[asterisk-bugs] [JIRA] (ASTERISK-24291) res_srtp module stops working after about 35.000 processed calls

Hiroaki Komatsu (JIRA) noreply at issues.asterisk.org
Wed Oct 15 20:59:30 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223045#comment-223045 ] 

Hiroaki Komatsu commented on ASTERISK-24291:
--------------------------------------------

Similar problems have occurred in my environment.

◎Environment
・OS
 CentOS 6.5 64bit
・asterisk version
 certified-asterisk-11.2-cert1
・srtp library version
 srtp-1.4.2
 
◎How to reproduce
・Our UAC connects to Asterisk using TLS/SRTP.
 Asterisk can process this offer at first, but once Asterisk has processed over
 17,000 calls (we checked with 'core show channels'),
 Asterisk responds with the return code 488, and the call invoked by the UAC fails.
 But other (unencrypted) RTP connections are still working.

 When this happens, one asterisk machine shows:
 {noformat}
 [2014-10-09 01:51:11] WARNING[19056][C-00004422] chan_sip.c: No SRTP key management enabled
 [2014-10-09 01:51:11] WARNING[1533][C-00004423] chan_sip.c: Can't provide secure audio requested in SDP offer
 {noformat}
 
 {noformat}
 CLI>core show channels
 Channel              Location             State   Application(Data)
 0 active channels
 0 of 500 max active calls ( 0.00% of capacity)
 17415 calls processed
 {noformat}
 
◎analysis
・After adding logs to the srtp library and Asterisk to investigate the problem areas,
 we found that errors occurred in the following code path of the srtp library.
 {code:title=srtp/crypto/cipher/aes_icm.c|borderStyle=solid}
  err_status_t
  aes_icm_encrypt_ismacryp(aes_icm_ctx_t *c,
               unsigned char *buf, unsigned int *enc_len,
               int forIsmacryp) {
  ・
  ・
   /* check that there's enough segment left but not for ismacryp*/
  if (!forIsmacryp && (bytes_to_encr + htons(c->counter.v16[7])) > 0xffff)
    return err_status_terminus;
  {code}
 As a result, the following processing within the sdp_crypto_setup function
 in Asterisk returns NULL,
 which produced the error output above.
 {code:title=certified-asterisk-11.2-cert1/channels/sip/sdp_crypto.c|borderStyle=solid}
  struct sdp_crypto *sdp_crypto_setup(void)
  {
  ・
  ・
    if (res_srtp->get_random(p->local_key, sizeof(p->local_key)) < 0) {
      sdp_crypto_destroy(p);
      return NULL;
    }
  {code}
I think the buffer area of the encryption key has been depleted.
But we do not know whether the cause is in the library or in Asterisk.
I am currently checking when the buffer is released and the buffer release function.
Please share any information you have.

> res_srtp module stops working after about 35.000 processed calls
> ----------------------------------------------------------------
>
>                 Key: ASTERISK-24291
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24291
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Resources/res_srtp
>    Affects Versions: 1.8.23.1, 11.11.0, 11.12.0
>         Environment: Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-34-generic x86_64) running on HP DL360 G6/7, latest  libsrtp0 version 1.4.4+20100615~dfsg-1build, SIP only environment
>            Reporter: Robert Hirschmann
>            Assignee: Robert Hirschmann
>            Severity: Critical
>         Attachments: issue_24291_full_log.14.txt
>
>
> When using encryption for RTP streams, asterisk does not accept any calls after about 35k calls (reproducible) have been processed correctly.
> All further inbound and outbound calls are rejected with a 
> "488 - Not Acceptable Here".
> When this happens, one asterisk machine shows:
> {noformat}
> [2014-08-29 17:32:23.807] DEBUG[28500][C-00009387]: chan_sip.c:10530 process_sdp: Processing media-level (audio) SDP a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:cYswzW2zYpdgsVkKgQWvdbUSLedzlE8nByMqEYiI... UNSUPPORTED OR FAILED.
> [2014-08-29 17:32:23.807] WARNING[28500][C-00009387]: chan_sip.c:10535 process_sdp: Rejecting secure audio stream without encryption details: audio 11070 RTP/SAVP 8 0 101
> {noformat}
> the destination asterisk shows:
> {noformat}
> WARNING[10222][C-0000883a]: chan_sip.c:12925 get_crypto_attrib: No SRTP key management enabled
> {noformat}
> Active srtp calls are not affected when this issue occurs, but all further Invites are rejected with the 488 response, so no more calls can be processed.
> The only solution at the moment is to restart asterisk or to wait until no more SRTP calls are active and then unload res_srtp.so followed by loading the module again.
> add info:
> - problem occurs regardless of using SIP over TLS or SIP without TLS
> - other (unencrypted) RTP connections are still working  
> If you need further info, just let me know.
> Thanks for checking into this!
> Robert
>     



--
This message was sent by Atlassian JIRA
(v6.2#6252)
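
A simplified model of the counter check quoted in the comment above, added here as an example (it is not code from libsrtp, Asterisk, or the commenter). It assumes the random source keeps drawing keystream from one AES-ICM context that is never reset, that the 16-bit counter advances once per 16-byte block, and that each request is 30 bytes (a 128-bit master key plus 112-bit salt); `icm_model_t`, `icm_model_output` and `requests_until_terminus` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCK_LEN 16u    /* AES block size: one counter step per block */
#define KEY_REQ_LEN 30u  /* assumed request size: 16-byte key + 14-byte salt */

/* Hypothetical stand-in for the cipher context; not libsrtp's struct. */
typedef struct {
    uint16_t block_ctr;       /* models counter.v16[7], host byte order */
    unsigned bytes_in_buffer; /* keystream left over from the last block */
} icm_model_t;

/* Returns 0 on success, -1 where the quoted check would return
 * err_status_terminus. */
static int icm_model_output(icm_model_t *c, unsigned len)
{
    if ((uint32_t)len + c->block_ctr > 0xffff)  /* check quoted above */
        return -1;
    if (len <= c->bytes_in_buffer) {            /* served from leftovers */
        c->bytes_in_buffer -= len;
        return 0;
    }
    len -= c->bytes_in_buffer;
    unsigned blocks = (len + BLOCK_LEN - 1) / BLOCK_LEN;
    c->block_ctr = (uint16_t)(c->block_ctr + blocks);
    c->bytes_in_buffer = blocks * BLOCK_LEN - len;
    return 0;
}

/* Number of requests served before the first failure when the context
 * is never re-keyed or reset. */
unsigned long requests_until_terminus(unsigned req_len)
{
    icm_model_t c = {0, 0};
    unsigned long n = 0;
    if (req_len == 0)
        return 0;                               /* nothing is consumed */
    while (icm_model_output(&c, req_len) == 0)
        n++;
    return n;
}

int main(void)
{
    unsigned long n = requests_until_terminus(KEY_REQ_LEN);
    printf("30-byte requests before failure: %lu\n", n);
    printf("calls if each call draws two keys (assumption): %lu\n", n / 2);
    return 0;
}
```

Under these assumptions the model fails after 34,937 requests, the same order as the roughly 35,000 calls in the original report.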


