FFmpeg  4.0
tls_gnutls.c
Go to the documentation of this file.
1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include <errno.h>
23 
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26 
27 #include "avformat.h"
28 #include "internal.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavcodec/internal.h"
34 #include "libavutil/avstring.h"
35 #include "libavutil/opt.h"
36 #include "libavutil/parseutils.h"
37 
38 #ifndef GNUTLS_VERSION_NUMBER
39 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
40 #endif
41 
42 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
43 #include <gcrypt.h>
44 #include "libavutil/thread.h"
45 GCRY_THREAD_OPTION_PTHREAD_IMPL;
46 #endif
47 
48 typedef struct TLSContext {
49  const AVClass *class;
51  gnutls_session_t session;
52  gnutls_certificate_credentials_t cred;
54 } TLSContext;
55 
56 void ff_gnutls_init(void)
57 {
59 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
60  if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
61  gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
62 #endif
63  gnutls_global_init();
65 }
66 
67 void ff_gnutls_deinit(void)
68 {
70  gnutls_global_deinit();
72 }
73 
74 static int print_tls_error(URLContext *h, int ret)
75 {
76  switch (ret) {
77  case GNUTLS_E_AGAIN:
78  return AVERROR(EAGAIN);
79  case GNUTLS_E_INTERRUPTED:
80 #ifdef GNUTLS_E_PREMATURE_TERMINATION
81  case GNUTLS_E_PREMATURE_TERMINATION:
82 #endif
83  break;
84  case GNUTLS_E_WARNING_ALERT_RECEIVED:
85  av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
86  break;
87  default:
88  av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
89  break;
90  }
91  return AVERROR(EIO);
92 }
93 
94 static int tls_close(URLContext *h)
95 {
96  TLSContext *c = h->priv_data;
97  if (c->need_shutdown)
98  gnutls_bye(c->session, GNUTLS_SHUT_WR);
99  if (c->session)
100  gnutls_deinit(c->session);
101  if (c->cred)
102  gnutls_certificate_free_credentials(c->cred);
103  if (c->tls_shared.tcp)
106  return 0;
107 }
108 
109 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
110  void *buf, size_t len)
111 {
112  URLContext *h = (URLContext*) transport;
113  int ret = ffurl_read(h, buf, len);
114  if (ret >= 0)
115  return ret;
116  if (ret == AVERROR_EXIT)
117  return 0;
118  if (ret == AVERROR(EAGAIN))
119  errno = EAGAIN;
120  else
121  errno = EIO;
122  return -1;
123 }
124 
125 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
126  const void *buf, size_t len)
127 {
128  URLContext *h = (URLContext*) transport;
129  int ret = ffurl_write(h, buf, len);
130  if (ret >= 0)
131  return ret;
132  if (ret == AVERROR_EXIT)
133  return 0;
134  if (ret == AVERROR(EAGAIN))
135  errno = EAGAIN;
136  else
137  errno = EIO;
138  return -1;
139 }
140 
141 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
142 {
143  TLSContext *p = h->priv_data;
144  TLSShared *c = &p->tls_shared;
145  int ret;
146 
147  ff_gnutls_init();
148 
149  if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
150  goto fail;
151 
152  gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
153  if (!c->listen && !c->numerichost)
154  gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));
155  gnutls_certificate_allocate_credentials(&p->cred);
156  if (c->ca_file) {
157  ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
158  if (ret < 0)
159  av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
160  }
161 #if GNUTLS_VERSION_NUMBER >= 0x030020
162  else
163  gnutls_certificate_set_x509_system_trust(p->cred);
164 #endif
165  gnutls_certificate_set_verify_flags(p->cred, c->verify ?
166  GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
167  if (c->cert_file && c->key_file) {
168  ret = gnutls_certificate_set_x509_key_file(p->cred,
169  c->cert_file, c->key_file,
170  GNUTLS_X509_FMT_PEM);
171  if (ret < 0) {
172  av_log(h, AV_LOG_ERROR,
173  "Unable to set cert/key files %s and %s: %s\n",
174  c->cert_file, c->key_file, gnutls_strerror(ret));
175  ret = AVERROR(EIO);
176  goto fail;
177  }
178  } else if (c->cert_file || c->key_file)
179  av_log(h, AV_LOG_ERROR, "cert and key required\n");
180  gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
181  gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
182  gnutls_transport_set_push_function(p->session, gnutls_url_push);
183  gnutls_transport_set_ptr(p->session, c->tcp);
184  gnutls_priority_set_direct(p->session, "NORMAL", NULL);
185  ret = gnutls_handshake(p->session);
186  if (ret) {
187  ret = print_tls_error(h, ret);
188  goto fail;
189  }
190  p->need_shutdown = 1;
191  if (c->verify) {
192  unsigned int status, cert_list_size;
193  gnutls_x509_crt_t cert;
194  const gnutls_datum_t *cert_list;
195  if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {
196  av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
197  gnutls_strerror(ret));
198  ret = AVERROR(EIO);
199  goto fail;
200  }
201  if (status & GNUTLS_CERT_INVALID) {
202  av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
203  ret = AVERROR(EIO);
204  goto fail;
205  }
206  if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
207  av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
208  ret = AVERROR(EIO);
209  goto fail;
210  }
211  gnutls_x509_crt_init(&cert);
212  cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
