srtpenc

srtpenc acts as an encoder that adds security to RTP and RTCP packets in the form of encryption and authentication. It outputs SRTP and SRTCP.

An application can request multiple RTP and RTCP pads to protect, but every sink pad requested must receive packets from the same source (identical SSRC). If a packet received contains a different SSRC, a warning is emitted and the valid SSRC is forced on the packet.

This element uses the libsrtp library. When the first packet is received, the library is initialized with a new stream (based on the SSRC). It uses the default RTP and RTCP encryption and authentication mechanisms, unless the user has set the relevant properties first. It also uses a master key that MUST be set through the key property at the beginning. The master key has a maximum length of 46 characters (14 characters for the salt plus the key). The encryption and authentication mechanisms available are:

Encryption (properties rtp-cipher and rtcp-cipher)

  • AES_ICM 256 bits (maximum security)
  • AES_ICM 128 bits (default)
  • NULL

Authentication (properties rtp-auth and rtcp-auth)

  • HMAC_SHA1 80 bits (default, maximum protection)
  • HMAC_SHA1 32 bits
  • NULL

Note that for SRTP protection, authentication is mandatory (non-null) if encryption is used (non-null).
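A pre-flight check for the rules above, as an added example that is not part of the GStreamer documentation or source. It covers only the AES_ICM and NULL options described in this text. It assumes the expected key length is the largest selected cipher key plus the 14-byte salt, and that gst-launch-1.0 accepts the key buffer as a hex string.

```python
import secrets

SALT_LEN = 14  # bytes of salt appended to the cipher key, as the page states
CIPHER_KEY_LEN = {"null": 0, "aes-128-icm": 16, "aes-256-icm": 32}
AUTH_TYPES = ("null", "hmac-sha1-32", "hmac-sha1-80")
DEFAULTS = {"rtp-cipher": "aes-128-icm", "rtp-auth": "hmac-sha1-80",
            "rtcp-cipher": "aes-128-icm", "rtcp-auth": "hmac-sha1-80"}

def new_master_key(cipher="aes-128-icm"):
    """Fresh random master key plus salt from the OS CSPRNG."""
    return secrets.token_bytes(CIPHER_KEY_LEN[cipher] + SALT_LEN)

def check_srtpenc_config(key, **overrides):
    """Return (errors, warnings) for a proposed set of srtpenc properties."""
    props = {**DEFAULTS, **{k.replace("_", "-"): v for k, v in overrides.items()}}
    errors, warnings = [], []
    for kind in ("rtp", "rtcp"):
        cipher, auth = props[f"{kind}-cipher"], props[f"{kind}-auth"]
        if cipher not in CIPHER_KEY_LEN or auth not in AUTH_TYPES:
            errors.append(f"{kind}: value not covered by this check")
            continue
        if cipher != "null" and auth == "null":
            errors.append(f"{kind}: encryption requires non-null authentication")
        if cipher == "null":
            warnings.append(f"{kind}: payload is not encrypted")
        if auth == "hmac-sha1-32":
            warnings.append(f"{kind}: 32-bit tag instead of the 80-bit default")
    # Assumption: expected length is the largest selected cipher key plus salt,
    # never below the 30-byte minimum the key property documents.
    sizes = [CIPHER_KEY_LEN.get(props[f"{k}-cipher"], 0) for k in ("rtp", "rtcp")]
    expected = max(30, max(sizes) + SALT_LEN)
    if len(key) != expected:
        errors.append(f"key: {len(key)} bytes, expected {expected}")
    return errors, warnings

def launch_fragment(key, **overrides):
    """Element description for gst-launch-1.0; the key is written as hex."""
    props = {k.replace("_", "-"): v for k, v in overrides.items()}
    extra = "".join(f" {k}={v}" for k, v in sorted(props.items()))
    return f'srtpenc key="{key.hex()}"{extra}'
```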

When requested to create a sink pad, a linked source pad is created. Each packet received is first analysed (checked for valid SSRC) then its buffer is protected with libsrtp, then pushed on the source pad. If protection failed or the stream could not be created, the buffer is dropped and a warning is emitted. The packets pushed on the source pad are of type 'application/x-srtp' or 'application/x-srtcp'.

When the maximum usage of the master key is reached, a soft-limit signal is sent to the user. The user must then set a new master key by property. If the hard limit is reached, a flag is set and every subsequent packet is dropped, until a new key is set and the stream has been updated.

If a stream is to be shared between multiple clients, it is also possible to request the internal SRTP rollover counter for a given SSRC. The rollover counter should then be transmitted to the clients and used by them to authenticate and decrypt the packets. Otherwise the clients will start with a rollover counter of 0, which will probably be incorrect if the stream has already been transmitted for a while to other clients.
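Why a late-joining client needs the rollover counter, as an added example that is not part of the GStreamer documentation or source: in SRTP (RFC 3711) the authentication tag is computed over the packet followed by the 32-bit ROC, so a receiver starting at ROC 0 rejects packets from a sender whose counter has advanced. The authentication key and RTP packet are constructed for the demo, and encryption and key derivation are left out.

```python
import hashlib
import hmac
import struct

AUTH_KEY = bytes(range(20))  # constructed session auth key for the demo
TAG_LEN = 10                 # hmac-sha1-80 keeps 80 bits of the HMAC

def rtp_packet(seq, ssrc=0x1234ABCD, payload=b"constructed payload"):
    """Minimal constructed RTP packet: V=2, PT=96, fixed timestamp."""
    return struct.pack(">BBHII", 0x80, 96, seq, 160, ssrc) + payload

def packet_index(roc, seq):
    """48-bit SRTP index: i = 2^16 * ROC + SEQ."""
    return (roc << 16) | seq

def auth_tag(packet, roc):
    """The tag covers the packet followed by the 32-bit ROC."""
    mac = hmac.new(AUTH_KEY, packet + struct.pack(">I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]

def guess_roc(roc, s_l, seq):
    """RFC 3711 index estimate: choose ROC-1, ROC or ROC+1 around s_l."""
    if s_l < 0x8000:
        v = roc - 1 if seq - s_l > 0x8000 else roc
    else:
        v = roc + 1 if s_l - 0x8000 > seq else roc
    return v & 0xFFFFFFFF

def receive(packet, tag, roc, s_l):
    """Return (authenticated, roc_used) for a receiver holding (roc, s_l)."""
    seq = struct.unpack(">H", packet[2:4])[0]
    v = guess_roc(roc, s_l, seq)
    return hmac.compare_digest(auth_tag(packet, v), tag), v

def late_join_demo(sender_roc=3, seq=0x0102):
    """Sender has wrapped its sequence number three times before the join."""
    pkt = rtp_packet(seq)
    tag = auth_tag(pkt, sender_roc)
    without_roc = receive(pkt, tag, roc=0, s_l=seq)[0]
    with_roc = receive(pkt, tag, roc=sender_roc, s_l=seq)[0]
    return without_roc, with_roc
```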

This element supports sending with a single Master Key. It is possible to set the Master Key Identifier (MKI) using the "mki" property. If this property is set, the MKI will be added to every buffer.

Hierarchy

GObject
    ╰──GInitiallyUnowned
        ╰──GstObject
            ╰──GstElement
                ╰──srtpenc

Factory details

Authors – Gabriel Millaire

Classification – Filter/Network/SRTP

Rank – none

Plugin – srtp

Package – GStreamer Bad Plug-ins

Pad Templates

rtcp_sink_%u

application/x-rtcp:

Presence – request

Direction – sink

Object type – GstPad


rtcp_src_%u

application/x-srtcp:

Presence – sometimes

Direction – src

Object type – GstPad


rtp_sink_%u

application/x-rtp:

Presence – request

Direction – sink

Object type – GstPad


rtp_src_%u

application/x-srtp:

Presence – sometimes

Direction – src

Object type – GstPad


Signals

soft-limit

soft_limit_callback (GstElement * gstsrtpenc,
                     gpointer udata)

def soft_limit_callback (gstsrtpenc, udata):
    # python callback for the 'soft-limit' signal
    pass

function soft_limit_callback(gstsrtpenc, udata) {
    // javascript callback for the 'soft-limit' signal
}

Signal emitted when the stream with ssrc has reached the soft limit of utilisation of its master encryption key. The user should provide a new key by setting the GstSrtpEnc:key property.

Parameters:

gstsrtpenc

the element on which the signal is emitted

udata
No description available

Flags: Run Last


Properties

allow-repeat-tx

“allow-repeat-tx” gboolean

Whether retransmissions of packets with the same sequence number are allowed. (Note that such repeated transmissions must have the same RTP payload, or a severe security weakness is introduced!)

Flags : Read / Write

Default value : false


key

“key” GstBuffer *

Master key (minimum of 30 and maximum of 46 bytes)

Flags : Read / Write


mki

“mki” GstBuffer *

Master key Identifier (NULL means no MKI)

Flags : Read / Write


random-key

“random-key” gboolean

Generate a random key if TRUE

Flags : Read / Write

Default value : false


replay-window-size

“replay-window-size” guint

Size of the replay protection window

Flags : Read / Write

Default value : 128


rtcp-auth

“rtcp-auth” GstSrtpAuthType *

RTCP Authentication

Flags : Read / Write

Default value : hmac-sha1-80 (2)


rtcp-cipher

“rtcp-cipher” GstSrtpCipherType *

RTCP Cipher

Flags : Read / Write

Default value : aes-128-icm (1)


rtp-auth

“rtp-auth” GstSrtpAuthType *

RTP Authentication

Flags : Read / Write

Default value : hmac-sha1-80 (2)


rtp-cipher

“rtp-cipher” GstSrtpCipherType *

RTP Cipher

Flags : Read / Write

Default value : aes-128-icm (1)


stats

“stats” GstStructure *

Various statistics

Flags : Read

Default value :

application/x-srtp-encoder-stats, streams=(int)<  >;

Named constants

GstSrtpAuthType

Members

null (0) – GST_SRTP_AUTH_NULL
hmac-sha1-32 (1) – GST_SRTP_AUTH_HMAC_SHA1_32
hmac-sha1-80 (2) – GST_SRTP_AUTH_HMAC_SHA1_80

GstSrtpCipherType

Members

null (0) – GST_SRTP_CIPHER_NULL
aes-128-icm (1) – GST_SRTP_CIPHER_AES_128_ICM
aes-256-icm (2) – GST_SRTP_CIPHER_AES_256_ICM
aes-128-gcm (3) – GST_SRTP_CIPHER_AES_128_GCM
aes-256-gcm (4) – GST_SRTP_CIPHER_AES_256_GCM
