[asterisk-users] Need stronger SRTP ciphers (256 bit)

Kevin Long kevin.long at haloprivacy.com
Tue May 31 00:53:43 CDT 2016



Some more information (would love some thoughts on this, I have never submitted a patch yet).

Groundwire (Popular SIP app) supports the following cipher suites for SRTP:


AES_CM_128_HMAC_SHA1_32
AES_CM_128_HMAC_SHA1_80
AES_CM_192_HMAC_SHA1_32
AES_CM_192_HMAC_SHA1_80
AES_CM_256_HMAC_SHA1_32
AES_CM_256_HMAC_SHA1_80
AEAD_AES_128_GCM
AEAD_AES_256_GCM



I see in the Asterisk 13.9.1 source tarball, in res/res_srtp.c:


Could adding support for the above cipher suites be as simple as adding more options to this switch/case statement with the appropriate parameters, or is there more to it?

Thank you!



static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
{
        switch (suite) {
        case AST_AES_CM_128_HMAC_SHA1_80:
                p->cipher_type = AES_128_ICM;
                p->cipher_key_len = 30;
                p->auth_type = HMAC_SHA1;
                p->auth_key_len = 20;
                p->auth_tag_len = 10;
                p->sec_serv = sec_serv_conf_and_auth;
                return 0;

        case AST_AES_CM_128_HMAC_SHA1_32:
                p->cipher_type = AES_128_ICM;
                p->cipher_key_len = 30;
                p->auth_type = HMAC_SHA1;
                p->auth_key_len = 20;
                p->auth_tag_len = 4;
                p->sec_serv = sec_serv_conf_and_auth;
                return 0;

        default:
                ast_log(LOG_ERROR, "Invalid crypto suite: %u\n", suite);
                return -1;
        }
}

> On May 30, 2016, at 11:49 AM, Kevin Long <kevin.long at haloprivacy.com> wrote:
> 
> 
> 
> Hi folks,
> 
> 
> At least several endpoints (soft phones and desk phones) are supporting various 256 bit ciphers for SRTP these days. I *believe* libsrtp has been updated to allow this, and that only the code in Asterisk has not been updated to allow these stronger ciphers.
> 
> Would anyone with the know-how be willing/able to submit a patch ?
> 
> 
> Thank you, 
> 
> Kevin Long
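
Added example (not part of the original post, and not Asterisk or libsrtp code): the key-material sizes each suite in the list above requires, with a check that an SDES `a=crypto` line carries key material of the matching size. The struct, the function names and the `a=crypto` input format are assumptions of this example; suite names are spelled as in the post, and sizes follow RFC 4568, RFC 6188 and RFC 7714.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table, sizes in octets. "keying" is master key + master salt,
 * which is what cipher_key_len = 30 (16 + 14) holds in the quoted function.
 * AEAD (GCM) suites have no separate HMAC key, so auth_key is 0. */
struct suite_params { const char *name; size_t keying, auth_key, tag; };

static const struct suite_params suites[] = {
    { "AES_CM_128_HMAC_SHA1_32", 16 + 14, 20,  4 },
    { "AES_CM_128_HMAC_SHA1_80", 16 + 14, 20, 10 },
    { "AES_CM_192_HMAC_SHA1_32", 24 + 14, 20,  4 },
    { "AES_CM_192_HMAC_SHA1_80", 24 + 14, 20, 10 },
    { "AES_CM_256_HMAC_SHA1_32", 32 + 14, 20,  4 },
    { "AES_CM_256_HMAC_SHA1_80", 32 + 14, 20, 10 },
    { "AEAD_AES_128_GCM",        16 + 12,  0, 16 },
    { "AEAD_AES_256_GCM",        32 + 12,  0, 16 },
};

const struct suite_params *suite_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(suites) / sizeof(suites[0]); i++)
        if (strcmp(suites[i].name, name) == 0)
            return &suites[i];
    return NULL;
}

/* Decoded size of padded base64 text of length n; 0 if n is not a multiple of 4. */
static size_t b64_decoded_len(const char *s, size_t n)
{
    if (n == 0 || n % 4 != 0)
        return 0;
    return n / 4 * 3 - (s[n - 1] == '=') - (s[n - 2] == '=');
}

/* Check "a=crypto:<tag> <suite> inline:<base64>[|params]". Returns 0 if OK,
 * -1 for a malformed line or unknown suite, -2 for a key size mismatch. */
int check_crypto_line(const char *line)
{
    char suite[40], key[128];
    int tag;
    if (sscanf(line, "a=crypto:%d %39s inline:%127[^| \r\n]", &tag, suite, key) != 3)
        return -1;
    const struct suite_params *p = suite_lookup(suite);
    if (!p)
        return -1;
    return b64_decoded_len(key, strlen(key)) == p->keying ? 0 : -2;
}
```

RFC 6188 registers the 192- and 256-bit counter-mode suites as AES_192_CM_HMAC_SHA1_* and AES_256_CM_HMAC_SHA1_*, so a parser may need to accept both spellings.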



