1 /*
2 * TLS/SSL Protocol
3 * Copyright (c) 2011 Martin Storsjo
4 *
5 * This file is part of FFmpeg.
6 *
7 * FFmpeg is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * FFmpeg is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with FFmpeg; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include <errno.h>
23
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26
27 #include "avformat.h"
28 #include "internal.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavcodec/internal.h"
34 #include "libavutil/avstring.h"
35 #include "libavutil/opt.h"
36 #include "libavutil/parseutils.h"
37
38 #ifndef GNUTLS_VERSION_NUMBER
39 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
40 #endif
41
42 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
43 #include <gcrypt.h>
44 #include "libavutil/thread.h"
45 GCRY_THREAD_OPTION_PTHREAD_IMPL;
46 #endif
47
48 typedef struct TLSContext {
49 const AVClass *class;
50 TLSShared tls_shared;
51 gnutls_session_t session;
52 gnutls_certificate_credentials_t cred;
53 int need_shutdown;
54 int io_err;
55 } TLSContext;
56
ff_gnutls_init(void)57 void ff_gnutls_init(void)
58 {
59 ff_lock_avformat();
60 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
61 if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
62 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
63 #endif
64 gnutls_global_init();
65 ff_unlock_avformat();
66 }
67
ff_gnutls_deinit(void)68 void ff_gnutls_deinit(void)
69 {
70 ff_lock_avformat();
71 gnutls_global_deinit();
72 ff_unlock_avformat();
73 }
74
print_tls_error(URLContext * h,int ret)75 static int print_tls_error(URLContext *h, int ret)
76 {
77 TLSContext *c = h->priv_data;
78 switch (ret) {
79 case GNUTLS_E_AGAIN:
80 return AVERROR(EAGAIN);
81 case GNUTLS_E_INTERRUPTED:
82 #ifdef GNUTLS_E_PREMATURE_TERMINATION
83 case GNUTLS_E_PREMATURE_TERMINATION:
84 #endif
85 break;
86 case GNUTLS_E_WARNING_ALERT_RECEIVED:
87 av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
88 break;
89 default:
90 av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
91 break;
92 }
93 if (c->io_err) {
94 av_log(h, AV_LOG_ERROR, "IO error: %s\n", av_err2str(c->io_err));
95 ret = c->io_err;
96 c->io_err = 0;
97 return ret;
98 }
99 return AVERROR(EIO);
100 }
101
tls_close(URLContext * h)102 static int tls_close(URLContext *h)
103 {
104 TLSContext *c = h->priv_data;
105 if (c->need_shutdown)
106 gnutls_bye(c->session, GNUTLS_SHUT_WR);
107 if (c->session)
108 gnutls_deinit(c->session);
109 if (c->cred)
110 gnutls_certificate_free_credentials(c->cred);
111 ffurl_closep(&c->tls_shared.tcp);
112 ff_gnutls_deinit();
113 return 0;
114 }
115
gnutls_url_pull(gnutls_transport_ptr_t transport,void * buf,size_t len)116 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
117 void *buf, size_t len)
118 {
119 TLSContext *c = (TLSContext*) transport;
120 int ret = ffurl_read(c->tls_shared.tcp, buf, len);
121 if (ret >= 0)
122 return ret;
123 if (ret == AVERROR_EXIT)
124 return 0;
125 if (ret == AVERROR(EAGAIN)) {
126 errno = EAGAIN;
127 } else {
128 errno = EIO;
129 c->io_err = ret;
130 }
131 return -1;
132 }
133
gnutls_url_push(gnutls_transport_ptr_t transport,const void * buf,size_t len)134 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
135 const void *buf, size_t len)
136 {
137 TLSContext *c = (TLSContext*) transport;
138 int ret = ffurl_write(c->tls_shared.tcp, buf, len);
139 if (ret >= 0)
140 return ret;
141 if (ret == AVERROR_EXIT)
142 return 0;
143 if (ret == AVERROR(EAGAIN)) {
144 errno = EAGAIN;
145 } else {
146 errno = EIO;
147 c->io_err = ret;
148 }
149 return -1;
150 }
151
tls_open(URLContext * h,const char * uri,int flags,AVDictionary ** options)152 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
153 {
154 TLSContext *p = h->priv_data;
155 TLSShared *c = &p->tls_shared;
156 int ret;
157
158 ff_gnutls_init();
159
160 if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
161 goto fail;
162
163 gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
164 if (!c->listen && !c->numerichost)
165 gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));
166 gnutls_certificate_allocate_credentials(&p->cred);
167 if (c->ca_file) {
168 ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
169 if (ret < 0)
170 av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
171 }
172 #if GNUTLS_VERSION_NUMBER >= 0x030020
173 else
174 gnutls_certificate_set_x509_system_trust(p->cred);
175 #endif
176 gnutls_certificate_set_verify_flags(p->cred, c->verify ?
177 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
178 if (c->cert_file && c->key_file) {
179 ret = gnutls_certificate_set_x509_key_file(p->cred,
180 c->cert_file, c->key_file,
181 GNUTLS_X509_FMT_PEM);
182 if (ret < 0) {
183 av_log(h, AV_LOG_ERROR,
184 "Unable to set cert/key files %s and %s: %s\n",
185 c->cert_file, c->key_file, gnutls_strerror(ret));
186 ret = AVERROR(EIO);
187 goto fail;
188 }
189 } else if (c->cert_file || c->key_file)
190 av_log(h, AV_LOG_ERROR, "cert and key required\n");
191 gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
192 gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
193 gnutls_transport_set_push_function(p->session, gnutls_url_push);
194 gnutls_transport_set_ptr(p->session, p);
195 gnutls_set_default_priority(p->session);
196 do {
197 if (ff_check_interrupt(&h->interrupt_callback)) {
198 ret = AVERROR_EXIT;
199 goto fail;
200 }
201
202 ret = gnutls_handshake(p->session);
203 if (gnutls_error_is_fatal(ret)) {
204 ret = print_tls_error(h, ret);
205 goto fail;
206 }
207 } while (ret);
208 p->need_shutdown = 1;
209 if (c->verify) {
210 unsigned int status, cert_list_size;
211 gnutls_x509_crt_t cert;
212 const gnutls_datum_t *cert_list;
213 if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {
214 av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
215 gnutls_strerror(ret));
216 ret = AVERROR(EIO);
217 goto fail;
218 }
219 if (status & GNUTLS_CERT_INVALID) {
220 av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
221 ret = AVERROR(EIO);
222 goto fail;
223 }
224 if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
225 av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
226 ret = AVERROR(EIO);
227 goto fail;
228 }
229 gnutls_x509_crt_init(&cert);
230 cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
231 gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
232 ret = gnutls_x509_crt_check_hostname(cert, c->host);
233 gnutls_x509_crt_deinit(cert);
234 if (!ret) {
235 av_log(h, AV_LOG_ERROR,
236 "The certificate's owner does not match hostname %s\n", c->host);
237 ret = AVERROR(EIO);
238 goto fail;
239 }
240 }
241
242 return 0;
243 fail:
244 tls_close(h);
245 return ret;
246 }
247
tls_read(URLContext * h,uint8_t * buf,int size)248 static int tls_read(URLContext *h, uint8_t *buf, int size)
249 {
250 TLSContext *c = h->priv_data;
251 int ret;
252 // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
253 c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
254 c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
255 ret = gnutls_record_recv(c->session, buf, size);
256 if (ret > 0)
257 return ret;
258 if (ret == 0)
259 return AVERROR_EOF;
260 return print_tls_error(h, ret);
261 }
262
tls_write(URLContext * h,const uint8_t * buf,int size)263 static int tls_write(URLContext *h, const uint8_t *buf, int size)
264 {
265 TLSContext *c = h->priv_data;
266 int ret;
267 // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
268 c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
269 c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
270 ret = gnutls_record_send(c->session, buf, size);
271 if (ret > 0)
272 return ret;
273 if (ret == 0)
274 return AVERROR_EOF;
275 return print_tls_error(h, ret);
276 }
277
tls_get_file_handle(URLContext * h)278 static int tls_get_file_handle(URLContext *h)
279 {
280 TLSContext *c = h->priv_data;
281 return ffurl_get_file_handle(c->tls_shared.tcp);
282 }
283
tls_get_short_seek(URLContext * h)284 static int tls_get_short_seek(URLContext *h)
285 {
286 TLSContext *s = h->priv_data;
287 return ffurl_get_short_seek(s->tls_shared.tcp);
288 }
289
290 static const AVOption options[] = {
291 TLS_COMMON_OPTIONS(TLSContext, tls_shared),
292 { NULL }
293 };
294
295 static const AVClass tls_class = {
296 .class_name = "tls",
297 .item_name = av_default_item_name,
298 .option = options,
299 .version = LIBAVUTIL_VERSION_INT,
300 };
301
302 const URLProtocol ff_tls_protocol = {
303 .name = "tls",
304 .url_open2 = tls_open,
305 .url_read = tls_read,
306 .url_write = tls_write,
307 .url_close = tls_close,
308 .url_get_file_handle = tls_get_file_handle,
309 .url_get_short_seek = tls_get_short_seek,
310 .priv_data_size = sizeof(TLSContext),
311 .flags = URL_PROTOCOL_FLAG_NETWORK,
312 .priv_data_class = &tls_class,
313 };
314