MT#62735 add `recrypt` flag

Change-Id: Ia2779bf51c155df473e523d30bd018ce54bea900

daemon/call.c

@@ -3004,6 +3004,12 @@ static void __media_init_from_flags(struct call_media *other_media, struct call_
 	other_media->sdp_media_bandwidth = sp->media_session_bandiwdth;
 
 	other_media->sdp_information = call_str_cpy(&sp->sdp_information);
+
+	if (flags->recrypt) {
+		MEDIA_SET(other_media, RECRYPT);
+		if (media)
+			MEDIA_SET(media, RECRYPT);
+	}
 }
 
 unsigned int proto_num_ports(unsigned int sp_ports, struct call_media *media, sdp_ng_flags *flags,

daemon/call_interfaces.c

@@ -1271,6 +1271,9 @@ void call_ng_flags_flags(str *s, unsigned int idx, helper_arg arg) {
 		case CSH_LOOKUP("recording announcement"):
 			out->recording_announcement = true;
 			break;
+		case CSH_LOOKUP("recrypt"):
+			out->recrypt = true;
+			break;
 		case CSH_LOOKUP("reorder-codecs"):
 		case CSH_LOOKUP("reorder codecs"):
 			ilog(LOG_INFO, "Ignoring obsolete flag `reorder-codecs`");

daemon/media_socket.c

@@ -2047,7 +2047,7 @@ static const struct streamhandler *__determine_handler(struct packet_stream *in,
 		must_recrypt = true;
 	else if (dtmf_do_logging(in->call, false))
 		must_recrypt = true;
-	else if (MEDIA_ISSET(in->media, DTLS) || (out && MEDIA_ISSET(out->media, DTLS)))
+	else if (MEDIA_ISSET2(in->media, DTLS, RECRYPT) || (out && MEDIA_ISSET2(out->media, DTLS, RECRYPT)))
 		must_recrypt = true;
 	else if (ML_ISSET(in->media->monologue, INJECT_DTMF) || (out && ML_ISSET(out->media->monologue, INJECT_DTMF)))
 		must_recrypt = true;

docs/ng_control_protocol.md

@@ -1126,6 +1126,27 @@ Spaces in each string may be replaced by hyphens.
     flag must be set for all call parties which are meant to hear the
     announcement.
 
+* `recrypt`
+
+    If set, forces decryption and re-encryption of all SRTP, even if
+    passthrough is possible.
+
+    Without this flag set, in situations where SRTP is in use on both sides of
+    a call, and if the SRTP keys are the same on both sides (commonly the case
+    with SDES), and if no other media manipulations are required, *rtpengine*
+    would simply pass through all media packets directly, without getting
+    involved in the encryption. This saves CPU time as there's no point in
+    decypting each packet, only to encrypt it again using the same SRTP key.
+    The side effect is that even non-SRTP packets, as well as SRTP packets with
+    an invalid encryption, are passed through, as no verification of the SRTP
+    encryption takes place. This can have security implications, as then any
+    and all media packets are considered for endpoint learning purposes,
+    regardless of whether they have an intact SRTP authentication tag.
+
+    Setting this flag forces decryption and re-encryption of all SRTP packets,
+    validating the authentication tag in the process, and discarding packets
+    without a valid tag.
+
 * `reject ICE`
 
 	Useful for `offer` messages that advertise support for ICE.

include/call.h

@@ -214,6 +214,7 @@ enum {
  */
 #define MEDIA_FLAG_REAL_SENDONLY		(1LL << 35)
 #define MEDIA_FLAG_SELECT_PT			(1LL << 36)
+#define MEDIA_FLAG_RECRYPT			(1LL << 37)
 
 /* struct call_monologue */
 #define ML_FLAG_REC_FORWARDING			(1LL << 16)

include/call_interfaces.h

@@ -274,6 +274,7 @@ RTPE_NG_FLAGS_STR_CASE_HT_PARAMS
 	             sdes_static:1,
 	             sdes_nonew:1,
 	             sdes_prefer:1,
+		     recrypt:1,
 	             drop_traffic_start:1,
 	             drop_traffic_stop:1,
 	             passthrough_on:1,