Libav
tls_openssl.c
Go to the documentation of this file.
1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of Libav.
6  *
7  * Libav is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * Libav is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with Libav; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include "avformat.h"
23 #include "internal.h"
24 #include "network.h"
25 #include "os_support.h"
26 #include "url.h"
27 #include "tls.h"
28 #include "libavcodec/internal.h"
29 #include "libavutil/avstring.h"
30 #include "libavutil/avutil.h"
31 #include "libavutil/opt.h"
32 #include "libavutil/parseutils.h"
33 #include "libavutil/thread.h"
34 
35 #include <openssl/bio.h>
36 #include <openssl/ssl.h>
37 #include <openssl/err.h>
38 
39 static int openssl_init;
40 
41 typedef struct TLSContext {
42  const AVClass *class;
44  SSL_CTX *ctx;
45  SSL *ssl;
46 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
47  BIO_METHOD* url_bio_method;
48 #endif
49 } TLSContext;
50 
51 #if HAVE_THREADS
52 #include <openssl/crypto.h>
53 pthread_mutex_t *openssl_mutexes;
54 static void openssl_lock(int mode, int type, const char *file, int line)
55 {
56  if (mode & CRYPTO_LOCK)
57  pthread_mutex_lock(&openssl_mutexes[type]);
58  else
59  pthread_mutex_unlock(&openssl_mutexes[type]);
60 }
61 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
62 static unsigned long openssl_thread_id(void)
63 {
64  return (intptr_t) pthread_self();
65 }
66 #endif
67 #endif
68 
69 void ff_openssl_init(void)
70 {
72  if (!openssl_init) {
73  SSL_library_init();
74  SSL_load_error_strings();
75 #if HAVE_THREADS
76  if (!CRYPTO_get_locking_callback()) {
77  int i;
78  openssl_mutexes = av_malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
79  for (i = 0; i < CRYPTO_num_locks(); i++)
80  pthread_mutex_init(&openssl_mutexes[i], NULL);
81  CRYPTO_set_locking_callback(openssl_lock);
82 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
83  CRYPTO_set_id_callback(openssl_thread_id);
84 #endif
85  }
86 #endif
87  }
88  openssl_init++;
90 }
91 
93 {
95  openssl_init--;
96  if (!openssl_init) {
97 #if HAVE_THREADS
98  if (CRYPTO_get_locking_callback() == openssl_lock) {
99  int i;
100  CRYPTO_set_locking_callback(NULL);
101  for (i = 0; i < CRYPTO_num_locks(); i++)
102  pthread_mutex_destroy(&openssl_mutexes[i]);
103  av_free(openssl_mutexes);
104  }
105 #endif
106  }
108 }
109 
110 static int print_tls_error(URLContext *h, int ret)
111 {
112  av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
113  return AVERROR(EIO);
114 }
115 
116 static int tls_close(URLContext *h)
117 {
118  TLSContext *c = h->priv_data;
119  if (c->ssl) {
120  SSL_shutdown(c->ssl);
121  SSL_free(c->ssl);
122  }
123  if (c->ctx)
124  SSL_CTX_free(c->ctx);
125  if (c->tls_shared.tcp)
127 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
128  if (c->url_bio_method)
129  BIO_meth_free(c->url_bio_method);
130 #endif
132  return 0;
133 }
134 
135 static int url_bio_create(BIO *b)
136 {
137 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
138  BIO_set_init(b, 1);
139  BIO_set_data(b, NULL);
140  BIO_set_flags(b, 0);
141 #else
142  b->init = 1;
143  b->ptr = NULL;
144  b->flags = 0;
145 #endif
146  return 1;
147 }
148 
149 static int url_bio_destroy(BIO *b)
150 {
151  return 1;
152 }
153 
154 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
155 #define GET_BIO_DATA(x) BIO_get_data(x)
156 #else
157 #define GET_BIO_DATA(x) (x)->ptr
158 #endif
159 
160 static int url_bio_bread(BIO *b, char *buf, int len)
161 {
162  URLContext *h = GET_BIO_DATA(b);
163  int ret = ffurl_read(h, buf, len);
164  if (ret >= 0)
165  return ret;
166  BIO_clear_retry_flags(b);
167  if (ret == AVERROR_EXIT)
168  return 0;
169  return -1;
170 }
171 
172 static int url_bio_bwrite(BIO *b, const char *buf, int len)
173 {
174  URLContext *h = GET_BIO_DATA(b);
175  int ret = ffurl_write(h, buf, len);
176  if (ret >= 0)
177  return ret;
178  BIO_clear_retry_flags(b);
179  if (ret == AVERROR_EXIT)
180  return 0;
181  return -1;
182 }
183 
184 static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr)
185 {
186  if (cmd == BIO_CTRL_FLUSH) {
187  BIO_clear_retry_flags(b);
188  return 1;
189  }
