
Summary: ASTERISK-16298: [patch] SRTP (SRTP unprotect: authentication failure)
Reporter: Alexcr (alexcr)
Labels:
Date Opened: 2010-06-29 04:04:01
Date Closed: 2010-09-15 17:28:33
Priority: Blocker
Regression?: No
Status: Closed/Complete
Components: Resources/res_srtp
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) asterisk.log
( 1) asterisk2.log
( 2) AsteriskLog
( 3) res_srtp.c.patch
( 4) sdp_crypto.c.patch
( 5) sip_show_peer
( 6) SIPLog
( 7) srtp.diff
( 8) srtp-read-error.pcap
( 9) tcpdump_srtp_1_no_tls
(10) tcpdump_srtp_1_tls
(11) tcpdump_srtp_2_no_tls
(12) tcpdump_srtp_2_tls
Description:

I set up asterisk-trunk with res_srtp.

Test with Snom320 and Yealink T26P failed with error

[Jun 24 17:08:08] DEBUG[629] res_srtp.c: SRTP unprotect: authentication failure
[Jun 24 17:08:08] WARNING[629] res_rtp_asterisk.c: RTCP Read error: Success.  Hanging up.

With eyebeam-1.5 all works fine if TLS support is added on both.

****** ADDITIONAL INFORMATION ******

asterisk-trunk
srtp-1.4.4
Linux 2.6.29-gentoo-r5

Comments:

By: Paul Belanger (pabelanger) 2010-06-29 06:37:29

We require a complete debug log to help triage the issue.

This document will provide instructions on how to collect debugging logs from an Asterisk machine for the purpose of helping bug marshals troubleshoot an issue:

http://svn.digium.com/svn/asterisk/trunk/doc/HOWTO_collect_debug_information.txt

By: Alexcr (alexcr) 2010-06-29 09:21:37

asterisk.log -> asterisk call to T26P Yealink
asterisk2.log -> T26P Yealink call to asterisk

By: Leif Madsen (lmadsen) 2010-06-29 14:16:17

Could you provide a pcap packet capture with all the packet information? Terry is saying it looks like something to do with the RTCP possibly not getting encrypted and would need to see all of that information.

You can capture it with something like wireshark and upload the resulting file here.

By: Alexcr (alexcr) 2010-06-30 05:16:58

I uploaded a file captured with tcpdump.

By: Kristijan Vrban (vrban) 2010-07-13 17:12:35

There is already a workaround for this issue:
https://issues.asterisk.org/file_download.php?file_id=24216&type=bug

By: Stefan Tichy (st) 2010-07-20 10:10:31

This workaround was useful with Snom 3x0 phones and the SRTP branch nearly a year ago. For some reasons I do not understand, the decryption of only the first packet failed.

Using Asterisk trunk (19.07.2010) and Snom 360 (7.3.30) the situation is different.

Snom calling Asterisk and listening to some Playback() : fine

Asterisk (call file) calling Snom: Error message or silence if workaround is used

What confuses me is that it does work for some phone types and fails if others are used.

By: Sebastian Fritsch (sfritsch) 2010-07-25 16:48:36

The attachment res_srtp.c.patch is a modified version of the workaround mentioned in comment 0124536 compatible to asterisk-1.8-beta1.

Using Snom 370 (8.2.35) TLS + SRTP setup worked fine. Make sure to select "SRTP Auth-tag: AES-80" in Snom RTP configuration. Selecting AES-32 failed ("res_srtp.c:306 ast_srtp_unprotect: SRTP unprotect: authentication failure").

By: Stefan Tichy (st) 2010-07-26 05:07:14

You are right. If Snom setting AES-32 is used, the workaround causes confusion.
It is necessary to select AES-80 in Snom's RTP config.

I used the patch mentioned by vrban because I did not find "res_srtp.c.patch".

By: Alexcr (alexcr) 2010-07-27 14:54:47

I tested the patch with asterisk 1.8-beta:
Snom 320 works fine with AES-80 (TLS=on and TLS off)
IP.Matika (yealink) IP-T26 works fine (TLS=on and TLS off)
Thanks to all for the help.

By: alextom (alekstom) 2010-07-28 05:42:18

I have the same problem as Alexcr but using SPA942 Linksys phones and Asterisk 1.8-beta. When I applied the patch res_srtp.c.patch the call gets connected but there is no audio (AsteriskLog attached). I can hear the 3 beeps that Linksys phones generate when certificates are OK. I used the latest firmware for SPA942 phones with the s-descriptor option. When only TLS is defined everything works OK. Any solution for this?

By: Alexcr (alexcr) 2010-07-28 05:56:24

encryption=yes
transport=tls
forceencrypt=yes

Do you use these options in sip.conf?
In my log I see srtp=OK:
[Jul 27 17:47:32] DEBUG[2651] sip/sdp_crypto.c: local_key64 TVrnyWMUDkkXnxGgb6D1JPKDsZ/KGbsy2+mYNvW2 len 40
[Jul 27 17:47:32] DEBUG[2651] sip/sdp_crypto.c: SRTP policy activated
[Jul 27 17:47:32] DEBUG[2651] chan_sip.c: Processing media-level (audio) SDP a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:t9v5ScaOP7O/dY/5pI/FLCPe3fKNGrfDVmfTMHVv... OK.

By: Sebastian Fritsch (sfritsch) 2010-07-28 06:03:44

This is from your log:
[Jul 28 12:14:26] DEBUG[14287] sip/sdp_crypto.c: local_key64 P8cJePk3WFz5Qk6DfEIqFrPQ8oHq7wCiKmjYzduM len 40
[Jul 28 12:14:26] DEBUG[14287] sip/sdp_crypto.c: SRTP policy activated
[Jul 28 12:14:26] DEBUG[14287] chan_sip.c: Processing media-level (audio) SDP a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:e0v5vPHwr86LtCDkk55yxqVMekysb6h+pHn/9P2z... OK.
[Jul 28 12:14:26] DEBUG[14287] sip/sdp_crypto.c: SRTP policy activated
[Jul 28 12:14:26] DEBUG[14287] chan_sip.c: Processing media-level (audio) SDP a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:e0v5vPHwr86LtCDkk55yxqVMekysb6h+pHn/9P2z... OK.


It seems your SPA942 allows the other side to choose the crypto-suite. Try to disable AES_CM_128_HMAC_SHA1_32 crypto-suite in your configuration and test again.

By: alextom (alekstom) 2010-07-28 06:10:45

(to Alexcr) Tried but no result.

Also in log says:

[Jul 28 12:14:26] DEBUG[14287] sip/sdp_crypto.c: local_key64 P8cJePk3WFz5Qk6DfEIqFrPQ8oHq7wCiKmjYzduM len 40
[Jul 28 12:14:26] DEBUG[14287] sip/sdp_crypto.c: SRTP policy activated
[Jul 28 12:14:26] DEBUG[14287] chan_sip.c: Processing media-level (audio) SDP a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:e0v5vPHwr86LtCDkk55yxqVMekysb6h+pHn/9P2z... OK.
[Jul 28 12:14:26] DEBUG[14287] sip/sdp_crypto.c: SRTP policy activated
[Jul 28 12:14:26] DEBUG[14287] chan_sip.c: Processing media-level (audio) SDP a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:e0v5vPHwr86LtCDkk55yxqVMekysb6h+pHn/9P2z... OK.



By: Alexcr (alexcr) 2010-07-28 06:29:28

Does the ECHO test from the SPA942 work?

By: alextom (alekstom) 2010-07-28 07:24:03

No, the ECHO test also gets "connected" but no audio and


[Jul 28 14:18:08] DEBUG[15322]: pbx.c:4051 pbx_extension_helper: Launching 'Echo'
   -- Executing [0002@srtp:2] Echo("SIP/0001-00000001", "") in new stack
[Jul 28 14:18:08] DEBUG[15322]: res_srtp.c:306 ast_srtp_unprotect: SRTP unprotect: authentication failure
[Jul 28 14:18:08] DEBUG[15322]: res_srtp.c:306 ast_srtp_unprotect: SRTP unprotect: authentication failure
[Jul 28 14:18:08] DEBUG[15322]: res_srtp.c:306 ast_srtp_unprotect: SRTP unprotect: authentication failure

repeats forever ...

By: alextom (alekstom) 2010-07-28 07:31:11

(to sfritsch) "It seems your SPA942 allows the other side to choose the crypto-suite. Try to disable AES_CM_128_HMAC_SHA1_32 crypto-suite in your configuration and test again."

How can I do this? On phones or in asterisk? I do not see that option in phone settings.

By: Sebastian Fritsch (sfritsch) 2010-07-28 07:39:18

I don't have access to a SPA942, if you can configure this option it should be anywhere in SIP or RTP configuration.

Try to start a call from the asterisk console, e.g.
originate sip/test1 application voicemailmain

Can you hear some audio? Have a look at the SIP messages to see what crypto-suites are offered.

By: alextom (alekstom) 2010-07-28 09:18:27

I have found this in the SIP messages:

v=0
o=root 856083765 856083765 IN IP4 192.168.1.41
s=Asterisk PBX 1.8.0-beta1
c=IN IP4 192.168.1.41
t=0 0
m=audio 18776 RTP/SAVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:U/WphOLSt9AMQAYdvLrSUk+Jl+6RUds4bnRxyKQ7


I tested with eyebeam 1.5 ... it works with no problems.

By: alextom (alekstom) 2010-07-28 09:31:59

Attached file SIPLog for SPA942.

By: Sebastian Fritsch (sfritsch) 2010-07-28 10:29:46

(to Alekstom)

You could test sdp_crypto.c.patch which removes accepting the .._32 crypto suite on the asterisk side.

After applying the patch and using .._32 crypto suite asterisk replies with SIP "488 Not acceptable here". In your case asterisk should accept the second offered crypto line.

By: alextom (alekstom) 2010-07-28 10:36:48

Thank you! Unfortunately I will test tomorrow and report the result.

By: Leif Madsen (lmadsen) 2010-07-28 14:01:13

Upgrading to confirmed as a patch has been attached.

By: alextom (alekstom) 2010-07-29 06:41:32

(to sfritsch) Patch is working! So asterisk 1.8-beta and SPA942 can do SRTP! I hope that patches will be included in final version.

By: Terry Wilson (twilson) 2010-08-12 11:07:21

Disabling AST_AES_CM_128_HMAC_SHA1_32 doesn't seem like a good solution. If there is something wrong on our side when we get an SHA1_32 offer, then we should fix it. This could be an issue related to getting two crypto offers as opposed to SHA1_32 being broken as well. I'll see what happens if I offer both on my polycom.

By: Terry Wilson (twilson) 2010-08-26 01:33:54

I have uploaded a patch against svn branches/1.8 that I believe fixes several underlying issues w/o hacking out support for AST_AES_CM_128_HMAC_SHA1_32. I would appreciate it if some people wouldn't mind checking out a fresh branches/1.8 and applying srtp.diff and letting me know if it works for you. Thanks!

By: Terry Wilson (twilson) 2010-09-01 12:24:34

Anybody testing?

By: D KULL (kulldominique) 2010-09-01 13:37:57

I can confirm that this patch (srtp.diff (7,863 bytes) 2010-08-26 01:31) resolves one-way audio issues I've had on 1.8-beta4. SRTP/TLS would cause one-way audio or noise (garbled) on bridged calls. I've tested Aastra 5xi series phones and Bria (Windows/iOS). I will gladly test with an SPA502G, but I am not sure how to force SRTP on that device.



By: Digium Subversion (svnbot) 2010-09-01 13:44:37

Repository: asterisk
Revision: 284477

U   branches/1.8/channels/chan_sip.c
U   branches/1.8/include/asterisk/res_srtp.h
U   branches/1.8/main/rtp_engine.c
U   branches/1.8/res/res_rtp_asterisk.c
U   branches/1.8/res/res_srtp.c

------------------------------------------------------------------------
r284477 | twilson | 2010-09-01 13:44:37 -0500 (Wed, 01 Sep 2010) | 17 lines

Fix SRTP for changing SSRC and multiple a=crypto SDP lines

Adding code to Asterisk that changed the SSRC during bridges and masquerades
broke SRTP functionality. Also broken was handling the situation where an
incoming INVITE had more than one crypto offer. This patch caches the SRTP
policies that we use so that we can change the ssrc and inform libsrtp of the
new streams. It also uses the first acceptable a=crypto line from the incoming
INVITE.

(closes issue ASTERISK-16298)
Reported by: Alexcr
Patches:
     srtp.diff uploaded by twilson (license 396)
Tested by: twilson

Review: https://reviewboard.asterisk.org/r/878/

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=284477
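
The selection rule described in r284477 ("uses the first acceptable a=crypto line") and the effect of restricting the acceptable suites, as an added example that is not Asterisk's code and not part of the original thread. It assumes the RFC 4568 attribute syntax seen in the logs above; the function names, the sample offer and the sample key are constructed for illustration.

```python
import base64
import re

# RFC 4568 suites named in this thread -> SRTP auth tag length in bits.
SUITES = {"AES_CM_128_HMAC_SHA1_80": 80, "AES_CM_128_HMAC_SHA1_32": 32}
KEY_SALT_LEN = 30  # 16-byte key + 14-byte salt; base64 gives the "len 40" in the logs
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([^|\s]+)")


def parse_crypto_lines(sdp):
    """Return every a=crypto attribute, in offer order, as (tag, suite, key)."""
    offers = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            offers.append((int(m.group(1)), m.group(2), m.group(3)))
    return offers


def select_crypto(sdp, acceptable=frozenset(SUITES)):
    """First offered line with an acceptable suite and a well-formed key.

    Returns None when nothing qualifies (the "488 Not acceptable here" case).
    """
    for tag, suite, key_b64 in parse_crypto_lines(sdp):
        if suite not in acceptable:
            continue
        try:
            key = base64.b64decode(key_b64, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        if len(key) == KEY_SALT_LEN:
            return {"tag": tag, "suite": suite, "auth_tag_bits": SUITES.get(suite)}
    return None


# Constructed sample: a two-line offer shaped like the SPA942 one in the logs.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()  # not a real key
SAMPLE_OFFER = "\r\n".join([
    "m=audio 16384 RTP/SAVP 0 101",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{SAMPLE_KEY}",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}",
])

if __name__ == "__main__":
    print(select_crypto(SAMPLE_OFFER))
    print(select_crypto(SAMPLE_OFFER, {"AES_CM_128_HMAC_SHA1_80"}))
```

With both suites acceptable the answer carries tag 1 (the 32-bit auth tag); with only AES_CM_128_HMAC_SHA1_80 acceptable it falls through to tag 2, which is the behaviour sdp_crypto.c.patch produced for the SPA942.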

By: Digium Subversion (svnbot) 2010-09-01 13:52:28

Repository: asterisk
Revision: 284479

_U  trunk/
U   trunk/channels/chan_sip.c
U   trunk/include/asterisk/res_srtp.h
U   trunk/main/rtp_engine.c
U   trunk/res/res_rtp_asterisk.c
U   trunk/res/res_srtp.c

------------------------------------------------------------------------
r284479 | twilson | 2010-09-01 13:52:28 -0500 (Wed, 01 Sep 2010) | 24 lines

Merged revisions 284477 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

........
 r284477 | twilson | 2010-09-01 13:44:36 -0500 (Wed, 01 Sep 2010) | 17 lines
 
 Fix SRTP for changing SSRC and multiple a=crypto SDP lines
 
 Adding code to Asterisk that changed the SSRC during bridges and masquerades
 broke SRTP functionality. Also broken was handling the situation where an
 incoming INVITE had more than one crypto offer. This patch caches the SRTP
 policies that we use so that we can change the ssrc and inform libsrtp of the
 new streams. It also uses the first acceptable a=crypto line from the incoming
 INVITE.
 
 (closes issue ASTERISK-16298)
 Reported by: Alexcr
 Patches:
       srtp.diff uploaded by twilson (license 396)
 Tested by: twilson
 
 Review: https://reviewboard.asterisk.org/r/878/
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=284479

By: Russell Bryant (russell) 2010-09-10 06:46:47

Reopening at the request of m_c_le on IRC.

By: Marcello Ceschia (marcelloceschia) 2010-09-13 02:36:21

After a phone (snom360) uptime of 21 hours, I get:

 == Using SIP RTP CoS mark 5
   -- Executing [600@from-sip:1] Playback("SIP/snom-00000005", "demo-echotest") in new stack
[Sep 13 09:30:02] WARNING[14147]: res_rtp_asterisk.c:1642 ast_rtcp_read: RTCP Read error: Success.  Hanging up.
 == Spawn extension (from-sip, 600, 1) exited non-zero on 'SIP/snom-00000005'
   -- Incoming call: Got SIP response 403 "Use Proxy" back from 172.17.3.101:2048


wireshark dump attached: srtp-read-error.pcap
asterisk version: Asterisk SVN-trunk-r286342



By: Digium Subversion (svnbot) 2010-09-15 17:17:18

Repository: asterisk
Revision: 287056

U   branches/1.8/res/res_srtp.c

------------------------------------------------------------------------
r287056 | twilson | 2010-09-15 17:17:18 -0500 (Wed, 15 Sep 2010) | 10 lines

Don't hang up a call on an SRTP unprotect failure

Also make it more obvious when there is an issue en/decrypting.

(closes issue ASTERISK-16298)
Reported by: Alexcr
Patches:
     res_srtp.c.patch uploaded by sfritsch (license 1089)
Tested by: twilson

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=287056

By: Digium Subversion (svnbot) 2010-09-15 17:28:30

Repository: asterisk
Revision: 287057

_U  trunk/
U   trunk/res/res_srtp.c

------------------------------------------------------------------------
r287057 | twilson | 2010-09-15 17:28:30 -0500 (Wed, 15 Sep 2010) | 17 lines

Merged revisions 287056 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

........
 r287056 | twilson | 2010-09-15 17:17:17 -0500 (Wed, 15 Sep 2010) | 10 lines
 
 Don't hang up a call on an SRTP unprotect failure
 
 Also make it more obvious when there is an issue en/decrypting.
 
 (closes issue ASTERISK-16298)
 Reported by: Alexcr
 Patches:
       res_srtp.c.patch uploaded by sfritsch (license 1089)
 Tested by: twilson
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=287057