platform/external/ffmpeg.git - Unnamed repository; edit this file 'description' to name the repository.

1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21
22 #include <errno.h>
23
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26
27 #include "avformat.h"
28 #include "internal.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavcodec/internal.h"
34 #include "libavutil/avstring.h"
35 #include "libavutil/opt.h"
36 #include "libavutil/parseutils.h"
37
38 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
39 #include <gcrypt.h>
40 #include "libavutil/thread.h"
41 GCRY_THREAD_OPTION_PTHREAD_IMPL;
42 #endif
43
44 typedef struct TLSContext {
45     const AVClass *class;
46     TLSShared tls_shared;
47     gnutls_session_t session;
48     gnutls_certificate_credentials_t cred;
49     int need_shutdown;
50 } TLSContext;
51
52 void ff_gnutls_init(void)
53 {
54     avpriv_lock_avformat();
55 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
56     if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
57         gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
58 #endif
59     gnutls_global_init();
60     avpriv_unlock_avformat();
61 }
62
63 void ff_gnutls_deinit(void)
64 {
65     avpriv_lock_avformat();
66     gnutls_global_deinit();
67     avpriv_unlock_avformat();
68 }
69
70 static int print_tls_error(URLContext *h, int ret)
71 {
72     switch (ret) {
73     case GNUTLS_E_AGAIN:
74     case GNUTLS_E_INTERRUPTED:
75         break;
76     case GNUTLS_E_WARNING_ALERT_RECEIVED:
77         av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
78         break;
79     default:
80         av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
81         break;
82     }
83     return AVERROR(EIO);
84 }
85
86 static int tls_close(URLContext *h)
87 {
88     TLSContext *c = h->priv_data;
89     if (c->need_shutdown)
90         gnutls_bye(c->session, GNUTLS_SHUT_WR);
91     if (c->session)
92         gnutls_deinit(c->session);
93     if (c->cred)
94         gnutls_certificate_free_credentials(c->cred);
95     if (c->tls_shared.tcp)
96         ffurl_close(c->tls_shared.tcp);
97     ff_gnutls_deinit();
98     return 0;
99 }
100
101 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
102                                void *buf, size_t len)
103 {
104     URLContext *h = (URLContext*) transport;
105     int ret = ffurl_read(h, buf, len);
106     if (ret >= 0)
107         return ret;
108     if (ret == AVERROR_EXIT)
109         return 0;
110     errno = EIO;
111     return -1;
112 }
113
114 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
115                                const void *buf, size_t len)
116 {
117     URLContext *h = (URLContext*) transport;
118     int ret = ffurl_write(h, buf, len);
119     if (ret >= 0)
120         return ret;
121     if (ret == AVERROR_EXIT)
122         return 0;
123     errno = EIO;
124     return -1;
125 }
126
127 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
128 {
129     TLSContext *p = h->priv_data;
130     TLSShared *c = &p->tls_shared;
131     int ret;
132
133     ff_gnutls_init();
134
135     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
136         goto fail;
137
138     gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
139     if (!c->listen && !c->numerichost)
140         gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));
141     gnutls_certificate_allocate_credentials(&p->cred);
142     if (c->ca_file) {
143         ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
144         if (ret < 0)
145             av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
146     }
147 #if GNUTLS_VERSION_NUMBER >= 0x030020
148     else
149         gnutls_certificate_set_x509_system_trust(p->cred);
150 #endif
151     gnutls_certificate_set_verify_flags(p->cred, c->verify ?
