[asterisk-bugs] [JIRA] (ASTERISK-27800) One way audio when calling from Asterisk(sip trunk) to another number where both are connected to a SBC using TLS+SRTP

Artur Pires (JIRA) noreply at issues.asterisk.org
Thu Apr 12 15:12:51 CDT 2018


Artur Pires created ASTERISK-27800:
--------------------------------------

             Summary: One way audio when calling from Asterisk(sip trunk) to another number where both are connected to a SBC using TLS+SRTP
                 Key: ASTERISK-27800
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27800
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: .Release/Targets
    Affects Versions: 15.3.0
            Reporter: Artur Pires


Hi,

I'm doing some tests with Asterisk 15.3.0 (IP=10.9.0.94) connected to an SBC [which has two parties: SIP message (IP=192.168.12.18 using TLS) and Media Message (IP=192.168.12.192 using SRTP)].
SIP messaging works fine using TLS over TCP, with the key generated on Asterisk and uploaded to the SBC (SIP message).
So when I call from my extension (100 - IP=10.8.15.45) connected to Asterisk to a number (4509615003) connected to the SBC, we have one-way audio.
Basically SRTP connects to SBC media (IP=192.168.12.192). Please see the attached picture.

It looks like Asterisk is using the wrong key to encrypt traffic when it's offered the SDP.
By replaying a packet captured on the SBC (media message - SRTP) and configuring a connection, it was discovered that using the key offered to Asterisk to decrypt the traffic actually worked.
According to RFC 4568, the key provided in the SDP is used to encrypt traffic generated by the provider of the SDP.
Hence, the Asterisk device should use the key provided in the answer SDP to encrypt traffic, but our tests show it's using the key generated by the SBC (SIP message).

Please let me know if you need further details about this issue.

Remarks: 

1) Part of RFC 4568 which explains what I noticed (section 5.1.1):

   The crypto-suite always applies to media in the directions supported
   by the media stream (e.g., send and receive).  The key(s), however,
   apply to data packets (e.g., SRTP and SRTCP packets) that will be
   sent by the same party that generated the SDP.  That is, each
   endpoint determines its own transmission keys and sends those keys,
   in SDP, to the other endpoint. 

   The inline parameter conveys the SRTP master key used by an endpoint
   to encrypt the SRTP and SRTCP streams transmitted by that endpoint.
   The same key is used by the recipient to decrypt those streams.

   However, the receiver MUST NOT use that same key for the SRTP or
   SRTCP packets that it sends to the session because the default SRTP
   cipher and mode is insecure when the master key is reused across
   distinct SRTP streams.


2) Logs are attached

Thanks,
Artur
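
The key-direction rule in the RFC 4568 text quoted in this report can be checked mechanically against a captured offer/answer pair. The following is an added example, not part of the original report or of Asterisk's code; the SDP fragments and key values are constructed, and the function names are hypothetical.

```python
import base64
import re

# Constructed 30-byte key||salt values (AES_CM_128 suites); not taken from the report.
KEY_OFFER_1 = base64.b64encode(bytes(range(30))).decode()
KEY_OFFER_2 = base64.b64encode(bytes(range(50, 80))).decode()
KEY_ANSWER = base64.b64encode(bytes(range(100, 130))).decode()

# Constructed SDP fragments: the offerer proposes two suites, the answerer selects tag 1.
OFFER = ("m=audio 49170 RTP/SAVP 0\r\n"
         f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_OFFER_1}|2^31\r\n"
         f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY_OFFER_2}\r\n")
ANSWER = ("m=audio 32640 RTP/SAVP 0\r\n"
          f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_ANSWER}\r\n")

# The capture stops at '|' so lifetime and MKI parameters are not part of the key.
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)", re.M)

def parse_crypto(sdp):
    """Map crypto tag -> (suite, raw key||salt bytes) for each a=crypto line."""
    return {int(t): (s, base64.b64decode(k)) for t, s, k in CRYPTO_RE.findall(sdp)}

def transmit_keys(offer_sdp, answer_sdp):
    """Return the key each side must ENCRYPT with: the one from its own SDP."""
    offered, answered = parse_crypto(offer_sdp), parse_crypto(answer_sdp)
    if len(answered) != 1:
        raise ValueError("answer must select exactly one crypto attribute")
    tag, (suite, answer_key) = next(iter(answered.items()))
    if tag not in offered or offered[tag][0] != suite:
        raise ValueError("answer tag/suite matches no offered crypto line")
    offer_key = offered[tag][1]
    if offer_key == answer_key:
        # The quoted RFC text forbids reusing the received key for sending.
        raise ValueError("master key reused in both directions")
    return {"offerer": offer_key, "answerer": answer_key}

def diagnose(role, observed_tx_key, offer_sdp, answer_sdp):
    """Classify the key a party ('offerer' or 'answerer') was seen encrypting with."""
    keys = transmit_keys(offer_sdp, answer_sdp)
    peer = "answerer" if role == "offerer" else "offerer"
    if observed_tx_key == keys[role]:
        return "ok"
    if observed_tx_key == keys[peer]:
        return "encrypting with peer's key"
    return "unknown key"

if __name__ == "__main__":
    print(diagnose("answerer", bytes(range(30)), OFFER, ANSWER))
```

The observed key would come from whichever master key successfully decrypts a captured SRTP packet from the party under test.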


