FFmpeg
tls_mbedtls.c
Go to the documentation of this file.
1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2018 Thomas Volkert
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include <mbedtls/certs.h>
23 #include <mbedtls/config.h>
24 #include <mbedtls/ctr_drbg.h>
25 #include <mbedtls/entropy.h>
26 #include <mbedtls/net_sockets.h>
27 #include <mbedtls/platform.h>
28 #include <mbedtls/ssl.h>
29 #include <mbedtls/x509_crt.h>
30 
31 #include "avformat.h"
32 #include "internal.h"
33 #include "url.h"
34 #include "tls.h"
35 #include "libavutil/parseutils.h"
36 
37 typedef struct TLSContext {
38  const AVClass *class;
40  mbedtls_ssl_context ssl_context;
41  mbedtls_ssl_config ssl_config;
42  mbedtls_entropy_context entropy_context;
43  mbedtls_ctr_drbg_context ctr_drbg_context;
44  mbedtls_x509_crt ca_cert;
45  mbedtls_x509_crt own_cert;
46  mbedtls_pk_context priv_key;
47  char *priv_key_pw;
48 } TLSContext;
49 
50 #define OFFSET(x) offsetof(TLSContext, x)
51 
52 static int tls_close(URLContext *h)
53 {
54  TLSContext *tls_ctx = h->priv_data;
55 
56  mbedtls_ssl_close_notify(&tls_ctx->ssl_context);
57  mbedtls_pk_free(&tls_ctx->priv_key);
58  mbedtls_x509_crt_free(&tls_ctx->ca_cert);
59  mbedtls_x509_crt_free(&tls_ctx->own_cert);
60  mbedtls_ssl_free(&tls_ctx->ssl_context);
61  mbedtls_ssl_config_free(&tls_ctx->ssl_config);
62  mbedtls_ctr_drbg_free(&tls_ctx->ctr_drbg_context);
63  mbedtls_entropy_free(&tls_ctx->entropy_context);
64 
65  return 0;
66 }
67 
68 static int handle_transport_error(URLContext *h, const char* func_name, int react_on_eagain, int ret)
69 {
70  switch (ret) {
71  case AVERROR(EAGAIN):
72  return react_on_eagain;
73  case AVERROR_EXIT:
74  return 0;
75  case AVERROR(EPIPE):
76  case AVERROR(ECONNRESET):
77  return MBEDTLS_ERR_NET_CONN_RESET;
78  default:
79  av_log(h, AV_LOG_ERROR, "%s returned 0x%x\n", func_name, ret);
80  errno = EIO;
81  return MBEDTLS_ERR_NET_SEND_FAILED;
82  }
83 }
84 
85 static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len)
86 {
87  URLContext *h = (URLContext*) ctx;
88  int ret = ffurl_write(h, buf, len);
89  if (ret >= 0)
90  return ret;
91 
92  if (h->max_packet_size && len > h->max_packet_size)
93  return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
94 
95  return handle_transport_error(h, "ffurl_write", MBEDTLS_ERR_SSL_WANT_WRITE, ret);
96 }
97 
98 static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
99 {
100  URLContext *h = (URLContext*) ctx;
101  int ret = ffurl_read(h, buf, len);
102  if (ret >= 0)
103  return ret;
104 
105  if (h->max_packet_size && len > h->max_packet_size)
106  return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
107 
108  return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);
109 }
110 
112 {
113  switch (ret) {
114  case MBEDTLS_ERR_PK_FILE_IO_ERROR:
115  av_log(h, AV_LOG_ERROR, "Read of key file failed. Is it actually there, are the access permissions correct?\n");
116  break;
117  case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
118  av_log(h, AV_LOG_ERROR, "A password for the private key is missing.\n");
119  break;
120  case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
121  av_log(h, AV_LOG_ERROR, "The given password for the private key is wrong.\n");
122  break;
123  default:
124  av_log(h, AV_LOG_ERROR, "mbedtls_pk_parse_key returned -0x%x\n", -ret);
125  break;
126  }
127 }
128 
130 {
131  switch (ret) {
132  case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
133  av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
134  break;
135  case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
136  av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n");
