doxygen/trunk/tls__openssl_8c_source.html

 /*
  * TLS/SSL Protocol
  * Copyright (c) 2011 Martin Storsjo
  *
  * This file is part of FFmpeg.
  *
  * FFmpeg is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
  *
  * FFmpeg is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
  * License along with FFmpeg; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */

 #include "avformat.h"
 #include "internal.h"
 #include "network.h"
 #include "os_support.h"
 #include "url.h"
 #include "tls.h"
 #include "libavcodec/internal.h"
 #include "libavutil/avstring.h"
 #include "libavutil/avutil.h"
 #include "libavutil/opt.h"
 #include "libavutil/parseutils.h"
 #include "libavutil/thread.h"

 #include <openssl/bio.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>

 static int openssl_init;

 typedef struct TLSContext {
     const AVClass *class;
     TLSShared tls_shared;
     SSL_CTX *ctx;
     SSL *ssl;
 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
     BIO_METHOD* url_bio_method;
 #endif
 } TLSContext;

 #if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
 #include <openssl/crypto.h>
 pthread_mutex_t *openssl_mutexes;
 static void openssl_lock(int mode, int type, const char *file, int line)
 {
     if (mode & CRYPTO_LOCK)
         pthread_mutex_lock(&openssl_mutexes[type]);
     else
         pthread_mutex_unlock(&openssl_mutexes[type]);
 }
 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
 static unsigned long openssl_thread_id(void)
 {
     return (intptr_t) pthread_self();
 }
 #endif
 #endif

 int ff_openssl_init(void)
 {
     ff_lock_avformat();
     if (!openssl_init) {
         /* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are
          * using OpenSSL 1.1.0 or above, then the library will initialize
          * itself automatically.
          * https://wiki.openssl.org/index.php/Library_Initialization
          */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
         SSL_library_init();
         SSL_load_error_strings();
 #endif
 #if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
         if (!CRYPTO_get_locking_callback()) {
             int i;
             openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks());
             if (!openssl_mutexes) {
                 ff_unlock_avformat();
                 return AVERROR(ENOMEM);
             }

             for (i = 0; i < CRYPTO_num_locks(); i++)
                 pthread_mutex_init(&openssl_mutexes[i], NULL);
             CRYPTO_set_locking_callback(openssl_lock);
 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
             CRYPTO_set_id_callback(openssl_thread_id);
 #endif
         }
 #endif
     }
     openssl_init++;
     ff_unlock_avformat();

     return 0;
 }

 void ff_openssl_deinit(void)
 {
     ff_lock_avformat();
     openssl_init--;
     if (!openssl_init) {
 #if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
         if (CRYPTO_get_locking_callback() == openssl_lock) {
             int i;
             CRYPTO_set_locking_callback(NULL);
             for (i = 0; i < CRYPTO_num_locks(); i++)
                 pthread_mutex_destroy(&openssl_mutexes[i]);
             av_free(openssl_mutexes);
         }
 #endif
     }
     ff_unlock_avformat();
 }

 static int print_tls_error(URLContext *h, int ret)
 {
     TLSContext *c = h->priv_data;
     if (h->flags & AVIO_FLAG_NONBLOCK) {
         int err = SSL_get_error(c->ssl, ret);
         if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE)
             return AVERROR(EAGAIN);
     }
     av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
     return AVERROR(EIO);
 }

 static int tls_close(URLContext *h)
 {
     TLSContext *c = h->priv_data;
     if (c->ssl) {
         SSL_shutdown(c->ssl);
         SSL_free(c->ssl);
     }
     if (c->ctx)
         SSL_CTX_free(c->ctx);
     ffurl_closep(&c->tls_shared.tcp);
 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
     if (c->url_bio_method)
         BIO_meth_free(c->url_bio_method);
 #endif
     ff_openssl_deinit();
     return 0;
 }

 static int url_bio_create(BIO *b)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
     BIO_set_init(b, 1);
     BIO_set_data(b, NULL);
     BIO_set_flags(b, 0);
 #else
     b->init = 1;
     b->ptr = NULL;
     b->flags = 0;
 #endif
     return 1;
 }

 static int url_bio_destroy(BIO *b)
 {
     return 1;
 }

 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
 #define GET_BIO_DATA(x) BIO_get_data(x)
 #else
 #define GET_BIO_DATA(x) (x)->ptr
 #endif

