3 * Copyright (c) 2011 Martin Storsjo
5 * This file is part of FFmpeg.
7 * FFmpeg is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * FFmpeg is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with FFmpeg; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
25 #include "os_support.h"
28 #include "libavcodec/internal.h"
29 #include "libavutil/avstring.h"
30 #include "libavutil/avutil.h"
31 #include "libavutil/opt.h"
32 #include "libavutil/parseutils.h"
33 #include "libavutil/thread.h"
35 #include <openssl/bio.h>
36 #include <openssl/ssl.h>
37 #include <openssl/err.h>
39 static int openssl_init;
41 typedef struct TLSContext {
46 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
47 BIO_METHOD* url_bio_method;
52 #include <openssl/crypto.h>
53 pthread_mutex_t *openssl_mutexes;
54 static void openssl_lock(int mode, int type, const char *file, int line)
56 if (mode & CRYPTO_LOCK)
57 pthread_mutex_lock(&openssl_mutexes[type]);
59 pthread_mutex_unlock(&openssl_mutexes[type]);
61 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
62 static unsigned long openssl_thread_id(void)
64 return (intptr_t) pthread_self();
69 int ff_openssl_init(void)
74 SSL_load_error_strings();
76 if (!CRYPTO_get_locking_callback()) {
78 openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks());
79 if (!openssl_mutexes) {
81 return AVERROR(ENOMEM);
84 for (i = 0; i < CRYPTO_num_locks(); i++)
85 pthread_mutex_init(&openssl_mutexes[i], NULL);
86 CRYPTO_set_locking_callback(openssl_lock);
87 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
88 CRYPTO_set_id_callback(openssl_thread_id);
99 void ff_openssl_deinit(void)
105 if (CRYPTO_get_locking_callback() == openssl_lock) {
107 CRYPTO_set_locking_callback(NULL);
108 for (i = 0; i < CRYPTO_num_locks(); i++)
109 pthread_mutex_destroy(&openssl_mutexes[i]);
110 av_free(openssl_mutexes);
114 ff_unlock_avformat();
117 static int print_tls_error(URLContext *h, int ret)
119 TLSContext *c = h->priv_data;
120 if (h->flags & AVIO_FLAG_NONBLOCK) {
121 int err = SSL_get_error(c->ssl, ret);
122 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_READ)
123 return AVERROR(EAGAIN);
125 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
129 static int tls_close(URLContext *h)
131 TLSContext *c = h->priv_data;
133 SSL_shutdown(c->ssl);
137 SSL_CTX_free(c->ctx);
138 if (c->tls_shared.tcp)
139 ffurl_close(c->tls_shared.tcp);
140 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
141 if (c->url_bio_method)
142 BIO_meth_free(c->url_bio_method);
148 static int url_bio_create(BIO *b)
150 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
152 BIO_set_data(b, NULL);
162 static int url_bio_destroy(BIO *b)
167 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
168 #define GET_BIO_DATA(x) BIO_get_data(x)
170 #define GET_BIO_DATA(x) (x)->ptr
173 static int url_bio_bread(BIO *b, char *buf, int len)
175 URLContext *h = GET_BIO_DATA(b);
176 int ret = ffurl_read(h, buf, len);
179 BIO_clear_retry_flags(b);
180 if (ret == AVERROR(EAGAIN))
181 BIO_set_retry_read(b);
182 if (ret == AVERROR_EXIT)
187 static int url_bio_bwrite(BIO *b, const char *buf, int len)
189 URLContext *h = GET_BIO_DATA(b);
190 int ret = ffurl_write(h, buf, len);
193 BIO_clear_retry_flags(b);
194 if (ret == AVERROR(EAGAIN))
195 BIO_set_retry_write(b);
196 if (ret == AVERROR_EXIT)
201 static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr)
203 if (cmd == BIO_CTRL_FLUSH) {
204 BIO_clear_retry_flags(b);
210 static int url_bio_bputs(BIO *b, const char *str)
212 return url_bio_bwrite(b, str, strlen(str));
215 #if OPENSSL_VERSION_NUMBER < 0x1010000fL
216 static BIO_METHOD url_bio_method = {
217 .type = BIO_TYPE_SOURCE_SINK,
218 .name = "urlprotocol bio",
219 .bwrite = url_bio_bwrite,
220 .bread = url_bio_bread,
221 .bputs = url_bio_bputs,
223 .ctrl = url_bio_ctrl,
224 .create = url_bio_create,
225 .destroy = url_bio_destroy,
229 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
231 TLSContext *p = h->priv_data;
232 TLSShared *c = &p->tls_shared;
236 if ((ret = ff_openssl_init()) < 0)
239 if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
242 // We want to support all versions of TLS >= 1.0, but not the deprecated
243 // and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method()
244 // enables support for all versions of SSL and TLS, and we then disable
245 // support for the old protocols immediately after creating the context.
246 p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
248 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
252 SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
254 if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
255 av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
257 if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {
258 av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n",
259 c->cert_file, ERR_error_string(ERR_get_error(), NULL));
263 if (c->key_file && !SSL_CTX_use_PrivateKey_file(p->ctx, c->key_file, SSL_FILETYPE_PEM)) {
264 av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n",
265 c->key_file, ERR_error_string(ERR_get_error(), NULL));
269 // Note, this doesn't check that the peer certificate actually matches
270 // the requested hostname.
272 SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
273 p->ssl = SSL_new(p->ctx);
275 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
279 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
280 p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
281 BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
282 BIO_meth_set_read(p->url_bio_method, url_bio_bread);
283 BIO_meth_set_puts(p->url_bio_method, url_bio_bputs);
284 BIO_meth_set_ctrl(p->url_bio_method, url_bio_ctrl);
285 BIO_meth_set_create(p->url_bio_method, url_bio_create);
286 BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
287 bio = BIO_new(p->url_bio_method);
288 BIO_set_data(bio, c->tcp);
290 bio = BIO_new(&url_bio_method);
293 SSL_set_bio(p->ssl, bio, bio);
294 if (!c->listen && !c->numerichost)
295 SSL_set_tlsext_host_name(p->ssl, c->host);
296 ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
298 av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
301 } else if (ret < 0) {
302 ret = print_tls_error(h, ret);
312 static int tls_read(URLContext *h, uint8_t *buf, int size)
314 TLSContext *c = h->priv_data;
316 // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
317 c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
318 c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
319 ret = SSL_read(c->ssl, buf, size);
324 return print_tls_error(h, ret);
327 static int tls_write(URLContext *h, const uint8_t *buf, int size)
329 TLSContext *c = h->priv_data;
331 // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
332 c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
333 c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
334 ret = SSL_write(c->ssl, buf, size);
339 return print_tls_error(h, ret);
342 static int tls_get_file_handle(URLContext *h)
344 TLSContext *c = h->priv_data;
345 return ffurl_get_file_handle(c->tls_shared.tcp);
348 static const AVOption options[] = {
349 TLS_COMMON_OPTIONS(TLSContext, tls_shared),
353 static const AVClass tls_class = {
355 .item_name = av_default_item_name,
357 .version = LIBAVUTIL_VERSION_INT,
360 const URLProtocol ff_tls_protocol = {
362 .url_open2 = tls_open,
363 .url_read = tls_read,
364 .url_write = tls_write,
365 .url_close = tls_close,
366 .url_get_file_handle = tls_get_file_handle,
367 .priv_data_size = sizeof(TLSContext),
368 .flags = URL_PROTOCOL_FLAG_NETWORK,
369 .priv_data_class = &tls_class,