[FFmpeg-devel] [PATCH] RTSP: pass TLS args for RTSPS

Jay jayridge at gmail.com
Sat Oct 15 23:31:23 EEST 2016 

Thank you for the feedback. I have been trying to get RTSPS cert validation
incorporated for several weeks. I would greatly appreciate someone on the
core team helping me guide this to completion. Please find your questions
answered below.

> the get_file_handle extensions should be in a spererate patch than
> the rtsp changes

I am process agnostic, but the RTSP changes are dependent on the TLS
changes. There is a check for peer addr in RTSP that is based on the file
descriptor.

> also is it safe for all to use the input file handle that way ?
> for example if one used a fifo the input state would not match the
> relevant output neccessarily

I do not think the peer addr check is necessary. My goal is a minimal
patch, making RTSPS work with basic TLS options.

Ideally, RTSPS would work with `rtsp://` scheme by recognizing TLS
negotiation. I view this patch as an initial step.

Thank you.
Jay

On Sat, Oct 15, 2016 at 3:04 PM Michael Niedermayer <michael at niedermayer.cc>
wrote:

> On Sat, Oct 01, 2016 at 04:20:39PM -0400, jayridge at gmail.com wrote:
>
> > From: Jay Ridgeway <jayridge at gmail.com>
>
> >
>
> >
>
> > This patch enables TLS args for RTSPS. This is necessary for client
>
> > certificates and cert validation.
>
> >
>
> > Squash changes from feedback into one patch.
>
> >
>
> > ---
>
> >  libavformat/rtsp.c                | 19 ++++++++++++++++---
>
> >  libavformat/rtsp.h                |  8 ++++++++
>
> >  libavformat/tls_gnutls.c          |  7 +++++++
>
> >  libavformat/tls_openssl.c         |  7 +++++++
>
> >  libavformat/tls_schannel.c        |  7 +++++++
>
> >  libavformat/tls_securetransport.c |  7 +++++++
>
> >  6 files changed, 52 insertions(+), 3 deletions(-)
>
> >
>
> > diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
>
> > index c6292c5..53ecb6c 100644
>
> > --- a/libavformat/rtsp.c
>
> > +++ b/libavformat/rtsp.c
>
> > @@ -78,6 +78,7 @@
>
> >      { "reorder_queue_size", "set number of packets to buffer for
> handling of reordered packets", OFFSET(reordering_queue_size),
> AV_OPT_TYPE_INT, { .i64 = -1 }, -1, INT_MAX, DEC }, \
>
> >      { "buffer_size",        "Underlying protocol send/receive buffer
> size",                  OFFSET(buffer_size),           AV_OPT_TYPE_INT, {
> .i64 = -1 }, -1, INT_MAX, DEC|ENC } \
>
> >
>
> > +#define NONNULLSTR(s) (s ? s : "")
>
> >
>
> >  const AVOption ff_rtsp_options[] = {
>
> >      { "initial_pause",  "do not start playing the stream immediately",
> OFFSET(initial_pause), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DEC },
>
> > @@ -97,6 +98,10 @@ const AVOption ff_rtsp_options[] = {
>
> >      { "stimeout", "set timeout (in microseconds) of socket TCP I/O
> operations", OFFSET(stimeout), AV_OPT_TYPE_INT, {.i64 = 0}, INT_MIN,
> INT_MAX, DEC },
>
> >      COMMON_OPTS(),
>
> >      { "user-agent", "override User-Agent header", OFFSET(user_agent),
> AV_OPT_TYPE_STRING, {.str = LIBAVFORMAT_IDENT}, 0, 0, DEC },
>
> > +    { "ca_file", "Certificate Authority database file",
> OFFSET(ca_file), AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC },
>
> > +    { "tls_verify", "verify the peer certificate", OFFSET(verify),
> AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DEC|ENC},
>
> > +    { "cert_file", "certificate file", OFFSET(cert_file),
> AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC },
>
> > +    { "key_file", "private key file", OFFSET(key_file),
> AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC },
>
> >      { NULL },
>
> >  };
>
> >
>
> > @@ -1812,9 +1817,17 @@ redirect:
>
> >      } else {
>
> >          int ret;
>
> >          /* open the tcp connection */
>
> > -        ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
>
> > -                    host, port,
