Update README to contain more information on encrypted streams (HLS-20)
Update README to contain more information on encrypted streams (HLS-20)

--- a/HLS-Stream-Creator.sh
+++ b/HLS-Stream-Creator.sh
@@ -50,8 +50,8 @@
 # Video codec for the output video. Will be used as an value for the -vcodec argument
 VIDEO_CODEC=${VIDEO_CODEC:-"libx264"}
 
-# Video codec for the output video. Will be used as an value for the -acodec argument
-AUDIO_CODEC=${AUDIO_CODEC:-"libfdk_aac"}
+# Audio codec for the output video. Will be used as an value for the -acodec argument
+AUDIO_CODEC=${AUDIO_CODEC:-"aac"}
 
 # Additional flags for ffmpeg
 FFMPEG_FLAGS=${FFMPEG_FLAGS:-""}
@@ -95,6 +95,10 @@
 	-p	Playlist filename
 	-t	Segment filename prefix
 	-S	Segment directory name (default none)
+	-e	Encrypt the HLS segments (default none)
+	-2	2-pass encoding
+	-q	Quality (changes to CRF)
+	-C	Constant Bit Rate (CBR as opposed to AVB)
 
 Deprecated Legacy usage:
 	HLS-Stream-Creator.sh inputfile segmentlength(seconds) [outputdir='./output']
@@ -116,8 +120,26 @@
 bitrate="$3"
 infile="$4"
 
+local PASSVAR=
+if $TWOPASS; then
+	local LOGFILE="$OUTPUT_DIRECTORY/bitrate$br"
+	PASSVAR="-passlogfile \"$LOGFILE\" -pass 2"
+
+	$FFMPEG -i "$infile" \
+		-pass 1 \
+		-passlogfile "$LOGFILE" \
+		-an \
+		-vcodec libx264 \
+		-f mpegts \
+		$bitrate \
+		$FFMPEG_ADDITIONAL \
+		-loglevel error -y \
+		/dev/null
+fi
+
 $FFMPEG -i "$infile" \
-    -loglevel error -y \
+    $PASSVAR \
+    -loglevel verbose -y \
     -vcodec "$VIDEO_CODEC" \
     -acodec "$AUDIO_CODEC" \
     -threads "$NUMTHREADS" \
@@ -167,15 +189,66 @@
 	  if ! kill -0 ${PIDS[$i]} 2> /dev/null
 	  then
 		echo "Encoding for bitrate ${BITRATE_PROCESSES[$i]}k completed"
+
+		if [ "$LIVE_STREAM" == "1" ] && [ `grep 'EXT-X-ENDLIST' "$OUTPUT_DIRECTORY/${PLAYLIST_PREFIX}_${BITRATE_PROCESSES[$i]}.m3u8" | wc -l ` == "0" ]
+		then
+		    # Correctly terminate the manifest. See HLS-15 for info on why
+		    echo "#EXT-X-ENDLIST" >> "$OUTPUT_DIRECTORY/${PLAYLIST_PREFIX}_${BITRATE_PROCESSES[$i]}.m3u8"
+		fi
+
 		unset BITRATE_PROCESSES[$i]
 		unset PIDS[$i]
 	  fi
     done
     PIDS=("${PIDS[@]}") # remove any nulls
+    BITRATE_PROCESSES=("${BITRATE_PROCESSES[@]}") # remove any nulls
     sleep 1
 done
 }
 
