join validation of TLS fingerprints (#2071)

3 years ago · 3967caa530
3 changed files with 43 additions and 47 deletions
--- a/internal/core/hls_source.go
+++ b/internal/core/hls_source.go
@ -2,12 +2,7 @@ package core
 import (
 	"context"
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/hex"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/bluenviron/gohlslib"
@ -52,31 +47,11 @@ func (s *hlsSource) run(ctx context.Context, cnf *conf.PathConf, reloadConf chan
 		}
 	}()
 	var tlsConfig *tls.Config
 	if cnf.SourceFingerprint != "" {
 		tlsConfig = &tls.Config{
 			InsecureSkipVerify: true,
 			VerifyConnection: func(cs tls.ConnectionState) error {
 				h := sha256.New()
 				h.Write(cs.PeerCertificates[0].Raw)
 				hstr := hex.EncodeToString(h.Sum(nil))
 				fingerprintLower := strings.ToLower(cnf.SourceFingerprint)
 				if hstr != fingerprintLower {
 					return fmt.Errorf("server fingerprint do not match: expected %s, got %s",
 						fingerprintLower, hstr)
 				}
 				return nil
 			},
 		}
 	}
 	c := &gohlslib.Client{
 		URI: cnf.Source,
 		HTTPClient: &http.Client{
 			Transport: &http.Transport{
-				TLSClientConfig: tlsConfig,
+				TLSClientConfig: tlsConfigForFingerprint(cnf.SourceFingerprint),
 			},
 		},
 		Log: func(level gohlslib.LogLevel, format string, args ...interface{}) {
--- a/internal/core/rtmp_source.go
+++ b/internal/core/rtmp_source.go
@ -2,13 +2,10 @@ package core
 import (
 	"context"
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/hex"
 	"fmt"
 	"net"
 	"net/url"
 	"strings"
 	"time"
 	"github.com/bluenviron/gortsplib/v3/pkg/formats"
@ -71,24 +68,9 @@ func (s *rtmpSource) run(ctx context.Context, cnf *conf.PathConf, reloadConf cha
 			return (&net.Dialer{}).DialContext(ctx2, "tcp", u.Host)
 		}
-		tlsConfig := &tls.Config{
+		return (&tls.Dialer{
-			InsecureSkipVerify: true,
+			Config: tlsConfigForFingerprint(cnf.SourceFingerprint),
-			VerifyConnection: func(cs tls.ConnectionState) error {
+		}).DialContext(ctx2, "tcp", u.Host)
 				h := sha256.New()
 				h.Write(cs.PeerCertificates[0].Raw)
 				hstr := hex.EncodeToString(h.Sum(nil))
 				fingerprintLower := strings.ToLower(cnf.SourceFingerprint)
 				if hstr != fingerprintLower {
 					return fmt.Errorf("server fingerprint do not match: expected %s, got %s",
 						fingerprintLower, hstr)
 				}
 				return nil
 			},
 		}
 		return (&tls.Dialer{Config: tlsConfig}).DialContext(ctx2, "tcp", u.Host)
 	}()
 	if err != nil {
 		return err
--- a/internal/core/tls_fingerprint.go
+++ b/internal/core/tls_fingerprint.go
@ -0,0 +1,39 @@
 package core
 import (
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/hex"
 	"fmt"
 	"strings"
 )
 type fingerprintValidatorFunc func(tls.ConnectionState) error
 func fingerprintValidator(fingerprint string) fingerprintValidatorFunc {
 	fingerprintLower := strings.ToLower(fingerprint)
 	return func(cs tls.ConnectionState) error {
 		h := sha256.New()
 		h.Write(cs.PeerCertificates[0].Raw)
 		hstr := hex.EncodeToString(h.Sum(nil))
 		if hstr != fingerprintLower {
 			return fmt.Errorf("source fingerprint does not match: expected %s, got %s",
 				fingerprintLower, hstr)
 		}
 		return nil
 	}
 }
 func tlsConfigForFingerprint(fingerprint string) *tls.Config {
 	if fingerprint == "" {
 		return nil
 	}
 	return &tls.Config{
 		InsecureSkipVerify: true,
 		VerifyConnection:   fingerprintValidator(fingerprint),
 	}
 }