[asterisk-bugs] [JIRA] (ASTERISK-26979) [RTCP-MUX] / WebRTC - SRTP unprotect failed with authentication failure 10 or 110

Javier Riveros (JIRA) noreply at issues.asterisk.org
Wed May 3 13:27:57 CDT 2017


     [ https://issues.asterisk.org/jira/browse/ASTERISK-26979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Javier Riveros  updated ASTERISK-26979:
---------------------------------------

    Description: 
As soon as I try RTCP-MUX in WebRTC-land, I start getting these warnings.

I took a look at the srtp library and the libsrtp error err_status_auth_fail (see crypto/include/err.h, enum err_status_t) for version 1.5.x. It usually means that a wrong key is used to decrypt or a packet is modified after encryption (so the computed auth tag doesn't match the one from the packet), normally an "authentication failure".

So in Asterisk it looks like this warning is being fired on 10 packets or 110 packets
in res_srtp.c.

{code}
if (res != err_status_ok && res != err_status_replay_fail ) {
                if ((srtp->warned >= 10) && !((srtp->warned - 10) % 100)) {
                        ast_log(AST_LOG_WARNING, "SRTP unprotect failed with: %s %d\n", srtp_errstr(res), srtp->warned);
                        srtp->warned = 11;
                } else {
                        srtp->warned++;
                }
                errno = EAGAIN;
                return -1;
        }
{code}

Call example.

ASTERISK (tcp)-> (tcp) SIP-proxy (WS) -> (WS) WebRTC.

{code}
-- call starts at: 2017-05-02T17:36:35Z
-- first log (warning)

[2017-05-02 17:37:06.005] WARNING[25712] res_srtp.c: SRTP unprotect failed with: authentication failure 10

-- second log (warning)
[2017-05-02 17:41:17.601] WARNING[25712] res_srtp.c: SRTP unprotect failed with: authentication failure 110

-- call ends at
~2017-05-02T17:42:25Z
{code}

asterisk version: 13.15.0
libsrtp : libsrtp0-dev (1.5.0)
pjsip: (using pjsip bundle) v2.6
O.S : ubuntu 14.04.1
Browser: chrome 56,57,58 (windows/linux/mac)

I will attach the logs, config, packet captures.

If more info is needed let me know.

Thanks,

  was:
As soon as I try RTCP-MUX in WebRTC-land, I start getting these warnings.

I took a look at the srtp library and the libsrtp error err_status_auth_fail (see crypto/include/err.h, enum err_status_t) for version 1.5.x. It usually means that a wrong key is used to decrypt or a packet is modified after encryption (so the computed auth tag doesn't match the one from the packet), normally an "authentication failure".

So in Asterisk it looks like this warning is being fired on 10 packets or 110 packets
in res_srtp.c.

{code}
if (res != err_status_ok && res != err_status_replay_fail ) {
                if ((srtp->warned >= 10) && !((srtp->warned - 10) % 100)) {
                        ast_log(AST_LOG_WARNING, "SRTP unprotect failed with: %s %d\n", srtp_errstr(res), srtp->warned);
                        srtp->warned = 11;
                } else {
                        srtp->warned++;
                }
                errno = EAGAIN;
                return -1;
        }
{code}

Call example.

ASTERISK (tcp)-> (tcp) SIP-proxy (WS) -> (WS) WebRTC.

{code}
-- call starts at: 2017-05-02T17:36:35Z
-- first log (warning)

[2017-05-02 17:37:06.005] WARNING[25712] res_srtp.c: SRTP unprotect failed with: authentication failure 10

-- second log (warning)
[2017-05-02 17:41:17.601] WARNING[25712] res_srtp.c: SRTP unprotect failed with: authentication failure 110

-- call ends at
~2017-05-02T17:42:25Z
{code}

asterisk version: 13.15.0
libsrtp : libsrtp0-dev (1.5.0)
pjsip: (using pjsip bundle) v2.6
O.S : ubuntu 14.10
Browser: chrome 56,57,58 (windows/linux/mac)

I will attach the logs, config, packet captures.

If more info is needed let me know.

Thanks,


> [RTCP-MUX] / WebRTC - SRTP unprotect failed with authentication failure 10 or 110
> ---------------------------------------------------------------------------------
>
>                 Key: ASTERISK-26979
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26979
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_srtp
>    Affects Versions: 13.15.0
>            Reporter: Javier Riveros 
>            Severity: Critical
>         Attachments: Logs_config_packets_captures.zip
>



--
This message was sent by Atlassian JIRA
(v6.2#6252)
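Added example, not part of the original report or of Asterisk's code: a stand-alone C model of the warning throttle quoted from res_srtp.c, showing why the logged number is only ever 10 or 110 and how many failed unprotect calls a given number of warnings implies. The function names are hypothetical, and it assumes the `warned` counter starts at 0 and is changed only by the quoted lines.

```c
#include <stdio.h>

/* Constructed model of the quoted throttle: only the 'warned' counter is
 * kept; the libsrtp call and ast_log() are replaced by a return value.
 * Returns the number that would appear in the warning, or 0 if this
 * failure is silent. Replay failures never reach this branch. */
static int throttle_on_failure(unsigned int *warned)
{
    if ((*warned >= 10) && !((*warned - 10) % 100)) {
        int shown = (int)*warned;   /* value that reaches the log line */
        *warned = 11;               /* reset, so later logs read 110 again */
        return shown;
    }
    (*warned)++;
    return 0;
}

/* Feed 'failures' failed unprotect calls on one SRTP session through the
 * throttle. Returns how many warnings were logged; *last_shown is the
 * number printed in the most recent one (0 if none). */
int warnings_for_failures(unsigned int failures, int *last_shown)
{
    unsigned int warned = 0, i;
    int logged = 0;
    *last_shown = 0;
    for (i = 0; i < failures; i++) {
        int shown = throttle_on_failure(&warned);
        if (shown) { logged++; *last_shown = shown; }
    }
    return logged;
}

/* Inverse view for log triage: the smallest number of failed packets that
 * produces 'logged' warnings (1st at failure 11, then every 100 failures). */
unsigned int min_failures_for_warnings(unsigned int logged)
{
    return logged ? 11 + 100 * (logged - 1) : 0;
}

int main(void)
{
    int shown;
    int n = warnings_for_failures(111, &shown);
    printf("111 failures -> %d warnings, last shows %d\n", n, shown);
    printf("2 warnings -> at least %u failures\n", min_failures_for_warnings(2));
    return 0;
}
```

Under this model the two warnings in the report ("10", then "110") correspond to at least 111 and fewer than 211 authentication failures during the call, so the printed number is a throttle state, not a packet count.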


