avformat/whip: require remote DTLS fingerprint in SDP answer

WHIP relies on the SDP a=fingerprint to bind the peer identity to
the SRTP keying material (RFC 8842 §§ 5.1, 5.3). parse_answer()
walks the SDP body looking for `a=ice-lite`, `a=ice-ufrag:`,
`a=ice-pwd:`, and `a=candidate:` lines and ignores everything else,
including `a=fingerprint`. WHIP intentionally runs the OpenSSL DTLS
backend with s->verify=0 (DTLS-SRTP uses self-signed certs by
design, so a CA chain check would be meaningless); the peer cert is
accepted regardless of identity. The spec's compensating identity
control — verifying the DTLS peer cert against the SDP a=fingerprint
hash — is missing, so the SRTP keys are derived from a session
whose peer identity was never authenticated. Any on-path attacker,
or a malicious WHIP server URL, can substitute their own DTLS
material and the publisher's RTP stream will be encrypted to them.

The full fix is a two-step process:
  (a) Require a=fingerprint to be present in the SDP answer
      (RFC 8842 § 5.3 MUST).
  (b) After DTLS handshake, compute the peer-cert hash and compare
      against the stored fingerprint (RFC 8842 § 5.1 MUST); tear
      down the session on mismatch.
This patch implements step (a) only; step (b) requires plumbing
the cert hash out of dtls_start() through the openssl TLS context
and is left as a follow-up.

Add a remote_fingerprint field to WHIPContext, extract the
a=fingerprint value from the SDP answer in parse_answer(), and
return AVERROR(EINVAL) when it is absent. This raises the bar from
"no fingerprint required" to "any fingerprint required"; the
follow-up patch will raise it again to "fingerprint MUST hash-match
the DTLS peer cert."

Found-by: Claude (Anthropic). Human-verified and reported by
Omkhar Arasaratnam <omkhar@linkedin.com>.
Signed-off-by: Omkhar Arasaratnam <omkhar@linkedin.com>

libavformat/whip.c

@@ -290,6 +290,8 @@ typedef struct WHIPContext {
     char key_buf[MAX_CERTIFICATE_SIZE];
     /* The fingerprint of certificate, used in SDP offer. */
     char *dtls_fingerprint;
+    /* remote DTLS cert fingerprint from SDP answer (sha-256). */
+    char *remote_fingerprint;
     /**
      * This represents the material used to build the SRTP master key. It is
      * generated by DTLS and has the following layout:
@@ -921,6 +923,17 @@ static int parse_answer(AVFormatContext *s)
                 ret = AVERROR(ENOMEM);
                 goto end;
             }
+        } else if (av_strstart(line, "a=fingerprint:", &ptr) && !whip->remote_fingerprint) {
+            /* SDP a=fingerprint format is "<algo> <hex:hex:...>". Skip
+             * the algo token, store the hex string for post-handshake compare. */
+            const char *space = strchr(ptr, ' ');
+            if (space) {
+                whip->remote_fingerprint = av_strdup(space + 1);
+                if (!whip->remote_fingerprint) {
+                    ret = AVERROR(ENOMEM);
+                    goto end;
+                }
+            }
         } else if (av_strstart(line, "a=candidate:", &ptr) && !whip->ice_protocol) {
             if (ptr && av_stristr(ptr, "host")) {
                 /* Refer to RFC 5245 15.1 */
@@ -970,6 +983,17 @@ static int parse_answer(AVFormatContext *s)
         goto end;
     }
 
+    /* per RFC 8829/8842, SDP answer MUST carry a=fingerprint and that
+     * fingerprint MUST match the DTLS peer certificate. Without it, an
+     * on-path attacker can complete DTLS with an arbitrary self-signed
+     * certificate and the resulting SRTP session is unauthenticated. */
+    if (!whip->remote_fingerprint || !strlen(whip->remote_fingerprint)) {
+        av_log(whip, AV_LOG_ERROR,
+               "No remote DTLS fingerprint in SDP answer; refusing unauthenticated session\n");
+        ret = AVERROR(EINVAL);
+        goto end;
+    }
+
     if (whip->state < WHIP_STATE_NEGOTIATED)
         whip->state = WHIP_STATE_NEGOTIATED;
     whip->whip_answer_time = av_gettime_relative();
@@ -2130,6 +2154,7 @@ static av_cold void whip_deinit(AVFormatContext *s)
     ffurl_closep(&whip->dtls_uc);
     ffurl_closep(&whip->udp);
     av_freep(&whip->dtls_fingerprint);
+    av_freep(&whip->remote_fingerprint);
 }
 
 static int whip_check_bitstream(AVFormatContext *s, AVStream *st, const AVPacket *pkt)