Skip to content

extractaudio: add support for AES-192/256-CM and AES-GCM SRTP suites#176

Merged
sobomax merged 1 commit into
sippy:masterfrom
pksml85:extractaudio-srtp-suites
Jul 12, 2026
Merged

extractaudio: add support for AES-192/256-CM and AES-GCM SRTP suites#176
sobomax merged 1 commit into
sippy:masterfrom
pksml85:extractaudio-srtp-suites

Conversation

@pksml85

@pksml85 pksml85 commented Jul 11, 2026

Copy link
Copy Markdown

Summary

Extends the crypto suite table in eaud_crypto.c to support:

  • AES_192_CM_HMAC_SHA1_32 / _80
  • AES_256_CM_HMAC_SHA1_32 / _80
  • AEAD_AES_128_GCM / AEAD_AES_128_GCM_8
  • AEAD_AES_256_GCM / AEAD_AES_256_GCM_8

Previously only AES_CM_128_HMAC_SHA1_32/_80 were supported.

Implementation notes

Suites are now mapped directly to the corresponding libsrtp2 policy-setter
functions instead of hand-patching a default policy. This also fixes the
base64 key/salt length validation, which previously rejected any key
whose encoded length required standard padding (i.e. any suite whose
key+salt size isn't a multiple of 3 bytes) -- which is all of the new
suites above except the original 128-bit ones.

Testing

Applied against a real-world pair of SRTP-encrypted PCAPs
(AEAD_AES_256_GCM_8) and confirmed it produces a correctly
channel-mapped stereo output file.

Additionally validated during development via synthetic round-trip tests (encrypting test packets with libsrtp2 directly and confirming correct decryption) across one representative suite from each cipher family (128-bit CM, 192-bit CM, 256-bit GCM), plus a regression check against the original 128-bit CM suite.

Extends the crypto suite table in eaud_crypto.c to support:
  - AES_192_CM_HMAC_SHA1_32/80
  - AES_256_CM_HMAC_SHA1_32/80
  - AEAD_AES_128_GCM / AEAD_AES_128_GCM_8
  - AEAD_AES_256_GCM / AEAD_AES_256_GCM_8

Previously only AES_CM_128_HMAC_SHA1_32/80 were supported. Suites are
now mapped directly to the corresponding libsrtp2 policy-setter
functions instead of hand-patching a default policy, and the base64
key/salt length validation is fixed to correctly handle key sizes
that require standard base64 padding (anything not a multiple of 3
bytes), which the old code rejected outright.
@sobomax sobomax merged commit 630f75e into sippy:master Jul 12, 2026
93 checks passed
@sobomax

sobomax commented Jul 12, 2026

Copy link
Copy Markdown
Member

@pksml85 thanks for submission! Would be nice if you can make a follow-up PR with some pre-captured test recording using newly supported algorithms to extend tests/extractaudio.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants