external/srs
1
0
Fork 0
mirror of https://github.com/ossrs/srs.git synced 2025-03-09 15:49:59 +00:00
Code Issues Releases Wiki Activity

Upgrade libsrt to v1.5.3. v5.0.183 v6.0.81 (#3808)

Browse source 
fix https://github.com/ossrs/srs/issues/3155
Build srt-1-fit fails with `standard attributes in middle of
decl-specifiers` on GCC 12,Arch Linux.

See https://github.com/Haivision/srt/releases/tag/v1.5.3
This commit is contained in:
Haibo Chen 2023-09-21 22:23:56 +08:00 committed by GitHub
parent f9bba0a9b0
commit c5e067fb0b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
94 changed files with 5974 additions and 6273 deletions
Download patch file Download diff file Expand all files Collapse all files

110
trunk/3rdparty/srt-1-fit/srtcore/crypto.cpp vendored
View file

@ -57,11 +57,18 @@ std::string KmStateStr(SRT_KM_STATE state)
TAKE(SECURING);
TAKE(NOSECRET);
TAKE(BADSECRET);
#ifdef ENABLE_AEAD_API_PREVIEW
TAKE(BADCRYPTOMODE);
#endif
#undef TAKE
default:
{
char buf[256];
sprintf(buf, "??? (%d)", state);
#if defined(_MSC_VER) && _MSC_VER < 1900
_snprintf(buf, sizeof(buf) - 1, "??? (%d)", state);
#else
snprintf(buf, sizeof(buf), "??? (%d)", state);
#endif
return buf;
}
}
@ -79,6 +86,15 @@ void srt::CCryptoControl::globalInit()
#endif
}
bool srt::CCryptoControl::isAESGCMSupported()
{
#ifdef SRT_ENABLE_ENCRYPTION
return HaiCrypt_IsAESGCM_Supported() != 0;
#else
return false;
#endif
}
#if ENABLE_LOGGING
std::string srt::CCryptoControl::FormatKmMessage(std::string hdr, int cmd, size_t srtlen)
{
@ -112,7 +128,7 @@ void srt::CCryptoControl::createFakeSndContext()
if (!m_iSndKmKeyLen)
m_iSndKmKeyLen = 16;
if (!createCryptoCtx(m_iSndKmKeyLen, HAICRYPT_CRYPTO_DIR_TX, (m_hSndCrypto)))
if (!createCryptoCtx((m_hSndCrypto), m_iSndKmKeyLen, HAICRYPT_CRYPTO_DIR_TX, false))
{
HLOGC(cnlog.Debug, log << "Error: Can't create fake crypto context for sending - sending will return ERROR!");
m_hSndCrypto = 0;
@ -139,7 +155,7 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
// what has called this function. The HSv5 handshake only enforces bidirectional
// connection.
bool bidirectional = hsv > CUDT::HS_VERSION_UDT4;
const bool bidirectional = hsv > CUDT::HS_VERSION_UDT4;
// Local macro to return rejection appropriately.
// CHANGED. The first version made HSv5 reject the connection.
@ -152,6 +168,10 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
bool wasb4 SRT_ATR_UNUSED = false;
size_t sek_len = 0;
const bool bUseGCM =
(m_iCryptoMode == CSrtConfig::CIPHER_MODE_AUTO && kmdata[HCRYPT_MSG_KM_OFS_CIPHER] == HCRYPT_CIPHER_AES_GCM) ||
(m_iCryptoMode == CSrtConfig::CIPHER_MODE_AES_GCM);
// What we have to do:
// If encryption is on (we know that by having m_KmSecret nonempty), create
// the crypto context (if bidirectional, create for both sending and receiving).
