falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
90813 Commits
32 Branches
935MB
Tree: 62f5c9d68b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '62f5c9d68b'
${ noResults }
FFmpeg/libavformat/tls_mbedtls.c

352 lines
12KB
Raw Blame History 

  1. /*

  2.  * TLS/SSL Protocol

  3.  * Copyright (c) 2018 Thomas Volkert

  4.  *

  5.  * This file is part of FFmpeg.

  6.  *

  7.  * FFmpeg is free software; you can redistribute it and/or

  8.  * modify it under the terms of the GNU Lesser General Public

  9.  * License as published by the Free Software Foundation; either

  10.  * version 2.1 of the License, or (at your option) any later version.

  11.  *

  12.  * FFmpeg is distributed in the hope that it will be useful,

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  15.  * Lesser General Public License for more details.

  16.  *

  17.  * You should have received a copy of the GNU Lesser General Public

  18.  * License along with FFmpeg; if not, write to the Free Software

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

  20.  */

  21. 

  22. #include <mbedtls/certs.h>

  23. #include <mbedtls/config.h>

  24. #include <mbedtls/ctr_drbg.h>

  25. #include <mbedtls/entropy.h>

  26. #include <mbedtls/net.h>

  27. #include <mbedtls/platform.h>

  28. #include <mbedtls/ssl.h>

  29. #include <mbedtls/x509_crt.h>

  30. 

  31. #include "avformat.h"

  32. #include "internal.h"

  33. #include "url.h"

  34. #include "tls.h"

  35. #include "libavutil/parseutils.h"

  36. 

  37. typedef struct TLSContext {

  38.     const AVClass *class;

  39.     TLSShared tls_shared;

  40.     mbedtls_ssl_context ssl_context;

  41.     mbedtls_ssl_config ssl_config;

  42.     mbedtls_entropy_context entropy_context;

  43.     mbedtls_ctr_drbg_context ctr_drbg_context;

  44.     mbedtls_x509_crt ca_cert;

  45.     mbedtls_x509_crt own_cert;

  46.     mbedtls_pk_context priv_key;

  47.     char *priv_key_pw;

  48. } TLSContext;

  49. 

  50. #define OFFSET(x) offsetof(TLSContext, x)

  51. 

  52. static int tls_close(URLContext *h)

  53. {

  54.     TLSContext *tls_ctx = h->priv_data;

  55. 

  56.     mbedtls_ssl_close_notify(&tls_ctx->ssl_context);

  57.     mbedtls_pk_free(&tls_ctx->priv_key);

  58.     mbedtls_x509_crt_free(&tls_ctx->ca_cert);

  59.     mbedtls_x509_crt_free(&tls_ctx->own_cert);

  60.     mbedtls_ssl_free(&tls_ctx->ssl_context);

  61.     mbedtls_ssl_config_free(&tls_ctx->ssl_config);

  62.     mbedtls_ctr_drbg_free(&tls_ctx->ctr_drbg_context);

  63.     mbedtls_entropy_free(&tls_ctx->entropy_context);

  64. 

  65.     return 0;

  66. }

  67. 

  68. static int handle_transport_error(URLContext *h, const char* func_name, int react_on_eagain, int ret)

  69. {

  70.     switch (ret) {

  71.     case AVERROR(EAGAIN):

  72.         return react_on_eagain;

  73.     case AVERROR_EXIT:

  74.         return 0;

  75.     case AVERROR(EPIPE):

  76.     case AVERROR(ECONNRESET):

  77.         return MBEDTLS_ERR_NET_CONN_RESET;

  78.     default:

  79.         av_log(h, AV_LOG_ERROR, "%s returned 0x%x\n", func_name, ret);

  80.         errno = EIO;

  81.         return MBEDTLS_ERR_NET_SEND_FAILED;

  82.     }

  83. }

  84. 

  85. static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len)

  86. {

  87.     URLContext *h = (URLContext*) ctx;

  88.     int ret = ffurl_write(h, buf, len);

  89.     if (ret >= 0)

  90.         return ret;

  91. 

  92.     if (h->max_packet_size && len > h->max_packet_size)

  93.         return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;

  94. 

  95.     return handle_transport_error(h, "ffurl_write", MBEDTLS_ERR_SSL_WANT_WRITE, ret);

  96. }

  97. 

  98. static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)

  99. {

  100.     URLContext *h = (URLContext*) ctx;

  101.     int ret = ffurl_read(h, buf, len);

  102.     if (ret >= 0)

  103.         return ret;

  104. 

  105.     if (h->max_packet_size && len > h->max_packet_size)

  106.         return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;

  107. 

  108.     return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);

  109. }

  110. 

