[FFmpeg-devel] [PATCH 4/4] lavf/tls: verify TLS connections by default whenever possible

rcombs rcombs at rcombs.me
Sat May 30 06:57:53 EEST 2020


---
 libavformat/tls.c | 13 +++++++++++++
 libavformat/tls.h |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/libavformat/tls.c b/libavformat/tls.c
index 10e0792e29..3cf24ca056 100644
--- a/libavformat/tls.c
+++ b/libavformat/tls.c
@@ -64,6 +64,19 @@ int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AV
 
     set_options(c, uri);
 
+    if (c->verify < 0) {
+        c->verify = c->listen;
+#if CONFIG_MBEDTLS
+        if (!c->listen && !c->ca_file) {
+            av_log(parent, AV_LOG_WARNING, "ffmpeg was configured with mbedTLS and no root CA store was provided,\n"
+                                           "so this connection will be made insecurely.\n"
+                                           "To make this connection securely, specify a path to a root bundle\n"
+                                           "with the 'ca_file' option.");
+            c->verify = 0;
+        }
+#endif
+    }
+
     if (c->listen)
         snprintf(opts, sizeof(opts), "?listen=1");
 
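Review bot: The fallback `c->verify = c->listen;` at the top of the new block looks inverted relative to the patch's stated goal: a client (`listen == 0`) ends up with `verify == 0`, and the mbedTLS branch below it, which only fires for `!c->listen` and then assigns `c->verify = 0`, becomes a no-op, while a listening server would start demanding client certificates. The rest of the block only makes sense if the line reads `c->verify = !c->listen;` (verify the peer on outgoing connections, do not require a client certificate when listening), so the warning path genuinely downgrades something. The av_log text also ends with `'ca_file' option."` and no trailing `\n`, unlike the three lines before it, so the next log line will be appended to the same line. ff_tls_open_underlying begins before and continues after this hunk.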
diff --git a/libavformat/tls.h b/libavformat/tls.h
index 6c2d025f6c..e4854c28da 100644
--- a/libavformat/tls.h
+++ b/libavformat/tls.h
@@ -45,7 +45,7 @@ typedef struct TLSShared {
 #define TLS_COMMON_OPTIONS(pstruct, options_field) \
     {"ca_file",    "Certificate Authority database file", offsetof(pstruct, options_field . ca_file),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"cafile",     "Certificate Authority database file", offsetof(pstruct, options_field . ca_file),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
-    {"tls_verify", "Verify the peer certificate",         offsetof(pstruct, options_field . verify),    AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
+    {"tls_verify", "Verify the peer certificate",         offsetof(pstruct, options_field . verify),    AV_OPT_TYPE_BOOL, { .i64 = -1 }, -1, 1, .flags = TLS_OPTFL }, \
     {"cert_file",  "Certificate file",                    offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"key_file",   "Private key file",                    offsetof(pstruct, options_field . key_file),  AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"listen",     "Listen for incoming connections",     offsetof(pstruct, options_field . listen),    AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
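Review bot: The help string `"Verify the peer certificate"` still describes a plain on/off switch, while the option's default is now -1 and its range is widened to -1..1, so `-h` output no longer tells the user that the default is resolved at open time. A wording such as `"Verify the peer certificate (auto by default)"` would document the tri-state without overstating what the resolution logic does. Every backend that reads `c->verify` presumably does so only after ff_tls_open_underlying has replaced the -1, but that cannot be confirmed from this patch and is worth a check, since -1 is truthy in a plain `if (c->verify)` test.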
-- 
2.26.2


