* TLS/SSL Protocol
* Copyright (c) 2011 Martin Storsjo
*
- * This file is part of Libav.
+ * This file is part of FFmpeg.
*
- * Libav is free software; you can redistribute it and/or
+ * FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
- * Libav is distributed in the hope that it will be useful,
+ * FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
- * License along with Libav; if not, write to the Free Software
+ * License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
BIO_METHOD* url_bio_method;
#endif
+ int io_err;
} TLSContext;
-#if HAVE_THREADS
+#if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
#include <openssl/crypto.h>
pthread_mutex_t *openssl_mutexes;
static void openssl_lock(int mode, int type, const char *file, int line)
#endif
#endif
-void ff_openssl_init(void)
+int ff_openssl_init(void)
{
- avpriv_lock_avformat();
+ ff_lock_avformat();
if (!openssl_init) {
+ /* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are
+ * using OpenSSL 1.1.0 or above, then the library will initialize
+ * itself automatically.
+ * https://wiki.openssl.org/index.php/Library_Initialization
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_library_init();
SSL_load_error_strings();
-#if HAVE_THREADS
+#endif
+#if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
if (!CRYPTO_get_locking_callback()) {
int i;
- openssl_mutexes = av_malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
+ openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks());
+ if (!openssl_mutexes) {
+ ff_unlock_avformat();
+ return AVERROR(ENOMEM);
+ }
+
for (i = 0; i < CRYPTO_num_locks(); i++)
pthread_mutex_init(&openssl_mutexes[i], NULL);
CRYPTO_set_locking_callback(openssl_lock);
#endif
}
openssl_init++;
- avpriv_unlock_avformat();
+ ff_unlock_avformat();
+
+ return 0;
}
void ff_openssl_deinit(void)
{
- avpriv_lock_avformat();
+ ff_lock_avformat();
openssl_init--;
if (!openssl_init) {
-#if HAVE_THREADS
+#if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
if (CRYPTO_get_locking_callback() == openssl_lock) {
int i;
CRYPTO_set_locking_callback(NULL);
}
#endif
}
- avpriv_unlock_avformat();
+ ff_unlock_avformat();
}
static int print_tls_error(URLContext *h, int ret)
{
TLSContext *c = h->priv_data;
+ int printed = 0, e, averr = AVERROR(EIO);
if (h->flags & AVIO_FLAG_NONBLOCK) {
int err = SSL_get_error(c->ssl, ret);
if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE)
return AVERROR(EAGAIN);
}
- av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
- return AVERROR(EIO);
+ while ((e = ERR_get_error()) != 0) {
+ av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(e, NULL));
+ printed = 1;
+ }
+ if (c->io_err) {
+ av_log(h, AV_LOG_ERROR, "IO error: %s\n", av_err2str(c->io_err));
+ printed = 1;
+ averr = c->io_err;
+ c->io_err = 0;
+ }
+ if (!printed)
+ av_log(h, AV_LOG_ERROR, "Unknown error\n");
+ return averr;
}
static int tls_close(URLContext *h)
}
if (c->ctx)
SSL_CTX_free(c->ctx);
- if (c->tls_shared.tcp)
- ffurl_close(c->tls_shared.tcp);
+ ffurl_closep(&c->tls_shared.tcp);
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
if (c->url_bio_method)
BIO_meth_free(c->url_bio_method);
static int url_bio_bread(BIO *b, char *buf, int len)
{
- URLContext *h = GET_BIO_DATA(b);
- int ret = ffurl_read(h, buf, len);
+ TLSContext *c = GET_BIO_DATA(b);
+ int ret = ffurl_read(c->tls_shared.tcp, buf, len);
if (ret >= 0)
return ret;
BIO_clear_retry_flags(b);
- if (ret == AVERROR(EAGAIN))
- BIO_set_retry_read(b);
if (ret == AVERROR_EXIT)
return 0;
+ if (ret == AVERROR(EAGAIN))
+ BIO_set_retry_read(b);
+ else
+ c->io_err = ret;
return -1;
}
static int url_bio_bwrite(BIO *b, const char *buf, int len)
{
- URLContext *h = GET_BIO_DATA(b);
- int ret = ffurl_write(h, buf, len);
+ TLSContext *c = GET_BIO_DATA(b);
+ int ret = ffurl_write(c->tls_shared.tcp, buf, len);
if (ret >= 0)
return ret;
BIO_clear_retry_flags(b);
- if (ret == AVERROR(EAGAIN))
- BIO_set_retry_write(b);
if (ret == AVERROR_EXIT)
return 0;
+ if (ret == AVERROR(EAGAIN))
+ BIO_set_retry_write(b);
+ else
+ c->io_err = ret;
return -1;
}
BIO *bio;
int ret;
- ff_openssl_init();
+ if ((ret = ff_openssl_init()) < 0)
+ return ret;
if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
goto fail;
goto fail;
}
SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
- if (c->ca_file)
- SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL);
+ if (c->ca_file) {
+ if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
+ av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
+ }
if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {
av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n",
c->cert_file, ERR_error_string(ERR_get_error(), NULL));
// Note, this doesn't check that the peer certificate actually matches
// the requested hostname.
if (c->verify)
- SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
p->ssl = SSL_new(p->ctx);
if (!p->ssl) {
av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
BIO_meth_set_create(p->url_bio_method, url_bio_create);
BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
bio = BIO_new(p->url_bio_method);
- BIO_set_data(bio, c->tcp);
+ BIO_set_data(bio, p);
#else
bio = BIO_new(&url_bio_method);
- bio->ptr = c->tcp;
+ bio->ptr = p;
#endif
SSL_set_bio(p->ssl, bio, bio);
if (!c->listen && !c->numerichost)
return print_tls_error(h, ret);
}
+static int tls_get_file_handle(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ return ffurl_get_file_handle(c->tls_shared.tcp);
+}
+
+static int tls_get_short_seek(URLContext *h)
+{
+ TLSContext *s = h->priv_data;
+ return ffurl_get_short_seek(s->tls_shared.tcp);
+}
+
static const AVOption options[] = {
TLS_COMMON_OPTIONS(TLSContext, tls_shared),
{ NULL }
.url_read = tls_read,
.url_write = tls_write,
.url_close = tls_close,
+ .url_get_file_handle = tls_get_file_handle,
+ .url_get_short_seek = tls_get_short_seek,
.priv_data_size = sizeof(TLSContext),
.flags = URL_PROTOCOL_FLAG_NETWORK,
.priv_data_class = &tls_class,