1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include <errno.h>
23 
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26 
27 #include "avformat.h"
28 #include "network.h"
29 #include "os_support.h"
30 #include "url.h"
31 #include "tls.h"
32 #include "libavutil/opt.h"
33 #include "libavutil/thread.h"
34 
35 #ifndef GNUTLS_VERSION_NUMBER
36 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
37 #endif
38 
39 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
40 #include <gcrypt.h>
41 GCRY_THREAD_OPTION_PTHREAD_IMPL;
42 #endif
43 
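/*
 * Per-connection private data for the GnuTLS "tls" protocol.
 * Allocated (zeroed) by the URLContext machinery; tls_open() fills it in and
 * tls_close() releases everything it points to.
 */
typedef struct TLSContext {
    const AVClass *class;
    /* Backend-independent TLS options plus the underlying TCP URLContext;
     * filled by ff_tls_open_underlying() in tls.c and bound to the option
     * table via TLS_COMMON_OPTIONS(TLSContext, tls_shared). */
    TLSShared tls_shared;
    gnutls_session_t session;
    gnutls_certificate_credentials_t cred;
    /* Set once the handshake has completed, i.e. a close_notify alert must be
     * sent from tls_close(); stays 0 on the tls_open() failure path. */
    int need_shutdown;
    /* AVERROR code recorded by the pull/push transport callbacks when the TCP
     * layer fails, so print_tls_error() can report the real cause instead of a
     * generic GnuTLS "push/pull error". Cleared once reported. */
    int io_err;
} TLSContext;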
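
/* Serialises the paired gnutls_global_init()/gnutls_global_deinit() calls
 * issued by concurrent tls_open()/tls_close() callers. */
static AVMutex gnutls_mutex = AV_MUTEX_INITIALIZER;

/*
 * Library-level initialisation, called once per tls_open(); intended to be
 * balanced by ff_gnutls_deinit() when the connection is closed.
 *
 * Holding gnutls_mutex around the global init keeps two connections opened
 * from different threads from racing inside GnuTLS's process-wide state.
 */
void ff_gnutls_init(void)
{
    ff_mutex_lock(&gnutls_mutex);
#if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
    /* Old GnuTLS (pre 2.11) delegates locking to libgcrypt, which must be
     * told to use pthread callbacks before its first use -- unless another
     * component of the process has already initialised it. Note that the
     * gcrypt include above is gated on "<= 0x020b00", so for exactly 2.11.0
     * the thread-callback table is defined but never installed. */
    if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
        gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
#endif
    gnutls_global_init();
    ff_mutex_unlock(&gnutls_mutex);
}

/*
 * Counterpart of ff_gnutls_init(); drops one reference on the GnuTLS global
 * state under the same lock.
 */
void ff_gnutls_deinit(void)
{
    ff_mutex_lock(&gnutls_mutex);
    gnutls_global_deinit();
    ff_mutex_unlock(&gnutls_mutex);
}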
72 
/*
 * Translate a GnuTLS return code into an AVERROR for the caller, logging it
 * at a level that matches its severity.
 *
 * GNUTLS_E_AGAIN is mapped straight to AVERROR(EAGAIN) so non-blocking
 * callers can simply retry. For every other code the function first logs the
 * GnuTLS message (errors at AV_LOG_ERROR, a received warning alert at
 * AV_LOG_WARNING, GNUTLS_E_INTERRUPTED and GNUTLS_E_PREMATURE_TERMINATION not
 * at all), then decides what to return: if the transport callbacks parked a
 * real I/O error in io_err that error is reported and returned (and io_err is
 * reset for the next call), otherwise the result is AVERROR(EIO).
 *
 * Note that GNUTLS_E_PREMATURE_TERMINATION -- the peer vanished without a
 * close_notify alert -- is silent but is still turned into a failure, never
 * into a clean EOF, so a truncated stream is not mistaken for a complete one.
 */
static int print_tls_error(URLContext *h, int ret)
{
    TLSContext *c = h->priv_data;
    int level = AV_LOG_ERROR;   /* log level for the GnuTLS message */
    int quiet = 0;              /* set when the code is not worth logging */

    if (ret == GNUTLS_E_AGAIN)
        return AVERROR(EAGAIN);

    if (ret == GNUTLS_E_INTERRUPTED)
        quiet = 1;
#ifdef GNUTLS_E_PREMATURE_TERMINATION
    else if (ret == GNUTLS_E_PREMATURE_TERMINATION)
        quiet = 1;
#endif
    else if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED)
        level = AV_LOG_WARNING;

    if (!quiet)
        av_log(h, level, "%s\n", gnutls_strerror(ret));

    if (c->io_err) {
        /* The TCP layer failed underneath GnuTLS; its error is the root cause. */
        int io_err = c->io_err;
        c->io_err = 0;
        av_log(h, AV_LOG_ERROR, "IO error: %s\n", av_err2str(io_err));
        return io_err;
    }

    return AVERROR(EIO);
}
99 
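/*
 * Tear down the TLS session and the TCP transport beneath it.
 *
 * A close_notify alert is only sent when the handshake completed
 * (need_shutdown); GNUTLS_SHUT_WR sends our alert without waiting for the
 * peer's, so teardown does not hang on an unresponsive peer. Every step is
 * guarded, so the function is safe on a partially initialised context (the
 * tls_open() failure path) where session, cred or the TCP handle may still
 * be NULL. Pointers are cleared after release as use-after-free hygiene.
 *
 * Ends with ff_gnutls_deinit() to balance the ff_gnutls_init() issued at the
 * start of tls_open(). Always returns 0.
 */
static int tls_close(URLContext *h)
{
    TLSContext *c = h->priv_data;

    if (c->need_shutdown) {
        gnutls_bye(c->session, GNUTLS_SHUT_WR);
        c->need_shutdown = 0;
    }
    if (c->session) {
        gnutls_deinit(c->session);
        c->session = NULL;
    }
    if (c->cred) {
        gnutls_certificate_free_credentials(c->cred);
        c->cred = NULL;
    }
    ffurl_closep(&c->tls_shared.tcp);
    ff_gnutls_deinit();
    return 0;
}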
113 
/*
 * GnuTLS pull (read) transport callback: read up to len bytes from the TCP
 * URLContext into buf.
 *
 * GnuTLS expects the POSIX read() contract, so FFmpeg's negative AVERROR
 * results are translated: EAGAIN in errno for "would block", EIO for any
 * other failure -- with the precise AVERROR stashed in io_err so that
 * print_tls_error() can surface it. AVERROR_EXIT (the caller's interrupt
 * callback fired) is reported as a zero-length read, i.e. end of stream.
 */
static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
                               void *buf, size_t len)
{
    TLSContext *c = transport;
    /* NOTE(review): ffurl_read() takes an int size; len is narrowed here
     * without a bound check. */
    int n = ffurl_read(c->tls_shared.tcp, buf, len);

    if (n >= 0)
        return n;

    switch (n) {
    case AVERROR_EXIT:
        return 0;
    case AVERROR(EAGAIN):
        errno = EAGAIN;
        break;
    default:
        c->io_err = n;
        errno = EIO;
        break;
    }
    return -1;
}
131 
/*
 * GnuTLS push (write) transport callback: write len bytes from buf to the
 * TCP URLContext.
 *
 * Mirror image of gnutls_url_pull(): a non-negative result is the byte count,
 * AVERROR_EXIT becomes a zero-length write, AVERROR(EAGAIN) sets errno to
 * EAGAIN and any other AVERROR sets errno to EIO while the original code is
 * kept in io_err for print_tls_error().
 */
static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
                               const void *buf, size_t len)
{
    TLSContext *c = transport;
    /* NOTE(review): ffurl_write() takes an int size; len is narrowed here
     * without a bound check. */
    int n = ffurl_write(c->tls_shared.tcp, buf, len);

    if (n >= 0)
        return n;

    switch (n) {
    case AVERROR_EXIT:
        return 0;
    case AVERROR(EAGAIN):
        errno = EAGAIN;
        break;
    default:
        c->io_err = n;
        errno = EIO;
        break;
    }
    return -1;
}
149 
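/*
 * Configure the certificate credentials for this connection: trust anchors
 * (the configured CA file, else the system store on GnuTLS >= 3.0.20),
 * verification flags, and -- when both are given -- the local cert/key pair.
 *
 * Returns 0 or a negative AVERROR. On failure p->cred may already be
 * allocated; tls_open()'s fail path releases it through tls_close().
 */
static int tls_setup_credentials(URLContext *h)
{
    TLSContext *p = h->priv_data;
    TLSShared *c = &p->tls_shared;
    int ret;

    ret = gnutls_certificate_allocate_credentials(&p->cred);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "Unable to allocate credentials: %s\n",
               gnutls_strerror(ret));
        return AVERROR(EIO);
    }

    if (c->ca_file) {
        /* A CA file that fails to load is only logged: with tls_verify set
         * there are then no anchors to chain to, so verification of the peer
         * fails later on; with tls_verify unset the anchors are irrelevant. */
        ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file,
                                                     GNUTLS_X509_FMT_PEM);
        if (ret < 0)
            av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
    }
#if GNUTLS_VERSION_NUMBER >= 0x030020
    else
        gnutls_certificate_set_x509_system_trust(p->cred);
#endif

    /* Tolerate legacy X.509v1 CA roots when verifying; with verification
     * off no flags matter since the chain is never checked. */
    gnutls_certificate_set_verify_flags(p->cred, c->verify ?
                                        GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);

    if (c->cert_file && c->key_file) {
        ret = gnutls_certificate_set_x509_key_file(p->cred,
                                                   c->cert_file, c->key_file,
                                                   GNUTLS_X509_FMT_PEM);
        if (ret < 0) {
            av_log(h, AV_LOG_ERROR,
                   "Unable to set cert/key files %s and %s: %s\n",
                   c->cert_file, c->key_file, gnutls_strerror(ret));
            return AVERROR(EIO);
        }
    } else if (c->cert_file || c->key_file) {
        /* Half a key pair is a configuration error; refuse rather than
         * proceed without the identity the caller asked for. */
        av_log(h, AV_LOG_ERROR, "cert and key required\n");
        return AVERROR(EINVAL);
    }

    return 0;
}

/*
 * Post-handshake peer authentication, run only when tls_verify is set:
 * validate the certificate chain against the loaded trust anchors, then
 * check that the leaf certificate is issued for the configured host.
 *
 * Returns 0 when the peer is acceptable, a negative AVERROR otherwise.
 */
static int tls_verify_peer(URLContext *h)
{
    TLSContext *p = h->priv_data;
    TLSShared *c = &p->tls_shared;
    unsigned int status, cert_list_size = 0;
    const gnutls_datum_t *cert_list;
    gnutls_x509_crt_t cert;
    int ret;

    ret = gnutls_certificate_verify_peers2(p->session, &status);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
               gnutls_strerror(ret));
        return AVERROR(EIO);
    }
    /* GnuTLS raises GNUTLS_CERT_INVALID together with any more specific
     * failure bit, so this single test covers every chain problem. */
    if (status & GNUTLS_CERT_INVALID) {
        av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
        return AVERROR(EIO);
    }
    if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
        av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
        return AVERROR(EIO);
    }

    /* A valid chain says nothing about *whom* the certificate names; without
     * the hostname match any trusted certificate would do for any host. */
    cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
    if (!cert_list || cert_list_size == 0) {
        av_log(h, AV_LOG_ERROR, "Peer sent no certificate\n");
        return AVERROR(EIO);
    }
    ret = gnutls_x509_crt_init(&cert);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
        return AVERROR(EIO);
    }
    /* Only the leaf (first entry of the list) is checked against the host. */
    ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "Unable to parse peer certificate: %s\n",
               gnutls_strerror(ret));
        gnutls_x509_crt_deinit(cert);
        return AVERROR(EIO);
    }
    ret = gnutls_x509_crt_check_hostname(cert, c->host);
    gnutls_x509_crt_deinit(cert);
    if (!ret) {
        av_log(h, AV_LOG_ERROR,
               "The certificate's owner does not match hostname %s\n", c->host);
        return AVERROR(EIO);
    }

    return 0;
}

/*
 * Open a TLS connection over the TCP transport produced by
 * ff_tls_open_underlying(), perform the handshake and -- when tls_verify is
 * set -- authenticate the peer (chain + hostname).
 *
 * Returns 0 on success or a negative AVERROR; on any failure everything
 * acquired so far, including the GnuTLS global reference taken by
 * ff_gnutls_init(), is released via tls_close().
 */
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
{
    TLSContext *p = h->priv_data;
    TLSShared *c = &p->tls_shared;
    int ret;

    ff_gnutls_init();

    if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
        goto fail;

    ret = gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "Unable to create TLS session: %s\n",
               gnutls_strerror(ret));
        ret = AVERROR(EIO);
        goto fail;
    }
    /* SNI: name the virtual host we want, except for literal IP addresses,
     * which must not be sent as a DNS server name. */
    if (!c->listen && !c->numerichost)
        gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));

    if ((ret = tls_setup_credentials(h)) < 0)
        goto fail;

    gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
    gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
    gnutls_transport_set_push_function(p->session, gnutls_url_push);
    gnutls_transport_set_ptr(p->session, p);
    ret = gnutls_set_default_priority(p->session);
    if (ret < 0) {
        av_log(h, AV_LOG_ERROR, "Unable to set TLS priorities: %s\n",
               gnutls_strerror(ret));
        ret = AVERROR(EIO);
        goto fail;
    }

    /* gnutls_handshake() may return non-fatal codes (GNUTLS_E_AGAIN,
     * GNUTLS_E_INTERRUPTED, a warning alert) before it completes; retry
     * until it returns 0, honouring the caller's interrupt callback so an
     * unresponsive peer cannot block the open forever. */
    do {
        if (ff_check_interrupt(&h->interrupt_callback)) {
            ret = AVERROR_EXIT;
            goto fail;
        }

        ret = gnutls_handshake(p->session);
        if (gnutls_error_is_fatal(ret)) {
            ret = print_tls_error(h, ret);
            goto fail;
        }
    } while (ret);
    /* From here on tls_close() must send a close_notify alert. */
    p->need_shutdown = 1;

    /* With tls_verify unset nothing below runs: the link is encrypted but the
     * peer is not authenticated in any way. */
    if (c->verify) {
        /* NOTE(review): in listen mode nothing here requests a client
         * certificate and c->host is the local bind address, so a verifying
         * server is not expected to succeed -- confirm before relying on it. */
        if ((ret = tls_verify_peer(h)) < 0)
            goto fail;
    }

    return 0;
fail:
    tls_close(h);
    return ret;
}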
245 
/*
 * Read up to size bytes of plaintext from the TLS session into buf.
 *
 * Before calling into GnuTLS the caller's AVIO_FLAG_NONBLOCK is mirrored onto
 * the underlying TCP handle, so the pull callback blocks (or not) exactly as
 * this call is expected to. A positive result is the byte count, 0 from
 * GnuTLS (clean close_notify) becomes AVERROR_EOF, and negative codes are
 * mapped by print_tls_error() (AVERROR(EAGAIN) when the transport would
 * block).
 */
static int tls_read(URLContext *h, uint8_t *buf, int size)
{
    TLSContext *c = h->priv_data;
    URLContext *tcp = c->tls_shared.tcp;
    int n;

    if (h->flags & AVIO_FLAG_NONBLOCK)
        tcp->flags |= AVIO_FLAG_NONBLOCK;
    else
        tcp->flags &= ~AVIO_FLAG_NONBLOCK;

    n = gnutls_record_recv(c->session, buf, size);
    if (n == 0)
        return AVERROR_EOF;
    if (n < 0)
        return print_tls_error(h, n);
    return n;
}
260 
/*
 * Encrypt and send size bytes from buf over the TLS session.
 *
 * Same shape as tls_read(): the caller's AVIO_FLAG_NONBLOCK is copied onto the
 * TCP handle first; a positive result is the number of bytes accepted, a
 * zero result is reported as AVERROR_EOF, and negative GnuTLS codes go
 * through print_tls_error().
 */
static int tls_write(URLContext *h, const uint8_t *buf, int size)
{
    TLSContext *c = h->priv_data;
    URLContext *tcp = c->tls_shared.tcp;
    int n;

    if (h->flags & AVIO_FLAG_NONBLOCK)
        tcp->flags |= AVIO_FLAG_NONBLOCK;
    else
        tcp->flags &= ~AVIO_FLAG_NONBLOCK;

    n = gnutls_record_send(c->session, buf, size);
    if (n == 0)
        return AVERROR_EOF;
    if (n < 0)
        return print_tls_error(h, n);
    return n;
}
275 
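/*
 * Expose the file descriptor of the underlying TCP connection, so callers
 * can poll() it; there is no separate descriptor for the TLS layer.
 */
static int tls_get_file_handle(URLContext *h)
{
    TLSContext *c = h->priv_data;
    return ffurl_get_file_handle(c->tls_shared.tcp);
}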
281 
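/*
 * Forward the short-seek threshold query to the underlying TCP URLContext;
 * the TLS layer adds no seeking behaviour of its own.
 */
static int tls_get_short_seek(URLContext *h)
{
    TLSContext *s = h->priv_data;
    return ffurl_get_short_seek(s->tls_shared.tcp);
}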
287 
/* Option table: only the backend-independent TLS options declared in tls.h
 * (CA file, cert/key files, tls_verify, listen, ...), bound to the tls_shared
 * member of TLSContext. */
static const AVOption options[] = {
    TLS_COMMON_OPTIONS(TLSContext, tls_shared),
    { NULL }
};
292 
/* AVClass of the "tls" protocol: hooks the option table above into the
 * AVOption system and gives log messages their context name. */
static const AVClass tls_class = {
    .class_name = "tls",
    .option     = options,
    .item_name  = av_default_item_name,
    .version    = LIBAVUTIL_VERSION_INT,
};
299 
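/* Registration of the GnuTLS-backed "tls" URL protocol. */
const URLProtocol ff_tls_protocol = {
    .name                = "tls",
    .url_open2           = tls_open,
    .url_read            = tls_read,
    .url_write           = tls_write,
    .url_close           = tls_close,
    .url_get_file_handle = tls_get_file_handle,
    .url_get_short_seek  = tls_get_short_seek,
    .priv_data_size      = sizeof(TLSContext),
    .flags               = URL_PROTOCOL_FLAG_NETWORK,
    .priv_data_class     = &tls_class,
};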