From patchwork Sat Apr 21 23:33:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Volkert X-Patchwork-Id: 8552 Delivered-To: ffmpegpatchwork@gmail.com Received: by 2002:a02:155:0:0:0:0:0 with SMTP id c82-v6csp2159905jad; Sat, 21 Apr 2018 16:33:49 -0700 (PDT) X-Google-Smtp-Source: AIpwx48V2t6+3OgdPgzG0CbM++NBHtdbB7dkrxcFGkjNrFJd6UTcKFS521EFuCTvmZP+EKy2DUDh X-Received: by 2002:adf:9607:: with SMTP id b7-v6mr11483233wra.129.1524353629788; Sat, 21 Apr 2018 16:33:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524353629; cv=none; d=google.com; s=arc-20160816; b=WuQ0RHp+5q95FR/t9NXh5pu3uUzxpknsb+czi/uYT/EjGx8X2u6e+EnQu9d9xNKlAR +Cxi9aMhIy5Zj40qNLSmwtF8hij1s5KdQKvJE3GNWBwhWu2dSRvjg6VCWJoGxFSTeKDk 6vsirUsyTYPWAbKOZjBK4TnE3Tz7g61JsloM2PJYAB1IdKrI4VvfjQQbxFeZ/rITeAgp mE3vrtDKQHQvj1p0GzZiku6AHeMBBu/OsbC36XCM+zeRpwqtqimF0KlL/SBpNQ975oIu vty+cXhMDlaEFZa1ab2VQNk5HVZ1Sh8iQePMotc6DE5NhjoJYWTp9EN0tDd+zrx77VyI uebQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:message-id:date:to:from:delivered-to :arc-authentication-results; bh=rS80NtTSZVB2qa6S6sPVrD8z0Q/ZWbuyxHup2LXy8Q0=; b=ahgyGg5KAvEiLWEprGwIc3ohQiT3eO1BA09l49xHIcaYS371hpaPvSHB90oST3re7y 4RlARtGB/SoZJmp77HKlRSm3Kqz6nzHes5TlRMhRh7TacjrruhF2Ac87FKtrPri012i4 q7mtRBENqfNY/bqg5csNCc83SVH0P9Dys0NblluPbTu7KnZ76nqJqE7f5G6G2yn9ftt4 kS5QLmpkDHtsuclmMBKflb9hY7LBFiYDZ39gNMXN070MXfUWWAkCvNVbO4m8bY49rOn2 fhotY1qHxCjD0XvMvvA2rYO/jwYWGB+2i2rh3pfkRFHDVu/k5/0K6QYPi8yyhh8t3uzK bglQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id 30-v6si7152527wri.119.2018.04.21.16.33.49; Sat, 21 Apr 2018 16:33:49 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4D03768A183; Sun, 22 Apr 2018 02:33:19 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 7B4C368A05D for ; Sun, 22 Apr 2018 02:33:12 +0300 (EEST) Received: from snake.fritz.box ([84.170.43.41]) by mail.gmx.com (mrgmx101 [212.227.17.168]) with ESMTPSA (Nemesis) id 0LsPwa-1ePedH2icK-0121sk for ; Sun, 22 Apr 2018 01:33:39 +0200 From: Thomas Volkert To: ffmpeg-devel@ffmpeg.org Date: Sun, 22 Apr 2018 01:33:39 +0200 Message-Id: <1524353619-22423-1-git-send-email-silvo@gmx.net> X-Mailer: git-send-email 2.7.4 X-Provags-ID: V03:K1:jI/czMCvCp4HlHIDrUf24Y4JKpntLann+i2lO2RrU37YGpYTout FxCYRWCj+e+WM+5KLQMjJqSyxb6iqwci0i6b+kVzays+LSO0euUaljv1vLuZTIBnY/IkWO8 MA+qhchkZhVX9zhmAw8vobO5cKjCAPmy+CXTpXSzALi9tij3mcjuCa7pbBfc5FbizYTdAZa 7wB4PhAHzlRPEmZrsItWA== X-UI-Out-Filterresults: notjunk:1; V01:K0:BOp+fvQbnnE=:4K3Xvvh1iPJRANVdCe+W4D 5RMzxNHaxIZx8TgTzkEYtWFrGsaWwixeXqKeLGA2Ys6iqDu/yyiImITVaNtlcox2bKcF5rbEy VnYzVxOQuYh8tzySGTioMfTZJNWCeMrMl3+F4ot5BmH9bXj+LCEZO3mlxWyWkKJnEKiC390md Ri9Ttrsp8DFEGKVKqh3Ji1+C5WkpQ4LicTN3kyCzIrBCRb2iy1E1wT7j8DHuipqdWin89Jiie 7p4SgR4aUDoAlbuFD4q7mZw9TVBDoQWTvjhF/mLBivFvyUfSKC0KaZw+UD+RovJu60vhXKMjG nRiMo5sRwkyhBPGS6DY1F6sU1TvV0P0T39wOD4DPP70Iy2Th01WoxaC3Q6BRWpnNDQRMO2Xuf muBSA327gkhiuXW6oYQiST9mZAGaAsAx08B2IZjexzSOhWP7DUk6I/sP4U/p6B6fOL9tiPCUj g4V+iXZq3aRpAALHQVoTWg3Y4re/HNnr9i1zaF2nHOwqhOU5tLusMUrS63pARLStIVRBQuedz