rtmp: add rtmps (tls) support (#195)

alfredh · richaas · commit 6b0e7d296e6b · 2019-04-26T09:09:39.000+02:00
diff --git a/include/re_rtmp.h b/include/re_rtmp.h
@@ -57,6 +57,7 @@ enum rtmp_event_type {
 
 
 /* forward declarations */
+struct tls;
 struct dnsc;
 struct odict;
 struct tcp_sock;
@@ -75,9 +76,11 @@ typedef void (rtmp_command_h)(const struct odict *msg, void *arg);
 typedef void (rtmp_close_h)(int err, void *arg);
 
 int rtmp_connect(struct rtmp_conn **connp, struct dnsc *dnsc, const char *uri,
+		 struct tls *tls,
 		 rtmp_estab_h *estabh, rtmp_command_h *cmdh,
 		 rtmp_close_h *closeh, void *arg);
 int rtmp_accept(struct rtmp_conn **connp, struct tcp_sock *ts,
+		struct tls *tls,
 		rtmp_command_h *cmdh, rtmp_close_h *closeh, void *arg);
 int rtmp_control(const struct rtmp_conn *conn,
 		 enum rtmp_packet_type type, ...);
diff --git a/include/re_tls.h b/include/re_tls.h
@@ -55,6 +55,7 @@ int tls_srtp_keyinfo(const struct tls_conn *tc, enum srtp_suite *suite,
 const char *tls_cipher_name(const struct tls_conn *tc);
 int tls_set_ciphers(struct tls *tls, const char *cipherv[], size_t count);
 int tls_set_servername(struct tls_conn *tc, const char *servername);
+int tls_set_verify_server(struct tls_conn *tc, const char *host);
 
 
 /* TCP */
diff --git a/src/rtmp/conn.c b/src/rtmp/conn.c
@@ -12,6 +12,8 @@
 #include <re_sa.h>
 #include <re_list.h>
 #include <re_tcp.h>
+#include <re_srtp.h>
+#include <re_tls.h>
 #include <re_sys.h>
 #include <re_odict.h>
 #include <re_dns.h>
@@ -38,6 +40,7 @@ static void conn_destructor(void *data)
 	mem_deref(conn->dnsq6);
 	mem_deref(conn->dnsq4);
 	mem_deref(conn->dnsc);
+	mem_deref(conn->sc);
 	mem_deref(conn->tc);
 	mem_deref(conn->mb);
 	mem_deref(conn->dechunk);
@@ -358,6 +361,7 @@ static void conn_close(struct rtmp_conn *conn, int err)
 {
 	rtmp_close_h *closeh;
 
+	conn->sc = mem_deref(conn->sc);
 	conn->tc = mem_deref(conn->tc);
 	conn->dnsq6 = mem_deref(conn->dnsq6);
 	conn->dnsq4 = mem_deref(conn->dnsq4);
@@ -688,13 +692,25 @@ static int req_connect(struct rtmp_conn *conn)
 		conn->last_ack = 0;
 		conn->total_bytes = 0;
 		conn->mb = mem_deref(conn->mb);
+		conn->sc = mem_deref(conn->sc);
 		conn->tc = mem_deref(conn->tc);
 
 		rtmp_dechunker_set_chunksize(conn->dechunk,
 					     RTMP_DEFAULT_CHUNKSIZE);
 
 		err = tcp_connect(&conn->tc, addr, tcp_estab_handler,
 				  tcp_recv_handler, tcp_close_handler, conn);
+
+#ifdef USE_TLS
+		if (conn->tls && !err) {
+			err = tls_start_tcp(&conn->sc, conn->tls,
+					    conn->tc, 0);
+			if (!err)
+				err = tls_set_verify_server(conn->sc,
+							    conn->host);
+		}
+#endif
+
 		if (!err)
 			break;
 	}
@@ -764,6 +780,7 @@ static void query_handler(int err, const struct dnshdr *hdr, struct list *ansl,
  * @param connp  Pointer to allocated RTMP connection object
  * @param dnsc   DNS Client for resolving FQDN uris
  * @param uri    RTMP uri to connect to
+ * @param tls    TLS Context (optional)
  * @param estabh Established handler
  * @param cmdh   Incoming command handler
  * @param closeh Close handler
@@ -777,35 +794,56 @@ static void query_handler(int err, const struct dnshdr *hdr, struct list *ansl,
  *     rtmp://[::1]/vod/mp4:sample.mp4
  */
 int rtmp_connect(struct rtmp_conn **connp, struct dnsc *dnsc, const char *uri,
+		 struct tls *tls,
 		 rtmp_estab_h *estabh, rtmp_command_h *cmdh,
 		 rtmp_close_h *closeh, void *arg)
 {
 	struct rtmp_conn *conn;
+	struct pl pl_scheme;
 	struct pl pl_hostport;
 	struct pl pl_host;
 	struct pl pl_port;
 	struct pl pl_app;
 	struct pl pl_stream;
+	uint16_t defport;
 	int err;
 
 	if (!connp || !uri)
 		return EINVAL;
 
