From 6f953e3dcd4a912077decb1ea52e13b542b4a204 Mon Sep 17 00:00:00 2001 From: Sektor van Skijlen Date: Mon, 14 Dec 2020 17:39:35 +0100 Subject: [PATCH] [docs] Fixed wrong description concerning passphrase (#1701) --- docs/APISocketOptions.md | 23 +++++++++++++---------- srtcore/srt.h | 4 ++-- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/docs/APISocketOptions.md b/docs/APISocketOptions.md index 82da159cf..5e7313526 100644 --- a/docs/APISocketOptions.md +++ b/docs/APISocketOptions.md 
@@ -867,20 +867,23 @@ For details, see [Packet Filtering & FEC](packet-filtering-and-fec.md). | `SRTO_PASSPHRASE` | 0.0.0 | pre | `string` | | "" |[10..79]| W | GSD | Sets the passphrase for encryption. This enables encryption on this party (or -disables it, if an empty passphrase is passed). +disables it, if an empty passphrase is passed). The password must be minimum +10 and maximum 79 characters long. The passphrase is the shared secret between the sender and the receiver. It is used to generate the Key Encrypting Key using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2) -(Password-Based Key Derivation Function 2). It is used on the receiver only if -the received data is encrypted. +(Password-Based Key Derivation Function 2). + +When a socket with configured passphrase is being connected, the peer must +have the same password set, or the connection is rejected. This behavior can be +changed by [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION). Note that since the introduction of bidirectional support, there's only one -initial SEK to encrypt the stream (new keys after refreshing will be updated -independently), and there's no distinction between "service party that defines -the password" and "client party that is required to set matching password" - both -parties are equivalent, and in order to have a working encrypted connection, they -have to simply set the same passphrase. Otherwise the connection is rejected by -default (see also [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION)). +initial encryption key to encrypt the stream (new keys after refreshing will be +updated independently), and there's no distinction between "service party that +defines the password" and "client party that is required to set matching +password" - both parties are equivalent, and in order to have a working +encrypted connection, they have to simply set the same passphrase. [Return to list](#list-of-options) 
@@ -911,7 +914,7 @@ For File mode: Default value is 0 and it's recommended not to be changed. | -------------------- | ----- | ------- | ---------- | ------- | -------- | ------ | --- | ------ | | `SRTO_PBKEYLEN` | 0.0.0 | pre | `int32_t` | bytes | 0 | * | RW | GSD | -Sender encryption key length. +Encryption key length. Possible values: diff --git a/srtcore/srt.h b/srtcore/srt.h index f3a5becdc..f0a8b233a 100644 --- a/srtcore/srt.h +++ b/srtcore/srt.h @@ -206,8 +206,8 @@ typedef enum SRT_SOCKOPT { SRTO_LATENCY = 23, // NOT RECOMMENDED. SET: to both SRTO_RCVLATENCY and SRTO_PEERLATENCY. GET: same as SRTO_RCVLATENCY. SRTO_INPUTBW = 24, // Estimated input stream rate. SRTO_OHEADBW, // MaxBW ceiling based on % over input stream rate. Applies when UDT_MAXBW=0 (auto). - SRTO_PASSPHRASE = 26, // Crypto PBKDF2 Passphrase size[0,10..64] 0:disable crypto - SRTO_PBKEYLEN, // Crypto key len in bytes {16,24,32} Default: 16 (128-bit) + SRTO_PASSPHRASE = 26, // Crypto PBKDF2 Passphrase (must be 10..79 characters, or empty to disable encryption) + SRTO_PBKEYLEN, // Crypto key len in bytes {16,24,32} Default: 16 (AES-128) SRTO_KMSTATE, // Key Material exchange status (UDT_SRTKmState) SRTO_IPTTL = 29, // IP Time To Live (passthru for system sockopt IPPROTO_IP/IP_TTL) SRTO_IPTOS, // IP Type of Service (passthru for system sockopt IPPROTO_IP/IP_TOS)
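Review bot: in the `docs/APISocketOptions.md` hunk at `@@ -867`, the added lines switch between "passphrase" and "password" ("The password must be minimum 10 and maximum 79 characters long", "the peer must have the same password set") while the option name, the table row and the PBKDF2 sentence all say "passphrase"; keep one term, and tighten the grammar to "The passphrase must be between 10 and 79 characters long" and "When a socket with a configured passphrase is being connected". The length limits now appear twice in this section (the `[10..79]` column and the prose), so a future change must update both; a short remark that the prose restates the table would help. The new sentence on `SRTO_ENFORCEDENCRYPTION` says the rejection "can be changed" but not what the alternative behaviour is; since that setting decides whether a passphrase mismatch fails the connection, a half-sentence stating what happens when enforcement is off would let the reader make that security-relevant decision without following the link.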
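Review bot: in the `docs/APISocketOptions.md` hunk at `@@ -911`, "Encryption key length." matches the bidirectional wording of the first hunk, but the row still lists the default as `0` and the range as `*`, while the `srt.h` comment changed in this same patch says "{16,24,32} Default: 16 (AES-128)"; if `0` means "not set, use 16 bytes", say so in the sentence being edited (for example "Encryption key length in bytes; 0 selects the default of 16") so the two files do not appear to disagree about the default.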
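Review bot: in the `srtcore/srt.h` hunk at `@@ -206`, the `SRTO_PASSPHRASE` comment raises the documented maximum from 64 to 79 characters, which now agrees with the `[10..79]` column in `docs/APISocketOptions.md`, but the commit message only says "Fixed wrong description" and does not say whether 79 is the limit the library enforces or only a corrected comment; since `srt.h` is the public header, state that in the commit message or the docs so users do not read it as a silent behaviour change. The `SRTO_PBKEYLEN` comment now reads "Default: 16 (AES-128)" while the docs row for the same option in this patch shows default `0`; reconcile the two, for example by writing "Default: 0 (uses 16, AES-128)" here, or by documenting the meaning of `0` in the `.md` row.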