 static int url_bio_bread(BIO *b, char *buf, int len)
 {
     URLContext *h = GET_BIO_DATA(b);
     int ret = ffurl_read(h, buf, len);
     if (ret >= 0)
         return ret;
     BIO_clear_retry_flags(b);
     if (ret == AVERROR(EAGAIN))
         BIO_set_retry_read(b);
     if (ret == AVERROR_EXIT)
         return 0;
     return -1;
 }

 static int url_bio_bwrite(BIO *b, const char *buf, int len)
 {
     URLContext *h = GET_BIO_DATA(b);
     int ret = ffurl_write(h, buf, len);
     if (ret >= 0)
         return ret;
     BIO_clear_retry_flags(b);
     if (ret == AVERROR(EAGAIN))
         BIO_set_retry_write(b);
     if (ret == AVERROR_EXIT)
         return 0;
     return -1;
 }

 static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
     if (cmd == BIO_CTRL_FLUSH) {
         BIO_clear_retry_flags(b);
         return 1;
     }
     return 0;
 }

 static int url_bio_bputs(BIO *b, const char *str)
 {
     return url_bio_bwrite(b, str, strlen(str));
 }

 #if OPENSSL_VERSION_NUMBER < 0x1010000fL
 static BIO_METHOD url_bio_method = {
     .type = BIO_TYPE_SOURCE_SINK,
     .name = "urlprotocol bio",
     .bwrite = url_bio_bwrite,
     .bread = url_bio_bread,
     .bputs = url_bio_bputs,
     .bgets = NULL,
     .ctrl = url_bio_ctrl,
     .create = url_bio_create,
     .destroy = url_bio_destroy,
 };
 #endif

 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
 {
     TLSContext *p = h->priv_data;
     TLSShared *c = &p->tls_shared;
     BIO *bio;
     int ret;

     if ((ret = ff_openssl_init()) < 0)
         return ret;

     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
         goto fail;

     // We want to support all versions of TLS >= 1.0, but not the deprecated
     // and insecure SSLv2 and SSLv3.  Despite the name, SSLv23_*_method()
     // enables support for all versions of SSL and TLS, and we then disable
     // support for the old protocols immediately after creating the context.
     p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
     if (!p->ctx) {
         av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
         ret = AVERROR(EIO);
         goto fail;
     }
     SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
     if (c->ca_file) {
         if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
             av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
     }
     if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {
         av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n",
                c->cert_file, ERR_error_string(ERR_get_error(), NULL));
         ret = AVERROR(EIO);
         goto fail;
     }
     if (c->key_file && !SSL_CTX_use_PrivateKey_file(p->ctx, c->key_file, SSL_FILETYPE_PEM)) {
         av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n",
                c->key_file, ERR_error_string(ERR_get_error(), NULL));
         ret = AVERROR(EIO);
         goto fail;
     }
     // Note, this doesn't check that the peer certificate actually matches
     // the requested hostname.
     if (c->verify)
         SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
     p->ssl = SSL_new(p->ctx);
     if (!p->ssl) {
         av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
         ret = AVERROR(EIO);
         goto fail;
     }
 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
     p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
     BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
     BIO_meth_set_read(p->url_bio_method, url_bio_bread);
     BIO_meth_set_puts(p->url_bio_method, url_bio_bputs);
     BIO_meth_set_ctrl(p->url_bio_method, url_bio_ctrl);
     BIO_meth_set_create(p->url_bio_method, url_bio_create);
     BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
     bio = BIO_new(p->url_bio_method);
     BIO_set_data(bio, c->tcp);
 #else
     bio = BIO_new(&url_bio_method);
     bio->ptr = c->tcp;
 #endif
     SSL_set_bio(p->ssl, bio, bio);
     if (!c->listen && !c->numerichost)
         SSL_set_tlsext_host_name(p->ssl, c->host);
     ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
     if (ret == 0) {
         av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
         ret = AVERROR(EIO);
         goto fail;
     } else if (ret < 0) {
         ret = print_tls_error(h, ret);
         goto fail;
     }

     return 0;
 fail:
     tls_close(h);
     return ret;
 }

 static int tls_read(URLContext *h, uint8_t *buf, int size)
 {
     TLSContext *c = h->priv_data;
     int ret;
     // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
     c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
     c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
     ret = SSL_read(c->ssl, buf, size);
     if (ret > 0)
         return ret;
     if (ret == 0)
         return AVERROR_EOF;
     return print_tls_error(h, ret);
 }

