falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45126 Commits
32 Branches
293MB
Tree: 35ed7f93db
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '35ed7f93db'
${ noResults }
FFmpeg/libavformat/tls_mbedtls.c

353 lines
12KB
Raw Blame History 

  1. /*

  2.  * TLS/SSL Protocol

  3.  * Copyright (c) 2018 Thomas Volkert

  4.  *

  5.  * This file is part of Libav.

  6.  *

  7.  * Libav is free software; you can redistribute it and/or

  8.  * modify it under the terms of the GNU Lesser General Public

  9.  * License as published by the Free Software Foundation; either

  10.  * version 2.1 of the License, or (at your option) any later version.

  11.  *

  12.  * Libav is distributed in the hope that it will be useful,

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  15.  * Lesser General Public License for more details.

  16.  *

  17.  * You should have received a copy of the GNU Lesser General Public

  18.  * License along with Libav; if not, write to the Free Software

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

  20.  */

  21. 

  22. #include <mbedtls/certs.h>

  23. #include <mbedtls/config.h>

  24. #include <mbedtls/ctr_drbg.h>

  25. #include <mbedtls/entropy.h>

  26. #include <mbedtls/net_sockets.h>

  27. #include <mbedtls/platform.h>

  28. #include <mbedtls/ssl.h>

  29. #include <mbedtls/x509_crt.h>

  30. 

  31. #include "libavutil/parseutils.h"

  32. 

  33. #include "avformat.h"

  34. #include "internal.h"

  35. #include "tls.h"

  36. #include "url.h"

  37. 

  38. typedef struct TLSContext {

  39.     const AVClass *class;

  40.     TLSShared tls_shared;

  41.     mbedtls_ssl_context ssl_context;

  42.     mbedtls_ssl_config ssl_config;

  43.     mbedtls_entropy_context entropy_context;

  44.     mbedtls_ctr_drbg_context ctr_drbg_context;

  45.     mbedtls_x509_crt ca_cert;

  46.     mbedtls_x509_crt own_cert;

  47.     mbedtls_pk_context priv_key;

  48.     char *priv_key_pw;

  49. } TLSContext;

  50. 

  51. #define OFFSET(x) offsetof(TLSContext, x)

  52. 

  53. static int tls_close(URLContext *h)

  54. {

  55.     TLSContext *tls_ctx = h->priv_data;

  56. 

  57.     mbedtls_ssl_close_notify(&tls_ctx->ssl_context);

  58.     mbedtls_pk_free(&tls_ctx->priv_key);

  59.     mbedtls_x509_crt_free(&tls_ctx->ca_cert);

  60.     mbedtls_x509_crt_free(&tls_ctx->own_cert);

  61.     mbedtls_ssl_free(&tls_ctx->ssl_context);

  62.     mbedtls_ssl_config_free(&tls_ctx->ssl_config);

  63.     mbedtls_ctr_drbg_free(&tls_ctx->ctr_drbg_context);

  64.     mbedtls_entropy_free(&tls_ctx->entropy_context);

  65. 

  66.     return 0;

  67. }

  68. 

  69. static int handle_transport_error(URLContext *h, const char* func_name, int react_on_eagain, int ret)

  70. {

  71.     switch (ret) {

  72.     case AVERROR(EAGAIN):

  73.         return react_on_eagain;

  74.     case AVERROR_EXIT:

  75.         return 0;

  76.     case AVERROR(EPIPE):

  77.     case AVERROR(ECONNRESET):

  78.         return MBEDTLS_ERR_NET_CONN_RESET;

  79.     default:

  80.         av_log(h, AV_LOG_ERROR, "%s returned 0x%x\n", func_name, ret);

  81.         errno = EIO;

  82.         return MBEDTLS_ERR_NET_SEND_FAILED;

  83.     }

  84. }

  85. 

  86. static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len)

  87. {

  88.     URLContext *h = (URLContext*) ctx;

  89.     int ret = ffurl_write(h, buf, len);

  90.     if (ret >= 0)

  91.         return ret;

  92. 

  93.     if (h->max_packet_size && len > h->max_packet_size)

  94.         return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;

  95. 

  96.     return handle_transport_error(h, "ffurl_write", MBEDTLS_ERR_SSL_WANT_WRITE, ret);

  97. }

  98. 

  99. static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)

  100. {

  101.     URLContext *h = ctx;

  102.     int ret = ffurl_read(h, buf, len);

  103.     if (ret >= 0)

  104.         return ret;

  105. 

  106.     if (h->max_packet_size && len > h->max_packet_size)

  107.         return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;

  108. 

  109.     return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);

  110. }

  111. 