  111. static void handle_pk_parse_error(URLContext *h, int ret)

  112. {

  113.     switch (ret) {

  114.     case MBEDTLS_ERR_PK_FILE_IO_ERROR:

  115.         av_log(h, AV_LOG_ERROR, "Read of key file failed. Is it actually there, are the access permissions correct?\n");

  116.         break;

  117.     case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:

  118.         av_log(h, AV_LOG_ERROR, "A password for the private key is missing.\n");

  119.         break;

  120.     case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:

  121.         av_log(h, AV_LOG_ERROR, "The given password for the private key is wrong.\n");

  122.         break;

  123.     default:

  124.         av_log(h, AV_LOG_ERROR, "mbedtls_pk_parse_key returned -0x%x\n", -ret);

  125.         break;

  126.     }

  127. }

  128. 

  129. static void handle_handshake_error(URLContext *h, int ret)

  130. {

  131.     switch (ret) {

  132.     case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:

  133.         av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n");

  134.         break;

  135.     case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:

  136.         av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n");

  137.         break;

  138.     case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:

  139.         av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA correctly set?\n");

  140.         break;

  141.     case MBEDTLS_ERR_NET_CONN_RESET:

  142.         av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");

  143.         break;

  144.     default:

  145.         av_log(h, AV_LOG_ERROR, "mbedtls_ssl_handshake returned -0x%x\n", -ret);

  146.         break;

  147.     }

  148. }

  149. 

  150. static void parse_options(TLSContext *tls_ctxc, const char *uri)

  151. {

  152.     char buf[1024];

  153.     const char *p = strchr(uri, '?');

  154.     if (!p)

  155.         return;

  156. 

  157.     if (!tls_ctxc->priv_key_pw && av_find_info_tag(buf, sizeof(buf), "key_password", p))

  158.         tls_ctxc->priv_key_pw = av_strdup(buf);

  159. }

  160. 

  161. static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)

  162. {

  163.     TLSContext *tls_ctx = h->priv_data;

  164.     TLSShared *shr = &tls_ctx->tls_shared;

  165.     uint32_t verify_res_flags;

  166.     int ret;

  167. 

  168.     // parse additional options

  169.     parse_options(tls_ctx, uri);

  170. 

  171.     if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0)

  172.         goto fail;

  173. 

  174.     mbedtls_ssl_init(&tls_ctx->ssl_context);

  175.     mbedtls_ssl_config_init(&tls_ctx->ssl_config);

  176.     mbedtls_entropy_init(&tls_ctx->entropy_context);

  177.     mbedtls_ctr_drbg_init(&tls_ctx->ctr_drbg_context);

  178.     mbedtls_x509_crt_init(&tls_ctx->ca_cert);

  179.     mbedtls_pk_init(&tls_ctx->priv_key);

  180. 

  181.     // load trusted CA

  182.     if (shr->ca_file) {

  183.         if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) {

  184.             av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for CA cert returned %d\n", ret);

  185.             goto fail;

  186.         }

  187.     }

  188. 

  189.     // load own certificate

  190.     if (shr->cert_file) {

  191.         if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->own_cert, shr->cert_file)) != 0) {

  192.             av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for own cert returned %d\n", ret);

  193.             goto fail;

  194.         }

  195.     }

  196. 

  197.     // load key file

  198.     if (shr->key_file) {

  199.         if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,

  200.                                             shr->key_file,

  201.                                             tls_ctx->priv_key_pw)) != 0) {

  202.             handle_pk_parse_error(h, ret);

  203.             goto fail;

  204.         }

  205.     }

  206. 

  207.     // seed the random number generator

  208.     if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context,

  209.                                      mbedtls_entropy_func,

  210.                                      &tls_ctx->entropy_context,

  211.                                      NULL, 0)) != 0) {

  212.         av_log(h, AV_LOG_ERROR, "mbedtls_ctr_drbg_seed returned %d\n", ret);

  213.         goto fail;

  214.     }

  215. 

  216.     if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config,

  217.                                            shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,

  218.                                            MBEDTLS_SSL_TRANSPORT_STREAM,

  219.                                            MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {

  220.         av_log(h, AV_LOG_ERROR, "mbedtls_ssl_config_defaults returned %d\n", ret);

  221.         goto fail;

  222.     }

  223. 

  224.     mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,

  225.                               shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);

  226.     mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);

  227.     mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);

  228. 

  229.     // set own certificate and private key

  230.     if ((ret = mbedtls_ssl_conf_own_cert(&tls_ctx->ssl_config, &tls_ctx->own_cert, &tls_ctx->priv_key)) != 0) {

  231.         av_log(h, AV_LOG_ERROR, "mbedtls_ssl_conf_own_cert returned %d\n", ret);

  232.         goto fail;

  233.     }

  234. 

  235.     if ((ret = mbedtls_ssl_setup(&tls_ctx->ssl_context, &tls_ctx->ssl_config)) != 0) {

  236.         av_log(h, AV_LOG_ERROR, "mbedtls_ssl_setup returned %d\n", ret);

  237.         goto fail;

  238.     }

  239. 

  240.     if (!shr->listen && !shr->numerichost) {

  241.         if ((ret = mbedtls_ssl_set_hostname(&tls_ctx->ssl_context, shr->host)) != 0) {

  242.             av_log(h, AV_LOG_ERROR, "mbedtls_ssl_set_hostname returned %d\n", ret);

  243.             goto fail;

  244.         }

  245.     }

  246. 

  247.     // set I/O functions to use FFmpeg internal code for transport layer

  248.     mbedtls_ssl_set_bio(&tls_ctx->ssl_context, shr->tcp, mbedtls_send, mbedtls_recv, NULL);

  249. 

  250.     // ssl handshake

  251.     while ((ret = mbedtls_ssl_handshake(&tls_ctx->ssl_context)) != 0) {

  252.         if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {

  253.             handle_handshake_error(h, ret);

  254.             goto fail;

  255.         }

  256.     }

  257. 

  258.     if (shr->verify) {

  259.         // check the result of the certificate verification

  260.         if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->ssl_context)) != 0) {

  261.             av_log(h, AV_LOG_ERROR, "mbedtls_ssl_get_verify_result reported problems "\

  262.                                     "with the certificate verification, returned flags: %u\n",

  263.                                     verify_res_flags);

  264.             if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)

  265.                 av_log(h, AV_LOG_ERROR, "The certificate is not correctly signed by the trusted CA.\n");

  266.             goto fail;

  267.         }

  268.     }

  269. 

  270.     return 0;

  271. 

  272. fail:

  273.     tls_close(h);

  274.     return AVERROR(EIO);

  275. }

  276. 

  277. static int handle_tls_error(URLContext *h, const char* func_name, int ret)

  278. {

  279.     switch (ret) {

  280.     case MBEDTLS_ERR_SSL_WANT_READ:

  281.     case MBEDTLS_ERR_SSL_WANT_WRITE:

  282.         return AVERROR(EAGAIN);

  283.     case MBEDTLS_ERR_NET_SEND_FAILED:

  284.     case MBEDTLS_ERR_NET_RECV_FAILED:

  285.         return AVERROR(EIO);

  286.     case MBEDTLS_ERR_NET_CONN_RESET:

  287.     case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:

  288.         av_log(h, AV_LOG_WARNING, "%s reported connection reset by peer\n", func_name);

  289.         return AVERROR_EOF;

  290.     default:

  291.         av_log(h, AV_LOG_ERROR, "%s returned -0x%x\n", func_name, -ret);

  292.         return AVERROR(EIO);

  293.     }

  294. }

  295. 

  296. static int tls_read(URLContext *h, uint8_t *buf, int size)

  297. {

  298.     TLSContext *tls_ctx = h->priv_data;

  299.     int ret;

  300. 

  301.     if ((ret = mbedtls_ssl_read(&tls_ctx->ssl_context, buf, size)) > 0) {

  302.         // return read length

  303.         return ret;

  304.     }

  305. 

  306.     return handle_tls_error(h, "mbedtls_ssl_read", ret);

  307. }

  308. 

  309. static int tls_write(URLContext *h, const uint8_t *buf, int size)

  310. {

  311.     TLSContext *tls_ctx = h->priv_data;

  312.     int ret;

  313. 

  314.     if ((ret = mbedtls_ssl_write(&tls_ctx->ssl_context, buf, size)) > 0) {

  315.         // return written length

  316.         return ret;

  317.     }

  318. 

  319.     return handle_tls_error(h, "mbedtls_ssl_write", ret);

  320. }

  321. 

  322. static int tls_get_file_handle(URLContext *h)

  323. {

  324.     TLSContext *c = h->priv_data;

  325.     return ffurl_get_file_handle(c->tls_shared.tcp);

  326. }

  327. 

  328. static const AVOption options[] = {

  329.     TLS_COMMON_OPTIONS(TLSContext, tls_shared), \

  330.     {"key_password", "Password for the private key file", OFFSET(priv_key_pw),  AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \

  331.     { NULL }

  332. };

  333. 

  334. static const AVClass tls_class = {

  335.     .class_name = "tls",

  336.     .item_name  = av_default_item_name,

  337.     .option     = options,

  338.     .version    = LIBAVUTIL_VERSION_INT,

  339. };

  340. 

  341. const URLProtocol ff_tls_protocol = {

  342.     .name           = "tls",

  343.     .url_open2      = tls_open,

  344.     .url_read       = tls_read,

  345.     .url_write      = tls_write,

  346.     .url_close      = tls_close,

  347.     .url_get_file_handle = tls_get_file_handle,

  348.     .priv_data_size = sizeof(TLSContext),

  349.     .flags          = URL_PROTOCOL_FLAG_NETWORK,

  350.     .priv_data_class = &tls_class,

  351. };