>
> > -                    "?timeout=%d", rt->stimeout);
>
> > +        if (strcmp("tls", lower_rtsp_proto) == 0) {
>
> > +            ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto,
> NULL,
>
> > +                        host, port,
>
> > +
> "?timeout=%d&verify=%d&cafile=%s&cert_file=%s&key_file=%s",
>
> > +                        rt->stimeout, rt->verify,
> NONNULLSTR(rt->ca_file),
>
> > +                        NONNULLSTR(rt->cert_file),
> NONNULLSTR(rt->key_file));
>
> > +        } else {
>
> > +            ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto,
> NULL,
>
> > +                        host, port,
>
> > +                        "?timeout=%d", rt->stimeout);
>
> > +        }
>
> >          if ((ret = ffurl_open_whitelist(&rt->rtsp_hd, tcpname,
> AVIO_FLAG_READ_WRITE,
>
> >                         &s->interrupt_callback, NULL,
> s->protocol_whitelist, s->protocol_blacklist, NULL)) < 0) {
>
> >              err = ret;
>
> > diff --git a/libavformat/rtsp.h b/libavformat/rtsp.h
>
> > index 852fd67..fa872a8 100644
>
> > --- a/libavformat/rtsp.h
>
> > +++ b/libavformat/rtsp.h
>
> > @@ -408,6 +408,14 @@ typedef struct RTSPState {
>
> >
>
> >      char default_lang[4];
>
> >      int buffer_size;
>
> > +
>
> > +    /** The following are used for RTSPS streams */
>
> > +    //@{
>
> > +    char *ca_file;
>
> > +    int verify;
>
> > +    char *cert_file;
>
> > +    char *key_file;
>
> > +    //@}
>
> >  } RTSPState;
>
> >
>
> >  #define RTSP_FLAG_FILTER_SRC  0x1    /**< Filter incoming UDP packets -
>
> > diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c
>
> > index 991b36b..ecc80bf 100644
>
> > --- a/libavformat/tls_gnutls.c
>
> > +++ b/libavformat/tls_gnutls.c
>
> > @@ -235,6 +235,12 @@ static int tls_write(URLContext *h, const uint8_t
> *buf, int size)
>
> >      return print_tls_error(h, ret);
>
> >  }
>
> >
>
> > +static int tls_get_file_handle(URLContext *h)
>
> > +{
>
> > +    TLSContext *c = h->priv_data;
>
> > +    return ffurl_get_file_handle(c->tls_shared.tcp);
>
> > +}
>
> > +
>
> >  static const AVOption options[] = {
>
> >      TLS_COMMON_OPTIONS(TLSContext, tls_shared),
>
> >      { NULL }
>
> > @@ -253,6 +259,7 @@ const URLProtocol ff_tls_gnutls_protocol = {
>
> >      .url_read       = tls_read,
>
> >      .url_write      = tls_write,
>
> >      .url_close      = tls_close,
>
> > +    .url_get_file_handle = tls_get_file_handle,
>
> >      .priv_data_size = sizeof(TLSContext),
>
> >      .flags          = URL_PROTOCOL_FLAG_NETWORK,
>
> >      .priv_data_class = &tls_class,
>
>
>
> > diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
>
> > index 46eb3e6..1455392 100644
>
> > --- a/libavformat/tls_openssl.c
>
> > +++ b/libavformat/tls_openssl.c
>
> > @@ -283,6 +283,12 @@ static int tls_write(URLContext *h, const uint8_t
> *buf, int size)
>
> >      return print_tls_error(h, ret);
>
> >  }
>
> >
>
> > +static int tls_get_file_handle(URLContext *h)
>
> > +{
>
> > +    TLSContext *c = h->priv_data;
>
> > +    return ffurl_get_file_handle(c->tls_shared.tcp);
>
> > +}
>
>
>
> the get_file_handle extensions should be in a spererate patch than
>
> the rtsp changes
>
>
>
> also is it safe for all to use the input file handle that way ?
>
> for example if one used a fifo the input state would not match the
>
> relevant output neccessarily
>
>
>
> [...]
>
> --
>
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
>
>
> Let us carefully observe those good qualities wherein our enemies excel us
>
> and endeavor to excel them, by avoiding what is faulty, and imitating what
>
> is excellent in them. -- Plutarch
>
> _______________________________________________
>
> ffmpeg-devel mailing list
>
> ffmpeg-devel at ffmpeg.org
>
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
>

More information about the ffmpeg-devel mailing list