[FFmpeg-devel] [PATCH] RTSP: pass TLS args for RTSPS
Jay
jayridge at gmail.com
Sat Oct 15 23:31:23 EEST 2016
Thank you for the feedback. I have been trying to get RTSPS cert validation
incorporated for several weeks. I would greatly appreciate someone on the
core team helping me guide this to completion. Please find your questions
answered below.
> the get_file_handle extensions should be in a spererate patch than
> the rtsp changes
I am process agnostic, but the RTSP changes are dependent on the TLS
changes. There is a check for peer addr in RTSP that is based on the file
descriptor.
> also is it safe for all to use the input file handle that way ?
> for example if one used a fifo the input state would not match the
> relevant output neccessarily
I do not think the peer addr check is necessary. My goal is a minimal
patch, making RTSPS work with basic TLS options.
Ideally, RTSPS would work with `rtsp://` scheme by recognizing TLS
negotiation. I view this patch as an initial step.
Thank you.
Jay
On Sat, Oct 15, 2016 at 3:04 PM Michael Niedermayer <michael at niedermayer.cc>
wrote:
> On Sat, Oct 01, 2016 at 04:20:39PM -0400, jayridge at gmail.com wrote:
>
> > From: Jay Ridgeway <jayridge at gmail.com>
>
> >
>
> >
>
> > This patch enables TLS args for RTSPS. This is necessary for client
>
> > certificates and cert validation.
>
> >
>
> > Squash changes from feedback into one patch.
>
> >
>
> > ---
>
> > libavformat/rtsp.c | 19 ++++++++++++++++---
>
> > libavformat/rtsp.h | 8 ++++++++
>
> > libavformat/tls_gnutls.c | 7 +++++++
>
> > libavformat/tls_openssl.c | 7 +++++++
>
> > libavformat/tls_schannel.c | 7 +++++++
>
> > libavformat/tls_securetransport.c | 7 +++++++
>
> > 6 files changed, 52 insertions(+), 3 deletions(-)
>
> >
>
> > diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
>
> > index c6292c5..53ecb6c 100644
>
> > --- a/libavformat/rtsp.c
>
> > +++ b/libavformat/rtsp.c
>
> > @@ -78,6 +78,7 @@
>
> > { "reorder_queue_size", "set number of packets to buffer for
> handling of reordered packets", OFFSET(reordering_queue_size),
> AV_OPT_TYPE_INT, { .i64 = -1 }, -1, INT_MAX, DEC }, \
>
> > { "buffer_size", "Underlying protocol send/receive buffer
> size", OFFSET(buffer_size), AV_OPT_TYPE_INT, {
> .i64 = -1 }, -1, INT_MAX, DEC|ENC } \
>
> >
>
> > +#define NONNULLSTR(s) (s ? s : "")
>
> >
>
> > const AVOption ff_rtsp_options[] = {
>
> > { "initial_pause", "do not start playing the stream immediately",
> OFFSET(initial_pause), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DEC },
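Review bot: The macro argument in `#define NONNULLSTR(s) (s ? s : "")` is not parenthesized, so passing a compound expression (a conditional, for instance) would bind unexpectedly; the safe form is `#define NONNULLSTR(s) ((s) ? (s) : "")`. Because the macro only exists to build the tls query string, a one-line comment saying that unset TLS options are mapped to an empty value, and that the tls layer is relied on to treat an empty value as "not set", would make the dependency visible; the @@ -1812 hunk is where that assumption actually matters.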
>
> > @@ -97,6 +98,10 @@ const AVOption ff_rtsp_options[] = {
>
> > { "stimeout", "set timeout (in microseconds) of socket TCP I/O
> operations", OFFSET(stimeout), AV_OPT_TYPE_INT, {.i64 = 0}, INT_MIN,
> INT_MAX, DEC },
>
> > COMMON_OPTS(),
>
> > { "user-agent", "override User-Agent header", OFFSET(user_agent),
> AV_OPT_TYPE_STRING, {.str = LIBAVFORMAT_IDENT}, 0, 0, DEC },
>
> > + { "ca_file", "Certificate Authority database file",
> OFFSET(ca_file), AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC },
>
> > + { "tls_verify", "verify the peer certificate", OFFSET(verify),
> AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DEC|ENC},
>
> > + { "cert_file", "certificate file", OFFSET(cert_file),
> AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC },
>
> > + { "key_file", "private key file", OFFSET(key_file),
> AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC },
>
> > { NULL },
>
> > };
>
> >
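Review bot: `tls_verify` defaults to 0 here, so an `rtsps://` session performs no peer certificate validation unless the caller opts in, and neither the option description nor the commit message says so. Suggest `{ "tls_verify", "verify the peer certificate (disabled by default)", OFFSET(verify), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DEC|ENC },` and the same wording in the protocol documentation, since users will reasonably assume the "S" in RTSPS implies authentication. As far as I recall the tls protocol's own `tls_verify` also defaults to 0, so keeping 0 is consistent, but the default should be stated rather than discovered. A minor style point: the four new descriptions mix capitalization ("Certificate Authority database file" vs "verify the peer certificate"); the surrounding table uses lowercase.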
>
> > @@ -1812,9 +1817,17 @@ redirect:
>
> > } else {
>
> > int ret;
>
> > /* open the tcp connection */
>
> > - ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
>
> > - host, port,
>
> > - "?timeout=%d", rt->stimeout);
>
> > + if (strcmp("tls", lower_rtsp_proto) == 0) {
>
> > + ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto,
> NULL,
>
> > + host, port,
>
> > +
> "?timeout=%d&verify=%d&cafile=%s&cert_file=%s&key_file=%s",
>
> > + rt->stimeout, rt->verify,
> NONNULLSTR(rt->ca_file),
>
> > + NONNULLSTR(rt->cert_file),
> NONNULLSTR(rt->key_file));
>
> > + } else {
>
> > + ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto,
> NULL,
>
> > + host, port,
>
> > + "?timeout=%d", rt->stimeout);
>
> > + }
>
> > if ((ret = ffurl_open_whitelist(&rt->rtsp_hd, tcpname,
> AVIO_FLAG_READ_WRITE,
>
> > &s->interrupt_callback, NULL,
> s->protocol_whitelist, s->protocol_blacklist, NULL)) < 0) {
>
> > err = ret;
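Review bot: The tls branch forwards every TLS option unconditionally, so an unset `ca_file`, `cert_file` or `key_file` reaches the tls URL as `cafile=`, `cert_file=` and `key_file=` with empty values; whether the tls side then treats "" as "unset" or as a file name to load is not visible here, and if it is the latter, verification or the client-certificate setup would fail or silently degrade. Separately, as far as I recall tls.c's `ff_tls_open_underlying` parses the query keys as `cafile`, `verify`, `cert` and `key`, in which case the `cert_file=`/`key_file=` parameters here are ignored and no client certificate is ever presented; please confirm against that parser. Both concerns go away if only set options are appended, with key names matching the parser, as sketched below; `ff_url_join`/`av_strlcatf` truncate silently, so long paths could still drop a trailing parameter unless the returned length is checked, and paths containing `&` presumably cannot be passed through a query string at all. The enclosing function begins and ends outside the hunk.
```c
        /* open the tcp connection */
        ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
                    host, port, "?timeout=%d", rt->stimeout);
        if (strcmp("tls", lower_rtsp_proto) == 0) {
            /* Forward only the TLS options that were actually set, so an
             * unset option never reaches the tls layer as an empty value.
             * Query keys must match what tls.c's ff_tls_open_underlying
             * parses (recalled as cafile/verify/cert/key) -- confirm. */
            av_strlcatf(tcpname, sizeof(tcpname), "&verify=%d", rt->verify);
            if (rt->ca_file)
                av_strlcatf(tcpname, sizeof(tcpname), "&cafile=%s", rt->ca_file);
            if (rt->cert_file)
                av_strlcatf(tcpname, sizeof(tcpname), "&cert=%s", rt->cert_file);
            if (rt->key_file)
                av_strlcatf(tcpname, sizeof(tcpname), "&key=%s", rt->key_file);
        }
        /* … unchanged: ffurl_open_whitelist call … */
```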
>
> > diff --git a/libavformat/rtsp.h b/libavformat/rtsp.h
>
> > index 852fd67..fa872a8 100644
>
> > --- a/libavformat/rtsp.h
>
> > +++ b/libavformat/rtsp.h
>
> > @@ -408,6 +408,14 @@ typedef struct RTSPState {
>
> >
>
> > char default_lang[4];
>
> > int buffer_size;
>
> > +
>
> > + /** The following are used for RTSPS streams */
>
> > + //@{
>
> > + char *ca_file;
>
> > + int verify;
>
> > + char *cert_file;
>
> > + char *key_file;
>
> > + //@}
>
> > } RTSPState;
>
> >
>
> > #define RTSP_FLAG_FILTER_SRC 0x1 /**< Filter incoming UDP packets -
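Review bot: The new field group is documented only as "used for RTSPS streams", which does not tell a reader how the fields are consumed or what `verify` means. Suggest expanding the group comment to say that these mirror the tls protocol's `ca_file`/`tls_verify`/`cert_file`/`key_file` options, are set via `ff_rtsp_options`, and are forwarded into the tls URL query when `lower_rtsp_proto` is "tls" (the @@ -1812 hunk in rtsp.c), and annotate `int verify;` as a 0/1 flag that is 0 by default. The string members are presumably owned by the AVOption machinery and released with the context; stating that would prevent a later `av_free` being added.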
>
> > diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c
>
> > index 991b36b..ecc80bf 100644
>
> > --- a/libavformat/tls_gnutls.c
>
> > +++ b/libavformat/tls_gnutls.c
>
> > @@ -235,6 +235,12 @@ static int tls_write(URLContext *h, const uint8_t
> *buf, int size)
>
> > return print_tls_error(h, ret);
>
> > }
>
> >
>
> > +static int tls_get_file_handle(URLContext *h)
>
> > +{
>
> > + TLSContext *c = h->priv_data;
>
> > + return ffurl_get_file_handle(c->tls_shared.tcp);
>
> > +}
>
> > +
>
> > static const AVOption options[] = {
>
> > TLS_COMMON_OPTIONS(TLSContext, tls_shared),
>
> > { NULL }
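Review bot: `tls_get_file_handle` passes `c->tls_shared.tcp` straight to `ffurl_get_file_handle`; if the callback can be reached before the underlying tcp context is opened or after `tls_close` has released it (I cannot tell from this hunk whether the generic layer rules that out), that is a NULL dereference, and a guard `if (!c->tls_shared.tcp) return -1;` costs nothing. The function also deserves a one-line comment that the descriptor it returns belongs to the plaintext TCP socket underneath the TLS session, so callers may use it for identification or polling but must never read from or write to it directly. The identical function in the tls_openssl.c hunk (and, per the diffstat, the schannel and securetransport copies) has the same two points.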
>
> > @@ -253,6 +259,7 @@ const URLProtocol ff_tls_gnutls_protocol = {
>
> > .url_read = tls_read,
>
> > .url_write = tls_write,
>
> > .url_close = tls_close,
>
> > + .url_get_file_handle = tls_get_file_handle,
>
> > .priv_data_size = sizeof(TLSContext),
>
> > .flags = URL_PROTOCOL_FLAG_NETWORK,
>
> > .priv_data_class = &tls_class,
>
>
>
> > diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
>
> > index 46eb3e6..1455392 100644
>
> > --- a/libavformat/tls_openssl.c
>
> > +++ b/libavformat/tls_openssl.c
>
> > @@ -283,6 +283,12 @@ static int tls_write(URLContext *h, const uint8_t
> *buf, int size)
>
> > return print_tls_error(h, ret);
>
> > }
>
> >
>
> > +static int tls_get_file_handle(URLContext *h)
>
> > +{
>
> > + TLSContext *c = h->priv_data;
>
> > + return ffurl_get_file_handle(c->tls_shared.tcp);
>
> > +}
>
>
>
> the get_file_handle extensions should be in a separate patch than
>
> the rtsp changes
>
>
>
> also is it safe for all to use the input file handle that way ?
>
> for example if one used a fifo the input state would not match the
>
> relevant output necessarily
>
>
>
> [...]
>
> --
>
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
>
>
> Let us carefully observe those good qualities wherein our enemies excel us
>
> and endeavor to excel them, by avoiding what is faulty, and imitating what
>
> is excellent in them. -- Plutarch
>
>
>