-
Notifications
You must be signed in to change notification settings - Fork 842
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] HSv5 accepts HSv4 connection with bad passphrase #1977
Comments
HSv4 does not have the information about the key to be used (Key Material message as HS extension). Instead, a separate control packet with the key is expected to arrive later on. Therefore, there is no way to determine if the peer has the correct key at the stage of handshaking to reject the connection. It could be determined later, waiting for several seconds for the follow-up KM message and breaking the connection if none arrives. But it would complicate the logic and bring some unclear heuristics in the process. A corresponding note on this limitation needs to be added to the docs. |
The Also in HSv4 supporting versions there wasn't any possibility to reject a connection at all. Therefore, the listener will not reject the connection no matter what, and this cannot be fixed now with the old version. This applies also to newer versions, unfortunately, because the connection mechanism with HSv4 is different than with HSv5 and if at least one side doesn't support HSv5, the connection will be done in the frames of HSv4, and this procedure doesn't support rejection as well. There possibly could be made something to change it in a newer version, but the problem is that the HSv4 handshake does only a "bare" handskaking - doesn't exchange any data beside the basic ones needed for connection, which means that the encryption state is not even known until the connection is complete and therefore there is no reason to reject a connection whatsoever. Worseover, at the moment when this parameter is known, the terms of "caller" and "listener" no longer exist, only "sender" and "receiver". Theoretically it could be possible that in HSv5 agent (no matter if listener or caller) that has been connected using HSv4 due to requirements of the peer, the RECEIVER that is receiving packets, they are encrypted, the encryption phase has been finished,
I personally think that the only thing that could be done to make things better is that |
The SRT sender knows an HSv4 receiver does not have the right passphrase from the KMrsp message. It cannot reject the connection in the handshake but can close the established connection in that case, limiting the period of packets transmitted to RTT, and freeing the port to permit a legit peer to connect and receive stream. |
Ah, ok right - except the fact that UMSG_EXT messages are not granted delivery, so it can't be done 100% reliably. And still the case of a password of correct length is true. Actually the idea behind having SRTO_ENFORCEDENCRYPTION true by default was to not allow a listener that is password-protected receive an unencrypted stream. But in order to enforce that protection in full length the application should as well set the minimum version (SRTO_MINVERSION) to 1.3.0, in which case 1.2.0 version SRT will be rejected always. This is the only way how it can be fully protected because if you allow connections from 1.2.0 callers, you must allow a "bare" handshake that is unknown as to whether it will ever send KMX messages (which can be also send AFTER some data packets). At best it could be done possibly something like that it should wait up to 1 second since the first data packet and:
Not sure if this is a good idea, but maybe better than it is now. |
Describe the bug
Versions of SRT that use HSv5 blindly accept incoming connections using HSv4. This behavior is contrary to what is described in SRT's documentation.
This is relevant because the version of SRT used in VLC appears to use HSv4.
Thus, connecting to an encrypted SRT socket from VLC with the wrong passphrase results in the connection being accepted, and VLC receiving encrypted packets that it cannot decrypt. Additionally, this blocks other incoming connections that may have the correct passphrase.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expect the SRT socket using HSv5 to reach the SRT_KM_S_BADSECRET state and reject the incoming HSv4 connection.
Desktop (please provide the following information):
Additional context
If this is an irreconcilable difference between HSv4 and HSv5, then please add this case to the documentation so I can point to it when I make a request to VLC to support newer versions of SRT.
If a newer version of VLC has already provided support for newer versions of SRT (couldn't find any info on this in VLC's docs), then please let me know.
Attachments
I have a pcap from the listening SRT process, but it's larger than 10MB when gzipped so I can't attach it here. If you think it would be useful I can trim it or upload it elsewhere.
I have attached a debug log from the listener as well.
debug_log.tar.gz
The text was updated successfully, but these errors were encountered: