#401: SRTP not working correctly (Fixed)

May 29 2008 * 08:51
Reported by: Release: 1.2
Priority: Normal Milestone: 1.2.1
Component: SIP Assigned to: wildzero-cw

Seems that even if you enable SRTP support, it doesn't work.

*CLI> May 29 01:43:38 WARNING[3058166672]: chan_sip.c:4850 process_sdp: Error in codec string '=audio 5004 RTP/SAVP 0 8 4 18 2 97 9 3 101'
$ ./configure --enable-srtp
...
checking srtp/srtp.h usability... no
checking srtp/srtp.h presence... no
checking for srtp/srtp.h... no
checking for srtp_init in -lsrtp... no
...

Anyone have these missing files lying around?

CallWeaver 1.2.0.1 SVN branches/rel/1.2 r4780

Changelog:

Modified by Jun 07 2008 * 13:28

libsrtp needs to be installed. You might have it in your distro, or you can get the source from sourceforge.net. However, when you have installed that library, I don’t think the implementation is currently complete.

Modified by Jun 15 2008 * 19:33

configure reports 'yes' to those after installing libsrtp, so try again. We should fix autocrap so that if --enable-srtp is given, it should fail if libsrtp isn't found.

Modified by Jun 15 2008 * 19:34
Modified by Jul 24 2008 * 21:56

What is with this two-year-old work on SRTP?: http://www.callweaver.org/changeset/1256

It seems ready to use, but I can't compile it, because it needs spandsp-0.3.0pre5 which is no longer available.

Modified by Aug 03 2008 * 16:27

Hello, this is the first part of the CW modification for the ast_srtp6.patch (this one is for *1.2) from http://bugs.digium.com/view.php?id=5413

Modified by Aug 03 2008 * 16:34

Oops..., use this :)

Modified by Aug 05 2008 * 15:43

Hello, this patch is ported from the ast_srtp6.patch. It does work 50%. The phone and CallWeaver do the key negotiation, and the SRTP audio from the phone can be decrypted by CW. (For testing I do Record(/tmp/test.wav).) But the SRTP audio CW->Phone is not OK. On the phone you get white noise. There must be one silly detail I haven't found yet.

Modified by Aug 05 2008 * 23:18

Ok, it’s working now.

Modified by Aug 29 2008 * 17:56

Thanks to Kristijan, his last patch is almost sane. But RTP is encrypted only from caller to callweaver; the called side RTP data is not encrypted.

Modified by Aug 31 2008 * 15:06

Hello Andrey, to make outgoing SIP calls with srtp add Set(_SIP_SRTP_SDES=1) to your dialplan before Dial.

Please use the srtp_tls branch to test srtp: http://www.callweaver.org/browse/callweaver/branches/srtp_tls/

Modified by Oct 18 2008 * 15:53
  • Component: set to SIP

Branch does not compile correctly on my machine: Ubuntu Hardy Heron 8.04 LTS 32-bit.

svn co http://svn.callweaver.org/callweaver/branches/srtp_tls/ callweaver-srtp

Here is the detailed error:

make[3]: Entering directory `/usr/src/callweaver-srtp/corelib'
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -include ../include/confdefs.h -I. -I../include -fomit-frame-pointer -D_REENTRANT -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -DTEMP_STORE=2 -DTHREADSAFE=1 -DSQLITE_OMIT_CURSOR -DNO_TCL -I../sqlite3-embedded -I../sqlite3-embedded -DOS_UNIX -I.. -I../include -g -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/openssl -DHAVE_SSL -g -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -MT libcallweaver_la-callerid.lo -MD -MP -MF .deps/libcallweaver_la-callerid.Tpo -c -o libcallweaver_la-callerid.lo `test -f 'callerid.c' || echo './'`callerid.c
gcc -DHAVE_CONFIG_H -include ../include/confdefs.h -I. -I../include -fomit-frame-pointer -D_REENTRANT -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -DTEMP_STORE=2 -DTHREADSAFE=1 -DSQLITE_OMIT_CURSOR -DNO_TCL -I../sqlite3-embedded -I../sqlite3-embedded -DOS_UNIX -I.. -I../include -g -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/openssl -DHAVE_SSL -g -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -MT libcallweaver_la-callerid.lo -MD -MP -MF .deps/libcallweaver_la-callerid.Tpo -c callerid.c -fPIC -DPIC -o .libs/libcallweaver_la-callerid.o
callerid.c:65: error: field 'rx' has incomplete type
callerid.c: In function 'mate_generate':
callerid.c:154: error: storage size of 'adsi' isn't known
callerid.c:154: warning: unused variable 'adsi'
callerid.c: In function 'vmwi_generate':
callerid.c:173: error: storage size of 'adsi' isn't known
callerid.c:173: warning: unused variable 'adsi'
callerid.c: In function 'callerid_get':
callerid.c:207: error: dereferencing pointer to incomplete type
callerid.c:282: error: dereferencing pointer to incomplete type
callerid.c:286: error: dereferencing pointer to incomplete type
callerid.c: In function 'cw_callerid_generate':
callerid.c:392: error: storage size of 'adsi' isn't known
callerid.c:392: warning: unused variable 'adsi'
callerid.c: In function 'tdd_generate':
callerid.c:500: error: storage size of 'adsi' isn't known
callerid.c:500: warning: unused variable 'adsi'
make[3]: *** [libcallweaver_la-callerid.lo] Error 1
make[3]: Leaving directory `/usr/src/callweaver-srtp/corelib'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/callweaver-srtp/corelib'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/callweaver-srtp/corelib'
make: *** [all-recursive] Error 1

I will try the branch on a previous date instead of trunk and let you know how it works.

Modified by Oct 18 2008 * 15:55

Here is the error output in file-attach.

Modified by Oct 18 2008 * 16:35

Sorry about my building issues, you can ignore them. They were related to spandsp 0.0.6 (see other ticket #468).

Modified by Oct 18 2008 * 16:46

Please note that res/res_srtp.c needs an include if building against 1.4.4 (at least on my Ubuntu 8.04 installation).

root@buildbox:/usr/src/callweaver-srtp# svn diff
Index: res/res_srtp.c
===================================================================
--- res/res_srtp.c    (revision 5209)
+++ res/res_srtp.c    (working copy)
@@ -27,6 +27,7 @@
  */

 #include <srtp/srtp.h>
+#include <srtp/srtp_priv.h>
 #include "callweaver.h" 

 #include "callweaver/lock.h" 
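Review bot: adding #include <srtp/srtp_priv.h> couples res_srtp.c to libsrtp's private structure layouts instead of its public srtp.h API; the header happens to ship in the libsrtp1-dev 1.4.4 package listed below, but other libsrtp versions or builds need not install it, and the private struct definitions it exposes can change without notice. Either guard it at configure time (AC_CHECK_HEADERS([srtp/srtp_priv.h]) with the include wrapped in #ifdef HAVE_SRTP_SRTP_PRIV_H) so a missing header fails with a clear message rather than "missing structures", or, preferably, rework the code that needs those structures to go through the public libsrtp API only.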
root@buildbox:/usr/src/callweaver-srtp# dpkg -l | grep srtp
ii  libsrtp1-dev                      1.4.4~dfsg-1                Secure RTP (SRTP) and UST Reference Implemen
root@buildbox:/usr/src/callweaver-srtp# 

If not included, make complains about missing structures.

Modified by Oct 18 2008 * 17:02

Tested and working correctly with SRTP enabled and forced with a Grandstream GXP-2000 phone, firmware 1.1.6.16. Attached is a tcpdump of a call to the sample extension 1000.

Modified by Oct 18 2008 * 18:01

As I tested, you should also add

Set(_SIP_SRTP_SDES=1)

to your dialplan before Dial AND Answer command if you want your calls to be encrypted both ways. I tested the echo application and Wireshark could not correctly decode the SRTP data from both sides, meaning it is correctly encrypted, as opposed to correctly decoding plain RTP data.

I will test outbound calls, bridging and interoperability with more devices later this week at work.

Modified by Mar 12 2009 * 12:02
  • Status: changed from Open to Fixed

All these SRTP matters are fixed in 1.2.

Modified by Apr 23 2009 * 20:22
  • Assigned user: set to kristija
  • Status: changed from Fixed to Open

REOPEN: Incomplete handshake for peers which do not announce SAVP and buggy:

Set(_SIP_SRTP_SDES=1) leads to initial INVITE with broken SRTP sdp announce to peer:

m=audio 10192 RTP/AVP 
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:...

Please fix for supporting remote peers not announcing SRTP by default, or the SRTP feature is only half-implemented, thx.

y tom

Modified by Apr 23 2009 * 20:25
  • Assigned user: changed from kristija to wildzero-cw
Modified by Apr 23 2009 * 20:33

INVITE to local net peer Twinkle/1.4.2 looks OK but it doesn’t like it but claims ZRTP/SRTP support:

m=audio 10116 RTP/SAVP 8 110 2 4 3 0 10 7
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:......

<-- Sip read from 192.168.0.101:5085:UDP 
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/UDP 192.168.0.1:5060;received=192.168.0.1;rport=5060;branch=z9hG4bK28952349
To: <sip:210@192.168.0.101:5085>;tag=uajbe
From: "201" <sip:201@192.168.0.1>;tag=as413b457b
Call-ID: 19d2cdb92808b50c6e9321d07e7c1366@192.168.0.1
CSeq: 102 INVITE
Server: Twinkle/1.4.2
Warning: 302 tom2 "Incompatible transport protocol" 
Content-Length: 0

Modified by Apr 24 2009 * 00:34

OK, Twinkle has got ZRTP support, but not SRTP.

And this occurs only on outgoing calls over NAT:

m=audio 10300 RTP/AVP 
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Qsn/rCju0dGPZu2Ukt1jBly63rFnRJ7OxtEulLRg

So it’s likely the SDP rewrite by STUN not handled for SRTP ;)

Modified by Apr 24 2009 * 02:13

Please check this patch (late night quick hack, don’t expect working).

Modified by Apr 24 2009 * 20:54

Not working, applied to the wrong function().

Modified by Apr 24 2009 * 22:17

CLI sip no debug:

    -- Executing [510000@meine-telefone:2] Dial("SIP/xxxxx-e2a4", "SIP/10000@sipgate-de,,WTr")
add_sdp:SRTP ON
add_sdp:a_crypto OFF
add_sdp:SAVP ON
    -- Called 10000@sipgate-de
add_sdp:SRTP ON
add_sdp:a_crypto OFF
add_sdp:SAVP ON
    -- Got SIP response 488 "Not acceptable here" back from 217.10.79.9

CLI sip debug peer sipgate-de:

Non-codec capabilities: us - 0x1 (telephone-event), peer - 0x0 (nothing), combined - 0x0 (nothing)
    -- SIP/sipgate-de-0556 answered SIP/xxxxx-b260
add_sdp:SAVP OFF

Modified by Apr 24 2009 * 23:02

Hmm, no, the first INVITE’s sdp is still broken:

    m=audio 10256 RTP/AVP 
    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:aQAuKiMGfwj1HW4LQyJVi7J/C+uriWBJBYWznSrs

The second INVITE after proxy auth is ok:

    m=audio 10256 RTP/SAVP 8
    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:aQAuKiMGfwj1HW4LQyJVi7J/C+uriWBJBYWznSrs
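The broken first INVITE and the good second one above (and the identical RTP/AVP plus a=crypto offer in the reopen comment of Apr 23 2009) are exactly the kind of defect a peer rejects with 488, so here is an added checker for SDES-SRTP offers; it is not CallWeaver's or the patch's code. It assumes the RFC 4568 key||salt length of 30 bytes for AES_CM_128_HMAC_SHA1_80 and uses a constructed sample key, not the ones quoted in the ticket.

```python
# Added example (not CallWeaver code): check an SDES-SRTP offer for the defects in
# this ticket: a=crypto on an RTP/AVP m= line, empty payload list, wrong key size.
import base64
import re

# Key||salt length in bytes per crypto-suite (RFC 4568, section 6.2).
SUITE_KEY_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")

def check_srtp_offer(sdp):
    """Return a list of problems in the m=audio section; [] means the offer is OK."""
    problems, cryptos, media = [], [], None
    for line in sdp.splitlines():
        if line.startswith("m=audio"):
            fields = line.split()  # m=<media> <port> <proto> <fmt> ...
            media = (fields[2] if len(fields) > 2 else "", fields[3:])
        elif line.startswith("a=crypto:"):
            m = CRYPTO_RE.match(line)
            if not m:
                problems.append("unparseable a=crypto line: " + line)
                continue
            cryptos.append((m.group(2), m.group(3)))
    if media is None:
        return ["no m=audio line"]
    transport, payloads = media
    if cryptos and transport != "RTP/SAVP":
        problems.append("a=crypto present but m= transport is %s, expected RTP/SAVP" % transport)
    if transport == "RTP/SAVP" and not cryptos:
        problems.append("RTP/SAVP offered without an a=crypto line")
    if not payloads:
        problems.append("m=audio line has an empty payload-type list")
    for suite, key_b64 in cryptos:
        expected = SUITE_KEY_LEN.get(suite)
        if expected is None:
            problems.append("unknown crypto-suite " + suite)
            continue
        try:
            key = base64.b64decode(key_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("inline key is not valid base64: " + key_b64)
            continue
        if len(key) != expected:
            problems.append("%s key is %d bytes, expected %d" % (suite, len(key), expected))
    return problems

# Constructed sample key||salt (30 bytes) and offers; not values from the ticket.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
BROKEN_OFFER = "v=0\r\nm=audio 10256 RTP/AVP \r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:%s\r\n" % SAMPLE_KEY
GOOD_OFFER = "v=0\r\nm=audio 10256 RTP/SAVP 8\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:%s\r\n" % SAMPLE_KEY
```

Running check_srtp_offer over the SDP of each outgoing INVITE before it leaves the box catches the NAT/STUN rewrite case in this thread, where the second INVITE is fine but the first one still goes out as RTP/AVP with a key attached.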

Modified by Apr 25 2009 * 05:22
  • Status: changed from Open to Fixed

Seems to work ok with one of the DE providers supporting it, anyway.