Commit | Line | Data |
---|---|---|
2ba45a60 DM |
1 | /* |
2 | * TLS/SSL Protocol | |
3 | * Copyright (c) 2011 Martin Storsjo | |
4 | * | |
5 | * This file is part of FFmpeg. | |
6 | * | |
7 | * FFmpeg is free software; you can redistribute it and/or | |
8 | * modify it under the terms of the GNU Lesser General Public | |
9 | * License as published by the Free Software Foundation; either | |
10 | * version 2.1 of the License, or (at your option) any later version. | |
11 | * | |
12 | * FFmpeg is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
15 | * Lesser General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU Lesser General Public | |
18 | * License along with FFmpeg; if not, write to the Free Software | |
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
20 | */ | |
21 | ||
22 | #include "avformat.h" | |
23 | #include "url.h" | |
24 | #include "libavutil/avstring.h" | |
25 | #include "libavutil/opt.h" | |
26 | #include "libavutil/parseutils.h" | |
27 | #include "network.h" | |
28 | #include "os_support.h" | |
29 | #include "internal.h" | |
30 | #if CONFIG_GNUTLS | |
31 | #include <gnutls/gnutls.h> | |
32 | #include <gnutls/x509.h> | |
33 | #define TLS_read(c, buf, size) gnutls_record_recv(c->session, buf, size) | |
34 | #define TLS_write(c, buf, size) gnutls_record_send(c->session, buf, size) | |
35 | #define TLS_shutdown(c) gnutls_bye(c->session, GNUTLS_SHUT_RDWR) | |
36 | #define TLS_free(c) do { \ | |
37 | if (c->session) \ | |
38 | gnutls_deinit(c->session); \ | |
39 | if (c->cred) \ | |
40 | gnutls_certificate_free_credentials(c->cred); \ | |
41 | } while (0) | |
42 | #elif CONFIG_OPENSSL | |
43 | #include <openssl/bio.h> | |
44 | #include <openssl/ssl.h> | |
45 | #include <openssl/err.h> | |
46 | #define TLS_read(c, buf, size) SSL_read(c->ssl, buf, size) | |
47 | #define TLS_write(c, buf, size) SSL_write(c->ssl, buf, size) | |
48 | #define TLS_shutdown(c) SSL_shutdown(c->ssl) | |
49 | #define TLS_free(c) do { \ | |
50 | if (c->ssl) \ | |
51 | SSL_free(c->ssl); \ | |
52 | if (c->ctx) \ | |
53 | SSL_CTX_free(c->ctx); \ | |
54 | } while (0) | |
55 | #endif | |
56 | #if HAVE_POLL_H | |
57 | #include <poll.h> | |
58 | #endif | |
59 | ||
60 | typedef struct { | |
61 | const AVClass *class; | |
62 | URLContext *tcp; | |
63 | #if CONFIG_GNUTLS | |
64 | gnutls_session_t session; | |
65 | gnutls_certificate_credentials_t cred; | |
66 | #elif CONFIG_OPENSSL | |
67 | SSL_CTX *ctx; | |
68 | SSL *ssl; | |
69 | #endif | |
70 | int fd; | |
71 | char *ca_file; | |
72 | int verify; | |
73 | char *cert_file; | |
74 | char *key_file; | |
75 | int listen; | |
76 | } TLSContext; | |
77 | ||
78 | #define OFFSET(x) offsetof(TLSContext, x) | |
79 | #define D AV_OPT_FLAG_DECODING_PARAM | |
80 | #define E AV_OPT_FLAG_ENCODING_PARAM | |
81 | static const AVOption options[] = { | |
82 | {"ca_file", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, .flags = D|E }, | |
83 | {"cafile", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, .flags = D|E }, | |
84 | {"tls_verify", "Verify the peer certificate", OFFSET(verify), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E }, | |
85 | {"cert_file", "Certificate file", OFFSET(cert_file), AV_OPT_TYPE_STRING, .flags = D|E }, | |
86 | {"key_file", "Private key file", OFFSET(key_file), AV_OPT_TYPE_STRING, .flags = D|E }, | |
87 | {"listen", "Listen for incoming connections", OFFSET(listen), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E }, | |
88 | { NULL } | |
89 | }; | |
90 | ||
91 | static const AVClass tls_class = { | |
92 | .class_name = "tls", | |
93 | .item_name = av_default_item_name, | |
94 | .option = options, | |
95 | .version = LIBAVUTIL_VERSION_INT, | |
96 | }; | |
97 | ||
98 | static int do_tls_poll(URLContext *h, int ret) | |
99 | { | |
100 | TLSContext *c = h->priv_data; | |
101 | struct pollfd p = { c->fd, 0, 0 }; | |
102 | #if CONFIG_GNUTLS | |
103 | switch (ret) { | |
104 | case GNUTLS_E_AGAIN: | |
105 | case GNUTLS_E_INTERRUPTED: | |
106 | break; | |
107 | case GNUTLS_E_WARNING_ALERT_RECEIVED: | |
108 | av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret)); | |
109 | break; | |
110 | default: | |
111 | av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret)); | |
112 | return AVERROR(EIO); | |
113 | } | |
114 | if (gnutls_record_get_direction(c->session)) | |
115 | p.events = POLLOUT; | |
116 | else | |
117 | p.events = POLLIN; | |
118 | #elif CONFIG_OPENSSL | |
119 | ret = SSL_get_error(c->ssl, ret); | |
120 | if (ret == SSL_ERROR_WANT_READ) { | |
121 | p.events = POLLIN; | |
122 | } else if (ret == SSL_ERROR_WANT_WRITE) { | |
123 | p.events = POLLOUT; | |
124 | } else { | |
125 | av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); | |
126 | return AVERROR(EIO); | |
127 | } | |
128 | #endif | |
129 | if (h->flags & AVIO_FLAG_NONBLOCK) | |
130 | return AVERROR(EAGAIN); | |
131 | while (1) { | |
132 | int n = poll(&p, 1, 100); | |
133 | if (n > 0) | |
134 | break; | |
135 | if (ff_check_interrupt(&h->interrupt_callback)) | |
136 | return AVERROR(EINTR); | |
137 | } | |
138 | return 0; | |
139 | } | |
140 | ||
141 | static void set_options(URLContext *h, const char *uri) | |
142 | { | |
143 | TLSContext *c = h->priv_data; | |
144 | char buf[1024]; | |
145 | const char *p = strchr(uri, '?'); | |
146 | if (!p) | |
147 | return; | |
148 | ||
149 | if (!c->ca_file && av_find_info_tag(buf, sizeof(buf), "cafile", p)) | |
150 | c->ca_file = av_strdup(buf); | |
151 | ||
152 | if (!c->verify && av_find_info_tag(buf, sizeof(buf), "verify", p)) { | |
153 | char *endptr = NULL; | |
154 | c->verify = strtol(buf, &endptr, 10); | |
155 | if (buf == endptr) | |
156 | c->verify = 1; | |
157 | } | |
158 | ||
159 | if (!c->cert_file && av_find_info_tag(buf, sizeof(buf), "cert", p)) | |
160 | c->cert_file = av_strdup(buf); | |
161 | ||
162 | if (!c->key_file && av_find_info_tag(buf, sizeof(buf), "key", p)) | |
163 | c->key_file = av_strdup(buf); | |
164 | } | |
165 | ||
166 | static int tls_open(URLContext *h, const char *uri, int flags) | |
167 | { | |
168 | TLSContext *c = h->priv_data; | |
169 | int ret; | |
170 | int port; | |
f6fa7814 | 171 | const char *p; |
2ba45a60 DM |
172 | char buf[200], host[200], opts[50] = ""; |
173 | int numerichost = 0; | |
174 | struct addrinfo hints = { 0 }, *ai = NULL; | |
175 | const char *proxy_path; | |
176 | int use_proxy; | |
2ba45a60 DM |
177 | |
178 | ff_tls_init(); | |
179 | ||
2ba45a60 DM |
180 | if (c->listen) |
181 | snprintf(opts, sizeof(opts), "?listen=1"); | |
182 | ||
183 | av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port, NULL, 0, uri); | |
f6fa7814 DM |
184 | |
185 | p = strchr(uri, '?'); | |
186 | ||
187 | if (!p) { | |
188 | p = opts; | |
189 | } else { | |
190 | if (av_find_info_tag(opts, sizeof(opts), "listen", p)) | |
191 | c->listen = 1; | |
192 | } | |
193 | ||
194 | ff_url_join(buf, sizeof(buf), "tcp", NULL, host, port, "%s", p); | |
2ba45a60 DM |
195 | |
196 | hints.ai_flags = AI_NUMERICHOST; | |
197 | if (!getaddrinfo(host, NULL, &hints, &ai)) { | |
198 | numerichost = 1; | |
199 | freeaddrinfo(ai); | |
200 | } | |
201 | ||
202 | proxy_path = getenv("http_proxy"); | |
203 | use_proxy = !ff_http_match_no_proxy(getenv("no_proxy"), host) && | |
204 | proxy_path && av_strstart(proxy_path, "http://", NULL); | |
205 | ||
206 | if (use_proxy) { | |
