Subversion Repositories Kolibri OS

Rev

Blame | Last modification | View Log | RSS feed

  1. /*
  2.  * TLS/SSL Protocol
  3.  * Copyright (c) 2011 Martin Storsjo
  4.  *
  5.  * This file is part of FFmpeg.
  6.  *
  7.  * FFmpeg is free software; you can redistribute it and/or
  8.  * modify it under the terms of the GNU Lesser General Public
  9.  * License as published by the Free Software Foundation; either
  10.  * version 2.1 of the License, or (at your option) any later version.
  11.  *
  12.  * FFmpeg is distributed in the hope that it will be useful,
  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  15.  * Lesser General Public License for more details.
  16.  *
  17.  * You should have received a copy of the GNU Lesser General Public
  18.  * License along with FFmpeg; if not, write to the Free Software
  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  20.  */
  21.  
  22. #include "avformat.h"
  23. #include "internal.h"
  24. #include "network.h"
  25. #include "os_support.h"
  26. #include "url.h"
  27. #include "tls.h"
  28. #include "libavcodec/internal.h"
  29. #include "libavutil/avstring.h"
  30. #include "libavutil/avutil.h"
  31. #include "libavutil/opt.h"
  32. #include "libavutil/parseutils.h"
  33. #include "libavutil/thread.h"
  34.  
  35. #include <openssl/bio.h>
  36. #include <openssl/ssl.h>
  37. #include <openssl/err.h>
  38.  
  39. static int openssl_init;
  40.  
  41. typedef struct TLSContext {
  42.     const AVClass *class;
  43.     TLSShared tls_shared;
  44.     SSL_CTX *ctx;
  45.     SSL *ssl;
  46. } TLSContext;
  47.  
  48. #if HAVE_THREADS
  49. #include <openssl/crypto.h>
  50. pthread_mutex_t *openssl_mutexes;
  51. static void openssl_lock(int mode, int type, const char *file, int line)
  52. {
  53.     if (mode & CRYPTO_LOCK)
  54.         pthread_mutex_lock(&openssl_mutexes[type]);
  55.     else
  56.         pthread_mutex_unlock(&openssl_mutexes[type]);
  57. }
  58. #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
  59. static unsigned long openssl_thread_id(void)
  60. {
  61.     return (intptr_t) pthread_self();
  62. }
  63. #endif
  64. #endif
  65.  
  66. int ff_openssl_init(void)
  67. {
  68.     avpriv_lock_avformat();
  69.     if (!openssl_init) {
  70.         SSL_library_init();
  71.         SSL_load_error_strings();
  72. #if HAVE_THREADS
  73.         if (!CRYPTO_get_locking_callback()) {
  74.             int i;
  75.             openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks());
  76.             if (!openssl_mutexes) {
  77.                 avpriv_unlock_avformat();
  78.                 return AVERROR(ENOMEM);
  79.             }
  80.  
  81.             for (i = 0; i < CRYPTO_num_locks(); i++)
  82.                 pthread_mutex_init(&openssl_mutexes[i], NULL);
  83.             CRYPTO_set_locking_callback(openssl_lock);
  84. #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
  85.             CRYPTO_set_id_callback(openssl_thread_id);
  86. #endif
  87.         }
  88. #endif
  89.     }
  90.     openssl_init++;
  91.     avpriv_unlock_avformat();
  92.  
  93.     return 0;
  94. }
  95.  
  96. void ff_openssl_deinit(void)
  97. {
  98.     avpriv_lock_avformat();
  99.     openssl_init--;
  100.     if (!openssl_init) {
  101. #if HAVE_THREADS
  102.         if (CRYPTO_get_locking_callback() == openssl_lock) {
  103.             int i;
  104.             CRYPTO_set_locking_callback(NULL);
  105.             for (i = 0; i < CRYPTO_num_locks(); i++)
  106.                 pthread_mutex_destroy(&openssl_mutexes[i]);
  107.             av_free(openssl_mutexes);
  108.         }
  109. #endif
  110.     }
  111.     avpriv_unlock_avformat();
  112. }
  113.  
  114. static int print_tls_error(URLContext *h, int ret)
  115. {
  116.     av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
  117.     return AVERROR(EIO);
  118. }
  119.  
  120. static int tls_close(URLContext *h)
  121. {
  122.     TLSContext *c = h->priv_data;
  123.     if (c->ssl) {
  124.         SSL_shutdown(c->ssl);
  125.         SSL_free(c->ssl);
  126.     }
  127.     if (c->ctx)
  128.         SSL_CTX_free(c->ctx);
  129.     if (c->tls_shared.tcp)
  130.         ffurl_close(c->tls_shared.tcp);
  131.     ff_openssl_deinit();
  132.     return 0;
  133. }
  134.  
  135. static int url_bio_create(BIO *b)
  136. {
  137.     b->init = 1;
  138.     b->ptr = NULL;
  139.     b->flags = 0;
  140.     return 1;
  141. }
  142.  
  143. static int url_bio_destroy(BIO *b)
  144. {
  145.     return 1;
  146. }
  147.  
  148. static int url_bio_bread(BIO *b, char *buf, int len)
  149. {
  150.     URLContext *h = b->ptr;
  151.     int ret = ffurl_read(h, buf, len);
  152.     if (ret >= 0)
  153.         return ret;
  154.     BIO_clear_retry_flags(b);
  155.     if (ret == AVERROR_EXIT)
  156.         return 0;
  157.     return -1;
  158. }
  159.  
  160. static int url_bio_bwrite(BIO *b, const char *buf, int len)
  161. {