  112. static void handle_pk_parse_error(URLContext *h, int ret)

  113. {

  114.     switch (ret) {

  115.     case MBEDTLS_ERR_PK_FILE_IO_ERROR:

  116.         av_log(h, AV_LOG_ERROR, "Read of key file failed. Is it actually there, are the access permissions correct?\n");

  117.         break;

  118.     case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:

  119.         av_log(h, AV_LOG_ERROR, "A password for the private key is missing.\n");

  120.         break;

  121.     case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:

  122.         av_log(h, AV_LOG_ERROR, "The given password for the private key is wrong.\n");

  123.         break;

  124.     default:

  125.         av_log(h, AV_LOG_ERROR, "mbedtls_pk_parse_key returned -0x%x\n", -ret);

  126.         break;

  127.     }

  128. }

  129. 

  130. static void handle_handshake_error(URLContext *h, int ret)

  131. {

  132.     switch (ret) {

  133.     case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:

  134.         av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate set correctly?\n");

  135.         break;

  136.     case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:

  137.         av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer. Does the peer have a correct certificate?\n");

  138.         break;

  139.     case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:

  140.         av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA set correctly?\n");

  141.         break;

  142.     case MBEDTLS_ERR_NET_CONN_RESET:

  143.         av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");

  144.         break;

  145.     default:

  146.         av_log(h, AV_LOG_ERROR, "mbedtls_ssl_handshake returned -0x%x\n", -ret);

  147.         break;

  148.     }

  149. }

  150. 

  151. static void parse_options(TLSContext *tls_ctxc, const char *uri)

  152. {

  153.     char buf[1024];

  154.     const char *p = strchr(uri, '?');

  155.     if (!p)

  156.         return;

  157. 

  158.     if (!tls_ctxc->priv_key_pw && av_find_info_tag(buf, sizeof(buf), "key_password", p))

  159.         tls_ctxc->priv_key_pw = av_strdup(buf);

  160. }

  161. 

  162. static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)

  163. {

  164.     TLSContext *tls_ctx = h->priv_data;

  165.     TLSShared *shr = &tls_ctx->tls_shared;

  166.     uint32_t verify_res_flags;

  167.     int ret;

  168. 

  169.     // parse additional options

  170.     parse_options(tls_ctx, uri);

  171. 

  172.     if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0)

  173.         goto fail;

  174. 

  175.     mbedtls_ssl_init(&tls_ctx->ssl_context);

  176.     mbedtls_ssl_config_init(&tls_ctx->ssl_config);

  177.     mbedtls_entropy_init(&tls_ctx->entropy_context);

  178.     mbedtls_ctr_drbg_init(&tls_ctx->ctr_drbg_context);

  179.     mbedtls_x509_crt_init(&tls_ctx->ca_cert);

  180.     mbedtls_pk_init(&tls_ctx->priv_key);

  181. 

  182.     // load trusted CA

  183.     if (shr->ca_file) {

  184.         if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) {

  185.             av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for CA cert returned %d\n", ret);

  186.             goto fail;

  187.         }

  188.     }

  189. 

  190.     // load own certificate

  191.     if (shr->cert_file) {

  192.         if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->own_cert, shr->cert_file)) != 0) {

  193.             av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for own cert returned %d\n", ret);

  194.             goto fail;

  195.         }

  196.     }

  197. 

  198.     // load key file

  199.     if (shr->key_file) {

  200.         if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,

  201.                                             shr->key_file,

  202.                                             tls_ctx->priv_key_pw)) != 0) {

  203.             handle_pk_parse_error(h, ret);

  204.             goto fail;

  205.         }

  206.     }

  207. 

  208.     // seed the random number generator

  209.     if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context,

  210.                                      mbedtls_entropy_func,

  211.                                      &tls_ctx->entropy_context,

  212.                                      NULL, 0)) != 0) {

  213.         av_log(h, AV_LOG_ERROR, "mbedtls_ctr_drbg_seed returned %d\n", ret);

  214.         goto fail;

  215.     }

  216. 

  217.     if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config,

  218.                                            shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,

  219.                                            MBEDTLS_SSL_TRANSPORT_STREAM,

  220.                                            MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {

  221.         av_log(h, AV_LOG_ERROR, "mbedtls_ssl_config_defaults returned %d\n", ret);

  222.         goto fail;

  223.     }

  224. 

  225.     mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,

  226.                               shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);

  227.     mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);

  228.     mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);

  229. 

  230.     // set own certificate and private key

  231.     if ((ret = mbedtls_ssl_conf_own_cert(&tls_ctx->ssl_config, &tls_ctx->own_cert, &tls_ctx->priv_key)) != 0) {

  232.         av_log(h, AV_LOG_ERROR, "mbedtls_ssl_conf_own_cert returned %d\n", ret);

  233.         goto fail;

  234.     }

  235. 

  236.     if ((ret = mbedtls_ssl_setup(&tls_ctx->ssl_context, &tls_ctx->ssl_config)) != 0) {

  237.         av_log(h, AV_LOG_ERROR, "mbedtls_ssl_setup returned %d\n", ret);

  238.         goto fail;

  239.     }

  240. 