190  return 0;
191 }
192 
193 static int url_bio_bputs(BIO *b, const char *str)
194 {
195  return url_bio_bwrite(b, str, strlen(str));
196 }
197 
198 #if OPENSSL_VERSION_NUMBER < 0x1010000fL
199 static BIO_METHOD url_bio_method = {
200  .type = BIO_TYPE_SOURCE_SINK,
201  .name = "urlprotocol bio",
202  .bwrite = url_bio_bwrite,
203  .bread = url_bio_bread,
204  .bputs = url_bio_bputs,
205  .bgets = NULL,
206  .ctrl = url_bio_ctrl,
207  .create = url_bio_create,
208  .destroy = url_bio_destroy,
209 };
210 #endif
211 
212 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
213 {
214  TLSContext *p = h->priv_data;
215  TLSShared *c = &p->tls_shared;
216  BIO *bio;
217  int ret;
218 
219  ff_openssl_init();
220 
221  if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
222  goto fail;
223 
224  p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method());
225  if (!p->ctx) {
226  av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
227  ret = AVERROR(EIO);
228  goto fail;
229  }
230  if (c->ca_file)
231  SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL);
232  if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {
233  av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n",
234  c->cert_file, ERR_error_string(ERR_get_error(), NULL));
235  ret = AVERROR(EIO);
236  goto fail;
237  }
238  if (c->key_file && !SSL_CTX_use_PrivateKey_file(p->ctx, c->key_file, SSL_FILETYPE_PEM)) {
239  av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n",
240  c->key_file, ERR_error_string(ERR_get_error(), NULL));
241  ret = AVERROR(EIO);
242  goto fail;
243  }
244  // Note, this doesn't check that the peer certificate actually matches
245  // the requested hostname.
246  if (c->verify)
247  SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER, NULL);
248  p->ssl = SSL_new(p->ctx);
249  if (!p->ssl) {
250  av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
251  ret = AVERROR(EIO);
252  goto fail;
253  }
254 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
255  p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
256  BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
257  BIO_meth_set_read(p->url_bio_method, url_bio_bread);
258  BIO_meth_set_puts(p->url_bio_method, url_bio_bputs);
259  BIO_meth_set_ctrl(p->url_bio_method, url_bio_ctrl);
260  BIO_meth_set_create(p->url_bio_method, url_bio_create);
261  BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
262  bio = BIO_new(p->url_bio_method);
263  BIO_set_data(bio, c->tcp);
264 #else
265  bio = BIO_new(&url_bio_method);
266  bio->ptr = c->tcp;
267 #endif
268  SSL_set_bio(p->ssl, bio, bio);
269  if (!c->listen && !c->numerichost)
270  SSL_set_tlsext_host_name(p->ssl, c->host);
271  ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
272  if (ret == 0) {
273  av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
274  ret = AVERROR(EIO);
275  goto fail;
276  } else if (ret < 0) {
277  ret = print_tls_error(h, ret);
278  goto fail;
279  }
280 
281  return 0;
282 fail:
283  tls_close(h);
284  return ret;
285 }
286 
287 static int tls_read(URLContext *h, uint8_t *buf, int size)
288 {
289  TLSContext *c = h->priv_data;
290  int ret = SSL_read(c->ssl, buf, size);
291  if (ret > 0)
292  return ret;
293  if (ret == 0)
294  return AVERROR_EOF;
295  return print_tls_error(h, ret);
296 }
297 
298 static int tls_write(URLContext *h, const uint8_t *buf, int size)
299 {
300  TLSContext *c = h->priv_data;
301  int ret = SSL_write(c->ssl, buf, size);
302  if (ret > 0)
303  return ret;
304  if (ret == 0)
305  return AVERROR_EOF;
306  return print_tls_error(h, ret);
307 }
308 
309 static const AVOption options[] = {
311  { NULL }
312 };
313 
314 static const AVClass tls_class = {
315  .class_name = "tls",
316  .item_name = av_default_item_name,
317  .option = options,
318  .version = LIBAVUTIL_VERSION_INT,
319 };
320 
322  .name = "tls",
323  .url_open2 = tls_open,
324  .url_read = tls_read,
325  .url_write = tls_write,
326  .url_close = tls_close,
327  .priv_data_size = sizeof(TLSContext),
329  .priv_data_class = &tls_class,
330 };
void * av_malloc(size_t size)
Allocate a block of size bytes with alignment suitable for all memory accesses (including vectors if ...
