SUP-36185: Enable AEAD encryption for SRT.

kaltura · Feb 5, 2024 · 5850647 · 5850647
1 parent 6dab0a4
commit 5850647
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -170,6 +170,15 @@ Sets a passphrase for encryption, see the libsrt documentation of the `SRTO_PASS
 
 The parameter value can contain variables.
 
+#### cryptomode
+* **syntax**: `cryptomode expr;`
+* **default**: ``
+* **context**: `srt, server`
+
+Sets a cryptomode for encryption, see the libsrt documentation of the `SRTO_CRYPTOMODE` option for more details.
+
+The parameter value can contain variables.
+
 #### in_buf_size
 * **syntax**: `in_buf_size size;`
 * **default**: `64k`

diff --git a/src/ngx_srt.h b/src/ngx_srt.h
@@ -100,6 +100,7 @@ typedef struct {
 
     ngx_srt_conn_options_t         srt_opts;
     ngx_srt_complex_value_t       *passphrase;
+    ngx_srt_complex_value_t       *cryptomode;
 } ngx_srt_core_srv_conf_t;
 
 

diff --git a/src/ngx_srt_connection.c b/src/ngx_srt_connection.c
@@ -1824,6 +1824,7 @@ ngx_srt_listen_callback(void *data, SRTSOCKET ns, int hs_version,
     const struct sockaddr *peeraddr, const char *stream_id)
 {
     int                       socklen;
+    int                       cryptomode;
     int                       serr, serrno;
     ngx_str_t                 value;
     ngx_log_t                *log;
@@ -1912,6 +1913,52 @@ ngx_srt_listen_callback(void *data, SRTSOCKET ns, int hs_version,
         goto failed;
     }
 
+   if (cscf->cryptomode != NULL) {
+        /* evaluate the cryptomode */
+        if (ngx_srt_complex_value(s, cscf->cryptomode, &value) != NGX_OK) {
+            ngx_log_error(NGX_LOG_NOTICE, log, 0,
+                "ngx_srt_listen_callback: complex value failed");
+            goto failed;
+        }
+
+        if (value.len == 0) {
+            ngx_destroy_pool(c->pool);
+            return 0;
+        }
+
+        cryptomode = (int)ngx_atoi(value.data, value.len);
+
+        /* set the cryptomode */
+        if (cryptomode > 2) {
+            ngx_log_error(NGX_LOG_ERR, log, 0,
+                "ngx_srt_listen_callback: invalid cryptomode \"%d\"", cryptomode);
+            goto failed;
+        }
+
+        if (srt_setsockflag(ns, SRTO_CRYPTOMODE, &cryptomode, sizeof(cryptomode)) != 0) {
+            serr = srt_getlasterror(&serrno);
+            ngx_log_error(NGX_LOG_ERR, log, serrno,
+                "ngx_srt_listen_callback: "
+                "srt_setsockflag(SRTO_CRYPTOMODE) failed %d", serr);
+            goto failed;
+        }
+    }
+
+
+
+
+ /*   ngx_log_error(NGX_LOG_ERR, log, 0,
+        "ngx_srt_listen_callback: "
+        "srt_setsockflag(SRTO_CRYPTOMODE) lal");
+
+    if (srt_setsockflag(ns, SRTO_CRYPTOMODE,&blocking, sizeof (blocking)) != 0) {
+        serr = srt_getlasterror(&serrno);
+        ngx_log_error(NGX_LOG_ERR, log, serrno,
+            "ngx_srt_listen_callback: "
+            "srt_setsockflag(SRTO_CRYPTOMODE) failed %d", serr);
+        goto failed;
+    }*/
+
     ngx_destroy_pool(c->pool);
 
     return 0;

diff --git a/src/ngx_srt_core_module.c b/src/ngx_srt_core_module.c
@@ -134,6 +134,13 @@ static ngx_command_t  ngx_srt_core_commands[] = {
       offsetof(ngx_srt_core_srv_conf_t, passphrase),
       NULL },
 
+    { ngx_string("cryptomode"),
+      NGX_SRT_MAIN_CONF|NGX_SRT_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_srt_set_complex_value_slot,
+      NGX_SRT_SRV_CONF_OFFSET,
+      offsetof(ngx_srt_core_srv_conf_t, cryptomode),
+      NULL },
+
       ngx_null_command
 };
 
@@ -280,6 +287,10 @@ ngx_srt_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
         conf->passphrase = prev->passphrase;
     }
 
+    if (conf->cryptomode == NULL) {
+        conf->cryptomode = prev->cryptomode;
+    }
+
     return NGX_CONF_OK;
 }