Libav
tls_gnutls.c
Go to the documentation of this file.
1 /*
2  * TLS/SSL Protocol
3  * Copyright (c) 2011 Martin Storsjo
4  *
5  * This file is part of Libav.
6  *
7  * Libav is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * Libav is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with Libav; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include <errno.h>
23 
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26 
27 #include "avformat.h"
28 #include "internal.h"
29 #include "network.h"
30 #include "os_support.h"
31 #include "url.h"
32 #include "tls.h"
33 #include "libavcodec/internal.h"
34 #include "libavutil/avstring.h"
35 #include "libavutil/opt.h"
36 #include "libavutil/parseutils.h"
37 
38 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER <= 0x020b00
39 #include <gcrypt.h>
40 #include "libavutil/thread.h"
41 GCRY_THREAD_OPTION_PTHREAD_IMPL;
42 #endif
43 
44 typedef struct TLSContext {
45  const AVClass *class;
47  gnutls_session_t session;
48  gnutls_certificate_credentials_t cred;
50 } TLSContext;
51 
52 void ff_gnutls_init(void)
53 {
55 #if HAVE_THREADS && GNUTLS_VERSION_NUMBER < 0x020b00
56  if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0)
57  gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
58 #endif
59  gnutls_global_init();
61 }
62 
63 void ff_gnutls_deinit(void)
64 {
66  gnutls_global_deinit();
68 }
69 
70 static int print_tls_error(URLContext *h, int ret)
71 {
72  switch (ret) {
73  case GNUTLS_E_AGAIN:
74  case GNUTLS_E_INTERRUPTED:
75  break;
76  case GNUTLS_E_WARNING_ALERT_RECEIVED:
77  av_log(h, AV_LOG_WARNING, "%s\n", gnutls_strerror(ret));
78  break;
79  default:
80  av_log(h, AV_LOG_ERROR, "%s\n", gnutls_strerror(ret));
81  break;
82  }
83  return AVERROR(EIO);
84 }
85 
86 static int tls_close(URLContext *h)
87 {
88  TLSContext *c = h->priv_data;
89  if (c->need_shutdown)
90  gnutls_bye(c->session, GNUTLS_SHUT_WR);
91  if (c->session)
92  gnutls_deinit(c->session);
93  if (c->cred)
94  gnutls_certificate_free_credentials(c->cred);
95  if (c->tls_shared.tcp)
98  return 0;
99 }
100 
101 static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport,
102  void *buf, size_t len)
103 {
104  URLContext *h = (URLContext*) transport;
105  int ret = ffurl_read(h, buf, len);
106  if (ret >= 0)
107  return ret;
108  if (ret == AVERROR_EXIT)
109  return 0;
110  errno = EIO;
111  return -1;
112 }
113 
114 static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport,
115  const void *buf, size_t len)
116 {
117  URLContext *h = (URLContext*) transport;
118  int ret = ffurl_write(h, buf, len);
119  if (ret >= 0)
120  return ret;
121  if (ret == AVERROR_EXIT)
122  return 0;
123  errno = EIO;
124  return -1;
125 }
126 
127 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
128 {
129  TLSContext *p = h->priv_data;
130  TLSShared *c = &p->tls_shared;
131  int ret;
132 
133  ff_gnutls_init();
134 
135  if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
136  goto fail;
137 
138  gnutls_init(&p->session, c->listen ? GNUTLS_SERVER : GNUTLS_CLIENT);
139  if (!c->listen && !c->numerichost)
140  gnutls_server_name_set(p->session, GNUTLS_NAME_DNS, c->host, strlen(c->host));
141  gnutls_certificate_allocate_credentials(&p->cred);
142  if (c->ca_file)
143  gnutls_certificate_set_x509_trust_file(p->cred, c->ca_file, GNUTLS_X509_FMT_PEM);
144 #if GNUTLS_VERSION_MAJOR >= 3
145  else
146  gnutls_certificate_set_x509_system_trust(p->cred);
147 #endif
148  gnutls_certificate_set_verify_flags(p->cred, c->verify ?
149  GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT : 0);
150  if (c->cert_file && c->key_file) {
151  ret = gnutls_certificate_set_x509_key_file(p->cred,
152  c->cert_file, c->key_file,
153  GNUTLS_X509_FMT_PEM);
154  if (ret < 0) {
155  av_log(h, AV_LOG_ERROR,
156  "Unable to set cert/key files %s and %s: %s\n",
157  c->cert_file, c->key_file, gnutls_strerror(ret));
158  ret = AVERROR(EIO);
159  goto fail;
160  }
161  }
162  gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, p->cred);
163  gnutls_transport_set_pull_function(p->session, gnutls_url_pull);
164  gnutls_transport_set_push_function(p->session, gnutls_url_push);
165  gnutls_transport_set_ptr(p->session, c->tcp);
166  gnutls_priority_set_direct(p->session, "NORMAL", NULL);
167  ret = gnutls_handshake(p->session);
168  if (ret) {
169  ret = print_tls_error(h, ret);
170  goto fail;
171  }
172  p->need_shutdown = 1;
173  if (c->verify) {
174  unsigned int status, cert_list_size;
175  gnutls_x509_crt_t cert;
176  const gnutls_datum_t *cert_list;
177  if ((ret = gnutls_certificate_verify_peers2(p->session, &status)) < 0) {
178  av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
179  gnutls_strerror(ret));
180  ret = AVERROR(EIO);
181  goto fail;
182  }
183  if (status & GNUTLS_CERT_INVALID) {
184  av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
185  ret = AVERROR(EIO);
186  goto fail;
187  }
188  if (gnutls_certificate_type_get(p->session) != GNUTLS_CRT_X509) {
189  av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
190  ret = AVERROR(EIO);
191  goto fail;
192  }
193  gnutls_x509_crt_init(&cert);
194  cert_list = gnutls_certificate_get_peers(p->session, &cert_list_size);
195  gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
196  ret = gnutls_x509_crt_check_hostname(cert, c->host);
197  gnutls_x509_crt_deinit(cert);
198  if (!ret) {
199  av_log(h, AV_LOG_ERROR,
200  "The certificate's owner does not match hostname %s\n", c->host);
201  ret = AVERROR(EIO);
202  goto fail;
203  }
204  }
205 
206  return 0;
207 fail:
208  tls_close(h);
209  return ret;
210 }
211 
212 static int tls_read(URLContext *h, uint8_t *buf, int size)
213 {
214  TLSContext *c = h->priv_data;
215  int ret = gnutls_record_recv(c->session, buf, size);
216  if (ret > 0)
217  return ret;
218  if (ret == 0)
219  return AVERROR_EOF;
220  return print_tls_error(h, ret);
221 }
222 
223 static int tls_write(URLContext *h, const uint8_t *buf, int size)
224 {
225  TLSContext *c = h->priv_data;
226  int ret = gnutls_record_send(c->session, buf, size);
227  if (ret > 0)
228  return ret;
229  if (ret == 0)
230  return AVERROR_EOF;
231  return print_tls_error(h, ret);
232 }
233 
234 static const AVOption options[] = {
236  { NULL }
237 };
238 
239 static const AVClass tls_class = {
240  .class_name = "tls",
241  .item_name = av_default_item_name,
242  .option = options,
243  .version = LIBAVUTIL_VERSION_INT,
244 };
245 
247  .name = "tls",
248  .url_open2 = tls_open,
249  .url_read = tls_read,
250  .url_write = tls_write,
251  .url_close = tls_close,
252  .priv_data_size = sizeof(TLSContext),
254  .priv_data_class = &tls_class,
255 };
int size
#define URL_PROTOCOL_FLAG_NETWORK
Definition: url.h:34
int avpriv_unlock_avformat(void)
Definition: utils.c:2638
AVOption.
