]> git.sesse.net Git - ffmpeg/blob - libavformat/tls_gnutls.c
projects / ffmpeg / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
avformat/http: escape unsafe URL path in HTTP request
[ffmpeg] / libavformat / tls_gnutls.c
1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21
22 #include <errno.h>
23
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26
27 #include "avformat.h"
28 #include "internal.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavcodec/internal.h"
34 #include "libavutil/avstring.h"
35 #include "libavutil/opt.h"
36 #include "libavutil/parseutils.h"
37
38 #ifndef GNUTLS_VERSION_NUMBER
39 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
40 #endif
41
42 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
43 #include <gcrypt.h>
44 #include "libavutil/thread.h"
45 GCRY_THREAD_OPTION_PTHREAD_IMPL;
46 #endif
47
48 typedef struct TLSContext {
49     const AVClass *class;
50     TLSShared tls_shared;
51     gnutls_session_t session;
52     gnutls_certificate_credentials_t cred;
53     int need_shutdown;
54 } TLSContext;
55
56 void ff_gnutls_init(void)
57 {
58     ff_lock_avformat();
59 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
60     if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
61         gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
62 #endif
63     gnutls_global_init();
64     ff_unlock_avformat();
65 }
66
67 void ff_gnutls_deinit(void)
68 {
69     ff_lock_avformat();
70     gnutls_global_deinit();
71     ff_unlock_avformat();
72 }
73
74 static int print_tls_error(URLContext *h, int ret)
75 {
76     switch (ret) {
77     case GNUTLS_E_AGAIN:
78         return AVERROR(EAGAIN);
79     case GNUTLS_E_INTERRUPTED:
80 #ifdef GNUTLS_E_PREMATURE_TERMINATION
81     case GNUTLS_E_PREMATURE_TERMINATION:
82 #endif
83         break;
84     case GNUTLS_E_WARNING_ALERT_RECEIVED:
85         av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
86         break;
87     default:
88         av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
89         break;
90     }
91     return AVERROR(EIO);
92 }
93
94 static int tls_close(URLContext *h)
95 {
96     TLSContext *c = h->priv_data;
97     if (c->need_shutdown)
98         gnutls_bye(c->session, GNUTLS_SHUT_WR);
99     if (c->session)
100         gnutls_deinit(c->session);
101     if (c->cred)
102         gnutls_certificate_free_credentials(c->cred);
103     if (c->tls_shared.tcp)
104         ffurl_close(c->tls_shared.tcp);
105     ff_gnutls_deinit();
106     return 0;
107 }
108
109 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
110                                void *buf, size_t len)
111 {
112     URLContext *h = (URLContext*) transport;
113     int ret = ffurl_read(h, buf, len);
114     if (ret >= 0)
115         return ret;
116     if (ret == AVERROR_EXIT)
117         return 0;
118     if (ret == AVERROR(EAGAIN))
119         errno = EAGAIN;
120     else
121         errno = EIO;
122     return -1;
123 }
124
125 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
126                                const void *buf, size_t len)
127 {
128     URLContext *h = (URLContext*) transport;
129     int ret = ffurl_write(h, buf, len);
130     if (ret >= 0)
131         return ret;
132     if (ret == AVERROR_EXIT)
133         return 0;
134     if (ret == AVERROR(EAGAIN))
135         errno = EAGAIN;
136     else
137         errno = EIO;
138     return -1;
139 }
140
141 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
142 {
143     TLSContext *p = h->priv_data;
144     TLSShared *c = &p->tls_shared;
145     int ret;
146
147     ff_gnutls_init();
148
149     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
150         goto fail;
151
152     gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
153     if (!c->listen && !c->numerichost)
154         gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));
155     gnutls_certificate_allocate_credentials(&p->cred);
156     if (c->ca_file) {
157         ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
158         if (ret < 0)
159             av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
160     }
161 #if GNUTLS_VERSION_NUMBER >= 0x030020
162     else
163         gnutls_certificate_set_x509_system_trust(p->cred);
164 #endif
165     gnutls_certificate_set_verify_flags(p->cred, c->verify ?
