[Secure-testing-team] Bug#793971: asterisk: should use SP800-90 compliant DRBG, not libsrtp crypto_get_random()
Jonas Smedegaard
dr at jones.dk
Wed Jul 29 13:34:26 UTC 2015
Package: asterisk
Severity: important
Tags: security
Asterisk uses the libsrtp crypto_get_random() call in res_srtp.c:
https://sources.debian.net/src/asterisk/1:13.1.0~dfsg-1.1/res/res_srtp.c/?hl=308#L308
The libsrtp developers will drop that call in the next major release of libsrtp:
https://github.com/cisco/libsrtp/commit/339b61d
Since the reason given is that the implementation is mediocre, it
would probably be wise - not only for future compatibility but also to
improve security - to patch (or discuss with your upstream) to use a
different source for randomness.
- Jonas