]> git.sesse.net Git - ffmpeg/blob - libavformat/tls_gnutls.c
projects / ffmpeg / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge commit '41cf3e3b1ca375962951fde1b90a03b16197d205'
[ffmpeg] / libavformat / tls_gnutls.c
1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21
22 #include <errno.h>
23
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26
27 #include "avformat.h"
28 #include "internal.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavcodec/internal.h"
34 #include "libavutil/avstring.h"
35 #include "libavutil/opt.h"
36 #include "libavutil/parseutils.h"
37
38 #ifndef GNUTLS_VERSION_NUMBER
39 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
40 #endif
41
42 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
43 #include <gcrypt.h>
44 #include "libavutil/thread.h"
45 GCRY_THREAD_OPTION_PTHREAD_IMPL;
46 #endif
47
48 typedef struct TLSContext {
49     const AVClass *class;
50     TLSShared tls_shared;
51     gnutls_session_t session;
52     gnutls_certificate_credentials_t cred;
53     int need_shutdown;
54 } TLSContext;
55
56 void ff_gnutls_init(void)
57 {
58     ff_lock_avformat();
59 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
60     if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
61         gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
62 #endif
63     gnutls_global_init();
64     ff_unlock_avformat();
65 }
66
67 void ff_gnutls_deinit(void)
68 {
69     ff_lock_avformat();
70     gnutls_global_deinit();
71     ff_unlock_avformat();
72 }
73
74 static int print_tls_error(URLContext *h, int ret)
75 {
76     switch (ret) {
77     case GNUTLS_E_AGAIN:
78         return AVERROR(EAGAIN);
79     case GNUTLS_E_INTERRUPTED:
80 #ifdef GNUTLS_E_PREMATURE_TERMINATION
81     case GNUTLS_E_PREMATURE_TERMINATION:
82 #endif
83         break;
84     case GNUTLS_E_WARNING_ALERT_RECEIVED:
85         av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
86         break;
87     default:
88         av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
89         break;
90     }
91     return AVERROR(EIO);
92 }
93
94 static int tls_close(URLContext *h)
95 {
96     TLSContext *c = h->priv_data;
97     if (c->need_shutdown)
98         gnutls_bye(c->session, GNUTLS_SHUT_WR);
99     if (c->session)
100         gnutls_deinit(c->session);
101     if (c->cred)
102         gnutls_certificate_free_credentials(c->cred);
103     if (c->tls_shared.tcp)
104         ffurl_close(c->tls_shared.tcp);
105     ff_gnutls_deinit();
106     return 0;
107 }
108
109 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
110                                void *buf, size_t len)
111 {
112     URLContext *h = (URLContext*) transport;
113     int ret = ffurl_read(h, buf, len);
114     if (ret >= 0)
115         return ret;
116     if (ret == AVERROR_EXIT)
117         return 0;
118     if (ret == AVERROR(EAGAIN))
119         errno = EAGAIN;
120     else
121         errno = EIO;
122     return -1;
123 }
124
125 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
126                                const void *buf, size_t len)
127 {
128     URLContext *h = (URLContext*) transport;
129     int ret = ffurl_write(h, buf, len);
130     if (ret >= 0)
131         return ret;
132     if (ret == AVERROR_EXIT)
133         return 0;
134     if (ret == AVERROR(EAGAIN))
135         errno = EAGAIN;
136     else
137         errno = EIO;
138     return -1;
139 }
140
141 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
142 {
143     TLSContext *p = h->priv_data;
144     TLSShared *c = &p->tls_shared;
145     int ret;
146
147     ff_gnutls_init();
148
149     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
150         goto fail;
151
152     gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
153     if (!c->listen && !c->numerichost)
154         gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));
155     gnutls_certificate_allocate_credentials(&p->cred);
156     if (c->ca_file) {
157         ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
158         if (ret < 0)
159             av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
160     }
161 #if GNUTLS_VERSION_NUMBER >= 0x030020
162     else
163         gnutls_certificate_set_x509_system_trust(p->cred);
164 #endif
165     gnutls_certificate_set_verify_flags(p->cred, c->verify ?