213  gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
214  ret = gnutls_x509_crt_check_hostname(cert, c->host);
215  gnutls_x509_crt_deinit(cert);
216  if (!ret) {
217  av_log(h, AV_LOG_ERROR,
218  "The certificate's owner does not match hostname %s\n", c->host);
219  ret = AVERROR(EIO);
220  goto fail;
221  }
222  }
223 
224  return 0;
225 fail:
226  tls_close(h);
227  return ret;
228 }
229 
230 static int tls_read(URLContext *h, uint8_t *buf, int size)
231 {
232  TLSContext *c = h->priv_data;
233  int ret;
234  // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
237  ret = gnutls_record_recv(c->session, buf, size);
238  if (ret > 0)
239  return ret;
240  if (ret == 0)
241  return AVERROR_EOF;
242  return print_tls_error(h, ret);
243 }
244 
245 static int tls_write(URLContext *h, const uint8_t *buf, int size)
246 {
247  TLSContext *c = h->priv_data;
248  int ret;
249  // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
252  ret = gnutls_record_send(c->session, buf, size);
253  if (ret > 0)
254  return ret;
255  if (ret == 0)
256  return AVERROR_EOF;
257  return print_tls_error(h, ret);
258 }
259 
261 {
262  TLSContext *c = h->priv_data;
264 }
265 
266 static const AVOption options[] = {
268  { NULL }
269 };
270 
271 static const AVClass tls_class = {
272  .class_name = "tls",
273  .item_name = av_default_item_name,
274  .option = options,
275  .version = LIBAVUTIL_VERSION_INT,
276 };
277 
279  .name = "tls",
280  .url_open2 = tls_open,
281  .url_read = tls_read,
282  .url_write = tls_write,
283  .url_close = tls_close,
284  .url_get_file_handle = tls_get_file_handle,
285  .priv_data_size = sizeof(TLSContext),
287  .priv_data_class = &tls_class,
288 };
#define NULL
Definition: coverity.c:32
int size
#define URL_PROTOCOL_FLAG_NETWORK
Definition: url.h:34
AVOption.
Definition: opt.h:246
int verify
Definition: tls.h:31
#define AV_LOG_WARNING
Something somehow does not look correct.
Definition: log.h:182
#define LIBAVUTIL_VERSION_INT
Definition: version.h:85
int ffurl_write(URLContext *h, const unsigned char *buf, int size)
Write size bytes from buf to the resource accessed by h.
Definition: avio.c:421
void ff_gnutls_deinit(void)
Definition: tls_gnutls.c:67
const char * av_default_item_name(void *ptr)
Return the context name.
Definition: log.c:191
int flags
Definition: url.h:43
int listen
Definition: tls.h:34
static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport, const void *buf, size_t len)
Definition: tls_gnutls.c:125
static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport, void *buf, size_t len)
Definition: tls_gnutls.c:109
gnutls_certificate_credentials_t cred
Definition: tls_gnutls.c:52
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
Definition: log.h:72
uint8_t
AVOptions.
miscellaneous OS support macros and functions.
static const AVClass tls_class
Definition: tls_gnutls.c:271
Definition: tls.h:29
static int flags
Definition: log.c:55
#define AVERROR_EOF
End of file.
Definition: error.h:55
void ff_gnutls_init(void)
Definition: tls_gnutls.c:56
#define av_log(a,...)
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
Definition: log.h:176
#define AVERROR(e)
Definition: error.h:43
static int tls_read(URLContext *h, uint8_t *buf, int size)
Definition: tls_gnutls.c:230
#define fail()
Definition: checkasm.h:116
char * host
Definition: tls.h:36
int ff_unlock_avformat(void)
Definition: utils.c:88
#define TLS_COMMON_OPTIONS(pstruct, options_field)
Definition: tls.h:45
static int tls_close(URLContext *h)
Definition: tls_gnutls.c:94
char * cert_file
Definition: tls.h:32
gnutls_session_t session
Definition: tls_gnutls.c:51
int ffurl_get_file_handle(URLContext *h)
Return the file descriptor associated with this URL.
Definition: avio.c:626
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
Definition: error.h:56
char * ca_file
Definition: tls.h:30
#define AVIO_FLAG_NONBLOCK
Use non-blocking mode.
Definition: avio.h:673
TLSShared tls_shared
Definition: tls_gnutls.c:50
void * buf
Definition: avisynth_c.h:690
Definition: url.h:38
static int print_tls_error(URLContext *h, int ret)
Definition: tls_gnutls.c:74
Describe the class of an AVClass context structure.
Definition: log.h:67
void * priv_data
Definition: url.h:41
misc parsing utilities
const char * name
Definition: url.h:55
int ffurl_close(URLContext *h)
Definition: avio.c:467
Main libavformat public API header.
common internal api header.
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
Definition: tls.c:56
static double c[64]
URLContext * tcp
Definition: tls.h:41
int numerichost
Definition: tls.h:39
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_gnutls.c:141
int len
static int tls_write(URLContext *h, const uint8_t *buf, int size)
Definition: tls_gnutls.c:245
int need_shutdown
Definition: tls_gnutls.c:53
int ff_lock_avformat(void)
Definition: utils.c:83
unbuffered private I/O API
static int tls_get_file_handle(URLContext *h)
Definition: tls_gnutls.c:260
int ffurl_read(URLContext *h, unsigned char *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf...
Definition: avio.c:407
char * key_file
Definition: tls.h:33
const URLProtocol ff_tls_protocol
Definition: tls_gnutls.c:278
static const AVOption options[]
Definition: tls_gnutls.c:266