Commit | Line | Data |
---|---|---|
2ba45a60 DM |
1 | /* |
2 | * TLS/SSL Protocol | |
3 | * Copyright (c) 2011 Martin Storsjo | |
4 | * | |
5 | * This file is part of FFmpeg. | |
6 | * | |
7 | * FFmpeg is free software; you can redistribute it and/or | |
8 | * modify it under the terms of the GNU Lesser General Public | |
9 | * License as published by the Free Software Foundation; either | |
10 | * version 2.1 of the License, or (at your option) any later version. | |
11 | * | |
12 | * FFmpeg is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
15 | * Lesser General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU Lesser General Public | |
18 | * License along with FFmpeg; if not, write to the Free Software | |
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
20 | */ | |
21 | ||
22 | #include "avformat.h" | |
23 | #include "url.h" | |
24 | #include "libavutil/avstring.h" | |
25 | #include "libavutil/opt.h" | |
26 | #include "libavutil/parseutils.h" | |
27 | #include "network.h" | |
28 | #include "os_support.h" | |
29 | #include "internal.h" | |
30 | #if CONFIG_GNUTLS | |
31 | #include <gnutls/gnutls.h> | |
32 | #include <gnutls/x509.h> | |
33 | #define TLS_read(c, buf, size) gnutls_record_recv(c->session, buf, size) | |
34 | #define TLS_write(c, buf, size) gnutls_record_send(c->session, buf, size) | |
35 | #define TLS_shutdown(c) gnutls_bye(c->session, GNUTLS_SHUT_RDWR) | |
36 | #define TLS_free(c) do { \ | |
37 | if (c->session) \ | |
38 | gnutls_deinit(c->session); \ | |
39 | if (c->cred) \ | |
40 | gnutls_certificate_free_credentials(c->cred); \ | |
41 | } while (0) | |
42 | #elif CONFIG_OPENSSL | |
43 | #include <openssl/bio.h> | |
44 | #include <openssl/ssl.h> | |
45 | #include <openssl/err.h> | |
46 | #define TLS_read(c, buf, size) SSL_read(c->ssl, buf, size) | |
47 | #define TLS_write(c, buf, size) SSL_write(c->ssl, buf, size) | |
48 | #define TLS_shutdown(c) SSL_shutdown(c->ssl) | |
49 | #define TLS_free(c) do { \ | |
50 | if (c->ssl) \ | |
51 | SSL_free(c->ssl); \ | |
52 | if (c->ctx) \ | |
53 | SSL_CTX_free(c->ctx); \ | |
54 | } while (0) | |
55 | #endif | |
56 | #if HAVE_POLL_H | |
57 | #include <poll.h> | |
58 | #endif | |
59 | ||
60 | typedef struct { | |
61 | const AVClass *class; | |
62 | URLContext *tcp; | |
63 | #if CONFIG_GNUTLS | |
64 | gnutls_session_t session; | |
65 | gnutls_certificate_credentials_t cred; | |
66 | #elif CONFIG_OPENSSL | |
67 | SSL_CTX *ctx; | |
68 | SSL *ssl; | |
69 | #endif | |
70 | int fd; | |
71 | char *ca_file; | |
72 | int verify; | |
73 | char *cert_file; | |
74 | char *key_file; | |
75 | int listen; | |
76 | } TLSContext; | |
77 | ||
78 | #define OFFSET(x) offsetof(TLSContext, x) | |
79 | #define D AV_OPT_FLAG_DECODING_PARAM | |
80 | #define E AV_OPT_FLAG_ENCODING_PARAM | |
81 | static const AVOption options[] = { | |
82 | {"ca_file", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, .flags = D|E }, | |
83 | {"cafile", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, .flags = D|E }, | |
84 | {"tls_verify", "Verify the peer certificate", OFFSET(verify), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E }, | |
85 | {"cert_file", "Certificate file", OFFSET(cert_file), AV_OPT_TYPE_STRING, .flags = D|E }, | |
86 | {"key_file", "Private key file", OFFSET(key_file), AV_OPT_TYPE_STRING, .flags = D|E }, | |
87 | {"listen", "Listen for incoming connections", OFFSET(listen), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E }, | |
88 | { NULL } | |
89 | }; | |
90 | ||
91 | static const AVClass tls_class = { | |
92 | .class_name = "tls", | |
93 | .item_name = av_default_item_name, | |
94 | .option = options, | |
95 | .version = LIBAVUTIL_VERSION_INT, | |
96 | }; | |
97 | ||
98 | static int do_tls_poll(URLContext *h, int ret) | |
99 | { | |
100 | TLSContext *c = h->priv_data; | |
101 | struct pollfd p = { c->fd, 0, 0 }; | |
102 | #if CONFIG_GNUTLS | |
103 | switch (ret) { | |
104 | case GNUTLS_E_AGAIN: | |
105 | case GNUTLS_E_INTERRUPTED: | |
106 | break; | |
107 | case GNUTLS_E_WARNING_ALERT_RECEIVED: | |
108 | av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret)); | |
109 | break; | |
110 | default: | |
111 | av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret)); | |
112 | return AVERROR(EIO); | |
113 | } | |
114 | if (gnutls_record_get_direction(c->session)) | |
115 | p.events = POLLOUT; | |
116 | else | |
117 | p.events = POLLIN; | |
118 | #elif CONFIG_OPENSSL | |
119 | ret = SSL_get_error(c->ssl, ret); | |
120 | if (ret == SSL_ERROR_WANT_READ) { | |
121 | p.events = POLLIN; | |
122 | } else if (ret == SSL_ERROR_WANT_WRITE) { | |
123 | p.events = POLLOUT; | |
124 | } else { | |
125 | av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); | |
126 | return AVERROR(EIO); | |
127 | } | |
128 | #endif | |
129 | if (h->flags & AVIO_FLAG_NONBLOCK) | |
130 | return AVERROR(EAGAIN); | |
131 | while (1) { | |
132 | int n = poll(&p, 1, 100); | |
133 | if (n > 0) | |
134 | break; | |
135 | if (ff_check_interrupt(&h->interrupt_callback)) | |
136 | return AVERROR(EINTR); | |
137 | } | |
138 | return 0; | |
139 | } | |
140 | ||
141 | static void set_options(URLContext *h, const char *uri) | |
142 | { | |
143 | TLSContext *c = h->priv_data; | |
144 | char buf[1024]; | |
145 | const char *p = strchr(uri, '?'); | |
146 | if (!p) | |
147 | return; | |
148 | ||
149 | if (!c->ca_file && av_find_info_tag(buf, sizeof(buf), "cafile", p)) | |
150 | c->ca_file = av_strdup(buf); | |
151 | ||
152 | if (!c->verify && av_find_info_tag(buf, sizeof(buf), "verify", p)) { | |
153 | char *endptr = NULL; | |
154 | c->verify = strtol(buf, &endptr, 10); | |
155 | if (buf == endptr) | |
156 | c->verify = 1; | |
157 | } | |
158 | ||
159 | if (!c->cert_file && av_find_info_tag(buf, sizeof(buf), "cert", p)) | |
160 | c->cert_file = av_strdup(buf); | |
161 | ||
162 | if (!c->key_file && av_find_info_tag(buf, sizeof(buf), "key", p)) | |
163 | c->key_file = av_strdup(buf); | |
164 | } | |
165 | ||
166 | static int tls_open(URLContext *h, const char *uri, int flags) | |
167 | { | |
168 | TLSContext *c = h->priv_data; | |
169 | int ret; | |
170 | int port; | |
171 | char buf[200], host[200], opts[50] = ""; | |
172 | int numerichost = 0; | |
173 | struct addrinfo hints = { 0 }, *ai = NULL; | |
174 | const char *proxy_path; | |
175 | int use_proxy; | |
176 | const char *p = strchr(uri, '?'); | |
177 | ||
178 | ff_tls_init(); | |
179 | ||
180 | if(p && av_find_info_tag(buf, sizeof(buf), "listen", p)) | |
181 | c->listen = 1; | |
182 | if (c->listen) | |
183 | snprintf(opts, sizeof(opts), "?listen=1"); | |
184 | ||
185 | av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port, NULL, 0, uri); | |
186 | ff_url_join(buf, sizeof(buf), "tcp", NULL, host, port, "%s", opts); | |
187 | ||
188 | hints.ai_flags = AI_NUMERICHOST; | |
189 | if (!getaddrinfo(host, NULL, &hints, &ai)) { | |
190 | numerichost = 1; | |
191 | freeaddrinfo(ai); | |
192 | } | |
193 | ||
194 | proxy_path = getenv("http_proxy"); | |
195 | use_proxy = !ff_http_match_no_proxy(getenv("no_proxy"), host) && | |
196 | proxy_path && av_strstart(proxy_path, "http://", NULL); | |
197 | ||
198 | if (use_proxy) { | |
199 | char proxy_host[200], proxy_auth[200], dest[200]; | |
200 | int proxy_port; | |
