|
FFmpeg
|
#include "libavutil/mem.h"#include "network.h"#include "os_support.h"#include "libavutil/random_seed.h"#include "url.h"#include "tls.h"#include "libavutil/opt.h"#include <openssl/bio.h>#include <openssl/ssl.h>#include <openssl/err.h>#include "libavutil/thread.h"Go to the source code of this file.
Data Structures | |
| struct | TLSContext |
Macros | |
| #define | GET_BIO_DATA(x) (x)->ptr |
Functions | |
| static char * | pkey_to_pem_string (EVP_PKEY *pkey) |
| Returns a heap‐allocated null‐terminated string containing the PEM‐encoded public key. More... | |
| static char * | cert_to_pem_string (X509 *cert) |
| Serialize an X509 certificate to a av_malloc’d PEM string. More... | |
| static char * | generate_fingerprint (X509 *cert) |
| Generate a SHA-256 fingerprint of an X.509 certificate. More... | |
| int | ff_ssl_read_key_cert (char *key_url, char *cert_url, char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint) |
| static int | openssl_gen_private_key (EVP_PKEY **pkey, EC_KEY **eckey) |
| static int | openssl_gen_certificate (EVP_PKEY *pkey, X509 **cert, char **fingerprint) |
| int | ff_ssl_gen_key_cert (char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint) |
| static EVP_PKEY * | pkey_from_pem_string (const char *pem_str, int is_priv) |
| Deserialize a PEM‐encoded private or public key from a NUL-terminated C string. More... | |
| static X509 * | cert_from_pem_string (const char *pem_str) |
| Deserialize a PEM‐encoded certificate from a NUL-terminated C string. More... | |
| static const char * | openssl_get_error (TLSContext *ctx) |
| Retrieves the error message for the latest OpenSSL error. More... | |
| int | ff_dtls_set_udp (URLContext *h, URLContext *udp) |
| int | ff_dtls_export_materials (URLContext *h, char *dtls_srtp_materials, size_t materials_sz) |
| int | ff_dtls_state (URLContext *h) |
| int | ff_openssl_init (void) |
| void | ff_openssl_deinit (void) |
| static int | print_ssl_error (URLContext *h, int ret) |
| static int | tls_close (URLContext *h) |
| static int | url_bio_create (BIO *b) |
| static int | url_bio_destroy (BIO *b) |
| static int | url_bio_bread (BIO *b, char *buf, int len) |
| static int | url_bio_bwrite (BIO *b, const char *buf, int len) |
| static long | url_bio_ctrl (BIO *b, int cmd, long num, void *ptr) |
| static int | url_bio_bputs (BIO *b, const char *str) |
| static av_cold void | init_bio_method (URLContext *h) |
| static void | openssl_info_callback (const SSL *ssl, int where, int ret) |
| static int | openssl_dtls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx) |
| Always return 1 to accept any certificate. More... | |
| static int | dtls_handshake (URLContext *h) |
| static av_cold int | openssl_init_ca_key_cert (URLContext *h) |
| static int | dtls_start (URLContext *h, const char *url, int flags, AVDictionary **options) |
| Once the DTLS role has been negotiated - active for the DTLS client or passive for the DTLS server - we proceed to set up the DTLS state and initiate the handshake. More... | |
| static av_cold int | dtls_close (URLContext *h) |
| Cleanup the DTLS context. More... | |
| static int | tls_open (URLContext *h, const char *uri, int flags, AVDictionary **options) |
| static int | tls_read (URLContext *h, uint8_t *buf, int size) |
| static int | tls_write (URLContext *h, const uint8_t *buf, int size) |
| static int | tls_get_file_handle (URLContext *h) |
| static int | tls_get_short_seek (URLContext *h) |
Variables | |
| static AVMutex | openssl_mutex = AV_MUTEX_INITIALIZER |
| static int | openssl_init |
| static BIO_METHOD | url_bio_method |
| static const AVOption | options [] |
| static const AVClass | tls_class |
| const URLProtocol | ff_tls_protocol |
| static const AVClass | dtls_class |
| const URLProtocol | ff_dtls_protocol |
| #define GET_BIO_DATA | ( | x | ) | (x)->ptr |
Definition at line 672 of file tls_openssl.c.
|
static |
Returns a heap‐allocated null‐terminated string containing the PEM‐encoded public key.