166                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
167     if (c->cert_file && c->key_file) {
168         ret = gnutls_certificate_set_x509_key_file(p->cred,
169                                                    c->cert_file, c->key_file,
170                                                    GNUTLS_X509_FMT_PEM);
171         if (ret < 0) {
172             av_log(h, AV_LOG_ERROR,
173                    "Unable to set cert/key files %s and %s: %s\n",
174                    c->cert_file, c->key_file, gnutls_strerror(ret));
175             ret = AVERROR(EIO);
176             goto fail;
177         }
178     } else if (c->cert_file || c->key_file)
179         av_log(h, AV_LOG_ERROR, "cert and key required\n");
180     gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
181     gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
182     gnutls_transport_set_push_function(p->session, gnutls_url_push);
183     gnutls_transport_set_ptr(p->session, c->tcp);
184     gnutls_priority_set_direct(p->session, "NORMAL", NULL);
185     do {
186         ret = gnutls_handshake(p->session);
187         if (gnutls_error_is_fatal(ret)) {
188             ret = print_tls_error(h, ret);
189             goto fail;
190         }
191     } while (ret);
192     p->need_shutdown = 1;
193     if (c->verify) {
194         unsigned int status, cert_list_size;
195         gnutls_x509_crt_t cert;
196         const gnutls_datum_t *cert_list;
197         if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {
198             av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
199                                     gnutls_strerror(ret));
200             ret = AVERROR(EIO);
201             goto fail;
202         }
203         if (status & GNUTLS_CERT_INVALID) {
204             av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
205             ret = AVERROR(EIO);
206             goto fail;
207         }
208         if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
209             av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
210             ret = AVERROR(EIO);
211             goto fail;
212         }
213         gnutls_x509_crt_init(&cert);
214         cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
215         gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
216         ret = gnutls_x509_crt_check_hostname(cert, c->host);
217         gnutls_x509_crt_deinit(cert);
218         if (!ret) {
219             av_log(h, AV_LOG_ERROR,
220                    "The certificate's owner does not match hostname %s\n", c->host);
221             ret = AVERROR(EIO);
222             goto fail;
223         }
224     }
225
226     return 0;
227 fail:
228     tls_close(h);
229     return ret;
230 }
231
232 static int tls_read(URLContext *h, uint8_t *buf, int size)
233 {
234     TLSContext *c = h->priv_data;
235     int ret;
236     // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
237     c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
238     c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
239     ret = gnutls_record_recv(c->session, buf, size);
240     if (ret > 0)
241         return ret;
242     if (ret == 0)
243         return AVERROR_EOF;
244     return print_tls_error(h, ret);
245 }
246
247 static int tls_write(URLContext *h, const uint8_t *buf, int size)
248 {
249     TLSContext *c = h->priv_data;
250     int ret;
251     // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
252     c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
253     c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
254     ret = gnutls_record_send(c->session, buf, size);
255     if (ret > 0)
256         return ret;
257     if (ret == 0)
258         return AVERROR_EOF;
259     return print_tls_error(h, ret);
260 }
261
262 static int tls_get_file_handle(URLContext *h)
263 {
264     TLSContext *c = h->priv_data;
265     return ffurl_get_file_handle(c->tls_shared.tcp);
266 }
267
268 static const AVOption options[] = {
269     TLS_COMMON_OPTIONS(TLSContext, tls_shared),
270     { NULL }
271 };
272
273 static const AVClass tls_class = {
274     .class_name = "tls",
275     .item_name  = av_default_item_name,
276     .option     = options,
277     .version    = LIBAVUTIL_VERSION_INT,
278 };
279
280 const URLProtocol ff_tls_protocol = {
281     .name           = "tls",
282     .url_open2      = tls_open,
283     .url_read       = tls_read,
284     .url_write      = tls_write,
285     .url_close      = tls_close,
286     .url_get_file_handle = tls_get_file_handle,
287     .priv_data_size = sizeof(TLSContext),
288     .flags          = URL_PROTOCOL_FLAG_NETWORK,
289     .priv_data_class = &tls_class,
290 };
Unnamed repository; edit this file 'description' to name the repository.