[asterisk-dev] [Code Review] Allow Setting Auth Tag Bit length and make SRTP optional chan_sip

irroot reviewboard at asterisk.org
Thu May 26 03:00:41 CDT 2011



> On 2011-05-25 15:29:39, Tilghman Lesher wrote:
> > /trunk/channels/chan_sip.c, lines 26223-26225
> > <https://reviewboard.asterisk.org/r/1173/diff/6/?file=16640#file16640line26223>
> >
> >     This new option needs corresponding documentation in configs/sip.conf.sample.

Done.


> On 2011-05-25 15:29:39, Tilghman Lesher wrote:
> > /trunk/channels/chan_sip.c, lines 26230-26232
> > <https://reviewboard.asterisk.org/r/1173/diff/6/?file=16640#file16640line26230>
> >
> >     Document this in the config file, too.

Done


> On 2011-05-25 15:29:39, Tilghman Lesher wrote:
> > /trunk/channels/chan_sip.c, line 28908
> > <https://reviewboard.asterisk.org/r/1173/diff/6/?file=16640#file16640line28908>
> >
> >     The additional parentheses around *srtp are unnecessary (in the second case) when you're just passing the pointer.

Done


> On 2011-05-25 15:29:39, Tilghman Lesher wrote:
> > /trunk/channels/sip/sdp_crypto.c, line 289
> > <https://reviewboard.asterisk.org/r/1173/diff/6/?file=16644#file16644line289>
> >
> >     space after comma

Done


> On 2011-05-25 15:29:39, Tilghman Lesher wrote:
> > /trunk/channels/chan_sip.c, lines 11073-11079
> > <https://reviewboard.asterisk.org/r/1173/diff/6/?file=16640#file16640line11073>
> >
> >     Shouldn't you reverse these (i.e. prefer 32-bit taglen, if it's specified in the request, even if an 80-bit taglen is specified in the config file)?

SRTP_CRYPTO_TAG_XX is set on INVITE request received 
SIP_PAGE3_SRTP_TAG_32 is the config option ...

I should favor the request in response and only outbound INVITE should use the config option.

the above -

uses 80 ALWAYS in RESPONSE to INVITE when INVITE was 80
uses 32 ALWAYS in RESPONSE to INVITE when INVITE was 32
uses 80 for outbound INVITE when there is no config of 32.

Please check; I believe it is as you commented above.


- irroot


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1173/#review3622
-----------------------------------------------------------


On 2011-05-26 02:59:41, irroot wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/1173/
> -----------------------------------------------------------
> 
> (Updated 2011-05-26 02:59:41)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Summary
> -------
> 
> change the encryption option to tristate with optional bit setting
> also make this a global option.
> 
> qwell suggests a second option for bitlen have no problem with that.
> 
> 4.1 Crypto-suites 
>     
>    A crypto-suite value appears as the first parameter in a=crypto. The 
>    CRYPTO-SUITE value MAY be different for SRTP and SRTCP as described 
>    in Section 4.2. If a receiver does not support the particular 
>    crypto-suite, then the receiver MUST NOT participate in the media 
>    stream and SHOULD log an "unrecognized crypto-suite" condition 
>    unless the receiver is participating in an Offer/Answer exchange 
>    (Section 5).  RTP/SAVP has four crypto-suites as described below. 
>     
> 4.1.1 AES_CM_128_HMAC_SHA1_80 
>     
>    This is the SRTP default AES Counter Mode cipher and HMAC-SHA1 
>    message authentication having a 80-bit authentication tag.  The 
>    encryption and authentication key lengths are 128 bits.  The master 
>    salt value is 112 bits and the session salt value is 112 bits.  The 
>    PRF is the default SRTP pseudo-random function that uses AES Counter 
>    Mode with a 128-bit key length.   
>  
> 4.1.2 AES_CM_128_HMAC_SHA1_32 
>     
>    The SRTP AES Counter Mode cipher is used with HMAC-SHA1 message 
>    authentication having an 32-bit authentication tag.  The encryption 
>    and authentication key lengths are 128 bits.  The master salt value 
>    is 112 bits and the session salt value is 112 bits.  These values 
>    apply to SRTP and to SRTCP.  The PRF is the default SRTP pseudo-
>    random function that uses AES Counter Mode with a 128-bit key 
>    length.  
>  
> 4.1.3 F8_128_HMAC_SHA1_80 
>     
>    The SRTP f8 cipher is used with HMAC-SHA1 message authentication 
>    having a 80-bit authentication tag.  The encryption and 
>    authentication key lengths are 128 bits.  The master salt value is 
>    112 bits and the session salt value is 112 bits.  The PRF is the 
>    default SRTP pseudo-random function that uses AES Counter Mode with 
>    a 128-bit key length.  
>     
> 4.1.4 F8_128_HMAC_SHA1_32 
>     
>    The SRTP f8 cipher is used with HMAC-SHA1 message authentication 
>    having a 32-bit authentication tag.  The encryption and  
>    authentication key lengths are 128 bits.  The master salt value is 
>    112 bits and the session salt value is 112 bits.  The PRF is the 
>    default SRTP pseudo-random function that uses AES Counter Mode with 
>    a 128-bit key length.  
> 
> 
> This addresses bug 19335.
>     https://issues.asterisk.org/view.php?id=19335
> 
> 
> Diffs
> -----
> 
>   /trunk/CHANGES 320770 
>   /trunk/channels/chan_sip.c 320770 
>   /trunk/channels/sip/include/sdp_crypto.h 320770 
>   /trunk/channels/sip/include/sip.h 320770 
>   /trunk/channels/sip/include/srtp.h 320770 
>   /trunk/channels/sip/sdp_crypto.c 320770 
>   /trunk/configs/sip.conf.sample 320770 
> 
> Diff: https://reviewboard.asterisk.org/r/1173/diff
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> irroot
> 
>
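
The tag-length rule described in the reply above (an answer mirrors the INVITE's tag length; only an outbound INVITE uses the config option, defaulting to 80), as an added C example that is not part of the original message or of Asterisk's code. The names `crypto_line_taglen`, `choose_taglen`, `suite_name`, `cfg_tag32` and both enums are hypothetical, and the sketch assumes only the two AES_CM suites are handled, so any other suite is treated as unrecognized.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not Asterisk's API. */
enum taglen { TAG_NONE = 0, TAG_32 = 32, TAG_80 = 80 };
enum role { OUTBOUND_INVITE, ANSWER_TO_INVITE };

/* Tag length named by one "a=crypto:<tag> <suite> ..." SDP line.
 * TAG_NONE: the line does not parse, or names a suite not handled here. */
enum taglen crypto_line_taglen(const char *line)
{
    int tag;
    char suite[32];

    if (sscanf(line, "a=crypto:%d %31s", &tag, suite) != 2)
        return TAG_NONE;
    if (strcmp(suite, "AES_CM_128_HMAC_SHA1_80") == 0)
        return TAG_80;
    if (strcmp(suite, "AES_CM_128_HMAC_SHA1_32") == 0)
        return TAG_32;
    return TAG_NONE;
}

/* Tag length for our own a=crypto line. An answer mirrors what the INVITE
 * offered; only an outbound INVITE consults the configured 32-bit option.
 * TAG_NONE on an answer means no usable suite was offered, so the caller
 * must not answer that stream with SRTP. */
enum taglen choose_taglen(enum role role, enum taglen offered, int cfg_tag32)
{
    if (role == ANSWER_TO_INVITE)
        return offered;
    return cfg_tag32 ? TAG_32 : TAG_80;
}

/* Crypto-suite string for a tag length, or NULL for TAG_NONE. */
const char *suite_name(enum taglen t)
{
    return t == TAG_80 ? "AES_CM_128_HMAC_SHA1_80"
         : t == TAG_32 ? "AES_CM_128_HMAC_SHA1_32" : NULL;
}

int main(void)
{
    /* Constructed sample attribute; the key material is a placeholder. */
    const char *offer = "a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDER_KEY";
    enum taglen t = choose_taglen(ANSWER_TO_INVITE, crypto_line_taglen(offer), 0);

    printf("answer suite: %s\n", suite_name(t) ? suite_name(t) : "(none)");
    return 0;
}
```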
