FFmpeg  4.3.9
tls_gnutls.c
Go to the documentation of this file.
1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include <errno.h>
23 
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26 
27 #include "avformat.h"
28 #include "internal.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavcodec/internal.h"
34 #include "libavutil/avstring.h"
35 #include "libavutil/opt.h"
36 #include "libavutil/parseutils.h"
37 
38 #ifndef GNUTLS_VERSION_NUMBER
39 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
40 #endif
41 
42 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
43 #include <gcrypt.h>
44 #include "libavutil/thread.h"
45 GCRY_THREAD_OPTION_PTHREAD_IMPL;
46 #endif
47 
48 typedef struct TLSContext {
49  const AVClass *class;
51  gnutls_session_t session;
52  gnutls_certificate_credentials_t cred;
54 } TLSContext;
55 
56 void ff_gnutls_init(void)
57 {
59 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
60  if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
61  gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
62 #endif
63  gnutls_global_init();
65 }
66 
67 void ff_gnutls_deinit(void)
68 {
70  gnutls_global_deinit();
72 }
73 
74 static int print_tls_error(URLContext *h, int ret)
75 {
76  switch (ret) {
77  case GNUTLS_E_AGAIN:
78  return AVERROR(EAGAIN);
79  case GNUTLS_E_INTERRUPTED:
80 #ifdef GNUTLS_E_PREMATURE_TERMINATION
81  case GNUTLS_E_PREMATURE_TERMINATION:
82 #endif
83  break;
84  case GNUTLS_E_WARNING_ALERT_RECEIVED:
85  av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
86  break;
87  default:
88  av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
89  break;
90  }
91  return AVERROR(EIO);
92 }
93 
94 static int tls_close(URLContext *h)
95 {
96  TLSContext *c = h->priv_data;
97  if (c->need_shutdown)
98  gnutls_bye(c->session, GNUTLS_SHUT_WR);
99  if (c->session)
100  gnutls_deinit(c->session);
101  if (c->cred)
102  gnutls_certificate_free_credentials(c->cred);
105  return 0;
106 }
107 
108 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
109  void *buf, size_t len)
110 {
111  URLContext *h = (URLContext*) transport;
112  int ret = ffurl_read(h, buf, len);
113  if (ret >= 0)
114  return ret;
115  if (ret == AVERROR_EXIT)
116  return 0;
117  if (ret == AVERROR(EAGAIN))
118  errno = EAGAIN;
119  else
120  errno = EIO;
121  return -1;
122 }
123 
124 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
125  const void *buf, size_t len)
126 {
127  URLContext *h = (URLContext*) transport;
128  int ret = ffurl_write(h, buf, len);
129  if (ret >= 0)
130  return ret;
131  if (ret == AVERROR_EXIT)
132  return 0;
133  if (ret == AVERROR(EAGAIN))
134  errno = EAGAIN;
135  else
136  errno = EIO;
137  return -1;
138 }
139 
140 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
141 {
142  TLSContext *p = h->priv_data;
143  TLSShared *c = &p->tls_shared;
144  int ret;
145 
146  ff_gnutls_init();
147 
148  if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
149  goto fail;
150 
151  gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
152  if (!c->listen && !c->numerichost)
153  gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));
154  gnutls_certificate_allocate_credentials(&p->cred);
155  if (c->ca_file) {
156  ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
157  if (ret < 0)
158  av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
159  }
160 #if GNUTLS_VERSION_NUMBER >= 0x030020
161  else
162  gnutls_certificate_set_x509_system_trust(p->cred);
163 #endif
164  gnutls_certificate_set_verify_flags(p->cred, c->verify ?
165  GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
166  if (c->cert_file && c->key_file) {
167  ret = gnutls_certificate_set_x509_key_file(p->cred,
168  c->cert_file, c->key_file,
169  GNUTLS_X509_FMT_PEM);
170  if (ret < 0) {
171  av_log(h, AV_LOG_ERROR,
172  "Unable to set cert/key files %s and %s: %s\n",
173  c->cert_file, c->key_file, gnutls_strerror(ret));
174  ret = AVERROR(EIO);
175  goto fail;
176  }
177  } else if (c->cert_file || c->key_file)
178  av_log(h, AV_LOG_ERROR, "cert and key required\n");
179  gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
180  gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
181  gnutls_transport_set_push_function(p->session, gnutls_url_push);
182  gnutls_transport_set_ptr(p->session, c->tcp);
183  gnutls_priority_set_direct(p->session, "NORMAL", NULL);
184  do {
186  ret = AVERROR_EXIT;
187  goto fail;
188  }
189 
190  ret = gnutls_handshake(p->session);
191  if (gnutls_error_is_fatal(ret)) {
192  ret = print_tls_error(h, ret);
193  goto fail;
194  }
195  } while (ret);
196  p->need_shutdown = 1;
197  if (c->verify) {
198  unsigned int status, cert_list_size;
199  gnutls_x509_crt_t cert;
200  const gnutls_datum_t *cert_list;
201  if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {
202  av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
203  gnutls_strerror(ret));
204  ret = AVERROR(EIO);
205  goto fail;
206  }
207  if (status & GNUTLS_CERT_INVALID) {
208  av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
209  ret = AVERROR(EIO);
210  goto fail;
211  }
212  if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
213  av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
214  ret = AVERROR(EIO);
215  goto fail;
216  }
217  gnutls_x509_crt_init(&cert);
218  cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
219  gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
