Require RTSP encryption when encryption mode is set to mandatory

This also lets us provide a friendly error to the client when it is rejected.
2025-08-10 00:52:16 +00:00 · 2024-02-03 13:57:43 -06:00
parent f80b23750b
commit 3578727ff9
4 changed files with 49 additions and 16 deletions
--- a/src/network.cpp
+++ b/src/network.cpp
@@ -3,6 +3,7 @@
 * @brief todo
 */
 #include "network.h"
+#include "config.h"
 #include "utility.h"
 #include <algorithm>

@@ -174,6 +175,22 @@ namespace net {
    }
  }

+  /**
+   * @brief Returns the encryption mode for the given remote endpoint address.
+   * @param address The address used to look up the desired encryption mode.
+   * @return The WAN or LAN encryption mode, based on the provided address.
+   */
+  int
+  encryption_mode_for_address(boost::asio::ip::address address) {
+    auto nettype = net::from_address(address.to_string());
+    if (nettype == net::net_e::PC || nettype == net::net_e::LAN) {
+      return config::stream.lan_encryption_mode;
+    }
+    else {
+      return config::stream.wan_encryption_mode;
+    }
+  }
+
  host_t
  host_create(af_e af, ENetAddress &addr, std::size_t peers, std::uint16_t port) {
    static std::once_flag enet_init_flag;
--- a/src/network.h
+++ b/src/network.h
@@ -84,4 +84,12 @@ namespace net {
   */
  std::string
  addr_to_url_escaped_string(boost::asio::ip::address address);
+
+  /**
+   * @brief Returns the encryption mode for the given remote endpoint address.
+   * @param address The address used to look up the desired encryption mode.
+   * @return The WAN or LAN encryption mode, based on the provided address.
+   */
+  int
+  encryption_mode_for_address(boost::asio::ip::address address);
 }  // namespace net
--- a/src/nvhttp.cpp
+++ b/src/nvhttp.cpp
@@ -820,6 +820,17 @@ namespace nvhttp {
    host_audio = util::from_view(get_arg(args, "localAudioPlayMode"));
    auto launch_session = make_launch_session(host_audio, args);

+    auto encryption_mode = net::encryption_mode_for_address(request->remote_endpoint().address());
+    if (!launch_session->rtsp_cipher && encryption_mode == config::ENCRYPTION_MODE_MANDATORY) {
+      BOOST_LOG(error) << "Rejecting client that cannot comply with mandatory encryption requirement"sv;
+
+      tree.put("root.<xmlattr>.status_code", 403);
+      tree.put("root.<xmlattr>.status_message", "Encryption is mandatory for this host but unsupported by the client");
+      tree.put("root.gamesession", 0);
+
+      return;
+    }
+
    if (appid > 0) {
      auto err = proc::proc.execute(appid, launch_session);
      if (err) {
@@ -906,6 +917,17 @@ namespace nvhttp {

    auto launch_session = make_launch_session(host_audio, args);

+    auto encryption_mode = net::encryption_mode_for_address(request->remote_endpoint().address());
+    if (!launch_session->rtsp_cipher && encryption_mode == config::ENCRYPTION_MODE_MANDATORY) {
+      BOOST_LOG(error) << "Rejecting client that cannot comply with mandatory encryption requirement"sv;
+
+      tree.put("root.<xmlattr>.status_code", 403);
+      tree.put("root.<xmlattr>.status_message", "Encryption is mandatory for this host but unsupported by the client");
+      tree.put("root.gamesession", 0);
+
+      return;
+    }
+
    tree.put("root.<xmlattr>.status_code", 200);
    tree.put("root.sessionUrl0", launch_session->rtsp_url_scheme +
                                   net::addr_to_url_escaped_string(request->local_endpoint().address()) + ':' +
--- a/src/rtsp.cpp
+++ b/src/rtsp.cpp
@@ -789,14 +789,7 @@ namespace rtsp_stream {
    uint32_t encryption_flags_requested = SS_ENC_CONTROL_V2;

    // Determine the encryption desired for this remote endpoint
-    auto nettype = net::from_address(sock.remote_endpoint().address().to_string());
-    int encryption_mode;
-    if (nettype == net::net_e::PC || nettype == net::net_e::LAN) {
-      encryption_mode = config::stream.lan_encryption_mode;
-    }
-    else {
-      encryption_mode = config::stream.wan_encryption_mode;
-    }
+    auto encryption_mode = net::encryption_mode_for_address(sock.remote_endpoint().address());
    if (encryption_mode != config::ENCRYPTION_MODE_NEVER) {
      // Advertise support for video encryption if it's not disabled
      encryption_flags_supported |= SS_ENC_VIDEO;
@@ -1080,14 +1073,7 @@ namespace rtsp_stream {
    }

    // Check that any required encryption is enabled
-    auto nettype = net::from_address(sock.remote_endpoint().address().to_string());
-    int encryption_mode;
-    if (nettype == net::net_e::PC || nettype == net::net_e::LAN) {
-      encryption_mode = config::stream.lan_encryption_mode;
-    }
-    else {
-      encryption_mode = config::stream.wan_encryption_mode;
-    }
+    auto encryption_mode = net::encryption_mode_for_address(sock.remote_endpoint().address());
    if (encryption_mode == config::ENCRYPTION_MODE_MANDATORY &&
        (config.encryptionFlagsEnabled & (SS_ENC_VIDEO | SS_ENC_AUDIO)) != (SS_ENC_VIDEO | SS_ENC_AUDIO)) {
      BOOST_LOG(error) << "Rejecting client that cannot comply with mandatory encryption requirement"sv;