<p>Jenkins2 <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/6521">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Richard Mudgett: Looks good to me, but someone else must approve
  Joshua Colp: Looks good to me, approved
  Jenkins2: Approved for Submit

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_srtp: lower log level of auth failures<br><br>Previously, sRTP authentication failures were reported on log level WARNING.<br>When such failures happen, each RT(C)P packet is affected, spamming the log.<br>Now, those failures are reported at log level VERBOSE 2. Furthermore, the<br>amount is further reduced (previously all two seconds, now all three seconds).<br>Additionally, the new log entry informs whether media (RTP) or statistics (RTCP)<br>are affected.<br><br>ASTERISK-16898 #close<br><br>Change-Id: I6c98d46b711f56e08655abeb01c951ab8e8d7fa0<br>---<br>M res/res_srtp.c<br>1 file changed, 19 insertions(+), 4 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_srtp.c b/res/res_srtp.c<br>index caedfb6..295c332 100644<br>--- a/res/res_srtp.c<br>+++ b/res/res_srtp.c<br>@@ -446,11 +446,26 @@<br>  }<br> <br>  if (res != err_status_ok && res != err_status_replay_fail ) {<br>-                if ((srtp->warned >= 10) && !((srtp->warned - 10) % 100)) {<br>-                 ast_log(AST_LOG_WARNING, "SRTP unprotect failed with: %s %d\n", srtp_errstr(res), srtp->warned);<br>-                        srtp->warned = 11;<br>+                /*<br>+            * Authentication failures happen when an active attacker tries to<br>+            * insert malicious RTP packets. Furthermore, authentication failures<br>+                 * happen, when the other party encrypts the sRTP data in an unexpected<br>+               * way. This happens quite often with RTCP. Therefore, when you see<br>+           * authentication failures, try to identify the implementation<br>+                * (author and product name) used by your other party. Try to investigate<br>+             * whether they use a custom library or an outdated version of libSRTP.<br>+               */<br>+          if (rtcp) {<br>+                  ast_verb(2, "SRTCP unprotect failed on SSRC %u because of %s\n",<br>+                           ast_rtp_instance_get_ssrc(srtp->rtp), srtp_errstr(res));<br>           } else {<br>-                     srtp->warned++;<br>+                   if ((srtp->warned >= 10) && !((srtp->warned - 10) % 150)) {<br>+                         ast_verb(2, "SRTP unprotect failed on SSRC %u because of %s %d\n",<br>+                                 ast_rtp_instance_get_ssrc(srtp->rtp), srtp_errstr(res), srtp->warned);<br>+                         srtp->warned = 11;<br>+                        } else {<br>+                             srtp->warned++;<br>+                   }<br>             }<br>             errno = EAGAIN;<br>               return -1;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/6521">change 6521</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/6521"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I6c98d46b711f56e08655abeb01c951ab8e8d7fa0 </div>
<div style="display:none"> Gerrit-Change-Number: 6521 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Alexander Traud <pabstraud@compuserve.com> </div>
<div style="display:none"> Gerrit-Reviewer: Alexander Traud <pabstraud@compuserve.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins2 </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Richard Mudgett <rmudgett@digium.com> </div>