Commit graph

88 commits

Author SHA1 Message Date
Sebastian Dröge
3864c9f97f gstdtlsconnection: Propagate errors from key export to the caller
Otherwise the DTLS connection silently does nothing instead of reporting
an error via the elements.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1156>
2020-06-26 10:20:04 +03:00
Miguel Paris
3dd2bbf23c dtlsconnection: do not set keys_exported flag if actually not exported
keys_exported flag should be set only if keys are actually exported.
For that the next conditions are needed:
  1 - SSL_export_keying_material on success
  2 - SSL_get_selected_srtp_profile returns a valid profile
  3 - The profile ID is SRTP_AES128_CM_SHA1_80 or SRTP_AES128_CM_SHA1_32

Also don't crash if NULL is returned as profile.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1156>
2020-06-26 10:19:28 +03:00
Mathieu Duponchelle
6baffc2931 docs: mark more types as plugin API 2020-06-23 12:10:17 -04:00
Mathieu Duponchelle
a048ce81d4 plugins: update gst_type_mark_as_plugin_api() calls 2020-06-06 00:40:42 +02:00
Sebastian Dröge
74f2f733be plugins: Use gst_type_mark_as_plugin_api() for all non-element plugin types 2020-06-04 13:33:16 -04:00
Matthew Waters
8da177c0bf dtls/connection: fix EOF handling with openssl 1.1.1e
openssl 1.1.1e does some stricter EOF handling and will throw an error
if the EOF is unexpected (like in the middle of a record).  As we are
streaming data into openssl here, it is entirely possible that we push
data from multiple buffers/packets into openssl separately.

From the openssl changelog:

 Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
  *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
     while reading in libssl then we would report an error back to the
     application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
     an error to the stack (which means we instead return SSL_ERROR_SSL) and
     therefore give a hint as to what went wrong.
     [Matt Caswell]

We can relax the EOF signalling to only return TRUE when we have stopped
for any reason (EOS, error).

Will also remove a spurious EOF error from previous openssl version.
2020-03-27 11:43:53 +11:00
Jan Schmidt
0c72a41767 gstdtlsrtpenc: Add rtp-sync property
Add an rtp-sync property which synchronises RTP streams
to the pipeline clock before passing them to funnel for
merging with RTCP.

https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/issues/1212
2020-02-27 12:30:32 +00:00
Sebastian Dröge
cc8b90967b dtls: Set a random serial number and issuer/subject in the self-signed certificates
This is also what Chrome and Firefox are doing, citing privacy concerns.
Also putting OpenWebRTC from Sweden as issuer/subject is rather
confusing.
2020-02-27 08:27:19 +00:00
Sebastian Dröge
7fcfb6c6c5 dtls: Keep track of the connection state and signal it through all the layers
This allows the application to keep track of the underlying DTLS
connection state and act accordingly.
2020-01-19 11:16:34 +00:00
Sebastian Dröge
d66aa872ca dtls: Handle errors/close_notify at all steps and propagate through the layers properly
Previously we simply logged errors but never reported them to elements
or even to the user. Fatal errors are now properly reported.

Additionally proper connection closing is implemented based on EOS:
- dtlsenc: EOS will cause close_notify to be sent to the peer and only
           if the peer also sent back close_notify we will forward the
           EOS event.
- dtlsdec: EOS will be forwarded normally, this only means that the
           underlying transport was closed. On receiving a DTLS packet
           containing close_notify, return EOS and send EOS downstream.
2020-01-19 11:16:34 +00:00
Sebastian Dröge
a132138f1c dtls: Propagate write errors backwards through dtlsenc/dtlsconnection 2020-01-19 11:16:34 +00:00
Sebastian Dröge
ee55dac8d4 dtls: Use a plain function pointer instead of a GClosure for the send callback
There's no point in using GClosure and going through all the
GValue/libffi infrastructure for each DTLS packet.
2020-01-19 11:16:34 +00:00
Sebastian Dröge
e59962850a dtlsenc: Don't warn on GST_FLOW_FLUSHING or GST_FLOW_EOS
Only warn if pushing a buffer returns an actual error to not pollute
logs with confusing warnings.
2019-12-30 11:09:46 +00:00
Niels De Graef
d8f61515d8 Don't pass default GLib marshallers for signals
By passing NULL to `g_signal_new` instead of a marshaller, GLib will
actually internally optimize the signal (if the marshaller is available
in GLib itself) by also setting the valist marshaller. This makes the
signal emission a bit more performant than the regular marshalling,
which still needs to box into `GValue` and call libffi in case of a
generic marshaller.

