[prev in list] [next in list] [prev in thread] [next in thread] 

List:       asterisk-dev
Subject:    [asterisk-dev] [BOUNTY] offered : Allow 256 bit SRTP cipher suites
From:       Kevin Long <kevin.long () haloprivacy ! com>
Date:       2016-06-07 18:19:34
Message-ID: DFFB3CCE-DDA3-4F38-AB1C-4E5412FE3EC9 () haloprivacy ! com
[Download RAW message or body]


Greetings,


Some modern SIP apps and even some SIP desk phones allow the use of stronger SRTP \
cipher suites than Asterisk currently allows.

In res_srtp.c ,  there is a switch/case statement which looks like it simply rejects \
calls asking for cipher suites for SRTP,  besides two AES-128 suites implemented long \
ago.


libsrtp supports the stronger cipher suites already, so I *believe* only Asterisk \
source code needs minor changes.



When I attempt to enable a stronger SRTP cipher suite in my SIP phone (Groundwire SIP \
app) I get the the error message "Invalid crypto suite" in my Asterisk log (see \
existing code snippet from asterisk below)




Desired cipher suites:
> > AES_CM_256_HMAC_SHA1_32
> > AES_CM_256_HMAC_SHA1_80



Please contact me back via the list or at my email directly if interested in picking \
up this work.  We will need to discuss how this works with chan_sip  vs pjsip  etc.






static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
{
      switch (suite) {
      case AST_AES_CM_128_HMAC_SHA1_80:
              p->cipher_type = AES_128_ICM;
              p->cipher_key_len = 30;
              p->auth_type = HMAC_SHA1;
              p->auth_key_len = 20;
              p->auth_tag_len = 10;
              p->sec_serv = sec_serv_conf_and_auth;
              return 0;

      case AST_AES_CM_128_HMAC_SHA1_32:
              p->cipher_type = AES_128_ICM;
              p->cipher_key_len = 30;
              p->auth_type = HMAC_SHA1;
              p->auth_key_len = 20;
              p->auth_tag_len = 4;
              p->sec_serv = sec_serv_conf_and_auth;
              return 0;

      default:
              ast_log(LOG_ERROR, "Invalid crypto suite: %u\n", suite);



Thank you,

Kevin Long




-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic