mirror of
https://github.com/ossrs/srs.git
synced 2025-03-09 15:49:59 +00:00
Upgrade libsrt to v1.5.3. v5.0.183 v6.0.81 (#3808)
fix https://github.com/ossrs/srs/issues/3155 Build srt-1-fit fails with `standard attributes in middle of decl-specifiers` on GCC 12,Arch Linux. See https://github.com/Haivision/srt/releases/tag/v1.5.3
This commit is contained in:
parent
f9bba0a9b0
commit
c5e067fb0b
94 changed files with 5974 additions and 6273 deletions
110
trunk/3rdparty/srt-1-fit/srtcore/crypto.cpp
vendored
110
trunk/3rdparty/srt-1-fit/srtcore/crypto.cpp
vendored
|
@ -57,11 +57,18 @@ std::string KmStateStr(SRT_KM_STATE state)
|
|||
TAKE(SECURING);
|
||||
TAKE(NOSECRET);
|
||||
TAKE(BADSECRET);
|
||||
#ifdef ENABLE_AEAD_API_PREVIEW
|
||||
TAKE(BADCRYPTOMODE);
|
||||
#endif
|
||||
#undef TAKE
|
||||
default:
|
||||
{
|
||||
char buf[256];
|
||||
sprintf(buf, "??? (%d)", state);
|
||||
#if defined(_MSC_VER) && _MSC_VER < 1900
|
||||
_snprintf(buf, sizeof(buf) - 1, "??? (%d)", state);
|
||||
#else
|
||||
snprintf(buf, sizeof(buf), "??? (%d)", state);
|
||||
#endif
|
||||
return buf;
|
||||
}
|
||||
}
|
||||
|
@ -79,6 +86,15 @@ void srt::CCryptoControl::globalInit()
|
|||
#endif
|
||||
}
|
||||
|
||||
bool srt::CCryptoControl::isAESGCMSupported()
|
||||
{
|
||||
#ifdef SRT_ENABLE_ENCRYPTION
|
||||
return HaiCrypt_IsAESGCM_Supported() != 0;
|
||||
#else
|
||||
return false;
|
||||
#endif
|
||||
}
|
||||
|
||||
#if ENABLE_LOGGING
|
||||
std::string srt::CCryptoControl::FormatKmMessage(std::string hdr, int cmd, size_t srtlen)
|
||||
{
|
||||
|
@ -112,7 +128,7 @@ void srt::CCryptoControl::createFakeSndContext()
|
|||
if (!m_iSndKmKeyLen)
|
||||
m_iSndKmKeyLen = 16;
|
||||
|
||||
if (!createCryptoCtx(m_iSndKmKeyLen, HAICRYPT_CRYPTO_DIR_TX, (m_hSndCrypto)))
|
||||
if (!createCryptoCtx((m_hSndCrypto), m_iSndKmKeyLen, HAICRYPT_CRYPTO_DIR_TX, false))
|
||||
{
|
||||
HLOGC(cnlog.Debug, log << "Error: Can't create fake crypto context for sending - sending will return ERROR!");
|
||||
m_hSndCrypto = 0;
|
||||
|
@ -139,7 +155,7 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
|
|||
// what has called this function. The HSv5 handshake only enforces bidirectional
|
||||
// connection.
|
||||
|
||||
bool bidirectional = hsv > CUDT::HS_VERSION_UDT4;
|
||||
const bool bidirectional = hsv > CUDT::HS_VERSION_UDT4;
|
||||
|
||||
// Local macro to return rejection appropriately.
|
||||
// CHANGED. The first version made HSv5 reject the connection.
|
||||
|
@ -152,6 +168,10 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
|
|||
bool wasb4 SRT_ATR_UNUSED = false;
|
||||
size_t sek_len = 0;
|
||||
|
||||
const bool bUseGCM =
|
||||
(m_iCryptoMode == CSrtConfig::CIPHER_MODE_AUTO && kmdata[HCRYPT_MSG_KM_OFS_CIPHER] == HCRYPT_CIPHER_AES_GCM) ||
|
||||
(m_iCryptoMode == CSrtConfig::CIPHER_MODE_AES_GCM);
|
||||
|
||||
// What we have to do:
|
||||
// If encryption is on (we know that by having m_KmSecret nonempty), create
|
||||
// the crypto context (if bidirectional, create for both sending and receiving).
