FFmpeg
tls_gnutls.c
Go to the documentation of this file.
1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include <errno.h>
23 
24 #include <gnutls/gnutls.h>
25 #include <gnutls/dtls.h>
26 #include <gnutls/x509.h>
27 
28 #include "avformat.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavutil/opt.h"
34 #include "libavutil/thread.h"
35 
36 #ifndef GNUTLS_VERSION_NUMBER
37 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
38 #endif
39 
40 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
41 #include <gcrypt.h>
42 GCRY_THREAD_OPTION_PTHREAD_IMPL;
43 #endif
44 
45 typedef struct TLSContext {
46  TLSShared tls_shared;
47  gnutls_session_t session;
48  gnutls_certificate_credentials_t cred;
49  int need_shutdown;
50  int io_err;
51 } TLSContext;
52 
53 static AVMutex gnutls_mutex = AV_MUTEX_INITIALIZER;
54 
55 void ff_gnutls_init(void)
56 {
57  ff_mutex_lock(&gnutls_mutex);
58 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
59  if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
60  gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
61 #endif
62  gnutls_global_init();
63  ff_mutex_unlock(&gnutls_mutex);
64 }
65 
66 void ff_gnutls_deinit(void)
67 {
68  ff_mutex_lock(&gnutls_mutex);
69  gnutls_global_deinit();
70  ff_mutex_unlock(&gnutls_mutex);
71 }
72 
73 static int print_tls_error(URLContext *h, int ret)
74 {
75  TLSContext *c = h->priv_data;
76  switch (ret) {
77  case GNUTLS_E_AGAIN:
78  return AVERROR(EAGAIN);
79  case GNUTLS_E_INTERRUPTED:
80 #ifdef GNUTLS_E_PREMATURE_TERMINATION
81  case GNUTLS_E_PREMATURE_TERMINATION:
82 #endif
83  break;
84  case GNUTLS_E_WARNING_ALERT_RECEIVED:
85  av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
86  break;
87  default:
88  av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
89  break;
90  }
91  if (c->io_err) {
92  av_log(h, AV_LOG_ERROR, "IO error: %s\n", av_err2str(c->io_err));
93  ret = c->io_err;
94  c->io_err = 0;
95  return ret;
96  }
97  return AVERROR(EIO);
98 }
99 
100 static int tls_close(URLContext *h)
101 {
102  TLSContext *c = h->priv_data;
103  TLSShared *s = &c->tls_shared;
104  if (c->need_shutdown)
105  gnutls_bye(c->session, GNUTLS_SHUT_WR);
106  if (c->session)
107  gnutls_deinit(c->session);
108  if (c->cred)
109  gnutls_certificate_free_credentials(c->cred);
110  if (!s->external_sock)
111  ffurl_closep(s->is_dtls ? &s->udp : &s->tcp);
112  ff_gnutls_deinit();
113  return 0;
114 }
115 
116 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
117  void *buf, size_t len)
118 {
119  TLSContext *c = (TLSContext*) transport;
120  int ret = ffurl_read(c->tls_shared.tcp, buf, len);
121  if (ret >= 0)
122  return ret;
123  if (ret == AVERROR_EXIT)
124  return 0;
125  if (ret == AVERROR(EAGAIN)) {
126  errno = EAGAIN;
127  } else {
128  errno = EIO;
129  c->io_err = ret;
130  }
131  return -1;
132 }
133 
134 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
135  const void *buf, size_t len)
136 {
137  TLSContext *c = (TLSContext*) transport;
138  int ret = ffurl_write(c->tls_shared.tcp, buf, len);
139  if (ret >= 0)
140  return ret;
141  if (ret == AVERROR_EXIT)
142  return 0;
143  if (ret == AVERROR(EAGAIN)) {
144  errno = EAGAIN;
145  } else {
146  errno = EIO;
147  c->io_err = ret;
148  }
149  return -1;
150 }
151 
152 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
153 {
154  TLSContext *c = h->priv_data;
155  TLSShared *s = &c->tls_shared;
156  uint16_t gnutls_flags = 0;
157  int ret;
158 
159  ff_gnutls_init();
160 
161  if ((ret = ff_tls_open_underlying(s, h, uri, options)) < 0)
162  goto fail;
163 
164  if (s->is_dtls)
165  gnutls_flags |= GNUTLS_DATAGRAM;
166 
167  if (s->listen)
168  gnutls_flags |= GNUTLS_SERVER;
169  else
170  gnutls_flags |= GNUTLS_CLIENT;
171  gnutls_init(&c->session, gnutls_flags);
172  if (!s->listen && !s->numerichost)
173  gnutls_server_name_set(c->session, GNUTLS_NAME_DNS, s->host, strlen(s->host));
174  gnutls_certificate_allocate_credentials(&c->cred);
175  if (s->ca_file) {
176  ret = gnutls_certificate_set_x509_trust_file(c->cred, s->ca_file, GNUTLS_X509_FMT_PEM);
177  if (ret < 0)
178  av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
179  }
180 #if GNUTLS_VERSION_NUMBER >= 0x030020
181  else
182  gnutls_certificate_set_x509_system_trust(c->cred);
183 #endif
184  gnutls_certificate_set_verify_flags(c->cred, s->verify ?
