Inspired by a patch by Jakob van Bethlehem. But instead of doing
an empty POST first to trigger the WWW-Authenticate header (which
would succeed if no auth actually was required), add an Expect:
100-continue header, which is meant to be used exactly for
cases like this.
The header is added if doing a post, and the user has specified
authentication but we don't know the auth method yet.
Not all common HTTP servers support the Expect: 100-continue header,
though, so we only try to use it when it really is needed. The user
can request it to be added for other POST requests as well via
an option - which would allow the caller to know immediately that
the POST has failed (e.g. if no auth was provided but the server
required it, or if the target URL simply doesn't exist).
This is only done for write mode posts (e.g. posts without pre-set
post_data) - for posts with pre-set data, we can just redo the post
if it failed due to 401.
Signed-off-by: Martin Storsjö <martin@martin.st>
The default is to autodetect the auth method. This does require one
extra request (and also closing and reopening the http connection).
For some cases such as HTTP POST, the autodetection is not handled
properly (yet).
No option is added for digest, since this method requires getting
nonce parameters from the server first and can't be used straight
away like Basic.
Signed-off-by: Martin Storsjö <martin@martin.st>
Also add options for specifying a certificate and key, which can
be used both when operating as client and as server.
Partially based on a patch by Peter Ross.
Signed-off-by: Martin Storsjö <martin@martin.st>
A file containing the trusted CA certificates needs to be
supplied via the ca_file AVOption, unless the TLS library
has got a system default file/database set up.
This doesn't check the hostname of the peer certificate with
openssl, which requires a non-trivial piece of code for
manually matching the desired hostname to the string provided
by the certificate, not provided as a library function.
That is, with openssl, this only validates that the received
certificate is signed with the right CA, but not that it is
the actual server we think we're talking to.
Verification is still disabled by default since we can't count
on a proper CA database existing at all times.
Signed-off-by: Martin Storsjö <martin@martin.st>
ASF markers only have a start time, so we lose the chapter end times,
but that is ASF for you
Signed-off-by: Vladimir Pantelic <vladoman@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This makes the output fragments independent of their position in
the output stream, making the output work better when streamed.
QuickTime Player doesn't support fragmented mp4 without the base
data offset, though.
Signed-off-by: Martin Storsjö <martin@martin.st>
This is enabled by default and can be disabled with
"-fflags -flush_packets".
Inspired by a patch from Nicolas George <nicolas.george@normalesup.org>.
Signed-off-by: Martin Storsjö <martin@martin.st>
Allow emitting the current cluster that is being written before
starting a new one, simplifying how to figure out where clusters
are positioned in the output stream (for live streaming).
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The handling of the environment variable no_proxy, present since
one of the initial commits (de6d9b6404), is inconsistent with
how many other applications and libraries interpret this
variable. Its bare presence does not indicate that the use of
proxies should be skipped, but it is some sort of pattern for
hosts that does not need using a proxy (e.g. for a local network).
As investigated by Rudolf Polzer, different libraries handle this
in different ways, some supporting IP address masks, some supporting
arbitrary globbing using *, some just checking that the pattern matches
the end of the hostname without regard for whether it actually is
the right domain or a domain that ends in the same string.
This simple logic should be pretty similar to the logic used by
lynx and curl.
Signed-off-by: Martin Storsjö <martin@martin.st>
Expose the current sequence number via an AVOption - this can
be used both for setting the initial sequence number, or for
querying the current number.
Signed-off-by: Martin Storsjö <martin@martin.st>
The main difference to the existing suites from RFC 4568 is
that the version with a 32 bit HMAC still uses 80 bit HMAC
for RTCP packets.
Signed-off-by: Martin Storsjö <martin@martin.st>
This is mostly useful for encryption together with the RTP muxer,
but could also be set up as IO towards the peer with the SDP
demuxer with custom IO.
Signed-off-by: Martin Storsjö <martin@martin.st>
This only takes care of decrypting incoming packets; the outgoing
RTCP packets are not encrypted. This is enough for some use cases,
and signalling crypto keys for use with outgoing RTCP packets
doesn't fit as simply into the API. If the SDP demuxer is hooked
up with custom IO, the return packets can be encrypted e.g. via the
SRTP protocol.
If the SRTP keys aren't available within the SDP, the decryption
can be handled externally as well (when using custom IO).
Signed-off-by: Martin Storsjö <martin@martin.st>
This sends NACK for missed packets and PLI (picture loss indication)
if a depacketizer indicates that it needs a new keyframe, according
to RFC 4585.
This is only enabled if the SDP indicated that feedback is supported
(via the AVPF or SAVPF profile names).
The feedback packets are throttled to a certain maximum interval
(currently 250 ms) to make sure the feedback packets don't eat up
too much bandwidth (which might be counterproductive). The RFC
specifies a more elaborate feedback packet scheduling.
The feedback packets are currently sent independently from normal
RTCP RR packets, which is not totally spec compliant, but works
fine in the environments I've tested it in. (RFC 5506 allows this,
but requires a SDP attribute for enabling it.)
Signed-off-by: Martin Storsjö <martin@martin.st>
To use this, set sdpflags=custom_io to the sdp demuxer. During
the avformat_open_input call, the SDP is read from the AVFormatContext
AVIOContext (ctx->pb) - after the avformat_open_input call,
during the av_read_frame() calls, the same ctx->pb is used for reading
packets (and sending back RTCP RR packets).
