3 * Copyright (c) 2011 Martin Storsjo
5 * This file is part of Libav.
7 * Libav is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * Libav is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with Libav; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
24 #include "libavutil/avstring.h"
25 #include "libavutil/parseutils.h"
27 #include <gnutls/gnutls.h>
28 #define TLS_read(c, buf, size) gnutls_record_recv(c->session, buf, size)
29 #define TLS_write(c, buf, size) gnutls_record_send(c->session, buf, size)
30 #define TLS_shutdown(c) gnutls_bye(c->session, GNUTLS_SHUT_RDWR)
31 #define TLS_free(c) do { \
33 gnutls_deinit(c->session); \
35 gnutls_certificate_free_credentials(c->cred); \
38 #include <openssl/bio.h>
39 #include <openssl/ssl.h>
40 #include <openssl/err.h>
41 #define TLS_read(c, buf, size) SSL_read(c->ssl, buf, size)
42 #define TLS_write(c, buf, size) SSL_write(c->ssl, buf, size)
43 #define TLS_shutdown(c) SSL_shutdown(c->ssl)
44 #define TLS_free(c) do { \
48 SSL_CTX_free(c->ctx); \
52 #include "os_support.h"
62 gnutls_session_t session;
63 gnutls_certificate_credentials_t cred;
71 static int do_tls_poll(URLContext *h, int ret)
73 TLSContext *c = h->priv_data;
74 struct pollfd p = { c->fd, 0, 0 };
76 if (ret != GNUTLS_E_AGAIN && ret != GNUTLS_E_INTERRUPTED) {
77 av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
80 if (gnutls_record_get_direction(c->session))
85 ret = SSL_get_error(c->ssl, ret);
86 if (ret == SSL_ERROR_WANT_READ) {
88 } else if (ret == SSL_ERROR_WANT_WRITE) {
91 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
95 if (h->flags & AVIO_FLAG_NONBLOCK)
96 return AVERROR(EAGAIN);
98 int n = poll(&p, 1, 100);
101 if (ff_check_interrupt(&h->interrupt_callback))
102 return AVERROR(EINTR);
107 static void set_options(URLContext *h, const char *uri)
109 TLSContext *c = h->priv_data;
110 char buf[1024], key[1024];
111 int has_cert, has_key, verify = 0;
115 const char *p = strchr(uri, '?');
119 if (av_find_info_tag(buf, sizeof(buf), "cafile", p)) {
121 ret = gnutls_certificate_set_x509_trust_file(c->cred, buf, GNUTLS_X509_FMT_PEM);
123 av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
125 if (!SSL_CTX_load_verify_locations(c->ctx, buf, NULL))
126 av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
130 if (av_find_info_tag(buf, sizeof(buf), "verify", p)) {
132 verify = strtol(buf, &endptr, 10);
137 has_cert = av_find_info_tag(buf, sizeof(buf), "cert", p);
138 has_key = av_find_info_tag(key, sizeof(key), "key", p);
140 if (has_cert && has_key) {
141 ret = gnutls_certificate_set_x509_key_file(c->cred, buf, key, GNUTLS_X509_FMT_PEM);
143 av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
144 } else if (has_cert ^ has_key) {
145 av_log(h, AV_LOG_ERROR, "cert and key required\n");
147 gnutls_certificate_set_verify_flags(c->cred, verify);
149 if (has_cert && !SSL_CTX_use_certificate_chain_file(c->ctx, buf))
150 av_log(h, AV_LOG_ERROR, "SSL_CTX_use_certificate_chain_file %s\n", ERR_error_string(ERR_get_error(), NULL));
151 if (has_key && !SSL_CTX_use_PrivateKey_file(c->ctx, key, SSL_FILETYPE_PEM))
152 av_log(h, AV_LOG_ERROR, "SSL_CTX_use_PrivateKey_file %s\n", ERR_error_string(ERR_get_error(), NULL));
154 SSL_CTX_set_verify(c->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
158 static int tls_open(URLContext *h, const char *uri, int flags)
160 TLSContext *c = h->priv_data;
163 char buf[200], host[200], path[1024];
165 struct addrinfo hints = { 0 }, *ai = NULL;
166 const char *proxy_path;
169 const char *p = strchr(uri, '?');
170 if (p && av_find_info_tag(buf, sizeof(buf), "listen", p))
175 proxy_path = getenv("http_proxy");
176 use_proxy = (proxy_path != NULL) && !getenv("no_proxy") &&
177 av_strstart(proxy_path, "http://", NULL);
179 av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port, path, sizeof(path), uri);
180 ff_url_join(buf, sizeof(buf), "tcp", NULL, host, port, "%s", path);
182 hints.ai_flags = AI_NUMERICHOST;
183 if (!getaddrinfo(host, NULL, &hints, &ai)) {
189 char proxy_host[200], proxy_auth[200], dest[200];
191 av_url_split(NULL, 0, proxy_auth, sizeof(proxy_auth),
192 proxy_host, sizeof(proxy_host), &proxy_port, NULL, 0,
194 ff_url_join(dest, sizeof(dest), NULL, NULL, host, port, NULL);
195 ff_url_join(buf, sizeof(buf), "httpproxy", proxy_auth, proxy_host,
196 proxy_port, "/%s", dest);
199 ret = ffurl_open(&c->tcp, buf, AVIO_FLAG_READ_WRITE,
200 &h->interrupt_callback, NULL);
203 c->fd = ffurl_get_file_handle(c->tcp);
206 gnutls_init(&c->session, server ? GNUTLS_SERVER : GNUTLS_CLIENT);
208 gnutls_server_name_set(c->session, GNUTLS_NAME_DNS, host, strlen(host));
209 gnutls_certificate_allocate_credentials(&c->cred);
211 gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, c->cred);
212 gnutls_transport_set_ptr(c->session, (gnutls_transport_ptr_t)
214 gnutls_priority_set_direct(c->session, "NORMAL", NULL);
216 ret = gnutls_handshake(c->session);
219 if ((ret = do_tls_poll(h, ret)) < 0)
223 c->ctx = SSL_CTX_new(server ? TLSv1_server_method() : TLSv1_client_method());
225 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
230 c->ssl = SSL_new(c->ctx);
232 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
236 SSL_set_fd(c->ssl, c->fd);
237 if (!server && !numerichost)
238 SSL_set_tlsext_host_name(c->ssl, host);
240 ret = server ? SSL_accept(c->ssl) : SSL_connect(c->ssl);
244 av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
248 if ((ret = do_tls_poll(h, ret)) < 0)
261 static int tls_read(URLContext *h, uint8_t *buf, int size)
263 TLSContext *c = h->priv_data;
265 int ret = TLS_read(c, buf, size);
270 if ((ret = do_tls_poll(h, ret)) < 0)
276 static int tls_write(URLContext *h, const uint8_t *buf, int size)
278 TLSContext *c = h->priv_data;
280 int ret = TLS_write(c, buf, size);
285 if ((ret = do_tls_poll(h, ret)) < 0)
291 static int tls_close(URLContext *h)
293 TLSContext *c = h->priv_data;
301 URLProtocol ff_tls_protocol = {
303 .url_open = tls_open,
304 .url_read = tls_read,
305 .url_write = tls_write,
306 .url_close = tls_close,
307 .priv_data_size = sizeof(TLSContext),
308 .flags = URL_PROTOCOL_FLAG_NETWORK,