185  GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
186  if (s->cert_file && s->key_file) {
187  ret = gnutls_certificate_set_x509_key_file(c->cred,
188  s->cert_file, s->key_file,
189  GNUTLS_X509_FMT_PEM);
190  if (ret < 0) {
191  av_log(h, AV_LOG_ERROR,
192  "Unable to set cert/key files %s and %s: %s\n",
193  s->cert_file, s->key_file, gnutls_strerror(ret));
194  ret = AVERROR(EIO);
195  goto fail;
196  }
197  } else if (s->cert_file || s->key_file)
198  av_log(h, AV_LOG_ERROR, "cert and key required\n");
199  gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, c->cred);
200  gnutls_transport_set_pull_function(c->session, gnutls_url_pull);
201  gnutls_transport_set_push_function(c->session, gnutls_url_push);
202  gnutls_transport_set_ptr(c->session, c);
203  if (s->is_dtls)
204  if (s->mtu)
205  gnutls_dtls_set_mtu(c->session, s->mtu);
206  gnutls_set_default_priority(c->session);
207  do {
208  if (ff_check_interrupt(&h->interrupt_callback)) {
209  ret = AVERROR_EXIT;
210  goto fail;
211  }
212 
213  ret = gnutls_handshake(c->session);
214  if (gnutls_error_is_fatal(ret)) {
215  ret = print_tls_error(h, ret);
216  goto fail;
217  }
218  } while (ret);
219  c->need_shutdown = 1;
220  if (s->verify) {
221  unsigned int status, cert_list_size;
222  gnutls_x509_crt_t cert;
223  const gnutls_datum_t *cert_list;
224  if ((ret = gnutls_certificate_verify_peers2(c->session, &status)) < 0) {
225  av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
226  gnutls_strerror(ret));
227  ret = AVERROR(EIO);
228  goto fail;
229  }
230  if (status & GNUTLS_CERT_INVALID) {
231  av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
232  ret = AVERROR(EIO);
233  goto fail;
234  }
235  if (gnutls_certificate_type_get(c->session) != GNUTLS_CRT_X509) {
236  av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
237  ret = AVERROR(EIO);
238  goto fail;
239  }
240  gnutls_x509_crt_init(&cert);
241  cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size);
242  gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
243  ret = gnutls_x509_crt_check_hostname(cert, s->host);
244  gnutls_x509_crt_deinit(cert);
245  if (!ret) {
246  av_log(h, AV_LOG_ERROR,
247  "The certificate's owner does not match hostname %s\n", s->host);
248  ret = AVERROR(EIO);
249  goto fail;
250  }
251  }
252 
253  return 0;
254 fail:
255  tls_close(h);
256  return ret;
257 }
258 
259 static int dtls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
260 {
261  TLSContext *c = h->priv_data;
262  TLSShared *s = &c->tls_shared;
263  s->is_dtls = 1;
264  return tls_open(h, uri, flags, options);
265 }
266 
267 static int tls_read(URLContext *h, uint8_t *buf, int size)
268 {
269  TLSContext *c = h->priv_data;
270  TLSShared *s = &c->tls_shared;
271  URLContext *uc = s->is_dtls ? s->udp : s->tcp;
272  int ret;
273  // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
274  uc->flags &= ~AVIO_FLAG_NONBLOCK;
275  uc->flags |= h->flags & AVIO_FLAG_NONBLOCK;
276  ret = gnutls_record_recv(c->session, buf, size);
277  if (ret > 0)
278  return ret;
279  if (ret == 0)
280  return AVERROR_EOF;
281  return print_tls_error(h, ret);
282 }
283 
284 static int tls_write(URLContext *h, const uint8_t *buf, int size)
285 {
286  TLSContext *c = h->priv_data;
287  TLSShared *s = &c->tls_shared;
288  URLContext *uc = s->is_dtls ? s->udp : s->tcp;
289  int ret;
290  // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
291  uc->flags &= ~AVIO_FLAG_NONBLOCK;
292  uc->flags |= h->flags & AVIO_FLAG_NONBLOCK;