  241.     if (!shr->listen && !shr->numerichost) {

  242.         if ((ret = mbedtls_ssl_set_hostname(&tls_ctx->ssl_context, shr->host)) != 0) {

  243.             av_log(h, AV_LOG_ERROR, "mbedtls_ssl_set_hostname returned %d\n", ret);

  244.             goto fail;

  245.         }

  246.     }

  247. 

  248.     // set I/O functions to use libavformat-internal code for transport layer

  249.     mbedtls_ssl_set_bio(&tls_ctx->ssl_context, shr->tcp, mbedtls_send, mbedtls_recv, NULL);

  250. 

  251.     // ssl handshake

  252.     while ((ret = mbedtls_ssl_handshake(&tls_ctx->ssl_context)) != 0) {

  253.         if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {

  254.             handle_handshake_error(h, ret);

  255.             goto fail;

  256.         }

  257.     }

  258. 

  259.     if (shr->verify) {

  260.         // check the result of the certificate verification

  261.         if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->ssl_context)) != 0) {

  262.             av_log(h, AV_LOG_ERROR, "mbedtls_ssl_get_verify_result reported problems "\

  263.                                     "with the certificate verification, returned flags: %u\n",

  264.                                     verify_res_flags);

  265.             if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)

  266.                 av_log(h, AV_LOG_ERROR, "The certificate is not correctly signed by the trusted CA.\n");

  267.             goto fail;

  268.         }

  269.     }

  270. 

  271.     return 0;

  272. 

  273. fail:

  274.     tls_close(h);

  275.     return AVERROR(EIO);

  276. }

  277. 

  278. static int handle_tls_error(URLContext *h, const char *func_name, int ret)

  279. {

  280.     switch (ret) {

  281.     case MBEDTLS_ERR_SSL_WANT_READ:

  282.     case MBEDTLS_ERR_SSL_WANT_WRITE:

  283.         return AVERROR(EAGAIN);

  284.     case MBEDTLS_ERR_NET_SEND_FAILED:

  285.     case MBEDTLS_ERR_NET_RECV_FAILED:

  286.         return AVERROR(EIO);

  287.     case MBEDTLS_ERR_NET_CONN_RESET:

  288.     case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:

  289.         av_log(h, AV_LOG_WARNING, "%s reported connection reset by peer\n", func_name);

  290.         return AVERROR_EOF;

  291.     default:

  292.         av_log(h, AV_LOG_ERROR, "%s returned -0x%x\n", func_name, -ret);

  293.         return AVERROR(EIO);

  294.     }

  295. }

  296. 

  297. static int tls_read(URLContext *h, uint8_t *buf, int size)

  298. {

  299.     TLSContext *tls_ctx = h->priv_data;

  300.     int ret;

  301. 

  302.     if ((ret = mbedtls_ssl_read(&tls_ctx->ssl_context, buf, size)) > 0) {

  303.         // return read length

  304.         return ret;

  305.     }

  306. 

  307.     return handle_tls_error(h, "mbedtls_ssl_read", ret);

  308. }

  309. 

  310. static int tls_write(URLContext *h, const uint8_t *buf, int size)

  311. {

  312.     TLSContext *tls_ctx = h->priv_data;

  313.     int ret;

  314. 

  315.     if ((ret = mbedtls_ssl_write(&tls_ctx->ssl_context, buf, size)) > 0) {

  316.         // return written length

  317.         return ret;

  318.     }

  319. 

  320.     return handle_tls_error(h, "mbedtls_ssl_write", ret);

  321. }

  322. 

  323. static int tls_get_file_handle(URLContext *h)

  324. {

  325.     TLSContext *c = h->priv_data;

  326.     return ffurl_get_file_handle(c->tls_shared.tcp);

  327. }

  328. 

  329. static const AVOption options[] = {

  330.     TLS_COMMON_OPTIONS(TLSContext, tls_shared), \

  331.     { "key_password", "Password for the private key file", OFFSET(priv_key_pw),  AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \

  332.     { NULL }

  333. };

  334. 

  335. static const AVClass tls_class = {

  336.     .class_name = "tls",

  337.     .item_name  = av_default_item_name,

  338.     .option     = options,

  339.     .version    = LIBAVUTIL_VERSION_INT,

  340. };

  341. 

  342. const URLProtocol ff_tls_protocol = {

  343.     .name                = "tls",

  344.     .url_open2           = tls_open,

  345.     .url_read            = tls_read,

  346.     .url_write           = tls_write,

  347.     .url_close           = tls_close,

  348.     .url_get_file_handle = tls_get_file_handle,

  349.     .priv_data_size      = sizeof(TLSContext),

  350.     .flags               = URL_PROTOCOL_FLAG_NETWORK,

  351.     .priv_data_class     = &tls_class,

  352. };