Add detection of encrypted output and disable encrypted output by default

With this commit if tsdecrypt detects that the stream is still
encrypted after passing it through decryption it doesn't output it.

You can enable the output of encrypted streams using --output-enc-pass
option.

ChangeLog

    races if the scripts are used for logging.
  * Start passing _INPUT_ADDR and _OUTPUT_ADDR variables to notify script.
  * Add --status-file (-0) option. This file keeps latest program status.
+ * Add two new notification messages - OUTPUT_ENCRYPTED and OUTPUT_OK
+ * Do not output the stream if it can not be decrypted. You can still
+   enable the output (ignorring encrypt detection) by using
+   --output-enc-pass option.
 
 2013-09-12 : Version 10.0
  * Add --ecm-only (-v) option. This allows processing of ECMs but without

README

  -g --output-tos <tos>      | Set TOS value of output packets. Default: none
  -u --no-output-on-error    | Do not output data when the code word is missing.
  -p --no-output-filter      | Disable output filtering. Default: enabled
+ -3 --output-enc-pass       | Output the stream even if can not be decrypted.
  -y --output-nit-pass       | Pass through NIT.
  -w --output-eit-pass       | Pass through EIT (EPG).
  -x --output-tdt-pass       | Pass through TDT/TOT.

bitstream.h

+/*
+ * TS bitstream functions
+ * The following functions are copied from bitstream/mpeg.ts and bitstream/mpeg/pes.h
+
+ * Copyright (c) 2010-2011 VideoLAN
+
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject
+ * to the following conditions:
+
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef BITSTREAM_H
+#define BITSTREAM_H
+
+#include <stdbool.h>
+#include <inttypes.h>
+
+#define TS_SIZE                     188
+#define TS_HEADER_SIZE              4
+#define PES_HEADER_SIZE_PTS         14
+#define PES_HEADER_SIZE_PTSDTS      19
+#define PES_STREAM_ID_MIN           0xbc
+#define PES_STREAM_ID_PRIVATE_2     0xbf
+
+static inline bool ts_validate(const uint8_t *p_ts)
+{
+    return p_ts[0] == 0x47;
+}
+
+static inline bool ts_get_unitstart(const uint8_t *p_ts)
+{
+    return !!(p_ts[1] & 0x40);
+}
+
+static inline bool ts_has_payload(const uint8_t *p_ts)
+{
+    return !!(p_ts[3] & 0x10);
+}
+
+static inline bool ts_has_adaptation(const uint8_t *p_ts)
+{
+    return !!(p_ts[3] & 0x20);
+}
+
+static inline uint8_t ts_get_adaptation(const uint8_t *p_ts)
+{
+    return p_ts[4];
+}
+
+static inline uint8_t pes_get_streamid(const uint8_t *p_pes)
+{
+    return p_pes[3];
+}
+
+static inline bool pes_validate(const uint8_t *p_pes)
+{
+    return (p_pes[0] == 0x0 && p_pes[1] == 0x0 && p_pes[2] == 0x1
+             && p_pes[3] >= PES_STREAM_ID_MIN);
+}
+
+static inline bool pes_validate_header(const uint8_t *p_pes)
+{
+    return ((p_pes[6] & 0xc0) == 0x80);
+}
+
+static inline bool pes_has_pts(const uint8_t *p_pes)
+{
+    return !!(p_pes[7] & 0x80);
+}
+
+static inline bool pes_has_dts(const uint8_t *p_pes)
+{
+    return (p_pes[7] & 0xc0) == 0xc0;
+}
+
+static inline bool pes_validate_pts(const uint8_t *p_pes)
+{
+    return ((p_pes[9] & 0xe1) == 0x21)
+            && (p_pes[11] & 0x1) && (p_pes[13] & 0x1);
+}
+
+static inline bool pes_validate_dts(const uint8_t *p_pes)
+{
+    return (p_pes[9] & 0x10) && ((p_pes[14] & 0xf1) == 0x11)
+            && (p_pes[16] & 0x1) && (p_pes[18] & 0x1);
+}
+
+#endif

data.c

 #include "data.h"
 #include "csa.h"
 #include "camd.h"
+#include "util.h"
 
 void data_init(struct ts *ts) {
 	memset(ts, 0, sizeof(struct ts));
 	ts->cw_last_warn= ts->cw_last_warn + ts->cw_warn_sec;
 	ts->key.ts      = time(NULL);
 
+	ts->allow_encrypted_output   = 0;
+	ts->output_is_encrypted      = 0;
+	ts->last_encrypted_output_ts = get_time();
+	ts->last_decrypted_output_ts = get_time();
+
 	ts->input.fd    = 0; // STDIN
 	ts->input.type  = FILE_IO;
 

data.h

 	time_t				last_not_scrambled_packet_ts;
 	time_t				last_not_scrambled_report_ts;
 
+	bool				allow_encrypted_output;
+	bool				output_is_encrypted;
+	int64_t				last_encrypted_output_ts;
+	int64_t				last_decrypted_output_ts;
+
 	unsigned int		pid_report;
 	unsigned int		pid_stats[MAX_PIDS];
 

process.c

 #include <string.h>
 #include <sys/uio.h>
 
+#include "bitstream.h"
 #include "data.h"
 #include "csa.h"
 #include "tables.h"
 	return NULL;
 }
 
+/*
+	Return value:
+		ret        == 0    - No valid payload was found
+		ret & 0x01 == 0x01 - PES was found
+		ret & 0x02 == 0x02 - PTS was found
+		ret & 0x04 == 0x04 - DTS was found
+*/
+static unsigned int ts_have_valid_pes(uint8_t *buf, unsigned int buffer_size) {
+	unsigned int ret = 0;
+	uint8_t *buf_end = buf + buffer_size;
+	while (buf < buf_end && ts_validate(buf)) {
+		uint16_t header_size = TS_HEADER_SIZE + (ts_has_adaptation(buf) ? 1 : 0) + ts_get_adaptation(buf);
+		if (ts_get_unitstart(buf) && ts_has_payload(buf) && header_size + PES_HEADER_SIZE_PTS <= TS_SIZE) {
+			//printf("Got payload\n");
+			if (pes_validate(buf + header_size) && pes_get_streamid(buf + header_size) != PES_STREAM_ID_PRIVATE_2 && pes_validate_header(buf + header_size)) {
+				//printf("Got PES\n");
+				ret |= 0x01;
+				if (pes_has_pts(buf + header_size) && pes_validate_pts(buf + header_size)) {
+					ret |= 0x02;
+					//printf("Got PTS\n");
+					if (header_size + PES_HEADER_SIZE_PTSDTS <= TS_SIZE && pes_has_dts(buf + header_size) && pes_validate_dts(buf + header_size)) {
+						//printf("Got DTS\n");
+						ret |= 0x04;
+					}
+				}
+			}
+		}
+		buf += TS_SIZE;
+	}
+	return ret;
+}
+
 static inline void output_write(struct ts *ts, uint8_t *data, unsigned int data_size) {
 	if (!data)
 		return;
 		return;
 	if (ts->no_output_on_error && !ts->camd.key->is_valid_cw)
 		return;
+	if (!ts->allow_encrypted_output) {
+		int64_t now = get_time();
+		int ret;
+		if ((ret = ts_have_valid_pes(data, data_size)) == 0) { // Is the output encrypted?
+			/* The output is encrypted, check if 1000 ms have passed and if such, notify that we probably have invalid key */
+			ts->last_encrypted_output_ts = now;
+			if (now > ts->last_decrypted_output_ts + 500000) {
+				if (!ts->output_is_encrypted) {
+					ts->output_is_encrypted = 1;
+					ts_LOGf("OUT | *ERR* The output is encrypted for %" PRId64 " ms, stopping output\n", (now - ts->last_decrypted_output_ts) / 1000);
+					notify(ts, "ENCRYPTED_OUTPUT", "The output can not be decrypted");
+				}
+			}
+		} else {
+			ts->last_decrypted_output_ts = now;
+			if (ts->output_is_encrypted) {
+				ts_LOGf("OUT | Got decrypted data: %s %s %s\n",
+					(ret & 0x01) == 0x01 ? "PES" : "   ",
+					(ret & 0x02) == 0x02 ? "PTS" : "   ",
+					(ret & 0x04) == 0x04 ? "DTS" : "   "
+				);
+				notify(ts, "OUTPUT_OK", "The output is decrypted");
+			}
+			ts->output_is_encrypted = 0;
+		}
+		if (ts->output_is_encrypted)
+			return;
+	}
+
 	if (!ts->rtp_output) {
 		if (write(ts->output.fd, data, data_size) < 0) {
 			perror("write(output_fd)");

tsdecrypt.1

 PAT/PMT/SDT and data packets are left in the output. Everything else not
 mentioned in PMT like NIT, EIT, TDT tables and unknown pids is removed.
 .TP
+\fB\-3\fR, \fB\-\-output\-enc\-pass\fR
+Output the stream even if it is encrypted. By default tsdecrypt detects
+if the stream is still encrypted after passing through decryption and
+does not output it.
+.TP
 \fB\-y\fR, \fB\-\-output\-nit\-pass\fR
 Pass through NIT packets when output filtering is enabled.
 .TP
 
   \fBINPUT_OK\fR        The data have appeared on the input.
 
+  \fBENCRYPTED_OUTPUT\fR The received keyword can not decrypt the stream
+
+  \fBOUTPUT_OK\fR       The stream that is beeing processed is decrypted
+
   \fBSTOP\fR            tsdecrypt was stopped.
 
 See \fBnotify\-script.example\fR for an example on how to create external

tsdecrypt.c

 		LOG(msg);
 }
 
-static const char short_options[] = "i:d:N:90:Sl:L:F:I:1:RzM:T:W:O:o:t:rk:g:upwxyc:C:Y:Q:A:s:U:P:B:46eZ:Ef:a:X:vqH:G:2:KJ:D:jbhVn:m:";
+static const char short_options[] = "i:d:N:90:Sl:L:F:I:1:RzM:T:W:O:o:t:rk:g:upwx3yc:C:Y:Q:A:s:U:P:B:46eZ:Ef:a:X:vqH:G:2:KJ:D:jbhVn:m:";
 
-// Unused short options: 3578
+// Unused short options: 578
 static const struct option long_options[] = {
 	{ "ident",				required_argument, NULL, 'i' },
 	{ "daemon",				required_argument, NULL, 'd' },
 	{ "output-nit-pass",	no_argument,       NULL, 'y' },
 	{ "output-eit-pass",	no_argument,       NULL, 'w' },
 	{ "output-tdt-pass",	no_argument,       NULL, 'x' },
+	{ "output-enc-pass",	no_argument,       NULL, '3' },
 
 	{ "ca-system",			required_argument, NULL, 'c' },
 	{ "caid",				required_argument, NULL, 'C' },
 	printf(" -g --output-tos <tos>      | Set TOS value of output packets. Default: none\n");
 	printf(" -u --no-output-on-error    | Do not output data when the code word is missing.\n");
 	printf(" -p --no-output-filter      | Disable output filtering. Default: %s\n", ts->pid_filter ? "enabled" : "disabled");
+	printf(" -3 --output-enc-pass       | Output the stream even if can not be decrypted.\n");
 	printf(" -y --output-nit-pass       | Pass through NIT.\n");
 	printf(" -w --output-eit-pass       | Pass through EIT (EPG).\n");
 	printf(" -x --output-tdt-pass       | Pass through TDT/TOT.\n");
 			case 'x': // --output-tdt-pass
 				ts->tdt_passthrough = !ts->tdt_passthrough;
 				break;
+			case '3': // --output-enc-pass
+				ts->allow_encrypted_output = !ts->allow_encrypted_output;
+				break;
 			case 'c': // --ca-system
 				if (strcasecmp("IRDETO", optarg) == 0)
 					ts->req_CA_sys = CA_IRDETO;