293  ret = gnutls_record_send(c->session, buf, size);
294  if (ret > 0)
295  return ret;
296  if (ret == 0)
297  return AVERROR_EOF;
298  return print_tls_error(h, ret);
299 }
300 
301 static int tls_get_file_handle(URLContext *h)
302 {
303  TLSContext *c = h->priv_data;
304  return ffurl_get_file_handle(c->tls_shared.tcp);
305 }
306 
307 static int tls_get_short_seek(URLContext *h)
308 {
309  TLSContext *s = h->priv_data;
310  return ffurl_get_short_seek(s->tls_shared.tcp);
311 }
312 
313 static const AVOption options[] = {
314  TLS_COMMON_OPTIONS(TLSContext, tls_shared),
315  { NULL }
316 };
317 
318 static const AVClass tls_class = {
319  .class_name = "tls",
320  .item_name = av_default_item_name,
321  .option = options,
322  .version = LIBAVUTIL_VERSION_INT,
323 };
324 
325 const URLProtocol ff_tls_protocol = {
326  .name = "tls",
327  .url_open2 = tls_open,
328  .url_read = tls_read,
329  .url_write = tls_write,
330  .url_close = tls_close,
331  .url_get_file_handle = tls_get_file_handle,
332  .url_get_short_seek = tls_get_short_seek,
333  .priv_data_size = sizeof(TLSContext),
334  .flags = URL_PROTOCOL_FLAG_NETWORK,
335  .priv_data_class = &tls_class,
336 };
337 
338 static const AVClass dtls_class = {
339  .class_name = "dtls",
340  .item_name = av_default_item_name,
341  .option = options,
342  .version = LIBAVUTIL_VERSION_INT,
343 };
344 
345 const URLProtocol ff_dtls_protocol = {
346  .name = "dtls",
347  .url_open2 = dtls_open,
348  .url_read = tls_read,
349  .url_write = tls_write,
350  .url_close = tls_close,
351  .url_get_file_handle = tls_get_file_handle,
352  .url_get_short_seek = tls_get_short_seek,
353  .priv_data_size = sizeof(TLSContext),
354  .flags = URL_PROTOCOL_FLAG_NETWORK,
355  .priv_data_class = &dtls_class,
356 };
ff_gnutls_init
void ff_gnutls_init(void)
Definition: tls_gnutls.c:55
flags
const SwsFlags flags[]
Definition: swscale.c:61
AV_LOG_WARNING
#define AV_LOG_WARNING
Something somehow does not look correct.
Definition: log.h:216
TLSContext
Definition: tls_gnutls.c:45
AVERROR
Filter the word “frame” indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later. That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another. Frame references ownership and permissions
opt.h
URL_PROTOCOL_FLAG_NETWORK
#define URL_PROTOCOL_FLAG_NETWORK
Definition: url.h:33
gnutls_url_pull
static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport, void *buf, size_t len)
Definition: tls_gnutls.c:116
thread.h
AVERROR_EOF
#define AVERROR_EOF
End of file.
Definition: error.h:57
ffurl_write
static int ffurl_write(URLContext *h, const uint8_t *buf, int size)
Write size bytes from buf to the resource accessed by h.
Definition: url.h:202
print_tls_error
static int print_tls_error(URLContext *h, int ret)
Definition: tls_gnutls.c:73
AVOption
AVOption.
Definition: opt.h:429
tls_class
static const AVClass tls_class
Definition: tls_gnutls.c:318
tls_write
static int tls_write(URLContext *h, const uint8_t *buf, int size)
Definition: tls_gnutls.c:284
AVDictionary
Definition: dict.c:32
URLProtocol
Definition: url.h:51
os_support.h
ff_mutex_unlock
static int ff_mutex_unlock(AVMutex *mutex)
Definition: thread.h:189
TLSContext::cred
gnutls_certificate_credentials_t cred
Definition: tls_gnutls.c:48
TLS_COMMON_OPTIONS
#define TLS_COMMON_OPTIONS(pstruct, options_field)
Definition: tls.h:88
fail
#define fail()
Definition: checkasm.h:201
ffurl_get_short_seek
int ffurl_get_short_seek(void *urlcontext)
Return the current short seek threshold value for this URL.