207 | char proxy_host[200], proxy_auth[200], dest[200]; | |
208 | int proxy_port; | |
209 | av_url_split(NULL, 0, proxy_auth, sizeof(proxy_auth), | |
210 | proxy_host, sizeof(proxy_host), &proxy_port, NULL, 0, | |
211 | proxy_path); | |
212 | ff_url_join(dest, sizeof(dest), NULL, NULL, host, port, NULL); | |
213 | ff_url_join(buf, sizeof(buf), "httpproxy", proxy_auth, proxy_host, | |
214 | proxy_port, "/%s", dest); | |
215 | } | |
216 | ||
217 | ret = ffurl_open(&c->tcp, buf, AVIO_FLAG_READ_WRITE, | |
218 | &h->interrupt_callback, NULL); | |
219 | if (ret) | |
220 | goto fail; | |
221 | c->fd = ffurl_get_file_handle(c->tcp); | |
222 | ||
223 | #if CONFIG_GNUTLS | |
224 | gnutls_init(&c->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT); | |
225 | if (!c->listen && !numerichost) | |
226 | gnutls_server_name_set(c->session, GNUTLS_NAME_DNS, host, strlen(host)); | |
227 | gnutls_certificate_allocate_credentials(&c->cred); | |
228 | set_options(h, uri); | |
229 | if (c->ca_file) { | |
230 | ret = gnutls_certificate_set_x509_trust_file(c->cred, c->ca_file, GNUTLS_X509_FMT_PEM); | |
231 | if (ret < 0) | |
232 | av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret)); | |
233 | } | |
234 | #if GNUTLS_VERSION_MAJOR >= 3 | |
235 | else | |
236 | gnutls_certificate_set_x509_system_trust(c->cred); | |
237 | #endif | |
238 | gnutls_certificate_set_verify_flags(c->cred, c->verify ? | |
239 | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0); | |
240 | if (c->cert_file && c->key_file) { | |
241 | ret = gnutls_certificate_set_x509_key_file(c->cred, | |
242 | c->cert_file, c->key_file, | |
243 | GNUTLS_X509_FMT_PEM); | |
244 | if (ret < 0) { | |
245 | av_log(h, AV_LOG_ERROR, | |
246 | "Unable to set cert/key files %s and %s: %s\n", | |
247 | c->cert_file, c->key_file, gnutls_strerror(ret)); | |
248 | ret = AVERROR(EIO); | |
249 | goto fail; | |
250 | } | |
251 | } else if (c->cert_file || c->key_file) | |
252 | av_log(h, AV_LOG_ERROR, "cert and key required\n"); | |
253 | gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, c->cred); | |
254 | gnutls_transport_set_ptr(c->session, (gnutls_transport_ptr_t) | |
255 | (intptr_t) c->fd); | |
256 | gnutls_priority_set_direct(c->session, "NORMAL", NULL); | |
257 | while (1) { | |
258 | ret = gnutls_handshake(c->session); | |
259 | if (ret == 0) | |
260 | break; | |
261 | if ((ret = do_tls_poll(h, ret)) < 0) | |
262 | goto fail; | |
263 | } | |
264 | if (c->verify) { | |
265 | unsigned int status, cert_list_size; | |
266 | gnutls_x509_crt_t cert; | |
267 | const gnutls_datum_t *cert_list; | |
268 | if ((ret = gnutls_certificate_verify_peers2(c->session, &status)) < 0) { | |
269 | av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n", | |
270 | gnutls_strerror(ret)); | |
271 | ret = AVERROR(EIO); | |
272 | goto fail; | |
273 | } | |
274 | if (status & GNUTLS_CERT_INVALID) { | |
275 | av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n"); | |
276 | ret = AVERROR(EIO); | |
277 | goto fail; | |
278 | } | |
279 | if (gnutls_certificate_type_get(c->session) != GNUTLS_CRT_X509) { | |
280 | av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n"); | |
281 | ret = AVERROR(EIO); | |
282 | goto fail; | |
283 | } | |
284 | gnutls_x509_crt_init(&cert); | |
285 | cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size); | |
286 | gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER); | |
287 | ret = gnutls_x509_crt_check_hostname(cert, host); | |
288 | gnutls_x509_crt_deinit(cert); | |
289 | if (!ret) { | |
290 | av_log(h, AV_LOG_ERROR, | |
291 | "The certificate's owner does not match hostname %s\n", host); | |
