oss-sec mailing list archives

Re: CVE for crypto_get_random() from libsrtp


From: Michael Samuel <mik () miknet net>
Date: Fri, 21 Aug 2015 12:58:11 +1000

Hi,

On 11 August 2015 at 17:51, Adam Maris <amaris () redhat com> wrote:

> The weakest method it provides uses no encryption at all, just HMAC-SHA1
> with 80 bit authentication tag:
>
> http://srtp.sourcearchive.com/documentation/1.4.2.dfsg/group__SRTP_g94d0056e812802ac2920aa474bc5b59b.html


That's only for SRTP packets - the PRNG itself seems not obviously broken
(again - unless it's used by multiple threads).

Regards,
  Michael