|
||||
|
@ -199,13 +219,16 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
|
|||
}
|
||||
wasb4 = m_hRcvCrypto;
|
||||
|
||||
if (!createCryptoCtx(m_iRcvKmKeyLen, HAICRYPT_CRYPTO_DIR_RX, (m_hRcvCrypto)))
|
||||
if (!createCryptoCtx((m_hRcvCrypto), m_iRcvKmKeyLen, HAICRYPT_CRYPTO_DIR_RX, bUseGCM))
|
||||
{
|
||||
LOGC(cnlog.Error, log << "processSrtMsg_KMREQ: Can't create RCV CRYPTO CTX - must reject...");
|
||||
m_RcvKmState = SRT_KM_S_NOSECRET;
|
||||
KMREQ_RESULT_REJECTION();
|
||||
}
|
||||
|
||||
// Deduce resulting mode.
|
||||
m_iCryptoMode = bUseGCM ? CSrtConfig::CIPHER_MODE_AES_GCM : CSrtConfig::CIPHER_MODE_AES_CTR;
|
||||
|
||||
if (!wasb4)
|
||||
{
|
||||
HLOGC(cnlog.Debug, log << "processSrtMsg_KMREQ: created RX ENC with KeyLen=" << m_iRcvKmKeyLen);
|
||||
|
@ -230,6 +253,15 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
|
|||
w_srtlen = 1;
|
||||
LOGC(cnlog.Warn, log << "KMREQ/rcv: (snd) Rx process failure - BADSECRET");
|
||||
break;
|
||||
case HAICRYPT_ERROR_CIPHER:
|
||||
#ifdef ENABLE_AEAD_API_PREVIEW
|
||||
m_RcvKmState = m_SndKmState = SRT_KM_S_BADCRYPTOMODE;
|
||||
#else
|
||||
m_RcvKmState = m_SndKmState = SRT_KM_S_BADSECRET; // Use "bad secret" as a fallback.
|
||||
#endif
|
||||
w_srtlen = 1;
|
||||
LOGC(cnlog.Warn, log << "KMREQ/rcv: (snd) Rx process failure - BADCRYPTOMODE");
|
||||
break;
|
||||
case HAICRYPT_ERROR: //Other errors
|
||||
default:
|
||||
m_RcvKmState = m_SndKmState = SRT_KM_S_NOSECRET;
|
||||
|
@ -244,7 +276,6 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
|
|||
// until the next KMREQ is received as a key regeneration.
|
||||
m_bErrorReported = false;
|
||||
|
||||
|
||||
if (w_srtlen == 1)
|
||||
goto HSv4_ErrorReport;
|
||||
|
||||
|
@ -379,6 +410,14 @@ int srt::CCryptoControl::processSrtMsg_KMRSP(const uint32_t* srtdata, size_t len
|
|||
m_SndKmState = SRT_KM_S_UNSECURED;
|
||||
retstatus = 0;
|
||||
break;
|
||||
#ifdef ENABLE_AEAD_API_PREVIEW
|
||||
case SRT_KM_S_BADCRYPTOMODE:
|
||||
// The peer expects to use a different cryptographic mode (e.g. AES-GCM, not AES-CTR).
