Summary:ASTERISK-28903: res_srtp: Answered Crypto Suite might be wrong in SDP/SDES.
Reporter:Alexander Traud (traud)Labels:patch
Date Opened:2020-05-18 10:12:23Date Closed:2020-05-20 10:13:28
Versions:16.10.0 17.4.0 Frequency of
causesASTERISK-29128 res_srtp: Authentication failure after hold/unhold
Environment:Attachments:( 0) srtp.patch
Description:Fixing my own code. ASTERISK-26190 introduced the support for additional Crypto Suites in SDES-sRTP. Normally, one would expect that the UAS = Asterisk simply copies the name of the very first supported Crypto Suite.

In Asterisk, {{ast_sdp_srtp_get_attrib(.)}} is called long time after the Crypto Suite are accepted via {{ast_sdp_crypto_process(.)}}. However, instead of a string, my code uses flags, one for the tag length for authentication, one for the AES size, and one flag whether an old—flipped—name for the Crypto Suite is used. This avoids the creation/deletion of one additional dynamic string buffer.

However, {{res_sdp_crypto_parse_offer(.)}} might have parsed the name of the Crypto Suite, set those flags but not accept the Crypto Suite for other reasons, for example:
WARNING: sdp_srtp.c:1050: SRTP descriptions key length is '48', not '46'
This happens, when the UAC has a faulty SDES-sRTP implementation. For example, desk phones from [Atcom|https://www.atcom.cn] allow not only AES-128 but also AES-256. However, the provided key is too long. With those, the current implementation in Asterisk answers:
a=crypto:3 AES_CM_256_HMAC_SHA1_80 inline: …
The result is a call with broken audio although the Crypto Suite at index 3, AES_CM_*128*_HMAC_SHA1_80 has the correct key length and works great.

This happens, because the ‘object’, where the flags are set, gets reused by the channel, here chan_sip. In other words: The flag for AES-256 is still set from the previous parsing of the Crypto Suite name. The trick is to clear all flags before any new parsing/selection happens. The attached patch does this.
Comments:By: Asterisk Team (asteriskteam) 2020-05-18 10:12:24.028-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

By: Friendly Automation (friendly-automation) 2020-05-20 10:13:28.969-0500

Change 14428 merged by Friendly Automation:
res_srtp: Set all possible flags while selecting the Crypto Suite.


By: Friendly Automation (friendly-automation) 2020-05-20 10:47:44.890-0500

Change 14415 merged by Friendly Automation:
res_srtp: Set all possible flags while selecting the Crypto Suite.


By: Friendly Automation (friendly-automation) 2020-05-20 10:51:03.991-0500

Change 14427 merged by Joshua Colp:
res_srtp: Set all possible flags while selecting the Crypto Suite.