oZuaTdHHD5jMCQhEW7DN5ntCiKAcDKuD/wDMKPt7pFzg+nt6IMNQJB/fsg1kHiBzkheN4Jumg 4/1GEqOqf628iXiOrJV/e8V2qPSZhRWibkEkm8+Gr0edcIF5Kl56gdPFNbhtRRI5Hh1a5vJEP hV3ppCsfY4zicJFb/QSfPf1659RvTCSZPvTkn3jnhrSpMSo26FhZdeK6S+2sCXksav/7++0VJ wS3sj5tazg0inTyPWQabg9rRD9iGGoA40sJqSlrtW8c1rqQi4XOZLGZQZOyINF5MzUEg2Y8tP /RcVXANmfPd5YP+qJnZDtD/1hsdKR8XXWlURf38ObKaaN7GJfQyjpnRgoQyJQnbFBMM2wmMq1 WJ1yQOxwsDRUuY9W87jS3QYeagn6bP8OFXibKB8hX6MY49Kd94LF+kZ7fvbZKT+2wa0C6BZAh 1CIHlNlNPQhW/pFdLmDGfZohtvgSqE8b2XpZWftIqk2BRCuF9V9HL Subject: [FFmpeg-devel] [PATCH] libavformat: add mbedTLS based TLS X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" From: Thomas Volkert --- Changelog | 1 + configure | 31 ++-- libavformat/Makefile | 1 + libavformat/rtmpdh.c | 55 ++++++++ libavformat/rtmpdh.h | 5 + libavformat/tls_mbedtls.c | 351 ++++++++++++++++++++++++++++++++++++++++++++++ libavformat/version.h | 2 +- 7 files changed, 436 insertions(+), 10 deletions(-) create mode 100644 libavformat/tls_mbedtls.c diff --git a/Changelog b/Changelog index 3ed4874..0a344f3 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,7 @@ releases are sorted from youngest to oldest. version : - deblock filter +- support mbedTLS based TLS version 4.0: diff --git a/configure b/configure index dee507c..c1f21cd 100755 --- a/configure +++ b/configure @@ -213,7 +213,7 @@ External library support: --enable-gmp enable gmp, needed for rtmp(t)e support if openssl or librtmp is not used [no] --enable-gnutls enable gnutls, needed for https support - if openssl or libtls is not used [no] + if openssl, libtls or mbedtls is not used [no] --disable-iconv disable iconv [autodetect] --enable-jni enable JNI support [no] --enable-ladspa enable LADSPA audio filtering [no] @@ -262,7 +262,7 @@ External library support: --enable-libtesseract enable Tesseract, needed for ocr filter [no] --enable-libtheora enable Theora encoding via libtheora [no] --enable-libtls enable LibreSSL (via libtls), needed for https support - if openssl or gnutls is not used [no] + if openssl, gnutls or mbedtls is not used [no] --enable-libtwolame enable MP2 encoding via libtwolame [no] --enable-libv4l2 enable libv4l2/v4l-utils [no] --enable-libvidstab enable video stabilization using vid.stab [no] @@ -290,13 +290,15 @@ External library support: --disable-lzma disable lzma [autodetect] --enable-decklink enable Blackmagic DeckLink I/O support [no] --enable-libndi_newtek enable Newteck NDI I/O support [no] + --enable-mbedtls enable mbedTLS, needed for https support + if openssl, gnutls or libtls is not used [no] --enable-mediacodec enable Android MediaCodec support [no] --enable-libmysofa enable libmysofa, needed for sofalizer filter [no] --enable-openal enable OpenAL 1.1 capture support [no] --enable-opencl enable OpenCL processing [no] --enable-opengl enable OpenGL rendering [no] --enable-openssl enable openssl, needed for https support - if gnutls or libtls is not used [no] + if gnutls, libtls or mbedtls is not used [no] --disable-sndio disable sndio support [autodetect] --disable-schannel disable SChannel SSP, needed for TLS support on Windows if openssl and gnutls are not used [autodetect] @@ -1654,6 +1656,7 @@ EXTERNAL_LIBRARY_VERSION3_LIST=" libopencore_amrwb libvmaf libvo_amrwbenc + mbedtls rkmpp " @@ -3117,7 +3120,7 @@ fifo_muxer_deps="threads" flac_demuxer_select="flac_parser" hds_muxer_select="flv_muxer" hls_muxer_select="mpegts_muxer" -hls_muxer_suggest="gcrypt openssl" +hls_muxer_suggest="gcrypt openssl mbedtls" image2_alias_pix_demuxer_select="image2_demuxer" image2_brender_pix_demuxer_select="image2_demuxer" ipod_muxer_select="mov_muxer" @@ -3229,7 +3232,7 @@ xv_outdev_extralibs="-lXv -lX11 -lXext" async_protocol_deps="threads" bluray_protocol_deps="libbluray" ffrtmpcrypt_protocol_conflict="librtmp_protocol" -ffrtmpcrypt_protocol_deps_any="gcrypt gmp openssl" +ffrtmpcrypt_protocol_deps_any="gcrypt gmp openssl mbedtls" ffrtmpcrypt_protocol_select="tcp_protocol" ffrtmphttp_protocol_conflict="librtmp_protocol" ffrtmphttp_protocol_select="http_protocol" @@ -3249,7 +3252,7 @@ librtmpt_protocol_deps="librtmp" librtmpte_protocol_deps="librtmp" libsmbclient_protocol_deps="libsmbclient gplv3" libssh_protocol_deps="libssh" -libtls_conflict="openssl gnutls" +libtls_conflict="openssl gnutls mbedtls" mmsh_protocol_select="http_protocol" mmst_protocol_select="network" libsrt_protocol_deps="libsrt" @@ -3269,13 +3272,13 @@ rtmpte_protocol_suggest="zlib" rtmpts_protocol_select="ffrtmphttp_protocol https_protocol" rtmpts_protocol_suggest="zlib" rtp_protocol_select="udp_protocol" -schannel_conflict="openssl gnutls libtls" +schannel_conflict="openssl gnutls libtls mbedtls" sctp_protocol_deps="struct_sctp_event_subscribe struct_msghdr_msg_flags" sctp_protocol_select="network" -securetransport_conflict="openssl gnutls libtls" +securetransport_conflict="openssl gnutls libtls mbedtls" srtp_protocol_select="rtp_protocol srtp" tcp_protocol_select="network" -tls_protocol_deps_any="gnutls openssl schannel securetransport libtls" +tls_protocol_deps_any="gnutls openssl schannel securetransport libtls mbedtls" tls_protocol_select="tcp_protocol" udp_protocol_select="network" udplite_protocol_select="network" @@ -3907,6 +3910,12 @@ fi enabled_all gnutls openssl && die "GnuTLS and OpenSSL must not be enabled at the same time." +enabled_all gnutls mbedtls && + die "GnuTLS and mbedTLS must not be enabled at the same time." + +enabled_all openssl mbedtls && + die "OpenSSL and mbedTLS must not be enabled at the same time." + # Disable all the library-specific components if the library itself # is disabled, see AVCODEC_LIST and following _LIST variables. @@ -6090,6 +6099,10 @@ enabled libzvbi && require_pkg_config libzvbi zvbi-0.2 libzvbi.h vbi_d { test_cpp_condition libzvbi.h "VBI_VERSION_MAJOR > 0 || VBI_VERSION_MINOR > 2 || VBI_VERSION_MINOR == 2 && VBI_VERSION_MICRO >= 28" || enabled