Thank you for the feedback. I have been trying to get RTSPS cert validation incorporated for several weeks. I would greatly appreciate someone on the core team helping me guide this to completion. Please find your questions answered below.
> the get_file_handle extensions should be in a spererate patch than > the rtsp changes I am process agnostic, but the RTSP changes are dependent on the TLS changes. There is a check for peer addr in RTSP that is based on the file descriptor. > also is it safe for all to use the input file handle that way ? > for example if one used a fifo the input state would not match the > relevant output neccessarily I do not think the peer addr check is necessary. My goal is a minimal patch, making RTSPS work with basic TLS options. Ideally, RTSPS would work with `rtsp://` scheme by recognizing TLS negotiation. I view this patch as an initial step. Thank you. Jay On Sat, Oct 15, 2016 at 3:04 PM Michael Niedermayer <mich...@niedermayer.cc> wrote: > On Sat, Oct 01, 2016 at 04:20:39PM -0400, jayri...@gmail.com wrote: > > > From: Jay Ridgeway <jayri...@gmail.com> > > > > > > > > > This patch enables TLS args for RTSPS. This is necessary for client > > > certificates and cert validation. > > > > > > Squash changes from feedback into one patch. > > > > > > --- > > > libavformat/rtsp.c | 19 ++++++++++++++++--- > > > libavformat/rtsp.h | 8 ++++++++ > > > libavformat/tls_gnutls.c | 7 +++++++ > > > libavformat/tls_openssl.c | 7 +++++++ > > > libavformat/tls_schannel.c | 7 +++++++ > > > libavformat/tls_securetransport.c | 7 +++++++ > > > 6 files changed, 52 insertions(+), 3 deletions(-) > > > > > > diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c > > > index c6292c5..53ecb6c 100644 > > > --- a/libavformat/rtsp.c > > > +++ b/libavformat/rtsp.c 
> > > @@ -78,6 +78,7 @@ > > > { "reorder_queue_size", "set number of packets to buffer for > handling of reordered packets", OFFSET(reordering_queue_size), > AV_OPT_TYPE_INT, { .i64 = -1 }, -1, INT_MAX, DEC }, \ > > > { "buffer_size", "Underlying protocol send/receive buffer > size", OFFSET(buffer_size), AV_OPT_TYPE_INT, { > .i64 = -1 }, -1, INT_MAX, DEC|ENC } \ > > > > > > +#define NONNULLSTR(s) (s ? s : "") > > > > > > const AVOption ff_rtsp_options[] = { > > > { "initial_pause", "do not start playing the stream immediately", > OFFSET(initial_pause), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DEC }, > > > @@ -97,6 +98,10 @@ const AVOption ff_rtsp_options[] = { > > > { "stimeout", "set timeout (in microseconds) of socket TCP I/O > operations", OFFSET(stimeout), AV_OPT_TYPE_INT, {.i64 = 0}, INT_MIN, > INT_MAX, DEC }, > > > COMMON_OPTS(), > > > { "user-agent", "override User-Agent header", OFFSET(user_agent), > AV_OPT_TYPE_STRING, {.str = LIBAVFORMAT_IDENT}, 0, 0, DEC }, > > > + { "ca_file", "Certificate Authority database file", > OFFSET(ca_file), AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC }, > > > + { "tls_verify", "verify the peer certificate", OFFSET(verify), > AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DEC|ENC}, > > > + { "cert_file", "certificate file", OFFSET(cert_file), > AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC }, > > > + { "key_file", "private key file", OFFSET(key_file), > AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC }, > > > { NULL }, > > > }; 
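Review bot: `NONNULLSTR` does not parenthesize its argument, so an expression passed to it would bind to the `?:` operator unexpectedly; write it as `#define NONNULLSTR(s) ((s) ? (s) : "")`. It exists only to paper over unset option strings while formatting them into a URL, which the `@@ -1812` hunk in this same file depends on; if that hunk stops putting paths into the URL text the macro is no longer needed.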
> > > > > > @@ -1812,9 +1817,17 @@ redirect: > > > } else { > > > int ret; > > > /* open the tcp connection */ > > > - ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL, > > > - host, port, > > > - "?timeout=%d", rt->stimeout); > > > + if (strcmp("tls", lower_rtsp_proto) == 0) { > > > + ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, > NULL, > > > + host, port, > > > + > "?timeout=%d&verify=%d&cafile=%s&cert_file=%s&key_file=%s", > > > + rt->stimeout, rt->verify, > NONNULLSTR(rt->ca_file), > > > + NONNULLSTR(rt->cert_file), > NONNULLSTR(rt->key_file)); > > > + } else { > > > + ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, > NULL, > > > + host, port, > > > + "?timeout=%d", rt->stimeout); > > > + } > > > if ((ret = ffurl_open_whitelist(&rt->rtsp_hd, tcpname, > AVIO_FLAG_READ_WRITE, > > > &s->interrupt_callback, NULL, > s->protocol_whitelist, s->protocol_blacklist, NULL)) < 0) { > > > err = ret; > > > diff --git a/libavformat/rtsp.h b/libavformat/rtsp.h > > > index 852fd67..fa872a8 100644 > > > --- a/libavformat/rtsp.h > > > +++ b/libavformat/rtsp.h > > > @@ -408,6 +408,14 @@ typedef struct RTSPState { > > > > > > char default_lang[4]; > > > int buffer_size; > > > + > > > + /** The following are used for RTSPS streams */ > > > + //@{ > > > + char *ca_file; > > > + int verify; > > > + char *cert_file; > > > + char *key_file; > > > + //@} > > > } RTSPState; > > > > > > #define RTSP_FLAG_FILTER_SRC 0x1 /**< Filter incoming UDP packets - > > > diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c > > > index 991b36b..ecc80bf 100644 > > > --- a/libavformat/tls_gnutls.c > > > +++ b/libavformat/tls_gnutls.c 
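Review bot: The `tls` branch interpolates `ca_file`, `cert_file` and `key_file` into the query string with bare `%s`, so a path containing `&`, `=` or `?` is split into extra parameters when the tls protocol parses its options, and an over-long path is silently cut off because the return value of `ff_url_join` is never compared against `sizeof(tcpname)` (tcpname's declaration is outside the hunk). `ffurl_open_whitelist` already accepts an options dictionary — the `NULL` right after `&s->interrupt_callback` — so the cleaner fix is to pass the TLS settings as an `AVDictionary` and keep the URL at `?timeout=%d` for both protocols. That also makes `NONNULLSTR` unnecessary, since unset strings are simply not added to the dictionary. The enclosing function continues outside the hunk.
```c
        int ret;
        AVDictionary *opts = NULL;
        /* open the tcp connection */
        ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
                    host, port,
                    "?timeout=%d", rt->stimeout);
        if (strcmp("tls", lower_rtsp_proto) == 0) {
            /* TLS settings travel as options rather than URL text, so
             * paths containing '&', '=' or '?' and long paths arrive intact. */
            av_dict_set_int(&opts, "verify", rt->verify, 0);
            if (rt->ca_file)
                av_dict_set(&opts, "cafile", rt->ca_file, 0);
            if (rt->cert_file)
                av_dict_set(&opts, "cert_file", rt->cert_file, 0);
            if (rt->key_file)
                av_dict_set(&opts, "key_file", rt->key_file, 0);
        }
        ret = ffurl_open_whitelist(&rt->rtsp_hd, tcpname, AVIO_FLAG_READ_WRITE,
                                   &s->interrupt_callback, &opts,
                                   s->protocol_whitelist, s->protocol_blacklist, NULL);
        av_dict_free(&opts);
        if (ret < 0) {
            err = ret;
            /* … unchanged: error path … */
```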
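Review bot: The four new `RTSPState` fields are documented only as a group ("used for RTSPS streams"); each should name the option that sets it, because `verify` is exposed as `tls_verify` while the other three keep their option names, e.g. `int verify; /**< tls_verify option: check the peer certificate; off unless set */`. If the strings are owned and freed by the option system together with the context, saying so on the group comment would spare the next reader from looking for a free path — I cannot see one in this hunk, so that needs confirming.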
> > > @@ -235,6 +235,12 @@ static int tls_write(URLContext *h, const uint8_t > *buf, int size) > > > return print_tls_error(h, ret); > > > } > > > > > > +static int tls_get_file_handle(URLContext *h) > > > +{ > > > + TLSContext *c = h->priv_data; > > > + return ffurl_get_file_handle(c->tls_shared.tcp); > > > +} > > > + > > > static const AVOption options[] = { > > > TLS_COMMON_OPTIONS(TLSContext, tls_shared), > > > { NULL } > > > @@ -253,6 +259,7 @@ const URLProtocol ff_tls_gnutls_protocol = { > > > .url_read = tls_read, > > > .url_write = tls_write, > > > .url_close = tls_close, > > > + .url_get_file_handle = tls_get_file_handle, > > > .priv_data_size = sizeof(TLSContext), > > > .flags = URL_PROTOCOL_FLAG_NETWORK, > > > .priv_data_class = &tls_class, > > > > > diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c > > > index 46eb3e6..1455392 100644 > > > --- a/libavformat/tls_openssl.c > > > +++ b/libavformat/tls_openssl.c 
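Review bot: `tls_get_file_handle` exposes the raw TCP socket underneath the TLS session with nothing stating what it may be used for; any caller that reads or writes on that descriptor bypasses encryption and corrupts the record stream, so the function should carry a comment such as `/* Returns the underlying TCP socket for polling and peer lookup only; never read or write it directly — all I/O goes through tls_read/tls_write. */`. If `c->tls_shared.tcp` can still be NULL when this is called (before open completes or after close), guard it with `if (!c->tls_shared.tcp) return -1;` instead of passing NULL to `ffurl_get_file_handle`. The identical function in the `tls_openssl.c` hunk below has the same gap, and the diffstat suggests the tls_schannel.c and tls_securetransport.c copies do too.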
> > > @@ -283,6 +283,12 @@ static int tls_write(URLContext *h, const uint8_t > *buf, int size) > > > return print_tls_error(h, ret); > > > } > > > > > > +static int tls_get_file_handle(URLContext *h) > > > +{ > > > + TLSContext *c = h->priv_data; > > > + return ffurl_get_file_handle(c->tls_shared.tcp); > > > +} > > > > the get_file_handle extensions should be in a spererate patch than > > the rtsp changes > > > > also is it safe for all to use the input file handle that way ? > > for example if one used a fifo the input state would not match the > > relevant output neccessarily > > > > [...] > > -- > > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > > > Let us carefully observe those good qualities wherein our enemies excel us > > and endeavor to excel them, by avoiding what is faulty, and imitating what > > is excellent in them. -- Plutarch > > _______________________________________________ > > ffmpeg-devel mailing list > > ffmpeg-devel@ffmpeg.org > > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel