• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2015 Hendrik Leppkes
3  *
4  * This file is part of FFmpeg.
5  *
6  * FFmpeg is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * FFmpeg is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with FFmpeg; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
19  */
20 
21 /** Based on the CURL SChannel module */
22 
23 #include "avformat.h"
24 #include "internal.h"
25 #include "network.h"
26 #include "os_support.h"
27 #include "url.h"
28 #include "tls.h"
29 
30 #define SECURITY_WIN32
31 #include <windows.h>
32 #include <security.h>
33 #include <schnlsp.h>
34 
35 #define SCHANNEL_INITIAL_BUFFER_SIZE   4096
36 #define SCHANNEL_FREE_BUFFER_SIZE      1024
37 
38 /* mingw does not define this symbol */
39 #ifndef SECBUFFER_ALERT
40 #define SECBUFFER_ALERT                17
41 #endif
42 
43 typedef struct TLSContext {
44     const AVClass *class;
45     TLSShared tls_shared;
46 
47     CredHandle cred_handle;
48     TimeStamp cred_timestamp;
49 
50     CtxtHandle ctxt_handle;
51     TimeStamp ctxt_timestamp;
52 
53     ULONG request_flags;
54     ULONG context_flags;
55 
56     uint8_t *enc_buf;
57     int enc_buf_size;
58     int enc_buf_offset;
59 
60     uint8_t *dec_buf;
61     int dec_buf_size;
62     int dec_buf_offset;
63 
64     SecPkgContext_StreamSizes sizes;
65 
66     int connected;
67     int connection_closed;
68     int sspi_close_notify;
69 } TLSContext;
70 
init_sec_buffer(SecBuffer * buffer,unsigned long type,void * data,unsigned long size)71 static void init_sec_buffer(SecBuffer *buffer, unsigned long type,
72                             void *data, unsigned long size)
73 {
74     buffer->cbBuffer   = size;
75     buffer->BufferType = type;
76     buffer->pvBuffer   = data;
77 }
78 
init_sec_buffer_desc(SecBufferDesc * desc,SecBuffer * buffers,unsigned long buffer_count)79 static void init_sec_buffer_desc(SecBufferDesc *desc, SecBuffer *buffers,
80                                  unsigned long buffer_count)
81 {
82     desc->ulVersion = SECBUFFER_VERSION;
83     desc->pBuffers = buffers;
84     desc->cBuffers = buffer_count;
85 }
86 
tls_shutdown_client(URLContext * h)87 static int tls_shutdown_client(URLContext *h)
88 {
89     TLSContext *c = h->priv_data;
90     TLSShared *s = &c->tls_shared;
91     int ret;
92 
93     if (c->connected) {
94         SecBufferDesc BuffDesc;
95         SecBuffer Buffer;
96         SECURITY_STATUS sspi_ret;
97         SecBuffer outbuf;
98         SecBufferDesc outbuf_desc;
99 
100         DWORD dwshut = SCHANNEL_SHUTDOWN;
101         init_sec_buffer(&Buffer, SECBUFFER_TOKEN, &dwshut, sizeof(dwshut));
102         init_sec_buffer_desc(&BuffDesc, &Buffer, 1);
103 
104         sspi_ret = ApplyControlToken(&c->ctxt_handle, &BuffDesc);
105         if (sspi_ret != SEC_E_OK)
106             av_log(h, AV_LOG_ERROR, "ApplyControlToken failed\n");
107 
108         init_sec_buffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
109         init_sec_buffer_desc(&outbuf_desc, &outbuf, 1);
110 
111         sspi_ret = InitializeSecurityContext(&c->cred_handle, &c->ctxt_handle, s->host,
112                                              c->request_flags, 0, 0, NULL, 0, &c->ctxt_handle,
113                                              &outbuf_desc, &c->context_flags, &c->ctxt_timestamp);
114         if (sspi_ret == SEC_E_OK || sspi_ret == SEC_I_CONTEXT_EXPIRED) {
115             ret = ffurl_write(s->tcp, outbuf.pvBuffer, outbuf.cbBuffer);
116             FreeContextBuffer(outbuf.pvBuffer);
117             if (ret < 0 || ret != outbuf.cbBuffer)
118                 av_log(h, AV_LOG_ERROR, "Failed to send close message\n");
119         }
120 
121         c->connected = 0;
122     }
123     return 0;
124 }
125 
tls_close(URLContext * h)126 static int tls_close(URLContext *h)
127 {
128     TLSContext *c = h->priv_data;
129 
130     tls_shutdown_client(h);
131 
132     DeleteSecurityContext(&c->ctxt_handle);
133     FreeCredentialsHandle(&c->cred_handle);
134 
135     av_freep(&c->enc_buf);
136     c->enc_buf_size = c->enc_buf_offset = 0;
137 
138     av_freep(&c->dec_buf);
139     c->dec_buf_size = c->dec_buf_offset = 0;
140 
141     ffurl_closep(&c->tls_shared.tcp);
142     return 0;
143 }
144 
tls_client_handshake_loop(URLContext * h,int initial)145 static int tls_client_handshake_loop(URLContext *h, int initial)
146 {
147     TLSContext *c = h->priv_data;
148     TLSShared *s = &c->tls_shared;
149     SECURITY_STATUS sspi_ret;
150     SecBuffer outbuf[3] = { 0 };
151     SecBufferDesc outbuf_desc;
152     SecBuffer inbuf[2];
153     SecBufferDesc inbuf_desc;
154     int i, ret = 0, read_data = initial;
155 
156     if (c->enc_buf == NULL) {
157         c->enc_buf_offset = 0;
158         ret = av_reallocp(&c->enc_buf, SCHANNEL_INITIAL_BUFFER_SIZE);
159         if (ret < 0)
160             goto fail;
161         c->enc_buf_size = SCHANNEL_INITIAL_BUFFER_SIZE;
162     }
163 
164     if (c->dec_buf == NULL) {
165         c->dec_buf_offset = 0;
166         ret = av_reallocp(&c->dec_buf, SCHANNEL_INITIAL_BUFFER_SIZE);
167         if (ret < 0)
168             goto fail;
169         c->dec_buf_size = SCHANNEL_INITIAL_BUFFER_SIZE;
170     }
171 
172     while (1) {
173         if (c->enc_buf_size - c->enc_buf_offset < SCHANNEL_FREE_BUFFER_SIZE) {
174             c->enc_buf_size = c->enc_buf_offset + SCHANNEL_FREE_BUFFER_SIZE;
175             ret = av_reallocp(&c->enc_buf, c->enc_buf_size);
176             if (ret < 0) {
177                 c->enc_buf_size = c->enc_buf_offset = 0;
178                 goto fail;
179             }
180         }
181 
182         if (read_data) {
183             ret = ffurl_read(c->tls_shared.tcp, c->enc_buf + c->enc_buf_offset,
184                              c->enc_buf_size - c->enc_buf_offset);
185             if (ret < 0) {
186                 av_log(h, AV_LOG_ERROR, "Failed to read handshake response\n");
187                 goto fail;
188             }
189             c->enc_buf_offset += ret;
190         }
191 
192         /* input buffers */
193         init_sec_buffer(&inbuf[0], SECBUFFER_TOKEN, av_malloc(c->enc_buf_offset), c->enc_buf_offset);
194         init_sec_buffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
195         init_sec_buffer_desc(&inbuf_desc, inbuf, 2);
196 
197         if (inbuf[0].pvBuffer == NULL) {
198             av_log(h, AV_LOG_ERROR, "Failed to allocate input buffer\n");
199             ret = AVERROR(ENOMEM);
200             goto fail;
201         }
202 
203         memcpy(inbuf[0].pvBuffer, c->enc_buf, c->enc_buf_offset);
204 
205         /* output buffers */
206         init_sec_buffer(&outbuf[0], SECBUFFER_TOKEN, NULL, 0);
207         init_sec_buffer(&outbuf[1], SECBUFFER_ALERT, NULL, 0);
208         init_sec_buffer(&outbuf[2], SECBUFFER_EMPTY, NULL, 0);
209         init_sec_buffer_desc(&outbuf_desc, outbuf, 3);
210 
211         sspi_ret = InitializeSecurityContext(&c->cred_handle, &c->ctxt_handle, s->host, c->request_flags,
212                                              0, 0, &inbuf_desc, 0, NULL, &outbuf_desc, &c->context_flags,
213                                              &c->ctxt_timestamp);
214         av_freep(&inbuf[0].pvBuffer);
215 
216         if (sspi_ret == SEC_E_INCOMPLETE_MESSAGE) {
217             av_log(h, AV_LOG_DEBUG, "Received incomplete handshake, need more data\n");
218             read_data = 1;
219             continue;
220         }
221 
222         /* remote requests a client certificate - attempt to continue without one anyway */
223         if (sspi_ret == SEC_I_INCOMPLETE_CREDENTIALS &&
224             !(c->request_flags & ISC_REQ_USE_SUPPLIED_CREDS)) {
225             av_log(h, AV_LOG_VERBOSE, "Client certificate has been requested, ignoring\n");
226             c->request_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
227             read_data = 0;
228             continue;
229         }
230 
231         /* continue handshake */
232         if (sspi_ret == SEC_I_CONTINUE_NEEDED || sspi_ret == SEC_E_OK) {
233             for (i = 0; i < 3; i++) {
234                 if (outbuf[i].BufferType == SECBUFFER_TOKEN && outbuf[i].cbBuffer > 0) {
235                     ret = ffurl_write(c->tls_shared.tcp, outbuf[i].pvBuffer, outbuf[i].cbBuffer);
