<div>Bugs get filed at <a href="https://feeeswitch.org/jira">https://feeeswitch.org/jira</a> </div><div><br></div><div>If this is an issue in upstream libsrtp please file it to them as well. I'm going to be updating libsrtp soon so we should address this as soon as possible so they have a chance to get a new libsrtp release out with the fix.</div><div><br><div class="gmail_quote"><div>On Sun, Mar 5, 2017 at 3:56 PM Richard Chan &lt;<a href="mailto:richard@treeboxsolutions.com">richard@treeboxsolutions.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg"><div class="gmail_msg">RFC-6188 violation when FreeSWITCH is compiled with libs/srtp to use OpenSSL?</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">The cipher_id_type_t is set to AES_256_ICM, (if OpenSSL is NOT used then the cipher_id_type_t is set to AES_ICM).<br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">This means that in srtp.c: srtp_protect_rtcp() and srtp_unprotect_rtcp() the wrong code path will be chosen for the ICM nonce and keystream will be reused on consecutive RTCP packets.</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">srtp_protect_rtcp() also srtp_unprotect_rtcp():</div><div class="gmail_msg"><div class="gmail_msg"> /* </div><div class="gmail_msg"> * if we're using rindael counter mode, set nonce and seq </div><div class="gmail_msg"> */</div><div class="gmail_msg"> if (stream->rtcp_cipher->type->id == AES_ICM) {</div><div class="gmail_msg"> v128_t iv;</div><div class="gmail_msg"> </div><div class="gmail_msg"> iv.v32[0] = 0;</div></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">As a result FS 1.6.15 is generating invalid SRTCP packets when AES-256 is being used (and libs/srtp is compiled to use 
OpenSSL).</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">Note: RTP explicitly checks for AES_ICM and AES_256_ICM so it is not affected. It will be affected if AES-192 is chosen. This also seems to be in upstream.</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"></div>-- <br class="gmail_msg"><div class="m_-403994607154124473gmail_signature gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><font color="#000000" face="Droid Sans" class="gmail_msg"><span style="font-size:15px" class="gmail_msg">Richard Chan</span></font></div><div class="gmail_msg"><br class="gmail_msg"></div></div></div></div>
</div>
</blockquote></div></div>
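<div>The dispatch problem reported in the thread, as an added example that is not part of the original mails and is not libsrtp's code: it compares the quoted <code>== AES_ICM</code> check with a check covering every counter-mode id, and builds the per-packet IV from RFC 3711 section 4.1.1. The <code>ex_</code> enum values, the salt, the SSRC and the "IV never advances" model of the missed path are assumptions constructed for the example.</div>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ids for this example; not libsrtp's numeric values. */
typedef enum { EX_NULL_CIPHER, EX_AES_ICM, EX_AES_192_ICM, EX_AES_256_ICM } ex_cipher_id;

/* Dispatch as quoted in the mail: only the AES-128 id takes the ICM path. */
static int quoted_check(ex_cipher_id id) { return id == EX_AES_ICM; }

/* Key-size-independent dispatch: every counter-mode id takes the ICM path. */
static int icm_check(ex_cipher_id id) {
    return id == EX_AES_ICM || id == EX_AES_192_ICM || id == EX_AES_256_ICM;
}

/* RFC 3711 section 4.1.1: IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16).
 * salt is the 112-bit session salt, index the SRTCP index.
 * Bytes 14..15 stay zero; they are the per-block counter. */
static void srtcp_icm_iv(const uint8_t salt[14], uint32_t ssrc,
                         uint32_t index, uint8_t iv[16]) {
    memset(iv, 0, 16);
    memcpy(iv, salt, 14);
    for (int b = 0; b < 4; b++) {
        iv[4 + b]  ^= (uint8_t)(ssrc  >> (24 - 8 * b));  /* bits 64..95 */
        iv[10 + b] ^= (uint8_t)(index >> (24 - 8 * b));  /* bits 16..47 */
    }
}

/* Returns 1 when SRTCP packets with index 1 and 2 get distinct IVs.
 * Simplification (assumption): when the check misses, the IV is modelled
 * as never being advanced, matching the keystream reuse the mail reports. */
static int consecutive_ivs_differ(int (*check)(ex_cipher_id), ex_cipher_id id) {
    static const uint8_t salt[14] = { 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6,
                                      0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad };
    const uint32_t ssrc = 0x11223344u;          /* constructed sample SSRC */
    uint8_t first[16] = { 0 }, second[16] = { 0 };
    if (check(id)) {
        srtcp_icm_iv(salt, ssrc, 1, first);
        srtcp_icm_iv(salt, ssrc, 2, second);
    }
    return memcmp(first, second, 16) != 0;
}

int main(void) {
    printf("quoted check, AES-128: %d\n", consecutive_ivs_differ(quoted_check, EX_AES_ICM));
    printf("quoted check, AES-256: %d\n", consecutive_ivs_differ(quoted_check, EX_AES_256_ICM));
    printf("icm check,    AES-256: %d\n", consecutive_ivs_differ(icm_check, EX_AES_256_ICM));
    return 0;
}
```

<div>A regression test for any cipher-id dispatch of this kind can assert that two consecutive SRTCP indices never produce the same IV for each negotiated key size.</div>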