hudamalmsteen / csipsimple

Automatically exported from code.google.com/p/csipsimple

Add support for ZRTP #262

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Not a bug - enhancement 

Please add ZRTP support; this allows for a more secure handling of handset-to-handset
key exchanges. Two Linux softphones I know of built on pjsip allow
SRTP and ZRTP, and allow using them at the same time.

other pjsip implementations:
http://www.sflphone.org/
http://twinklephone.com/

Original issue reported on code.google.com by wheresau...@lavabit.com on 5 Oct 2010 at 10:52

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
AFAIK, twinkle & sflphone are not built on pjsip. I've already studied their
source code and both have their own SIP implementation independent from pjsip.

However, on the pjsip mailing list somebody once talked about an existing port of
libzrtp that he did and wanted to release... But nothing was released...
The only thing I found is this project:
http://code.google.com/p/smartcryptovoip/
It seems to be recent, but having a closer look at the code, it seems to be not
really completely implemented... or maybe I missed something in the code!
In this project I see the import of pjsip & the import of a ZRTP lib... but
nothing that makes the glue between the ZRTP lib and the pjsip lib...
So I'll try to contact the author of the project to see what his
advancement is on this point.

If he doesn't support his project, he may have some good starting points for the
pjsip integration.
Anyway, yes, ZRTP is a "must have" since it is really more suitable than SRTP (ZRTP is
negotiated inside the RTP stream while SRTP is done in the SIP SDP, which makes
exchanges more complicated).
Using something existing could save me a lot of time... but if I have to code
it myself, I will.

Original comment by r3gis...@gmail.com on 7 Oct 2010 at 8:23

GoogleCodeExporter commented 9 years ago
Mhhh, finally I'm not so sure that sflphone is not based on pjsip... twinkle
that's sure.. but finally there is maybe some dependency on sflphone... I'll
dive a little bit more into their implementation :)

Original comment by r3gis...@gmail.com on 7 Oct 2010 at 8:31

GoogleCodeExporter commented 9 years ago
Well, sflphone used some parts of pjsip, but everything related to rtp / srtp &
zrtp is done on their side and that's not integrated into the pjsip-ua module:
they directly use some parts of pjsip (such as sending a sdp, sending a sip
msg) without using the wrapping object...
That's the reason why I didn't see the link with pjsip the first time I looked
at the code.
So it would be hard to integrate directly.

Original comment by r3gis...@gmail.com on 7 Oct 2010 at 9:54

GoogleCodeExporter commented 9 years ago
Sorry for the bad info.. and making it sound so easy.  r3gis.3R thanks for 
doing this research.

Original comment by wheresau...@lavabit.com on 7 Oct 2010 at 8:20

GoogleCodeExporter commented 9 years ago
zrtp on android, that would be so awesome. i'll send flowers and pizza to the 
developer if that ever becomes true! really.

Original comment by nilsjan...@gmail.com on 28 Oct 2010 at 1:56

GoogleCodeExporter commented 9 years ago
found this, thought it may help with getting things running on android

GNU ZRTP is a Java implementation of Phil Zimmermann's ZRTP specification
http://www.gnutelephony.org/index.php/GNU_ZRTP4J

it is being used by this project
http://www.sip-communicator.org/

Original comment by wheresau...@lavabit.com on 1 Nov 2010 at 5:01

GoogleCodeExporter commented 9 years ago
Also a really interesting project:
https://projects.savoirfairelinux.com/repositories/entry/sflphone/sflphone-common/src/audio/audiortp/AudioZrtpSession.cpp

They use pjsip too, but not at the user agent level (just for sip messages
treatment). But still interesting.
Besides, their project supports iax, which is also really interesting.

Original comment by r3gis...@gmail.com on 1 Nov 2010 at 5:33

GoogleCodeExporter commented 9 years ago
perhaps recruit werner? :)
http://code.google.com/p/sipdroid/issues/detail?id=63 

Original comment by nilsjan...@gmail.com on 11 Nov 2010 at 3:06

GoogleCodeExporter commented 9 years ago
great idea :)

Original comment by r3gis...@gmail.com on 11 Nov 2010 at 3:36

GoogleCodeExporter commented 9 years ago
Just to inform about the good news :
http://lists.pjsip.org/pipermail/pjsip_lists.pjsip.org/2010-November/012174.html

Werner has sent a great proposal for zrtp inside pjsip! (which indirectly means
that it could be available on CSipSimple too ;) ).

I hope that the pjsip guys will help him on the mailing list, and anyway you can
encourage the effort and say on the mailing list that it is a very interesting
improvement for the sip stack ;).

Original comment by r3gis...@gmail.com on 22 Nov 2010 at 10:16

GoogleCodeExporter commented 9 years ago
Good news #2 :

I've just made my first ZRTP call using CSipSimple + pjsip + the excellent work 
of Werner Dittmann to a twinkle phone in SIP direct (local to local).

It's with hardcoded stuff everywhere but... it worked :)...
Next step is to get the latest code organization up to date with Werner's work, 
and add the UI to allow you to accept ZRTP :)

Original comment by r3gis...@gmail.com on 7 Dec 2010 at 2:13

GoogleCodeExporter commented 9 years ago

Original comment by r3gis...@gmail.com on 8 Dec 2010 at 10:54

GoogleCodeExporter commented 9 years ago
Exciting news! Any way I can pitch in to help with the UI or testing? Just 
getting up to speed on your effort here.

Side note - I am the lead on an open-source effort to bring as many security 
features to Android as possible. So far we have Tor, OTR IM and a few others, 
and are just eager to support anyone working in this area. You can see what we 
are up to at https://guardianproject.info and find us on #guardianproject on 
freenode.

Keep up the great work and happy new year!

Original comment by nathanfr...@gmail.com on 29 Dec 2010 at 11:10

GoogleCodeExporter commented 9 years ago
Just for info, I do not forget this issue ;). I had a hard time with some hot
bugs and trying to refactor the call screen UI.
Good news is that with android 2.3 it's possible to build ZRTP with the official
NDK, which would make things easier for the future.

I'll try to introduce the very first step of ZRTP (without any UI integration) 
in future nightly builds.

Really sorry for the delay.

Original comment by r3gis...@gmail.com on 1 Feb 2011 at 7:16

GoogleCodeExporter commented 9 years ago
thanks for the update!  looking forward to testing coming nightly builds :D

Original comment by wheresau...@lavabit.com on 1 Feb 2011 at 7:36

GoogleCodeExporter commented 9 years ago
Revision 632 ships a first usable integration of ZRTP:
http://nightlies.csipsimple.com/tls/CSipSimple-r632-tls.apk

The UI is not fancy but at least it will allow you to use the great work done by Werner
on ZRTP4PJ.

Tested quickly with Twinkle on the other side and it seems to work correctly. I
did no wireshark trace to check, but had feedback from twinkle and zrtp4pj.

Known limitations for now (my bad):
 * You need an sdcard (mounted on /sdcard/)
 * Only one session at a time (anyway for "now" CSipSimple does not handle multiple calls)

Original comment by r3gis...@gmail.com on 13 Feb 2011 at 4:45

GoogleCodeExporter commented 9 years ago
I'm having trouble with this, I went and created a few fresh accounts on
create.tanstagi.net . Loaded them in both twinkle and csipsimple.  turned zrtp
on, in settings on both.  But as far as I can tell neither are using zrtp.  Is
there a particular way csipsimple needs to be configured, or is this strange and
should I be sending you my logCat..

Original comment by wheresau...@lavabit.com on 13 Feb 2011 at 5:29

GoogleCodeExporter commented 9 years ago
Oh yes sorry, forgot to say :

You have to go in settings > network > Security > on the bottom, Use ZRTP. 
Change the value of the option ;)

Original comment by r3gis...@gmail.com on 13 Feb 2011 at 6:07

GoogleCodeExporter commented 9 years ago
Hi Regis,

great stuff - thanks for integrating it. I had a quick look at the code 
(very quick indeed) and it looks great for the first shot. As Niklaus Wirth
said: program development by stepwise refinement :-) .

Regis, please keep in mind that the PJSUA callback structure/name changes as soon
as Benny implements his proposal to add transports in a more generic way. I did that
(simulated) in my sandbox, no big changes in your structure - just another name
of the pjsua callback mainly, the rest stays the same.

@comment #18: you need to enable ZRTP in Twinkle as well and make sure Twinkle uses
a decent ZRTP library, I propose to use 1.6.0. Some distributions have 0.9.0 or
1.2, 1.3. These libzrtpcpp versions will not work because the ZRTP specification
changed in the meantime. You may check your libzrtpcpp.so files.

Regards,
Werner

Original comment by werner...@googlemail.com on 13 Feb 2011 at 7:28

GoogleCodeExporter commented 9 years ago
ok, didn't get farther with twinkle.  is there any way for me to tell if zrtp at
this point by just using csipsimple between two handsets?   I have
everything (TLS, SRTP, ZRTP) turned on, on fresh csipsimple installs..  and srtp
is set to mandatory still (is this ok?).  I haven't been able to tell from my logs
if anything is working.. calls are crystal clear.. and srtp under the info
button is reporting null.  It would be great if the zrtp handshake 'shared
phrase' could be included under the info button for now.. in order to avoid
drastic overhauls to the UI.

Original comment by wheresau...@lavabit.com on 14 Feb 2011 at 12:44

GoogleCodeExporter commented 9 years ago
Yes, as I said, the UI integration for now is not what should be finally done. 

There is some ongoing refactoring on the call screen. I previously hoped to be
able to release the new UI screen before, but it took me too much time and it's
not finished yet.
As I didn't want to make you wait any longer to test ZRTP, I decided to have
this weird UI integration to allow testing while the final call screen is not
finished. But with the true support of ZRTP (when this issue is marked as
closed), the UI integration will be fancier (much more like what is done in
twinkle or sipcommunicator).

But if you get the little alert dialog and click OK, it means that
ZRTP is activated. (There is no more feedback for now when using it between two
CSipSimple -- the reason why I test between CSipSimple and Twinkle, where the
integration with the softphone gives good feedback about what is happening -
also the logs of CSipSimple can inform you about what is happening).

Just a thought: I think that you should disable SRTP when using ZRTP. I didn't
test with SRTP activated in addition to ZRTP but if you have ZRTP, you probably
don't need SRTP anymore.
Maybe Werner could confirm this point.

Original comment by r3gis...@gmail.com on 14 Feb 2011 at 7:43

GoogleCodeExporter commented 9 years ago
Yes! Werner, you are a hero. Will start testing tonight. Already switched from
sipdroid to Csipsimple. :) awesome!

Original comment by nilsjan...@gmail.com on 14 Feb 2011 at 11:19

GoogleCodeExporter commented 9 years ago
@comment 21, 22: Regis is right: the 'normal' SRTP mode, where the keys are exchanged
via SIP, must be switched off. This is what ZRTP is for: negotiating the
encryption algorithms and exchanging key data. Even the users of the call don't know the
keys, and after the call the keys are destroyed and not recoverable (unless you modify
the source to store them somewhere :-) ). When you use ZRTP you don't need SIP/TLS
(SIPS), but I recommend that also if your SIP provider supports this.

During the next days I will prepare a small ZRTP FAQ and send it to Regis so he can
put it in the Wiki.

Regards,
Werner

Original comment by werner...@googlemail.com on 14 Feb 2011 at 11:38

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
just tested the nightly CSipSimple-r632-tls.apk on a motorola defy (with
froyo) and zrtp worked. At least Twinkle said so. Yippieee!!! Thank you so much
Werner and r3gis.3R. This is a huge step.

But the ui hung already after seconds with this error: "Tut uns leid!
Aktivität CSipsimple (in Anwendung CSipSimple) reagiert nicht. [Schließen]
[Warten]" Shall i translate? And i could only hang up in twinkle, which wasn't
recognized on csipsimple. But this happened also with zrtp deactivated, so
probably not related...

Original comment by nilsjan...@gmail.com on 14 Feb 2011 at 7:39

GoogleCodeExporter commented 9 years ago
@r3gis.3R is there a way to automatically get updates for the latest nightly.apk?
I know some people who are only waiting for this feature running stable before
they get an android device...

Or which issue do i have to subscribe to if i want to get a mail when your call 
screen ui rewriting is finished? It hangs after every call now. Also the green 
active call icon in the topbar...

Original comment by nilsjan...@gmail.com on 16 Feb 2011 at 3:36

GoogleCodeExporter commented 9 years ago
I'll update the issue when something more stable is there. Unfortunately,
for now there is no other way than subscribing to the rss feed of code changes on the
google code project to get updates on the nightly build changes.

About the hang problem, did you try to reboot the phone? And make sure there is
no pending registration. I know that pjsua has a possible deadlock when you
get two simultaneous incoming sip calls (due to 2 registrations on the same
server, that could be due to a crash or a reinstall without unregistering, or due to
what is explained in the FAQ entry about two simultaneous incoming calls -> if
so the solution is explained in the FAQ).

If it is not due to that point, it could be interesting if you can describe the
scenario to reproduce to me so that I can have a look at where it goes wrong.

Original comment by r3gis...@gmail.com on 16 Feb 2011 at 3:56

GoogleCodeExporter commented 9 years ago
@r3gis.3R about comment 22,24:
Will my RTP streams still be encrypted if I disable the SRTP option when using ZRTP?

Original comment by dothangb...@gmail.com on 21 Feb 2011 at 4:47

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
@comment #29
Please refer to comment #24 - the "normal" SRTP must be disabled. This SRTP
uses keys that are exchanged via SIP and thus requires an end-to-end secure SIP,
which is a very rare case - if at all possible in the current infrastructure.

ZRTP uses its own key negotiation mechanism and switches on SRTP automatically
once the SRTP keys are available and checked.

Regards,
Werner

Original comment by werner...@googlemail.com on 21 Feb 2011 at 8:35

GoogleCodeExporter commented 9 years ago

hi r3gis.3R,
This is a great project, with TLS & ZRTP support!
Can you share the source code (and lib) of the TLS & ZRTP version?

thanks!

Original comment by nguyentr...@gmail.com on 22 Feb 2011 at 10:51

GoogleCodeExporter commented 9 years ago
@werner & r3gis.3R:
thanks, man. I have tested your zrtp implementation and the result is perfect. I
installed tcpdump on my android phone to capture data (in & out). When i disable
zrtp, i can use wireshark to replay the voice call (from captured data) and when i
enable zrtp, i only hear noise.

Original comment by dothangb...@gmail.com on 22 Feb 2011 at 11:19
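
Added example (not part of the thread, and not code from CSipSimple or ZRTP4PJ): a capture-side check for the two points made in the comments above, that ZRTP negotiates keys inside the media stream and that no SRTP keys should travel in the SIP SDP. It assumes the ZRTP packet layout of RFC 6189 and the `a=crypto` attribute of RFC 4568; the function names and sample packets are constructed for illustration.

```python
import re
import struct

ZRTP_MAGIC = 0x5A525450   # ASCII "ZRTP", magic cookie from RFC 6189 section 5
ZRTP_PREAMBLE = 0x505A    # first 16 bits of every ZRTP message


def zrtp_message_type(payload: bytes):
    """Return the ZRTP message type of a UDP payload, or None if it is not ZRTP."""
    # 12-byte packet header + at least a 12-byte message + 4-byte CRC
    if len(payload) < 28:
        return None
    first16, _seq, magic, _ssrc = struct.unpack("!HHII", payload[:12])
    if first16 != 0x1000 or magic != ZRTP_MAGIC:
        return None
    preamble, words = struct.unpack("!HH", payload[12:16])
    # The length field counts 32-bit words of the message, CRC excluded.
    if preamble != ZRTP_PREAMBLE or 12 + 4 * words + 4 != len(payload):
        return None
    return payload[16:24].decode("ascii", "replace").rstrip()


def sdes_suites(sdp: str):
    """Crypto suites whose SRTP keys are carried inline in the SDP (RFC 4568)."""
    return re.findall(r"^a=crypto:\d+ (\S+) inline:", sdp, flags=re.M)


def assess_call(sdp: str, payloads):
    """Summarise how a captured call was keyed. The ZRTP CRC is not verified."""
    seen, rtp = [], 0
    for p in payloads:
        mtype = zrtp_message_type(p)
        if mtype is not None:
            seen.append(mtype)
        elif len(p) >= 12 and p[0] >> 6 == 2:   # RTP version 2 (SRTP looks the same)
            rtp += 1
    if "Conf2ACK" in seen:          # last message of the ZRTP handshake
        verdict = "zrtp-completed"
    elif seen:                      # e.g. Hello sent but never answered
        verdict = "zrtp-attempted-only"
    else:
        verdict = "no-zrtp"
    return {"verdict": verdict, "zrtp": seen, "rtp_packets": rtp,
            "sdes_suites": sdes_suites(sdp)}


def make_zrtp(mtype: str, seq: int, ssrc: int, body: bytes = b"") -> bytes:
    """Build a constructed sample packet; the CRC field is a zero placeholder."""
    msg = struct.pack("!HH", ZRTP_PREAMBLE, 3 + len(body) // 4)
    msg += mtype.ljust(8).encode("ascii") + body
    return struct.pack("!HHII", 0x1000, seq, ZRTP_MAGIC, ssrc) + msg + b"\x00" * 4


# Constructed samples, not taken from any capture in this thread.
SAMPLE_SDP = "v=0\r\nm=audio 4000 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"
SAMPLE_RTP = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234) + b"\xff" * 160
HANDSHAKE = ["Hello", "HelloACK", "Commit", "DHPart1", "DHPart2",
             "Confirm1", "Confirm2", "Conf2ACK"]
SAMPLE_CALL = [make_zrtp(t, i, 0xCAFE) for i, t in enumerate(HANDSHAKE)]
SAMPLE_CALL.append(SAMPLE_RTP)

if __name__ == "__main__":
    print(assess_call(SAMPLE_SDP, SAMPLE_CALL))
```

In practice `payloads` would be the UDP payloads seen on the call's media ports. A `zrtp-completed` verdict together with an empty `sdes_suites` list matches the setup recommended above (ZRTP on, SDP-keyed SRTP off).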

GoogleCodeExporter commented 9 years ago
The whole code is available in csipsimple's repository, also ZRTP (and its associated
SRTP code) for PJSIP is available at github: https://github.com/wernerd/ZRTP4PJ .
Other implementations are available in Java and are also in use.

GNU ZRTP C++ and GNU ZRTP4J are the implementations for C++ and Java. PJSIP's ZRTP
is the same as GNU ZRTP C++, only C wrappers added and a PJSIP driver.

Regards,
Werner

Original comment by werner...@googlemail.com on 23 Feb 2011 at 12:27

GoogleCodeExporter commented 9 years ago
Can I suggest that it should be possible to have SRTP and ZRTP enabled?
You cannot always influence what the other party uses. Of course only one can
be used in each call, but anything is better than no encryption.

Original comment by josef.schneider on 30 Mar 2011 at 3:50

GoogleCodeExporter commented 9 years ago
Just for info regarding the status of ZRTP in general:
ZRTP is now an official IETF RFC: RFC 6189 - 

Congratulations to Phil who did it again.

Regards,
Werner

Original comment by werner...@googlemail.com on 12 Apr 2011 at 6:34

GoogleCodeExporter commented 9 years ago
Can't make zrtp work :(

In the current nightlies, using the g729 codec and activated "Create ZRTP" in
secure transport options, but when i sniff a call with wireshark i can decode
the content :(

Any tips?

Original comment by francisc...@gmail.com on 3 May 2011 at 12:56

GoogleCodeExporter commented 9 years ago
Same here. Installed the latest nightly, enabled ZRTP but somehow it seems not
activated. Do I mess something here?

Original comment by chhab...@gmail.com on 3 May 2011 at 4:51

GoogleCodeExporter commented 9 years ago
Thanks for the report, I'll have a look. I've maybe lost the alert popup while
refactoring the ui.

Original comment by r3gis...@gmail.com on 3 May 2011 at 7:01

GoogleCodeExporter commented 9 years ago
please post updates here if you get the problem fixed :-)

also, it would be nice to have a stable release that has ZRTP

btw, great work with csipsimple :-)

Original comment by francisc...@gmail.com on 3 May 2011 at 9:44

GoogleCodeExporter commented 9 years ago
Revision 825 re-integrates the ZRTP popup dialog to the call screen.
It will be built tonight, let me know how it goes.

Original comment by r3gis...@gmail.com on 3 May 2011 at 10:08

GoogleCodeExporter commented 9 years ago
unfortunately, i have never seen the ZRTP popup dialog but i just tested r825 
and it's similar behavior to the previous nightlies.

although I haven't been able to sniff the traffic right now to check if it's 
encrypted, when I select "create ZRTP" it just does nothing and in-call there 
is no sign of ZRTP presence.

I'm going to try and sniff the traffic but I think the changes weren't
effective as i suppose i should see ZRTP related dialogs, even in the options,
which i don't :(

Cheers

Original comment by francisc...@gmail.com on 4 May 2011 at 7:34

GoogleCodeExporter commented 9 years ago
can you tell me which was the last release with working zrtp? I want to 
wireshark it
Thanks

Original comment by miklosb...@gmail.com on 5 May 2011 at 10:29

GoogleCodeExporter commented 9 years ago
r829 should work (http://nightlies.csipsimple.com/tls/). At least I did a test
yesterday and it was working.
Normally if both sides support ZRTP a popup should appear that allows you to
confirm the SAS.

For now there is no other visual feedback but it should be enough to give you
feedback about the fact that ZRTP is taken into account once you press OK on this
popup.

Just an additional note: do not hold the call, else it will not work after
retrieve. And do not make multiple calls at the same time (no conference with ZRTP
yet).

Original comment by r3gis...@gmail.com on 5 May 2011 at 11:30

GoogleCodeExporter commented 9 years ago
I just tried it between a nexus s and a htc desire with the r829, and I couldn't
manage to get the popup. I'm using a self-configured asterisk server placed in a
university network. As far as I know, for zrtp there's no need to configure
anything extra in asterisk. Am I right?

Do you have any suggestion? For example can you give me some step-by-step guide
to the setup that enables using it? (who knows, probably I forgot to set
something up)

Original comment by miklosb...@gmail.com on 5 May 2011 at 12:10

GoogleCodeExporter commented 9 years ago
I confirm that ZRTP is working now, I even sniffed in Wireshark to compare.

but I now have a weird issue that I'm not sure if it's csipsimple related.

i have 2 phones that are exactly the same, even the same firmware (from stock) 
and same customizations. On the network menu, one phone has the "Secure 
transport" submenu and the other one doesn't.

both of them have the r829-tls branch installed :-(

@miklos did you go to "Settings" -> "Network" -> "Secure Transport" -> "ZRTP 
Mode" -> select "Create ZRTP" and that should be enough.

Original comment by francisc...@gmail.com on 5 May 2011 at 6:17

GoogleCodeExporter commented 9 years ago
I just found out the solution to my problem, if by some chance you don't see 
the "Secure Transport" option. try and configure a valid SIP account somewhere 
and when the account is "registered" on the sip server, that option on the menu 
WILL show up.

also, make sure SRTP is disabled.

build r829-tls worked fine.

ZRTP+G.729 works wonders :-) csipsimple rox!

Original comment by francisc...@gmail.com on 5 May 2011 at 6:50

GoogleCodeExporter commented 9 years ago
@miklos

Be careful if Asterisk is somehow in the media communication (RTP) path. Most often
Asterisk modifies the RTP packets or even encodes/decodes them. ZRTP requires a
transparent end-to-end RTP connection, no intermediate system shall deal with the
RTP packets - only forward them.

Regards,
Werner

Original comment by werner...@googlemail.com on 6 May 2011 at 11:04

GoogleCodeExporter commented 9 years ago
Tested ZRTP and it works, I didn't find any issue. But I have a question: can 
you change the "Settings" -> "Network" -> "Secure Transport" -> "ZRTP Mode" 
menu so that we can choose between "Disabled", "Optional" and "Mandatory"?

This would be nice 1) for consistency with the "SRTP Mode" and 2) because users 
can have mandatory encryption if they want it.

Original comment by jtaylor...@gmail.com on 7 May 2011 at 3:03