AES-192 (ICM) approach B #170
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
enable AES-192 and AES-256 for SRTCP
allow AES_256_ICM as policy cipher_type prominent examples like jfigus/PJSIP@eb1b22c suggest that usage, therefore allow it backport of b8cb577
|
Prefer this approach as it is more consistent with rest of code for now. |
|
Hi @traud , any chance of get this this against master? We are planing on a 2.1 release and would be good to get it in. If I don't hear back soon I might try to apply to master myself. |
|
It would be good if test code was added for AES-192. There is a test for 256 (srtp_validate_aes_256()) and having a version for 192 would be good. |
pabuhler
pushed a commit
to pabuhler/libsrtp
that referenced
this pull request
Feb 21, 2017
Apply pull request cisco#170 on to master
|
Fine. There should be a release note that AES-192 only works with libSRTP 2.1 or newer; and only when OpenSSL was configured. Furthermore, there should be a note with the next libSRTP 1.5.x that AES-192 does not work with that. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the original libSRTP (without OpenSSL), support for AES-256 was added in May 2010 with commit 5df951a, but AES-192 was not implemented (see
crypto/cipher/aes.c:aes_expand_encryption_key). Since 2013 with OpenSSL enabled (see pull request #34), libSRTP supports AES-192 as well. Or stated differently:If you want the crypto suite
AES_192_CM_HMAC_SHA1_80in your VoIP application, you have to go for./configure --enable-opensslotherwise, just AES-256 and AES-128 work. As a side-effect, you get AES-NI and AES-GCM.
Even with the current source code, AES-192 works only between VoIP applications which use the same library (for example locally on the same computer). I did not squash the two commits on purpose, hopefully to make the overall pull request easier to understand.
This is approach/alternative B to solve this issue. Because I am just a contributor and not a member of the team, I cannot decide whether the approach A or B is the correct one. If you do not like the other approach A, please, consider this simpler change-set here for inclusion, especially because several VoIP/SIP clients leverage AES-192 already (like Acrobits Groundwire and Media5-fone).