Definition: opt.h:234
int verify
Definition: tls.h:33
#define AV_LOG_WARNING
Something somehow does not look correct.
Definition: log.h:130
int ffurl_write(URLContext *h, const unsigned char *buf, int size)
Write size bytes from buf to the resource accessed by h.
Definition: avio.c:257
void ff_gnutls_deinit(void)
Definition: tls_gnutls.c:63
av_log(ac->avr, AV_LOG_TRACE, "%d samples - audio_convert: %s to %s (%s)\, len, av_get_sample_fmt_name(ac->in_fmt), av_get_sample_fmt_name(ac->out_fmt), use_generic ? ac->func_descr_generic :ac->func_descr)
int listen
Definition: tls.h:36
static ssize_t gnutls_url_push(gnutls_transport_ptr_t transport, const void *buf, size_t len)
Definition: tls_gnutls.c:114
static ssize_t gnutls_url_pull(gnutls_transport_ptr_t transport, void *buf, size_t len)
Definition: tls_gnutls.c:101
gnutls_certificate_credentials_t cred
Definition: tls_gnutls.c:48
const char * class_name
The name of the class; usually it is the same name as the context structure type to which the AVClass...
Definition: log.h:39
uint8_t
AVOptions.
miscellaneous OS support macros and functions.
static const AVClass tls_class
Definition: tls_gnutls.c:239
char host[200]
Definition: tls.h:38
Definition: tls.h:31
static int flags
Definition: log.c:50
#define AVERROR_EOF
End of file.
Definition: error.h:51
void ff_gnutls_init(void)
Definition: tls_gnutls.c:52
#define AV_LOG_ERROR
Something went wrong and cannot losslessly be recovered.
Definition: log.h:124
#define AVERROR(e)
Definition: error.h:43
static int tls_read(URLContext *h, uint8_t *buf, int size)
Definition: tls_gnutls.c:212
int avpriv_lock_avformat(void)
Definition: utils.c:2629
#define fail()
Definition: checkasm.h:80
#define TLS_COMMON_OPTIONS(pstruct, options_field)
Definition: tls.h:45
static int tls_close(URLContext *h)
Definition: tls_gnutls.c:86
char * cert_file
Definition: tls.h:34
gnutls_session_t session
Definition: tls_gnutls.c:47
#define AVERROR_EXIT
Immediate exit was requested; the called function should not be restarted.
Definition: error.h:52
LIBAVUTIL_VERSION_INT
Definition: eval.c:55
char * ca_file
Definition: tls.h:32
NULL
Definition: eval.c:55
av_default_item_name
Definition: dnxhdenc.c:55
TLSShared tls_shared
Definition: tls_gnutls.c:46
Definition: url.h:38
static int print_tls_error(URLContext *h, int ret)
Definition: tls_gnutls.c:70
Describe the class of an AVClass context structure.
Definition: log.h:34
void * priv_data
Definition: url.h:45
misc parsing utilities
const char * name
Definition: url.h:56
int ffurl_close(URLContext *h)
Close the resource accessed by the URLContext h, and free the memory used by it.
Definition: avio.c:280
Main libavformat public API header.
common internal api header.
int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options)
Definition: tls.c:32
URLContext * tcp
Definition: tls.h:41
int numerichost
Definition: tls.h:39
const URLProtocol ff_tls_gnutls_protocol
Definition: tls_gnutls.c:246
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
Definition: tls_gnutls.c:127
int len
static int tls_write(URLContext *h, const uint8_t *buf, int size)
Definition: tls_gnutls.c:223
int need_shutdown
Definition: tls_gnutls.c:49
unbuffered private I/O API
int ffurl_read(URLContext *h, unsigned char *buf, int size)
Read up to size bytes from the resource accessed by h, and store the read bytes in buf...
Definition: avio.c:243
char * key_file
Definition: tls.h:35
static const AVOption options[]
Definition: tls_gnutls.c:234