
[FFmpeg-devel] Secure RTSP

Message ID CAGO8X80zOrRWAiDxXKRwTEUFOsii5nYf0re=rwofF7g7Vty_Ww@mail.gmail.com
State Superseded

Commit Message

Jay Sept. 24, 2016, 2:20 p.m. UTC
Hi. I am working on a project that requires RTSP over TLS with cafile
support. I patched 3.1.3 to work with openssl. If this is something of
interest, I am happy to finish out the patch - please advise if a different
approach is preferred.

Thank you.
Jay Ridgeway

diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/tls_openssl.c
ffmpeg-3.1.3_patched/libavformat/tls_openssl.c
--- ffmpeg-3.1.3/libavformat/tls_openssl.c	2016-06-26 19:54:30.000000000 -0400
+++ ffmpeg-3.1.3_patched/libavformat/tls_openssl.c	2016-09-23
11:38:19.000000000 -0400
@@ -283,6 +283,12 @@
     return print_tls_error(h, ret);
 }

+static int tls_get_file_handle(URLContext *h)
+{
+    TLSContext *c = h->priv_data;
+    return ffurl_get_file_handle(c->tls_shared.tcp);
+}
+
 static const AVOption options[] = {
     TLS_COMMON_OPTIONS(TLSContext, tls_shared),
     { NULL }
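Review bot: tls_get_file_handle hands callers the raw TCP descriptor underneath the TLS session, and nothing in the hunk says what that descriptor may be used for. A comment above the function would help, for example `/* Underlying TCP socket, for getpeername()/poll() only; reading or writing on it bypasses the TLS layer. */`. Callers that poll this descriptor also deserve a check: OpenSSL can hold already-decrypted bytes in its own buffer, so readiness of the socket presumably does not always match readiness of tls_read.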
@@ -301,6 +307,7 @@
     .url_read       = tls_read,
     .url_write      = tls_write,
     .url_close      = tls_close,
+    .url_get_file_handle = tls_get_file_handle,
     .priv_data_size = sizeof(TLSContext),
     .flags          = URL_PROTOCOL_FLAG_NETWORK,
     .priv_data_class = &tls_class,

Comments

Carl Eugen Hoyos Sept. 24, 2016, 3:30 p.m. UTC | #1
2016-09-24 16:20 GMT+02:00 Jay <jayridge@gmail.com>:
> Hi. I am working on a project that requires RTSP over TLS with cafile
> support. I patched 3.1.3 to work with openssl. If this is something of

Can't this also work with the various other ssl implementations in
FFmpeg?

> interest, I am happy to finish out the patch

Patches are always welcome here (even if they do not get applied
for one reason or another), please remember that only patches
that apply to current git head are useful.

Thank you, Carl Eugen
Jay Sept. 24, 2016, 7:07 p.m. UTC | #2
This approach should work with the other SSL implementations. They need to
provide an implementation of `ffurl_get_file_handle` for getpeername. I
will submit a patch according to the instructions I found here (
https://www.ffmpeg.org/developer.html#Submitting-patches-1 ).

On Sat, Sep 24, 2016 at 11:30 AM Carl Eugen Hoyos <ceffmpeg@gmail.com>
wrote:

> 2016-09-24 16:20 GMT+02:00 Jay <jayridge@gmail.com>:
> > Hi. I am working on a project that requires RTSP over TLS with cafile
> > support. I patched 3.1.3 to work with openssl. If this is something of
>
> Can't this also work with the various other ssl implementations in
> FFmpeg?
>
> > interest, I am happy to finish out the patch
>
> Patches are always welcome here (even if they do not get applied
> for one reason or another), please remember that only patches
> that apply to current git head are useful.
>
> Thank you, Carl Eugen
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

Patch

diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/rtsp.c
ffmpeg-3.1.3_patched/libavformat/rtsp.c
--- ffmpeg-3.1.3/libavformat/rtsp.c	2016-06-26 19:54:30.000000000 -0400
+++ ffmpeg-3.1.3_patched/libavformat/rtsp.c	2016-09-23 11:36:51.000000000 -0400
@@ -97,6 +97,8 @@ 
     { "stimeout", "set timeout (in microseconds) of socket TCP I/O
operations", OFFSET(stimeout), AV_OPT_TYPE_INT, {.i64 = 0}, INT_MIN,
INT_MAX, DEC },
     COMMON_OPTS(),
     { "user-agent", "override User-Agent header", OFFSET(user_agent),
AV_OPT_TYPE_STRING, {.str = LIBAVFORMAT_IDENT}, 0, 0, DEC },
+    { "ca_file", "Certificate Authority database file",
OFFSET(ca_file), AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC },
+    { "tls_verify", "Verify the peer certificate", OFFSET(verify),
AV_OPT_TYPE_INT, {.i64 = 0}, 0, 1, DEC|ENC},
     { NULL },
 };
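Review bot: The added `tls_verify` option defaults to 0, so an RTSP-over-TLS session accepts any server certificate unless the user opts in. As far as these hunks show, setting `ca_file` alone still sends `verify=0`. The help string should state this, e.g. `"Verify the peer certificate (off by default; set to 1 together with ca_file)"`, or the default could follow whether `ca_file` is set. Because the range is 0..1, `AV_OPT_TYPE_BOOL` would describe the option better than `AV_OPT_TYPE_INT`, if the target branch provides it.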

@@ -1803,9 +1805,25 @@ 
     } else {
         int ret;
         /* open the tcp connection */
-        ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
-                    host, port,
-                    "?timeout=%d", rt->stimeout);
+        if (strncmp("tls", lower_rtsp_proto, 3) == 0) {
+            if (rt->ca_file != NULL) {
+                ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
+                            host, port,
+                            "?timeout=%d&verify=%d&cafile=%s",
+                            rt->stimeout, rt->verify, rt->ca_file);
+            } else {
+                ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
+                                host, port,
+                                "?timeout=%d&verify=%d",
+                                rt->stimeout, rt->verify);
+            }
+        } else {
+            ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
+                        host, port,
+                        "?timeout=%d", rt->stimeout);
+        }
+        av_log(NULL, AV_LOG_INFO, "tcpname='%s'\n", tcpname);
+
         if ((ret = ffurl_open_whitelist(&rt->rtsp_hd, tcpname,
AVIO_FLAG_READ_WRITE,
                        &s->interrupt_callback, NULL,
s->protocol_whitelist, s->protocol_blacklist, NULL)) < 0) {
             err = ret;
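Review bot: `rt->ca_file` is pasted unescaped into the query string at `"?timeout=%d&verify=%d&cafile=%s"`, so a path containing `&`, `?` or `#` would be cut short or read as extra options by whatever parses the URL, and a long path can be silently truncated by the fixed-size `tcpname`. The `options` argument of `ffurl_open_whitelist` is passed as NULL here; passing the TLS settings as an AVDictionary avoids both problems and removes the three near-identical `ff_url_join` calls. The added `av_log(NULL, AV_LOG_INFO, ...)` looks like leftover debugging: it has no logging context and prints the full connection URL on every open, so it should be dropped or become `av_log(s, AV_LOG_DEBUG, ...)`. The enclosing function starts and ends outside the hunk, so the sketch below assumes nothing else relies on the TLS parameters being present in `tcpname`.

```c
        int ret;
        AVDictionary *tls_opts = NULL;
        /* open the tcp connection */
        ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL,
                    host, port,
                    "?timeout=%d", rt->stimeout);
        if (strncmp("tls", lower_rtsp_proto, 3) == 0) {
            /* passed as options, not URL text, so the path is never re-parsed */
            av_dict_set_int(&tls_opts, "tls_verify", rt->verify, 0);
            if (rt->ca_file)
                av_dict_set(&tls_opts, "ca_file", rt->ca_file, 0);
        }
        ret = ffurl_open_whitelist(&rt->rtsp_hd, tcpname, AVIO_FLAG_READ_WRITE,
                                   &s->interrupt_callback, &tls_opts,
                                   s->protocol_whitelist, s->protocol_blacklist, NULL);
        av_dict_free(&tls_opts);
        if (ret < 0) {
            /* … unchanged: err = ret and the rest of the error path … */
```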
diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/rtsp.h
ffmpeg-3.1.3_patched/libavformat/rtsp.h
--- ffmpeg-3.1.3/libavformat/rtsp.h	2016-06-26 19:54:30.000000000 -0400
+++ ffmpeg-3.1.3_patched/libavformat/rtsp.h	2016-09-22 17:04:48.000000000 -0400
@@ -408,6 +408,9 @@ 

     char default_lang[4];
     int buffer_size;
+
+    char *ca_file;
+    int verify;
 } RTSPState;

 #define RTSP_FLAG_FILTER_SRC  0x1    /**< Filter incoming UDP packets -