Note that for custom marshallers, one would use
`g_signal_set_va_marshaller()` with the valist marshaller instead.
2019-11-06 14:27:46 +00:00
Aaron Boxer
6d3429af34 documentation: fixed a heap o' typos 2019-11-05 09:11:25 -05:00
Tim-Philipp Müller
f218ec2794 Remove autotools build system 2019-10-14 13:54:27 +01:00
Sebastian Dröge
060e72e370 Revert "dtls: fix generated cert dtls agent leak"
This reverts commit e5585b1bde
2019-07-26 06:35:53 +00:00
Ilya Smelykh
e5585b1bde dtls: fix generated cert dtls agent leak
The generated certificate dtls agent was refed two times on the first call.
2019-07-25 20:03:02 +07:00
Ilya Smelykh
aa0dea09d6 dtls: fix dtls connection object leak 2019-07-25 10:21:29 +00:00
Juan Navarro
d289608a99 dtlsagent: Clear the certificate upon finalize
Cleaning this up was likely just forgotten
2019-06-25 20:37:57 +02:00
Juan Navarro
8317112883 dtlsdec: Avoid duplicate ref when passing certificate property
The agent itself will take a ref on the property setter, so we'll be
left with two references to the certificate object, when actually there
should be only one
2019-06-25 20:37:38 +02:00
Jose Antonio Santos Cadenas
8a6f0a7e45 dtlsagent: Do not overwrite openssl locking callbacks 2019-05-14 07:36:15 +00:00
Thibault Saunier
47a49f3381 docs: Build documentation with hotdoc 2019-05-13 17:00:00 -04:00
Thibault Saunier
5a2b9357c9 Mark some properties as DOC_SHOW_DEFAULT 2019-05-13 11:36:32 -04:00
Edward Hervey
06b18defc7 dtls: Don't abort on non-fatal issues
OpenSSL will take care of returning a valid context if there are
only non-fatal issues. Don't abort in those cases and instead just
print out the issues.

Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/issues/811
2019-02-13 17:48:46 +00:00
Jordan Petridis
1f562870ee Run gst-indent through the files
This is required before we enable an indent test in the CI.

https://gitlab.freedesktop.org/gstreamer/gstreamer-project/issues/33
2018-11-28 14:18:26 +00:00
Rosen Penev
29d48ce8a1 dtls: Fix compilation without deprecated APIs on OpenSSL 1.1.x 2018-11-14 14:55:37 -08:00
Jan Alexander Steffens (heftig)
84d3f58c4a dtls: Link against winsock2 on Windows
Should fix the Windows build after
b1509b1047.
2018-11-06 18:48:44 +01:00
Jan Alexander Steffens (heftig)
b1509b1047 dtlsconnection: Print out errno info for syscall errors
As suggested in [the SSL_get_error manpage][1]. Upgrade the message to a
warning if the errno isn't 0 (success). The latter apparently means the
transport encountered an EOF (shutdown) without the shut down handshake
on the (D)TLS level. This happens quite often for otherwise normal DTLS
connections.

[1]: https://www.openssl.org/docs/man1.1.1/man3/SSL_get_error.html
2018-11-06 16:23:50 +00:00
Andreas Frisch
51f0307900 dtls: Properly display all errors/warnings from ERR queue
Print out all errors from the OpenSSL error queue instead of just
looking at the topmost error. Using the callback interface also removes
the need for formatting using a buffer on the stack.
2018-11-06 16:23:50 +00:00
Jan Alexander Steffens (heftig)
7bb6ce352b dtlsconnection: Replace if-else chain with switch
A more idiomatic construct for testing a bunch of integers.
2018-11-06 16:23:50 +00:00
Jan Alexander Steffens (heftig)
49cc7b8091 dtlsconnection: Clear error queue before SSL_do_handshake
As documented on [the SSL_get_error manpage][1] we need to empty the
error queue before making any call that we check with SSL_get_error.

[1]: https://www.openssl.org/docs/man1.1.1/man3/SSL_get_error.html
2018-11-06 16:23:50 +00:00
Jan Alexander Steffens (heftig)
fa92909d0d dtlsconnection: Lower BIO error log level to DEBUG
Periodic SSL_ERROR_SYSCALL errors with errno == 0 seem to be normal
behavior for DTLS connections.

Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/issues/677
2018-11-06 16:23:50 +00:00
Jan Alexander Steffens (heftig)
a9b9994738 dtlsconnection: Run gst-indent 2018-11-06 16:23:50 +00:00
Nirbheek Chauhan
b55dfb5313 Add feature options for almost all plugins
The only plugins remaining are those that haven't been ported to Meson
yet, and msdk. Also, the tests are still automagic.

https://bugzilla.gnome.org/show_bug.cgi?id=795107
2018-07-27 19:04:38 +05:30
Tim-Philipp Müller
3c6f642fa6 dtls: Update for g_type_class_add_private() deprecation in recent GLib 2018-06-24 01:06:24 +02:00
Xavier Claessens
83d0623293 Meson: Generate pc file for all plugins in bad
https://bugzilla.gnome.org/show_bug.cgi?id=794568
2018-04-25 11:08:09 +01:00
Matthew Waters
eaef193d08 dtls: drop upstream segment and stream-start events
Fixes tests with GstHarness

