From 7f8df6f21fe217d35411ede1eaeab6564db39a38 Mon Sep 17 00:00:00 2001
From: winlin
Date: Thu, 11 Mar 2021 08:15:20 +0800
Subject: [PATCH 1/4] Build: Refine script for SRTP.

Because we have upgraded to openssl-1.1.1d and libsrtp-2.3, so it's able to enable ASM for SRTP for not only openssl-1.0, because libsrtp-2.3 fixed the capacity bug.
---
 trunk/auto/depends.sh | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/trunk/auto/depends.sh b/trunk/auto/depends.sh
index 23ec86081..9033ef7e3 100755
--- a/trunk/auto/depends.sh
+++ b/trunk/auto/depends.sh
@@ -552,18 +552,6 @@ fi
 #####################################################################################
 # srtp
 #####################################################################################
-# For openssl-1.1.*, we should disable SRTP ASM, because SRTP only works with openssl-1.0.*
-if [[ $SRS_SRTP_ASM == YES ]]; then
- echo " #include " > ${SRS_OBJS}/_tmp_srtp_asm_detect.c
- echo " #if OPENSSL_VERSION_NUMBER >= 0x10100000L // v1.1.x " >> ${SRS_OBJS}/_tmp_srtp_asm_detect.c
- echo " #error \"SRTP only works with openssl-1.0.*\" " >> ${SRS_OBJS}/_tmp_srtp_asm_detect.c
- echo " #endif " >> ${SRS_OBJS}/_tmp_srtp_asm_detect.c
- ${SRS_TOOL_CC} -c ${SRS_OBJS}/_tmp_srtp_asm_detect.c -I${SRS_OBJS}/openssl/include -o /dev/null >/dev/null 2>&1
- if [[ $? -ne 0 ]]; then
- SRS_SRTP_ASM=NO && echo "Warning: Disable SRTP-ASM optimization, please update docker";
- fi
- rm -f ${SRS_OBJS}/_tmp_srtp_asm_detect.c
-fi;
 SRTP_CONFIG="echo SRTP without openssl(ASM) optimization" && SRTP_OPTIONS=""
 # If use ASM for SRTP, we enable openssl(with ASM).
 if [[ $SRS_SRTP_ASM == YES ]]; then

From d53b5b3f2eff6b1135ffd96cef9665e8e937b1c4 Mon Sep 17 00:00:00 2001
From: winlin
Date: Thu, 11 Mar 2021 12:31:15 +0800
Subject: [PATCH 2/4] Security: Support CodeQL analysis

---
 .github/workflows/codeql-analysis.yml | 66 +++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000..1dfdd79c1
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,66 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ 4.0release, develop ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ 4.0release, develop ] + schedule: + - cron: '43 11 * * 0' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + language: [ 'cpp' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more: + # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + #- name: Autobuild + # uses: github/codeql-action/autobuild@v1 + + # ℹī¸ Command-line programs to run using the OS shell. 
+ # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + - name: Build SRS + run: | + ./configure && make + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 From 197fe1031036c0ad719d08b2bffdb5ec32f41984 Mon Sep 17 00:00:00 2001 From: winlin Date: Thu, 11 Mar 2021 12:33:01 +0800 Subject: [PATCH 3/4] Security: Support CodeQL analysis --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 1dfdd79c1..3447c962f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -60,7 +60,7 @@ jobs: # uses a compiled language - name: Build SRS run: | - ./configure && make + cd trunk && ./configure && make - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v1 From a53fe451ffa871f70a4c6c189349bf1ad814650c Mon Sep 17 00:00:00 2001 From: winlin Date: Thu, 11 Mar 2021 16:48:29 +0800 Subject: [PATCH 4/4] RTC: Feed TWCC then drop the specified PT packet. 1. Sometimes we might drop RTP packets, by PT(payload type). 2. For example, the padding packets from client. 3. We should feed these packets to TWCC, then drop it. --- trunk/src/app/srs_app_rtc_conn.cpp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/trunk/src/app/srs_app_rtc_conn.cpp b/trunk/src/app/srs_app_rtc_conn.cpp index c82241052..e6afab909 100644 --- a/trunk/src/app/srs_app_rtc_conn.cpp +++ b/trunk/src/app/srs_app_rtc_conn.cpp 
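Review bot: Every `uses:` in the new workflow references a mutable tag (`actions/checkout@v2`, `github/codeql-action/init@v1`, `github/codeql-action/analyze@v1`), so the security-scanning job trusts whatever those tags resolve to at run time; pin each one to a full commit SHA with the tag as a trailing comment, e.g. `uses: github/codeql-action/init@<commit-sha>  # v1`, so the scan is reproducible and a moved tag cannot change what runs on pull requests. A workflow-level `permissions:` block limiting `GITHUB_TOKEN` to `contents: read` and `security-events: write` (the permission the analyze step needs to upload results) would keep the job at least privilege, and is worth adding if the repository's Actions settings support it. The template comments about detecting languages and the commented-out Autobuild step no longer describe this file, since the matrix is fixed to `cpp` and the build is explicit, so they can be trimmed to a line such as `# C++ only; SRS needs an explicit build step because Autobuild cannot drive ./configure.`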
@@ -1116,14 +1116,6 @@ srs_error_t SrsRtcPublishStream::on_rtp(char* data, int nb_data)
 return err;
 }
 
- // If payload type is configed to drop, ignore this packet.
- if (pt_to_drop_) {
- uint8_t pt = srs_rtp_fast_parse_pt(data, nb_data);
- if (pt_to_drop_ == pt) {
- return err;
- }
- }
-
 // Decode the header first.
 if (twcc_id_) {
 // We must parse the TWCC from RTP header before SRTP unprotect, because:
@@ -1140,6 +1132,14 @@ srs_error_t SrsRtcPublishStream::on_rtp(char* data, int nb_data)
 }
 }
 
+ // If payload type is configed to drop, ignore this packet.
+ if (pt_to_drop_) {
+ uint8_t pt = srs_rtp_fast_parse_pt(data, nb_data);
+ if (pt_to_drop_ == pt) {
+ return err;
+ }
+ }
+
 // Decrypt the cipher to plaintext RTP data.
 char* plaintext = data;
 int nb_plaintext = nb_data;
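Review bot: The re-added drop check in the second hunk uses `if (pt_to_drop_)` as its "is configured" test, so a payload type of 0 can never be selected for dropping; if 0 is a legal PT for this stream, a separate enabled flag or a signed sentinel such as `if (pt_to_drop_ >= 0 && pt_to_drop_ == pt)` is needed, and pt_to_drop_'s type and initial value, declared outside this hunk, should be confirmed first. The comment should also state why the block now sits after the TWCC parsing, e.g. `// Drop the configured PT only after TWCC has seen the packet, so feedback still counts it.`, since that ordering is the point of the move and a later reader may otherwise hoist it back above the TWCC block. `srs_rtp_fast_parse_pt(data, nb_data)` reads the not-yet-authenticated header before SRTP unprotect, which is acceptable because a matching PT only causes an early return, but it presumably relies on a minimum-length check earlier in on_rtp that lies outside the hunk and should be verified to cover the PT byte. on_rtp begins and ends outside both hunks.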