|
||||
m_RcvKmState = SRT_KM_S_BADCRYPTOMODE;
|
||||
m_SndKmState = SRT_KM_S_BADCRYPTOMODE;
|
||||
retstatus = -1;
|
||||
break;
|
||||
#endif
|
||||
|
||||
default:
|
||||
LOGC(cnlog.Fatal, log << "processSrtMsg_KMRSP: IPE: unknown peer error state: "
|
||||
|
@ -427,8 +466,9 @@ int srt::CCryptoControl::processSrtMsg_KMRSP(const uint32_t* srtdata, size_t len
|
|||
return retstatus;
|
||||
}
|
||||
|
||||
void srt::CCryptoControl::sendKeysToPeer(CUDT* sock SRT_ATR_UNUSED, int iSRTT SRT_ATR_UNUSED, Whether2RegenKm regen SRT_ATR_UNUSED)
|
||||
void srt::CCryptoControl::sendKeysToPeer(CUDT* sock SRT_ATR_UNUSED, int iSRTT SRT_ATR_UNUSED)
|
||||
{
|
||||
sync::ScopedLock lck(m_mtxLock);
|
||||
if (!m_hSndCrypto || m_SndKmState == SRT_KM_S_UNSECURED)
|
||||
{
|
||||
HLOGC(cnlog.Debug, log << "sendKeysToPeer: NOT sending/regenerating keys: "
|
||||
|
@ -461,21 +501,13 @@ void srt::CCryptoControl::sendKeysToPeer(CUDT* sock SRT_ATR_UNUSED, int iSRTT SR
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (regen)
|
||||
{
|
||||
regenCryptoKm(
|
||||
sock, // send UMSG_EXT + SRT_CMD_KMREQ to the peer using this socket
|
||||
false // Do not apply the regenerated key to the to the receiver context
|
||||
); // regenerate and send
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef SRT_ENABLE_ENCRYPTION
|
||||
void srt::CCryptoControl::regenCryptoKm(CUDT* sock, bool bidirectional)
|
||||
void srt::CCryptoControl::regenCryptoKm(CUDT* sock SRT_ATR_UNUSED, bool bidirectional SRT_ATR_UNUSED)
|
||||
{
|
||||
#ifdef SRT_ENABLE_ENCRYPTION
|
||||
sync::ScopedLock lck(m_mtxLock);
|
||||
if (!m_hSndCrypto)
|
||||
return;
|
||||
|
||||
|
@ -549,8 +581,8 @@ void srt::CCryptoControl::regenCryptoKm(CUDT* sock, bool bidirectional)
|
|||
|
||||
if (sent)
|
||||
m_SndKmLastTime = srt::sync::steady_clock::now();
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
srt::CCryptoControl::CCryptoControl(SRTSOCKET id)
|
||||
: m_SocketID(id)
|
||||
|
@ -560,9 +592,9 @@ srt::CCryptoControl::CCryptoControl(SRTSOCKET id)
|
|||
, m_RcvKmState(SRT_KM_S_UNSECURED)
|
||||
, m_KmRefreshRatePkt(0)
|
||||
, m_KmPreAnnouncePkt(0)
|
||||
, m_iCryptoMode(CSrtConfig::CIPHER_MODE_AUTO)
|
||||
, m_bErrorReported(false)
|
||||
{
|
||||
|
||||
m_KmSecret.len = 0;
|
||||
//send
|
||||
m_SndKmMsg[0].MsgLen = 0;
|
||||
|
@ -587,6 +619,19 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
|
|||
|
||||
// Set UNSECURED state as default
|
||||
m_RcvKmState = SRT_KM_S_UNSECURED;
|
||||
m_iCryptoMode = cfg.iCryptoMode;
|
||||
|
||||
#ifdef SRT_ENABLE_ENCRYPTION
|
||||
if (!cfg.bTSBPD && m_iCryptoMode == CSrtConfig::CIPHER_MODE_AUTO)
|
||||
m_iCryptoMode = CSrtConfig::CIPHER_MODE_AES_CTR;
|
||||
const bool bUseGCM = m_iCryptoMode == CSrtConfig::CIPHER_MODE_AES_GCM;
|
||||
|
||||
if (bUseGCM && !isAESGCMSupported())
|
||||
{
|
||||
LOGC(cnlog.Warn, log << "CCryptoControl: AES GCM is not supported by the crypto service provider.");
|
||||
return false;
|
||||
}
|
||||
#endif
|
||||
|
||||
// Set security-pending state, if a password was set.
