[asterisk-dev] [BOUNTY] offered : Allow 256 bit SRTP cipher suites

Kevin Long kevin.long at haloprivacy.com
Tue Jun 7 13:19:34 CDT 2016


Greetings,


Some modern SIP apps and even some SIP desk phones allow the use of stronger SRTP cipher suites than Asterisk currently allows.

In res_srtp.c, there is a switch/case statement which looks like it simply rejects calls asking for cipher suites for SRTP, besides two AES-128 suites implemented long ago.


libsrtp supports the stronger cipher suites already, so I *believe* only Asterisk source code needs minor changes.



When I attempt to enable a stronger SRTP cipher suite in my SIP phone (Groundwire SIP app), I get the error message “Invalid crypto suite” in my Asterisk log (see existing code snippet from Asterisk below).




Desired cipher suites:
>> AES_CM_256_HMAC_SHA1_32
>> AES_CM_256_HMAC_SHA1_80



Please contact me back via the list or at my email directly if interested in picking up this work. We will need to discuss how this works with chan_sip vs pjsip etc.






static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
{
      switch (suite) {
      case AST_AES_CM_128_HMAC_SHA1_80:
              p->cipher_type = AES_128_ICM;
              p->cipher_key_len = 30;
              p->auth_type = HMAC_SHA1;
              p->auth_key_len = 20;
              p->auth_tag_len = 10;
              p->sec_serv = sec_serv_conf_and_auth;
              return 0;

      case AST_AES_CM_128_HMAC_SHA1_32:
              p->cipher_type = AES_128_ICM;
              p->cipher_key_len = 30;
              p->auth_type = HMAC_SHA1;
              p->auth_key_len = 20;
              p->auth_tag_len = 4;
              p->sec_serv = sec_serv_conf_and_auth;
              return 0;

      default:
              ast_log(LOG_ERROR, "Invalid crypto suite: %u\n", suite);
              return -1;
      }
}



Thank you,

Kevin Long
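
An added example, not part of the original post and not Asterisk or libsrtp source: a stand-alone sketch of the suite-to-policy mapping quoted above, extended with the two requested AES-256 suites. The types and constants are stand-ins so it compiles without libsrtp, and the AST_AES_CM_256_* enum values are hypothetical names chosen for this sketch.

```c
#include <stdio.h>

/* Stand-ins for libsrtp definitions, so this compiles on its own. */
enum cipher { AES_128_ICM = 1, AES_256_ICM = 5 };
enum auth { HMAC_SHA1 = 3 };
enum services { sec_serv_conf_and_auth = 3 };

typedef struct {
	int cipher_type, cipher_key_len;	/* key length includes the salt */
	int auth_type, auth_key_len, auth_tag_len;
	int sec_serv;
} crypto_policy_t;

enum ast_srtp_suite {
	AST_AES_CM_128_HMAC_SHA1_80 = 1,
	AST_AES_CM_128_HMAC_SHA1_32 = 2,
	AST_AES_CM_256_HMAC_SHA1_80 = 3,	/* hypothetical */
	AST_AES_CM_256_HMAC_SHA1_32 = 4,	/* hypothetical */
};

#define SRTP_SALT_LEN 14	/* 112-bit master salt used with AES-CM */

static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
{
	int is256 = 0, tag_len;

	switch (suite) {
	case AST_AES_CM_128_HMAC_SHA1_80: tag_len = 10; break;
	case AST_AES_CM_128_HMAC_SHA1_32: tag_len = 4; break;
	case AST_AES_CM_256_HMAC_SHA1_80: is256 = 1; tag_len = 10; break;
	case AST_AES_CM_256_HMAC_SHA1_32: is256 = 1; tag_len = 4; break;
	default:
		/* Unknown suites are still rejected, never silently downgraded. */
		fprintf(stderr, "Invalid crypto suite: %u\n", (unsigned)suite);
		return -1;
	}
	p->cipher_type = is256 ? AES_256_ICM : AES_128_ICM;
	/* Master key plus salt: 16 + 14 = 30 bytes, or 32 + 14 = 46 bytes. */
	p->cipher_key_len = (is256 ? 32 : 16) + SRTP_SALT_LEN;
	p->auth_type = HMAC_SHA1;
	p->auth_key_len = 20;
	p->auth_tag_len = tag_len;	/* 80-bit or 32-bit tag */
	p->sec_serv = sec_serv_conf_and_auth;
	return 0;
}
```

Any buffer sized for the 30-byte AES-128 master key plus salt has to grow to 46 bytes for these suites.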





