1 /*
2  * TLS/DTLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  * Copyright (c) 2025 Jack Lau
5  *
6  * This file is part of FFmpeg.
7  *
8  * FFmpeg is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public
10  * License as published by the Free Software Foundation; either
11  * version 2.1 of the License, or (at your option) any later version.
12  *
13  * FFmpeg is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public
19  * License along with FFmpeg; if not, write to the Free Software
20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21  */
22 
23 #ifndef AVFORMAT_TLS_H
24 #define AVFORMAT_TLS_H
25 
26 #include "libavutil/bprint.h"
27 #include "libavutil/opt.h"
28 #include "version.h"
29 
30 #include "url.h"
31 
/**
 * Maximum size, in bytes, of the buffers used to hold a certificate or a
 * private key (presumably the bound passed as key_sz / cert_sz to
 * ff_ssl_read_key_cert and ff_ssl_gen_key_cert).
 * NOTE(review): what happens to larger inputs (rejected vs. truncated) is
 * decided in the backends, not here — confirm they check against this limit.
 */
#define MAX_CERTIFICATE_SIZE 8192

/**
 * The DTLS content type.
 * See https://tools.ietf.org/html/rfc2246#section-6.2.1
 * change_cipher_spec(20), alert(21), handshake(22), application_data(23)
 */
#define DTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC 20
/**
 * The DTLS record layer header has a total size of 13 bytes, consisting of
 * ContentType (1 byte), ProtocolVersion (2 bytes), Epoch (2 bytes),
 * SequenceNumber (6 bytes), and Length (2 bytes).
 * See https://datatracker.ietf.org/doc/html/rfc9147#section-4
 * Any code that reads these header fields from a received datagram must
 * first check it has at least this many bytes.
 */
#define DTLS_RECORD_LAYER_HEADER_LEN 13
/**
 * The DTLS version number, which is 0xfeff for DTLS 1.0, or 0xfefd for DTLS 1.2.
 * See https://datatracker.ietf.org/doc/html/rfc9147#name-the-dtls-record-layer
 * Only these two values are defined here; no constant for DTLS 1.3 exists.
 */
#define DTLS_VERSION_10 0xfeff
#define DTLS_VERSION_12 0xfefd
56 
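/**
 * State shared by the TLS/DTLS backends (GnuTLS, OpenSSL).
 *
 * The fields are filled from the AVOptions declared by TLS_COMMON_OPTIONS /
 * FF_TLS_CLIENT_OPTIONS in this header, which is why their names follow the
 * option names. The members numerichost, external_sock, udp and tcp are
 * referenced by the option table and by the backends and belong here.
 */
typedef struct TLSShared {
    const AVClass *class;
    /* Certificate Authority database file ("ca_file" / "cafile" option). */
    char *ca_file;
    /*
     * Whether the peer certificate is verified ("tls_verify" / "verify").
     * Defaults to TLS_VERIFY_DEFAULT, which is 0 (no verification at all)
     * while FF_API_NO_DEFAULT_TLS_VERIFY is enabled; callers that need an
     * authenticated peer must set verify=1 explicitly instead of relying on
     * the build-dependent default.
     */
    int verify;
    /* Our own certificate and private key, given as file name/URL. */
    char *cert_file;
    char *key_file;
    /* Non-zero to accept an incoming connection instead of connecting out. */
    int listen;

    /* Host name to verify the peer certificate against ("verifyhost"). */
    char *host;
    /* HTTP proxy to tunnel through ("http_proxy"). */
    char *http_proxy;

    /*
     * Host of the underlying transport. Fixed-size buffer: whatever fills it
     * must bound the copy to sizeof(underlying_host) (a DNS name may be up to
     * 255 bytes). NOTE(review): the filling code is not in this header —
     * confirm it truncates or rejects rather than overflows.
     */
    char underlying_host[200];
    /* NOTE(review): semantics not visible here; the name suggests the host
     * was given as a numeric address — confirm against tls.c. */
    int numerichost;

    /* Non-zero when the caller supplies the socket ("external_sock"). */
    int external_sock;
    /* Underlying transports; presumably only one is used, chosen by is_dtls. */
    URLContext *udp;
    URLContext *tcp;

    /* Non-zero for DTLS (datagram) rather than TLS (stream). */
    int is_dtls;
    /* Enable the use_srtp DTLS extension ("use_srtp" option). */
    int use_srtp;

    /*
     * PEM text of the certificate and private key used for the DTLS
     * handshake ("cert_pem" / "key_pem" options). key_buf holds secret
     * material; callers should avoid passing it on a command line and
     * should wipe it when the context is done with it.
     */
    char* cert_buf;
    char* key_buf;

    /**
     * The size of RTP packet, should generally be set to MTU.
     * Note that pion requires a smaller value, for example, 1200.
     */
    int mtu;
} TLSShared;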
88 
/* Every TLS option applies to both demuxing and muxing. */
#define TLS_OPTFL (AV_OPT_FLAG_DECODING_PARAM | AV_OPT_FLAG_ENCODING_PARAM)

/*
 * Default for the "tls_verify" / "verify" options. While the
 * FF_API_NO_DEFAULT_TLS_VERIFY compatibility macro (from version.h) is
 * enabled the default is 0: the peer certificate is NOT verified unless the
 * caller sets verify=1. Once that compatibility period ends, verification
 * is on by default. Code that needs an authenticated peer should set the
 * option explicitly rather than depend on which build it runs against.
 */
#if FF_API_NO_DEFAULT_TLS_VERIFY
#define TLS_VERIFY_DEFAULT 0
#else
#define TLS_VERIFY_DEFAULT 1
#endif
96 
/**
 * AVOptions for the client side of a TLS connection, mapped onto the
 * TLSShared member `options_field` of `pstruct`. Each option has a long
 * and a short alias that point at the same field. "verify" defaults to
 * TLS_VERIFY_DEFAULT, which may be 0 (no peer verification) depending on
 * FF_API_NO_DEFAULT_TLS_VERIFY. "verifyhost" supplies the name the peer
 * certificate is checked against; NOTE(review): what is used when it is
 * unset (the URL host, presumably) is decided by the backends, not here.
 */
#define FF_TLS_CLIENT_OPTIONS(pstruct, options_field) \
    {"ca_file", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    {"cafile", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = TLS_VERIFY_DEFAULT }, 0, 1, .flags = TLS_OPTFL }, \
    {"verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = TLS_VERIFY_DEFAULT }, 0, 1, .flags = TLS_OPTFL }, \
    {"cert_file", "Certificate file", offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    {"cert", "Certificate file", offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    {"key_file", "Private key file", offsetof(pstruct, options_field . key_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    {"key", "Private key file", offsetof(pstruct, options_field . key_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    {"verifyhost", "Verify against a specific hostname", offsetof(pstruct, options_field . host), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }
107 
/**
 * AVOptions common to client and server ("listen") mode, followed by the
 * client options from FF_TLS_CLIENT_OPTIONS.
 *
 * NOTE(review): "listen" is declared AV_OPT_TYPE_INT with range 0..1 while
 * "external_sock" and "use_srtp" are AV_OPT_TYPE_BOOL — harmless, but
 * inconsistent. "cert_pem" / "key_pem" take the PEM text itself as the
 * option value; a private key passed this way on a command line is visible
 * to other users through the process list, so prefer "key_file" there.
 * "mtu" 0 presumably leaves the backend default — confirm.
 */
#define TLS_COMMON_OPTIONS(pstruct, options_field) \
    {"listen", "Listen for incoming connections", offsetof(pstruct, options_field . listen), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
    {"http_proxy", "Set proxy to tunnel through", offsetof(pstruct, options_field . http_proxy), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    {"external_sock", "Use external socket", offsetof(pstruct, options_field . external_sock), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
    {"use_srtp", "Enable use_srtp DTLS extension", offsetof(pstruct, options_field . use_srtp), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
    {"mtu", "Maximum Transmission Unit", offsetof(pstruct, options_field . mtu), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, .flags = TLS_OPTFL}, \
    {"cert_pem", "Certificate PEM string", offsetof(pstruct, options_field . cert_buf), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    {"key_pem", "Private key PEM string", offsetof(pstruct, options_field . key_buf), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
    FF_TLS_CLIENT_OPTIONS(pstruct, options_field)
117 
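/**
 * Open the underlying transport for c (the tcp/udp URLContext that carries
 * the TLS/DTLS records), resolving uri relative to parent; options is passed
 * through to the underlying protocol. Failure is presumably reported as a
 * negative AVERROR code (FFmpeg convention — confirm in tls.c).
 */
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options);

/**
 * Read all data from the given URL url and store it in the given buffer bp.
 * NOTE(review): the amount read is presumably bounded only by the size limit
 * bp was initialised with — callers reading from a URL they do not control
 * should initialise bp with an explicit maximum.
 */
int ff_url_read_all(const char *url, AVBPrint *bp);

/**
 * Use a caller-supplied socket sock for the TLS context h instead of letting
 * it open its own ("external_sock" option). NOTE(review): which side owns and
 * closes sock after this call is not visible in this header — confirm.
 */
int ff_tls_set_external_socket(URLContext *h, URLContext *sock);

/**
 * Export the keying material of the DTLS handshake on h (presumably the
 * DTLS-SRTP material of RFC 5764) into dtls_srtp_materials, a buffer of
 * materials_sz bytes. The buffer holds secret material; the caller should
 * wipe it once the SRTP keys have been derived.
 */
int ff_dtls_export_materials(URLContext *h, char *dtls_srtp_materials, size_t materials_sz);

/**
 * Load a private key and certificate from key_url / cert_url into key_buf
 * (key_sz bytes) and cert_buf (cert_sz bytes) and report the certificate
 * fingerprint through *fingerprint. NOTE(review): whether *fingerprint is
 * allocated here and must be freed by the caller is not visible in this
 * header — confirm against the backends.
 */
int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint);

/**
 * Generate a fresh private key and certificate (presumably self-signed, as
 * used for DTLS) into key_buf (key_sz bytes) and cert_buf (cert_sz bytes),
 * reporting the certificate fingerprint through *fingerprint — same
 * ownership caveat as ff_ssl_read_key_cert.
 */
int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint);

/* Backend-wide initialisation / teardown. ff_openssl_init returns an int
 * (presumably an error code); the GnuTLS variant cannot report failure. */
void ff_gnutls_init(void);
void ff_gnutls_deinit(void);

int ff_openssl_init(void);
void ff_openssl_deinit(void);

/**
 * Whether the packet is a DTLS packet, as defined by RFC 5764 Section 5.1.2.
 * That rule classifies the datagram by its first byte, so the implementation
 * must check size >= 1 before reading buf[0].
 */
int ff_is_dtls_packet(const uint8_t *buf, int size);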
140 
141 #endif /* AVFORMAT_TLS_H */