cisco / libsrtp

Library for SRTP (Secure Realtime Transport Protocol)

Return codes when calling unprotect #708

Closed MCFHTAGENTS closed 1 month ago

MCFHTAGENTS commented 2 months ago

Hi, Please can someone point me at the documentation for return codes when calling unprotect? I see a 10 and a 160 but can't explain what they relate to and which end of a link might be at fault? I have located https://github.com/cisco/libsrtp/blob/main/include/srtp.h

 @return
 *    - srtp_err_status_ok          if the RTCP packet is valid.
 *    - srtp_err_status_auth_fail   if the SRTCP packet failed the message
 *                             authentication check.
 *    - srtp_err_status_replay_fail if the SRTCP packet is a replay (e.g. has
 *                             already been processed and accepted).
 *    - srtp_err_status_bad_mki     if the MKI in the packet is not a known MKI
 *                                  id
 *    - [other]  if there has been an error in the cryptographic mechanisms.

160 falls into the other category - where is this documented?

Thank you

pabuhler commented 2 months ago

Hi @MCFHTAGENTS ,

I think all return values should be one of the srtp_err_status_xxx, I will try to track down where this 160 comes from. The documentation should also be updated, my understanding here is that it could be another value from the srtp_err_status_xxx list.

What version and configuration of libSRTP are you using? I.e. with OpenSSL or not.

MCFHTAGENTS commented 2 months ago

Thank you. Version 2.5 but embedded in Asterisk 2.7. Am not 100% sure how to evidence whether OpenSSL is in use!

pabuhler commented 2 months ago

@MCFHTAGENTS, I have looked but cannot find where the value 160 would be returned :( . As far as 10, well, that is "srtp_err_status_replay_old", which means the seq number of the current packet is determined to be too far in the past. If you have captured a sequence of packets that create the error then it might be possible to reproduce and find the cause. Are you sure the error does not come from Asterisk?

MCFHTAGENTS commented 2 months ago

Thank you https://community.freepbx.org/t/documentation-of-error-codes/96259/5 They didn’t think it was Asterisk. My current hypothesis is it’s down to one end not supporting sips properly

pabuhler commented 2 months ago

Either way I have not found anywhere where we would not return a value not from the srtp_err_status_t list so the value of 160 is still a mystery. Are any of the received packets successfully unprotected? The return value 10 is about jumps, gaps & reordering of RTP sequence numbers, not specifically related to encryption. So to understand why you get that you need to look at the sequence of RTP packets that are being received.
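
The replay check pabuhler describes for return value 10, as an added sketch that is not part of the thread and not libsrtp's own code: a 64-entry sliding window over packet indices, showing how reordering, a duplicate and a stale packet are told apart. The enum and struct names, the window size and the sample indices are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; 10 is the replay_old value discussed in the thread,
 * 9 is srtp_err_status_replay_fail in libsrtp's srtp_err_status_t. */
enum replay_result { REPLAY_OK = 0, REPLAY_FAIL = 9, REPLAY_OLD = 10 };

#define WINDOW 64 /* assumed window size for this sketch */

struct replay_window {
    uint64_t highest; /* highest packet index accepted so far */
    uint64_t seen;    /* bit i set => index (highest - i) was accepted */
    int started;
};

/* Check one extended packet index and record it if accepted. Real SRTP
 * updates the window only after authentication succeeds; merged here. */
enum replay_result replay_check(struct replay_window *w, uint64_t idx)
{
    if (!w->started || idx > w->highest) {
        uint64_t shift = w->started ? idx - w->highest : WINDOW;
        /* Shifting by >= 64 is undefined in C, so clear the map instead. */
        w->seen = (shift >= WINDOW) ? 0 : (w->seen << shift);
        w->seen |= 1;
        w->highest = idx;
        w->started = 1;
        return REPLAY_OK;
    }
    uint64_t behind = w->highest - idx;
    if (behind >= WINDOW)
        return REPLAY_OLD;   /* too far in the past to judge: code 10 */
    if (w->seen & (1ULL << behind))
        return REPLAY_FAIL;  /* already accepted once: a replay */
    w->seen |= 1ULL << behind;
    return REPLAY_OK;        /* late but new: plain reordering */
}

int main(void)
{
    /* Constructed sequence: reorder, duplicate, forward jump, stale packet. */
    const uint64_t idx[] = { 1000, 1001, 1003, 1002, 1003, 1200, 1100, 1199 };
    struct replay_window w = { 0 };
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++)
        printf("index %llu -> %d\n", (unsigned long long)idx[i],
               (int)replay_check(&w, idx[i]));
    return 0;
}
```

A large forward jump in the sender's sequence numbers moves the window, so packets still in flight from before the jump come back as 10 even though nothing is wrong with their encryption.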

MCFHTAGENTS commented 2 months ago

I would say yes. I have a full log from Asterisk and from the calling device but don't want to post it to a public forum. Agreed re 10 - am wondering if it is a consequence of the 160

MCFHTAGENTS commented 1 month ago

OK - Asterisk have confirmed the number is actually an error count not an error code. I need to confirm what is being used on the peer but am assuming it is related to SIPS not being used properly or old libraries.