22 #include <mbedtls/certs.h> 23 #include <mbedtls/config.h> 24 #include <mbedtls/ctr_drbg.h> 25 #include <mbedtls/entropy.h> 26 #include <mbedtls/net_sockets.h> 27 #include <mbedtls/platform.h> 28 #include <mbedtls/ssl.h> 29 #include <mbedtls/x509_crt.h> 50 #define OFFSET(x) offsetof(TLSContext, x) 58 mbedtls_x509_crt_free(&tls_ctx->
ca_cert);
59 mbedtls_x509_crt_free(&tls_ctx->
own_cert);
73 return react_on_eagain;
78 return MBEDTLS_ERR_NET_CONN_RESET;
82 return MBEDTLS_ERR_NET_SEND_FAILED;
94 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
107 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
115 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
116 av_log(h,
AV_LOG_ERROR,
"Read of key file failed. Is it actually there, are the access permissions correct?\n");
118 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
121 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
133 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
134 av_log(h,
AV_LOG_ERROR,
"None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
136 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
137 av_log(h,
AV_LOG_ERROR,
"A fatal alert message was received from the peer, has the peer a correct certificate?\n");
139 case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:
140 av_log(h,
AV_LOG_ERROR,
"No CA chain is set, but required to operate. Was the CA correctly set?\n");
142 case MBEDTLS_ERR_NET_CONN_RESET:
154 const char *p = strchr(uri,
'?');
166 uint32_t verify_res_flags;
176 mbedtls_ssl_config_init(&tls_ctx->
ssl_config);
179 mbedtls_x509_crt_init(&tls_ctx->
ca_cert);
180 mbedtls_pk_init(&tls_ctx->
priv_key);
184 if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->
ca_cert, shr->
ca_file)) != 0) {
185 av_log(h,
AV_LOG_ERROR,
"mbedtls_x509_crt_parse_file for CA cert returned %d\n", ret);
192 if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->
own_cert, shr->
cert_file)) != 0) {
193 av_log(h,
AV_LOG_ERROR,
"mbedtls_x509_crt_parse_file for own cert returned %d\n", ret);
200 if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->
priv_key,
210 mbedtls_entropy_func,
217 if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->
ssl_config,
218 shr->
listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
219 MBEDTLS_SSL_TRANSPORT_STREAM,
220 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
225 mbedtls_ssl_conf_authmode(&tls_ctx->
ssl_config,
226 shr->
ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
242 if ((ret = mbedtls_ssl_set_hostname(&tls_ctx->
ssl_context, shr->
host)) != 0) {
252 while ((ret = mbedtls_ssl_handshake(&tls_ctx->
ssl_context)) != 0) {
253 if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
261 if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->
ssl_context)) != 0) {
263 "with the certificate verification, returned flags: %u\n",
265 if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
266 av_log(h,
AV_LOG_ERROR,
"The certificate is not correctly signed by the trusted CA.\n");
281 case MBEDTLS_ERR_SSL_WANT_READ:
282 case MBEDTLS_ERR_SSL_WANT_WRITE:
284 case MBEDTLS_ERR_NET_SEND_FAILED:
285 case MBEDTLS_ERR_NET_RECV_FAILED:
287 case MBEDTLS_ERR_NET_CONN_RESET:
288 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
302 if ((ret = mbedtls_ssl_read(&tls_ctx->
ssl_context, buf, size)) > 0) {
315 if ((ret = mbedtls_ssl_write(&tls_ctx->
ssl_context, buf, size)) > 0) {
358 .priv_data_class = &tls_class,
#define URL_PROTOCOL_FLAG_NETWORK
static int handle_tls_error(URLContext *h, const char *func_name, int ret)
#define AV_LOG_WARNING
Something somehow does not look correct.
#define LIBAVUTIL_VERSION_INT
int ffurl_write(URLContext *h, const unsigned char *buf, int size)
Write size bytes from buf to the resource accessed by h.
mbedtls_ssl_config ssl_config
const char * av_default_item_name(void *ptr)
Return the context name.
static void parse_options(TLSContext *tls_ctxc, const char *uri)
static const AVOption options[]
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len)
static void handle_handshake_error(URLContext *h, int ret)
static int tls_read(URLContext *h, uint8_t *buf, int size)
Undefined Behavior: In the C language some operations are undefined, like signed integer overflow, dereferencing freed pointers, accessing outside allocated space, ... Undefined Behavior must not occur in a C program; it is not safe even if the output of undefined operations is unused. The unsafety may seem nit-picking, but optimizing compilers have in fact optimized code on the assumption that no Undefined Behavior occurs. Optimizing code based on wrong assumptions can and has in some cases led to effects beyond the output of computations. The signed integer overflow problem in speed-critical code: Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
static int tls_get_file_handle(URLContext *h)
#define AVERROR_EOF
End of file.
int av_find_info_tag(char *arg, int arg_size, const char *tag1, const char *info)
Attempt to find a specific tag in a URL.
static int tls_write(URLContext *h, const uint8_t *buf, int size)
mbedtls_ctr_drbg_context ctr_drbg_context
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
static const AVClass tls_class
static int handle_transport_error(URLContext *h, const char *func_name, int react_on_eagain, int ret)
mbedtls_pk_context priv_key
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
mbedtls_ssl_context ssl_context
int ffurl_get_short_seek(URLContext *h)
Return the current short seek threshold value for this URL.
mbedtls_x509_crt own_cert
#define TLS_COMMON_OPTIONS(pstruct, options_field)
mbedtls_entropy_context entropy_context
static int tls_close(URLContext *h)
int ffurl_get_file_handle(URLContext *h)
Return the file descriptor associated with this URL.
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
int ffurl_closep(URLContext **hh)
Close the resource accessed by the URLContext h, and free the memory used by it.
char * av_strdup(const char *s)
Duplicate a string.
Describe the class of an AVClass context structure.
#define flags(name, subs,...)
const URLProtocol ff_tls_protocol
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
static void handle_pk_parse_error(URLContext *h, int ret)
static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
int max_packet_size
if non zero, the stream is packetized with this max packet size
unbuffered private I/O API
In the filter framework, the word “frame” indicates either a video frame or a group of audio samples, as stored in an AVFrame structure. Format: for each input and each output, the list of supported formats. For video that means pixel format. For audio that means channel layout, sample format and sample rate. The lists are not plain lists; they are references to shared objects. When the negotiation mechanism computes the intersection of the formats supported at each end of a link, all references to both lists are replaced with a reference to the intersection. And when a single format is eventually chosen for a link amongst the remaining list, all references to the list are updated. That means that if a filter requires that its input and output have the same format amongst a supported list, all it has to do is use a reference to the same list of formats. query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism to try again later. That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another. Frame references: ownership and permissions
int ffurl_read(URLContext *h, unsigned char *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf...
static int tls_get_short_seek(URLContext *h)