236                     if (ret < 0 || ret != outbuf[i].cbBuffer) {
237                         av_log(h, AV_LOG_VERBOSE, "Failed to send handshake data\n");
238                         ret = AVERROR(EIO);
239                         goto fail;
240                     }
241                 }
242 
243                 if (outbuf[i].pvBuffer != NULL) {
244                     FreeContextBuffer(outbuf[i].pvBuffer);
245                     outbuf[i].pvBuffer = NULL;
246                 }
247             }
248         } else {
249             if (sspi_ret == SEC_E_WRONG_PRINCIPAL)
250                 av_log(h, AV_LOG_ERROR, "SNI or certificate check failed\n");
251             else
252                 av_log(h, AV_LOG_ERROR, "Creating security context failed (0x%lx)\n", sspi_ret);
253             ret = AVERROR_UNKNOWN;
254             goto fail;
255         }
256 
257         if (inbuf[1].BufferType == SECBUFFER_EXTRA && inbuf[1].cbBuffer > 0) {
258             if (c->enc_buf_offset > inbuf[1].cbBuffer) {
259                 memmove(c->enc_buf, (c->enc_buf + c->enc_buf_offset) - inbuf[1].cbBuffer,
260                         inbuf[1].cbBuffer);
261                 c->enc_buf_offset = inbuf[1].cbBuffer;
262                 if (sspi_ret == SEC_I_CONTINUE_NEEDED) {
263                     read_data = 0;
264                     continue;
265                 }
266             }
267         } else {
268             c->enc_buf_offset  = 0;
269         }
270 
271         if (sspi_ret == SEC_I_CONTINUE_NEEDED) {
272             read_data = 1;
273             continue;
274         }
275 
276         break;
277     }
278 
279     return 0;
280 
281 fail:
282     /* free any remaining output data */
283     for (i = 0; i < 3; i++) {
284         if (outbuf[i].pvBuffer != NULL) {
285             FreeContextBuffer(outbuf[i].pvBuffer);
286             outbuf[i].pvBuffer = NULL;
287         }
288     }
289 
290     return ret;
291 }
292 
tls_client_handshake(URLContext * h)293 static int tls_client_handshake(URLContext *h)
294 {
295     TLSContext *c = h->priv_data;
296     TLSShared *s = &c->tls_shared;
297     SecBuffer outbuf;
298     SecBufferDesc outbuf_desc;
299     SECURITY_STATUS sspi_ret;
300     int ret;
301 
302     init_sec_buffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
303     init_sec_buffer_desc(&outbuf_desc, &outbuf, 1);
304 
305     c->request_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
306                        ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
307                        ISC_REQ_STREAM;
308 
309     sspi_ret = InitializeSecurityContext(&c->cred_handle, NULL, s->host, c->request_flags, 0, 0,
310                                          NULL, 0, &c->ctxt_handle, &outbuf_desc, &c->context_flags,
311                                          &c->ctxt_timestamp);
312     if (sspi_ret != SEC_I_CONTINUE_NEEDED) {
313         av_log(h, AV_LOG_ERROR, "Unable to create initial security context (0x%lx)\n", sspi_ret);
314         ret = AVERROR_UNKNOWN;
315         goto fail;
316     }
317 
318     ret = ffurl_write(s->tcp, outbuf.pvBuffer, outbuf.cbBuffer);
319     FreeContextBuffer(outbuf.pvBuffer);
320     if (ret < 0 || ret != outbuf.cbBuffer) {
321         av_log(h, AV_LOG_ERROR, "Failed to send initial handshake data\n");
322         ret = AVERROR(EIO);
323         goto fail;
324     }
325 
326     return tls_client_handshake_loop(h, 1);
327 
328 fail:
329     DeleteSecurityContext(&c->ctxt_handle);
330     return ret;
331 }
332 
tls_open(URLContext * h,const char * uri,int flags,AVDictionary ** options)333 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
334 {
335     TLSContext *c = h->priv_data;
336     TLSShared *s = &c->tls_shared;
337     SECURITY_STATUS sspi_ret;
338     SCHANNEL_CRED schannel_cred = { 0 };
339     int ret;
340 
341     if ((ret = ff_tls_open_underlying(s, h, uri, options)) < 0)
342         goto fail;
343 
344     if (s->listen) {
345         av_log(h, AV_LOG_ERROR, "TLS Listen Sockets with SChannel is not implemented.\n");
