FFmpeg: libavformat/tls_gnutls.c Source File

FFmpeg

[フレーム]

libavformat

tls_gnutls.c

Go to the documentation of this file.

1 /*

2 * TLS/SSL Protocol

4 *

5 * This file is part of FFmpeg.

6 *

7 * FFmpeg is free software; you can redistribute it and/or

8 * modify it under the terms of the GNU Lesser General Public

9 * License as published by the Free Software Foundation; either

10 * version 2.1 of the License, or (at your option) any later version.

11 *

12 * FFmpeg is distributed in the hope that it will be useful,

13 * but WITHOUT ANY WARRANTY; without even the implied warranty of

14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

15 * Lesser General Public License for more details.

16 *

17 * You should have received a copy of the GNU Lesser General Public

18 * License along with FFmpeg; if not, write to the Free Software

19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

20 */

22 #include <errno.h>

24 #include <gnutls/gnutls.h>

25 #include <gnutls/x509.h>

27 #include "avformat.h"

28 #include "internal.h"

29 #include "network.h"

30 #include "os_support.h"

31 #include "url.h"

32 #include "tls.h"

33 #include "libavcodec/internal.h"

34 #include "libavutil/avstring.h"

35 #include "libavutil/opt.h"

36 #include "libavutil/parseutils.h"

38 #ifndef GNUTLS_VERSION_NUMBER

39 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER

40 #endif

42 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00

43 #include <gcrypt.h>

44 #include "libavutil/thread.h"

45 GCRY_THREAD_OPTION_PTHREAD_IMPL;

46 #endif

48 typedef struct TLSContext {

49 const AVClass *class;

50 TLSShared tls_shared;

51 gnutls_session_t session;

52 gnutls_certificate_credentials_t cred;

53 int need_shutdown;

54 int io_err;

55 } TLSContext;

57 void ff_gnutls_init(void)

58 {

59 ff_lock_avformat();

60 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00

61 if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)

62 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);

63 #endif

64 gnutls_global_init();

65 ff_unlock_avformat();

66 }

68 void ff_gnutls_deinit(void)

69 {

70 ff_lock_avformat();

71 gnutls_global_deinit();

72 ff_unlock_avformat();

73 }

75 static int print_tls_error(URLContext *h, int ret)

76 {

77 TLSContext *c = h->priv_data;

78 switch (ret) {

79 case GNUTLS_E_AGAIN:

80 return AVERROR(EAGAIN);

81 case GNUTLS_E_INTERRUPTED:

82 #ifdef GNUTLS_E_PREMATURE_TERMINATION

83 case GNUTLS_E_PREMATURE_TERMINATION:

84 #endif

85 break;

86 case GNUTLS_E_WARNING_ALERT_RECEIVED:

87 av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));

88 break;

89 default:

90 av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));

91 break;

92 }

93 if (c->io_err) {

94 av_log(h, AV_LOG_ERROR, "IO error: %s\n", av_err2str(c->io_err));

95 ret = c->io_err;

96 c->io_err = 0;

97 return ret;

98 }

99 return AVERROR(EIO);

100 }

101

102 static int tls_close(URLContext *h)

103 {

104 TLSContext *c = h->priv_data;

105 if (c->need_shutdown)

106 gnutls_bye(c->session, GNUTLS_SHUT_WR);

107 if (c->session)

108 gnutls_deinit(c->session);

109 if (c->cred)

110 gnutls_certificate_free_credentials(c->cred);

111 ffurl_closep(&c->tls_shared.tcp);

112 ff_gnutls_deinit();

113 return 0;

114 }

115

116 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,

117 void *buf, size_t len)

118 {

119 TLSContext *c = (TLSContext*) transport;

120 int ret = ffurl_read(c->tls_shared.tcp, buf, len);

121 if (ret >= 0)

122 return ret;

123 if (ret == AVERROR_EXIT)

124 return 0;

125 if (ret == AVERROR(EAGAIN)) {

126 errno = EAGAIN;

127 } else {

128 errno = EIO;

129 c->io_err = ret;

130 }

131 return -1;

132 }

133

134 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,

135 const void *buf, size_t len)

136 {

137 TLSContext *c = (TLSContext*) transport;

138 int ret = ffurl_write(c->tls_shared.tcp, buf, len);

