cisco / libsrtp

Library for SRTP (Secure Realtime Transport Protocol)

Writeup of when Openssl is required, and which operations/modes are affected? #620

Closed cameronelliott closed 1 year ago

cameronelliott commented 1 year ago

Update:

I didn't really understand how ./configure --open-ssl affected both AES CM and AES GCM behavior. I did some testing/benchmarking and summarized what I learned in a comment further down: https://github.com/cisco/libsrtp/issues/620#issuecomment-1331439669

Maybe I overlooked the docs explaining how ./configure --open-ssl affects the library performance/support, but if not, I could offer to update/PR the Readme, or create a new .md that explains a little about ./configure --open-ssl in relation to both AES-CM and AES-GCM.

Thanks!! Cameron

----- old text: poor, incorrect understanding of ./configure --open-ssl -----

Would @pabuhler or another contributor consider writing a summary of how and when Openssl is needed or used with libsrtp?

It seems like it might have been needed for AES GCM, for example: warning about AES GCM

But it seems it is not required these days for AES GCM, I believe I have done some GCM testing using libsrtp without openssl.

I think the openssl flag would be clearer to outsiders if we had two things:

  1. An explanation of what, if any, operations/modes cannot be performed without the --enable-openssl flag.
  2. An explanation of which internal-libsrtp code will be switched to openssl code with the --enable-openssl flag. (for example, my testing/timing indicates AES GCM can be done both internally in libsrtp, or using openssl)

If we had a short writeup, it would be great to have it linked from the Readme or even inside the Readme.

I don't know enough to write this up, but let me know if I could help somehow. Maybe a review or comments.

cameronelliott commented 1 year ago

For example, this is an area of confusion for me, especially since the libsrtp codebase seems to currently contain warnings about the use of GCM requiring --enable-openssl. warning link

It seems many or all of these operations did require --enable-openssl (in older versions of libsrtp?), but that no longer seems to be true, as maybe libsrtp was enhanced to contain all these?

        aes_cm_192_hmac_sha1_80
        aes_cm_192_hmac_sha1_32
        aes_cm_192_null_auth
        aes_gcm_128_8_auth
        aes_gcm_256_8_auth
        aes_gcm_128_8_only_auth
        aes_gcm_256_8_only_auth
        aes_gcm_128_16_auth
        aes_gcm_256_16_auth

So, I'm scratching my head wondering, "if all these methods are now included in libsrtp", what is the purpose or function of linking or enabling Openssl? Thanks

cameronelliott commented 1 year ago

OK, so I have done some more homework, and I'm back! Here is what I have discovered:

  - Using AES CM protect without ./configure --open-ssl : will link & work, but is relatively slower (~~10x slower)
  - Using AES CM protect with ./configure --open-ssl : will link & work, but is relatively faster (~~10x faster)
  - Using AES GCM protect without ./configure --open-ssl : will link, but fail at srtp_create(&session, &policy)
  - Using AES GCM protect with ./configure --open-ssl : will link & work

I haven't really explored the 192 bit options.

Please feel free to close this issue.

pabuhler commented 1 year ago

Will follow up on this and update ReadMe next week

pabuhler commented 1 year ago

Have added some comments; probably could do more, input welcome.