Normally, one would use this with a read-only AVIOContext for the
SDP during the avformat_open_input call, then close that one and
replace it with a read-write one for the packets after the
avformat_open_input call has returned.
This allows using the RTP depacketizers as "pure" demuxers, without
having them tied to the libavformat network IO.
Signed-off-by: Martin Storsjö <martin@martin.st>
Limelight is a not too uncommon CDN. The authentication scheme is
pretty similar to the adobe authentication, but is even closer to
normal http digest authentication (but not close enough to warrant
sharing code) than the adobe version.
Signed-off-by: Martin Storsjö <martin@martin.st>
This is mostly used to authenticate the client when publishing.
Tested with wowza and akamai.
Some but not all servers support resending a new connect invoke
within the same connection, so always reconnect for sending a new
connection attempt. This matches what other applications do as well.
The authentication scheme is structurally pretty similar to http
digest authentication, but uses base64 instead of hex strings.
Signed-off-by: Martin Storsjö <martin@martin.st>
This packetization scheme simply places the full packets into the
RTP packet without any extra header bytes.
Signed-off-by: Martin Storsjö <martin@martin.st>
This muxer splits the output from the ismv muxer into individual
files, in realtime.
The same can also be done by the standalone tool ismindex, but this
muxer is needed for doing it in realtime (especially for live
streams that need extra handling for updating the lookahead fields
in the fragment headers).
Using this muxer, one can deliver live smooth streaming from a
normal static file web server. (Using ismindex, one can deliver
premade smooth streaming files from a static file web server,
or prepare files for serving with IIS.)
Signed-off-by: Martin Storsjö <martin@martin.st>
Specifies how the server verifies client SWF files before allowing the
files to connect to an application. Verifying SWF files is a security
measure that prevents someone from creating their own SWF files that can
attempt to stream your resources.
Signed-off-by: Martin Storsjö <martin@martin.st>
According to its description, it is supposed to be the LCM of all the
frame durations. The usability of such a thing is vanishingly small,
especially since we cannot determine it with any amount of reliability.
Therefore get rid of it after the next bump.
Replace it with the average framerate where it makes sense.
FATE results for the wtv and xmv demux tests change. In the wtv case
this is caused by the file being corrupted (or possibly badly cut) and
containing invalid timestamps. This results in lavf estimating the
framerate wrong and making up wrong frame durations.
In the xmv case the file contains pts jumps, so again the estimated
framerate is far from anything sane and lavf again makes up different
frame durations.
In some other tests lavf starts making up frame durations from different
frame.
Useful in cases where a significant analyzeduration is
still needed, while minimizing buffering before output.
An example is processing low-latency streams where all
media types won't necessarily come in if the
analyzeduration is small.
Additional changes by Josh Allmann <joshua.allmann@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It should be possible to specify usernames in http requests containing
urlencoded characters. This patch adds support for decoding the auth
strings.
Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
This adds two protocols, but one of them is an internal implementation
detail just used as an abstraction layer/generalization in the code. The
RTMPE protocol implementation uses ffrtmpcrypt:// as an alternative to the
tcp:// protocol. This allows moving most of the lower level logic out
from the higher level generic rtmp code.
Signed-off-by: Martin Storsjö <martin@martin.st>
Add a new option 'rtmp_flush_interval' that allows specifying the
number of packets to write before sending it off as a HTTP request.
This is mostly relevant for RTMPT - for plain RTMP, it only controls
how often we check the socket for incoming packets, which shouldn't
affect the performance in any noticeable way.
Signed-off-by: Martin Storsjö <martin@martin.st>
This requires all NAL units to fit within single RTP packets. It
doesn't change the actual packetization for packets that fit, but
errors out and gives a helpful hint if the NAL units would have to
be split, and signals the right packetization mode in the SDP.
Signed-off-by: Martin Storsjö <martin@martin.st>
This adds two protocols, but one of them is an internal implementation
detail just used as an abstraction layer/generalization in the code. The
RTMPT protocol implementation uses rtmphttp:// as an alternative to the
tcp:// protocol. This allows moving most of the lower level logic out
from the higher level generic rtmp code.
Signed-off-by: Martin Storsjö <martin@martin.st>
Keep the old protocol name around for backwards compatibility
until the next bump.
Deprecate the method of implicitly assuming the nested protocol.
For applehttp://server/path, it might have felt logical, but
supporting hls://server/path isn't quite as intuitive. Therefore
only support hls+http://server/path from now on.
Using this protocol at all is discouraged, since the hls demuxer
is more complete and fits into the architecture better. There
have been cases where the protocol implementation worked better
than the demuxer, but this should no longer be the case.
Signed-off-by: Martin Storsjö <martin@martin.st>
Martin Storsjö
Nicolas George
Vladimir Pantelic
Luca Barbato
Gavriloaie Eugen-Andrei
Anton Khirnov
Paul B Mahol
Victor Vasiliev
Nathan Caldwell
Dmitry Samonenko
Samuel Pitoiset
Stefano Sabatini
Jordi Ortiz
Antti Seppälä
Kostya Shishkov
Diego Biurrun
Mans Rullgard
James Zern