FFmpeg
Data Structures | Functions | Variables
tls_openssl.c File Reference
#include "libavutil/avassert.h"
#include "libavutil/mem.h"
#include "network.h"
#include "os_support.h"
#include "libavutil/random_seed.h"
#include "url.h"
#include "tls.h"
#include "libavutil/opt.h"
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>

Go to the source code of this file.

Data Structures

struct  TLSContext
 

Functions

static int pkey_to_pem_string (EVP_PKEY *pkey, char *out, size_t out_sz)
 Convert an EVP_PKEY to a PEM string. More...
 
static int cert_to_pem_string (X509 *cert, char *out, size_t out_sz)
 Convert an X509 certificate to a PEM string. More...
 
static int x509_fingerprint (X509 *cert, char **fingerprint)
 Generate a SHA-256 fingerprint of an X.509 certificate. More...
 
int ff_ssl_read_key_cert (char *key_url, char *cert_url, char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint)
 
static int openssl_gen_private_key (EVP_PKEY **pkey)
 
static int openssl_gen_certificate (EVP_PKEY *pkey, X509 **cert, char **fingerprint)
 
int ff_ssl_gen_key_cert (char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint)
 
static EVP_PKEY * pkey_from_pem_string (const char *pem_str, int is_priv)
 Deserialize a PEM-encoded private or public key from a NUL-terminated C string. More...
 
static X509 * cert_from_pem_string (const char *pem_str)
 Deserialize a PEM-encoded certificate from a NUL-terminated C string. More...
 
static const char * openssl_get_error (TLSContext *c)
 Retrieves the error message for the latest OpenSSL error. More...
 
int ff_tls_set_external_socket (URLContext *h, URLContext *sock)
 
int ff_dtls_export_materials (URLContext *h, char *dtls_srtp_materials, size_t materials_sz)
 
static int print_ssl_error (URLContext *h, int ret)
 
static int tls_close (URLContext *h)
 
static int url_bio_create (BIO *b)
 
static int url_bio_destroy (BIO *b)
 
static int url_bio_bread (BIO *b, char *buf, int len)
 
static int url_bio_bwrite (BIO *b, const char *buf, int len)
 
static long url_bio_ctrl (BIO *b, int cmd, long num, void *ptr)
 
static int url_bio_bputs (BIO *b, const char *str)
 
static av_cold void init_bio_method (URLContext *h)
 
static void openssl_info_callback (const SSL *ssl, int where, int ret)
 
static int dtls_handshake (URLContext *h)
 
static av_cold int openssl_init_ca_key_cert (URLContext *h)
 
static int dtls_start (URLContext *h, const char *url, int flags, AVDictionary **options)
 Once the DTLS role has been negotiated - active for the DTLS client or passive for the DTLS server - we proceed to set up the DTLS state and initiate the handshake. More...
 
static int tls_open (URLContext *h, const char *uri, int flags, AVDictionary **options)
 
static int tls_read (URLContext *h, uint8_t *buf, int size)
 
static int tls_write (URLContext *h, const uint8_t *buf, int size)
 
static int tls_get_file_handle (URLContext *h)
 
static int tls_get_short_seek (URLContext *h)
 

Variables

static const AVOption options []
 
static const AVClass tls_class
 
const URLProtocol ff_tls_protocol
 
static const AVClass dtls_class
 
const URLProtocol ff_dtls_protocol
 

Function Documentation

◆ pkey_to_pem_string()

static int pkey_to_pem_string ( EVP_PKEY *  pkey,
char *  out,
size_t  out_sz 
)
static

Convert an EVP_PKEY to a PEM string.

Definition at line 40 of file tls_openssl.c.

Referenced by ff_ssl_gen_key_cert(), and ff_ssl_read_key_cert().

◆ cert_to_pem_string()

static int cert_to_pem_string ( X509 *  cert,
char *  out,
size_t  out_sz 
)
static

Convert an X509 certificate to a PEM string.

Definition at line 67 of file tls_openssl.c.

Referenced by ff_ssl_gen_key_cert(), and ff_ssl_read_key_cert().

◆ x509_fingerprint()

static int x509_fingerprint ( X509 *  cert,
char **  fingerprint 
)
static

Generate a SHA-256 fingerprint of an X.509 certificate.

Definition at line 95 of file tls_openssl.c.

Referenced by ff_ssl_read_key_cert(), and openssl_gen_certificate().

◆ ff_ssl_read_key_cert()

int ff_ssl_read_key_cert ( char *  key_url,
char *  cert_url,
char *  key_buf,
size_t  key_sz,
char *  cert_buf,
size_t  cert_sz,
char **  fingerprint 
)

Definition at line 116 of file tls_openssl.c.

◆ openssl_gen_private_key()

static int openssl_gen_private_key ( EVP_PKEY **  pkey)
static

Note that secp256r1 in openssl is called NID_X9_62_prime256v1 or prime256v1 in string, not NID_secp256k1 or secp256k1 in string.

TODO: Should choose the curves in ClientHello.supported_groups, for example: Supported Group: x25519 (0x001d) Supported Group: secp256r1 (0x0017) Supported Group: secp384r1 (0x0018)

Definition at line 185 of file tls_openssl.c.

