[asterisk-bugs] [JIRA] (ASTERISK-29128) res_srtp: Authentication failure after hold/unhold

Alexander Traud (JIRA) noreply at issues.asterisk.org
Wed Dec 16 07:40:17 CST 2020 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-29128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=253117#comment-253117 ] 

Alexander Traud commented on ASTERISK-29128:
--------------------------------------------

No need to answer my questions because I was able to reproduce the issue with my production system (Asterisk 13.38.0/chan_sip, libSRTP 2.3.0, Snom 10.1.64.14). Thank you for reporting this issue! The trick is, the Snom must be called. Snom accepts either authentication-tag length but puts the call on hold with the configured tag length. If those tag lengths differ, Asterisk gets ‘confused’.

At least, we have two possible workarounds. Now, I am investigating if such a mid-call tag-length-change-with-the-same-crypto-key is ‘allowed’ by RFCs. Even if not, the next step is to determine whether this can be ‘accepted’ by Asterisk. By the way, the latter is not that easy as it sounds either because there might be scenarios (sRTP-ROC larger than zero) in which this scenario might have worked never. In any case, I am going to file a feature request with Snom not to change the tag-length mid-call.

> res_srtp: Authentication failure after hold/unhold
> --------------------------------------------------
>
>                 Key: ASTERISK-29128
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29128
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_srtp
>    Affects Versions: 16.13.0
>            Reporter: laszlovl
>         Attachments: filtered.log, snom-srtp-debug-filtered.log
>
>
> As simple as the title indicates. Put an SRTP call on hold, unhold it, and Asterisk starts logging "SRTP unprotect failed on SSRC 1509410849 because of authentication failure" afterwards. No more audio is transmitted.
> Traced the problem to commit https://github.com/asterisk/asterisk/commit/c00b032bbfc14f40537989477229f189a1b529d7 (ASTERISK-28903), without it everything works fine.
> Asterisk 16.13, libsrtp 1.5.4.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list