346         ret = AVERROR(EINVAL);
347         goto fail;
348     }
349 
350     /* SChannel Options */
351     schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
352 
353     if (s->verify)
354         schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION |
355                                 SCH_CRED_REVOCATION_CHECK_CHAIN;
356     else
357         schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION |
358                                 SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
359                                 SCH_CRED_IGNORE_REVOCATION_OFFLINE;
360 
361     /* Get credential handle */
362     sspi_ret = AcquireCredentialsHandle(NULL, (TCHAR *)UNISP_NAME, SECPKG_CRED_OUTBOUND,
363                                         NULL,  &schannel_cred, NULL, NULL, &c->cred_handle,
364                                         &c->cred_timestamp);
365     if (sspi_ret != SEC_E_OK) {
366         av_log(h, AV_LOG_ERROR, "Unable to acquire security credentials (0x%lx)\n", sspi_ret);
367         ret = AVERROR_UNKNOWN;
368         goto fail;
369     }
370 
371     ret = tls_client_handshake(h);
372     if (ret < 0)
373         goto fail;
374 
375     c->connected = 1;
376 
377     return 0;
378 
379 fail:
380     tls_close(h);
381     return ret;
382 }
383 
tls_read(URLContext * h,uint8_t * buf,int len)384 static int tls_read(URLContext *h, uint8_t *buf, int len)
385 {
386     TLSContext *c = h->priv_data;
387     TLSShared *s = &c->tls_shared;
388     SECURITY_STATUS sspi_ret = SEC_E_OK;
389     SecBuffer inbuf[4];
390     SecBufferDesc inbuf_desc;
391     int size, ret;
392     int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE;
393 
394     /* If we have some left-over data from previous network activity,
395      * return it first in case it is enough. It may contain
396      * data that is required to know whether this connection
397      * is still required or not, esp. in case of HTTP keep-alive
398      * connections. */
399     if (c->dec_buf_offset > 0)
400         goto cleanup;
401 
402     if (c->sspi_close_notify)
403         goto cleanup;
404 
405     if (!c->connection_closed) {
406         size = c->enc_buf_size - c->enc_buf_offset;
407         if (size < SCHANNEL_FREE_BUFFER_SIZE || c->enc_buf_size < min_enc_buf_size) {
408             c->enc_buf_size = c->enc_buf_offset + SCHANNEL_FREE_BUFFER_SIZE;
409             if (c->enc_buf_size < min_enc_buf_size)
410                 c->enc_buf_size = min_enc_buf_size;
411             ret = av_reallocp(&c->enc_buf, c->enc_buf_size);
412             if (ret < 0) {
413                 c->enc_buf_size = c->enc_buf_offset = 0;
414                 return ret;
415             }
416         }
417 
418         ret = ffurl_read(s->tcp, c->enc_buf + c->enc_buf_offset,
419                          c->enc_buf_size - c->enc_buf_offset);
420         if (ret == AVERROR_EOF) {
421             c->connection_closed = 1;
422             ret = 0;
423         } else if (ret < 0) {
424             av_log(h, AV_LOG_ERROR, "Unable to read from socket\n");
425             return ret;
426         }
427 
428         c->enc_buf_offset += ret;
429     }
430 
431     while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK) {
432         /*  input buffer */
433         init_sec_buffer(&inbuf[0], SECBUFFER_DATA, c->enc_buf, c->enc_buf_offset);
434 
435         /* additional buffers for possible output */
436         init_sec_buffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
437         init_sec_buffer(&inbuf[2], SECBUFFER_EMPTY, NULL, 0);
438         init_sec_buffer(&inbuf[3], SECBUFFER_EMPTY, NULL, 0);
439         init_sec_buffer_desc(&inbuf_desc, inbuf, 4);
440 
441         sspi_ret = DecryptMessage(&c->ctxt_handle, &inbuf_desc, 0, NULL);
442         if (sspi_ret == SEC_E_OK || sspi_ret == SEC_I_RENEGOTIATE ||
443             sspi_ret == SEC_I_CONTEXT_EXPIRED) {
444             /* handle decrypted data */
445             if (inbuf[1].BufferType == SECBUFFER_DATA) {
446                 /* grow buffer if needed */
447                 size = inbuf[1].cbBuffer > SCHANNEL_FREE_BUFFER_SIZE ?
