SIP:calls_sdp_crypto_context_generate_answer() accept the first supported a=crypto: line

According to RFC 4568 SDP - Security Descriptions for Media Streams - Generating the Initial Offer - Unicast Streams:

The ordering of multiple "a=crypto" lines is significant: the most preferred crypto line is listed first. Each crypto attribute describes the crypto-suite, key(s), and possibly session parameters offered for the media stream. In general, a "more preferred" crypto-suite SHOULD be cryptographically stronger than a "less preferred" crypto-suite.

Next section 5.1.2 Generating the Initial Answer - Unicast Streams says:

When selecting one of the valid crypto attributes, the answerer SHOULD select the most preferred crypto attribute it can support, i.e., the first valid supported crypto attribute in the list, according to the answerer's capabilities and security policies.

The current code selected, for the answer, the last supported a=crypto offered by the caller.

Moreover, for each ignored and supported a=crypto, gnome-calls created a memory leak (the value returned by calls_srtp_crypto_attribute_new() was not freed).
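The selection rule from RFC 4568 section 5.1.2, together with the ownership rule the leak broke, as an added example that is not gnome-calls code. `CryptoAttr`, `attr_parse`, `attr_free`, `select_answer`, the supported-suite list and the sample offer are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical answerer policy (both suites are defined in RFC 4568). */
static const char *const SUPPORTED[] = {
    "AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", NULL };
static int live_attrs; /* parsed attributes not yet freed (leak check) */
typedef struct { int tag; char suite[64]; } CryptoAttr; /* hypothetical type */

/* Parse "a=crypto:<tag> <suite> inline:<key>"; NULL if malformed. */
static CryptoAttr *attr_parse(const char *line) {
    CryptoAttr *a = calloc(1, sizeof *a);
    int end = 0; /* set by %n only when "inline:" was matched */
    if (!a) return NULL;
    if (sscanf(line, "a=crypto:%d %63s inline:%n", &a->tag, a->suite, &end) != 2
        || end == 0 || line[end] == '\0') { free(a); return NULL; }
    live_attrs++;
    return a;
}
static void attr_free(CryptoAttr *a) { if (a) { live_attrs--; free(a); } }

static int attr_supported(const CryptoAttr *a) {
    for (size_t i = 0; SUPPORTED[i]; i++)
        if (strcmp(a->suite, SUPPORTED[i]) == 0) return 1;
    return 0;
}

/* Answer with the first supported attribute in offer order (RFC 4568 5.1.2).
 * Returns an attribute the caller must attr_free(), or NULL if none fits. */
CryptoAttr *select_answer(const char *const *offer, size_t n) {
    for (size_t i = 0; i < n; i++) {
        CryptoAttr *a = attr_parse(offer[i]);
        if (a && attr_supported(a))
            return a;  /* stop here: later lines are less preferred */
        attr_free(a);  /* every rejected attribute is released */
    }
    return NULL;
}

/* Constructed sample offer: most preferred first, keys are placeholders. */
static const char *const SAMPLE_OFFER[] = {
    "a=crypto:1 AEAD_AES_256_GCM inline:CONSTRUCTED-KEY-A",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-B",
    "a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:CONSTRUCTED-KEY-C" };

int main(void) {
    CryptoAttr *a = select_answer(SAMPLE_OFFER, 3);
    printf("tag=%d live=%d\n", a ? a->tag : -1, live_attrs);
    attr_free(a); return 0; }
```

With this sample offer, a loop that kept the last supported match would answer with tag 3, the suite with the shorter authentication tag, which is the downgrade the ordering rule is meant to prevent.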