-	if (re_regex(uri, strlen(uri), "rtmp://[^/]+/[^/]+/[^]+",
-		     &pl_hostport, &pl_app, &pl_stream))
+	if (re_regex(uri, strlen(uri), "[a-z]+://[^/]+/[^/]+/[^]+",
+		     &pl_scheme, &pl_hostport, &pl_app, &pl_stream))
 		return EINVAL;
 
+	if (!pl_strcasecmp(&pl_scheme, "rtmp")) {
+		tls     = NULL;
+		defport = RTMP_PORT;
+	}
+#ifdef USE_TLS
+	else if (!pl_strcasecmp(&pl_scheme, "rtmps")) {
+
+		if (!tls)
+			return EINVAL;
+
+		defport = 443;
+	}
+#endif
+	else
+		return ENOTSUP;
+
 	if (uri_decode_hostport(&pl_hostport, &pl_host, &pl_port))
 		return EINVAL;
 
 	conn = rtmp_conn_alloc(true, estabh, cmdh, closeh, arg);
 	if (!conn)
 		return ENOMEM;
 
-	conn->port = pl_isset(&pl_port) ? pl_u32(&pl_port) : RTMP_PORT;
+	conn->port = pl_isset(&pl_port) ? pl_u32(&pl_port) : defport;
+	conn->tls = tls;
 
 	err  = pl_strdup(&conn->app, &pl_app);
 	err |= pl_strdup(&conn->stream, &pl_stream);
+	err |= pl_strdup(&conn->host, &pl_host);
 	err |= str_dup(&conn->uri, uri);
 	if (err)
 		goto out;
@@ -828,10 +866,6 @@ int rtmp_connect(struct rtmp_conn **connp, struct dnsc *dnsc, const char *uri,
 			goto out;
 		}
 
-		err = pl_strdup(&conn->host, &pl_host);
-		if (err)
-			goto out;
-
 		conn->dnsc = mem_ref(dnsc);
 
 		err = dnsc_query(&conn->dnsq4, dnsc, conn->host, DNS_TYPE_A,
@@ -866,13 +900,15 @@ int rtmp_connect(struct rtmp_conn **connp, struct dnsc *dnsc, const char *uri,
  *
  * @param connp  Pointer to allocated RTMP connection object
  * @param ts     TCP socket with pending connection
+ * @param tls    TLS Context (optional)
  * @param cmdh   Incoming command handler
  * @param closeh Close handler
  * @param arg    Handler argument
  *
  * @return 0 if success, otherwise errorcode
  */
 int rtmp_accept(struct rtmp_conn **connp, struct tcp_sock *ts,
+		struct tls *tls,
 		rtmp_command_h *cmdh, rtmp_close_h *closeh, void *arg)
 {
 	struct rtmp_conn *conn;
@@ -890,6 +926,14 @@ int rtmp_accept(struct rtmp_conn **connp, struct tcp_sock *ts,
 	if (err)
 		goto out;
 
+#ifdef USE_TLS
+	if (tls) {
+		err = tls_start_tcp(&conn->sc, tls, conn->tc, 0);
+		if (err)
+			goto out;
+	}
+#endif
+
  out:
 	if (err)
 		mem_deref(conn);
diff --git a/src/rtmp/rtmp.h b/src/rtmp/rtmp.h
@@ -33,6 +33,7 @@ struct rtmp_conn {
 	struct list streaml;
 	struct rtmp_dechunker *dechunk;
 	struct tcp_conn *tc;
+	struct tls_conn *sc;
 	struct mbuf *mb;                        /* TCP reassembly buffer */
 	enum rtmp_handshake_state state;
 	size_t total_bytes;
@@ -53,6 +54,7 @@ struct rtmp_conn {
 	struct dns_query *dnsq6;
 	struct list ctransl;
 	struct sa srvv[16];
+	struct tls *tls;
 	unsigned srvc;
 	uint64_t tid_counter;
 	uint16_t port;
diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
@@ -10,6 +10,7 @@
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <re_types.h>
 #include <re_fmt.h>
 #include <re_mem.h>
@@ -876,6 +877,40 @@ int tls_set_servername(struct tls_conn *tc, const char *servername)
 }
 
 
+/**
+ * Enable verification of server certificate and hostname
+ *
+ * @param tc   TLS Connection
+ * @param host Server hostname
+ *
+ * @return 0 if success, otherwise errorcode
+ */
+int tls_set_verify_server(struct tls_conn *tc, const char *host)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+	!defined(LIBRESSL_VERSION_NUMBER)
+
+	if (!tc || !host)
+		return EINVAL;
+
+	SSL_set_hostflags(tc->ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+	if (!SSL_set1_host(tc->ssl, host)) {
+		ERR_clear_error();
+		return EPROTO;
+	}
+
+	SSL_set_verify(tc->ssl, SSL_VERIFY_PEER, NULL);
+
+	return 0;
+#else
+	(void)tc;
+	(void)host;
+
+	return ENOSYS;
+#endif
+}
+
+
 static int print_error(const char *str, size_t len, void *unused)
 {
 	(void)unused;