152                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
153     if (c->cert_file && c->key_file) {
154         ret = gnutls_certificate_set_x509_key_file(p->cred,
155                                                    c->cert_file, c->key_file,
156                                                    GNUTLS_X509_FMT_PEM);
157         if (ret < 0) {
158             av_log(h, AV_LOG_ERROR,
159                    "Unable to set cert/key files %s and %s: %s\n",
160                    c->cert_file, c->key_file, gnutls_strerror(ret));
161             ret = AVERROR(EIO);
162             goto fail;
163         }
164     } else if (c->cert_file || c->key_file)
165         av_log(h, AV_LOG_ERROR, "cert and key required\n");
166     gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
167     gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
168     gnutls_transport_set_push_function(p->session, gnutls_url_push);
169     gnutls_transport_set_ptr(p->session, c->tcp);
170     gnutls_priority_set_direct(p->session, "NORMAL", NULL);
171     ret = gnutls_handshake(p->session);
172     if (ret) {
173         ret = print_tls_error(h, ret);
174         goto fail;
175     }
176     p->need_shutdown = 1;
177     if (c->verify) {
178         unsigned int status, cert_list_size;
179         gnutls_x509_crt_t cert;
180         const gnutls_datum_t *cert_list;
181         if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {
182             av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
183                                     gnutls_strerror(ret));
184             ret = AVERROR(EIO);
185             goto fail;
186         }
187         if (status & GNUTLS_CERT_INVALID) {
188             av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
189             ret = AVERROR(EIO);
190             goto fail;
191         }
192         if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
193             av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
194             ret = AVERROR(EIO);
195             goto fail;
196         }
197         gnutls_x509_crt_init(&cert);
198         cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
199         gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
200         ret = gnutls_x509_crt_check_hostname(cert, c->host);
201         gnutls_x509_crt_deinit(cert);
202         if (!ret) {
203             av_log(h, AV_LOG_ERROR,
204                    "The certificate's owner does not match hostname %s\n", c->host);
205             ret = AVERROR(EIO);
206             goto fail;
207         }
208     }
209
210     return 0;
211 fail:
212     tls_close(h);
213     return ret;
214 }
215
216 static int tls_read(URLContext *h, uint8_t *buf, int size)
217 {
218     TLSContext *c = h->priv_data;
219     int ret = gnutls_record_recv(c->session, buf, size);
220     if (ret > 0)
221         return ret;
222     if (ret == 0)
223         return AVERROR_EOF;
224     return print_tls_error(h, ret);
225 }
226
227 static int tls_write(URLContext *h, const uint8_t *buf, int size)
228 {
229     TLSContext *c = h->priv_data;
230     int ret = gnutls_record_send(c->session, buf, size);
231     if (ret > 0)
232         return ret;
233     if (ret == 0)
234         return AVERROR_EOF;
235     return print_tls_error(h, ret);
236 }
237
238 static int tls_get_file_handle(URLContext *h)
239 {
240     TLSContext *c = h->priv_data;
241     return ffurl_get_file_handle(c->tls_shared.tcp);
242 }
243
244 static const AVOption options[] = {
245     TLS_COMMON_OPTIONS(TLSContext, tls_shared),
246     { NULL }
247 };
248
249 static const AVClass tls_class = {
250     .class_name = "tls",
251     .item_name  = av_default_item_name,
252     .option     = options,
253     .version    = LIBAVUTIL_VERSION_INT,
254 };
255
256 const URLProtocol ff_tls_gnutls_protocol = {
257     .name           = "tls",
258     .url_open2      = tls_open,
259     .url_read       = tls_read,
260     .url_write      = tls_write,
261     .url_close      = tls_close,
262     .url_get_file_handle = tls_get_file_handle,
263     .priv_data_size = sizeof(TLSContext),
264     .flags          = URL_PROTOCOL_FLAG_NETWORK,
265     .priv_data_class = &tls_class,
266 };
267
1	/*
2	* TLS/SSL Protocol
3	* Copyright (c) 2011 Martin Storsjo
4	*
5	* This file is part of FFmpeg.
6	*
7	* FFmpeg is free software; you can redistribute it and/or
8	* modify it under the terms of the GNU Lesser General Public
9	* License as published by the Free Software Foundation; either
10	* version 2.1 of the License, or (at your option) any later version.