448                        inbuf[1].cbBuffer : SCHANNEL_FREE_BUFFER_SIZE;
449                 if (c->dec_buf_size - c->dec_buf_offset < size || c->dec_buf_size < len)  {
450                     c->dec_buf_size = c->dec_buf_offset + size;
451                     if (c->dec_buf_size < len)
452                         c->dec_buf_size = len;
453                     ret = av_reallocp(&c->dec_buf, c->dec_buf_size);
454                     if (ret < 0) {
455                         c->dec_buf_size = c->dec_buf_offset = 0;
456                         return ret;
457                     }
458                 }
459 
460                 /* copy decrypted data to buffer */
461                 size = inbuf[1].cbBuffer;
462                 if (size) {
463                     memcpy(c->dec_buf + c->dec_buf_offset, inbuf[1].pvBuffer, size);
464                     c->dec_buf_offset += size;
465                 }
466             }
467             if (inbuf[3].BufferType == SECBUFFER_EXTRA && inbuf[3].cbBuffer > 0) {
468                 if (c->enc_buf_offset > inbuf[3].cbBuffer) {
469                     memmove(c->enc_buf, (c->enc_buf + c->enc_buf_offset) - inbuf[3].cbBuffer,
470                     inbuf[3].cbBuffer);
471                     c->enc_buf_offset = inbuf[3].cbBuffer;
472                 }
473             } else
474                 c->enc_buf_offset = 0;
475 
476             if (sspi_ret == SEC_I_RENEGOTIATE) {
477                 if (c->enc_buf_offset) {
478                     av_log(h, AV_LOG_ERROR, "Cannot renegotiate, encrypted data buffer not empty\n");
479                     ret = AVERROR_UNKNOWN;
480                     goto cleanup;
481                 }
482 
483                 av_log(h, AV_LOG_VERBOSE, "Re-negotiating security context\n");
484                 ret = tls_client_handshake_loop(h, 0);
485                 if (ret < 0) {
486                     goto cleanup;
487                 }
488                 sspi_ret = SEC_E_OK;
489                 continue;
490             } else if (sspi_ret == SEC_I_CONTEXT_EXPIRED) {
491                 c->sspi_close_notify = 1;
492                 if (!c->connection_closed) {
493                     c->connection_closed = 1;
494                     av_log(h, AV_LOG_VERBOSE, "Server closed the connection\n");
495                 }
496                 ret = 0;
497                 goto cleanup;
498             }
499         } else if (sspi_ret == SEC_E_INCOMPLETE_MESSAGE) {
500             ret = AVERROR(EAGAIN);
501             goto cleanup;
502         } else {
503             av_log(h, AV_LOG_ERROR, "Unable to decrypt message (error 0x%x)\n", (unsigned)sspi_ret);
504             ret = AVERROR(EIO);
505             goto cleanup;
506         }
507     }
508 
509     ret = 0;
510 
511 cleanup:
512     size = FFMIN(len, c->dec_buf_offset);
513     if (size) {
514         memcpy(buf, c->dec_buf, size);
515         memmove(c->dec_buf, c->dec_buf + size, c->dec_buf_offset - size);
516         c->dec_buf_offset -= size;
517 
518         return size;
519     }
520 
521     if (ret == 0 && !c->connection_closed)
522         ret = AVERROR(EAGAIN);
523 
524     return ret < 0 ? ret : AVERROR_EOF;
525 }
526 
tls_write(URLContext * h,const uint8_t * buf,int len)527 static int tls_write(URLContext *h, const uint8_t *buf, int len)