Caller must free.
Definition at line 39 of file tls_openssl.c.
Referenced by ff_ssl_gen_key_cert(), and ff_ssl_read_key_cert().
|
static |
Serialize an X509 certificate to a av_malloc’d PEM string.
Caller must free the returned pointer.
Definition at line 81 of file tls_openssl.c.
Referenced by ff_ssl_gen_key_cert(), and ff_ssl_read_key_cert().
|
static |
Generate a SHA-256 fingerprint of an X.509 certificate.
| ctx | AVFormatContext for logging (can be NULL) |
| cert | X509 certificate to fingerprint |
Definition at line 122 of file tls_openssl.c.
Referenced by ff_ssl_read_key_cert(), and openssl_gen_certificate().
| int ff_ssl_read_key_cert | ( | char * | key_url, |
| char * | cert_url, | ||
| char * | key_buf, | ||
| size_t | key_sz, | ||
| char * | cert_buf, | ||
| size_t | cert_sz, | ||
| char ** | fingerprint | ||
| ) |
Definition at line 159 of file tls_openssl.c.
Referenced by certificate_key_init().
|
static |
Note that secp256r1 in openssl is called NID_X9_62_prime256v1 or prime256v1 in string, not NID_secp256k1 or secp256k1 in string.
TODO: Should choose the curves in ClientHello.supported_groups, for example: Supported Group: x25519 (0x001d) Supported Group: secp256r1 (0x0017) Supported Group: secp384r1 (0x0018)
Definition at line 236 of file tls_openssl.c.
Referenced by ff_ssl_gen_key_cert().
|
static |
Definition at line 302 of file tls_openssl.c.
Referenced by ff_ssl_gen_key_cert().
| int ff_ssl_gen_key_cert | ( | char * | key_buf, |
| size_t | key_sz, | ||
| char * | cert_buf, | ||
| size_t | cert_sz, | ||
| char ** | fingerprint | ||
| ) |
Definition at line 381 of file tls_openssl.c.
Referenced by certificate_key_init().
|
static |
Deserialize a PEM‐encoded private or public key from a NUL-terminated C string.
| pem_str | The PEM text, e.g. "-----BEGIN PRIVATE KEY-----\n…\n-----END PRIVATE KEY-----\n" |
| is_priv | If non-zero, parse as a PRIVATE key; otherwise, parse as a PUBLIC key. |
Definition at line 416 of file tls_openssl.c.
Referenced by openssl_init_ca_key_cert().
|
static |
Deserialize a PEM‐encoded certificate from a NUL-terminated C string.
| pem_str | The PEM text, e.g. "-----BEGIN CERTIFICATE-----\n…\n-----END CERTIFICATE-----\n" |
Definition at line 446 of file tls_openssl.c.
Referenced by openssl_init_ca_key_cert().
|
static |
Retrieves the error message for the latest OpenSSL error.
This function retrieves the error code from the thread's error queue, converts it to a human-readable string, and stores it in the TLSContext's error_message field. The error queue is then cleared using ERR_clear_error().
Definition at line 485 of file tls_openssl.c.
Referenced by dtls_handshake(), dtls_start(), ff_dtls_export_materials(), openssl_init_ca_key_cert(), and tls_open().
| int ff_dtls_set_udp | ( | URLContext * | h, |
| URLContext * | udp | ||
| ) |
Definition at line 497 of file tls_openssl.c.
Referenced by dtls_initialize().
| int ff_dtls_export_materials | ( | URLContext * | h, |
| char * | dtls_srtp_materials, | ||
| size_t | materials_sz | ||
| ) |
Definition at line 504 of file tls_openssl.c.