11	*
12	* FFmpeg is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15	* Lesser General Public License for more details.
16	*
17	* You should have received a copy of the GNU Lesser General Public
18	* License along with FFmpeg; if not, write to the Free Software
19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20	*/
21
22	#include <errno.h>
23
24	#include <gnutls/gnutls.h>
25	#include <gnutls/x509.h>
26
27	#include "avformat.h"
28	#include "internal.h"
29	#include "network.h"
30	#include "os_support.h"
31	#include "url.h"
32	#include "tls.h"
33	#include "libavcodec/internal.h"
34	#include "libavutil/avstring.h"
35	#include "libavutil/opt.h"
36	#include "libavutil/parseutils.h"
37
38	#if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
39	#include <gcrypt.h>
40	#include "libavutil/thread.h"
41	GCRY_THREAD_OPTION_PTHREAD_IMPL;
42	#endif
43
44	typedef struct TLSContext {
45	const AVClass *class;
46	TLSShared tls_shared;
47	gnutls_session_t session;
48	gnutls_certificate_credentials_t cred;
49	int need_shutdown;
50	} TLSContext;
51
52	void ff_gnutls_init(void)
53	{
54	avpriv_lock_avformat();
55	#if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
56	if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
57	gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
58	#endif
59	gnutls_global_init();
60	avpriv_unlock_avformat();
61	}
62
63	void ff_gnutls_deinit(void)
64	{
65	avpriv_lock_avformat();
66	gnutls_global_deinit();
67	avpriv_unlock_avformat();
68	}
69
70	static int print_tls_error(URLContext *h, int ret)
71	{
72	switch (ret) {
73	case GNUTLS_E_AGAIN:
74	case GNUTLS_E_INTERRUPTED:
75	break;
76	case GNUTLS_E_WARNING_ALERT_RECEIVED:
77	av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
78	break;
79	default:
80	av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
81	break;
82	}
83	return AVERROR(EIO);
84	}
85
86	static int tls_close(URLContext *h)
87	{
88	TLSContext *c = h->priv_data;
89	if (c->need_shutdown)
90	gnutls_bye(c->session, GNUTLS_SHUT_WR);
91	if (c->session)
92	gnutls_deinit(c->session);
93	if (c->cred)
94	gnutls_certificate_free_credentials(c->cred);
95	if (c->tls_shared.tcp)
96	ffurl_close(c->tls_shared.tcp);
97	ff_gnutls_deinit();
98	return 0;
99	}
100
101	static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
102	void *buf, size_t len)
103	{
104	URLContext h = (URLContext) transport;
105	int ret = ffurl_read(h, buf, len);
106	if (ret >= 0)
107	return ret;
108	if (ret == AVERROR_EXIT)
109	return 0;
110	errno = EIO;
111	return -1;
112	}
113
114	static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
115	const void *buf, size_t len)
116	{
117	URLContext h = (URLContext) transport;
118	int ret = ffurl_write(h, buf, len);
119	if (ret >= 0)
120	return ret;
121	if (ret == AVERROR_EXIT)
122	return 0;
123	errno = EIO;
124	return -1;
125	}
126
127	static int tls_open(URLContext h, const char uri, int flags, AVDictionary **options)
128	{
129	TLSContext *p = h->priv_data;
130	TLSShared *c = &p->tls_shared;
131	int ret;
132
133	ff_gnutls_init();
134
135	if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
136	goto fail;
137
138	gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
139	if (!c->listen && !c->numerichost)
140	gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));
141	gnutls_certificate_allocate_credentials(&p->cred);
142	if (c->ca_file) {
143	ret = gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
144	if (ret < 0)
145	av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
146	}
147	#if GNUTLS_VERSION_NUMBER >= 0x030020
148	else
149	gnutls_certificate_set_x509_system_trust(p->cred);
150	#endif
151	gnutls_certificate_set_verify_flags(p->cred, c->verify ?
