Hi folks,

At least several endpoints (soft phone and desk phones) are supporting various 256 bit ciphers for SRTP these days. I *believe* libsrtp has been updated to allow this, and that only the code in Asterisk has not been updated to allow these stronger ciphers.

Would anyone with the know-how be willing/able to submit a patch?

Thank you,
Kevin Long

Some more information (would love some thoughts on this, I have never submitted
a patch yet).
Groundwire (Popular SIP app) supports the following cipher suites for SRTP:
AES_CM_128_HMAC_SHA1_32
AES_CM_128_HMAC_SHA1_80
AES_CM_192_HMAC_SHA1_32
AES_CM_192_HMAC_SHA1_80
AES_CM_256_HMAC_SHA1_32
AES_CM_256_HMAC_SHA1_80
AEAD_AES_128_GCM
AEAD_AES_256_GCM
I see in the asterisk 13.9.1 source tarball, in res/res_srtp.c :
Could adding support for the above cipher suites be as simple as adding more
options to this switch/case statement with the appropriate parameters or is
there more to it?
Thank you!
static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
{
	switch (suite) {
	case AST_AES_CM_128_HMAC_SHA1_80:
		p->cipher_type = AES_128_ICM;
		p->cipher_key_len = 30;
		p->auth_type = HMAC_SHA1;
		p->auth_key_len = 20;
		p->auth_tag_len = 10;
		p->sec_serv = sec_serv_conf_and_auth;
		return 0;
	case AST_AES_CM_128_HMAC_SHA1_32:
		p->cipher_type = AES_128_ICM;
		p->cipher_key_len = 30;
		p->auth_type = HMAC_SHA1;
		p->auth_key_len = 20;
		p->auth_tag_len = 4;
		p->sec_serv = sec_serv_conf_and_auth;
		return 0;
	default:
		ast_log(LOG_ERROR, "Invalid crypto suite: %u\n", suite);

> On May 30, 2016, at 11:49 AM, Kevin Long <kevin.long at haloprivacy.com> wrote:
>
> Hi folks,
>
> At least several endpoints (soft phone and desk phones) are supporting
> various 256 bit ciphers for SRTP these days. I *believe* libsrtp has been
> updated to allow this, and that only the code in Asterisk has not been
> updated to allow these stronger ciphers.
>
> Would anyone with the know-how be willing/able to submit a patch?
>
> Thank you,
>
> Kevin Long

Kevin Long wrote:
> Some more information (would love some thoughts on this, I have never
> submitted a patch yet).
>
> Groundwire (Popular SIP app) supports the following cipher suites for
> SRTP:
>
> AES_CM_128_HMAC_SHA1_32
> AES_CM_128_HMAC_SHA1_80
> AES_CM_192_HMAC_SHA1_32
> AES_CM_192_HMAC_SHA1_80
> AES_CM_256_HMAC_SHA1_32
> AES_CM_256_HMAC_SHA1_80
> AEAD_AES_128_GCM
> AEAD_AES_256_GCM
>
> I see in the asterisk 13.9.1 source tarball, in res/res_srtp.c :
>
> Could adding support for the above cipher suites be as simple as
> adding more options to this switch/case statement with the
> appropriate parameters or is there more to it?
>
> Thank you!
>
> static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
> {
> 	switch (suite) {
> 	case AST_AES_CM_128_HMAC_SHA1_80:
> 		p->cipher_type = AES_128_ICM;
> 		p->cipher_key_len = 30;
> 		p->auth_type = HMAC_SHA1;
> 		p->auth_key_len = 20;
> 		p->auth_tag_len = 10;
> 		p->sec_serv = sec_serv_conf_and_auth;
> 		return 0;
>
> 	case AST_AES_CM_128_HMAC_SHA1_32:
> 		p->cipher_type = AES_128_ICM;
> 		p->cipher_key_len = 30;
> 		p->auth_type = HMAC_SHA1;
> 		p->auth_key_len = 20;
> 		p->auth_tag_len = 4;
> 		p->sec_serv = sec_serv_conf_and_auth;
> 		return 0;
>
> 	default:
> 		ast_log(LOG_ERROR, "Invalid crypto suite: %u\n", suite);

It could maybe be as simple as that, but until it is attempted it's unknown what other stuff may need to be adjusted.

Cheers,

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
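
One concrete piece of the "is there more to it?" question, as an added example that is not Asterisk or libsrtp code: the `cipher_key_len = 30` in the existing cases is the 16-byte AES-128 key plus the 14-byte salt, and the other suites in the list change that total, so any code that accepts keying material has to check its length per suite. The C below assumes keys arrive in an SDES `a=crypto` line (RFC 4568); the struct and function names are hypothetical, the suite names are spelled as in the post, and the lengths come from RFC 4568, RFC 6188 and RFC 7714.

```c
#include <stdio.h>
#include <string.h>

/* Lengths in bytes, from RFC 4568, RFC 6188 and RFC 7714. Names here are
 * hypothetical and are not Asterisk or libsrtp identifiers. */
struct suite_params { const char *name; size_t key_len, salt_len, tag_len; };

static const struct suite_params SUITES[] = {
    { "AES_CM_128_HMAC_SHA1_80", 16, 14, 10 },
    { "AES_CM_128_HMAC_SHA1_32", 16, 14,  4 },
    { "AES_CM_192_HMAC_SHA1_80", 24, 14, 10 },
    { "AES_CM_192_HMAC_SHA1_32", 24, 14,  4 },
    { "AES_CM_256_HMAC_SHA1_80", 32, 14, 10 },
    { "AES_CM_256_HMAC_SHA1_32", 32, 14,  4 },
    { "AEAD_AES_128_GCM",        16, 12, 16 },
    { "AEAD_AES_256_GCM",        32, 12, 16 },
};

/* Decoded size of n base64 characters (padding optional), 0 if malformed. */
static size_t b64_decoded_len(const char *s, size_t n)
{
    static const char alpha[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i;
    while (n > 0 && s[n - 1] == '=') n--;     /* drop trailing padding */
    if (n % 4 == 1) return 0;                 /* impossible base64 length */
    for (i = 0; i < n; i++)
        if (!strchr(alpha, s[i]))
            return 0;
    return n / 4 * 3 + (n % 4 ? n % 4 - 1 : 0);
}

/* Validate "a=crypto:<tag> <suite> inline:<base64 key||salt>[|...]". Returns the
 * auth tag length, -1 unknown suite, -2 malformed line, -3 wrong key||salt size. */
int check_crypto_attr(const char *line)
{
    char suite[40];
    int off = 0;
    size_t i, have;
    if (sscanf(line, "a=crypto:%*u %39s inline:%n", suite, &off) != 1 || !off)
        return -2;
    have = b64_decoded_len(line + off, strcspn(line + off, "| \t\r\n"));
    for (i = 0; i < sizeof(SUITES) / sizeof(SUITES[0]); i++)
        if (strcmp(suite, SUITES[i].name) == 0)
            return have == SUITES[i].key_len + SUITES[i].salt_len
                       ? (int)SUITES[i].tag_len : -3;
    return -1;
}
```

A 30-byte key that is valid for the two existing cases is rejected here for a 256-bit suite, which needs 46 bytes (44 for AEAD_AES_256_GCM).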