Re: SRTP DTLS with AES GCM 128 --> no SRTP Stream


 



Hi Harald,

libsrtp requires OPENSSL to be defined, but srtp_config.h lacks an ifdef to check whether PJSIP was configured to use OPENSSL!

I also don't understand why I have to add the configure flag --with-ssl when it should be autoconfigured when available.

There are two issues here:

1.) The core developers should outline in the docs how to enable DTLS GCM support as well as the config.h options needed to enable it.

2.) The core developers should check in aconfigure.ac why I have to supply --with-ssl to enable GCM cipher support in the srtp lib.

Without --with-ssl, the build process won't complete as there are unresolved symbols (no define of OPENSSL 1).

Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols.


TRY !!!:

Add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS!!! in the if defined clause!)

#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0)
#define OPENSSL 1
#endif


I used these config_site.h flags:

/*SRTP CIPHERS */
#define PJ_SSL_SOCK_IMP                              PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK                      1
#define PJMEDIA_HAS_SRTP                     1
#define PJMEDIA_SRTP_HAS_SDES                1
#define PJMEDIA_SRTP_HAS_DTLS                1
#define PJMEDIA_SRTP_HAS_AES_CM_256          1
#define PJMEDIA_SRTP_HAS_AES_CM_128          1
#define PJMEDIA_SRTP_HAS_AES_GCM_256         1
#define PJMEDIA_SRTP_HAS_AES_GCM_128         1


Be sure to use --with-ssl at configure time.

I was able to compile but not to test, so please report back!


Symbols:

nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description



Best regards


Franz Skale
Rechenzentrum-Services




Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria


From: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx> on behalf of Schuster Harald <hsc@xxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, 11 December 2019 20:30
To: pjsip@xxxxxxxxxxxxxxx
Subject: SRTP DTLS with AES GCM 128 --> no SRTP Stream
 

Hi

I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use Linphone to test my own device and to establish a call. My device never establishes a call by itself. A normal call and a call with SRTP work fine, but a call with DTLS doesn't work. When the two lines with AES_GCM are removed from the config, the DTLS call also works.

 

I saw in the Wireshark trace that the hello client message that is sent from my device with pjproject has no "use_srtp" extension. It stops with the "heartbeat" extension. When AES_GCM is removed, the "use_srtp" extension exists. Is this a problem with the usage of OpenSSL 1.0.2h or is there an error in the configuration? Does somebody know this behavior?

 

In the makefile I use --with-ssl so that the installation of OpenSSL is checked.

 

 

config_site.h

#define PJ_SSL_SOCK_IMP                              PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK                      1
#define PJMEDIA_HAS_SRTP                     1
#define PJMEDIA_SRTP_HAS_SDES                1
#define PJMEDIA_SRTP_HAS_DTLS                1

#define PJMEDIA_SRTP_HAS_AES_CM_256          1
#define PJMEDIA_SRTP_HAS_AES_CM_128          1
#define PJMEDIA_SRTP_HAS_AES_GCM_256         1
#define PJMEDIA_SRTP_HAS_AES_GCM_128         1

 

PJ Logs:

2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)

2019-12-11 14:32:57.095349: [debug]  pjsua_media.c  Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)

 

Configure:

checking for OpenSSL installations..
pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes
checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes
checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes
checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes
checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled
pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL
pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes

 

Best regards

Harald

 

_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@xxxxxxxxxxxxxxx
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
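
Added example (not part of either message and not pjproject code): a script that turns the "Symbols:" check from the reply above into a build-consistency test, confirming that every AES-GCM key size enabled in config_site.h has its OpenSSL-backed cipher symbol defined in the built libsrtp. The function names and the file names are assumptions; the sample input is constructed from the flags and nm lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not pjproject code. Inputs: a config_site.h and saved `nm` output.

# Print the GCM key sizes (128, 256) that config_site.h ($1) sets to non-zero.
requested_gcm() {
    awk '$1 == "#define" && $2 ~ /^PJMEDIA_SRTP_HAS_AES_GCM_(128|256)$/ && $3 + 0 != 0 {
             sub(/^PJMEDIA_SRTP_HAS_AES_GCM_/, "", $2); print $2 }' "$1"
}

# Succeed if the nm listing ($1) has symbol $2 as defined (any type except U).
# Exact match on the name, so *_description symbols do not count.
symbol_defined() {
    awk -v sym="$2" '$NF == sym && $(NF-1) != "U" { found = 1 }
                     END { exit !found }' "$1"
}

# Report each requested key size; return 1 if its cipher symbol is missing.
check_gcm_build() {
    rc=0
    for bits in $(requested_gcm "$1"); do
        if symbol_defined "$2" "srtp_aes_gcm_${bits}_openssl"; then
            echo "AES-GCM-$bits: enabled in config, present in libsrtp"
        else
            echo "AES-GCM-$bits: enabled in config, MISSING from libsrtp"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input, modelled on the flags and nm lines in the thread.
demo=$(mktemp -d)
printf '%s\n' '#define PJMEDIA_SRTP_HAS_AES_GCM_256         1' \
              '#define PJMEDIA_SRTP_HAS_AES_GCM_128         1' > "$demo/config_site.h"
printf '%s\n' '0000000000014600 D srtp_aes_gcm_128_openssl' \
              '000000000000f720 r srtp_aes_gcm_128_openssl_description' \
              '00000000000145a0 D srtp_aes_gcm_256_openssl' > "$demo/nm.txt"
check_gcm_build "$demo/config_site.h" "$demo/nm.txt"
rm -rf "$demo"
```

On a real build, save the listing with the nm command shown in the reply (nm libsrtp.so.2 > nm.txt) and pass it together with the project's config_site.h. A missing symbol means the library was compiled without the OpenSSL define, which is the condition the reply works around.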