 static int tls_write(URLContext *h, const uint8_t *buf, int size)
 {
     TLSContext *c = h->priv_data;
     int ret;
     // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
     c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
     c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
     ret = SSL_write(c->ssl, buf, size);
     if (ret > 0)
         return ret;
     if (ret == 0)
         return AVERROR_EOF;
     return print_tls_error(h, ret);
 }

 static int tls_get_file_handle(URLContext *h)
 {
     TLSContext *c = h->priv_data;
     return ffurl_get_file_handle(c->tls_shared.tcp);
 }

 static const AVOption options[] = {
     TLS_COMMON_OPTIONS(TLSContext, tls_shared),
     { NULL }
 };

 static const AVClass tls_class = {
     .class_name = "tls",
     .item_name  = av_default_item_name,
     .option     = options,
     .version    = LIBAVUTIL_VERSION_INT,
 };

 const URLProtocol ff_tls_protocol = {
     .name           = "tls",
     .url_open2      = tls_open,
     .url_read       = tls_read,
     .url_write      = tls_write,
     .url_close      = tls_close,
     .url_get_file_handle = tls_get_file_handle,
     .priv_data_size = sizeof(TLSContext),
     .flags          = URL_PROTOCOL_FLAG_NETWORK,
     .priv_data_class = &tls_class,
 };
tls.h

NULL
#define NULL
Definition: coverity.c:32

TLSContext
Definition: tls_gnutls.c:48

pthread_mutex_destroy
static av_always_inline int pthread_mutex_destroy(pthread_mutex_t *mutex)
Definition: os2threads.h:112

openssl_init
static int openssl_init
Definition: tls_openssl.c:39

URL_PROTOCOL_FLAG_NETWORK
#define URL_PROTOCOL_FLAG_NETWORK
Definition: url.h:34

pthread_mutex_lock
#define pthread_mutex_lock(a)
Definition: ffprobe.c:62

h
h
Definition: vp9dsp_template.c:2038

AVOption
AVOption.
Definition: opt.h:248

TLSShared::verify
int verify
Definition: tls.h:31

ret
ret
Definition: filter_design.txt:187

LIBAVUTIL_VERSION_INT
#define LIBAVUTIL_VERSION_INT
Definition: version.h:85

ffurl_write
int ffurl_write(URLContext *h, const unsigned char *buf, int size)
Write size bytes from buf to the resource accessed by h.
Definition: avio.c:423

url_bio_bwrite
static int url_bio_bwrite(BIO *b, const char *buf, int len)
Definition: tls_openssl.c:193

av_default_item_name
const char * av_default_item_name(void *ptr)
Return the context name.
Definition: log.c:235

avutil.h
Convenience header that includes libavutil&#39;s core.

type
GLint GLenum type
Definition: opengl_enc.c:104

URLContext::flags
int flags
Definition: url.h:43

TLSShared::listen
int listen
Definition: tls.h:34

avstring.h

AVClass::class_name
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
Definition: log.h:72

url_bio_bread
static int url_bio_bread(BIO *b, char *buf, int len)
Definition: tls_openssl.c:179

uint8_t
uint8_t
Definition: audio_convert.c:194

opt.h
AVOptions.

os_support.h
miscellaneous OS support macros and functions.

url_bio_bputs
static int url_bio_bputs(BIO *b, const char *str)
Definition: tls_openssl.c:216

c
Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
Definition: undefined.txt:32

GET_BIO_DATA
#define GET_BIO_DATA(x)
Definition: tls_openssl.c:176

TLSShared
Definition: tls.h:29

AVERROR_EOF
#define AVERROR_EOF
End of file.
Definition: error.h:55

size
ptrdiff_t size
Definition: opengl_enc.c:100

tls_get_file_handle
static int tls_get_file_handle(URLContext *h)
Definition: tls_openssl.c:348

av_log
#define av_log(a,...)
Definition: tableprint_vlc.h:28

TLSContext::ssl
SSL * ssl
Definition: tls_openssl.c:45

AVDictionary
Definition: dict.c:30

AV_LOG_ERROR
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
Definition: log.h:194

line
Definition: graph2dot.c:48

tls_open
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_openssl.c:235

fail
#define fail()
Definition: checkasm.h:123

TLSShared::host
char * host
Definition: tls.h:36

options
static const AVOption options[]
Definition: tls_openssl.c:354

ff_openssl_deinit
void ff_openssl_deinit(void)
Definition: tls_openssl.c:106

b
#define b
Definition: input.c:41

tls_class
static const AVClass tls_class
Definition: tls_openssl.c:359

ff_unlock_avformat
int ff_unlock_avformat(void)
Definition: utils.c:83

TLS_COMMON_OPTIONS
#define TLS_COMMON_OPTIONS(pstruct, options_field)
Definition: tls.h:45

network.h

pthread_mutex_init
static av_always_inline int pthread_mutex_init(pthread_mutex_t *mutex, const pthread_mutexattr_t *attr)
Definition: os2threads.h:104

TLSShared::cert_file
char * cert_file
Definition: tls.h:32

tls_write
static int tls_write(URLContext *h, const uint8_t *buf, int size)
Definition: tls_openssl.c:333

pthread_mutex_unlock
#define pthread_mutex_unlock(a)
Definition: ffprobe.c:66

ffurl_get_file_handle
int ffurl_get_file_handle(URLContext *h)
Return the file descriptor associated with this URL.
Definition: avio.c:628

AVERROR_EXIT
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
Definition: error.h:56

TLSShared::ca_file
char * ca_file
Definition: tls.h:30

ffurl_closep
int ffurl_closep(URLContext **hh)
Close the resource accessed by the URLContext h, and free the memory used by it.
Definition: avio.c:446

url_bio_destroy
static int url_bio_destroy(BIO *b)
Definition: tls_openssl.c:168

print_tls_error
static int print_tls_error(URLContext *h, int ret)
Definition: tls_openssl.c:124

TLSContext::ctx
SSL_CTX * ctx
Definition: tls_openssl.c:44

AVIO_FLAG_NONBLOCK
#define AVIO_FLAG_NONBLOCK
Use non-blocking mode.
Definition: avio.h:693

URLProtocol
Definition: url.h:54

ff_openssl_init
int ff_openssl_init(void)
Definition: tls_openssl.c:69

TLSContext::tls_shared
TLSShared tls_shared
Definition: tls_gnutls.c:50

URLContext
Definition: url.h:38

tls_read
static int tls_read(URLContext *h, uint8_t *buf, int size)
Definition: tls_openssl.c:318

AVClass
Describe the class of an AVClass context structure.
Definition: log.h:67

URLContext::priv_data
void * priv_data
Definition: url.h:41

tls_close
static int tls_close(URLContext *h)
Definition: tls_openssl.c:136

ff_tls_protocol
const URLProtocol ff_tls_protocol
Definition: tls_openssl.c:366

parseutils.h
misc parsing utilities

URLProtocol::name
const char * name
Definition: url.h:55

convert_header.str
string str
Definition: convert_header.py:20

flags
#define flags(name, subs,...)
Definition: cbs_av1.c:560

avformat.h
Main libavformat public API header.

internal.h
common internal api header.

pthread_mutex_t
_fmutex pthread_mutex_t
Definition: os2threads.h:53

ff_tls_open_underlying
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
Definition: tls.c:56

TLSContext::ctx
struct tls * ctx
Definition: tls_libtls.c:37

TLSShared::tcp
URLContext * tcp
Definition: tls.h:41

url_bio_method
static BIO_METHOD url_bio_method
Definition: tls_openssl.c:222

TLSShared::numerichost
int numerichost
Definition: tls.h:39

url_bio_ctrl
static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr)
Definition: tls_openssl.c:207

av_free
#define av_free(p)
Definition: tableprint_vlc.h:34

len
int len
Definition: vorbis_enc_data.h:452

ff_lock_avformat
int ff_lock_avformat(void)
Definition: utils.c:78

url.h
unbuffered private I/O API

av_malloc_array
#define av_malloc_array(a, b)
Definition: tableprint_vlc.h:32

AVERROR
Filter the word “frame” indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later.That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another.Frame references ownership and permissions

ffurl_read
int ffurl_read(URLContext *h, unsigned char *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf...
Definition: avio.c:409

mode
mode
Use these values in ebur128_init (or&#39;ed).
Definition: ebur128.h:83

TLSShared::key_file
char * key_file
Definition: tls.h:33

url_bio_create
static int url_bio_create(BIO *b)
Definition: tls_openssl.c:154

i
int i
Definition: input.c:406

thread.h