crypto suites AES_CM_256_HMAC_SHA1_80 & AEAD_AES_256_GCM_8 is not being processed correctly

[vbog1]

The problem I wrote here is not fixed in version 1.10.6. Freeswitch does not include line "a=crypto:" in SDP if "rtp_secure_media_suites=AES_CM_256_HMAC_SHA1_80" (or AEAD_AES_256_GCM_8) is set in dialplan. INVALID SUITE SUPPLIED

send 1156 bytes to tls/[2a02:2f8:2:3::40]:5061 at 13:29:07.748410:
------------------------------------------------------------------------
INVITE sip:00000@sipnet.ru:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS [2a02:1c41:3e5a:6a7b::3]:5061;branch=z9hG4bK0e756m968m9ZB
Max-Forwards: 69
From: "00********" <sip:00********@sipnet.ru>;tag=rKyrK50gec8rQ
To: <sip:00000@sipnet.ru:5061>
Call-ID: abab76f0-581e-123a-79a4-00003e4d9b7a
CSeq: 38186681 INVITE
Contact: <sip:gw+sipnet_ipv6@[2a02:1c41:3e5a:6a7b::3]:5061;transport=tls;gw=sipnet_ipv6>
User-Agent: FreeSWITCH-mod_sofia/1.10.6-release+git~20210325T131609Z~1ff9d0a60e~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, outbound, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 265
X-FS-Support: update_display,send_info
Remote-Party-ID: "00********" <sip:00********@sipnet.ru>;party=calling;screen=yes;privacy=off

v=0
o=FreeSWITCH 1625458911 1625458912 IN IP6 2a02:1c41:3e5a:6a7b::3
s=FreeSWITCH
c=IN IP6 2a02:1c41:3e5a:6a7b::3
t=0 0
m=audio 22036 RTP/SAVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20

[vbog1]

This is the most unusual case I've seen before. I rewrote the dialplan as follows

<extension name="sipnet_test">
          <condition field="destination_number" expression="^5(00000|00)$">
               <action application="set" data="effective_caller_id_name=0012345678"/>
               <action application="set" data="effective_caller_id_number=0012345678"/>
               <action application="export" data="absolute_codec_string=PCMA,PCMU"/>
               <action application="export" data="rtp_secure_media=mandatory:AES_CM_128_HMAC_SHA1_80:AEAD_AES_256_GCM_8"/>
               <action application="bridge" data="sofia/gateway/sipnet_ipv6/$1"/>
          </condition>
</extension>

and FreeSwich started to include the line "a=crypto: 1 AEAD_AES_256_GCM_8" in the SDP. I didn't make any more changes.

2021-07-11 08:58:12.817579 [DEBUG] sofia_glue.c:1624 sofia/sipnet-ipv6/00000 sending invite version: 1.10.6-release git 1ff9d0a 2021-03-25 13:16:09Z 64bit
Local SDP:
v=0
o=FreeSWITCH 1625950786 1625950787 IN IP6 2a02:1c41:3e5a:6a7b::3
s=FreeSWITCH
c=IN IP6 2a02:1c41:3e5a:6a7b::3
t=0 0
m=audio 32306 RTP/SAVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:FXD6qrhVugkvVitP8oJcPIFkWo3a2SJsmCZnb+ux
a=crypto:1 AEAD_AES_256_GCM_8 inline:SC0xbPLWan2gC2jNqCohFU3hDXfETwNtz5SYYyWYGynyHUYUeNlttM14tkA=
a=ptime:20
a=sendrecv

The previous dialplan was like this

<extension name="sipnet_test">
      <condition field="destination_number" expression="^5(00000|00)$">
               <action application="export" data="nolocal:absolute_codec_string=PCMA,PCMU"/>
               <action application="set" data="rtp_secure_media=mandatory:AES_CM_128_HMAC_SHA1_80"/>
               <action application="export" data="nolocal:rtp_secure_media=mandatory"/>
               <action application="export" data="nolocal:rtp_secure_media_suites=AES_CM_256_HMAC_SHA1_80"/>
               <action application="bridge" data="{ignore_sdp_ice=true}[sip_cid_type=pid]sofia/gateway/sipnet_ipv6/$1"/>
       </condition>
</extension>

I don't see any fatal errors here.

[nathanleyton]

We are also facing this issue.

[Absolute93]

The fix is to use AES_256_CM_HMAC_SHA180 instead of AESCM_256_HMAC_SHA1_80, the docu is just wrong.