Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: mod_sofia, RTP
    • Security Level: public
    • Labels:
      None
    • CPU Architecture:
      x86
    • Kernel:
      Linux
    • Userland:
      GNU/Linux
    • Compiler:
      gcc
    • FreeSWITCH GIT Revision:
      All
    • GIT Master Revision hash:
      Yes

      Description

      When libsrtp can be updated to use openssl and a version of libsrtp that supports AES-GCM:

      http://jira.freeswitch.org/browse/FS-5422

      FreeSWITCH will already be able to realize some performance improvements with CPUs that support AES-NI. However, the real win is using AES-GCM mode:

      https://github.com/cisco/libsrtp/pull/34

      http://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-10

      https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf

      I'm told there is already a patch to implement this for pjsip. It would be nice to get this implemented in FreeSWITCH as well.
      1. aead_aes_gcm.patch
        5 kB
        Kristian Kielhofner
      2. freeswitch_gcm.patch
        5 kB
        Kristian Kielhofner
      3. jfoley-pjsip-aead_aes-crypto-suites.patch
        0.9 kB
        Kristian Kielhofner
      4. pjsip_gcm.patch
        3 kB
        John Foley
      5. pjsip-jfigus-128_only.patch
        2 kB
        Kristian Kielhofner

        Activity

        brian Brian West added a comment -
        Test and let us know how you like this.

        /b
        krisk Kristian Kielhofner added a comment -
        Looks good, even selecting the offer on inbound using late negotiation works. I have noticed that the "big AES" crypto suites (192/256) seem broken in this version of pjsip, not sure what's up with that but I was able to successfully test AEAD_AES_256_GCM_8, AEAD_AES_128_GCM_8, AES_CM_128_HMAC_SHA1_80, and AES_CM_128_HMAC_SHA1_32.
        brian Brian West added a comment -
        Do you happen to know anything besides PJSIP that can do the "big AES" suites? I'll have to try those out, we for sure tested the original two again and the two AES_*_GCM methods added.

        /b
        krisk Kristian Kielhofner added a comment -
        Unfortunately I do not know of any other implementations.
        jfigus John Foley added a comment -
        It looks like my PJSIP fork had dyslexic SDES values for RFC6188 too (big AES). Sorry about that. Check my PJSIP fork for the fix. In my defense, they changed the convention between RFC4568 and RFC6188 when registering the crypto suite values with IANA.
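
        An added example, not part of any comment above and not code from FreeSWITCH, libsrtp or PJSIP: a Python check for SDES `a=crypto` lines that validates the suite name and the inline key length, and flags 192/256-bit suite names written in the RFC 4568 token order instead of the RFC 6188 order. The function names are hypothetical, the kind of transposition it looks for is an assumption, and the 12-byte salt for the `_GCM_8` names used in this ticket is taken from the AES-GCM SRTP draft.

```python
import base64
import re

# Suite name -> (master key bytes, master salt bytes).
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),  # RFC 4568: CM before key size
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "AES_192_CM_HMAC_SHA1_80": (24, 14),  # RFC 6188: key size before CM
    "AES_192_CM_HMAC_SHA1_32": (24, 14),
    "AES_256_CM_HMAC_SHA1_80": (32, 14),
    "AES_256_CM_HMAC_SHA1_32": (32, 14),
    "AEAD_AES_128_GCM_8": (16, 12),       # names as tested in this ticket
    "AEAD_AES_256_GCM_8": (32, 12),
}

LINE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")
# Assumption: a "big AES" name spelled with the RFC 4568 token order.
SWAPPED = re.compile(r"^AES_CM_(192|256)_HMAC_SHA1_(80|32)$")

def check_crypto_line(line):
    """Return (status, detail) for one SDP a=crypto attribute."""
    m = LINE.match(line.strip())
    if not m:
        return ("malformed", "not an a=crypto line with an inline key")
    suite, b64 = m.group(2), m.group(3)
    swapped = SWAPPED.match(suite)
    if swapped:
        return ("transposed", "AES_%s_CM_HMAC_SHA1_%s" % swapped.groups())
    if suite not in SUITES:
        return ("unknown-suite", suite)
    want = sum(SUITES[suite])  # key and salt are concatenated before base64
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return ("bad-key", "inline value is not valid base64")
    if len(raw) != want:
        return ("bad-key", "expected %d bytes, got %d" % (want, len(raw)))
    return ("ok", suite)

def sample_line(suite, nbytes):
    """Build a constructed a=crypto line with nbytes of dummy key material."""
    key = base64.b64encode(bytes(range(nbytes))).decode()
    return "a=crypto:1 %s inline:%s" % (suite, key)
```
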

          People

          • Assignee:
            anthm Anthony Minessale II
            Reporter:
            krisk Kristian Kielhofner
          • Votes:
            0
            Watchers:
            6
