[FFmpeg-devel] Secure RTSP

Jay jayridge at gmail.com
Sat Sep 24 17:20:03 EEST 2016


Hi. I am working on a project that requires RTSP over TLS with cafile
support. I patched 3.1.3 to work with openssl. If this is something of
interest, I am happy to finish out the patch - please advise if a different
approach is preferred.

Thank you.
Jay Ridgeway

diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/rtsp.c
ffmpeg-3.1.3_patched/libavformat/rtsp.c
--- ffmpeg-3.1.3/libavformat/rtsp.c	2016-06-26 19:54:30.000000000 -0400
+++ ffmpeg-3.1.3_patched/libavformat/rtsp.c	2016-09-23 11:36:51.000000000 -0400
@@ -97,6 +97,8 @@
     { "stimeout", "set timeout (in microseconds) of socket TCP I/O
operations", OFFSET(stimeout), AV_OPT_TYPE_INT, {.i64 = 0}, INT_MIN,
INT_MAX, DEC },
     COMMON_OPTS(),
     { "user-agent", "override User-Agent header", OFFSET(user_agent),
AV_OPT_TYPE_STRING, {.str = LIBAVFORMAT_IDENT}, 0, 0, DEC },
+    { "ca_file", "Certificate Authority database file",
OFFSET(ca_file), AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC },
+    { "tls_verify", "Verify the peer certificate", OFFSET(verify),
AV_OPT_TYPE_INT, {.i64 = 0}, 0, 1, DEC|ENC},
     { NULL },
 };
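Review bot: `tls_verify` defaults to 0 in the added option entry, so an RTSP-over-TLS session accepts any server certificate unless the user opts in. Supplying `ca_file` alone presumably does not enable checking either, though the TLS backend's handling is not visible on this page. The help string should state the default, for example `"Verify the peer certificate against ca_file (default: off)"`, or the default should follow whether `ca_file` is set. Since the range is 0..1, `AV_OPT_TYPE_BOOL` describes the option better than `AV_OPT_TYPE_INT`, if the target branch has it.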

@@ -1803,9 +1805,25 @@
     } else {
         int ret;
         /* open the tcp connection */
-        ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
-                    host, port,
-                    "?timeout=%d", rt->stimeout);
+        if (strncmp("tls", lower_rtsp_proto, 3) == 0) {
+            if (rt->ca_file != NULL) {
+                ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
+                            host, port,
+                            "?timeout=%d&verify=%d&cafile=%s",
+                            rt->stimeout, rt->verify, rt->ca_file);
+            } else {
+                ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
+                                host, port,
+                                "?timeout=%d&verify=%d",
+                                rt->stimeout, rt->verify);
+            }
+        } else {
+            ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
+                        host, port,
+                        "?timeout=%d", rt->stimeout);
+        }
+        av_log(NULL, AV_LOG_INFO, "tcpname='%s'\n", tcpname);
+
         if ((ret = ffurl_open_whitelist(&rt->rtsp_hd, tcpname,
AVIO_FLAG_READ_WRITE,
                        &s->interrupt_callback, NULL,
s->protocol_whitelist, s->protocol_blacklist, NULL)) < 0) {
             err = ret;
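Review bot: `rt->ca_file` is spliced into the query string with `%s` and no escaping, so a path containing `&`, `?` or `=` is either cut short or parsed as additional options for the tls protocol. Passing both values through the `AVDictionary **options` argument of `ffurl_open_whitelist` (the first `NULL` in the call below) avoids the string building and reduces the three `ff_url_join` calls to one. The key names in the sketch assume the tls protocol's common options are called `ca_file` and `tls_verify`. The added `av_log(NULL, AV_LOG_INFO, ...)` looks like leftover debugging; it should take `s` as its context and log at `AV_LOG_DEBUG`. The enclosing function starts and ends outside this hunk.

```c
        int ret;
        AVDictionary *tls_opts = NULL;
        /* open the tcp connection */
        ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
                    host, port,
                    "?timeout=%d", rt->stimeout);
        if (strncmp("tls", lower_rtsp_proto, 3) == 0) {
            /* hand TLS settings over as options, not as URL text */
            if (rt->ca_file)
                av_dict_set(&tls_opts, "ca_file", rt->ca_file, 0);
            av_dict_set_int(&tls_opts, "tls_verify", rt->verify, 0);
        }
        av_log(s, AV_LOG_DEBUG, "tcpname='%s'\n", tcpname);

        /* … unchanged: ffurl_open_whitelist call, with &tls_opts in place of the first NULL … */
        av_dict_free(&tls_opts);
```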
diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/rtsp.h
ffmpeg-3.1.3_patched/libavformat/rtsp.h
--- ffmpeg-3.1.3/libavformat/rtsp.h	2016-06-26 19:54:30.000000000 -0400
+++ ffmpeg-3.1.3_patched/libavformat/rtsp.h	2016-09-22 17:04:48.000000000 -0400
@@ -408,6 +408,9 @@

     char default_lang[4];
     int buffer_size;
+
+    char *ca_file;
+    int verify;
 } RTSPState;

 #define RTSP_FLAG_FILTER_SRC  0x1    /**< Filter incoming UDP packets -
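Review bot: The two new `RTSPState` fields have no doc comments, and the name `verify` does not say what is being verified. I would write `char *ca_file; /**< CA bundle path handed to the TLS lower protocol ("ca_file" option) */` and `int verify; /**< nonzero: verify the TLS peer certificate ("tls_verify" option) */`. It is also worth noting that `ca_file` is an `AV_OPT_TYPE_STRING` target, so the option system presumably owns and frees the string.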
diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/tls_openssl.c
ffmpeg-3.1.3_patched/libavformat/tls_openssl.c
--- ffmpeg-3.1.3/libavformat/tls_openssl.c	2016-06-26 19:54:30.000000000 -0400
+++ ffmpeg-3.1.3_patched/libavformat/tls_openssl.c	2016-09-23
11:38:19.000000000 -0400
@@ -283,6 +283,12 @@
     return print_tls_error(h, ret);
 }

+static int tls_get_file_handle(URLContext *h)
+{
+    TLSContext *c = h->priv_data;
+    return ffurl_get_file_handle(c->tls_shared.tcp);
+}
+
 static const AVOption options[] = {
     TLS_COMMON_OPTIONS(TLSContext, tls_shared),
     { NULL }
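Review bot: `tls_get_file_handle` exposes the raw TCP descriptor, but readiness on that descriptor is not the same as readiness of the TLS stream. OpenSSL can hold already-decrypted bytes that a `poll()` on the socket never reports, so a caller that polls this handle before reading may stall unless it also consults `SSL_pending()`. How the RTSP code uses the handle is not visible on this page, so that path should be checked. The callback is added only to the OpenSSL backend, so builds using another TLS backend would behave differently unless they get the same hook. A short comment above the function, such as `/* Returns the underlying TCP socket; buffered TLS data is not reflected in its poll state. */`, would record the caveat.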
@@ -301,6 +307,7 @@
     .url_read       = tls_read,
     .url_write      = tls_write,
     .url_close      = tls_close,
+    .url_get_file_handle = tls_get_file_handle,
     .priv_data_size = sizeof(TLSContext),
     .flags          = URL_PROTOCOL_FLAG_NETWORK,
     .priv_data_class = &tls_class,