Definition: mem.c:62
int size
static int openssl_init
Definition: tls_openssl.c:39
#define URL_PROTOCOL_FLAG_NETWORK
Definition: url.h:34
int avpriv_unlock_avformat(void)
Definition: utils.c:2638
AVOption.
Definition: opt.h:234
int verify
Definition: tls.h:33
int ffurl_write(URLContext *h, const unsigned char *buf, int size)
Write size bytes from buf to the resource accessed by h.
Definition: avio.c:257
static int url_bio_bwrite(BIO *b, const char *buf, int len)
Definition: tls_openssl.c:172
av_log(ac->avr, AV_LOG_TRACE, "%d samples - audio_convert: %s to %s (%s)\, len, av_get_sample_fmt_name(ac->in_fmt), av_get_sample_fmt_name(ac->out_fmt), use_generic ? ac->func_descr_generic :ac->func_descr)
external API header
int listen
Definition: tls.h:36
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
Definition: log.h:39
static int url_bio_bread(BIO *b, char *buf, int len)
Definition: tls_openssl.c:160
uint8_t
AVOptions.
miscellaneous OS support macros and functions.
static int url_bio_bputs(BIO *b, const char *str)
Definition: tls_openssl.c:193
#define b
Definition: input.c:52
CRITICAL_SECTION pthread_mutex_t
Definition: w32pthreads.h:60
char host[200]
Definition: tls.h:38
const URLProtocol ff_tls_openssl_protocol
Definition: tls_openssl.c:321
#define GET_BIO_DATA(x)
Definition: tls_openssl.c:157
Definition: tls.h:31
static int flags
Definition: log.c:50
#define AVERROR_EOF
End of file.
Definition: error.h:51
SSL * ssl
Definition: tls_openssl.c:45
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
Definition: log.h:124
void av_free(void *ptr)
Free a memory block which has been allocated with av_malloc(z)() or av_realloc(). ...
Definition: mem.c:190
#define AVERROR(e)
Definition: error.h:43
static int pthread_mutex_init(pthread_mutex_t *m, void *attr)
Definition: w32pthreads.h:104
static int pthread_mutex_unlock(pthread_mutex_t *m)
Definition: w32pthreads.h:119
void ff_openssl_init(void)
Definition: tls_openssl.c:69
Definition: graph2dot.c:48
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_openssl.c:212
int avpriv_lock_avformat(void)
Definition: utils.c:2629
#define fail()
Definition: checkasm.h:80
static const AVOption options[]
Definition: tls_openssl.c:309
static int pthread_mutex_destroy(pthread_mutex_t *m)
Definition: w32pthreads.h:109
void ff_openssl_deinit(void)
Definition: tls_openssl.c:92
static const AVClass tls_class
Definition: tls_openssl.c:314
#define TLS_COMMON_OPTIONS(pstruct, options_field)
Definition: tls.h:45
char * cert_file
Definition: tls.h:34
static int tls_write(URLContext *h, const uint8_t *buf, int size)
Definition: tls_openssl.c:298
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
Definition: error.h:52
LIBAVUTIL_VERSION_INT
Definition: eval.c:55
char * ca_file
Definition: tls.h:32
static int url_bio_destroy(BIO *b)
Definition: tls_openssl.c:149
NULL
Definition: eval.c:55
static int pthread_mutex_lock(pthread_mutex_t *m)
Definition: w32pthreads.h:114
static int print_tls_error(URLContext *h, int ret)
Definition: tls_openssl.c:110
SSL_CTX * ctx
Definition: tls_openssl.c:44
av_default_item_name
Definition: dnxhdenc.c:55
TLSShared tls_shared
Definition: tls_gnutls.c:46
Definition: url.h:38
static int tls_read(URLContext *h, uint8_t *buf, int size)
Definition: tls_openssl.c:287
Describe the class of an AVClass context structure.
Definition: log.h:34
void * priv_data
Definition: url.h:45
static int tls_close(URLContext *h)
Definition: tls_openssl.c:116
misc parsing utilities
const char * name
Definition: url.h:56
int ffurl_close(URLContext *h)
Close the resource accessed by the URLContext h, and free the memory used by it.
Definition: avio.c:280
Main libavformat public API header.
common internal api header.
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
Definition: tls.c:32
URLContext * tcp
Definition: tls.h:41
static BIO_METHOD url_bio_method
Definition: tls_openssl.c:199
int numerichost
Definition: tls.h:39
static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr)
Definition: tls_openssl.c:184
int len
unbuffered private I/O API
int ffurl_read(URLContext *h, unsigned char *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf...
Definition: avio.c:243
char * key_file
Definition: tls.h:35
static int url_bio_create(BIO *b)
Definition: tls_openssl.c:135