We will push our own from the srcpad task.
2018-02-05 17:44:33 +11:00
Matthew Waters
dc452aa799 dtls: don't leak the system clock
Obtain and release it as needed.
2018-02-05 17:44:33 +11:00
Matthew Waters
18a62b144d dtlsenc: fix typo in is-client property description 2018-02-05 17:44:33 +11:00
Matthew Waters
94a7bf9ede dtls: remove reliance on a default GMainContext/Loop
By removing the indirection to the main loop completely when receiving
the peer certificate. For reference, the on-decoder-key signal does not
have a redirection.
2018-02-01 23:25:18 +11:00
Nicolas Dufresne
4261692187 Remove plugin specific static build option
Static and dynamic plugins now have the same interface. The standard
--enable-static/--enable-shared toggles are sufficient.
2017-05-16 14:05:52 -04:00
Scott D Phillips
1a43d57359 dtls: Set openssl's threadid the 1.0.x way
For pre-1.1.x openssl, a callback to set the thread id needs to be
provided to openssl. In 0.9.x the thread id was an unsigned long. In
1.0.x it was expanded to be able to hold a void*. Here we change to use
the 1.0.x API so that the thread id can always hold a GThread*, even on
platforms like msvc x64 where unsigned long is only 32 bits.

All of this is still #ifdef'd out of existence when building with
openssl 1.1.x or later which changed the thread API again, and does not
need a thread id callback.

https://bugzilla.gnome.org/show_bug.cgi?id=775292
2016-12-05 11:26:15 +02:00
Sebastian Dröge
3a069193e2 dtlscertificate: Fix error checking in RSA_generate_key_ex() usage
Was broken during the port for OpenSSL 1.1.

https://bugzilla.gnome.org/show_bug.cgi?id=774328
2016-11-14 11:32:17 +02:00
Sebastian Dröge
31317fd666 dtls: Fix compiler warnings with openssl 1.1 or newer
- DTLSv1_method() is deprecated, and since 1.0.2 replaced by
  DTLS_method().
- CRYPTO_set_locking_callback() and CRYPTO_set_id_callback() are
  no-ops (empty macros) since 1.1 and are not supposed to be used
  anymore.

gstdtlsagent.c: In function ‘gst_dtls_agent_init’:
gstdtlsagent.c:173:3: error: ‘DTLSv1_method’ is deprecated [-Werror=deprecated-declarations]
   priv->ssl_context = SSL_CTX_new (DTLSv1_method ());
   ^~~~
In file included from /usr/include/openssl/ct.h:13:0,
                 from /usr/include/openssl/ssl.h:61,
                 from gstdtlsagent.c:40:
/usr/include/openssl/ssl.h:1614:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_method(void)) /* DTLSv1.0 */
 ^
At top level:
gstdtlsagent.c:103:1: error: ‘ssl_thread_id_function’ defined but not used [-Werror=unused-function]
 ssl_thread_id_function (void)
 ^~~~~~~~~~~~~~~~~~~~~~
gstdtlsagent.c:73:1: error: ‘ssl_locking_function’ defined but not used [-Werror=unused-function]
 ssl_locking_function (gint mode, gint lock_num, const gchar * file, gint line)
 ^~~~~~~~~~~~~~~~~~~~
2016-11-02 14:04:19 +02:00
Olivier Crête
c35b918ce1 dtls: Downgrade locking debug 2016-11-01 14:57:21 -04:00
Daiki Ueno
e938933167 dtls: port to OpenSSL 1.1.0
Changes are:

- Use the wrapper functions to access opaque data types.  To preserve
  backward compatibility, define fallback definitions

- Remove the use of idiom "pqueue_size(ssl->d1->sent_messages)", since
  there is no replacement

- Use RSA_generate_key_ex instead of the deprecated RSA_generate_key

https://bugzilla.gnome.org/show_bug.cgi?id=773540
2016-10-31 12:49:11 +02:00
Nirbheek Chauhan
42af2d66d8 Add support for Meson as alternative/parallel build system
https://github.com/mesonbuild/meson

With contributions from:

Tim-Philipp Müller <tim@centricular.com>
Matej Knopp <matej.knopp@gmail.com>
Jussi Pakkanen <jpakkane@gmail.com> (original port)

Highlights of the features provided are:
* Faster builds on Linux (~40-50% faster)
* The ability to build with MSVC on Windows
* Generate Visual Studio project files
* Generate XCode project files
* Much faster builds on Windows (on-par with Linux)
* Seriously fast configure and building on embedded

... and many more. For more details see:

http://blog.nirbheek.in/2016/05/gstreamer-and-meson-new-hope.html
http://blog.nirbheek.in/2016/07/building-and-developing-gstreamer-using.html

Building with Meson should work on both Linux and Windows, but may
need a few more tweaks on other operating systems.
2016-08-20 11:35:54 +01:00
Raffaele Rossi
79f9c7671b dtls: add some documentation
https://bugzilla.gnome.org/show_bug.cgi?id=760994
2016-04-18 12:35:40 +01:00
Santiago Carot-Nemesio
d2ef3a4c19 dtls: Use unique names for internal elements to ease debugging
https://bugzilla.gnome.org/show_bug.cgi?id=748651
2016-04-04 11:09:10 +01:00