1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include <errno.h>
23 
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26 
27 #include "avformat.h"
28 #include "internal.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavcodec/internal.h"
34 #include "libavutil/avstring.h"
35 #include "libavutil/opt.h"
36 #include "libavutil/parseutils.h"
37 
38 #ifndef GNUTLS_VERSION_NUMBER
39 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
40 #endif
41 
42 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
43 #include <gcrypt.h>
44 #include "libavutil/thread.h"
45 GCRY_THREAD_OPTION_PTHREAD_IMPL;
46 #endif
47 
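/*
 * Per-URLContext state of the GnuTLS backend. The listing dropped the two
 * hyperlinked members (tls_shared, need_shutdown); they are restored here in
 * their original positions, which matters because TLS_COMMON_OPTIONS() maps
 * options onto tls_shared by offset.
 */
typedef struct TLSContext {
    const AVClass *class;
    /* Options and the underlying TCP URLContext, shared with tls.c */
    TLSShared tls_shared;
    gnutls_session_t session;
    gnutls_certificate_credentials_t cred;
    /* Set once the handshake completed; tls_close() then sends close_notify */
    int need_shutdown;
} TLSContext;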
55 
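/*
 * Process-wide GnuTLS initialization, serialized with ff_lock_avformat() so
 * concurrent tls_open() calls do not race gnutls_global_init(). Each call is
 * balanced by one ff_gnutls_deinit() (see tls_close()).
 *
 * NOTE(review): the gcrypt #include above is guarded with "<= 0x020b00" while
 * this block uses "< 0x020b00"; for exactly 2.11.0 gcrypt is included but
 * unused. Harmless, but the two guards should probably agree.
 */
void ff_gnutls_init(void)
{
    ff_lock_avformat();
#if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
    /* Builds against GnuTLS < 2.11 also pull in libgcrypt (see the #include
     * above); install the pthread callbacks unless someone else in the
     * process already initialized libgcrypt. */
    if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
        gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
#endif
    gnutls_global_init();
    ff_unlock_avformat();
}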
66 
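/*
 * Counterpart of ff_gnutls_init(): drops one reference on the global GnuTLS
 * state, under the same avformat lock.
 */
void ff_gnutls_deinit(void)
{
    ff_lock_avformat();
    gnutls_global_deinit();
    ff_unlock_avformat();
}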
73 
/*
 * Translate a negative GnuTLS return code into an AVERROR, logging it where
 * appropriate.
 *
 *   GNUTLS_E_AGAIN                  -> AVERROR(EAGAIN), nothing logged
 *   GNUTLS_E_INTERRUPTED,
 *   GNUTLS_E_PREMATURE_TERMINATION  -> AVERROR(EIO), nothing logged
 *   GNUTLS_E_WARNING_ALERT_RECEIVED -> AVERROR(EIO), logged at warning level
 *   anything else                   -> AVERROR(EIO), logged at error level
 *
 * @param h   URLContext used as the logging context
 * @param ret the GnuTLS error code
 * @return AVERROR(EAGAIN) or AVERROR(EIO) as described above
 */
static int print_tls_error(URLContext *h, int ret)
{
    if (ret == GNUTLS_E_AGAIN)
        return AVERROR(EAGAIN);

    int quiet = ret == GNUTLS_E_INTERRUPTED;
#ifdef GNUTLS_E_PREMATURE_TERMINATION
    quiet = quiet || ret == GNUTLS_E_PREMATURE_TERMINATION;
#endif
    if (!quiet) {
        /* A warning alert from the peer is not necessarily our fault, so it
         * is reported at a lower severity than a hard failure. */
        int level = ret == GNUTLS_E_WARNING_ALERT_RECEIVED ? AV_LOG_WARNING
                                                           : AV_LOG_ERROR;
        av_log(h, level, "%s\n", gnutls_strerror(ret));
    }
    return AVERROR(EIO);
}
93 
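/*
 * Tear down a TLS connection. Safe to call on a partially opened context
 * (it is the failure path of tls_open()): every resource is released only
 * if it was acquired. The listing dropped the hyperlinked
 * ff_gnutls_deinit() call; it is restored so that the ff_gnutls_init() done
 * in tls_open() is balanced and the global GnuTLS state is not leaked.
 *
 * @param h the TLS URLContext
 * @return always 0
 */
static int tls_close(URLContext *h)
{
    TLSContext *c = h->priv_data;

    /* Only send close_notify once a handshake actually completed. */
    if (c->need_shutdown)
        gnutls_bye(c->session, GNUTLS_SHUT_WR);
    c->need_shutdown = 0;

    /* Pointers are cleared after release so a repeated close cannot
     * double-free. */
    if (c->session)
        gnutls_deinit(c->session);
    c->session = NULL;
    if (c->cred)
        gnutls_certificate_free_credentials(c->cred);
    c->cred = NULL;
    if (c->tls_shared.tcp)
        ffurl_close(c->tls_shared.tcp);
    c->tls_shared.tcp = NULL;

    /* Balances the ff_gnutls_init() at the top of tls_open(). */
    ff_gnutls_deinit();
    return 0;
}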
108 
/*
 * GnuTLS transport "pull" callback: reads from the underlying TCP URLContext
 * registered with gnutls_transport_set_ptr().
 *
 * Returns the byte count from ffurl_read() on success, 0 when the read was
 * interrupted (AVERROR_EXIT), and -1 with errno set otherwise — EAGAIN for a
 * would-block condition, EIO for any other failure (presumably GnuTLS reads
 * errno to tell a retryable condition from a hard error; confirm against the
 * GnuTLS transport docs).
 */
static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
                               void *buf, size_t len)
{
    URLContext *tcp = (URLContext *) transport;
    const int n = ffurl_read(tcp, buf, len);

    if (n >= 0)
        return n;
    if (n == AVERROR_EXIT)
        return 0;

    errno = (n == AVERROR(EAGAIN)) ? EAGAIN : EIO;
    return -1;
}
124 
/*
 * GnuTLS transport "push" callback: writes to the underlying TCP URLContext
 * registered with gnutls_transport_set_ptr().
 *
 * Returns the byte count from ffurl_write() on success, 0 when the write was
 * interrupted (AVERROR_EXIT), and -1 with errno set otherwise — EAGAIN for a
 * would-block condition, EIO for any other failure.
 */
static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
                               const void *buf, size_t len)
{
    URLContext *tcp = (URLContext *) transport;
    const int n = ffurl_write(tcp, buf, len);

    if (n >= 0)
        return n;
    if (n == AVERROR_EXIT)
        return 0;

    errno = (n == AVERROR(EAGAIN)) ? EAGAIN : EIO;
    return -1;
}
140 
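/*
 * Check the peer's certificate after the handshake: chain validation against
 * the configured trust store, certificate type, and a host name match on the
 * leaf certificate.
 *
 * @param h the TLS URLContext (logging context)
 * @param p its private TLSContext, whose session has completed a handshake
 * @param c the shared TLS options; c->host is the expected host name
 * @return 0 if the peer is acceptable, AVERROR(EIO) otherwise (the reason is
 *         logged before returning)
 */
static int tls_verify_peer(URLContext *h, TLSContext *p, const TLSShared *c)
{
    unsigned int status = 0, cert_list_size = 0;
    gnutls_x509_crt_t cert;
    const gnutls_datum_t *cert_list;
    int ret;

    ret = gnutls_certificate_verify_peers2(p->session, &status);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
               gnutls_strerror(ret));
        return AVERROR(EIO);
    }
    if (status & GNUTLS_CERT_INVALID) {
        av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
        return AVERROR(EIO);
    }
    if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
        av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
        return AVERROR(EIO);
    }

    /* The peer list may be NULL or empty when no certificate was sent;
     * refuse rather than hand a NULL datum to the importer. */
    cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
    if (!cert_list || cert_list_size == 0) {
        av_log(h, AV_LOG_ERROR, "Peer did not present a certificate\n");
        return AVERROR(EIO);
    }

    ret = gnutls_x509_crt_init(&cert);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
        return AVERROR(EIO);
    }
    /* The first entry of the list is the peer's own (leaf) certificate. */
    ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
    if (ret < 0) {
        gnutls_x509_crt_deinit(cert);
        av_log(h, AV_LOG_ERROR, "Unable to parse peer certificate: %s\n",
               gnutls_strerror(ret));
        return AVERROR(EIO);
    }
    /* gnutls_x509_crt_check_hostname() returns non-zero on a match. */
    ret = gnutls_x509_crt_check_hostname(cert, c->host);
    gnutls_x509_crt_deinit(cert);
    if (!ret) {
        av_log(h, AV_LOG_ERROR,
               "The certificate's owner does not match hostname %s\n", c->host);
        return AVERROR(EIO);
    }
    return 0;
}

/*
 * Open a TLS connection on top of the TCP URLContext created by
 * ff_tls_open_underlying(), run the handshake and, when the "verify" option
 * is set, authenticate the peer. With verify unset the peer is not
 * authenticated at all (no chain or host name check).
 *
 * Compared with the plain listing, the return values of gnutls_init(),
 * gnutls_certificate_allocate_credentials() and gnutls_priority_set_direct()
 * are now checked instead of continuing with an unusable session, and the two
 * hyperlinked av_log() lines the listing dropped are restored.
 *
 * @param h       the TLS URLContext; h->priv_data is a zeroed TLSContext
 * @param uri     the tls:// URI to open
 * @param flags   unused here (kept for the URLProtocol signature)
 * @param options dictionary of protocol options, passed on to the TCP layer
 * @return 0 on success, a negative AVERROR on failure; on failure every
 *         resource acquired so far has been released via tls_close()
 */
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
{
    TLSContext *p = h->priv_data;
    TLSShared *c = &p->tls_shared;
    int ret;

    ff_gnutls_init();

    if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
        goto fail;

    ret = gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
        ret = AVERROR(EIO);
        goto fail;
    }
    /* SNI: send the host name unless we are the server side or the host was
     * given as a numeric address. */
    if (!c->listen && !c->numerichost)
        gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));

    ret = gnutls_certificate_allocate_credentials(&p->cred);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
        ret = AVERROR(EIO);
        goto fail;
    }
    if (c->ca_file) {
        /* A failed trust-file load is only logged; with verify set the peer
         * check below has no usable anchors and fails, with verify unset it
         * has no effect. */
        ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
        if (ret < 0)
            av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
    }
#if GNUTLS_VERSION_NUMBER >= 0x030020
    else
        gnutls_certificate_set_x509_system_trust(p->cred);
#endif
    /* When verifying, tolerate X.509v1 CA certificates in the chain. */
    gnutls_certificate_set_verify_flags(p->cred, c->verify ?
                                        GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);

    if (c->cert_file && c->key_file) {
        ret = gnutls_certificate_set_x509_key_file(p->cred,
                                                   c->cert_file, c->key_file,
                                                   GNUTLS_X509_FMT_PEM);
        if (ret < 0) {
            av_log(h, AV_LOG_ERROR,
                   "Unable to set cert/key files %s and %s: %s\n",
                   c->cert_file, c->key_file, gnutls_strerror(ret));
            ret = AVERROR(EIO);
            goto fail;
        }
    } else if (c->cert_file || c->key_file) {
        /* Logged only; the handshake proceeds without our own certificate. */
        av_log(h, AV_LOG_ERROR, "cert and key required\n");
    }

    gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
    gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
    gnutls_transport_set_push_function(p->session, gnutls_url_push);
    gnutls_transport_set_ptr(p->session, c->tcp);

    ret = gnutls_priority_set_direct(p->session, "NORMAL", NULL);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
        ret = AVERROR(EIO);
        goto fail;
    }

    /* Handshake, retrying on non-fatal codes (such as GNUTLS_E_AGAIN on a
     * non-blocking socket) and bailing out if the user interrupts. */
    do {
        if (ff_check_interrupt(&h->interrupt_callback)) {
            ret = AVERROR_EXIT;
            goto fail;
        }
        ret = gnutls_handshake(p->session);
        if (gnutls_error_is_fatal(ret)) {
            ret = print_tls_error(h, ret);
            goto fail;
        }
    } while (ret);
    /* From here on tls_close() sends close_notify. */
    p->need_shutdown = 1;

    if (c->verify) {
        ret = tls_verify_peer(h, p, c);
        if (ret < 0)
            goto fail;
    }

    return 0;
fail:
    tls_close(h);
    return ret;
}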
236 
/*
 * Read decrypted application data.
 *
 * @param h    the TLS URLContext
 * @param buf  destination buffer
 * @param size capacity of buf in bytes
 * @return number of bytes read (> 0), AVERROR_EOF when the record layer
 *         returns 0, or the AVERROR mapped by print_tls_error()
 */
static int tls_read(URLContext *h, uint8_t *buf, int size)
{
    TLSContext *ctx = h->priv_data;
    URLContext *tcp = ctx->tls_shared.tcp;
    int n;

    /* Propagate the caller's AVIO_FLAG_NONBLOCK to the underlying TCP
     * URLContext, which the GnuTLS pull callback reads from. */
    tcp->flags = (tcp->flags & ~AVIO_FLAG_NONBLOCK) | (h->flags & AVIO_FLAG_NONBLOCK);

    n = gnutls_record_recv(ctx->session, buf, size);
    if (n == 0)
        return AVERROR_EOF;
    return n > 0 ? n : print_tls_error(h, n);
}
251 
/*
 * Write application data through the TLS record layer.
 *
 * @param h    the TLS URLContext
 * @param buf  source buffer
 * @param size number of bytes to send
 * @return number of bytes written (> 0), AVERROR_EOF when the record layer
 *         returns 0, or the AVERROR mapped by print_tls_error()
 */
static int tls_write(URLContext *h, const uint8_t *buf, int size)
{
    TLSContext *ctx = h->priv_data;
    URLContext *tcp = ctx->tls_shared.tcp;
    int n;

    /* Propagate the caller's AVIO_FLAG_NONBLOCK to the underlying TCP
     * URLContext, which the GnuTLS push callback writes to. */
    tcp->flags = (tcp->flags & ~AVIO_FLAG_NONBLOCK) | (h->flags & AVIO_FLAG_NONBLOCK);

    n = gnutls_record_send(ctx->session, buf, size);
    if (n == 0)
        return AVERROR_EOF;
    return n > 0 ? n : print_tls_error(h, n);
}
266 
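/*
 * Expose the file descriptor of the underlying TCP connection so callers can
 * poll on it. The hyperlinked signature line dropped from the listing is
 * restored here.
 *
 * @param h the TLS URLContext
 * @return whatever ffurl_get_file_handle() returns for the TCP URLContext
 */
static int tls_get_file_handle(URLContext *h)
{
    TLSContext *c = h->priv_data;
    return ffurl_get_file_handle(c->tls_shared.tcp);
}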
272 
/* Protocol options: only the ones shared by all TLS backends (ca_file,
 * cert_file, key_file, verify, listen, ... as defined by TLS_COMMON_OPTIONS in
 * tls.h), mapped onto TLSContext.tls_shared. NULL-terminated. */
static const AVOption options[] = {
    TLS_COMMON_OPTIONS(TLSContext, tls_shared),
    { NULL }
};
277 
/* AVClass for the "tls" protocol: names it for logging and exposes the
 * option table above. */
static const AVClass tls_class = {
    .version    = LIBAVUTIL_VERSION_INT,
    .class_name = "tls",
    .option     = options,
    .item_name  = av_default_item_name,
};
284 
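/* Registration of the GnuTLS-backed "tls" URL protocol. The listing dropped
 * the hyperlinked definition line and the .flags initializer
 * (URL_PROTOCOL_FLAG_NETWORK, the only use of that flag in this file); both
 * are restored here. */
const URLProtocol ff_tls_protocol = {
    .name                = "tls",
    .url_open2           = tls_open,
    .url_read            = tls_read,
    .url_write           = tls_write,
    .url_close           = tls_close,
    .url_get_file_handle = tls_get_file_handle,
    .priv_data_size      = sizeof(TLSContext),
    .flags               = URL_PROTOCOL_FLAG_NETWORK,
    .priv_data_class     = &tls_class,
};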