@ -199,13 +219,16 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
}
wasb4 = m_hRcvCrypto;
if (!createCryptoCtx(m_iRcvKmKeyLen, HAICRYPT_CRYPTO_DIR_RX, (m_hRcvCrypto)))
if (!createCryptoCtx((m_hRcvCrypto), m_iRcvKmKeyLen, HAICRYPT_CRYPTO_DIR_RX, bUseGCM))
{
LOGC(cnlog.Error, log << "processSrtMsg_KMREQ: Can't create RCV CRYPTO CTX - must reject...");
m_RcvKmState = SRT_KM_S_NOSECRET;
KMREQ_RESULT_REJECTION();
}
// Deduce resulting mode.
m_iCryptoMode = bUseGCM ? CSrtConfig::CIPHER_MODE_AES_GCM : CSrtConfig::CIPHER_MODE_AES_CTR;
if (!wasb4)
{
HLOGC(cnlog.Debug, log << "processSrtMsg_KMREQ: created RX ENC with KeyLen=" << m_iRcvKmKeyLen);
@ -230,6 +253,15 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
w_srtlen = 1;
LOGC(cnlog.Warn, log << "KMREQ/rcv: (snd) Rx process failure - BADSECRET");
break;
case HAICRYPT_ERROR_CIPHER:
#ifdef ENABLE_AEAD_API_PREVIEW
m_RcvKmState = m_SndKmState = SRT_KM_S_BADCRYPTOMODE;
#else
m_RcvKmState = m_SndKmState = SRT_KM_S_BADSECRET; // Use "bad secret" as a fallback.
#endif
w_srtlen = 1;
LOGC(cnlog.Warn, log << "KMREQ/rcv: (snd) Rx process failure - BADCRYPTOMODE");
break;
case HAICRYPT_ERROR: //Other errors
default:
m_RcvKmState = m_SndKmState = SRT_KM_S_NOSECRET;
@ -244,7 +276,6 @@ int srt::CCryptoControl::processSrtMsg_KMREQ(
// until the next KMREQ is received as a key regeneration.
m_bErrorReported = false;
if (w_srtlen == 1)
goto HSv4_ErrorReport;
@ -379,6 +410,14 @@ int srt::CCryptoControl::processSrtMsg_KMRSP(const uint32_t* srtdata, size_t len
m_SndKmState = SRT_KM_S_UNSECURED;
retstatus = 0;
break;
#ifdef ENABLE_AEAD_API_PREVIEW
case SRT_KM_S_BADCRYPTOMODE:
// The peer expects to use a different cryptographic mode (e.g. AES-GCM, not AES-CTR).
m_RcvKmState = SRT_KM_S_BADCRYPTOMODE;
m_SndKmState = SRT_KM_S_BADCRYPTOMODE;
retstatus = -1;
break;
#endif
default:
LOGC(cnlog.Fatal, log << "processSrtMsg_KMRSP: IPE: unknown peer error state: "
@ -427,8 +466,9 @@ int srt::CCryptoControl::processSrtMsg_KMRSP(const uint32_t* srtdata, size_t len
return retstatus;
}
void srt::CCryptoControl::sendKeysToPeer(CUDT* sock SRT_ATR_UNUSED, int iSRTT SRT_ATR_UNUSED, Whether2RegenKm regen SRT_ATR_UNUSED)
void srt::CCryptoControl::sendKeysToPeer(CUDT* sock SRT_ATR_UNUSED, int iSRTT SRT_ATR_UNUSED)
{
sync::ScopedLock lck(m_mtxLock);
if (!m_hSndCrypto || m_SndKmState == SRT_KM_S_UNSECURED)
{
HLOGC(cnlog.Debug, log << "sendKeysToPeer: NOT sending/regenerating keys: "
@ -461,21 +501,13 @@ void srt::CCryptoControl::sendKeysToPeer(CUDT* sock SRT_ATR_UNUSED, int iSRTT SR
}
}
}
if (regen)
{
regenCryptoKm(
sock, // send UMSG_EXT + SRT_CMD_KMREQ to the peer using this socket
false // Do not apply the regenerated key to the to the receiver context
); // regenerate and send
}
#endif
}
#ifdef SRT_ENABLE_ENCRYPTION
void srt::CCryptoControl::regenCryptoKm(CUDT* sock, bool bidirectional)
