webrtc: add support for insecure tls connections

Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/merge_requests/1553>
This commit is contained in:
Robert Ayrapetyan 2024-04-24 19:52:26 +00:00
parent c282bc1bca
commit bac5845be1


@ -24,6 +24,8 @@ use url::Url;
use super::CAT; use super::CAT;
const DEFAULT_INSECURE_TLS: bool = false;
#[derive(Debug, Eq, PartialEq, Clone, Copy, glib::Enum, Default)] #[derive(Debug, Eq, PartialEq, Clone, Copy, glib::Enum, Default)]
#[repr(u32)] #[repr(u32)]
#[enum_type(name = "GstRSWebRTCSignallerRole")] #[enum_type(name = "GstRSWebRTCSignallerRole")]
@ -40,6 +42,7 @@ pub struct Settings {
cafile: Option<String>, cafile: Option<String>,
role: WebRTCSignallerRole, role: WebRTCSignallerRole,
headers: Option<gst::Structure>, headers: Option<gst::Structure>,
insecure_tls: bool,
} }
impl Default for Settings { impl Default for Settings {
@ -50,6 +53,7 @@ impl Default for Settings {
cafile: Default::default(), cafile: Default::default(),
role: Default::default(), role: Default::default(),
headers: None, headers: None,
insecure_tls: DEFAULT_INSECURE_TLS,
} }
} }
} }
@ -107,23 +111,36 @@ impl Signaller {
} }
async fn connect(&self) -> Result<(), Error> { async fn connect(&self) -> Result<(), Error> {
let obj = self.obj(); let (cafile, insecure_tls, role) = {
let settings = self.settings.lock().unwrap();
(
settings.cafile.clone(),
settings.insecure_tls,
settings.role,
)
};
let role = self.settings.lock().unwrap().role;
if let super::WebRTCSignallerRole::Consumer = role { if let super::WebRTCSignallerRole::Consumer = role {
self.producer_peer_id() self.producer_peer_id()
.ok_or_else(|| anyhow!("No target producer peer id set"))?; .ok_or_else(|| anyhow!("No target producer peer id set"))?;
} }
let connector = if let Some(path) = obj.property::<Option<String>>("cafile") { let mut connector_builder = tokio_native_tls::native_tls::TlsConnector::builder();
if let Some(path) = cafile {
let cert = tokio::fs::read_to_string(&path).await?; let cert = tokio::fs::read_to_string(&path).await?;
let cert = tokio_native_tls::native_tls::Certificate::from_pem(cert.as_bytes())?; let cert = tokio_native_tls::native_tls::Certificate::from_pem(cert.as_bytes())?;
let mut connector_builder = tokio_native_tls::native_tls::TlsConnector::builder(); connector_builder.add_root_certificate(cert);
let connector = connector_builder.add_root_certificate(cert).build()?; }
Some(tokio_native_tls::TlsConnector::from(connector))
} else { if insecure_tls {
None connector_builder.danger_accept_invalid_certs(true);
}; gst::warning!(CAT, imp: self, "insecure tls connections are allowed");
}
let connector = Some(tokio_native_tls::TlsConnector::from(
connector_builder.build()?,
));
let mut uri = self.uri(); let mut uri = self.uri();
uri.set_query(None); uri.set_query(None);
@ -522,6 +539,17 @@ impl ObjectImpl for Signaller {
.blurb("HTTP headers sent during the connection handshake") .blurb("HTTP headers sent during the connection handshake")
.flags(glib::ParamFlags::READWRITE) .flags(glib::ParamFlags::READWRITE)
.build(), .build(),
/**
* GstWebRTCSignaller::insecure-tls:
*
* Enables insecure TLS connections. Disabled by default.
*/
glib::ParamSpecBoolean::builder("insecure-tls")
.nick("Insecure TLS")
.blurb("Whether insecure TLS connections are allowed")
.default_value(DEFAULT_INSECURE_TLS)
.flags(glib::ParamFlags::READWRITE)
.build(),
] ]
}); });
@ -565,6 +593,10 @@ impl ObjectImpl for Signaller {
.get::<Option<gst::Structure>>() .get::<Option<gst::Structure>>()
.expect("type checked upstream") .expect("type checked upstream")
} }
"insecure-tls" => {
self.settings.lock().unwrap().insecure_tls =
value.get::<bool>().expect("type checked upstream")
}
_ => unimplemented!(), _ => unimplemented!(),
} }
} }
@ -588,6 +620,7 @@ impl ObjectImpl for Signaller {
"role" => settings.role.to_value(), "role" => settings.role.to_value(),
"client-id" => self.state.lock().unwrap().client_id.to_value(), "client-id" => self.state.lock().unwrap().client_id.to_value(),
"headers" => settings.headers.to_value(), "headers" => settings.headers.to_value(),
"insecure-tls" => settings.insecure_tls.to_value(),
_ => unimplemented!(), _ => unimplemented!(),
} }
} }
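Review bot: The new property describes itself only as "Enables insecure TLS connections", but what the connect() hunk does with it is `connector_builder.danger_accept_invalid_certs(true)`, which turns off server certificate validation for the signalling websocket altogether, so any certificate presented by the signalling server is accepted; the doc comment on the ParamSpec and the blurb should state that plainly, e.g. `.blurb("Whether to skip server certificate validation for the signalling connection (testing only)")`, and the warning on the same path is clearer as `gst::warning!(CAT, imp: self, "insecure-tls is set: server certificate validation is disabled");`. Note also that connect() now always builds and passes a native-tls connector even when neither cafile nor insecure-tls is set, where it previously passed `None` and left the choice to the websocket layer; presumably the default builder trusts the system roots so this is equivalent, but it is worth confirming. The body of connect() continues past the end of the hunk.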