|
||||
m_SndKmState = hasPassphrase() ? SRT_KM_S_SECURING : SRT_KM_S_UNSECURED;
|
||||
|
@ -594,7 +639,7 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
|
|||
m_KmPreAnnouncePkt = cfg.uKmPreAnnouncePkt;
|
||||
m_KmRefreshRatePkt = cfg.uKmRefreshRatePkt;
|
||||
|
||||
if ( side == HSD_INITIATOR )
|
||||
if (side == HSD_INITIATOR)
|
||||
{
|
||||
if (hasPassphrase())
|
||||
{
|
||||
|
@ -605,13 +650,13 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
|
|||
m_iSndKmKeyLen = 16;
|
||||
}
|
||||
|
||||
bool ok = createCryptoCtx(m_iSndKmKeyLen, HAICRYPT_CRYPTO_DIR_TX, (m_hSndCrypto));
|
||||
bool ok = createCryptoCtx((m_hSndCrypto), m_iSndKmKeyLen, HAICRYPT_CRYPTO_DIR_TX, bUseGCM);
|
||||
HLOGC(cnlog.Debug, log << "CCryptoControl::init: creating SND crypto context: " << ok);
|
||||
|
||||
if (ok && bidirectional)
|
||||
{
|
||||
m_iRcvKmKeyLen = m_iSndKmKeyLen;
|
||||
int st = HaiCrypt_Clone(m_hSndCrypto, HAICRYPT_CRYPTO_DIR_RX, &m_hRcvCrypto);
|
||||
const int st = HaiCrypt_Clone(m_hSndCrypto, HAICRYPT_CRYPTO_DIR_RX, &m_hRcvCrypto);
|
||||
HLOGC(cnlog.Debug, log << "CCryptoControl::init: creating CLONED RCV crypto context: status=" << st);
|
||||
ok = st == 0;
|
||||
}
|
||||
|
@ -630,12 +675,14 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
|
|||
NULL, // Do not send the key (the KM msg will be attached to the HSv5 handshake)
|
||||
bidirectional // replicate the key to the receiver context, if bidirectional
|
||||
);
|
||||
|
||||
m_iCryptoMode = bUseGCM ? CSrtConfig::CIPHER_MODE_AES_GCM : CSrtConfig::CIPHER_MODE_AES_CTR;
|
||||
#else
|
||||
// This error would be a consequence of setting the passphrase, while encryption
|
||||
// is turned off at compile time. Setting the password itself should be not allowed
|
||||
// so this could only happen as a consequence of an IPE.
|
||||
LOGC(cnlog.Error, log << "CCryptoControl::init: IPE: encryption not supported");
|
||||
return true;
|
||||
return false;
|
||||
#endif
|
||||
}
|
||||
else
|
||||
|
@ -654,6 +701,7 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
|
|||
void srt::CCryptoControl::close()
|
||||
{
|
||||
/* Wipeout secrets */
|
||||
sync::ScopedLock lck(m_mtxLock);
|
||||
memset(&m_KmSecret, 0, sizeof(m_KmSecret));
|
||||
}
|
||||
|
||||
|
@ -691,9 +739,8 @@ static std::string CryptoFlags(int flg)
|
|||
} // namespace srt
|
||||
#endif // ENABLE_HEAVY_LOGGING
|
||||
|
||||
bool srt::CCryptoControl::createCryptoCtx(size_t keylen, HaiCrypt_CryptoDir cdir, HaiCrypt_Handle& w_hCrypto)
|
||||
bool srt::CCryptoControl::createCryptoCtx(HaiCrypt_Handle& w_hCrypto, size_t keylen, HaiCrypt_CryptoDir cdir, bool bAESGCM)
|
||||
{
|
||||
|
||||
if (w_hCrypto)
|
||||
{
|
||||
// XXX You can check here if the existing handle represents
|
||||
|
@ -715,7 +762,7 @@ bool srt::CCryptoControl::createCryptoCtx(size_t keylen, HaiCrypt_CryptoDir cdir
|
|||
m_KmRefreshRatePkt = 2000;
|
||||
