From 8a1b420af3a4342f2e6e940bff8bcfe64d8492ef Mon Sep 17 00:00:00 2001 From: Richard Fuchs Date: Fri, 2 May 2025 08:51:45 -0400 Subject: [PATCH] MT#62735 add `recrypt` flag Change-Id: Ia2779bf51c155df473e523d30bd018ce54bea900 --- daemon/call.c | 6 ++++++ daemon/call_interfaces.c | 3 +++ daemon/media_socket.c | 2 +- docs/ng_control_protocol.md | 21 +++++++++++++++++++++ include/call.h | 1 + include/call_interfaces.h | 1 + 6 files changed, 33 insertions(+), 1 deletion(-) diff --git a/daemon/call.c b/daemon/call.c index 26eefd82a..53f1a0826 100644 --- a/daemon/call.c +++ b/daemon/call.c @@ -3004,6 +3004,12 @@ static void __media_init_from_flags(struct call_media *other_media, struct call_ other_media->sdp_media_bandwidth = sp->media_session_bandiwdth; other_media->sdp_information = call_str_cpy(&sp->sdp_information); + + if (flags->recrypt) { + MEDIA_SET(other_media, RECRYPT); + if (media) + MEDIA_SET(media, RECRYPT); + } } unsigned int proto_num_ports(unsigned int sp_ports, struct call_media *media, sdp_ng_flags *flags, diff --git a/daemon/call_interfaces.c b/daemon/call_interfaces.c index 6d1671990..c320311c1 100644 --- a/daemon/call_interfaces.c +++ b/daemon/call_interfaces.c @@ -1271,6 +1271,9 @@ void call_ng_flags_flags(str *s, unsigned int idx, helper_arg arg) { case CSH_LOOKUP("recording announcement"): out->recording_announcement = true; break; + case CSH_LOOKUP("recrypt"): + out->recrypt = true; + break; case CSH_LOOKUP("reorder-codecs"): case CSH_LOOKUP("reorder codecs"): ilog(LOG_INFO, "Ignoring obsolete flag `reorder-codecs`"); diff --git a/daemon/media_socket.c b/daemon/media_socket.c index eb20409ec..c4363c689 100644 --- a/daemon/media_socket.c +++ b/daemon/media_socket.c 
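Review bot: In the block added at the end of `__media_init_from_flags`, `RECRYPT` is only ever set on `other_media` and `media`, so as far as this hunk shows, a later offer or answer that omits `recrypt` leaves both legs in forced-recrypt mode. If that stickiness is intended (it is the fail-safe direction, since the flag exists so that SRTP authentication tags get checked), a comment above the block should record it, e.g. `/* sticky by design: once requested, both legs keep verifying SRTP; not cleared by a later message */`, and the new documentation entry should say the same. If it is not intended, the block needs a matching clear when `flags->recrypt` is false. The function starts outside the hunk, so any clearing done elsewhere is not visible here.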
@@ -2047,7 +2047,7 @@ static const struct streamhandler *__determine_handler(struct packet_stream *in, must_recrypt = true; else if (dtmf_do_logging(in->call, false)) must_recrypt = true; - else if (MEDIA_ISSET(in->media, DTLS) || (out && MEDIA_ISSET(out->media, DTLS))) + else if (MEDIA_ISSET2(in->media, DTLS, RECRYPT) || (out && MEDIA_ISSET2(out->media, DTLS, RECRYPT))) must_recrypt = true; else if (ML_ISSET(in->media->monologue, INJECT_DTMF) || (out && ML_ISSET(out->media->monologue, INJECT_DTMF))) must_recrypt = true; diff --git a/docs/ng_control_protocol.md b/docs/ng_control_protocol.md index b1b0491a4..52f6f73a5 100644 --- a/docs/ng_control_protocol.md +++ b/docs/ng_control_protocol.md 
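Review bot: The changed `else if` in `__determine_handler` is the only place in this patch where the flag becomes the security behaviour the documentation describes, and the diffstat lists no test alongside it. A regression test should pin that, with `recrypt` set and identical SDES keys on both sides, a packet with a bad authentication tag is dropped and does not update the learned endpoint. The ordering between tag verification and endpoint learning is not visible in this hunk and is worth confirming. The condition also relies on `MEDIA_ISSET2` being an any-of test, so a one-line comment such as `/* DTLS or explicit recrypt on either leg: no unverified SRTP passthrough */` would keep that intent readable. The function body continues outside the hunk.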
@@ -1126,6 +1126,27 @@ Spaces in each string may be replaced by hyphens. flag must be set for all call parties which are meant to hear the announcement. +* `recrypt` + + If set, forces decryption and re-encryption of all SRTP, even if + passthrough is possible. + + Without this flag set, in situations where SRTP is in use on both sides of + a call, and if the SRTP keys are the same on both sides (commonly the case + with SDES), and if no other media manipulations are required, *rtpengine* + would simply pass through all media packets directly, without getting + involved in the encryption. This saves CPU time as there's no point in + decypting each packet, only to encrypt it again using the same SRTP key. + The side effect is that even non-SRTP packets, as well as SRTP packets with + an invalid encryption, are passed through, as no verification of the SRTP + encryption takes place. This can have security implications, as then any + and all media packets are considered for endpoint learning purposes, + regardless of whether they have an intact SRTP authentication tag. + + Setting this flag forces decryption and re-encryption of all SRTP packets, + validating the authentication tag in the process, and discarding packets + without a valid tag. + * `reject ICE` Useful for `offer` messages that advertise support for ICE. diff --git a/include/call.h b/include/call.h index 488ec911e..f32770a3f 100644 --- a/include/call.h +++ b/include/call.h @@ -214,6 +214,7 @@ enum { */ #define MEDIA_FLAG_REAL_SENDONLY (1LL << 35) #define MEDIA_FLAG_SELECT_PT (1LL << 36) +#define MEDIA_FLAG_RECRYPT (1LL << 37) /* struct call_monologue */ #define ML_FLAG_REC_FORWARDING (1LL << 16) diff --git a/include/call_interfaces.h b/include/call_interfaces.h index e400358a5..9168a5f41 100644 --- a/include/call_interfaces.h +++ b/include/call_interfaces.h 
@@ -274,6 +274,7 @@ RTPE_NG_FLAGS_STR_CASE_HT_PARAMS sdes_static:1, sdes_nonew:1, sdes_prefer:1, + recrypt:1, drop_traffic_start:1, drop_traffic_stop:1, passthrough_on:1,