  162.     URLContext *h = b->ptr;
  163.     int ret = ffurl_write(h, buf, len);
  164.     if (ret >= 0)
  165.         return ret;
  166.     BIO_clear_retry_flags(b);
  167.     if (ret == AVERROR_EXIT)
  168.         return 0;
  169.     return -1;
  170. }
  171.  
  172. static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr)
  173. {
  174.     if (cmd == BIO_CTRL_FLUSH) {
  175.         BIO_clear_retry_flags(b);
  176.         return 1;
  177.     }
  178.     return 0;
  179. }
  180.  
  181. static int url_bio_bputs(BIO *b, const char *str)
  182. {
  183.     return url_bio_bwrite(b, str, strlen(str));
  184. }
  185.  
  186. static BIO_METHOD url_bio_method = {
  187.     .type = BIO_TYPE_SOURCE_SINK,
  188.     .name = "urlprotocol bio",
  189.     .bwrite = url_bio_bwrite,
  190.     .bread = url_bio_bread,
  191.     .bputs = url_bio_bputs,
  192.     .bgets = NULL,
  193.     .ctrl = url_bio_ctrl,
  194.     .create = url_bio_create,
  195.     .destroy = url_bio_destroy,
  196. };
  197.  
  198. static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
  199. {
  200.     TLSContext *p = h->priv_data;
  201.     TLSShared *c = &p->tls_shared;
  202.     BIO *bio;
  203.     int ret;
  204.  
  205.     if ((ret = ff_openssl_init()) < 0)
  206.         return ret;
  207.  
  208.     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
  209.         goto fail;
  210.  
  211.     p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method());
  212.     if (!p->ctx) {
  213.         av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
  214.         ret = AVERROR(EIO);
  215.         goto fail;
  216.     }
  217.     if (c->ca_file) {
  218.         if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
  219.             av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
  220.     }
  221.     if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {
  222.         av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n",
  223.                c->cert_file, ERR_error_string(ERR_get_error(), NULL));
  224.         ret = AVERROR(EIO);
  225.         goto fail;
  226.     }
  227.     if (c->key_file && !SSL_CTX_use_PrivateKey_file(p->ctx, c->key_file, SSL_FILETYPE_PEM)) {
  228.         av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n",
  229.                c->key_file, ERR_error_string(ERR_get_error(), NULL));
  230.         ret = AVERROR(EIO);
  231.         goto fail;
  232.     }
  233.     // Note, this doesn't check that the peer certificate actually matches
  234.     // the requested hostname.
  235.     if (c->verify)
  236.         SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
  237.     p->ssl = SSL_new(p->ctx);
  238.     if (!p->ssl) {
  239.         av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
  240.         ret = AVERROR(EIO);
  241.         goto fail;
  242.     }
  243.     bio = BIO_new(&url_bio_method);
  244.     bio->ptr = c->tcp;
  245.     SSL_set_bio(p->ssl, bio, bio);
  246.     if (!c->listen && !c->numerichost)
  247.         SSL_set_tlsext_host_name(p->ssl, c->host);
  248.     ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
  249.     if (ret == 0) {
  250.         av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
  251.         ret = AVERROR(EIO);
  252.         goto fail;
  253.     } else if (ret < 0) {
  254.         ret = print_tls_error(h, ret);
  255.         goto fail;
  256.     }
  257.  
  258.     return 0;
  259. fail:
  260.     tls_close(h);
  261.     return ret;
  262. }
  263.  
  264. static int tls_read(URLContext *h, uint8_t *buf, int size)
  265. {
  266.     TLSContext *c = h->priv_data;
  267.     int ret = SSL_read(c->ssl, buf, size);
  268.     if (ret > 0)
  269.         return ret;
  270.     if (ret == 0)
  271.         return AVERROR_EOF;
  272.     return print_tls_error(h, ret);
  273. }
  274.  
  275. static int tls_write(URLContext *h, const uint8_t *buf, int size)
  276. {
  277.     TLSContext *c = h->priv_data;
  278.     int ret = SSL_write(c->ssl, buf, size);
  279.     if (ret > 0)
  280.         return ret;
  281.     if (ret == 0)
  282.         return AVERROR_EOF;
  283.     return print_tls_error(h, ret);
  284. }
  285.  
  286. static const AVOption options[] = {
  287.     TLS_COMMON_OPTIONS(TLSContext, tls_shared),
  288.     { NULL }
  289. };
  290.  
  291. static const AVClass tls_class = {
  292.     .class_name = "tls",
  293.     .item_name  = av_default_item_name,
  294.     .option     = options,
  295.     .version    = LIBAVUTIL_VERSION_INT,
  296. };
  297.  
  298. URLProtocol ff_tls_openssl_protocol = {
  299.     .name           = "tls",
  300.     .url_open2      = tls_open,
  301.     .url_read       = tls_read,
  302.     .url_write      = tls_write,
  303.     .url_close      = tls_close,
  304.     .priv_data_size = sizeof(TLSContext),
  305.     .flags          = URL_PROTOCOL_FLAG_NETWORK,
  306.     .priv_data_class = &tls_class,
  307. };
  308.