Definition: avio.c:839
gnutls_mutex
static AVMutex gnutls_mutex
Definition: tls_gnutls.c:53
ff_check_interrupt
int ff_check_interrupt(AVIOInterruptCB *cb)
Check if the user has requested to interrupt a blocking function associated with cb.
Definition: avio.c:855
tls_open
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_gnutls.c:152
AV_LOG_ERROR
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
Definition: log.h:210
AVMutex
#define AVMutex
Definition: thread.h:184
s
#define s(width, name)
Definition: cbs_vp9.c:198
URLContext::flags
int flags
Definition: url.h:40
dtls_class
static const AVClass dtls_class
Definition: tls_gnutls.c:338
tls_close
static int tls_close(URLContext *h)
Definition: tls_gnutls.c:100
LIBAVUTIL_VERSION_INT
#define LIBAVUTIL_VERSION_INT
Definition: version.h:85
AVClass
Describe the class of an AVClass context structure.
Definition: log.h:76
NULL
#define NULL
Definition: coverity.c:32
av_default_item_name
const char * av_default_item_name(void *ptr)
Return the context name.
Definition: log.c:241
options
Definition: swscale.c:43
c
Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
Definition: undefined.txt:32
av_err2str
#define av_err2str(errnum)
Convenience macro, the return value should be used only directly in function arguments but never stan...
Definition: error.h:122
AV_MUTEX_INITIALIZER
#define AV_MUTEX_INITIALIZER
Definition: thread.h:185
size
int size
Definition: twinvq_data.h:10344
TLSContext::tls_shared
TLSShared tls_shared
Definition: tls_gnutls.c:46
URLProtocol::name
const char * name
Definition: url.h:52
TLSContext::io_err
int io_err
Definition: tls_gnutls.c:50
tls_get_file_handle
static int tls_get_file_handle(URLContext *h)
Definition: tls_gnutls.c:301
gnutls_url_push
static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport, const void *buf, size_t len)
Definition: tls_gnutls.c:134
ff_mutex_lock
static int ff_mutex_lock(AVMutex *mutex)
Definition: thread.h:188
tls_get_short_seek
static int tls_get_short_seek(URLContext *h)
Definition: tls_gnutls.c:307
URLContext
Definition: url.h:35
dtls_open
static int dtls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_gnutls.c:259
ff_tls_protocol
const URLProtocol ff_tls_protocol
Definition: tls_gnutls.c:325
url.h
len
int len
Definition: vorbis_enc_data.h:426
ffurl_closep
int ffurl_closep(URLContext **hh)
Close the resource accessed by the URLContext h, and free the memory used by it.
Definition: avio.c:589
ff_tls_open_underlying
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
Definition: tls.c:69
ret
ret
Definition: filter_design.txt:187
AVClass::class_name
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
Definition: log.h:81
avformat.h
network.h
tls.h
status
ov_status_e status
Definition: dnn_backend_openvino.c:100
ff_dtls_protocol
const URLProtocol ff_dtls_protocol
Definition: tls_gnutls.c:345
TLSContext::need_shutdown
int need_shutdown
Definition: tls_gnutls.c:49
options
static const AVOption options[]
Definition: tls_gnutls.c:313
tls_read
static int tls_read(URLContext *h, uint8_t *buf, int size)
Definition: tls_gnutls.c:267
TLSContext::session
gnutls_session_t session
Definition: tls_gnutls.c:47
TLSShared
Definition: tls.h:37
AVIO_FLAG_NONBLOCK
#define AVIO_FLAG_NONBLOCK
Use non-blocking mode.
Definition: avio.h:636
av_log
#define av_log(a,...)
Definition: tableprint_vlc.h:27
h
h
Definition: vp9dsp_template.c:2070
AVERROR_EXIT
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
Definition: error.h:58
ff_gnutls_deinit
void ff_gnutls_deinit(void)
Definition: tls_gnutls.c:66
ffurl_get_file_handle
int ffurl_get_file_handle(URLContext *h)
Return the file descriptor associated with this URL.
Definition: avio.c:815
ffurl_read
static int ffurl_read(URLContext *h, uint8_t *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf.
Definition: url.h:181
Generated on Tue Sep 23 2025 19:22:59 for FFmpeg by   doxygen 1.8.17