Asterisk 18 with aes 256

hello guys,

how could i enable aes 256 with asterisk 18?
exactly aes_256_cm_hmac_sha1_80

in linphone when i configure my endpoints to use aes_256_cm_hmac_sha1_80 as the only crypto suite, the call get rejected by the sip server (503 service unavailable)!

it seems like this crypto suite is yet not enabled in asterisk 18.0.0!

I’m pretty sure that the enabled suites are determined by openSSL, not by Asterisk.

so the suites that are listed in pjsip list ciphers are the only ciphers that would be enabled?
although when i access res_srtp.c i can see the aes_256_cm_hmac_sha1_80!

this is stated in srtp.c

*** If you want to enable one of those defines, please, go for**
**			 * CFLAGS='-DENABLE_SRTP_AES_GCM' ./configure && sudo make install**
**			 */**
				{ len, 0, 30 },
#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM)
				{ AST_SRTP_CRYPTO_TAG_16, 0, AES_128_GCM_KEYSIZE_WSALT },
#endif
#if defined(HAVE_SRTP_256) && defined(ENABLE_SRTP_AES_256)
				{ len, AST_SRTP_CRYPTO_AES_256, 46 },
#endif
#if defined(HAVE_SRTP_GCM) && defined(ENABLE_SRTP_AES_GCM) && defined(ENABLE_SRTP_AES_256)
				{ AST_SRTP_CRYPTO_TAG_16, AST_SRTP_CRYPTO_AES_256, AES_256_GCM_KEYSIZE_WSALT },
#endif
#if defined(HAVE_SRTP_192) && defined(ENABLE_SRTP_AES_192)
				{ len, AST_SRTP_CRYPTO_AES_192, 38 },
#endif

So have you rebuilt it with the CFLAG added?

yes, many errors appeared in srtp.c

         ast_clear_flag(srtp, AST_SRTP_CRYPTO_TAG_8);
	ast_clear_flag(srtp, AST_SRTP_CRYPTO_TAG_16);
	ast_clear_flag(srtp, AST_SRTP_CRYPTO_TAG_32);
	ast_clear_flag(srtp, AST_SRTP_CRYPTO_TAG_80);
	ast_clear_flag(srtp, AST_SRTP_CRYPTO_AES_192);
	ast_clear_flag(srtp, AST_SRTP_CRYPTO_AES_256);
	ast_clear_flag(srtp, AST_SRTP_CRYPTO_OLD_NAME);

some of these line codes appeared to be first time defined and never used before.
so, it did not complete the build successfully.

You appear to need version 1 of libsrtp tor those those to be defined.

I’m not sufficiently up to date on safe encryption suites to know whether your problem is trying to use a suite that is no longer considered safe, or whether it safe, but asterisk/srtp_compat.h doesn’t completely cover what was lost when going from the Asterisk provided srtp.h to the libsrtp one.

so maybe if i just remove them from the file then it might not effect the process?

I wouldn’t want to make symptomatic fixes to crypto code without a much deeper understanding, as it would be too easy to introduce vulnerabilities.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.