From d8ffb2055f0e0fcb5d025bab72eb19c2a886c125 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 26 May 2015 19:25:41 +0200 Subject: lavf: split tls.c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move the OpenSSL and GnuTLS implementations to their own files. Other than the connection code (including options) and some boilerplate, no code is actually shared. Signed-off-by: Martin Storsjö --- libavformat/Makefile | 3 +- libavformat/allformats.c | 3 +- libavformat/rtspdec.c | 1 + libavformat/tls.c | 375 ++-------------------------------------------- libavformat/tls.h | 54 +++++++ libavformat/tls_gnutls.c | 228 ++++++++++++++++++++++++++++ libavformat/tls_openssl.c | 233 ++++++++++++++++++++++++++++ 7 files changed, 534 insertions(+), 363 deletions(-) create mode 100644 libavformat/tls.h create mode 100644 libavformat/tls_gnutls.c create mode 100644 libavformat/tls_openssl.c (limited to 'libavformat') diff --git a/libavformat/Makefile b/libavformat/Makefile index 73b9f63ba9..dc4cfea75e 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -400,7 +400,8 @@ OBJS-$(CONFIG_RTP_PROTOCOL) += rtpproto.o OBJS-$(CONFIG_SCTP_PROTOCOL) += sctp.o OBJS-$(CONFIG_SRTP_PROTOCOL) += srtpproto.o srtp.o OBJS-$(CONFIG_TCP_PROTOCOL) += tcp.o -OBJS-$(CONFIG_TLS_PROTOCOL) += tls.o +OBJS-$(CONFIG_TLS_GNUTLS_PROTOCOL) += tls_gnutls.o tls.o +OBJS-$(CONFIG_TLS_OPENSSL_PROTOCOL) += tls_openssl.o tls.o OBJS-$(CONFIG_UDP_PROTOCOL) += udp.o OBJS-$(CONFIG_UNIX_PROTOCOL) += unix.o diff --git a/libavformat/allformats.c b/libavformat/allformats.c index f4be81a458..ff296cb8ae 100644 --- a/libavformat/allformats.c +++ b/libavformat/allformats.c @@ -291,7 +291,8 @@ void av_register_all(void) REGISTER_PROTOCOL(SCTP, sctp); REGISTER_PROTOCOL(SRTP, srtp); REGISTER_PROTOCOL(TCP, tcp); - REGISTER_PROTOCOL(TLS, tls); + REGISTER_PROTOCOL(TLS_GNUTLS, tls_gnutls); + REGISTER_PROTOCOL(TLS_OPENSSL, tls_openssl); REGISTER_PROTOCOL(UDP, udp); REGISTER_PROTOCOL(UNIX, unix); diff --git a/libavformat/rtspdec.c b/libavformat/rtspdec.c index 4b4ae9c794..6c92c6946e 100644 --- a/libavformat/rtspdec.c +++ b/libavformat/rtspdec.c @@ -32,6 +32,7 @@ #include "rtpproto.h" #include "rtsp.h" #include "rdt.h" +#include "tls.h" #include "url.h" static const struct RTSPStatusMessage { diff --git a/libavformat/tls.c b/libavformat/tls.c index 00fe876a42..eee3fc3d7d 100644 --- a/libavformat/tls.c +++ b/libavformat/tls.c @@ -20,209 +20,28 @@ */ #include "avformat.h" +#include "internal.h" +#include "network.h" +#include "os_support.h" #include "url.h" +#include "tls.h" #include "libavutil/avstring.h" #include "libavutil/opt.h" #include "libavutil/parseutils.h" -#if CONFIG_GNUTLS -#include -#include -#define TLS_read(c, buf, size) gnutls_record_recv(c->session, buf, size) -#define TLS_write(c, buf, size) gnutls_record_send(c->session, buf, size) -#define TLS_shutdown(c) gnutls_bye(c->session, GNUTLS_SHUT_RDWR) -#define TLS_free(c) do { \ - if (c->session) \ - gnutls_deinit(c->session); \ - if (c->cred) \ - gnutls_certificate_free_credentials(c->cred); \ - } while (0) - -static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport, - void *buf, size_t len) -{ - URLContext *h = (URLContext*) transport; - int ret = ffurl_read(h, buf, len); - if (ret >= 0) - return ret; - if (ret == AVERROR_EXIT) - return 0; - errno = EIO; - return -1; -} -static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport, - const void *buf, size_t len) -{ - URLContext *h = (URLContext*) transport; - int ret = ffurl_write(h, buf, len); - if (ret >= 0) - return ret; - if (ret == AVERROR_EXIT) - return 0; - errno = EIO; - return -1; -} -#elif CONFIG_OPENSSL -#include -#include -#include -#define TLS_read(c, buf, size) SSL_read(c->ssl, buf, size) -#define