void srt::CCryptoControl::regenCryptoKm(CUDT* sock SRT_ATR_UNUSED, bool bidirectional SRT_ATR_UNUSED)
{
#ifdef SRT_ENABLE_ENCRYPTION
sync::ScopedLock lck(m_mtxLock);
if (!m_hSndCrypto)
return;
@ -549,8 +581,8 @@ void srt::CCryptoControl::regenCryptoKm(CUDT* sock, bool bidirectional)
if (sent)
m_SndKmLastTime = srt::sync::steady_clock::now();
}
#endif
}
srt::CCryptoControl::CCryptoControl(SRTSOCKET id)
: m_SocketID(id)
@ -560,9 +592,9 @@ srt::CCryptoControl::CCryptoControl(SRTSOCKET id)
, m_RcvKmState(SRT_KM_S_UNSECURED)
, m_KmRefreshRatePkt(0)
, m_KmPreAnnouncePkt(0)
, m_iCryptoMode(CSrtConfig::CIPHER_MODE_AUTO)
, m_bErrorReported(false)
{
m_KmSecret.len = 0;
//send
m_SndKmMsg[0].MsgLen = 0;
@ -587,6 +619,19 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
// Set UNSECURED state as default
m_RcvKmState = SRT_KM_S_UNSECURED;
m_iCryptoMode = cfg.iCryptoMode;
#ifdef SRT_ENABLE_ENCRYPTION
if (!cfg.bTSBPD && m_iCryptoMode == CSrtConfig::CIPHER_MODE_AUTO)
m_iCryptoMode = CSrtConfig::CIPHER_MODE_AES_CTR;
const bool bUseGCM = m_iCryptoMode == CSrtConfig::CIPHER_MODE_AES_GCM;
if (bUseGCM && !isAESGCMSupported())
{
LOGC(cnlog.Warn, log << "CCryptoControl: AES GCM is not supported by the crypto service provider.");
return false;
}
#endif
// Set security-pending state, if a password was set.
m_SndKmState = hasPassphrase() ? SRT_KM_S_SECURING : SRT_KM_S_UNSECURED;
@ -594,7 +639,7 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
m_KmPreAnnouncePkt = cfg.uKmPreAnnouncePkt;
m_KmRefreshRatePkt = cfg.uKmRefreshRatePkt;
if ( side == HSD_INITIATOR )
if (side == HSD_INITIATOR)
{
if (hasPassphrase())
{
@ -605,13 +650,13 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
m_iSndKmKeyLen = 16;
}
bool ok = createCryptoCtx(m_iSndKmKeyLen, HAICRYPT_CRYPTO_DIR_TX, (m_hSndCrypto));
bool ok = createCryptoCtx((m_hSndCrypto), m_iSndKmKeyLen, HAICRYPT_CRYPTO_DIR_TX, bUseGCM);
HLOGC(cnlog.Debug, log << "CCryptoControl::init: creating SND crypto context: " << ok);
if (ok && bidirectional)
{
m_iRcvKmKeyLen = m_iSndKmKeyLen;
int st = HaiCrypt_Clone(m_hSndCrypto, HAICRYPT_CRYPTO_DIR_RX, &m_hRcvCrypto);
const int st = HaiCrypt_Clone(m_hSndCrypto, HAICRYPT_CRYPTO_DIR_RX, &m_hRcvCrypto);
HLOGC(cnlog.Debug, log << "CCryptoControl::init: creating CLONED RCV crypto context: status=" << st);
ok = st == 0;
}
@ -630,12 +675,14 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
NULL, // Do not send the key (the KM msg will be attached to the HSv5 handshake)
bidirectional // replicate the key to the receiver context, if bidirectional
);
m_iCryptoMode = bUseGCM ? CSrtConfig::CIPHER_MODE_AES_GCM : CSrtConfig::CIPHER_MODE_AES_CTR;
#else
// This error would be a consequence of setting the passphrase, while encryption
// is turned off at compile time. Setting the password itself should be not allowed
// so this could only happen as a consequence of an IPE.
