SDES key mismatch #2726

Closed
adigeo opened this issue Jul 5, 2021 · 7 comments

adigeo commented Jul 5, 2021

SDP offer from outside (Blink SIP client)

a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:PFCjc9NibGzxCMyO2/bYWGfY2og2/jNTZggkVDfBA7ge3/cnw3Ut4SfslzPjmA==
a=crypto:2 AES_256_CM_HMAC_SHA1_32 inline:dvMYLB+oPGqfuId3VCW7Cderg3jcscK2LPvcx1tJQaHSPf468mGVL2R0AyJaCg==
a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:1m2Zz8946vM0C0tFXRhf0zWLKymH507MoL99d8TD
a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:ZaLtdcssRkMO+jtRqRWcng1MkTbhYRCJuS8T9/BF

SDP answer (Janus/Sofia plugin)

a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WaYm9EyO2YB5o+tXTLpC6UwP+4xSJCgH3FnEIzOI

The crypto line should match the offer (notice the "1" instead of the correct 3); the line should read:

a=crypto:3 AES_CM_128...

Member

lminiero commented Jul 5, 2021

Yeah it looks like we have 1 hardcoded in a couple of places:

https://github.com/meetecho/janus-gateway/blob/master/plugins/janus_sip.c#L6111
https://github.com/meetecho/janus-gateway/blob/master/plugins/janus_sip.c#L6120

so that would need to be fixed. Do you have a SIPp script that we can use to replicate the issue, to verify it works if/when we come up with a fix?
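The tag handling discussed above, as an added example that is not Janus code and not part of the original thread: per RFC 4568, the answer's a=crypto line carries the tag of the offered line it accepts. The supported-suite list, function names and placeholder keys are assumptions; the sample offer is constructed from the tags and suites in the report.

```c
#include <stdio.h>
#include <string.h>

/* Suites the answerer supports (assumed for this example). */
static const char *supported[] = { "AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32" };

/* Constructed offer: same tags and suites as the report, placeholder keys. */
static const char *SAMPLE_OFFER =
    "a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_1\r\n"
    "a=crypto:2 AES_256_CM_HMAC_SHA1_32 inline:PLACEHOLDER_KEY_2\r\n"
    "a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_3\r\n"
    "a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDER_KEY_4\r\n";

/* Return the tag of the first offered a=crypto line whose suite is supported,
 * copying the suite name into `suite`; return -1 if nothing is in common. */
int select_offered_crypto(const char *offer, char *suite, size_t len) {
    const char *p = offer;
    while (p && *p) {
        int tag; char name[64];
        if (sscanf(p, "a=crypto:%9d %63s", &tag, name) == 2 && tag >= 0) {
            for (size_t i = 0; i < sizeof(supported) / sizeof(supported[0]); i++) {
                if (strcmp(name, supported[i]) == 0 && strlen(name) < len) {
                    strcpy(suite, name);
                    return tag;
                }
            }
        }
        p = strchr(p, '\n');   /* advance to the start of the next SDP line */
        if (p) p++;
    }
    return -1;
}

/* Build the answer's crypto line, echoing the offered tag instead of a fixed 1.
 * Returns the tag used, or -1 when no line should be added to the answer. */
int build_answer_crypto(const char *offer, const char *key_b64, char *out, size_t outlen) {
    char suite[64];
    int tag = select_offered_crypto(offer, suite, sizeof(suite));
    if (tag < 0) return -1;
    int n = snprintf(out, outlen, "a=crypto:%d %s inline:%s", tag, suite, key_b64);
    return (n > 0 && (size_t)n < outlen) ? tag : -1;
}

int main(void) {
    char line[160];
    if (build_answer_crypto(SAMPLE_OFFER, "PLACEHOLDER_LOCAL_KEY", line, sizeof(line)) >= 0)
        puts(line);
    return 0;
}
```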

Author

adigeo commented Jul 5, 2021

Hm, I do not know how to do it with sipp. But you can reproduce this using a SIP command-line tool which has control over the encryption types used for the SRTP stream.

Add the Debian repo depending on your distro:

https://docs-new.sipthor.net/w/debian_package_repositories/

sudo apt-get install sipclients3

Force encryption to SDES:

sip-settings3 -a set bonjour rtp.encryption.key_negotiation=sdes_optional

Then start a SIP audio session to somewhere where Janus plugin listens:

sip-audio-session3 -s username@janus_ip

You will see the SIP offer and answer in the console.

Or I can do the testing if I know where you listen?

Member

lminiero commented Jul 5, 2021

I'll work locally so my server will not be available externally. I'm not familiar with that command-line client, tomorrow I'll check if it's available on Fedora too.

Author

adigeo commented Jul 5, 2021

Something unrelated or not, perhaps.

If no SDES ciphers are commonly agreed (the 200 OK from sofia has no crypto lines) what we experience is that the calling SIP end-point can hear the web browser mic, but the web browser does not hear the SIP end-point.

Perhaps the browser always expects to have an encrypted stream? Any idea what the behaviour should be without SDES?

Member

lminiero commented Jul 6, 2021

The SRTP on the WebRTC side has nothing to do with the one on the SIP side, they're separate contexts.

Member

lminiero commented Jul 6, 2021

@adigeo please test the PR above.

Author

adigeo commented Sep 8, 2021

I have tested this and I confirm that it works.

Many thanks!