TLS_write(c, buf, size) SSL_write(c->ssl, buf, size) -#define TLS_shutdown(c) SSL_shutdown(c->ssl) -#define TLS_free(c) do { \ - if (c->ssl) \ - SSL_free(c->ssl); \ - if (c->ctx) \ - SSL_CTX_free(c->ctx); \ - } while (0) - -static int url_bio_create(BIO *b) -{ - b->init = 1; - b->ptr = NULL; - b->flags = 0; - return 1; -} - -static int url_bio_destroy(BIO *b) -{ - return 1; -} - -static int url_bio_bread(BIO *b, char *buf, int len) -{ - URLContext *h = b->ptr; - int ret = ffurl_read(h, buf, len); - if (ret >= 0) - return ret; - BIO_clear_retry_flags(b); - if (ret == AVERROR_EXIT) - return 0; - return -1; -} - -static int url_bio_bwrite(BIO *b, const char *buf, int len) -{ - URLContext *h = b->ptr; - int ret = ffurl_write(h, buf, len); - if (ret >= 0) - return ret; - BIO_clear_retry_flags(b); - if (ret == AVERROR_EXIT) - return 0; - return -1; -} -static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr) +int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options) { - if (cmd == BIO_CTRL_FLUSH) { - BIO_clear_retry_flags(b); - return 1; - } - return 0; -} - -static int url_bio_bputs(BIO *b, const char *str) -{ - return url_bio_bwrite(b, str, strlen(str)); -} - -static BIO_METHOD url_bio_method = { - .type = BIO_TYPE_SOURCE_SINK, - .name = "urlprotocol bio", - .bwrite = url_bio_bwrite, - .bread = url_bio_bread, - .bputs = url_bio_bputs, - .bgets = NULL, - .ctrl = url_bio_ctrl, - .create = url_bio_create, - .destroy = url_bio_destroy, -}; - -#endif -#include "network.h" -#include "os_support.h" -#include "internal.h" -#if HAVE_POLL_H -#include -#endif - -typedef struct TLSContext { - const AVClass *class; - URLContext *tcp; -#if CONFIG_GNUTLS - gnutls_session_t session; - gnutls_certificate_credentials_t cred; -#elif CONFIG_OPENSSL - SSL_CTX *ctx; - SSL *ssl; -#endif - char *ca_file; - int verify; - char *cert_file; - char *key_file; - int listen; -} TLSContext; - -#define OFFSET(x) offsetof(TLSContext, x) -#define D AV_OPT_FLAG_DECODING_PARAM -#define E AV_OPT_FLAG_ENCODING_PARAM -static const AVOption options[] = { - {"ca_file", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, .flags = D|E }, - {"tls_verify", "Verify the peer certificate", OFFSET(verify), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E }, - {"cert_file", "Certificate file", OFFSET(cert_file), AV_OPT_TYPE_STRING, .flags = D|E }, - {"key_file", "Private key file", OFFSET(key_file), AV_OPT_TYPE_STRING, .flags = D|E }, - {"listen", "Listen for incoming connections", OFFSET(listen), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E }, - { NULL } -}; - -static const AVClass tls_class = { - .class_name = "tls", - .item_name = av_default_item_name, - .option = options, - .version = LIBAVUTIL_VERSION_INT, -}; - -static int print_tls_error(URLContext *h, int ret) -{ -#if CONFIG_GNUTLS - switch (ret) { - case GNUTLS_E_AGAIN: - case GNUTLS_E_INTERRUPTED: - break; - case GNUTLS_E_WARNING_ALERT_RECEIVED: - av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret)); - break; - default: - av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret)); - break; - } -#elif CONFIG_OPENSSL - av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); -#endif - return AVERROR(EIO); -} - -static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options) -{ - TLSContext *c = h->priv_data; - int ret; int port; const char *p; - char buf[200], host[200], opts[50] = ""; - int numerichost = 0; + char buf[200], opts[50] = ""; struct addrinfo hints = { 0 }, *ai = NULL; const char *proxy_path; int use_proxy; -#if CONFIG_OPENSSL && !CONFIG_GNUTLS - BIO *bio; -#endif - - ff_tls_init(); if (c->listen) snprintf(opts, sizeof(opts), "?listen=1"); - av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port, NULL, 