m_KmPreAnnouncePkt = 500;
|
||||
#endif
|
||||
crypto_cfg.flags = HAICRYPT_CFG_F_CRYPTO | (cdir == HAICRYPT_CRYPTO_DIR_TX ? HAICRYPT_CFG_F_TX : 0);
|
||||
crypto_cfg.flags = HAICRYPT_CFG_F_CRYPTO | (cdir == HAICRYPT_CRYPTO_DIR_TX ? HAICRYPT_CFG_F_TX : 0) | (bAESGCM ? HAICRYPT_CFG_F_GCM : 0);
|
||||
crypto_cfg.xport = HAICRYPT_XPT_SRT;
|
||||
crypto_cfg.cryspr = HaiCryptCryspr_Get_Instance();
|
||||
crypto_cfg.key_len = (size_t)keylen;
|
||||
|
@ -724,7 +771,6 @@ bool srt::CCryptoControl::createCryptoCtx(size_t keylen, HaiCrypt_CryptoDir cdir
|
|||
crypto_cfg.km_refresh_rate_pkt = m_KmRefreshRatePkt == 0 ? HAICRYPT_DEF_KM_REFRESH_RATE : m_KmRefreshRatePkt;
|
||||
crypto_cfg.km_pre_announce_pkt = m_KmPreAnnouncePkt == 0 ? SRT_CRYPT_KM_PRE_ANNOUNCE : m_KmPreAnnouncePkt;
|
||||
crypto_cfg.secret = m_KmSecret;
|
||||
//memcpy(&crypto_cfg.secret, &m_KmSecret, sizeof(crypto_cfg.secret));
|
||||
|
||||
HLOGC(cnlog.Debug, log << "CRYPTO CFG: flags=" << CryptoFlags(crypto_cfg.flags) << " xport=" << crypto_cfg.xport << " cryspr=" << crypto_cfg.cryspr
|
||||
<< " keylen=" << crypto_cfg.key_len << " passphrase_length=" << crypto_cfg.secret.len);
|
||||
|
@ -740,7 +786,7 @@ bool srt::CCryptoControl::createCryptoCtx(size_t keylen, HaiCrypt_CryptoDir cdir
|
|||
return true;
|
||||
}
|
||||
#else
|
||||
bool srt::CCryptoControl::createCryptoCtx(size_t, HaiCrypt_CryptoDir, HaiCrypt_Handle&)
|
||||
bool srt::CCryptoControl::createCryptoCtx(HaiCrypt_Handle&, size_t, HaiCrypt_CryptoDir, bool)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
@ -754,6 +800,8 @@ srt::EncryptionStatus srt::CCryptoControl::encrypt(CPacket& w_packet SRT_ATR_UNU
|
|||
if ( getSndCryptoFlags() == EK_NOENC )
|
||||
return ENCS_CLEAR;
|
||||
|
||||
// Note that in case of GCM the header has to zero Retransmitted Packet Flag (R).
|
||||
// If TSBPD is disabled, timestamp also has to be zeroed.
|
||||
int rc = HaiCrypt_Tx_Data(m_hSndCrypto, ((uint8_t*)w_packet.getHeader()), ((uint8_t*)w_packet.m_pcData), w_packet.getLength());
|
||||
if (rc < 0)
|
||||
{
|
||||
|
@ -826,10 +874,10 @@ srt::EncryptionStatus srt::CCryptoControl::decrypt(CPacket& w_packet SRT_ATR_UNU
|
|||
return ENCS_FAILED;
|
||||
}
|
||||
|
||||
int rc = HaiCrypt_Rx_Data(m_hRcvCrypto, ((uint8_t *)w_packet.getHeader()), ((uint8_t *)w_packet.m_pcData), w_packet.getLength());
|
||||
if ( rc <= 0 )
|
||||
const int rc = HaiCrypt_Rx_Data(m_hRcvCrypto, ((uint8_t *)w_packet.getHeader()), ((uint8_t *)w_packet.m_pcData), w_packet.getLength());
|
||||
if (rc <= 0)
|
||||
{
|
||||
LOGC(cnlog.Error, log << "decrypt ERROR (IPE): HaiCrypt_Rx_Data failure=" << rc << " - returning failed decryption");
|
||||
LOGC(cnlog.Note, log << "decrypt ERROR: HaiCrypt_Rx_Data failure=" << rc << " - returning failed decryption");
|
||||
// -1: decryption failure
|
||||
// 0: key not received yet
|
||||
return ENCS_FAILED;
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue