[asterisk-dev] [Code Review] Allow Setting Auth Tag Bit length and make SRTP optional chan_sip

Olle E Johansson reviewboard at asterisk.org
Fri Aug 26 10:10:01 CDT 2011


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1173/#review4142
-----------------------------------------------------------


First, I don't like to have a security setting that may downgrade a connection. That has to be controlled by the dial plan and not just happen hidden in the code. So the "try" option should go away in my opinion. Secondly, don't overload configuration options with two settings in one option, separate them. It's not extensible in the future and very confusing to teach people. /O

- Olle E


On July 24, 2011, 6:45 a.m., irroot wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/1173/
> -----------------------------------------------------------
> 
> (Updated July 24, 2011, 6:45 a.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Summary
> -------
> 
> change the encruption option to tristate with optional bit setting
> also make this a global option.
> 
> qwell sugests a second option for bitlen have no problem with that.
> 
> 4.1 Crypto-suites 
>     
>    A crypto-suite value appears as the first parameter in a=crypto. The 
>    CRYPTO-SUITE value MAY be different for SRTP and SRTCP as described 
>    in Section 4.2. If a receiver does not support the particular 
>    crypto-suite, then the receiver MUST NOT participate in the media 
>    stream and SHOULD log an "unrecognized crypto-suite" condition 
>    unless the receiver is participating in an Offer/Answer exchange 
>    (Section 5).  RTP/SAVP has four crypto-suites as described below. 
>     
> 4.1.1 AES_CM_128_HMAC_SHA1_80 
>     
>    This is the SRTP default AES Counter Mode cipher and HMAC-SHA1 
>    message authentication having a 80-bit authentication tag.  The 
>    encryption and authentication key lengths are 128 bits.  The master 
>    salt value is 112 bits and the session salt value is 112 bits.  The 
>    PRF is the default SRTP pseudo-random function that uses AES Counter 
>    Mode with a 128-bit key length.   
>  
> 4.1.2 AES_CM_128_HMAC_SHA1_32 
>     
>    The SRTP AES Counter Mode cipher is used with HMAC-SHA1 message 
>    authentication having an 32-bit authentication tag.  The encryption 
>    and authentication key lengths are 128 bits.  The master salt value 
>    is 112 bits and the session salt value is 112 bits.  These values 
>    apply to SRTP and to SRTCP.  The PRF is the default SRTP pseudo-
>    random function that uses AES Counter Mode with a 128-bit key 
>    length.  
>  
> 4.1.3 F8_128_HMAC_SHA1_80 
>     
>    The SRTP f8 cipher is used with HMAC-SHA1 message authentication 
>    having a 80-bit authentication tag.  The encryption and 
>    authentication key lengths are 128 bits.  The master salt value is 
>    112 bits and the session salt value is 112 bits.  The PRF is the 
>    default SRTP pseudo-random function that uses AES Counter Mode with 
>    a 128-bit key length.  
>     
> 4.1.4 F8_128_HMAC_SHA1_32 
>     
>    The SRTP f8 cipher is used with HMAC-SHA1 message authentication 
>    having a 32-bit authentication tag.  The encryption and  
>    authentication key lengths are 128 bits.  The master salt value is 
>    112 bits and the session salt value is 112 bits.  The PRF is the 
>    default SRTP pseudo-random function that uses AES Counter Mode with 
>    a 128-bit key length.  
> 
> 
> This addresses bug 19335.
>     https://issues.asterisk.org/jira/browse/19335
> 
> 
> Diffs
> -----
> 
>   /trunk/channels/sip/include/sdp_crypto.h 329388 
>   /trunk/channels/sip/include/sip.h 329388 
>   /trunk/channels/sip/include/srtp.h 329388 
>   /trunk/channels/sip/sdp_crypto.c 329388 
>   /trunk/CHANGES 329388 
>   /trunk/channels/chan_sip.c 329388 
>   /trunk/configs/sip.conf.sample 329388 
> 
> Diff: https://reviewboard.asterisk.org/r/1173/diff
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> irroot
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20110826/94709e91/attachment.htm>


More information about the asterisk-dev mailing list