137  break;
138  case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:
139  av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA correctly set?\n");
140  break;
141  case MBEDTLS_ERR_NET_CONN_RESET:
142  av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");
143  break;
144  default:
145  av_log(h, AV_LOG_ERROR, "mbedtls_ssl_handshake returned -0x%x\n", -ret);
146  break;
147  }
148 }
149 
150 static void parse_options(TLSContext *tls_ctxc, const char *uri)
151 {
152  char buf[1024];
153  const char *p = strchr(uri, '?');
154  if (!p)
155  return;
156 
157  if (!tls_ctxc->priv_key_pw && av_find_info_tag(buf, sizeof(buf), "key_password", p))
158  tls_ctxc->priv_key_pw = av_strdup(buf);
159 }
160 
161 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
162 {
163  TLSContext *tls_ctx = h->priv_data;
164  TLSShared *shr = &tls_ctx->tls_shared;
165  uint32_t verify_res_flags;
166  int ret;
167 
168  // parse additional options
169  parse_options(tls_ctx, uri);
170 
171  if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0)
172  goto fail;
173 
174  mbedtls_ssl_init(&tls_ctx->ssl_context);
175  mbedtls_ssl_config_init(&tls_ctx->ssl_config);
176  mbedtls_entropy_init(&tls_ctx->entropy_context);
177  mbedtls_ctr_drbg_init(&tls_ctx->ctr_drbg_context);
178  mbedtls_x509_crt_init(&tls_ctx->ca_cert);
179  mbedtls_pk_init(&tls_ctx->priv_key);
180 
181  // load trusted CA
182  if (shr->ca_file) {
183  if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) {
184  av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for CA cert returned %d\n", ret);
185  goto fail;
186  }
187  }
188 
189  // load own certificate
190  if (shr->cert_file) {
191  if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->own_cert, shr->cert_file)) != 0) {
192  av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for own cert returned %d\n", ret);
193  goto fail;
194  }
195  }
196 
197  // load key file
198  if (shr->key_file) {
199  if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
200  shr->key_file,
201  tls_ctx->priv_key_pw)) != 0) {
202  handle_pk_parse_error(h, ret);
203  goto fail;
204  }
205  }
206 
207  // seed the random number generator
208  if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context,
209  mbedtls_entropy_func,
210  &tls_ctx->entropy_context,
211  NULL, 0)) != 0) {
212  av_log(h, AV_LOG_ERROR, "mbedtls_ctr_drbg_seed returned %d\n", ret);
213  goto fail;
214  }
215 
216  if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config,
217  shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
218  MBEDTLS_SSL_TRANSPORT_STREAM,
219  MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
220  av_log(h, AV_LOG_ERROR, "mbedtls_ssl_config_defaults returned %d\n", ret);
221  goto fail;
222  }
223 
224  mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
225  shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
226  mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
227  mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
228 
229  // set own certificate and private key
230  if ((ret = mbedtls_ssl_conf_own_cert(&tls_ctx->ssl_config, &tls_ctx->own_cert, &tls_ctx->priv_key)) != 0) {
231  av_log(h, AV_LOG_ERROR, "mbedtls_ssl_conf_own_cert returned %d\n", ret);
232  goto fail;
233  }
234 
235  if ((ret = mbedtls_ssl_setup(&tls_ctx->ssl_context, &tls_ctx->ssl_config)) != 0) {
236  av_log(h, AV_LOG_ERROR, "mbedtls_ssl_setup returned %d\n", ret);
237  goto fail;
238  }
239 
240  if (!shr->listen && !shr->numerichost) {
241  if ((ret = mbedtls_ssl_set_hostname(&tls_ctx->ssl_context, shr->host)) != 0) {