139 if (ret >= 0)

140 return ret;

141 if (ret == AVERROR_EXIT)

142 return 0;

143 if (ret == AVERROR(EAGAIN)) {

144 errno = EAGAIN;

145 } else {

146 errno = EIO;

147 c->io_err = ret;

148 }

149 return -1;

150 }

151

152 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)

153 {

154 TLSContext *p = h->priv_data;

155 TLSShared *c = &p->tls_shared;

156 int ret;

157

158 ff_gnutls_init();

159

160 if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)

161 goto fail;

162

163 gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);

164 if (!c->listen && !c->numerichost)

165 gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));

166 gnutls_certificate_allocate_credentials(&p->cred);

167 if (c->ca_file) {

168 ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);

169 if (ret < 0)

170 av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));

171 }

172 #if GNUTLS_VERSION_NUMBER >= 0x030020

173 else

174 gnutls_certificate_set_x509_system_trust(p->cred);

175 #endif

176 gnutls_certificate_set_verify_flags(p->cred, c->verify ?

177 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);

178 if (c->cert_file && c->key_file) {

179 ret = gnutls_certificate_set_x509_key_file(p->cred,

180 c->cert_file, c->key_file,

181 GNUTLS_X509_FMT_PEM);

182 if (ret < 0) {

183 av_log(h, AV_LOG_ERROR,

184 "Unable to set cert/key files %s and %s: %s\n",

185 c->cert_file, c->key_file, gnutls_strerror(ret));

186 ret = AVERROR(EIO);

187 goto fail;

188 }

189 } else if (c->cert_file || c->key_file)

190 av_log(h, AV_LOG_ERROR, "cert and key required\n");

191 gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);

192 gnutls_transport_set_pull_function(p->session, gnutls_url_pull);

193 gnutls_transport_set_push_function(p->session, gnutls_url_push);

194 gnutls_transport_set_ptr(p->session, p);

195 gnutls_set_default_priority(p->session);

196 do {

197 if (ff_check_interrupt(&h->interrupt_callback)) {

198 ret = AVERROR_EXIT;

199 goto fail;

200 }

201

202 ret = gnutls_handshake(p->session);

203 if (gnutls_error_is_fatal(ret)) {

204 ret = print_tls_error(h, ret);

205 goto fail;

206 }

207 } while (ret);

208 p->need_shutdown = 1;

209 if (c->verify) {

210 unsigned int status, cert_list_size;

211 gnutls_x509_crt_t cert;

212 const gnutls_datum_t *cert_list;

213 if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {

214 av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",

215 gnutls_strerror(ret));

216 ret = AVERROR(EIO);

217 goto fail;

218 }

219 if (status & GNUTLS_CERT_INVALID) {

220 av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");

221 ret = AVERROR(EIO);

222 goto fail;

223 }

224 if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {

225 av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");

226 ret = AVERROR(EIO);

227 goto fail;

228 }

229 gnutls_x509_crt_init(&cert);

230 cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);

231 gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);

232 ret = gnutls_x509_crt_check_hostname(cert, c->host);

233 gnutls_x509_crt_deinit(cert);

234 if (!ret) {

235 av_log(h, AV_LOG_ERROR,

236 "The certificate's owner does not match hostname %s\n", c->host);

237 ret = AVERROR(EIO);

238 goto fail;

239 }

240 }

241

242 return 0;

243 fail:

244 tls_close(h);

245 return ret;

246 }

247

248 static int tls_read(URLContext *h, uint8_t *buf, int size)

249 {

250 TLSContext *c = h->priv_data;

251 int ret;

252 // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp

253 c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;

254 c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;

255 ret = gnutls_record_recv(c->session, buf, size);

256 if (ret > 0)

257 return ret;

258 if (ret == 0)

259 return AVERROR_EOF;

260 return print_tls_error(h, ret);

261 }

262

263 static int tls_write(URLContext *h, const uint8_t *buf, int size)

264 {

265 TLSContext *c = h->priv_data;

266 int ret;

267 // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp

268 c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;

269 c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;

270 ret = gnutls_record_send(c->session, buf, size);

271 if (ret > 0)

272 return ret;

273 if (ret == 0)

274 return AVERROR_EOF;

275 return print_tls_error(h, ret);

