X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Ftls_openssl.c;h=1d813cbbb58a7e762feb59f0429a8cd3ac6fdb1b;hb=e3d993fab0ad4255dffd10a794fc5e1bd37047b7;hp=4a2fcfd7718c4431a0599f4d3ce13c5b8fdc3cd2;hpb=6a9c00c09d2bc50c0ea64ba092b2f4afc46aa978;p=ffmpeg diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 4a2fcfd7718..1d813cbbb58 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -2,20 +2,20 @@ * TLS/SSL Protocol * Copyright (c) 2011 Martin Storsjo * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -46,9 +46,10 @@ typedef struct TLSContext { #if OPENSSL_VERSION_NUMBER >= 0x1010000fL BIO_METHOD* url_bio_method; #endif + int io_err; } TLSContext; -#if HAVE_THREADS +#if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L #include pthread_mutex_t *openssl_mutexes; static void openssl_lock(int mode, int type, const char *file, int line) @@ -66,16 +67,28 @@ static unsigned long openssl_thread_id(void) #endif #endif -void ff_openssl_init(void) +int ff_openssl_init(void) { - avpriv_lock_avformat(); + ff_lock_avformat(); if (!openssl_init) { + /* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are + * using OpenSSL 1.1.0 or above, then the library will initialize + * itself automatically. + * https://wiki.openssl.org/index.php/Library_Initialization + */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); SSL_load_error_strings(); -#if HAVE_THREADS +#endif +#if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L if (!CRYPTO_get_locking_callback()) { int i; - openssl_mutexes = av_malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks()); + openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks()); + if (!openssl_mutexes) { + ff_unlock_avformat(); + return AVERROR(ENOMEM); + } + for (i = 0; i < CRYPTO_num_locks(); i++) pthread_mutex_init(&openssl_mutexes[i], NULL); CRYPTO_set_locking_callback(openssl_lock); @@ -86,15 +99,17 @@ void ff_openssl_init(void) #endif } openssl_init++; - avpriv_unlock_avformat(); + ff_unlock_avformat(); + + return 0; } void ff_openssl_deinit(void) { - avpriv_lock_avformat(); + ff_lock_avformat(); openssl_init--; if (!openssl_init) { -#if HAVE_THREADS +#if HAVE_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L if (CRYPTO_get_locking_callback() == openssl_lock) { int i; CRYPTO_set_locking_callback(NULL); @@ -104,19 +119,31 @@ void ff_openssl_deinit(void) } #endif } - avpriv_unlock_avformat(); + ff_unlock_avformat(); } static int print_tls_error(URLContext *h, int ret) { TLSContext *c = h->priv_data; + int printed = 0, e, averr = AVERROR(EIO); if (h->flags & AVIO_FLAG_NONBLOCK) { int err = SSL_get_error(c->ssl, ret); if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) return AVERROR(EAGAIN); } - av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); - return AVERROR(EIO); + while ((e = ERR_get_error()) != 0) { + av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(e, NULL)); + printed = 1; + } + if (c->io_err) { + av_log(h, AV_LOG_ERROR, "IO error: %s\n", av_err2str(c->io_err)); + printed = 1; + averr = c->io_err; + c->io_err = 0; + } + if (!printed) + av_log(h, AV_LOG_ERROR, "Unknown error\n"); + return averr; } static int tls_close(URLContext *h) @@ -128,8 +155,7 @@ static int tls_close(URLContext *h) } if (c->ctx) SSL_CTX_free(c->ctx); - if (c->tls_shared.tcp) - ffurl_close(c->tls_shared.tcp); + ffurl_closep(&c->tls_shared.tcp); #if OPENSSL_VERSION_NUMBER >= 0x1010000fL if (c->url_bio_method) BIO_meth_free(c->url_bio_method); @@ -165,29 +191,33 @@ static int url_bio_destroy(BIO *b) static int url_bio_bread(BIO *b, char *buf, int len) { - URLContext *h = GET_BIO_DATA(b); - int ret = ffurl_read(h, buf, len); + TLSContext *c = GET_BIO_DATA(b); + int ret = ffurl_read(c->tls_shared.tcp, buf, len); if (ret >= 0) return ret; BIO_clear_retry_flags(b); - if (ret == AVERROR(EAGAIN)) - BIO_set_retry_read(b); if (ret == AVERROR_EXIT) return 0; + if (ret == AVERROR(EAGAIN)) + BIO_set_retry_read(b); + else + c->io_err = ret; return -1; } static int url_bio_bwrite(BIO *b, const char *buf, int len) { - URLContext *h = GET_BIO_DATA(b); - int ret = ffurl_write(h, buf, len); + TLSContext *c = GET_BIO_DATA(b); + int ret = ffurl_write(c->tls_shared.tcp, buf, len); if (ret >= 0) return ret; BIO_clear_retry_flags(b); - if (ret == AVERROR(EAGAIN)) - BIO_set_retry_write(b); if (ret == AVERROR_EXIT) return 0; + if (ret == AVERROR(EAGAIN)) + BIO_set_retry_write(b); + else + c->io_err = ret; return -1; } @@ -226,7 +256,8 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op BIO *bio; int ret; - ff_openssl_init(); + if ((ret = ff_openssl_init()) < 0) + return ret; if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) goto fail; @@ -242,8 +273,10 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); - if (c->ca_file) - SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL); + if (c->ca_file) { + if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL)) + av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL)); + } if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) { av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n", c->cert_file, ERR_error_string(ERR_get_error(), NULL)); @@ -259,7 +292,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op // Note, this doesn't check that the peer certificate actually matches // the requested hostname. if (c->verify) - SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER, NULL); + SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); p->ssl = SSL_new(p->ctx); if (!p->ssl) { av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); @@ -275,10 +308,10 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op BIO_meth_set_create(p->url_bio_method, url_bio_create); BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy); bio = BIO_new(p->url_bio_method); - BIO_set_data(bio, c->tcp); + BIO_set_data(bio, p); #else bio = BIO_new(&url_bio_method); - bio->ptr = c->tcp; + bio->ptr = p; #endif SSL_set_bio(p->ssl, bio, bio); if (!c->listen && !c->numerichost) @@ -329,6 +362,18 @@ static int tls_write(URLContext *h, const uint8_t *buf, int size) return print_tls_error(h, ret); } +static int tls_get_file_handle(URLContext *h) +{ + TLSContext *c = h->priv_data; + return ffurl_get_file_handle(c->tls_shared.tcp); +} + +static int tls_get_short_seek(URLContext *h) +{ + TLSContext *s = h->priv_data; + return ffurl_get_short_seek(s->tls_shared.tcp); +} + static const AVOption options[] = { TLS_COMMON_OPTIONS(TLSContext, tls_shared), { NULL } @@ -347,6 +392,8 @@ const URLProtocol ff_tls_protocol = { .url_read = tls_read, .url_write = tls_write, .url_close = tls_close, + .url_get_file_handle = tls_get_file_handle, + .url_get_short_seek = tls_get_short_seek, .priv_data_size = sizeof(TLSContext), .flags = URL_PROTOCOL_FLAG_NETWORK, .priv_data_class = &tls_class,