201 | av_url_split(NULL, 0, proxy_auth, sizeof(proxy_auth), | |
202 | proxy_host, sizeof(proxy_host), &proxy_port, NULL, 0, | |
203 | proxy_path); | |
204 | ff_url_join(dest, sizeof(dest), NULL, NULL, host, port, NULL); | |
205 | ff_url_join(buf, sizeof(buf), "httpproxy", proxy_auth, proxy_host, | |
206 | proxy_port, "/%s", dest); | |
207 | } | |
208 | ||
209 | ret = ffurl_open(&c->tcp, buf, AVIO_FLAG_READ_WRITE, | |
210 | &h->interrupt_callback, NULL); | |
211 | if (ret) | |
212 | goto fail; | |
213 | c->fd = ffurl_get_file_handle(c->tcp); | |
214 | ||
215 | #if CONFIG_GNUTLS | |
216 | gnutls_init(&c->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT); | |
217 | if (!c->listen && !numerichost) | |
218 | gnutls_server_name_set(c->session, GNUTLS_NAME_DNS, host, strlen(host)); | |
219 | gnutls_certificate_allocate_credentials(&c->cred); | |
220 | set_options(h, uri); | |
221 | if (c->ca_file) { | |
222 | ret = gnutls_certificate_set_x509_trust_file(c->cred, c->ca_file, GNUTLS_X509_FMT_PEM); | |
223 | if (ret < 0) | |
224 | av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret)); | |
225 | } | |
226 | #if GNUTLS_VERSION_MAJOR >= 3 | |
227 | else | |
228 | gnutls_certificate_set_x509_system_trust(c->cred); | |
229 | #endif | |
230 | gnutls_certificate_set_verify_flags(c->cred, c->verify ? | |
231 | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0); | |
232 | if (c->cert_file && c->key_file) { | |
233 | ret = gnutls_certificate_set_x509_key_file(c->cred, | |
234 | c->cert_file, c->key_file, | |
235 | GNUTLS_X509_FMT_PEM); | |
236 | if (ret < 0) { | |
237 | av_log(h, AV_LOG_ERROR, | |
238 | "Unable to set cert/key files %s and %s: %s\n", | |
239 | c->cert_file, c->key_file, gnutls_strerror(ret)); | |
240 | ret = AVERROR(EIO); | |
241 | goto fail; | |
242 | } | |
243 | } else if (c->cert_file || c->key_file) | |
244 | av_log(h, AV_LOG_ERROR, "cert and key required\n"); | |
245 | gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, c->cred); | |
246 | gnutls_transport_set_ptr(c->session, (gnutls_transport_ptr_t) | |
247 | (intptr_t) c->fd); | |
248 | gnutls_priority_set_direct(c->session, "NORMAL", NULL); | |
249 | while (1) { | |
250 | ret = gnutls_handshake(c->session); | |
251 | if (ret == 0) | |
252 | break; | |
253 | if ((ret = do_tls_poll(h, ret)) < 0) | |
254 | goto fail; | |
255 | } | |
256 | if (c->verify) { | |
257 | unsigned int status, cert_list_size; | |
258 | gnutls_x509_crt_t cert; | |
259 | const gnutls_datum_t *cert_list; | |
260 | if ((ret = gnutls_certificate_verify_peers2(c->session, &status)) < 0) { | |
261 | av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n", | |
262 | gnutls_strerror(ret)); | |
263 | ret = AVERROR(EIO); | |
264 | goto fail; | |
265 | } | |
266 | if (status & GNUTLS_CERT_INVALID) { | |
267 | av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n"); | |
268 | ret = AVERROR(EIO); | |
269 | goto fail; | |
270 | } | |
271 | if (gnutls_certificate_type_get(c->session) != GNUTLS_CRT_X509) { | |
272 | av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n"); | |
273 | ret = AVERROR(EIO); | |
274 | goto fail; | |
275 | } | |
276 | gnutls_x509_crt_init(&cert); | |
277 | cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size); | |
278 | gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER); | |
279 | ret = gnutls_x509_crt_check_hostname(cert, host); | |
280 | gnutls_x509_crt_deinit(cert); | |
281 | if (!ret) { | |
282 | av_log(h, AV_LOG_ERROR, | |
283 | "The certificate's owner does not match hostname %s\n", host); | |
284 | ret = AVERROR(EIO); | |
285 | goto fail; | |
286 | } | |