Referenced by setup_srtp().
| int ff_dtls_state | ( | URLContext * | h | ) |
Definition at line 519 of file tls_openssl.c.
Referenced by dtls_context_on_state().
| int ff_openssl_init | ( | void | ) |
Definition at line 557 of file tls_openssl.c.
Referenced by ff_tls_init(), and tls_open().
| void ff_openssl_deinit | ( | void | ) |
Definition at line 587 of file tls_openssl.c.
Referenced by ff_tls_deinit(), and tls_close().
|
static |
Definition at line 606 of file tls_openssl.c.
Referenced by tls_open(), tls_read(), and tls_write().
|
static |
Definition at line 630 of file tls_openssl.c.
Referenced by tls_open().
|
static |
Definition at line 650 of file tls_openssl.c.
Referenced by init_bio_method().
|
static |
Definition at line 664 of file tls_openssl.c.
Referenced by init_bio_method().
|
static |
Definition at line 675 of file tls_openssl.c.
Referenced by init_bio_method().
|
static |
Definition at line 691 of file tls_openssl.c.
Referenced by init_bio_method(), and url_bio_bputs().
|
static |
Definition at line 707 of file tls_openssl.c.
Referenced by init_bio_method().
|
static |
Definition at line 716 of file tls_openssl.c.
Referenced by init_bio_method().
|
static |
Definition at line 735 of file tls_openssl.c.
Referenced by dtls_start(), and tls_open().
|
static |
Definition at line 756 of file tls_openssl.c.
Referenced by dtls_start(), and tls_open().
|
static |
Always return 1 to accept any certificate.
This is because we allow the peer to use a temporary self-signed certificate for DTLS.
Definition at line 779 of file tls_openssl.c.
Referenced by dtls_start().
|
static |
Definition at line 784 of file tls_openssl.c.
Referenced by dtls_start().
|
static |
Definition at line 810 of file tls_openssl.c.
Referenced by dtls_start(), and tls_open().
|
static |
Once the DTLS role has been negotiated - active for the DTLS client or passive for the DTLS server - we proceed to set up the DTLS state and initiate the handshake.
The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c. The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c.
We activate "ALL" cipher suites to align with the peer's capabilities, ensuring maximum compatibility.
We have set the MTU to fragment the DTLS packet. It is important to note that the packet is split to ensure that each handshake packet is smaller than the MTU.
During initialization, we only need to call SSL_do_handshake once because SSL_read consumes the handshake message if the handshake is incomplete. To simplify maintenance, we initiate the handshake for both the DTLS server and client after sending out the ICE response in the start_active_handshake function. It's worth noting that although the DTLS server may receive the ClientHello immediately after sending out the ICE response, this shouldn't be an issue as the handshake function is called before any DTLS packets are received.
The SSL_do_handshake can't be called if DTLS hasn't prepare for udp.
Definition at line 873 of file tls_openssl.c.
|
static |
Cleanup the DTLS context.
Definition at line 1019 of file tls_openssl.c.
|
static |
Definition at line 1031 of file tls_openssl.c.
|
static |
Definition at line 1089 of file tls_openssl.c.
|
static |
Definition at line 1106 of file tls_openssl.c.
|
static |
Definition at line 1123 of file tls_openssl.c.
|
static |
Definition at line 1129 of file tls_openssl.c.
|
static |
Definition at line 533 of file tls_openssl.c.
Referenced by ff_openssl_deinit(), and ff_openssl_init().
|
static |
Definition at line 535 of file tls_openssl.c.
Referenced by ff_openssl_deinit(), and ff_openssl_init().
|
static |
Definition at line 722 of file tls_openssl.c.
Referenced by init_bio_method().
Definition at line 1135 of file tls_openssl.c.
|
static |
Definition at line 1140 of file tls_openssl.c.
| const URLProtocol ff_tls_protocol |
Definition at line 1147 of file tls_openssl.c.
|
static |
Definition at line 1160 of file tls_openssl.c.
| const URLProtocol ff_dtls_protocol |
Definition at line 1167 of file tls_openssl.c.
1.8.17