Referenced by ff_ssl_gen_key_cert(), and openssl_init_ca_key_cert().

◆ openssl_gen_certificate()

static int openssl_gen_certificate ( EVP_PKEY *  pkey,
X509 **  cert,
char **  fingerprint 
)
static

Definition at line 259 of file tls_openssl.c.

Referenced by ff_ssl_gen_key_cert(), and openssl_init_ca_key_cert().

◆ ff_ssl_gen_key_cert()

int ff_ssl_gen_key_cert ( char *  key_buf,
size_t  key_sz,
char *  cert_buf,
size_t  cert_sz,
char **  fingerprint 
)

Definition at line 341 of file tls_openssl.c.

◆ pkey_from_pem_string()

static EVP_PKEY* pkey_from_pem_string ( const char *  pem_str,
int  is_priv 
)
static

Deserialize a PEM-encoded private or public key from a NUL-terminated C string.

Parameters
pem_strThe PEM text, e.g. "-----BEGIN PRIVATE KEY-----\n…\n-----END PRIVATE KEY-----\n"
is_privIf non-zero, parse as a PRIVATE key; otherwise, parse as a PUBLIC key.
Returns
EVP_PKEY* on success (must EVP_PKEY_free()), or NULL on error.

Definition at line 371 of file tls_openssl.c.

Referenced by openssl_init_ca_key_cert().

◆ cert_from_pem_string()

static X509* cert_from_pem_string ( const char *  pem_str)
static

Deserialize a PEM-encoded certificate from a NUL-terminated C string.

Parameters
pem_strThe PEM text, e.g. "-----BEGIN CERTIFICATE-----\n…\n-----END CERTIFICATE-----\n"
Returns
X509* on success (must X509_free()), or NULL on error.

Definition at line 401 of file tls_openssl.c.

Referenced by openssl_init_ca_key_cert().

◆ openssl_get_error()

static const char* openssl_get_error ( TLSContext c)
static

Retrieves the error message for the latest OpenSSL error.

This function retrieves the error code from the thread's error queue, converts it to a human-readable string, and stores it in the TLSContext's error_message field. The error queue is then cleared using ERR_clear_error().

Definition at line 439 of file tls_openssl.c.

Referenced by dtls_start(), ff_dtls_export_materials(), openssl_init_ca_key_cert(), and tls_open().

◆ ff_tls_set_external_socket()

int ff_tls_set_external_socket ( URLContext h,
URLContext sock 
)

Definition at line 451 of file tls_openssl.c.

◆ ff_dtls_export_materials()

int ff_dtls_export_materials ( URLContext h,
char *  dtls_srtp_materials,
size_t  materials_sz 
)

Definition at line 464 of file tls_openssl.c.

◆ print_ssl_error()

static int print_ssl_error ( URLContext h,
int  ret 
)
static

Definition at line 479 of file tls_openssl.c.

Referenced by dtls_handshake(), tls_open(), tls_read(), and tls_write().

◆ tls_close()

static int tls_close ( URLContext h)
static

Definition at line 503 of file tls_openssl.c.

Referenced by tls_open().

◆ url_bio_create()

static int url_bio_create ( BIO *  b)
static

Definition at line 519 of file tls_openssl.c.

Referenced by init_bio_method().

◆ url_bio_destroy()

static int url_bio_destroy ( BIO *  b)
static

Definition at line 527 of file tls_openssl.c.

Referenced by init_bio_method().

◆ url_bio_bread()

static int url_bio_bread ( BIO *  b,
char *  buf,
int  len 
)
static

Definition at line 532 of file tls_openssl.c.

Referenced by init_bio_method().

◆ url_bio_bwrite()

static int url_bio_bwrite ( BIO *  b,
const char *  buf,
int  len 
)
static

Definition at line 562 of file tls_openssl.c.

Referenced by init_bio_method(), and url_bio_bputs().

◆ url_bio_ctrl()

static long url_bio_ctrl ( BIO *  b,
int  cmd,
long  num,
void *  ptr 
)
static

Definition at line 578 of file tls_openssl.c.

Referenced by init_bio_method().

◆ url_bio_bputs()

static int url_bio_bputs ( BIO *  b,
const char *  str 
)
static

Definition at line 587 of file tls_openssl.c.

Referenced by init_bio_method().

◆ init_bio_method()

static av_cold void init_bio_method ( URLContext h)
static

Definition at line 592 of file tls_openssl.c.

Referenced by dtls_start(), and tls_open().

◆ openssl_info_callback()

static void openssl_info_callback ( const SSL *  ssl,
int  where,
int  ret 
)
static

Definition at line 609 of file tls_openssl.c.

Referenced by dtls_start(), and tls_open().

◆ dtls_handshake()

static int dtls_handshake ( URLContext h)
static

Definition at line 628 of file tls_openssl.c.

Referenced by dtls_start().

◆ openssl_init_ca_key_cert()

static av_cold int openssl_init_ca_key_cert ( URLContext h)
static

Definition at line 657 of file tls_openssl.c.

Referenced by dtls_start(), and tls_open().

