From 5da9f6231337b75da34baac8c70f2c511958c2b8 Mon Sep 17 00:00:00 2001 From: Nirbheek Chauhan Date: Wed, 25 May 2022 18:40:30 +0530 Subject: [PATCH] rtsp+rtmp: Forward warning added to tls-validation-flags to our users With the 2.72 release, glib-networking developers have decided that TLS certificate validation cannot be implemented correctly by them, so they've deprecated it. In a nutshell: a cert can have several validation errors, but there are no guarantees that the TLS backend will return all those errors, and things are made even more complicated by the fact that the list of errors might refer to certs that are added for backwards-compat and won't actually be used by the TLS library. Our best option is to ignore the deprecation and pass the warning onto users so they can make an appropriate security decision regarding this. We can't deprecate the tls-validation-flags property because it is very useful when connecting to RTSP cameras that will never get updates to fix certificate errors. Relevant upstream merge requests / issues: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2214 https://gitlab.gnome.org/GNOME/glib-networking/-/issues/179 https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/193 Part-of: --- .../gst/rtmp2/gstrtmp2locationhandler.c | 16 +++++++++++++ .../gst/rtmp2/rtmp/rtmpclient.c | 2 ++ .../gst-libs/gst/rtsp/gstrtspconnection.c | 24 ++++++++++++++++++- .../gst-plugins-good/gst/rtsp/gstrtspsrc.c | 10 ++++++++ .../gst/rtsp-sink/gstrtspclientsink.c | 10 ++++++++ 5 files changed, 61 insertions(+), 1 deletion(-) diff --git a/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c b/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c index 2e421c8e97..67df9a6b18 100644 --- a/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c +++ b/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c @@ -84,6 +84,22 @@ gst_rtmp_location_handler_default_init (GstRtmpLocationHandlerInterface * iface) g_object_interface_install_property (iface, g_param_spec_uint ("timeout", "Timeout", "RTMP timeout in seconds", 0, G_MAXUINT, DEFAULT_TIMEOUT, G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS)); + /** + * GstRtmpLocationHandler::tls-validation-flags: + * + * TLS certificate validation flags used to validate server + * certificate. + * + * GLib guarantees that if certificate verification fails, at least one + * error will be set, but it does not guarantee that all possible errors + * will be set. Accordingly, you may not safely decide to ignore any + * particular type of error. + * + * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if + * you want to allow expired certificates, because this could potentially be + * the only error flag set even if other problems exist with the + * certificate. + */ g_object_interface_install_property (iface, g_param_spec_flags ("tls-validation-flags", "TLS validation flags", "TLS validation flags to use", G_TYPE_TLS_CERTIFICATE_FLAGS, diff --git a/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c b/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c index 2a20b5b742..f743637a64 100644 --- a/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c +++ b/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c @@ -426,8 +426,10 @@ socket_connect (GTask * task) GST_DEBUG ("Configuring TLS, validation flags 0x%02x", data->location.tls_flags); g_socket_client_set_tls (socket_client, TRUE); + G_GNUC_BEGIN_IGNORE_DEPRECATIONS; g_socket_client_set_tls_validation_flags (socket_client, data->location.tls_flags); + G_GNUC_END_IGNORE_DEPRECATIONS; break; default: diff --git a/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c b/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c index 42bd4101a7..1dfeed1c23 100644 --- a/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c +++ b/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c @@ -643,6 +643,15 @@ gst_rtsp_connection_get_tls (GstRTSPConnection * conn, GError ** error) * Sets the TLS validation flags to be used to verify the peer * certificate when a TLS connection is established. * + * GLib guarantees that if certificate verification fails, at least one error + * will be set, but it does not guarantee that all possible errors will be + * set. Accordingly, you may not safely decide to ignore any particular type + * of error. + * + * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if + * you want to allow expired certificates, because this could potentially be + * the only error flag set even if other problems exist with the certificate. + * * Returns: TRUE if the validation flags are set correctly, or FALSE if * @conn is NULL or is not a TLS connection. * @@ -657,8 +666,10 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn, g_return_val_if_fail (conn != NULL, FALSE); res = g_socket_client_get_tls (conn->client); + G_GNUC_BEGIN_IGNORE_DEPRECATIONS; if (res) g_socket_client_set_tls_validation_flags (conn->client, flags); + G_GNUC_END_IGNORE_DEPRECATIONS; return res; } @@ -670,7 +681,16 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn, * Gets the TLS validation flags used to verify the peer certificate * when a TLS connection is established. * - * Returns: the validationg flags. + * GLib guarantees that if certificate verification fails, at least one error + * will be set, but it does not guarantee that all possible errors will be + * set. Accordingly, you may not safely decide to ignore any particular type + * of error. + * + * For example, it would be incorrect to ignore %G_TLS_CERTIFICATE_EXPIRED if + * you want to allow expired certificates, because this could potentially be + * the only error flag set even if other problems exist with the certificate. + * + * Returns: the validation flags. * * Since: 1.2.1 */ @@ -679,7 +699,9 @@ gst_rtsp_connection_get_tls_validation_flags (GstRTSPConnection * conn) { g_return_val_if_fail (conn != NULL, 0); + G_GNUC_BEGIN_IGNORE_DEPRECATIONS; return g_socket_client_get_tls_validation_flags (conn->client); + G_GNUC_END_IGNORE_DEPRECATIONS; } /** diff --git a/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c b/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c index e41c7b7f3f..ca95536471 100644 --- a/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c +++ b/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c @@ -812,6 +812,16 @@ gst_rtspsrc_class_init (GstRTSPSrcClass * klass) * TLS certificate validation flags used to validate server * certificate. * + * GLib guarantees that if certificate verification fails, at least one + * error will be set, but it does not guarantee that all possible errors + * will be set. Accordingly, you may not safely decide to ignore any + * particular type of error. + * + * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if + * you want to allow expired certificates, because this could potentially be + * the only error flag set even if other problems exist with the + * certificate. + * * Since: 1.2.1 */ g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS, diff --git a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c index bb3953c5ed..0c24542d04 100644 --- a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c +++ b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c @@ -666,6 +666,16 @@ gst_rtsp_client_sink_class_init (GstRTSPClientSinkClass * klass) * TLS certificate validation flags used to validate server * certificate. * + * GLib guarantees that if certificate verification fails, at least one + * error will be set, but it does not guarantee that all possible errors + * will be set. Accordingly, you may not safely decide to ignore any + * particular type of error. + * + * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if + * you want to allow expired certificates, because this could potentially be + * the only error flag set even if other problems exist with the + * certificate. + * */ g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS, g_param_spec_flags ("tls-validation-flags", "TLS validation flags",