[asterisk-bugs] [JIRA] (ASTERISK-30343) res_crypto: ast_sign_bin fails

Tue Dec 13 11:57:52 CST 2022

    [ https://issues.asterisk.org/jira/browse/ASTERISK-30343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=260901#comment-260901 ] 

Michael Newton commented on ASTERISK-30343:
-------------------------------------------

Any dundi commands that involve talking with another peer trigger the issue. I'm on Alma Linux 9, currently OpenSSL 3.0.1.43. The keys were generated years ago, but I expect they were done with the standard astkeygen script.

Here's the key
{noformat}
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC/EIbx93PN/VbNY98Kbg8wEmkB9pjPAZFognaSK23bO30i8cme
R29U58oqi1Dn+MOfvHzWUo2uez4rAVbO0lUDKSDZZIzYPVwbzMkNtyy2Ej36ySb0
m/WGvMCpEprbUYs4jY/Q1KM5o74Qv2Aywy032Q3UWh9cMmsdWZ046ndPBwIDAQAB
AoGAXaRD/yNAZpzbhh6EmiAG4ZCkVon9qrciBQ6r/ke6t9AYLKBEKIbqUbqoouFU
7dxGRGuk44XiWrmcZodpfEQp1WGIdtrWlZ7NOIp5kA5FO9uUcX5hfCxZH9h68j1L
cdNgb3tZDLjBMT6oipxEyEOcxjvkIaIL11zyx0SqCndoxUECQQDrK39wiUnYjDQW
1fEPjrRX/zk7kOWKa5Zt6fj5BqctmHHhDD7hyFAwVwcOeSmQZm2yPoakLXBrQPCi
v0kdoEvDAkEAz/zvktzZhmQ33FEjmyRFLhimfvYP+nqaSB8ZPV4DkGM6PgMXYsWp
4eLJowHoKsQpJmiKbPV6+on5Q4NW49TvbQJAIBGxcj42hMIxxD9ufQmfzDQwsM/E
jYi4Xcq/Oe5PU+dq+B58YLu5O65SdwXMxjVBlkHyiGbt4qJbbkYZiWG3kwJBAJnA
Ul4P0uHtLfo5JQgn7NghstsCDVfN0EVmb+MUn6/aGpEC+gOzOV1ZqFNPMpCCyCSz
fTkE0y9oVZLaAZ6Up5UCQQCwFq9xZ+Co0xCN4r8hvY3DCUIYK8GwyqJZno4w975E
tiWZkGKsuJpHPUJAGzs/t9s7h73/oXybE77YLtqHTy3/
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/EIbx93PN/VbNY98Kbg8wEmkB
9pjPAZFognaSK23bO30i8cmeR29U58oqi1Dn+MOfvHzWUo2uez4rAVbO0lUDKSDZ
ZIzYPVwbzMkNtyy2Ej36ySb0m/WGvMCpEprbUYs4jY/Q1KM5o74Qv2Aywy032Q3U
Wh9cMmsdWZ046ndPBwIDAQAB
-----END PUBLIC KEY-----
{noformat}

And the config. Pretty basic; we've patched dundi in a very rudimentary way so it works with pjsip, but that didn't involve any changes to the crypto code at all.
{noformat}
[general]
organization=Example Inc.
locality=Toronto
stateprov=ON
country=CA
email=info at example.com
phone=+18445551212

bindaddr = 10.10.241.120
port = 4520
tos = ef 
cachetime = 1800
ttl = 1
autokill = yes
secretpath = gateway
storehistory = yes

[mappings]
; how we answer queries from the PBXs
; context => ast context,weight,tech,destination,option,option...
outbound => outbound-dundi-lookup,5,PJSIP,${NUMBER}@Gateway_1,nopartial

[dundi-default](!)
; template for PBX entries
qualify=yes
model=symmetric
order=primary
inkey=pbx
outkey=gateway
permit=all
include=all

[00:50:56:ae:26:74](dundi-default)
host=10.10.241.21
{noformat}

> res_crypto: ast_sign_bin fails
> ------------------------------
>
>                 Key: ASTERISK-30343
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-30343
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_crypto
>    Affects Versions: 16.29.0, 18.15.1, 20.0.1
>         Environment: Alma Linux 9.1
>            Reporter: Michael Newton
>            Assignee: Michael Newton
>            Severity: Major
>
> After upgrade from 16.28 to 16.29 our dundi queries stopped working with this error output:
> {noformat}
> WARNING[100840]: res_crypto.c:384 ast_sign_bin: RSA Signature (key gateway) failed -1
> NOTICE[100840]: pbx_dundi.c:1366 update_key: Failed to sign key (-1)!
> NOTICE[100840]: pbx_dundi.c:3376 dundi_send: Failed to send packet to '00:50:56:ae:13:23'
> {noformat}
> This appears to be a regression resulting from changes in ASTERISK-30046.

--
This message was sent by Atlassian JIRA
(v6.2#6252)