242  av_log(h, AV_LOG_ERROR, "mbedtls_ssl_set_hostname returned %d\n", ret);
243  goto fail;
244  }
245  }
246 
247  // set I/O functions to use FFmpeg internal code for transport layer
248  mbedtls_ssl_set_bio(&tls_ctx->ssl_context, shr->tcp, mbedtls_send, mbedtls_recv, NULL);
249 
250  // ssl handshake
251  while ((ret = mbedtls_ssl_handshake(&tls_ctx->ssl_context)) != 0) {
252  if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
253  handle_handshake_error(h, ret);
254  goto fail;
255  }
256  }
257 
258  if (shr->verify) {
259  // check the result of the certificate verification
260  if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->ssl_context)) != 0) {
261  av_log(h, AV_LOG_ERROR, "mbedtls_ssl_get_verify_result reported problems "\
262  "with the certificate verification, returned flags: %u\n",
263  verify_res_flags);
264  if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
265  av_log(h, AV_LOG_ERROR, "The certificate is not correctly signed by the trusted CA.\n");
266  goto fail;
267  }
268  }
269 
270  return 0;
271 
272 fail:
273  tls_close(h);
274  return AVERROR(EIO);
275 }
276 
277 static int handle_tls_error(URLContext *h, const char* func_name, int ret)
278 {
279  switch (ret) {
280  case MBEDTLS_ERR_SSL_WANT_READ:
281  case MBEDTLS_ERR_SSL_WANT_WRITE:
282  return AVERROR(EAGAIN);
283  case MBEDTLS_ERR_NET_SEND_FAILED:
284  case MBEDTLS_ERR_NET_RECV_FAILED:
285  return AVERROR(EIO);
286  case MBEDTLS_ERR_NET_CONN_RESET:
287  case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
288  av_log(h, AV_LOG_WARNING, "%s reported connection reset by peer\n", func_name);
289  return AVERROR_EOF;
290  default:
291  av_log(h, AV_LOG_ERROR, "%s returned -0x%x\n", func_name, -ret);
292  return AVERROR(EIO);
293  }
294 }
295 
296 static int tls_read(URLContext *h, uint8_t *buf, int size)
297 {
298  TLSContext *tls_ctx = h->priv_data;
299  int ret;
300 
301  if ((ret = mbedtls_ssl_read(&tls_ctx->ssl_context, buf, size)) > 0) {
302  // return read length
303  return ret;
304  }
305 
306  return handle_tls_error(h, "mbedtls_ssl_read", ret);
307 }
308 
309 static int tls_write(URLContext *h, const uint8_t *buf, int size)
310 {
311  TLSContext *tls_ctx = h->priv_data;
312  int ret;
313 
314  if ((ret = mbedtls_ssl_write(&tls_ctx->ssl_context, buf, size)) > 0) {
315  // return written length
316  return ret;
317  }
318 
319  return handle_tls_error(h, "mbedtls_ssl_write", ret);
320 }
321 
323 {
324  TLSContext *c = h->priv_data;
326 }
327 
328 static const AVOption options[] = {
330  {"key_password", "Password for the private key file", OFFSET(priv_key_pw), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
331  { NULL }
332 };
333 
334 static const AVClass tls_class = {
335  .class_name = "tls",
336  .item_name = av_default_item_name,
337  .option = options,
338  .version = LIBAVUTIL_VERSION_INT,
339 };
340 
342  .name = "tls",
343  .url_open2 = tls_open,
344  .url_read = tls_read,
345  .url_write = tls_write,
346  .url_close = tls_close,
347  .url_get_file_handle = tls_get_file_handle,
348  .priv_data_size = sizeof(TLSContext),
350  .priv_data_class = &tls_class,
351 };
#define NULL
Definition: coverity.c:32
#define URL_PROTOCOL_FLAG_NETWORK
Definition: url.h:34
AVOption.
Definition: opt.h:246
int verify
Definition: tls.h:31
static int handle_tls_error(URLContext *h, const char *func_name, int ret)
Definition: tls_mbedtls.c:277
#define AV_LOG_WARNING
Something somehow does not look correct.
Definition: log.h:182
#define LIBAVUTIL_VERSION_INT
Definition: version.h:85
int ffurl_write(URLContext *h, const unsigned char *buf, int size)
Write size bytes from buf to the resource accessed by h.
