sipwise / rtpengine

The Sipwise media proxy for Kamailio
GNU General Public License v3.0

Problem with SRTP negotiation between rtpengine and Cisco #1220

Closed kertor closed 3 years ago

kertor commented 3 years ago

Hello! I have a problem with SRTP negotiation between rtpengine and Cisco.

1) rtpengine processes the offer (initial INVITE from Cisco) with crypto parameters:

a=crypto:1 AEAD_AES_256_GCM inline:aJf7nhxitD0igClOgk4SdfHd+w7o1RvJANngkS6gj1/XP7v2DtwoxJwdygo=

aJf7nhxitD0igClOgk4SdfHd+w7o1RvJANngkS6gj1/XP7v2DtwoxJwdygo= in binary representation has 480 bits:

So we can do a clear base64 decode operation, because 480 / 6 = 80.

2) rtpengine processes the answer (180 response to Cisco) and adds this crypto suite in the SDP:

a=crypto:1 AEAD_AES_256_GCM inline:IgAD5nXmg8I9I70aTx1+W7xZLSSkZU+UbGkFu9IXjpzERSQ2AgRivWPR+4c|2^31

IgAD5nXmg8I9I70aTx1+W7xZLSSkZU+UbGkFu9IXjpzERSQ2AgRivWPR+4c in binary representation has 472 bits:

And here we cannot do a clear base64 decode operation, because 472 / 6 = 78.666..

Looks like Cisco wants to do a clear base64 decode operation. As far as I understand, rtpengine did not add the padding symbol at the end of the encoded "key+salt" data.

I can provide rtpengine logs and a pcap file directly to you, if you need them.

OS is: "Ubuntu 20.04.2 LTS".
rtpengine version: 9.4.0.0~20210303~def813c-1 git-master-def813cf

Could you check, please? Thank you!

rfuchs commented 3 years ago

Add pad-crypto option (or SDES=pad) to work around this.

kertor commented 3 years ago

Thank you, all works perfect!
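
The padding difference discussed in this thread, as an added example (not code from the issue or from rtpengine): a Python check that parses an `a=crypto` line and reports whether its inline key survives a strict base64 decoder and has the key+salt length the suite expects. The function names, the suite table and the sample key (bytes 0..43) are constructed for illustration.

```python
import base64
import binascii

# Master key + master salt length in bytes per SDES suite
# (RFC 4568 and RFC 6188 for AES_CM, RFC 7714 for AEAD GCM).
KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16 + 14,
    "AES_CM_128_HMAC_SHA1_32": 16 + 14,
    "AES_256_CM_HMAC_SHA1_80": 32 + 14,
    "AEAD_AES_128_GCM": 16 + 12,
    "AEAD_AES_256_GCM": 32 + 12,
}

def _decode(b64, strict):
    """Decode base64; a lenient decode restores missing '=' padding first."""
    if not strict:
        b64 += "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None

def inspect_crypto(line):
    """Report how the inline key of one a=crypto attribute decodes."""
    fields = line.strip().split()
    if len(fields) < 3 or not fields[0].startswith("a=crypto:"):
        raise ValueError("not an a=crypto attribute")
    suite = fields[1]
    method, _, key_info = fields[2].partition(":")
    if method != "inline":
        raise ValueError("unsupported key method: " + method)
    b64 = key_info.split("|", 1)[0]      # drop optional |lifetime|MKI:len
    strict = _decode(b64, strict=True)   # what a padding-strict peer does
    lenient = _decode(b64, strict=False)
    return {
        "suite": suite,
        "strict_ok": strict is not None,
        "missing_pad": (-len(b64)) % 4 if strict is None and lenient else 0,
        "length_ok": lenient is not None
                     and len(lenient) == KEY_SALT_LEN.get(suite),
    }

# Constructed sample key material: 44 bytes for AEAD_AES_256_GCM.
_PADDED = base64.b64encode(bytes(range(44))).decode()
PADDED_LINE = "a=crypto:1 AEAD_AES_256_GCM inline:" + _PADDED
UNPADDED_LINE = PADDED_LINE.rstrip("=") + "|2^31"

if __name__ == "__main__":
    for sample in (PADDED_LINE, UNPADDED_LINE):
        print(inspect_crypto(sample))
```

The 30-byte key+salt of the AES_CM_128 suites encodes to exactly 40 characters with no padding, so the difference only shows up with suites whose key+salt length is not a multiple of 3 bytes.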