docs: add SRP for Advanced Profile, update THANKS and Roadmap

- Add SRP passphrase exchange to the Advanced Profile feature list
  in README and NEWS (already functional, was not documented).
- Remove SRP Auth from the Planned section (already implemented).
- Add 4 AP+SRP integration tests (auth success, missing creds,
  password mismatch).
- Clone EAP context during AP peer initialization so SRP works
  when the first packet from a connecting peer is Type 8.
- Update THANKS.md with all contributors from git history.
Sergio Ammirata
2026-05-29 21:56:15 -04:00
parent 76d4eabfe2
commit 5f3dfe77eb
5 changed files with 33 additions and 5 deletions
+4 -2
@@ -48,6 +48,8 @@ New Features:
- PSK encryption mode 1 (AES-CTR, Main Profile compatible) with
per-packet Nonce/IV in the AP header.
- Future Nonce Announcement (CI=0x8011) for zero-latency key rotation.
- SRP (Secure Remote Password) passphrase exchange, reusing the EAP-SRP
state machine from Main Profile over Type 8 encapsulated EAPOL.
- Flow ID field (I flag): virt_dst_port and virt_src_port map to/from
the AP Outer/Inner Flow ID hierarchy on the wire.
- LZ4 payload compression (LPC=1): sender compresses before encryption,
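Review bot: the new SRP entry in this feature list does not say that the feature is build-dependent or how a user turns it on. The peer-init change and the new tests in this commit are both conditional (`#if HAVE_SRP_SUPPORT`, `if have_srp`), and the tests enable SRP through the `username=` and `password=` URL parameters; adding both facts to the entry would keep users of a build without SRP from assuming the exchange is taking place.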
@@ -60,8 +62,8 @@ New Features:
to the application.
- Baseline.Direct conformance for single-flow encrypted point-to-point
RIST transport with ARQ.
- 18 integration tests (basic, packet loss, encryption, mismatch,
flow-id, lz4, lz4+encryption, flow-attr).
- 22 integration tests (basic, packet loss, encryption, mismatch,
flow-id, lz4, lz4+encryption, flow-attr, SRP auth).
- 187 unit tests (wire format, timestamp, seq_index, Type 8, PSK modes,
Flow ID mapping, LZ4 roundtrip, flow-attr control roundtrip).
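Review bot: the integration test count of 22 is only reached when SRP is compiled in, because the four tests added by this commit are registered inside `if have_srp`. Suggest qualifying the number (for example "22 integration tests, 18 without SRP support") or dropping the hard count so the line stays true for both build configurations.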
+2 -1
@@ -29,6 +29,7 @@ The goal of this project is to provide a RIST library for **most platforms**.
- Native control plane (Keep-Alive, RTT Echo, NACK Bitmask/Range)
- Full 32-bit sequence numbering
- PSK encryption (AES-CTR mode 1, per-packet Nonce/IV)
- SRP (Secure Remote Password) passphrase exchange
- Future Nonce Announcement for zero-latency key rotation
- Flow ID hierarchy (Outer/Inner/Sub) mapped to stream-id
- LZ4 payload compression with automatic receiver detection
@@ -93,7 +94,7 @@ If you have an application that needs to operate outside the sweet spot describe
### Planned
- VSF TR-06-3 (Advanced Profile) additional conformance levels (DTLS, SRP Auth, Fragmentation)
- VSF TR-06-3 (Advanced Profile) additional conformance levels (DTLS, Fragmentation)
# Tools
+10 -2
@@ -16,5 +16,13 @@ SipRadius LLC for funding this project.
And all the librist Authors (git shortlog -sn), including:
Sergio Ammirata, Kuldeep Singh Dhaka, Daniele Lacamera, Antonio Cardace, Gijs Peskens, James Hurley,
Marvin Scholz, Stephan Mueller
Sergio Ammirata, James Hurley, Daniele Lacamera,
Yannick Le Roux, Thierry Lelegard, Carson Riker, Anders Cedronius,
Zhao Zhili, Matthew Edge, Peter Kovář, Steve Lhomme, Heiko Nickerl,
David Holroyd, Tristan Matthews, RossWang, Christopher Degawa,
Dave Evans, Manuel, Samuel Thibault, Reno Dakota, Olivier Crête,
Kevin Wang, Kevin Pan, Johan Lescure, Gyan Doshi, Florian Ernst,
Derek Prestegard, Denis Slobodskoy, Daisuke Matsunami, Brian Keane,
Bill Roberts, Azamat H. Hackimov, Alyssa Ross, Alexandre Janniaux,
Alexander Podrezenko, Alex Converse, Kuldeep Singh Dhaka,
Antonio Cardace, Marvin Scholz, Stephan Mueller
+9
@@ -2643,6 +2643,15 @@ static void rist_peer_recv(struct evsocket_ctx *evctx, int fd, short revents, vo
}
}
peer_append(p);
#if HAVE_SRP_SUPPORT
eap_clone_ctx(peer->eap_ctx, p);
{
char ip_buf[INET6_ADDRSTRLEN];
char *ip = get_ip_str(&p->u.address, ip_buf, INET6_ADDRSTRLEN);
if (ip)
eap_set_ip_string(p->eap_ctx, ip_buf);
}
#endif
} else {
return;
}
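Review bot: nothing checks that `eap_clone_ctx(peer->eap_ctx, p)` actually produced a context before `p->eap_ctx` is handed to `eap_set_ip_string` a few lines later. If the listening peer has no EAP context (no SRP credentials configured) or the clone fails, this path should skip the IP assignment explicitly, for example with an `if (p->eap_ctx)` guard around the inner block, and it is worth stating in a comment whether a new peer without a cloned context is allowed to proceed unauthenticated. Minor: `ip` is used only for the NULL test while `ip_buf` is what gets passed on, so either pass `ip` or drop the variable. Since these lines change authentication behaviour for the first Type 8 packet from a connecting peer, the `docs:` prefix in the subject undersells them; consider a separate commit.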
+8
@@ -99,6 +99,14 @@ test('Advanced profile LZ4 compression client mode', test_send_receive, args: ['
test('Advanced profile LZ4 compression + 10% loss', test_send_receive, args: ['2', 'rist://@127.0.0.1:7052', 'rist://127.0.0.1:7052?compression=1', '10'],suite: ['advanced', 'unicast', 'server', 'lz4'])
test('Advanced profile LZ4 + AES128 server mode', test_send_receive, args: ['2', 'rist://@127.0.0.1:7053?secret=12345678&aes-type=128', 'rist://127.0.0.1:7053?secret=12345678&aes-type=128&compression=1', '0'],suite: ['advanced', 'unicast', 'server', 'lz4', 'encryption'])
###SRP authentication (Advanced Profile)
if have_srp
test('Advanced profile SRP auth server mode AES128', test_send_receive, args: ['2', 'rist://@127.0.0.1:7070?secret=12345678&aes-type=128&username=testuser&password=testpassword', 'rist://127.0.0.1:7070?secret=12345678&aes-type=128&username=testuser&password=testpassword', '0'],suite: ['advanced', 'unicast', 'server', 'encryption', 'srp'], should_fail: false)
test('Advanced profile SRP auth client mode AES128', test_send_receive, args: ['2', 'rist://127.0.0.1:7071?secret=12345678&aes-type=128&username=testuser&password=testpassword', 'rist://@127.0.0.1:7071?secret=12345678&aes-type=128&username=testuser&password=testpassword', '0'],suite: ['advanced', 'unicast', 'client', 'encryption', 'srp'], should_fail: false)
test('Advanced profile SRP auth client no SRP (should fail)', test_send_receive, args: ['2', 'rist://127.0.0.1:7072?secret=12345678&aes-type=128', 'rist://@127.0.0.1:7072?secret=12345678&aes-type=128&username=testuser&password=testpassword', '0'], suite: ['advanced', 'unicast', 'server', 'encryption', 'srp'], should_fail: true)
test('Advanced profile SRP auth password mismatch (should fail)', test_send_receive, args: ['2', 'rist://127.0.0.1:7073?secret=12345678&aes-type=128&username=testuser&password=wrongpassword', 'rist://@127.0.0.1:7073?secret=12345678&aes-type=128&username=testuser&password=testpassword', '0'],suite: ['advanced', 'unicast', 'server', 'encryption', 'srp'], should_fail: true)
endif
#Encryption tests where 1 side has enabled encryption these should fail
test('Main profile encryption receive server mode unencrypted, sender client mode', test_send_receive, args: ['1', 'rist://@127.0.0.1:6003', 'rist://127.0.0.1:6003?secret=12345678&aes-type=128', '0'], should_fail: true)
test('Main profile encryption receive server mode, sender client mode unencrypted', test_send_receive, args: ['1', 'rist://@127.0.0.1:6004?secret=12345678&aes-type=128', 'rist://127.0.0.1:6004', '0'], should_fail: true)
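Review bot: the two `should_fail: true` SRP cases at the end of the `if have_srp` block pass on any non-zero exit of `test_send_receive`, so a port bind error or an unrelated handshake failure is indistinguishable from an SRP rejection. Suggest having the test report the failure reason, or checking for the authentication failure specifically, so these cases prove that missing or wrong credentials are what stopped the flow. Coverage is also one-sided: in both negative cases it is the connecting URL (no `@`) that lacks or mistypes credentials, and there is no case for an unknown username or for a listening URL without credentials facing a client that has them. Smaller points: both negative cases use the same URL order as the "client mode" test but are tagged `'server'` in `suite:`, and `should_fail: false` is the Meson default and can be dropped.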