+function encrypt(){
+# Encrypt the generated segments with AES-128 bits
+
+
+    # Only run the encryption routine if it's been enabled  (and not blocked)
+    if [ ! "$ENCRYPT" == "1" ] || [ "$LIVE_STREAM" == "1" ]
+    then
+        return
+    fi
+
+    echo "Generating Encryption Key"
+    KEY_FILE="$OUTPUT_DIRECTORY/${PLAYLIST_PREFIX}.key"
+
+    openssl rand 16 > $KEY_FILE
+    ENCRYPTION_KEY=$(cat $KEY_FILE | hexdump -e '16/1 "%02x"')
+
+    echo "Encrypting Segments"
+    for file in ${OUTPUT_DIRECTORY}/*.ts
+    do
+        SEG_NO=$( echo "$file" | grep -o -P '_[0-9]+\.ts' | tr -dc '0-9' )
+        ENC_FILENAME="$OUTPUT_DIRECTORY/${SEGMENT_PREFIX}_enc_${SEG_NO}".ts
+
+        # Strip leading 0's so printf doesn't think it's octal
+        #SEG_NO=${SEG_NO##+(0)} # Doesn't work for some reason - need to check shopt to look further into it
+        SEG_NO=$(echo $SEG_NO | sed 's/^0*//' )
+        
+        # Convert the segment number to an IV. 
+	INIT_VECTOR=$(printf '%032x' $SEG_NO)
+	openssl aes-128-cbc -e -in $file -out $ENC_FILENAME -nosalt -iv $INIT_VECTOR -K $ENCRYPTION_KEY
+
+        # Move encrypted file to the original filename, so that the m3u8 file does not have to be changed
+        mv $ENC_FILENAME $file
+        
+    done
+
+    echo "Updating Manifests"
+    # this isn't technically correct as we needn't write into the master, but should still work
+    for manifest in ${OUTPUT_DIRECTORY}/*.m3u8
+    do
+        # Insert the KEY at the 5'th line in the m3u8 file
+        sed -i "5i #EXT-X-KEY:METHOD=AES-128,URI="${PLAYLIST_PREFIX}.key "$manifest"
+    done
+}
 
 # This is used internally, if the user wants to specify their own flags they should be
 # setting FFMPEG_FLAGS
@@ -184,13 +257,16 @@
 IS_FIFO=0
 TMPDIR=${TMPDIR:-"/tmp"}
 MYPID=$$
+TWOPASS=false
+QUALITY=
+CONSTANT=false
 # Get the input data
 
 # This exists to maintain b/c
 LEGACY_ARGS=1
 
 # If even one argument is supplied, switch off legacy argument style
-while getopts "i:o:s:c:b:p:t:S:lf" flag
+while getopts "i:o:s:c:b:p:t:S:q:Clfe2" flag
 do
 	LEGACY_ARGS=0
         case "$flag" in
@@ -204,6 +280,10 @@
 		p) PLAYLIST_PREFIX="$OPTARG";;
 		t) SEGMENT_PREFIX="$OPTARG";;
 		S) SEGMENT_DIRECTORY="$OPTARG";;
+		e) ENCRYPT=1;;
+		2) TWOPASS=true;;
+		q) QUALITY="$OPTARG";;
+		C) CONSTANT=true;;
         esac
 done
 
@@ -260,7 +340,8 @@
 
     if [ "$LIVE_SEGMENT_COUNT" -gt 0 ]
     then
-	FFMPEG_ADDITIONAL+=" -segment_list_size $LIVE_SEGMENT_COUNT"
+	WRAP_POINT=$(($LIVE_SEGMENT_COUNT * 2)) # Wrap the segment numbering after 2 manifest lengths - prevents disks from filling
+	FFMPEG_ADDITIONAL+=" -segment_list_size $LIVE_SEGMENT_COUNT -segment_wrap $WRAP_POINT"
     fi
 fi
 
@@ -300,7 +381,7 @@
       createVariantPlaylist "$OUTPUT_DIRECTORY/${PLAYLIST_PREFIX}_master.m3u8"
       for br in $OP_BITRATES
       do
-	    appendVariantPlaylistentry "$OUTPUT_DIRECTORY/${SEGMENT_DIRECTORY}${PLAYLIST_PREFIX}_master.m3u8" "${PLAYLIST_PREFIX}_${br}.m3u8" "$br"
+	    appendVariantPlaylistentry "$OUTPUT_DIRECTORY/${PLAYLIST_PREFIX}_master.m3u8" "${SEGMENT_DIRECTORY}${PLAYLIST_PREFIX}_${br}.m3u8" "$br"
       done
 
