From 0316fdfcf1d2a72d1bad5dc9646371159173f93f Mon Sep 17 00:00:00 2001 From: Corey Burke <corey@switch.co> Date: Fri, 2 Oct 2015 06:56:51 -0700 Subject: [PATCH] FS-8281: Expose SRTP and SRTCP crypto keys as channel vars New vars are srtp_{local,remote}_crypto_key and srtcp_{local,remote}_crypto_key. Allows decrypting packet captured media streams for debugging. --- conf/vanilla/autoload_configs/switch.conf.xml | 6 +++++ src/switch_core.c | 8 ++++++- src/switch_rtp.c | 22 +++++++++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/conf/vanilla/autoload_configs/switch.conf.xml b/conf/vanilla/autoload_configs/switch.conf.xml index 4ffe878563..345a16c19e 100644 --- a/conf/vanilla/autoload_configs/switch.conf.xml +++ b/conf/vanilla/autoload_configs/switch.conf.xml @@ -152,6 +152,12 @@ <param name="rtp-enable-zrtp" value="false"/> + <!-- + Store encryption keys for secure media in channel variables and call CDRs. Default: false. + WARNING: If true, anyone with CDR access can decrypt secure media! + --> + <!-- <param name="rtp-retain-crypto-keys" value="true"/> --> + <!-- <param name="core-db-dsn" value="pgsql://hostaddr=127.0.0.1 dbname=freeswitch user=freeswitch password='' options='-c client_min_messages=NOTICE'" /> --> <!-- <param name="core-db-dsn" value="dsn:username:password" /> --> <!-- diff --git a/src/switch_core.c b/src/switch_core.c index e0c800e2bf..e0715289ca 100644 --- a/src/switch_core.c +++ b/src/switch_core.c 
@@ -2229,9 +2229,15 @@ static void switch_load_core_config(const char *file)
 } else if (!strcasecmp(var, "rtp-enable-zrtp")) {
 switch_core_set_variable("zrtp_enabled", val);
 #endif
- } else if (!strcasecmp(var, "switchname") && !zstr(val)) {
+ } else if (!strcasecmp(var, "switchname") && !zstr(val)) {
 runtime.switchname = switch_core_strdup(runtime.memory_pool, val);
 switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_NOTICE, "Set switchname to %s\n", runtime.switchname);
+ } else if (!strcasecmp(var, "rtp-retain-crypto-keys")) {
+ if (switch_true(val)) {
+ switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
+ "rtp-retain-crypto-keys enabled. Could be used to decrypt secure media.\n");
+ }
+ switch_core_set_variable("rtp_retain_crypto_keys", val);
 }
 }
 }
diff --git a/src/switch_rtp.c b/src/switch_rtp.c
index 62e48e7d1c..6550952f1b 100644
--- a/src/switch_rtp.c
+++ b/src/switch_rtp.c
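Review bot: The `switchname` branch is shown as a removed/added pair whose text is identical, so that change appears to be whitespace-only and makes the hunk look as if the `switchname` handling changed; dropping that pair would leave only the new `rtp-retain-crypto-keys` branch in the diff. The startup warning could also say what an operator is actually exposing, since the keys end up in channel variables and therefore in CDRs and events: `"rtp-retain-crypto-keys enabled. SRTP/SRTCP keys will be stored in channel variables and CDRs.\n"`. The value is stored raw and later read back through `switch_true`, which is consistent with the `switch_true(val)` test used for the warning here. switch_load_core_config starts and ends outside the hunk.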
@@ -3393,11 +3393,33 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_crypto_key(switch_rtp_t *rtp_sess switch_event_t *fsevent = NULL; int idx = 0; const char *var; + unsigned char b64_key[512] = ""; if (direction >= SWITCH_RTP_CRYPTO_MAX || keylen > SWITCH_RTP_MAX_CRYPTO_LEN) { return SWITCH_STATUS_FALSE; } + switch_b64_encode(key, keylen, b64_key, sizeof(b64_key)); + + if (switch_true(switch_core_get_variable("rtp_retain_crypto_keys"))) { + switch(direction) { + case SWITCH_RTP_CRYPTO_SEND: + switch_channel_set_variable(channel, "srtp_local_crypto_key", (const char *)b64_key); + break; + case SWITCH_RTP_CRYPTO_RECV: + switch_channel_set_variable(channel, "srtp_remote_crypto_key", (const char *)b64_key); + break; + case SWITCH_RTP_CRYPTO_SEND_RTCP: + switch_channel_set_variable(channel, "srtcp_local_crypto_key", (const char *)b64_key); + break; + case SWITCH_RTP_CRYPTO_RECV_RTCP: + switch_channel_set_variable(channel, "srtcp_remote_crypto_key", (const char *)b64_key); + break; + default: + break; + } + } + crypto_key = switch_core_alloc(rtp_session->pool, sizeof(*crypto_key)); if (direction == SWITCH_RTP_CRYPTO_RECV_RTCP) {
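Review bot: `switch_b64_encode` is called before the `rtp_retain_crypto_keys` check, so the key is base64-copied into the 512-byte stack buffer `b64_key` on every call even when the feature is off, and the buffer is never cleared afterwards. Move the encode call inside the `if (switch_true(switch_core_get_variable("rtp_retain_crypto_keys")))` block and wipe the buffer after the `switch`, e.g. `memset(b64_key, 0, sizeof(b64_key));` (a plain memset on a dead buffer may be elided by the compiler, so prefer a non-elidable clear such as `explicit_bzero` or `memset_s` where the build provides one). The encoded length is also not checked against the buffer: the code relies on `SWITCH_RTP_MAX_CRYPTO_LEN` being small enough that `4 * ((keylen + 2) / 3) + 1` fits in 512 bytes, which is worth pinning with a compile-time check next to the declaration, and the return value of `switch_b64_encode` is ignored. `channel` is used but not declared in the hunk, and switch_rtp_add_crypto_key starts and ends outside it.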