LOGC(cnlog.Error, log << "CCryptoControl::init: IPE: encryption not supported");
return true;
return false;
#endif
}
else
@ -654,6 +701,7 @@ bool srt::CCryptoControl::init(HandshakeSide side, const CSrtConfig& cfg, bool b
void srt::CCryptoControl::close()
{
/* Wipeout secrets */
sync::ScopedLock lck(m_mtxLock);
memset(&m_KmSecret, 0, sizeof(m_KmSecret));
}
@ -691,9 +739,8 @@ static std::string CryptoFlags(int flg)
} // namespace srt
#endif // ENABLE_HEAVY_LOGGING
bool srt::CCryptoControl::createCryptoCtx(size_t keylen, HaiCrypt_CryptoDir cdir, HaiCrypt_Handle& w_hCrypto)
bool srt::CCryptoControl::createCryptoCtx(HaiCrypt_Handle& w_hCrypto, size_t keylen, HaiCrypt_CryptoDir cdir, bool bAESGCM)
{
if (w_hCrypto)
{
// XXX You can check here if the existing handle represents
@ -715,7 +762,7 @@ bool srt::CCryptoControl::createCryptoCtx(size_t keylen, HaiCrypt_CryptoDir cdir
m_KmRefreshRatePkt = 2000;
m_KmPreAnnouncePkt = 500;
#endif
crypto_cfg.flags = HAICRYPT_CFG_F_CRYPTO | (cdir == HAICRYPT_CRYPTO_DIR_TX ? HAICRYPT_CFG_F_TX : 0);
crypto_cfg.flags = HAICRYPT_CFG_F_CRYPTO | (cdir == HAICRYPT_CRYPTO_DIR_TX ? HAICRYPT_CFG_F_TX : 0) | (bAESGCM ? HAICRYPT_CFG_F_GCM : 0);
crypto_cfg.xport = HAICRYPT_XPT_SRT;
crypto_cfg.cryspr = HaiCryptCryspr_Get_Instance();
crypto_cfg.key_len = (size_t)keylen;
@ -724,7 +771,6 @@ bool srt::CCryptoControl::createCryptoCtx(size_t keylen, HaiCrypt_CryptoDir cdir
crypto_cfg.km_refresh_rate_pkt = m_KmRefreshRatePkt == 0 ? HAICRYPT_DEF_KM_REFRESH_RATE : m_KmRefreshRatePkt;
crypto_cfg.km_pre_announce_pkt = m_KmPreAnnouncePkt == 0 ? SRT_CRYPT_KM_PRE_ANNOUNCE : m_KmPreAnnouncePkt;
crypto_cfg.secret = m_KmSecret;
//memcpy(&crypto_cfg.secret, &m_KmSecret, sizeof(crypto_cfg.secret));
HLOGC(cnlog.Debug, log << "CRYPTO CFG: flags=" << CryptoFlags(crypto_cfg.flags) << " xport=" << crypto_cfg.xport << " cryspr=" << crypto_cfg.cryspr
<< " keylen=" << crypto_cfg.key_len << " passphrase_length=" << crypto_cfg.secret.len);
@ -740,7 +786,7 @@ bool srt::CCryptoControl::createCryptoCtx(size_t keylen, HaiCrypt_CryptoDir cdir
return true;
}
#else
bool srt::CCryptoControl::createCryptoCtx(size_t, HaiCrypt_CryptoDir, HaiCrypt_Handle&)
bool srt::CCryptoControl::createCryptoCtx(HaiCrypt_Handle&, size_t, HaiCrypt_CryptoDir, bool)
{
return false;
}
@ -754,6 +800,8 @@ srt::EncryptionStatus srt::CCryptoControl::encrypt(CPacket& w_packet SRT_ATR_UNU
if ( getSndCryptoFlags() == EK_NOENC )
return ENCS_CLEAR;
// Note that in case of GCM the header has to zero Retransmitted Packet Flag (R).
// If TSBPD is disabled, timestamp also has to be zeroed.
int rc = HaiCrypt_Tx_Data(m_hSndCrypto, ((uint8_t*)w_packet.getHeader()), ((uint8_t*)w_packet.m_pcData), w_packet.getLength());
if (rc < 0)
{
@ -826,10 +874,10 @@ srt::EncryptionStatus srt::CCryptoControl::decrypt(CPacket& w_packet SRT_ATR_UNU
return ENCS_FAILED;
}
int rc = HaiCrypt_Rx_Data(m_hRcvCrypto, ((uint8_t *)w_packet.getHeader()), ((uint8_t *)w_packet.m_pcData), w_packet.getLength());
if ( rc <= 0 )
const int rc = HaiCrypt_Rx_Data(m_hRcvCrypto, ((uint8_t *)w_packet.getHeader()), ((uint8_t *)w_packet.m_pcData), w_packet.getLength());
if (rc <= 0)
{
LOGC(cnlog.Error, log << "decrypt ERROR (IPE): HaiCrypt_Rx_Data failure=" << rc << " - returning failed decryption");
LOGC(cnlog.Note, log << "decrypt ERROR: HaiCrypt_Rx_Data failure=" << rc << " - returning failed decryption");
// -1: decryption failure
// 0: key not received yet
return ENCS_FAILED;