22 #include <mbedtls/certs.h> 23 #include <mbedtls/config.h> 24 #include <mbedtls/ctr_drbg.h> 25 #include <mbedtls/entropy.h> 26 #include <mbedtls/net_sockets.h> 27 #include <mbedtls/platform.h> 28 #include <mbedtls/ssl.h> 29 #include <mbedtls/x509_crt.h> 50 #define OFFSET(x) offsetof(TLSContext, x) 58 mbedtls_x509_crt_free(&tls_ctx->
ca_cert);
59 mbedtls_x509_crt_free(&tls_ctx->
own_cert);
72 return react_on_eagain;
77 return MBEDTLS_ERR_NET_CONN_RESET;
81 return MBEDTLS_ERR_NET_SEND_FAILED;
93 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
106 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
114 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
115 av_log(h,
AV_LOG_ERROR,
"Read of key file failed. Is it actually there, are the access permissions correct?\n");
117 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
120 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
132 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
133 av_log(h,
AV_LOG_ERROR,
"None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
135 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
136 av_log(h,
AV_LOG_ERROR,
"A fatal alert message was received from the peer, has the peer a correct certificate?\n");
138 case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:
139 av_log(h,
AV_LOG_ERROR,
"No CA chain is set, but required to operate. Was the CA correctly set?\n");
141 case MBEDTLS_ERR_NET_CONN_RESET:
153 const char *p = strchr(uri,
'?');
165 uint32_t verify_res_flags;
175 mbedtls_ssl_config_init(&tls_ctx->
ssl_config);
178 mbedtls_x509_crt_init(&tls_ctx->
ca_cert);
179 mbedtls_pk_init(&tls_ctx->
priv_key);
183 if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->
ca_cert, shr->
ca_file)) != 0) {
184 av_log(h,
AV_LOG_ERROR,
"mbedtls_x509_crt_parse_file for CA cert returned %d\n", ret);
191 if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->
own_cert, shr->
cert_file)) != 0) {
192 av_log(h,
AV_LOG_ERROR,
"mbedtls_x509_crt_parse_file for own cert returned %d\n", ret);
199 if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->
priv_key,
209 mbedtls_entropy_func,
216 if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->
ssl_config,
217 shr->
listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
218 MBEDTLS_SSL_TRANSPORT_STREAM,
219 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
224 mbedtls_ssl_conf_authmode(&tls_ctx->
ssl_config,
225 shr->
ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
241 if ((ret = mbedtls_ssl_set_hostname(&tls_ctx->
ssl_context, shr->
host)) != 0) {
251 while ((ret = mbedtls_ssl_handshake(&tls_ctx->
ssl_context)) != 0) {
252 if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
260 if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->
ssl_context)) != 0) {
262 "with the certificate verification, returned flags: %u\n",
264 if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
265 av_log(h,
AV_LOG_ERROR,
"The certificate is not correctly signed by the trusted CA.\n");
280 case MBEDTLS_ERR_SSL_WANT_READ:
281 case MBEDTLS_ERR_SSL_WANT_WRITE:
283 case MBEDTLS_ERR_NET_SEND_FAILED:
284 case MBEDTLS_ERR_NET_RECV_FAILED:
286 case MBEDTLS_ERR_NET_CONN_RESET:
287 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
301 if ((ret = mbedtls_ssl_read(&tls_ctx->
ssl_context, buf, size)) > 0) {
314 if ((ret = mbedtls_ssl_write(&tls_ctx->
ssl_context, buf, size)) > 0) {
350 .priv_data_class = &tls_class,
#define URL_PROTOCOL_FLAG_NETWORK
static int handle_tls_error(URLContext *h, const char *func_name, int ret)
#define AV_LOG_WARNING
Something somehow does not look correct.
#define LIBAVUTIL_VERSION_INT
int ffurl_write(URLContext *h, const unsigned char *buf, int size)
Write size bytes from buf to the resource accessed by h.
mbedtls_ssl_config ssl_config
const char * av_default_item_name(void *ptr)
Return the context name.
static void parse_options(TLSContext *tls_ctxc, const char *uri)
static const AVOption options[]
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len)
static void handle_handshake_error(URLContext *h, int ret)
static int tls_read(URLContext *h, uint8_t *buf, int size)
Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
static int tls_get_file_handle(URLContext *h)
#define AVERROR_EOF
End of file.
int av_find_info_tag(char *arg, int arg_size, const char *tag1, const char *info)
Attempt to find a specific tag in a URL.
static int tls_write(URLContext *h, const uint8_t *buf, int size)
mbedtls_ctr_drbg_context ctr_drbg_context
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
static const AVClass tls_class
static int handle_transport_error(URLContext *h, const char *func_name, int react_on_eagain, int ret)
mbedtls_pk_context priv_key
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
mbedtls_ssl_context ssl_context
mbedtls_x509_crt own_cert
#define TLS_COMMON_OPTIONS(pstruct, options_field)
mbedtls_entropy_context entropy_context
static int tls_close(URLContext *h)
int ffurl_get_file_handle(URLContext *h)
Return the file descriptor associated with this URL.
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
char * av_strdup(const char *s)
Duplicate a string.
Describe the class of an AVClass context structure.
#define flags(name, subs,...)
const URLProtocol ff_tls_protocol
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
static void handle_pk_parse_error(URLContext *h, int ret)
static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
int max_packet_size
if non zero, the stream is packetized with this max packet size
unbuffered private I/O API
Filter the word “frame” indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later.That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another.Frame references ownership and permissions
int ffurl_read(URLContext *h, unsigned char *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf...
1.8.11
