<p>Alexander Traud has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/6523">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_srtp: lower log level of auth failures<br><br>Previously, sRTP authentication failures were reported on log level WARNING.<br>When such failures happen, each RT(C)P packet is affected, spamming the log.<br>Now, those failures are reported at log level VERBOSE 2. Furthermore, the<br>amount is further reduced (previously all two seconds, now all three seconds).<br>Additionally, the new log entry informs whether media (RTP) or statistics (RTCP)<br>are affected.<br><br>ASTERISK-16898 #close<br><br>Change-Id: I6c98d46b711f56e08655abeb01c951ab8e8d7fa0<br>---<br>M res/res_srtp.c<br>1 file changed, 19 insertions(+), 4 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/23/6523/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_srtp.c b/res/res_srtp.c<br>index caedfb6..1c8c329 100644<br>--- a/res/res_srtp.c<br>+++ b/res/res_srtp.c<br>@@ -446,11 +446,26 @@<br>     }<br> <br>  if (res != err_status_ok && res != err_status_replay_fail ) {<br>-                if ((srtp->warned >= 10) && !((srtp->warned - 10) % 100)) {<br>-                 ast_log(AST_LOG_WARNING, "SRTP unprotect failed with: %s %d\n", srtp_errstr(res), srtp->warned);<br>-                        srtp->warned = 11;<br>+                /*<br>+            * Authentication failures happen when an active attacker tries to<br>+            * insert malicious RTP packets. Furthermore, authentication failures<br>+                 * happen, when the other party encrypts the sRTP data in an unexpected<br>+               * way. This happens quite often with RTCP. 
Therefore, when you see<br>+           * authentication failures, try to identify the implementation<br>+                * (author and product name) used by your other party. Try to investigate<br>+             * whether they use a custom library or an outdated version of libSRTP.<br>+               */<br>+          if (rtcp) {<br>+                  ast_verb(2, "SRTCP unprotect failed on SSRC %d because of %s\n",<br>+                           ast_rtp_instance_get_ssrc(srtp->rtp), srtp_errstr(res));<br>           } else {<br>-                     srtp->warned++;<br>+                   if ((srtp->warned >= 10) && !((srtp->warned - 10) % 150)) {<br>+                         ast_verb(2, "SRTP unprotect failed on SSRC %d because of %s %d\n",<br>+                                 ast_rtp_instance_get_ssrc(srtp->rtp), srtp_errstr(res), srtp->warned);<br>+                         srtp->warned = 11;<br>+                        } else {<br>+                             srtp->warned++;<br>+                   }<br>             }<br>             errno = EAGAIN;<br>               return -1;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/6523">change 6523</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/6523"/><meta itemprop="name" content="View Change"/></div></div>
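Review bot: In the new branches under "if (res != err_status_ok && res != err_status_replay_fail)", both messages move from ast_log(AST_LOG_WARNING, ...) to ast_verb(2, ...), although the added comment itself says these failures occur when an active attacker inserts malicious RTP packets. A system running below verbose level 2 would then record nothing about them. Consider keeping one rate-limited message at WARNING or NOTICE (for example, the first failure) and moving only the repeats to ast_verb. Separately, the "if (rtcp)" branch logs on every failed packet and never touches srtp->warned, so SRTCP failures are not throttled the way the "% 150" check throttles SRTP. An SSRC is an unsigned 32-bit value, so %u fits better than %d in both format strings. The comment speaks only of authentication failures while the condition covers every unprotect error other than replay failure, so either narrow the wording or make the check specific.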

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 15 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I6c98d46b711f56e08655abeb01c951ab8e8d7fa0 </div>
<div style="display:none"> Gerrit-Change-Number: 6523 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Alexander Traud <pabstraud@compuserve.com> </div>