528 {
529     TLSContext *c = h->priv_data;
530     TLSShared *s = &c->tls_shared;
531     SECURITY_STATUS sspi_ret;
532     int ret = 0, data_size;
533     uint8_t *data = NULL;
534     SecBuffer outbuf[4];
535     SecBufferDesc outbuf_desc;
536 
537     if (c->sizes.cbMaximumMessage == 0) {
538         sspi_ret = QueryContextAttributes(&c->ctxt_handle, SECPKG_ATTR_STREAM_SIZES, &c->sizes);
539         if (sspi_ret != SEC_E_OK)
540             return AVERROR_UNKNOWN;
541     }
542 
543     /* limit how much data we can consume */
544     len = FFMIN(len, c->sizes.cbMaximumMessage);
545 
546     data_size = c->sizes.cbHeader + len + c->sizes.cbTrailer;
547     data = av_malloc(data_size);
548     if (data == NULL)
549         return AVERROR(ENOMEM);
550 
551     init_sec_buffer(&outbuf[0], SECBUFFER_STREAM_HEADER,
552                   data, c->sizes.cbHeader);
553     init_sec_buffer(&outbuf[1], SECBUFFER_DATA,
554                   data + c->sizes.cbHeader, len);
555     init_sec_buffer(&outbuf[2], SECBUFFER_STREAM_TRAILER,
556                   data + c->sizes.cbHeader + len,
557                   c->sizes.cbTrailer);
558     init_sec_buffer(&outbuf[3], SECBUFFER_EMPTY, NULL, 0);
559     init_sec_buffer_desc(&outbuf_desc, outbuf, 4);
560 
561     memcpy(outbuf[1].pvBuffer, buf, len);
562 
563     sspi_ret = EncryptMessage(&c->ctxt_handle, 0, &outbuf_desc, 0);
564     if (sspi_ret == SEC_E_OK)  {
565         len = outbuf[0].cbBuffer + outbuf[1].cbBuffer + outbuf[2].cbBuffer;
566         ret = ffurl_write(s->tcp, data, len);
567         if (ret < 0 || ret != len) {
568             ret = AVERROR(EIO);
569             av_log(h, AV_LOG_ERROR, "Writing encrypted data to socket failed\n");
570             goto done;
571         }
572     } else {
573         av_log(h, AV_LOG_ERROR, "Encrypting data failed\n");
574         if (sspi_ret == SEC_E_INSUFFICIENT_MEMORY)
575             ret = AVERROR(ENOMEM);
576         else
577             ret = AVERROR(EIO);
578         goto done;
579     }
580 
581 done:
582     av_freep(&data);
583     return ret < 0 ? ret : outbuf[1].cbBuffer;
584 }
585 
tls_get_file_handle(URLContext * h)586 static int tls_get_file_handle(URLContext *h)
587 {
588     TLSContext *c = h->priv_data;
589     return ffurl_get_file_handle(c->tls_shared.tcp);
590 }
591 
tls_get_short_seek(URLContext * h)592 static int tls_get_short_seek(URLContext *h)
593 {
594     TLSContext *s = h->priv_data;
595     return ffurl_get_short_seek(s->tls_shared.tcp);
596 }
597 
598 static const AVOption options[] = {
599     TLS_COMMON_OPTIONS(TLSContext, tls_shared),
600     { NULL }
601 };
602 
603 static const AVClass tls_class = {
604     .class_name = "tls",
605     .item_name  = av_default_item_name,
606     .option     = options,
607     .version    = LIBAVUTIL_VERSION_INT,
608 };
609 
610 const URLProtocol ff_tls_protocol = {
611     .name           = "tls",
612     .url_open2      = tls_open,
613     .url_read       = tls_read,
614     .url_write      = tls_write,
615     .url_close      = tls_close,
616     .url_get_file_handle = tls_get_file_handle,
617     .url_get_short_seek  = tls_get_short_seek,
618     .priv_data_size = sizeof(TLSContext),
619     .flags          = URL_PROTOCOL_FLAG_NETWORK,
620     .priv_data_class = &tls_class,
621 };
622