diff options
author | wm4 <nfxjfg@googlemail.com> | 2015-05-26 19:25:41 +0200 |
---|---|---|
committer | Martin Storsjö <martin@martin.st> | 2015-05-26 21:48:32 +0300 |
commit | d8ffb2055f0e0fcb5d025bab72eb19c2a886c125 (patch) | |
tree | 9769a4538d60f880e6d55af599e18da77904a534 /libavformat/tls.c | |
parent | cf1f3d837e1266034a487de5b575bd76426c6b10 (diff) | |
download | ffmpeg-d8ffb2055f0e0fcb5d025bab72eb19c2a886c125.tar.gz |
lavf: split tls.c
Move the OpenSSL and GnuTLS implementations to their own files. Other
than the connection code (including options) and some boilerplate, no
code is actually shared.
Signed-off-by: Martin Storsjö <martin@martin.st>
Diffstat (limited to 'libavformat/tls.c')
-rw-r--r-- | libavformat/tls.c | 375 |
1 files changed, 14 insertions, 361 deletions
diff --git a/libavformat/tls.c b/libavformat/tls.c index 00fe876a42..eee3fc3d7d 100644 --- a/libavformat/tls.c +++ b/libavformat/tls.c @@ -20,209 +20,28 @@ */ #include "avformat.h" +#include "internal.h" +#include "network.h" +#include "os_support.h" #include "url.h" +#include "tls.h" #include "libavutil/avstring.h" #include "libavutil/opt.h" #include "libavutil/parseutils.h" -#if CONFIG_GNUTLS -#include <gnutls/gnutls.h> -#include <gnutls/x509.h> -#define TLS_read(c, buf, size) gnutls_record_recv(c->session, buf, size) -#define TLS_write(c, buf, size) gnutls_record_send(c->session, buf, size) -#define TLS_shutdown(c) gnutls_bye(c->session, GNUTLS_SHUT_RDWR) -#define TLS_free(c) do { \ - if (c->session) \ - gnutls_deinit(c->session); \ - if (c->cred) \ - gnutls_certificate_free_credentials(c->cred); \ - } while (0) - -static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport, - void *buf, size_t len) -{ - URLContext *h = (URLContext*) transport; - int ret = ffurl_read(h, buf, len); - if (ret >= 0) - return ret; - if (ret == AVERROR_EXIT) - return 0; - errno = EIO; - return -1; -} -static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport, - const void *buf, size_t len) -{ - URLContext *h = (URLContext*) transport; - int ret = ffurl_write(h, buf, len); - if (ret >= 0) - return ret; - if (ret == AVERROR_EXIT) - return 0; - errno = EIO; - return -1; -} -#elif CONFIG_OPENSSL -#include <openssl/bio.h> -#include <openssl/ssl.h> -#include <openssl/err.h> -#define TLS_read(c, buf, size) SSL_read(c->ssl, buf, size) -#define TLS_write(c, buf, size) SSL_write(c->ssl, buf, size) -#define TLS_shutdown(c) SSL_shutdown(c->ssl) -#define TLS_free(c) do { \ - if (c->ssl) \ - SSL_free(c->ssl); \ - if (c->ctx) \ - SSL_CTX_free(c->ctx); \ - } while (0) - -static int url_bio_create(BIO *b) -{ - b->init = 1; - b->ptr = NULL; - b->flags = 0; - return 1; -} - -static int url_bio_destroy(BIO *b) -{ - return 1; -} - -static int url_bio_bread(BIO *b, char *buf, int len) -{ - URLContext *h = b->ptr; - int ret = ffurl_read(h, buf, len); - if (ret >= 0) - return ret; - BIO_clear_retry_flags(b); - if (ret == AVERROR_EXIT) - return 0; - return -1; -} - -static int url_bio_bwrite(BIO *b, const char *buf, int len) -{ - URLContext *h = b->ptr; - int ret = ffurl_write(h, buf, len); - if (ret >= 0) - return ret; - BIO_clear_retry_flags(b); - if (ret == AVERROR_EXIT) - return 0; - return -1; -} -static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr) +int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options) { - if (cmd == BIO_CTRL_FLUSH) { - BIO_clear_retry_flags(b); - return 1; - } - return 0; -} - -static int url_bio_bputs(BIO *b, const char *str) -{ - return url_bio_bwrite(b, str, strlen(str)); -} - -static BIO_METHOD url_bio_method = { - .type = BIO_TYPE_SOURCE_SINK, - .name = "urlprotocol bio", - .bwrite = url_bio_bwrite, - .bread = url_bio_bread, - .bputs = url_bio_bputs, - .bgets = NULL, - .ctrl = url_bio_ctrl, - .create = url_bio_create, - .destroy = url_bio_destroy, -}; - -#endif -#include "network.h" -#include "os_support.h" -#include "internal.h" -#if HAVE_POLL_H -#include <poll.h> -#endif - -typedef struct TLSContext { - const AVClass *class; - URLContext *tcp; -#if CONFIG_GNUTLS - gnutls_session_t session; - gnutls_certificate_credentials_t cred; -#elif CONFIG_OPENSSL - SSL_CTX *ctx; - SSL *ssl; -#endif - char *ca_file; - int verify; - char *cert_file; - char *key_file; - int listen; -} TLSContext; - -#define OFFSET(x) offsetof(TLSContext, x) -#define D AV_OPT_FLAG_DECODING_PARAM -#define E AV_OPT_FLAG_ENCODING_PARAM -static const AVOption options[] = { - {"ca_file", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, .flags = D|E }, - {"tls_verify", "Verify the peer certificate", OFFSET(verify), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E }, - {"cert_file", "Certificate file", OFFSET(cert_file), AV_OPT_TYPE_STRING, .flags = D|E }, - {"key_file", "Private key file", OFFSET(key_file), AV_OPT_TYPE_STRING, .flags = D|E }, - {"listen", "Listen for incoming connections", OFFSET(listen), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E }, - { NULL } -}; - -static const AVClass tls_class = { - .class_name = "tls", - .item_name = av_default_item_name, - .option = options, - .version = LIBAVUTIL_VERSION_INT, -}; - -static int print_tls_error(URLContext *h, int ret) -{ -#if CONFIG_GNUTLS - switch (ret) { - case GNUTLS_E_AGAIN: - case GNUTLS_E_INTERRUPTED: - break; - case GNUTLS_E_WARNING_ALERT_RECEIVED: - av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret)); - break; - default: - av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret)); - break; - } -#elif CONFIG_OPENSSL - av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); -#endif - return AVERROR(EIO); -} - -static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options) -{ - TLSContext *c = h->priv_data; - int ret; int port; const char *p; - char buf[200], host[200], opts[50] = ""; - int numerichost = 0; + char buf[200], opts[50] = ""; struct addrinfo hints = { 0 }, *ai = NULL; const char *proxy_path; int use_proxy; -#if CONFIG_OPENSSL && !CONFIG_GNUTLS - BIO *bio; -#endif - - ff_tls_init(); if (c->listen) snprintf(opts, sizeof(opts), "?listen=1"); - av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port, NULL, 0, uri); + av_url_split(NULL, 0, NULL, 0, c->host, sizeof(c->host), &port, NULL, 0, uri); p = strchr(uri, '?'); @@ -233,16 +52,16 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op c->listen = 1; } - ff_url_join(buf, sizeof(buf), "tcp", NULL, host, port, "%s", p); + ff_url_join(buf, sizeof(buf), "tcp", NULL, c->host, port, "%s", p); hints.ai_flags = AI_NUMERICHOST; - if (!getaddrinfo(host, NULL, &hints, &ai)) { - numerichost = 1; + if (!getaddrinfo(c->host, NULL, &hints, &ai)) { + c->numerichost = 1; freeaddrinfo(ai); } proxy_path = getenv("http_proxy"); - use_proxy = !ff_http_match_no_proxy(getenv("no_proxy"), host) && + use_proxy = !ff_http_match_no_proxy(getenv("no_proxy"), c->host) && proxy_path && av_strstart(proxy_path, "http://", NULL); if (use_proxy) { @@ -251,177 +70,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op av_url_split(NULL, 0, proxy_auth, sizeof(proxy_auth), proxy_host, sizeof(proxy_host), &proxy_port, NULL, 0, proxy_path); - ff_url_join(dest, sizeof(dest), NULL, NULL, host, port, NULL); + ff_url_join(dest, sizeof(dest), NULL, NULL, c->host, port, NULL); ff_url_join(buf, sizeof(buf), "httpproxy", proxy_auth, proxy_host, proxy_port, "/%s", dest); } - ret = ffurl_open(&c->tcp, buf, AVIO_FLAG_READ_WRITE, - &h->interrupt_callback, options); - if (ret) - goto fail; - -#if CONFIG_GNUTLS - gnutls_init(&c->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT); - if (!c->listen && !numerichost) - gnutls_server_name_set(c->session, GNUTLS_NAME_DNS, host, strlen(host)); - gnutls_certificate_allocate_credentials(&c->cred); - if (c->ca_file) - gnutls_certificate_set_x509_trust_file(c->cred, c->ca_file, GNUTLS_X509_FMT_PEM); -#if GNUTLS_VERSION_MAJOR >= 3 - else - gnutls_certificate_set_x509_system_trust(c->cred); -#endif - gnutls_certificate_set_verify_flags(c->cred, c->verify ? - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0); - if (c->cert_file && c->key_file) { - ret = gnutls_certificate_set_x509_key_file(c->cred, - c->cert_file, c->key_file, - GNUTLS_X509_FMT_PEM); - if (ret < 0) { - av_log(h, AV_LOG_ERROR, - "Unable to set cert/key files %s and %s: %s\n", - c->cert_file, c->key_file, gnutls_strerror(ret)); - ret = AVERROR(EIO); - goto fail; - } - } - gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, c->cred); - gnutls_transport_set_pull_function(c->session, gnutls_url_pull); - gnutls_transport_set_push_function(c->session, gnutls_url_push); - gnutls_transport_set_ptr(c->session, c->tcp); - gnutls_priority_set_direct(c->session, "NORMAL", NULL); - ret = gnutls_handshake(c->session); - if (ret) { - ret = print_tls_error(h, ret); - goto fail; - } - if (c->verify) { - unsigned int status, cert_list_size; - gnutls_x509_crt_t cert; - const gnutls_datum_t *cert_list; - if ((ret = gnutls_certificate_verify_peers2(c->session, &status)) < 0) { - av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n", - gnutls_strerror(ret)); - ret = AVERROR(EIO); - goto fail; - } - if (status & GNUTLS_CERT_INVALID) { - av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n"); - ret = AVERROR(EIO); - goto fail; - } - if (gnutls_certificate_type_get(c->session) != GNUTLS_CRT_X509) { - av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n"); - ret = AVERROR(EIO); - goto fail; - } - gnutls_x509_crt_init(&cert); - cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size); - gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER); - ret = gnutls_x509_crt_check_hostname(cert, host); - gnutls_x509_crt_deinit(cert); - if (!ret) { - av_log(h, AV_LOG_ERROR, - "The certificate's owner does not match hostname %s\n", host); - ret = AVERROR(EIO); - goto fail; - } - } -#elif CONFIG_OPENSSL - c->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); - if (!c->ctx) { - av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); - ret = AVERROR(EIO); - goto fail; - } - if (c->ca_file) - SSL_CTX_load_verify_locations(c->ctx, c->ca_file, NULL); - if (c->cert_file && !SSL_CTX_use_certificate_chain_file(c->ctx, c->cert_file)) { - av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n", - c->cert_file, ERR_error_string(ERR_get_error(), NULL)); - ret = AVERROR(EIO); - goto fail; - } - if (c->key_file && !SSL_CTX_use_PrivateKey_file(c->ctx, c->key_file, SSL_FILETYPE_PEM)) { - av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n", - c->key_file, ERR_error_string(ERR_get_error(), NULL)); - ret = AVERROR(EIO); - goto fail; - } - // Note, this doesn't check that the peer certificate actually matches - // the requested hostname. - if (c->verify) - SSL_CTX_set_verify(c->ctx, SSL_VERIFY_PEER, NULL); - c->ssl = SSL_new(c->ctx); - if (!c->ssl) { - av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); - ret = AVERROR(EIO); - goto fail; - } - bio = BIO_new(&url_bio_method); - bio->ptr = c->tcp; - SSL_set_bio(c->ssl, bio, bio); - if (!c->listen && !numerichost) - SSL_set_tlsext_host_name(c->ssl, host); - ret = c->listen ? SSL_accept(c->ssl) : SSL_connect(c->ssl); - if (ret == 0) { - av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n"); - ret = AVERROR(EIO); - goto fail; - } else if (ret < 0) { - ret = print_tls_error(h, ret); - goto fail; - } -#endif - return 0; -fail: - TLS_free(c); - if (c->tcp) - ffurl_close(c->tcp); - ff_tls_deinit(); - return ret; -} - -static int tls_read(URLContext *h, uint8_t *buf, int size) -{ - TLSContext *c = h->priv_data; - int ret = TLS_read(c, buf, size); - if (ret > 0) - return ret; - if (ret == 0) - return AVERROR_EOF; - return print_tls_error(h, ret); + return ffurl_open(&c->tcp, buf, AVIO_FLAG_READ_WRITE, + &parent->interrupt_callback, options); } - -static int tls_write(URLContext *h, const uint8_t *buf, int size) -{ - TLSContext *c = h->priv_data; - int ret = TLS_write(c, buf, size); - if (ret > 0) - return ret; - if (ret == 0) - return AVERROR_EOF; - return print_tls_error(h, ret); -} - -static int tls_close(URLContext *h) -{ - TLSContext *c = h->priv_data; - TLS_shutdown(c); - TLS_free(c); - ffurl_close(c->tcp); - ff_tls_deinit(); - return 0; -} - -URLProtocol ff_tls_protocol = { - .name = "tls", - .url_open2 = tls_open, - .url_read = tls_read, - .url_write = tls_write, - .url_close = tls_close, - .priv_data_size = sizeof(TLSContext), - .flags = URL_PROTOCOL_FLAG_NETWORK, - .priv_data_class = &tls_class, -}; |