220  ret = gnutls_x509_crt_check_hostname(cert, c->host);
221  gnutls_x509_crt_deinit(cert);
222  if (!ret) {
223  av_log(h, AV_LOG_ERROR,
224  "The certificate's owner does not match hostname %s\n", c->host);
225  ret = AVERROR(EIO);
226  goto fail;
227  }
228  }
229 
230  return 0;
231 fail:
232  tls_close(h);
233  return ret;
234 }
235 
236 static int tls_read(URLContext *h, uint8_t *buf, int size)
237 {
238  TLSContext *c = h->priv_data;
239  int ret;
240  // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
243  ret = gnutls_record_recv(c->session, buf, size);
244  if (ret > 0)
245  return ret;
246  if (ret == 0)
247  return AVERROR_EOF;
248  return print_tls_error(h, ret);
249 }
250 
251 static int tls_write(URLContext *h, const uint8_t *buf, int size)
252 {
253  TLSContext *c = h->priv_data;
254  int ret;
255  // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
258  ret = gnutls_record_send(c->session, buf, size);
259  if (ret > 0)
260  return ret;
261  if (ret == 0)
262  return AVERROR_EOF;
263  return print_tls_error(h, ret);
264 }
265 
267 {
268  TLSContext *c = h->priv_data;
270 }
271 
272 static const AVOption options[] = {
274  { NULL }
275 };
276 
277 static const AVClass tls_class = {
278  .class_name = "tls",
279  .item_name = av_default_item_name,
280  .option = options,
281  .version = LIBAVUTIL_VERSION_INT,
282 };
283 
285  .name = "tls",
286  .url_open2 = tls_open,
287  .url_read = tls_read,
288  .url_write = tls_write,
289  .url_close = tls_close,
290  .url_get_file_handle = tls_get_file_handle,
291  .priv_data_size = sizeof(TLSContext),
293  .priv_data_class = &tls_class,
294 };
#define NULL
Definition: coverity.c:32
int size
#define URL_PROTOCOL_FLAG_NETWORK
Definition: url.h:34
AVOption.
Definition: opt.h:246
int verify
Definition: tls.h:31
#define AV_LOG_WARNING
Something somehow does not look correct.
Definition: log.h:182
#define LIBAVUTIL_VERSION_INT
Definition: version.h:85
int ffurl_write(URLContext *h, const unsigned char *buf, int size)
Write size bytes from buf to the resource accessed by h.
Definition: avio.c:423
void ff_gnutls_deinit(void)
Definition: tls_gnutls.c:67
AVIOInterruptCB interrupt_callback
Definition: url.h:47
const char * av_default_item_name(void *ptr)
Return the context name.
Definition: log.c:235
int flags
Definition: url.h:43
int listen
Definition: tls.h:34
static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport, const void *buf, size_t len)
Definition: tls_gnutls.c:124
static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport, void *buf, size_t len)
Definition: tls_gnutls.c:108
gnutls_certificate_credentials_t cred
Definition: tls_gnutls.c:52
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
Definition: log.h:72
uint8_t
AVOptions.
miscellaneous OS support macros and functions.
static const AVClass tls_class
Definition: tls_gnutls.c:277
Definition: tls.h:29
#define AVERROR_EOF
End of file.
Definition: error.h:55
void ff_gnutls_init(void)
Definition: tls_gnutls.c:56
#define av_log(a,...)
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
Definition: log.h:176
#define AVERROR(e)
Definition: error.h:43
static int tls_read(URLContext *h, uint8_t *buf, int size)
Definition: tls_gnutls.c:236
#define fail()
Definition: checkasm.h:123
char * host
Definition: tls.h:36
int ff_unlock_avformat(void)
Definition: utils.c:83
#define TLS_COMMON_OPTIONS(pstruct, options_field)
Definition: tls.h:45
static int tls_close(URLContext *h)
Definition: tls_gnutls.c:94
char * cert_file
Definition: tls.h:32
gnutls_session_t session
Definition: tls_gnutls.c:51
int ffurl_get_file_handle(URLContext *h)
Return the file descriptor associated with this URL.
Definition: avio.c:628
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
Definition: error.h:56
char * ca_file
Definition: tls.h:30
int ffurl_closep(URLContext **hh)
Close the resource accessed by the URLContext h, and free the memory used by it.
Definition: avio.c:446
int ff_check_interrupt(AVIOInterruptCB *cb)
Check if the user has requested to interrupt a blocking function associated with cb.
Definition: avio.c:666
#define AVIO_FLAG_NONBLOCK
Use non-blocking mode.
Definition: avio.h:693
TLSShared tls_shared
Definition: tls_gnutls.c:50
Definition: url.h:38
static int print_tls_error(URLContext *h, int ret)
Definition: tls_gnutls.c:74
Describe the class of an AVClass context structure.
Definition: log.h:67
void * priv_data
Definition: url.h:41
misc parsing utilities
const char * name
Definition: url.h:55
#define flags(name, subs,...)
Definition: cbs_av1.c:576
Main libavformat public API header.
common internal api header.
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
Definition: tls.c:56
static double c[64]
URLContext * tcp
Definition: tls.h:41
int numerichost
Definition: tls.h:39
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_gnutls.c:140
int len
static int tls_write(URLContext *h, const uint8_t *buf, int size)
Definition: tls_gnutls.c:251
int need_shutdown
Definition: tls_gnutls.c:53
int ff_lock_avformat(void)
Definition: utils.c:78
unbuffered private I/O API
static int tls_get_file_handle(URLContext *h)
Definition: tls_gnutls.c:266
int ffurl_read(URLContext *h, unsigned char *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf...
Definition: avio.c:409
char * key_file
Definition: tls.h:33
const URLProtocol ff_tls_protocol
Definition: tls_gnutls.c:284
static const AVOption options[]
Definition: tls_gnutls.c:272