292 | ret = AVERROR(EIO); | |
293 | goto fail; | |
294 | } | |
295 | } | |
296 | #elif CONFIG_OPENSSL | |
297 | c->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); | |
298 | if (!c->ctx) { | |
299 | av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); | |
300 | ret = AVERROR(EIO); | |
301 | goto fail; | |
302 | } | |
303 | set_options(h, uri); | |
304 | if (c->ca_file) { | |
305 | if (!SSL_CTX_load_verify_locations(c->ctx, c->ca_file, NULL)) | |
306 | av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL)); | |
307 | } | |
308 | if (c->cert_file && !SSL_CTX_use_certificate_chain_file(c->ctx, c->cert_file)) { | |
309 | av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n", | |
310 | c->cert_file, ERR_error_string(ERR_get_error(), NULL)); | |
311 | ret = AVERROR(EIO); | |
312 | goto fail; | |
313 | } | |
314 | if (c->key_file && !SSL_CTX_use_PrivateKey_file(c->ctx, c->key_file, SSL_FILETYPE_PEM)) { | |
315 | av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n", | |
316 | c->key_file, ERR_error_string(ERR_get_error(), NULL)); | |
317 | ret = AVERROR(EIO); | |
318 | goto fail; | |
319 | } | |
320 | // Note, this doesn't check that the peer certificate actually matches | |
321 | // the requested hostname. | |
322 | if (c->verify) | |
323 | SSL_CTX_set_verify(c->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); | |
324 | c->ssl = SSL_new(c->ctx); | |
325 | if (!c->ssl) { | |
326 | av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); | |
327 | ret = AVERROR(EIO); | |
328 | goto fail; | |
329 | } | |
330 | SSL_set_fd(c->ssl, c->fd); | |
331 | if (!c->listen && !numerichost) | |
332 | SSL_set_tlsext_host_name(c->ssl, host); | |
333 | while (1) { | |
334 | ret = c->listen ? SSL_accept(c->ssl) : SSL_connect(c->ssl); | |
335 | if (ret > 0) | |
336 | break; | |
337 | if (ret == 0) { | |
338 | av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n"); | |
339 | ret = AVERROR(EIO); | |
340 | goto fail; | |
341 | } | |
342 | if ((ret = do_tls_poll(h, ret)) < 0) | |
343 | goto fail; | |
344 | } | |
345 | #endif | |
346 | return 0; | |
347 | fail: | |
348 | TLS_free(c); | |
349 | if (c->tcp) | |
350 | ffurl_close(c->tcp); | |
351 | ff_tls_deinit(); | |
352 | return ret; | |
353 | } | |
354 | ||
355 | static int tls_read(URLContext *h, uint8_t *buf, int size) | |
356 | { | |
357 | TLSContext *c = h->priv_data; | |
358 | while (1) { | |
359 | int ret = TLS_read(c, buf, size); | |
360 | if (ret > 0) | |
361 | return ret; | |
362 | if (ret == 0) | |
363 | return AVERROR_EOF; | |
364 | if ((ret = do_tls_poll(h, ret)) < 0) | |
365 | return ret; | |
366 | } | |
367 | return 0; | |
368 | } | |
369 | ||
370 | static int tls_write(URLContext *h, const uint8_t *buf, int size) | |
371 | { | |
372 | TLSContext *c = h->priv_data; | |
373 | while (1) { | |
374 | int ret = TLS_write(c, buf, size); | |
375 | if (ret > 0) | |
376 | return ret; | |
377 | if (ret == 0) | |
378 | return AVERROR_EOF; | |
379 | if ((ret = do_tls_poll(h, ret)) < 0) | |
380 | return ret; | |
381 | } | |
382 | return 0; | |
383 | } | |
384 | ||
385 | static int tls_close(URLContext *h) | |
386 | { | |
387 | TLSContext *c = h->priv_data; | |
388 | TLS_shutdown(c); | |
389 | TLS_free(c); | |
390 | ffurl_close(c->tcp); | |
391 | ff_tls_deinit(); | |
392 | return 0; | |
393 | } | |
394 | ||
395 | URLProtocol ff_tls_protocol = { | |
396 | .name = "tls", | |
397 | .url_open = tls_open, | |
398 | .url_read = tls_read, | |
399 | .url_write = tls_write, | |
400 | .url_close = tls_close, | |
401 | .priv_data_size = sizeof(TLSContext), | |
402 | .flags = URL_PROTOCOL_FLAG_NETWORK, | |
403 | .priv_data_class = &tls_class, | |
404 | }; |