◆ dtls_start()

static int dtls_start ( URLContext h,
const char *  url,
int  flags,
AVDictionary **  options 
)
static

Once the DTLS role has been negotiated - active for the DTLS client or passive for the DTLS server - we proceed to set up the DTLS state and initiate the handshake.

The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c. The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c.

We have set the MTU to fragment the DTLS packet. It is important to note that the packet is split to ensure that each handshake packet is smaller than the MTU.

During initialization, we only need to call SSL_do_handshake once because SSL_read consumes the handshake message if the handshake is incomplete. To simplify maintenance, we initiate the handshake for both the DTLS server and client after sending out the ICE response in the start_active_handshake function. It's worth noting that although the DTLS server may receive the ClientHello immediately after sending out the ICE response, this shouldn't be an issue as the handshake function is called before any DTLS packets are received.

The SSL_do_handshake can't be called if DTLS hasn't prepare for udp.

Definition at line 745 of file tls_openssl.c.

◆ tls_open()

static int tls_open ( URLContext h,
const char *  uri,
int  flags,
AVDictionary **  options 
)
static

Definition at line 845 of file tls_openssl.c.

◆ tls_read()

static int tls_read ( URLContext h,
uint8_t *  buf,
int  size 
)
static

Definition at line 915 of file tls_openssl.c.

◆ tls_write()

static int tls_write ( URLContext h,
const uint8_t *  buf,
int  size 
)
static

Definition at line 932 of file tls_openssl.c.

◆ tls_get_file_handle()

static int tls_get_file_handle ( URLContext h)
static

Definition at line 954 of file tls_openssl.c.

◆ tls_get_short_seek()

static int tls_get_short_seek ( URLContext h)
static

Definition at line 961 of file tls_openssl.c.

Variable Documentation

◆ options

const AVOption options[]
static
Initial value:
= {
{ NULL }
}

Definition at line 968 of file tls_openssl.c.

◆ tls_class

const AVClass tls_class
static
Initial value:
= {
.class_name = "tls",
.item_name = av_default_item_name,
.option = options,
}

Definition at line 973 of file tls_openssl.c.

◆ ff_tls_protocol

const URLProtocol ff_tls_protocol
Initial value:
= {
.name = "tls",
.url_open2 = tls_open,
.url_read = tls_read,
.url_write = tls_write,
.url_close = tls_close,
.url_get_file_handle = tls_get_file_handle,
.url_get_short_seek = tls_get_short_seek,
.priv_data_size = sizeof(TLSContext),
.priv_data_class = &tls_class,
}

Definition at line 980 of file tls_openssl.c.

◆ dtls_class

const AVClass dtls_class
static
Initial value:
= {
.class_name = "dtls",
.item_name = av_default_item_name,
.option = options,
}

Definition at line 993 of file tls_openssl.c.

◆ ff_dtls_protocol

const URLProtocol ff_dtls_protocol
Initial value:
= {
.name = "dtls",
.url_open2 = dtls_start,
.url_handshake = dtls_handshake,
.url_close = tls_close,
.url_read = tls_read,
.url_write = tls_write,
.url_get_file_handle = tls_get_file_handle,
.url_get_short_seek = tls_get_short_seek,
.priv_data_size = sizeof(TLSContext),
.priv_data_class = &dtls_class,
}

Definition at line 1000 of file tls_openssl.c.

flags
const SwsFlags flags[]
Definition: swscale.c:61
TLSContext
Definition: tls_gnutls.c:44
URL_PROTOCOL_FLAG_NETWORK
#define URL_PROTOCOL_FLAG_NETWORK
Definition: url.h:33
TLS_COMMON_OPTIONS
#define TLS_COMMON_OPTIONS(pstruct, options_field)
Definition: tls.h:84
tls_class
static const AVClass tls_class
Definition: tls_openssl.c:973
tls_write
static int tls_write(URLContext *h, const uint8_t *buf, int size)
Definition: tls_openssl.c:932
LIBAVUTIL_VERSION_INT
#define LIBAVUTIL_VERSION_INT
Definition: version.h:85
dtls_handshake
static int dtls_handshake(URLContext *h)
Definition: tls_openssl.c:628
NULL
#define NULL
Definition: coverity.c:32
av_default_item_name
const char * av_default_item_name(void *ptr)
Return the context name.
Definition: log.c:241
tls_open
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_openssl.c:845
options
static const AVOption options[]
Definition: tls_openssl.c:968
tls_get_file_handle
static int tls_get_file_handle(URLContext *h)
Definition: tls_openssl.c:954
tls_get_short_seek
static int tls_get_short_seek(URLContext *h)
Definition: tls_openssl.c:961
tls_read
static int tls_read(URLContext *h, uint8_t *buf, int size)
Definition: tls_openssl.c:915
dtls_start
static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **options)
Once the DTLS role has been negotiated - active for the DTLS client or passive for the DTLS server - ...
Definition: tls_openssl.c:745
dtls_class
static const AVClass dtls_class
Definition: tls_openssl.c:993
tls_close
static int tls_close(URLContext *h)
Definition: tls_openssl.c:503