES-only-', - * all the rest will be dropped / not added. - * This takes precedence over 'SDES-no-'. - * - * We mustn't check the 'flags->sdes_no' at all, if 'flags->sdes_only' is set. */ - if (flags->sdes_only) - { - if (g_hash_table_lookup(flags->sdes_only, - &offered_cps->params.crypto_suite->name_str)) - { - l = l->prev; - continue; - } - } - - /* if 'SDES-no-' flag(s) present, then - * remove SDES-no suites from offered ones */ - else if (flags->sdes_no && !g_hash_table_lookup(flags->sdes_no, - &offered_cps->params.crypto_suite->name_str)) + if (!crypto_params_sdes_check_limitations(flags->sdes_only, + flags->sdes_no, offered_cps->params.crypto_suite)) { l = l->prev; continue; diff --git a/include/crypto.h b/include/crypto.h index 0b5ee48c9..014d2c9e1 100644 --- a/include/crypto.h +++ b/include/crypto.h @@ -10,7 +10,6 @@ #include "aux.h" - #define SRTP_MAX_MASTER_KEY_LEN 32 #define SRTP_MAX_MASTER_SALT_LEN 14 #define SRTP_MAX_SESSION_KEY_LEN 32 
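Review bot: In __sdes_accept the new condition is not equivalent to the removed one when both `flags->sdes_only` and `flags->sdes_no` are NULL. The old `if`/`else if` took neither `continue` and fell through to the code after this block, while `!crypto_params_sdes_check_limitations(...)` is then true and the suite is kept. The loop starts and ends outside the hunk, so this case may be unreachable behind a guard that is not visible here; if so, a comment would pin the assumption, e.g. `/* only reached when sdes_only or sdes_no is set; suites allowed by the policy are kept */`. If the loop can run with neither table set, the accept path now retains suites it used to pass to the code below, which changes which SRTP suites can be negotiated.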
@@ -217,7 +216,36 @@ INLINE void crypto_params_sdes_queue_copy(GQueue *dst, const GQueue *src) {
 g_queue_push_tail(dst, cpy);
 }
 }
+/**
+ * Checks whether to apply policies according to: sdes_no / sdes_only
+ * returns: 1 - to not apply / 0 - to apply
+ */
+INLINE int crypto_params_sdes_check_limitations(GHashTable * sdes_only,
+ GHashTable * sdes_no,
+ const struct crypto_suite *cps) {
+
+ /* if 'SDES-only-' flag(s) present, then
+ * accept only those SDES suites mentioned in the 'SDES-only-',
+ * all the rest will be dropped / not added.
+ * This takes precedence over 'SDES-no-'.
+ *
+ * We mustn't check the 'flags->sdes_no' at all, if 'flags->sdes_only' is set. */
+ if (sdes_only)
+ {
+ if (!g_hash_table_lookup(sdes_only, &cps->name_str))
+ return 1;
+ }
+
+ /* if 'SDES-no-' flag(s) present, then
+ * remove SDES-no suites from offered ones */
+ else if (sdes_no &&
+ g_hash_table_lookup(sdes_no, &cps->name_str))
+ {
+ return 1;
+ }
+ return 0;
+}
 #include "main.h"
 #include "log.h"
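Review bot: The doc comment's `returns: 1 - to not apply / 0 - to apply` does not say what is being applied, and the callers in daemon/call.c use both senses (negated in __sdes_accept, plain in __generate_crypto), so a later caller could easily invert the policy. I would word it as `returns 1 if the suite is excluded by SDES-only/SDES-no and must be skipped, 0 if it is allowed`. The inner comment still refers to `flags->sdes_no` and `flags->sdes_only`, which are not in scope in this helper; it should name the `sdes_no` and `sdes_only` parameters instead. `cps` is dereferenced unconditionally through `&cps->name_str`, so the comment should also state that it must not be NULL.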