Definition: avio.c:420
mbedtls_ssl_config ssl_config
Definition: tls_mbedtls.c:41
const char * av_default_item_name(void *ptr)
Return the context name.
Definition: log.c:191
int listen
Definition: tls.h:34
#define TLS_OPTFL
Definition: tls.h:44
static void parse_options(TLSContext *tls_ctxc, const char *uri)
Definition: tls_mbedtls.c:150
static const AVOption options[]
Definition: tls_mbedtls.c:328
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
Definition: log.h:72
static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len)
Definition: tls_mbedtls.c:85
static void handle_handshake_error(URLContext *h, int ret)
Definition: tls_mbedtls.c:129
uint8_t
static int tls_read(URLContext *h, uint8_t *buf, int size)
Definition: tls_mbedtls.c:296
Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
Definition: undefined.txt:32
static int tls_get_file_handle(URLContext *h)
Definition: tls_mbedtls.c:322
Definition: tls.h:29
#define AVERROR_EOF
End of file.
Definition: error.h:55
int av_find_info_tag(char *arg, int arg_size, const char *tag1, const char *info)
Attempt to find a specific tag in a URL.
Definition: parseutils.c:749
ptrdiff_t size
Definition: opengl_enc.c:100
#define av_log(a,...)
static int tls_write(URLContext *h, const uint8_t *buf, int size)
Definition: tls_mbedtls.c:309
mbedtls_ctr_drbg_context ctr_drbg_context
Definition: tls_mbedtls.c:43
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
Definition: log.h:176
#define OFFSET(x)
Definition: tls_mbedtls.c:50
static const AVClass tls_class
Definition: tls_mbedtls.c:334
#define fail()
Definition: checkasm.h:122
char * host
Definition: tls.h:36
static int handle_transport_error(URLContext *h, const char *func_name, int react_on_eagain, int ret)
Definition: tls_mbedtls.c:68
mbedtls_pk_context priv_key
Definition: tls_mbedtls.c:46
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_mbedtls.c:161
mbedtls_x509_crt ca_cert
Definition: tls_mbedtls.c:44
mbedtls_ssl_context ssl_context
Definition: tls_mbedtls.c:40
mbedtls_x509_crt own_cert
Definition: tls_mbedtls.c:45
#define TLS_COMMON_OPTIONS(pstruct, options_field)
Definition: tls.h:45
mbedtls_entropy_context entropy_context
Definition: tls_mbedtls.c:42
static int tls_close(URLContext *h)
Definition: tls_mbedtls.c:52
char * cert_file
Definition: tls.h:32
int ffurl_get_file_handle(URLContext *h)
Return the file descriptor associated with this URL.
Definition: avio.c:625
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
Definition: error.h:56
char * ca_file
Definition: tls.h:30
char * av_strdup(const char *s)
Duplicate a string.
Definition: mem.c:251
TLSShared tls_shared
Definition: tls_gnutls.c:50
void * buf
Definition: avisynth_c.h:766
Definition: url.h:38
Describe the class of an AVClass context structure.
Definition: log.h:67
void * priv_data
Definition: url.h:41
char * priv_key_pw
Definition: tls_mbedtls.c:47
misc parsing utilities
const char * name
Definition: url.h:55
#define flags(name, subs,...)
Definition: cbs_av1.c:561
Main libavformat public API header.
const URLProtocol ff_tls_protocol
Definition: tls_mbedtls.c:341
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
Definition: tls.c:56
struct tls * ctx
Definition: tls_libtls.c:37
static void handle_pk_parse_error(URLContext *h, int ret)
Definition: tls_mbedtls.c:111
URLContext * tcp
Definition: tls.h:41
int numerichost
Definition: tls.h:39
static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
Definition: tls_mbedtls.c:98
int len
int max_packet_size
if non zero, the stream is packetized with this max packet size
Definition: url.h:44
unbuffered private I/O API
Filter the word “frame” indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later.That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another.Frame references ownership and permissions
int ffurl_read(URLContext *h, unsigned char *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf...
Definition: avio.c:406
char * key_file
Definition: tls.h:33