From patchwork Sat Sep 24 14:20:03 2016
X-Patchwork-Submitter: Jay
X-Patchwork-Id: 702
From: Jay
Date: Sat, 24 Sep 2016 14:20:03 +0000
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] Secure RTSP

Hi.

I am working on a project that requires RTSP over TLS with cafile support. I patched 3.1.3 to work with openssl. If this is something of interest, I am happy to finish out the patch - please advise if a different approach is preferred.

Thank you.

Jay Ridgeway

diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/tls_openssl.c ffmpeg-3.1.3_patched/libavformat/tls_openssl.c --- ffmpeg-3.1.3/libavformat/tls_openssl.c 2016-06-26 19:54:30.000000000 -0400 +++ ffmpeg-3.1.3_patched/libavformat/tls_openssl.c 2016-09-23 11:38:19.000000000 -0400 @@ -283,6 +283,12 @@ return print_tls_error(h, ret); } +static int tls_get_file_handle(URLContext *h) +{ + TLSContext *c = h->priv_data; + return ffurl_get_file_handle(c->tls_shared.tcp); +} + static const AVOption options[] = { TLS_COMMON_OPTIONS(TLSContext, tls_shared), { NULL } @@ -301,6 +307,7 @@ .url_read = tls_read, .url_write = tls_write, .url_close = tls_close, + .url_get_file_handle = tls_get_file_handle, .priv_data_size = sizeof(TLSContext), .flags = URL_PROTOCOL_FLAG_NETWORK, .priv_data_class = &tls_class, diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/rtsp.c ffmpeg-3.1.3_patched/libavformat/rtsp.c --- ffmpeg-3.1.3/libavformat/rtsp.c 2016-06-26 19:54:30.000000000 -0400 +++ ffmpeg-3.1.3_patched/libavformat/rtsp.c 2016-09-23 11:36:51.000000000 -0400 
@@ -97,6 +97,8 @@ { "stimeout", "set timeout (in microseconds) of socket TCP I/O operations", OFFSET(stimeout), AV_OPT_TYPE_INT, {.i64 = 0}, INT_MIN, INT_MAX, DEC }, COMMON_OPTS(), { "user-agent", "override User-Agent header", OFFSET(user_agent), AV_OPT_TYPE_STRING, {.str = LIBAVFORMAT_IDENT}, 0, 0, DEC }, + { "ca_file", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, DEC|ENC }, + { "tls_verify", "Verify the peer certificate", OFFSET(verify), AV_OPT_TYPE_INT, {.i64 = 0}, 0, 1, DEC|ENC}, { NULL }, }; @@ -1803,9 +1805,25 @@ } else { int ret; /* open the tcp connection */ - ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL, - host, port, - "?timeout=%d", rt->stimeout); + if (strncmp("tls", lower_rtsp_proto, 3) == 0) { + if (rt->ca_file != NULL) { + ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL, + host, port, + "?timeout=%d&verify=%d&cafile=%s", + rt->stimeout, rt->verify, rt->ca_file); + } else { + ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL, + host, port, + "?timeout=%d&verify=%d", + rt->stimeout, rt->verify); + } + } else { + ff_url_join(tcpname, sizeof(tcpname), lower_rtsp_proto, NULL, + host, port, + "?timeout=%d", rt->stimeout); + } + av_log(NULL, AV_LOG_INFO, "tcpname='%s'\n", tcpname); + if ((ret = ffurl_open_whitelist(&rt->rtsp_hd, tcpname, AVIO_FLAG_READ_WRITE, &s->interrupt_callback, NULL, s->protocol_whitelist, s->protocol_blacklist, NULL)) < 0) { err = ret; diff -x '*.[oda]' -Naur ffmpeg-3.1.3/libavformat/rtsp.h ffmpeg-3.1.3_patched/libavformat/rtsp.h --- ffmpeg-3.1.3/libavformat/rtsp.h 2016-06-26 19:54:30.000000000 -0400 +++ ffmpeg-3.1.3_patched/libavformat/rtsp.h 2016-09-22 17:04:48.000000000 -0400 @@ -408,6 +408,9 @@ char default_lang[4]; int buffer_size; + + char *ca_file; + int verify; } RTSPState; #define RTSP_FLAG_FILTER_SRC 0x1 /**< Filter incoming UDP packets -
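Review bot: In libavformat/tls_openssl.c (@@ -283,6 +283,12 @@ and @@ -301,6 +307,7 @@), `tls_get_file_handle` is added and registered only for the OpenSSL backend, so RTSP over TLS would behave differently depending on which TLS library the build uses. The function only forwards to `ffurl_get_file_handle(c->tls_shared.tcp)`, which lives in the shared TLS state, so any other TLS backend that is meant to be supported should get the same callback in the same patch. Please also say in the commit message why RTSP needs the descriptor, and note that a caller polling it sees readiness of the TCP socket, not data the TLS layer has already buffered.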
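Review bot: In the libavformat/rtsp.c option table (@@ -97,6 +97,8 @@), `tls_verify` defaults to 0 (`{.i64 = 0}`), so a user who sets only `ca_file` still ends up with `verify=0` in the URL built in the next hunk, next to the `cafile=` they supplied. Either make a non-NULL `ca_file` imply verification, or document in the option help that `ca_file` has to be combined with `tls_verify=1`. The option names also differ from the `cafile` and `verify` keys they are mapped to, which is worth aligning or explaining.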
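Review bot: In the libavformat/rtsp.c connection hunk (@@ -1803,9 +1805,25 @@), `rt->ca_file` is pasted into the query string with `"?timeout=%d&verify=%d&cafile=%s"` without any escaping, so a path containing `&` or `?` would be split and parsed as additional URL options, and a long path can be cut off at `sizeof(tcpname)`. Passing the values through the options dictionary argument of `ffurl_open_whitelist` (the `NULL` right after `&s->interrupt_callback` in this call) avoids both problems and removes the need for the three near-identical `ff_url_join` branches. The added `av_log(NULL, AV_LOG_INFO, "tcpname='%s'\n", tcpname);` looks like leftover debugging: it logs with a NULL context at INFO level on every connect and should be dropped or changed to `av_log(s, AV_LOG_DEBUG, ...)`.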