287 | } | |
288 | #elif CONFIG_OPENSSL | |
289 | c->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); | |
290 | if (!c->ctx) { | |
291 | av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); | |
292 | ret = AVERROR(EIO); | |
293 | goto fail; | |
294 | } | |
295 | set_options(h, uri); | |
296 | if (c->ca_file) { | |
297 | if (!SSL_CTX_load_verify_locations(c->ctx, c->ca_file, NULL)) | |
298 | av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL)); | |
299 | } | |
300 | if (c->cert_file && !SSL_CTX_use_certificate_chain_file(c->ctx, c->cert_file)) { | |
301 | av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n", | |
302 | c->cert_file, ERR_error_string(ERR_get_error(), NULL)); | |
303 | ret = AVERROR(EIO); | |
304 | goto fail; | |
305 | } | |
306 | if (c->key_file && !SSL_CTX_use_PrivateKey_file(c->ctx, c->key_file, SSL_FILETYPE_PEM)) { | |
307 | av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n", | |
308 | c->key_file, ERR_error_string(ERR_get_error(), NULL)); | |
309 | ret = AVERROR(EIO); | |
310 | goto fail; | |
311 | } | |
312 | // Note, this doesn't check that the peer certificate actually matches | |
313 | // the requested hostname. | |
314 | if (c->verify) | |
315 | SSL_CTX_set_verify(c->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); | |
316 | c->ssl = SSL_new(c->ctx); | |
317 | if (!c->ssl) { | |
318 | av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); | |
319 | ret = AVERROR(EIO); | |
320 | goto fail; | |
321 | } | |
322 | SSL_set_fd(c->ssl, c->fd); | |
323 | if (!c->listen && !numerichost) | |
324 | SSL_set_tlsext_host_name(c->ssl, host); | |
325 | while (1) { | |
326 | ret = c->listen ? SSL_accept(c->ssl) : SSL_connect(c->ssl); | |
327 | if (ret > 0) | |
328 | break; | |
329 | if (ret == 0) { | |
330 | av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n"); | |
331 | ret = AVERROR(EIO); | |
332 | goto fail; | |
333 | } | |
334 | if ((ret = do_tls_poll(h, ret)) < 0) | |
335 | goto fail; | |
336 | } | |
337 | #endif | |
338 | return 0; | |
339 | fail: | |
340 | TLS_free(c); | |
341 | if (c->tcp) | |
342 | ffurl_close(c->tcp); | |
343 | ff_tls_deinit(); | |
344 | return ret; | |
345 | } | |
346 | ||
347 | static int tls_read(URLContext *h, uint8_t *buf, int size) | |
348 | { | |
349 | TLSContext *c = h->priv_data; | |
350 | while (1) { | |
351 | int ret = TLS_read(c, buf, size); | |
352 | if (ret > 0) | |
353 | return ret; | |
354 | if (ret == 0) | |
355 | return AVERROR_EOF; | |
356 | if ((ret = do_tls_poll(h, ret)) < 0) | |
357 | return ret; | |
358 | } | |
359 | return 0; | |
360 | } | |
361 | ||
362 | static int tls_write(URLContext *h, const uint8_t *buf, int size) | |
363 | { | |
364 | TLSContext *c = h->priv_data; | |
365 | while (1) { | |
366 | int ret = TLS_write(c, buf, size); | |
367 | if (ret > 0) | |
368 | return ret; | |
369 | if (ret == 0) | |
370 | return AVERROR_EOF; | |
371 | if ((ret = do_tls_poll(h, ret)) < 0) | |
372 | return ret; | |
373 | } | |
374 | return 0; | |
375 | } | |
376 | ||
377 | static int tls_close(URLContext *h) | |
378 | { | |
379 | TLSContext *c = h->priv_data; | |
380 | TLS_shutdown(c); | |
381 | TLS_free(c); | |
382 | ffurl_close(c->tcp); | |
383 | ff_tls_deinit(); | |
384 | return 0; | |
385 | } | |
386 | ||
387 | URLProtocol ff_tls_protocol = { | |
388 | .name = "tls", | |
389 | .url_open = tls_open, | |
390 | .url_read = tls_read, | |
391 | .url_write = tls_write, | |
392 | .url_close = tls_close, | |
393 | .priv_data_size = sizeof(TLSContext), | |
394 | .flags = URL_PROTOCOL_FLAG_NETWORK, | |
395 | .priv_data_class = &tls_class, | |
396 | }; |