Re: SRTP DTLS with AES GCM 128 --> no SRTP Stream

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Franz

The problem from my side is not the compilation of pjProject. I think its true that OpenSSL1.0.2h supports AES GCM but not for SRTP. My Problem is that when I want to establish a call the DTLS Hello Client message includes not extension for “use_srtp” because of the case that openssl not support gcm for srtp.

 

Best regards

Harald

 

From: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx> On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 11:57 AM
To: pjsip list <pjsip@xxxxxxxxxxxxxxx>
Subject: Re: SRTP DTLS with AES GCM 128 --> no SRTP Stream

 

Hi Harald,

state statement, that openssl 1.0.2h won't support or even has a problem with AES_GCM ciphers is wrong.

Check the Changelog for details.

It's clear to me, that omitting the "#define OPENSSL 1", librtc won't include the AES_GCM ciphers:

snippet:

e.g. srtp.c at the header it begins:

#ifdef OPENSSL
#include "aes_gcm_ossl.h"    /* for AES GCM mode  */
# ifdef OPENSSL_KDF
# include <openssl/kdf.h>
# include "aes_icm_ossl.h"    /* for AES GCM mode  */
# endif

 

The current srtp_config.h doesn't honor the PJSIP AES flags at all.

To overcome such situations i strongly recommend to use and updat2date OS (e.g. Debian 10) and external-lib support !

libsrtp in the bundled source is a prerelease whenreas DEBIAN provides a well maintained version 2.2.0-1.

 

Best regards

 

Franz Skale
Rechenzentrum-Services

 


Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria


Von: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx> im Auftrag von Schuster Harald <hsc@xxxxxxxxxxxxxxxxxxxx>
Gesendet: Donnerstag, 12.
Dezember 2019 10:11
An: pjsip list
Betreff: Re: SRTP DTLS with AES GCM 128 --> no SRTP Stream

 

Hi Franz

Thanks for your answer. I was yesterday able to compile everything fine with –with-ssl but it doesn’t work and the developer from PjProject wrote me that it is a problem with OpenSSL 1.0.2h.

 

We can see on the latest code (OpenSSL/d1_srtp.c here), it supports AES_GCM. However, on 1.0.2h it doesn't have that.

 

But I will try the solution with the defines in libsrtp config and will give you a feedback!

 

Best regards

Harald

 

From: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx> On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 9:34 AM
To:
pjsip@xxxxxxxxxxxxxxx
Subject: Re: SRTP DTLS with AES GCM 128 --> no SRTP Stream

 

Hi Harald,

libsrtp requires to have OPENSSL defined, but the srtp_config.h lacks of an ifdef to check, whether PJSIP was configured to use OPENSSL !

I also don't understand, why i have to add the configure flag --with-ssl when it should be autoconfigured when available.

There are two issues here,

1.) The core developers should outline in the docs how to enable DTLS GCM support as well as config.h options needed to enable it.

2.) The core developers should check the aconfigure.ac why i have to supply --with-ssl to enable gcm cipher support in the srtp lib.

Without --with-ssl, the buildprocess won't complete as there are unresovled symbols (No define of OPENSSL 1).

Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols.

 

TRY !!!:

add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS !!! in the if defined clause !)

#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0)
#define OPENSSL 1
#endif

 

I used these config_site.h flags:

/*SRTP CIPHERS */
#define PJ_SSL_SOCK_IMP                              PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK                      1
#define PJMEDIA_HAS_SRTP                     1
#define PJMEDIA_SRTP_HAS_SDES                1
#define PJMEDIA_SRTP_HAS_DTLS                1
#define PJMEDIA_SRTP_HAS_AES_CM_256          1
#define PJMEDIA_SRTP_HAS_AES_CM_128          1
#define PJMEDIA_SRTP_HAS_AES_GCM_256         1
#define PJMEDIA_SRTP_HAS_AES_GCM_128         1

 

Be sure to use --with-ssl at configure time.

I was able to compile but not to test, so please report back !

 

Symbols:

nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description

 

 

Best regards


Franz Skale
Rechenzentrum-Services

 

cid:image001.jpg@01D5B0E8.2EDB8FA0


Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria


Von: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx> im Auftrag von Schuster Harald <hsc@xxxxxxxxxxxxxxxxxxxx>
Gesendet: Mittwoch, 11.
Dezember 2019 20:30
An:
pjsip@xxxxxxxxxxxxxxx
Betreff: SRTP DTLS with AES GCM 128 --> no SRTP Stream

 

Hi

I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself. A normal call and a call with SRTP works fine but a call with DTLS doesn’t work. ­When the two lines with AES_GCM are removed from the config also the DTLS call works.

 

I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no “use_srtp” extension. It stops with the “heartbeat” extension. When AES_GCM is removed the “use_srtp” extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?

 

In the makefile is use –with-ssl so that the installation of openssl is checked.­­

 

 

config_site.h

#define PJ_SSL_SOCK_IMP                              PJ_SSL_SOCK_IMP_OPENSSL

#define PJ_HAS_SSL_SOCK                      1

#define PJMEDIA_HAS_SRTP                     1

#define PJMEDIA_SRTP_HAS_SDES                1

#define PJMEDIA_SRTP_HAS_DTLS                1

 

#define PJMEDIA_SRTP_HAS_AES_CM_256          1

#define PJMEDIA_SRTP_HAS_AES_CM_128          1

#define PJMEDIA_SRTP_HAS_AES_GCM_256         1

#define PJMEDIA_SRTP_HAS_AES_GCM_128         1

 

PJ Logs:

2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)

2019-12-11 14:32:57.095349: [debug]  pjsua_media.c  Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)

 

Configure:

checking for OpenSSL installations..

pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...

pjproject-2.9-r2 do_configure: yes

checking openssl/ssl.h presence...

pjproject-2.9-r2 do_configure: yes

checking for openssl/ssl.h...

pjproject-2.9-r2 do_configure: yes

checking for ERR_load_BIO_strings in -lcrypto...

pjproject-2.9-r2 do_configure: yes

checking for SSL_CTX_new in -lssl...

pjproject-2.9-r2 do_configure: yes

pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled

pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...

pjproject-2.9-r2 do_configure: yes

pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL

pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes

 

Best regards

Harald

 

_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@xxxxxxxxxxxxxxx
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org

[Index of Archives]     [Asterisk Users]     [Asterisk App Development]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [Linux API]
  Powered by Linux