       OUTPUT_DIRECTORY+=$SEGMENT_DIRECTORY
@@ -308,7 +389,19 @@
       # Now for the longer running bit, transcode the video
       for br in $OP_BITRATES
       do
-	      BITRATE="-b:v ${br}k -bufsize ${br}k"
+              if [ -z $QUALITY ]; then
+		if $CONSTANT; then
+	          BITRATE="-b:v ${br}k -bufsize ${br}k -minrate ${br}k -maxrate ${br}k"
+		else
+	          BITRATE="-b:v ${br}k"
+		fi
+	      else
+	        BITRATE="-crf $QUALITY -maxrate ${br}k -bufsize ${br}k"
+                if [ $VIDEO_CODEC = "libx265" ]; then
+                  BITRATE="$BITRATE -x265-params --vbv-maxrate ${br}k --vbv-bufsize ${br}k"
+                fi
+	      fi
+	      echo "Bitrate options: $BITRATE"
 	      # Finally, lets build the output filename format
 	      OUT_NAME="${SEGMENT_PREFIX}_${br}_%05d.ts"
 	      PLAYLIST_NAME="$OUTPUT_DIRECTORY/${PLAYLIST_PREFIX}_${br}.m3u8"
@@ -348,6 +441,9 @@
 	    # Monitor the background tasks for completion
 	    echo "All transcoding processes started, awaiting completion"
 	    awaitCompletion
+	    
+	    # As of HLS-20 encrypt will only run if the relevant vars are set
+	    encrypt
       fi
 
       if [ "$IS_FIFO" == "1" ]
@@ -375,6 +471,7 @@
 
   createStream "$PLAYLIST_NAME" "$OUT_NAME" "$BITRATE" "$INPUTFILE"
 
-
-fi
-
+  # As of HLS-20 encrypt will only run if the relevant vars are set
+  encrypt
+fi
+

file:a/README.md -> file:b/README.md
--- a/README.md
+++ b/README.md
@@ -36,18 +36,22 @@
     Mandatory Arguments:
 
 	-i [file]	Input file
-	-s [s]  	Segment length (seconds)
+	-s [s]		Segment length (seconds)
 
     Optional Arguments:
 
 	-o [directory]	Output directory (default: ./output)
 	-c [count]	Number of segments to include in playlist (live streams only) - 0 is no limit
+	-e      	Encrypt the HLS segments (a key will be generated automatically)
 	-b [bitrates]	Output video Bitrates in kb/s (comma seperated list for adaptive streams)
 	-p [name]	Playlist filename prefix
 	-t [name]	Segment filename prefix
 	-l		Input is a live stream
 	-f		Foreground encoding only (adaptive non-live streams only)
 	-S		Name of a subdirectory to put segments into
+	-2		Use two-pass encoding
+	-q [quality]	Change encoding to CFR with [quality]
+	-C		Use constant bitrate as opposed to variable bitrate
 ```
 
 
@@ -69,6 +73,34 @@
 ```
 
 In either case, in accordance with the HLS spec, the audio bitrate will remain unchanged
+
+
+
+Encrypted Streams
+-------------------
+
+HLS-Stream-Creator can also create encrypted HLS streams, it's enabled by passing *-e*
+
+```
+./HLS-Stream-Creator.sh -i example.avi -e -s 10 -b 28,64,128,256
+
+```
+
+The script will generate a 128 bit key and save it to a *.key* file in the same directory as the segments. Each segment will be AES-128 encrypted using an IV which corresponds to it's segment number (the [default behaviour](https://developer.apple.com/library/content/technotes/tn2288/_index.html#//apple_ref/doc/uid/DTS40012238-CH1-ENCRYPT) for HLS).
+
+The manifests will then be updated to include the necessary `EXT-X-KEY` tag:
+
+```
+#EXTM3U
+#EXT-X-VERSION:3
+#EXT-X-MEDIA-SEQUENCE:0
+#EXT-X-ALLOW-CACHE:YES
+#EXT-X-KEY:METHOD=AES-128,URI=big_buck_bunny_720p_stereo.avi.key
+#EXT-X-TARGETDURATION:17
+#EXTINF:10.500000,
+big_buck_bunny_720p_stereo.avi_1372_00000.ts
+```
+
 
 
 Output
@@ -102,6 +134,12 @@
 ```
 
 
+H265 details
+------------
+
+Check has been added for libx265 to enforce bitrate limits for H265 since it uses additional parameters.
+
+
 Additional Environment Variables
 -------------------------------
 

--- /dev/null
+++ b/output/false_master.m3u8
@@ -1,1 +1,8 @@
+#EXTM3U
+#EXT-X-STREAM-INF:BANDWIDTH=436000
+false_436.m3u8
+#EXT-X-STREAM-INF:BANDWIDTH=128000
+false_128.m3u8
+#EXT-X-STREAM-INF:BANDWIDTH=512000
+false_512.m3u8