0, uri); + av_url_split(NULL, 0, NULL, 0, c->host, sizeof(c->host), &port, NULL, 0, uri); p = strchr(uri, '?'); @@ -233,16 +52,16 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op c->listen = 1; } - ff_url_join(buf, sizeof(buf), "tcp", NULL, host, port, "%s", p); + ff_url_join(buf, sizeof(buf), "tcp", NULL, c->host, port, "%s", p); hints.ai_flags = AI_NUMERICHOST; - if (!getaddrinfo(host, NULL, &hints, &ai)) { - numerichost = 1; + if (!getaddrinfo(c->host, NULL, &hints, &ai)) { + c->numerichost = 1; freeaddrinfo(ai); } proxy_path = getenv("http_proxy"); - use_proxy = !ff_http_match_no_proxy(getenv("no_proxy"), host) && + use_proxy = !ff_http_match_no_proxy(getenv("no_proxy"), c->host) && proxy_path && av_strstart(proxy_path, "http://", NULL); if (use_proxy) { @@ -251,177 +70,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op av_url_split(NULL, 0, proxy_auth, sizeof(proxy_auth), proxy_host, sizeof(proxy_host), &proxy_port, NULL, 0, proxy_path); - ff_url_join(dest, sizeof(dest), NULL, NULL, host, port, NULL); + ff_url_join(dest, sizeof(dest), NULL, NULL, c->host, port, NULL); ff_url_join(buf, sizeof(buf), "httpproxy", proxy_auth, proxy_host, proxy_port, "/%s", dest); } - ret = ffurl_open(&c->tcp, buf, AVIO_FLAG_READ_WRITE, - &h->interrupt_callback, options); - if (ret) - goto fail; - -#if CONFIG_GNUTLS - gnutls_init(&c->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT); - if (!c->listen && !numerichost) - gnutls_server_name_set(c->session, GNUTLS_NAME_DNS, host, strlen(host)); - gnutls_certificate_allocate_credentials(&c->cred); - if (c->ca_file) - gnutls_certificate_set_x509_trust_file(c->cred, c->ca_file, GNUTLS_X509_FMT_PEM); -#if GNUTLS_VERSION_MAJOR >= 3 - else - gnutls_certificate_set_x509_system_trust(c->cred); -#endif - gnutls_certificate_set_verify_flags(c->cred, c->verify ? - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0); - if (c->cert_file && c->key_file) { - ret = gnutls_certificate_set_x509_key_file(c->cred, - c->cert_file, c->key_file, - GNUTLS_X509_FMT_PEM); - if (ret < 0) { - av_log(h, AV_LOG_ERROR, - "Unable to set cert/key files %s and %s: %s\n", - c->cert_file, c->key_file, gnutls_strerror(ret)); - ret = AVERROR(EIO); - goto fail; - } - } - gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, c->cred); - gnutls_transport_set_pull_function(c->session, gnutls_url_pull); - gnutls_transport_set_push_function(c->session, gnutls_url_push); - gnutls_transport_set_ptr(c->session, c->tcp); - gnutls_priority_set_direct(c->session, "NORMAL", NULL); - ret = gnutls_handshake(c->session); - if (ret) { - ret = print_tls_error(h, ret); - goto fail; - } - if (c->verify) { - unsigned int status, cert_list_size; - gnutls_x509_crt_t cert; - const gnutls_datum_t *cert_list; - if ((ret = gnutls_certificate_verify_peers2(c->session, &status)) < 0) { - av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n", - gnutls_strerror(ret)); - ret = AVERROR(EIO); - goto fail; - } - if (status & GNUTLS_CERT_INVALID) { - av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n"); - ret = AVERROR(EIO); - goto fail; - } - if (gnutls_certificate_type_get(c->session) != GNUTLS_CRT_X509) { - av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n"); - ret = AVERROR(EIO); - goto fail; - } - gnutls_x509_crt_init(&cert); - cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size); - gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER); - ret = gnutls_x509_crt_check_hostname(cert, host); - gnutls_x509_crt_deinit(cert); - if (!ret) { - av_log(h, AV_LOG_ERROR, - "The certificate's owner does not match hostname %s\n", host); - ret = AVERROR(EIO); - goto fail; - } - } -#elif CONFIG_OPENSSL - c->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); - if (!c->ctx) { - av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); - ret = AVERROR(EIO); - goto fail; - } - if (c->ca_file) - SSL_CTX_load_verify_locations(c->ctx, c->ca_file, NULL); - if (c->cert_file && !SSL_CTX_use_certificate_chain_file(c->ctx, c->cert_file)) { - av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n", - c->cert_file, ERR_error_string(ERR_get_error(), NULL)); - ret = AVERROR(EIO); - goto fail; - } - if (c->key_file && !SSL_CTX_use_PrivateKey_file(c->ctx, c->key_file, SSL_FILETYPE_PEM)) { - av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n", - c->key_file, ERR_error_string(ERR_get_error(), NULL)); - ret = AVERROR(EIO); - goto fail; - } - // Note, this doesn't check that the peer certificate actually matches - // the requested hostname. - if (c->verify) - SSL_CTX_set_verify(c->ctx, SSL_VERIFY_PEER, NULL); - c->ssl = SSL_new(c->ctx); - if (!c->ssl) { - av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); - ret = AVERROR(EIO); - goto fail; - } - bio = BIO_new(&url_bio_method); - bio->ptr = c->tcp; - SSL_set_bio(c->ssl, bio, bio); - if (!c->listen && !numerichost) - SSL_set_tlsext_host_name(c->ssl, host); - ret = c->listen ? SSL_accept(c->ssl) : SSL_connect(c->ssl); - if (ret == 0) { - av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n"); - ret = AVERROR(EIO); - goto fail; - } else if (ret < 0) { - ret = print_tls_error(h, ret); - goto fail; - } -#endif - return 0; -fail: - TLS_free(c); - if (c->tcp) - ffurl_close(c->tcp); - ff_tls_deinit(); - return ret; -} - -static int tls_read(URLContext *h, uint8_t *buf, int size) -{ - TLSContext *c = h->priv_data; - int ret = TLS_read(c, buf, size); - if (ret > 0) - return ret; - if (ret == 0) - return AVERROR_EOF; - return print_tls_error(h, ret); + return ffurl_open(&c->tcp, buf, AVIO_FLAG_READ_WRITE, + &parent->interrupt_callback, options); } - -static int tls_write(URLContext *h, const uint8_t *buf, int size) -{ - TLSContext *c = h->priv_data; - int ret = TLS_write(c, buf, size); - if (ret > 0) - return ret; - if (ret == 0) - return AVERROR_EOF; - return print_tls_error(h, ret); -} - -static int tls_close(URLContext *h) -{ - TLSContext *c = h->priv_data; - TLS_shutdown(c); - TLS_free(c); - ffurl_close(c->tcp); - ff_tls_deinit(); - return 0; -} - -URLProtocol ff_tls_protocol = { - .name = "tls", - .url_open2 = tls_open, - .url_read = tls_read, - .url_write = tls_write, - .url_close = tls_close, - .priv_data_size = sizeof(TLSContext), - .flags = URL_PROTOCOL_FLAG_NETWORK, - .priv_data_class = &tls_class, -}; diff --git a/libavformat/tls.h b/libavformat/tls.h new file mode 100644 index 0000000000..cf5aadb4d9 --- /dev/null +++ b/libavformat/tls.h @@ -0,0 +1,54 @@ +/* + * TLS/SSL Protocol + * Copyright (c) 2011 Martin Storsjo + * + * This file is part of Libav. + * + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * Libav is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef AVFORMAT_TLS_H +#define AVFORMAT_TLS_H + +#include "config.h" +#include "url.h" +#include "libavutil/opt.h" + +#define CONFIG_TLS_PROTOCOL (CONFIG_TLS_GNUTLS_PROTOCOL | CONFIG_TLS_OPENSSL_PROTOCOL) + +typedef struct TLSShared { + char *ca_file; + int verify; + char *cert_file; + char *key_file; + int listen; + + char host[200]; + int numerichost; + + URLContext *tcp; +} TLSShared; + +#define TLS_OPTFL (AV_OPT_FLAG_DECODING_PARAM | AV_OPT_FLAG_ENCODING_PARAM) +#define TLS_COMMON_OPTIONS(pstruct, options_field) \ + {"ca_file", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ + {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \ + {"cert_file", "Certificate file", offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ + {"key_file", "Private key file", offsetof(pstruct, options_field . key_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ + {"listen", "Listen for incoming connections", offsetof(pstruct, options_field . listen), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL } + +int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options); + +#endif /* AVFORMAT_TLS_H */ diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c new file mode 100644 index 0000000000..e8037fa44e --- /dev/null +++ b/libavformat/tls_gnutls.c @@ -0,0 +1,228 @@ +/* + * TLS/SSL Protocol + * Copyright (c) 2011 Martin Storsjo + * + * This file is part of Libav. + * + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * Libav is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include +#include + +#include "avformat.h" +#include "internal.h" +#include "network.h" +#include "os_support.h" +#include "url.h" +#include "tls.h" +#include "libavutil/avstring.h" +#include "libavutil/opt.h" +#include "libavutil/parseutils.h" + +typedef struct TLSContext { + const AVClass *class; + TLSShared tls_shared; + gnutls_session_t session; + gnutls_certificate_credentials_t cred; + int need_shutdown; +} TLSContext; + +static int print_tls_error(URLContext *h, int ret) +{ + switch (ret) { + case GNUTLS_E_AGAIN: + case GNUTLS_E_INTERRUPTED: + break; + case GNUTLS_E_WARNING_ALERT_RECEIVED: + av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret)); + break; + default: + av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret)); + break; + } + return AVERROR(EIO); +} + +static int tls_close(URLContext *h) +{ + TLSContext *c = h->priv_data; + if (c->need_shutdown) + gnutls_bye(c->session, GNUTLS_SHUT_RDWR); + if (c->session) + gnutls_deinit(c->session); + if (c->cred) + gnutls_certificate_free_credentials(c->cred); + if (c->tls_shared.tcp) + ffurl_close(c->tls_shared.tcp); + ff_tls_deinit(); + return 0; +} + +static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport, + void *buf, size_t len) +{ + URLContext *h = (URLContext*) transport; + int ret = ffurl_read(h, buf, len); + if (ret >= 0) + return ret; + if (ret == AVERROR_EXIT) + return 0; + errno = EIO; + return -1; +} + +static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport, + const void *buf, size_t len) +{ + URLContext *h = (URLContext*) transport; + int ret = ffurl_write(h, buf, len); + if (ret >= 0) + return ret; + if (ret == AVERROR_EXIT) + return 0; + errno = EIO; + return -1; +} + +static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options) +{ + TLSContext *p = h->priv_data; + TLSShared *c = &p->tls_shared; + int ret; + + ff_tls_init(); + + if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) + goto fail; + + gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT); + if (!c->listen && !c->numerichost) + gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host)); + gnutls_certificate_allocate_credentials(&p->cred); + if (c->ca_file) + gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM); +#if GNUTLS_VERSION_MAJOR >= 3 + else + gnutls_certificate_set_x509_system_trust(p->cred); +#endif + gnutls_certificate_set_verify_flags(p->cred, c->verify ? + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0); + if (c->cert_file && c->key_file) { + ret = gnutls_certificate_set_x509_key_file(p->cred, + c->cert_file, c->key_file, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + av_log(h, AV_LOG_ERROR, + "Unable to set cert/key files %s and %s: %s\n", + c->cert_file, c->key_file, gnutls_strerror(ret)); + ret = AVERROR(EIO); + goto fail; + } + } + gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred); + gnutls_transport_set_pull_function(p->session, gnutls_url_pull); + gnutls_transport_set_push_function(p->session, gnutls_url_push); + gnutls_transport_set_ptr(p->session, c->tcp); + gnutls_priority_set_direct(p->session, "NORMAL", NULL); + ret = gnutls_handshake(p->session); + if (ret) { + ret = print_tls_error(h, ret); + goto fail; + } + p->need_shutdown = 1; + if (c->verify) { + unsigned int status, cert_list_size; + gnutls_x509_crt_t cert; + const gnutls_datum_t *cert_list; + if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) { + av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n", + gnutls_strerror(ret)); + ret = AVERROR(EIO); + goto fail; + } + if (status & GNUTLS_CERT_INVALID) { + av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n"); + ret = AVERROR(EIO); + goto fail; + } + if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) { + av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n"); + ret = AVERROR(EIO); + goto fail; + } + gnutls_x509_crt_init(&cert); + cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size); + gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER); + ret = gnutls_x509_crt_check_hostname(cert, c->host); + gnutls_x509_crt_deinit(cert); + if (!ret) { + av_log(h, AV_LOG_ERROR, + "The certificate's owner does not match hostname %s\n", c->host); + ret = AVERROR(EIO); + goto fail; + } + } + + return 0; +fail: + tls_close(h); + return ret; +} + +static int tls_read(URLContext *h, uint8_t *buf, int size) +{ + TLSContext *c = h->priv_data; + int ret = gnutls_record_recv(c->session, buf, size); + if (ret > 0) + return ret; + if (ret == 0) + return AVERROR_EOF; + return print_tls_error(h, ret); +} + +static int tls_write(URLContext *h, const uint8_t *buf, int size) +{ + TLSContext *c = h->priv_data; + int ret = gnutls_record_send(c->session, buf, size); + if (ret > 0) + return ret; + if (ret == 0) + return AVERROR_EOF; + return print_tls_error(h, ret); +} + +static const AVOption options[] = { + TLS_COMMON_OPTIONS(TLSContext, tls_shared), + { NULL } +}; + +static const AVClass tls_class = { + .class_name = "tls", + .item_name = av_default_item_name, + .option = options, + .version = LIBAVUTIL_VERSION_INT, +}; + +URLProtocol ff_tls_gnutls_protocol = { + .name = "tls", + .url_open2 = tls_open, + .url_read = tls_read, + .url_write = tls_write, + .url_close = tls_close, + .priv_data_size = sizeof(TLSContext), + .flags = URL_PROTOCOL_FLAG_NETWORK, + .priv_data_class = &tls_class, +}; diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c new file mode 100644 index 0000000000..0fc4122394 --- /dev/null +++ b/libavformat/tls_openssl.c @@ -0,0 +1,233 @@ +/* + * TLS/SSL Protocol + * Copyright (c) 2011 Martin Storsjo + * + * This file is part of Libav. + * + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * Libav is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "avformat.h" +#include "internal.h" +#include "network.h" +#include "os_support.h" +#include "url.h" +#include "tls.h" +#include "libavutil/avstring.h" +#include "libavutil/opt.h" +#include "libavutil/parseutils.h" + +#include +#include +#include + +typedef struct TLSContext { + const AVClass *class; + TLSShared tls_shared; + SSL_CTX *ctx; + SSL *ssl; +} TLSContext; + +static int print_tls_error(URLContext *h, int ret) +{ + av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); + return AVERROR(EIO); +} + +static int tls_close(URLContext *h) +{ + TLSContext *c = h->priv_data; + if (c->ssl) { + SSL_shutdown(c->ssl); + SSL_free(c->ssl); + } + if (c->ctx) + SSL_CTX_free(c->ctx); + if (c->tls_shared.tcp) + ffurl_close(c->tls_shared.tcp); + ff_tls_deinit(); + return 0; +} + +static int url_bio_create(BIO *b) +{ + b->init = 1; + b->ptr = NULL; + b->flags = 0; + return 1; +} + +static int url_bio_destroy(BIO *b) +{ + return 1; +} + +static int url_bio_bread(BIO *b, char *buf, int len) +{ + URLContext *h = b->ptr; + int ret = ffurl_read(h, buf, len); + if (ret >= 0) + return ret; + BIO_clear_retry_flags(b); + if (ret == AVERROR_EXIT) + return 0; + return -1; +} + +static int url_bio_bwrite(BIO *b, const char *buf, int len) +{ + URLContext *h = b->ptr; + int ret = ffurl_write(h, buf, len); + if (ret >= 0) + return ret; + BIO_clear_retry_flags(b); + if (ret == AVERROR_EXIT) + return 0; + return -1; +} + +static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr) +{ + if (cmd == BIO_CTRL_FLUSH) { + BIO_clear_retry_flags(b); + return 1; + } + return 0; +} + +static int url_bio_bputs(BIO *b, const char *str) +{ + return url_bio_bwrite(b, str, strlen(str)); +} + +static BIO_METHOD url_bio_method = { + .type = BIO_TYPE_SOURCE_SINK, + .name = "urlprotocol bio", + .bwrite = url_bio_bwrite, + .bread = url_bio_bread, + .bputs = url_bio_bputs, + .bgets = NULL, + .ctrl = url_bio_ctrl, + .create = url_bio_create, + .destroy = url_bio_destroy, +}; + +static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options) +{ + TLSContext *p = h->priv_data; + TLSShared *c = &p->tls_shared; + BIO *bio; + int ret; + + ff_tls_init(); + + if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) + goto fail; + + p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); + if (!p->ctx) { + av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); + ret = AVERROR(EIO); + goto fail; + } + if (c->ca_file) + SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL); + if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) { + av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n", + c->cert_file, ERR_error_string(ERR_get_error(), NULL)); + ret = AVERROR(EIO); + goto fail; + } + if (c->key_file && !SSL_CTX_use_PrivateKey_file(p->ctx, c->key_file, SSL_FILETYPE_PEM)) { + av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n", + c->key_file, ERR_error_string(ERR_get_error(), NULL)); + ret = AVERROR(EIO); + goto fail; + } + // Note, this doesn't check that the peer certificate actually matches + // the requested hostname. + if (c->verify) + SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER, NULL); + p->ssl = SSL_new(p->ctx); + if (!p->ssl) { + av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); + ret = AVERROR(EIO); + goto fail; + } + bio = BIO_new(&url_bio_method); + bio->ptr = c->tcp; + SSL_set_bio(p->ssl, bio, bio); + if (!c->listen && !c->numerichost) + SSL_set_tlsext_host_name(p->ssl, c->host); + ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl); + if (ret == 0) { + av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n"); + ret = AVERROR(EIO); + goto fail; + } else if (ret < 0) { + ret = print_tls_error(h, ret); + goto fail; + } + + return 0; +fail: + tls_close(h); + return ret; +} + +static int tls_read(URLContext *h, uint8_t *buf, int size) +{ + TLSContext *c = h->priv_data; + int ret = SSL_read(c->ssl, buf, size); + if (ret > 0) + return ret; + if (ret == 0) + return AVERROR_EOF; + return print_tls_error(h, ret); +} + +static int tls_write(URLContext *h, const uint8_t *buf, int size) +{ + TLSContext *c = h->priv_data; + int ret = SSL_write(c->ssl, buf, size); + if (ret > 0) + return ret; + if (ret == 0) + return AVERROR_EOF; + return print_tls_error(h, ret); +} + +static const AVOption options[] = { + TLS_COMMON_OPTIONS(TLSContext, tls_shared), + { NULL } +}; + +static const AVClass tls_class = { + .class_name = "tls", + .item_name = av_default_item_name, + .option = options, + .version = LIBAVUTIL_VERSION_INT, +}; + +URLProtocol ff_tls_openssl_protocol = { + .name = "tls", + .url_open2 = tls_open, + .url_read = tls_read, + .url_write = tls_write, + .url_close = tls_close, + .priv_data_size = sizeof(TLSContext), + .flags = URL_PROTOCOL_FLAG_NETWORK, + .priv_data_class = &tls_class, +}; -- cgit v1.2.3