rtsp+rtmp: Forward warning added to tls-validation-flags to our users

With the 2.72 release, glib-networking developers have decided that TLS certificate validation cannot be implemented correctly by them, so they've deprecated it. In a nutshell: a cert can have several validation errors, but there are no guarantees that the TLS backend will return all those errors, and things are made even more complicated by the fact that the list of errors might refer to certs that are added for backwards-compat and won't actually be used by the TLS library. Our best option is to ignore the deprecation and pass the warning onto users so they can make an appropriate security decision regarding this. We can't deprecate the tls-validation-flags property because it is very useful when connecting to RTSP cameras that will never get updates to fix certificate errors. Relevant upstream merge requests / issues: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2214 https://gitlab.gnome.org/GNOME/glib-networking/-/issues/179 https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/193 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2494>
2024-06-26 01:40:38 +00:00 · 2022-05-25 18:40:30 +05:30 · 2022-05-25 18:40:30 +05:30 · 5da9f62313
parent 11ecda9d73
commit 5da9f62313
5 changed files with 61 additions and 1 deletions
--- a/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c
+++ b/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c
@ -84,6 +84,22 @@ gst_rtmp_location_handler_default_init (GstRtmpLocationHandlerInterface * iface)
  g_object_interface_install_property (iface, g_param_spec_uint ("timeout",
          "Timeout", "RTMP timeout in seconds", 0, G_MAXUINT, DEFAULT_TIMEOUT,
          G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+  /**
+   * GstRtmpLocationHandler::tls-validation-flags:
+   *
+   * TLS certificate validation flags used to validate server
+   * certificate.
+   *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   */
  g_object_interface_install_property (iface,
      g_param_spec_flags ("tls-validation-flags", "TLS validation flags",
          "TLS validation flags to use", G_TYPE_TLS_CERTIFICATE_FLAGS,
--- a/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c
+++ b/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c
@ -426,8 +426,10 @@ socket_connect (GTask * task)
      GST_DEBUG ("Configuring TLS, validation flags 0x%02x",
          data->location.tls_flags);
      g_socket_client_set_tls (socket_client, TRUE);
+      G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
      g_socket_client_set_tls_validation_flags (socket_client,
          data->location.tls_flags);
+      G_GNUC_END_IGNORE_DEPRECATIONS;
      break;

    default:
--- a/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c
@ -643,6 +643,15 @@ gst_rtsp_connection_get_tls (GstRTSPConnection * conn, GError ** error)
 * Sets the TLS validation flags to be used to verify the peer
 * certificate when a TLS connection is established.
 *
+ * GLib guarantees that if certificate verification fails, at least one error
+ * will be set, but it does not guarantee that all possible errors will be
+ * set. Accordingly, you may not safely decide to ignore any particular type
+ * of error.
+ *
+ * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+ * you want to allow expired certificates, because this could potentially be
+ * the only error flag set even if other problems exist with the certificate.
+ *
 * Returns: TRUE if the validation flags are set correctly, or FALSE if
 * @conn is NULL or is not a TLS connection.
 *
@ -657,8 +666,10 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
  g_return_val_if_fail (conn != NULL, FALSE);

  res = g_socket_client_get_tls (conn->client);
+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
  if (res)
    g_socket_client_set_tls_validation_flags (conn->client, flags);
+  G_GNUC_END_IGNORE_DEPRECATIONS;

  return res;
 }
@ -670,7 +681,16 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
 * Gets the TLS validation flags used to verify the peer certificate
 * when a TLS connection is established.
 *
- * Returns: the validationg flags.
+ * GLib guarantees that if certificate verification fails, at least one error
+ * will be set, but it does not guarantee that all possible errors will be
+ * set. Accordingly, you may not safely decide to ignore any particular type
+ * of error.
+ *
+ * For example, it would be incorrect to ignore %G_TLS_CERTIFICATE_EXPIRED if
+ * you want to allow expired certificates, because this could potentially be
+ * the only error flag set even if other problems exist with the certificate.
+ *
+ * Returns: the validation flags.
 *
 * Since: 1.2.1
 */
@ -679,7 +699,9 @@ gst_rtsp_connection_get_tls_validation_flags (GstRTSPConnection * conn)
 {
  g_return_val_if_fail (conn != NULL, 0);

+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
  return g_socket_client_get_tls_validation_flags (conn->client);
+  G_GNUC_END_IGNORE_DEPRECATIONS;
 }

 /**
--- a/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c
+++ b/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c
@ -812,6 +812,16 @@ gst_rtspsrc_class_init (GstRTSPSrcClass * klass)
   * TLS certificate validation flags used to validate server
   * certificate.
   *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   *
   * Since: 1.2.1
   */
  g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
--- a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c
+++ b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c
@ -666,6 +666,16 @@ gst_rtsp_client_sink_class_init (GstRTSPClientSinkClass * klass)
   * TLS certificate validation flags used to validate server
   * certificate.
   *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   *
   */
  g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
      g_param_spec_flags ("tls-validation-flags", "TLS validation flags",