276 }

277

278 static int tls_get_file_handle(URLContext *h)

279 {

280 TLSContext *c = h->priv_data;

281 return ffurl_get_file_handle(c->tls_shared.tcp);

282 }

283

284 static int tls_get_short_seek(URLContext *h)

285 {

286 TLSContext *s = h->priv_data;

287 return ffurl_get_short_seek(s->tls_shared.tcp);

288 }

289

290 static const AVOption options[] = {

291 TLS_COMMON_OPTIONS(TLSContext, tls_shared),

292 { NULL }

293 };

294

295 static const AVClass tls_class = {

296 .class_name = "tls",

297 .item_name = av_default_item_name,

298 .option = options,

299 .version = LIBAVUTIL_VERSION_INT,

300 };

301

302 const URLProtocol ff_tls_protocol = {

303 .name = "tls",

304 .url_open2 = tls_open,

305 .url_read = tls_read,

306 .url_write = tls_write,

307 .url_close = tls_close,

308 .url_get_file_handle = tls_get_file_handle,

309 .url_get_short_seek = tls_get_short_seek,

310 .priv_data_size = sizeof(TLSContext),

311 .flags = URL_PROTOCOL_FLAG_NETWORK,

312 .priv_data_class = &tls_class,

313 };

ff_gnutls_init

void ff_gnutls_init(void)

Definition: tls_gnutls.c:57

AV_LOG_WARNING

#define AV_LOG_WARNING

Something somehow does not look correct.

Definition: log.h:186

TLSContext

Definition: tls_gnutls.c:48

status

they must not be accessed directly The fifo field contains the frames that are queued in the input for processing by the filter The status_in and status_out fields contains the queued status(EOF or error) of the link

AVERROR

Filter the word "frame" indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later. That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another. Frame references ownership and permissions

opt.h

URL_PROTOCOL_FLAG_NETWORK

#define URL_PROTOCOL_FLAG_NETWORK

Definition: url.h:33

gnutls_url_pull

static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport, void *buf, size_t len)

Definition: tls_gnutls.c:116

thread.h

AVERROR_EOF

#define AVERROR_EOF

End of file.

Definition: error.h:57

internal.h

print_tls_error

static int print_tls_error(URLContext *h, int ret)

Definition: tls_gnutls.c:75

AVOption

AVOption.

Definition: opt.h:251

tls_class

static const AVClass tls_class

Definition: tls_gnutls.c:295

tls_write

static int tls_write(URLContext *h, const uint8_t *buf, int size)

Definition: tls_gnutls.c:263

AVDictionary

Definition: dict.c:30

URLProtocol

Definition: url.h:53

os_support.h

ff_unlock_avformat

int ff_unlock_avformat(void)

Definition: utils.c:53

TLSContext::cred

gnutls_certificate_credentials_t cred

Definition: tls_gnutls.c:52

TLS_COMMON_OPTIONS

#define TLS_COMMON_OPTIONS(pstruct, options_field)

Definition: tls.h:46

fail

#define fail()

Definition: checkasm.h:131

ff_check_interrupt

int ff_check_interrupt(AVIOInterruptCB *cb)

Check if the user has requested to interrupt a blocking function associated with cb.

Definition: avio.c:658

tls_open

static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)

Definition: tls_gnutls.c:152

AV_LOG_ERROR

#define AV_LOG_ERROR

Something went wrong and cannot losslessly be recovered.

Definition: log.h:180

#define s(width, name)

Definition: cbs_vp9.c:256

tls_close

static int tls_close(URLContext *h)

Definition: tls_gnutls.c:102

LIBAVUTIL_VERSION_INT

#define LIBAVUTIL_VERSION_INT

Definition: version.h:85

AVClass

Describe the class of an AVClass context structure.

Definition: log.h:66

NULL

#define NULL

Definition: coverity.c:32

av_default_item_name

const char * av_default_item_name(void *ptr)

Return the context name.

Definition: log.c:237

parseutils.h

Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c

Definition: undefined.txt:32

av_err2str

#define av_err2str(errnum)

Convenience macro, the return value should be used only directly in function arguments but never stan...

Definition: error.h:121

size

int size

Definition: twinvq_data.h:10344

TLSContext::tls_shared

TLSShared tls_shared

Definition: tls_gnutls.c:50

URLProtocol::name