166                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
167     if (c->cert_file && c->key_file) {
168         ret = gnutls_certificate_set_x509_key_file(p->cred,
169                                                    c->cert_file, c->key_file,
170                                                    GNUTLS_X509_FMT_PEM);
171         if (ret < 0) {
172             av_log(h, AV_LOG_ERROR,
173                    "Unable to set cert/key files %s and %s: %s\n",
174                    c->cert_file, c->key_file, gnutls_strerror(ret));
175             ret = AVERROR(EIO);
176             goto fail;
177         }
178     } else if (c->cert_file || c->key_file)
179         av_log(h, AV_LOG_ERROR, "cert and key required\n");
180     gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
181     gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
182     gnutls_transport_set_push_function(p->session, gnutls_url_push);
183     gnutls_transport_set_ptr(p->session, c->tcp);
184     gnutls_priority_set_direct(p->session, "NORMAL", NULL);
185     ret = gnutls_handshake(p->session);
186     if (ret) {
187         ret = print_tls_error(h, ret);
188         goto fail;
189     }
190     p->need_shutdown = 1;
191     if (c->verify) {
192         unsigned int status, cert_list_size;
193         gnutls_x509_crt_t cert;
194         const gnutls_datum_t *cert_list;
195         if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {
196             av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
197                                     gnutls_strerror(ret));
198             ret = AVERROR(EIO);
199             goto fail;
200         }
201         if (status & GNUTLS_CERT_INVALID) {
202             av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
203             ret = AVERROR(EIO);
204             goto fail;
205         }
206         if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
207             av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
208             ret = AVERROR(EIO);
209             goto fail;
210         }
211         gnutls_x509_crt_init(&cert);
212         cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
213         gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
214         ret = gnutls_x509_crt_check_hostname(cert, c->host);
215         gnutls_x509_crt_deinit(cert);
216         if (!ret) {
217             av_log(h, AV_LOG_ERROR,
218                    "The certificate's owner does not match hostname %s\n", c->host);
219             ret = AVERROR(EIO);
220             goto fail;
221         }
222     }
223
224     return 0;
225 fail:
226     tls_close(h);
227     return ret;
228 }
229
230 static int tls_read(URLContext *h, uint8_t *buf, int size)
231 {
232     TLSContext *c = h->priv_data;
233     int ret;
234     // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
235     c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
236     c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
237     ret = gnutls_record_recv(c->session, buf, size);
238     if (ret > 0)
239         return ret;
240     if (ret == 0)
241         return AVERROR_EOF;
242     return print_tls_error(h, ret);
243 }
244
245 static int tls_write(URLContext *h, const uint8_t *buf, int size)
246 {
247     TLSContext *c = h->priv_data;
248     int ret;
249     // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
250     c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
251     c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
252     ret = gnutls_record_send(c->session, buf, size);
253     if (ret > 0)
254         return ret;
255     if (ret == 0)
256         return AVERROR_EOF;
257     return print_tls_error(h, ret);
258 }
259
260 static int tls_get_file_handle(URLContext *h)
261 {
262     TLSContext *c = h->priv_data;
263     return ffurl_get_file_handle(c->tls_shared.tcp);
264 }
265
266 static const AVOption options[] = {
267     TLS_COMMON_OPTIONS(TLSContext, tls_shared),
268     { NULL }
269 };
270
271 static const AVClass tls_class = {
272     .class_name = "tls",
273     .item_name  = av_default_item_name,
274     .option     = options,
275     .version    = LIBAVUTIL_VERSION_INT,
276 };
277
278 const URLProtocol ff_tls_protocol = {
279     .name           = "tls",
280     .url_open2      = tls_open,
281     .url_read       = tls_read,
282     .url_write      = tls_write,
283     .url_close      = tls_close,
284     .url_get_file_handle = tls_get_file_handle,
285     .priv_data_size = sizeof(TLSContext),
286     .flags          = URL_PROTOCOL_FLAG_NETWORK,
287     .priv_data_class = &tls_class,
288 };
Unnamed repository; edit this file 'description' to name the repository.