152	GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
153	if (c->cert_file && c->key_file) {
154	ret = gnutls_certificate_set_x509_key_file(p->cred,
155	c->cert_file, c->key_file,
156	GNUTLS_X509_FMT_PEM);
157	if (ret < 0) {
158	av_log(h, AV_LOG_ERROR,
159	"Unable to set cert/key files %s and %s: %s\n",
160	c->cert_file, c->key_file, gnutls_strerror(ret));
161	ret = AVERROR(EIO);
162	goto fail;
163	}
164	} else if (c->cert_file \|\| c->key_file)
165	av_log(h, AV_LOG_ERROR, "cert and key required\n");
166	gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
167	gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
168	gnutls_transport_set_push_function(p->session, gnutls_url_push);
169	gnutls_transport_set_ptr(p->session, c->tcp);
170	gnutls_priority_set_direct(p->session, "NORMAL", NULL);
171	ret = gnutls_handshake(p->session);
172	if (ret) {
173	ret = print_tls_error(h, ret);
174	goto fail;
175	}
176	p->need_shutdown = 1;
177	if (c->verify) {
178	unsigned int status, cert_list_size;
179	gnutls_x509_crt_t cert;
180	const gnutls_datum_t *cert_list;
181	if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {
182	av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
183	gnutls_strerror(ret));
184	ret = AVERROR(EIO);
185	goto fail;
186	}
187	if (status & GNUTLS_CERT_INVALID) {
188	av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
189	ret = AVERROR(EIO);
190	goto fail;
191	}
192	if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
193	av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
194	ret = AVERROR(EIO);
195	goto fail;
196	}
197	gnutls_x509_crt_init(&cert);
198	cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
199	gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
200	ret = gnutls_x509_crt_check_hostname(cert, c->host);
201	gnutls_x509_crt_deinit(cert);
202	if (!ret) {
203	av_log(h, AV_LOG_ERROR,
204	"The certificate's owner does not match hostname %s\n", c->host);
205	ret = AVERROR(EIO);
206	goto fail;
207	}
208	}
209
210	return 0;
211	fail:
212	tls_close(h);
213	return ret;
214	}
215
216	static int tls_read(URLContext h, uint8_t buf, int size)
217	{
218	TLSContext *c = h->priv_data;
219	int ret = gnutls_record_recv(c->session, buf, size);
220	if (ret > 0)
221	return ret;
222	if (ret == 0)
223	return AVERROR_EOF;
224	return print_tls_error(h, ret);
225	}
226
227	static int tls_write(URLContext h, const uint8_t buf, int size)
228	{
229	TLSContext *c = h->priv_data;
230	int ret = gnutls_record_send(c->session, buf, size);
231	if (ret > 0)
232	return ret;
233	if (ret == 0)
234	return AVERROR_EOF;
235	return print_tls_error(h, ret);
236	}
237
238	static int tls_get_file_handle(URLContext *h)
239	{
240	TLSContext *c = h->priv_data;
241	return ffurl_get_file_handle(c->tls_shared.tcp);
242	}
243
244	static const AVOption options[] = {
245	TLS_COMMON_OPTIONS(TLSContext, tls_shared),
246	{ NULL }
247	};
248
249	static const AVClass tls_class = {
250	.class_name = "tls",
251	.item_name = av_default_item_name,
252	.option = options,
253	.version = LIBAVUTIL_VERSION_INT,
254	};
255
256	const URLProtocol ff_tls_gnutls_protocol = {
257	.name = "tls",
258	.url_open2 = tls_open,
259	.url_read = tls_read,
260	.url_write = tls_write,
261	.url_close = tls_close,
262	.url_get_file_handle = tls_get_file_handle,
263	.priv_data_size = sizeof(TLSContext),
264	.flags = URL_PROTOCOL_FLAG_NETWORK,
265	.priv_data_class = &tls_class,
266	};
267