gpl || die "ERROR: libzvbi requires version 0.2.28 or --enable-gpl."; } enabled libxml2 && require_pkg_config libxml2 libxml-2.0 libxml2/libxml/xmlversion.h xmlCheckVersion +enabled mbedtls && { check_pkg_config mbedtls mbedtls mbedtls/x509_crt.h mbedtls_x509_crt_init || + check_pkg_config mbedtls mbedtls mbedtls/ssl.h mbedtls_ssl_init || + check_lib mbedtls mbedtls/ssl.h mbedtls_ssl_init -lmbedtls || + die "ERROR: mbedTLS not found"; } enabled mediacodec && { enabled jni || die "ERROR: mediacodec requires --enable-jni"; } enabled mmal && { check_lib mmal interface/mmal/mmal.h mmal_port_connect -lmmal_core -lmmal_util -lmmal_vc_client -lbcm_host || { ! enabled cross_compile && diff --git a/libavformat/Makefile b/libavformat/Makefile index 3eeca50..1f6b42a 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -608,6 +608,7 @@ OBJS-$(CONFIG_TEE_PROTOCOL) += teeproto.o tee_common.o OBJS-$(CONFIG_TCP_PROTOCOL) += tcp.o TLS-OBJS-$(CONFIG_GNUTLS) += tls_gnutls.o TLS-OBJS-$(CONFIG_LIBTLS) += tls_libtls.o +TLS-OBJS-$(CONFIG_MBEDTLS) += tls_mbedtls.o TLS-OBJS-$(CONFIG_OPENSSL) += tls_openssl.o TLS-OBJS-$(CONFIG_SECURETRANSPORT) += tls_securetransport.o TLS-OBJS-$(CONFIG_SCHANNEL) += tls_schannel.o diff --git a/libavformat/rtmpdh.c b/libavformat/rtmpdh.c index 8eb0882..5ddae53 100644 --- a/libavformat/rtmpdh.c +++ b/libavformat/rtmpdh.c @@ -38,6 +38,11 @@ #include "rtmpdh.h" +#if CONFIG_MBEDTLS +#include +#include +#endif + #define P1024 \ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ @@ -159,6 +164,56 @@ static int bn_modexp(FFBigNum bn, FFBigNum y, FFBigNum q, FFBigNum p) BN_CTX_free(ctx); return 0; } +#elif CONFIG_MBEDTLS +#define bn_new(bn) \ + do { \ + bn = av_malloc(sizeof(*bn)); \ + if (bn) \ + mbedtls_mpi_init(bn); \ + } while (0) +#define bn_free(bn) \ + do { \ + mbedtls_mpi_free(bn); \ + av_free(bn); \ + } while (0) +#define bn_set_word(bn, w) mbedtls_mpi_lset(bn, w) +#define bn_cmp(a, b) mbedtls_mpi_cmp_mpi(a, b) +#define bn_copy(to, from) mbedtls_mpi_copy(to, from) +#define bn_sub_word(bn, w) mbedtls_mpi_sub_int(bn, bn, w) +#define bn_cmp_1(bn) mbedtls_mpi_cmp_int(bn, 1) +#define bn_num_bytes(bn) (mbedtls_mpi_bitlen(bn) + 7) / 8 +#define bn_bn2bin(bn, buf, len) mbedtls_mpi_write_binary(bn, buf, len) +#define bn_bin2bn(bn, buf, len) \ + do { \ + bn_new(bn); \ + if (bn) \ + mbedtls_mpi_read_binary(bn, buf, len); \ + } while (0) +#define bn_hex2bn(bn, buf, ret) \ + do { \ + bn_new(bn); \ + if (bn) \ + ret = (mbedtls_mpi_read_string(bn, 16, buf) == 0); \ + else \ + ret = 1; \ + } while (0) +#define bn_random(bn, num_bits) \ + do { \ + mbedtls_entropy_context entropy_ctx; \ + mbedtls_ctr_drbg_context ctr_drbg_ctx; \ + \ + mbedtls_entropy_init(&entropy_ctx); \ + mbedtls_ctr_drbg_init(&ctr_drbg_ctx); \ + mbedtls_ctr_drbg_seed(&ctr_drbg_ctx, \ + mbedtls_entropy_func, \ + &entropy_ctx, \ + NULL, 0); \ + mbedtls_mpi_fill_random(bn, (num_bits + 7) / 8, mbedtls_ctr_drbg_random, &ctr_drbg_ctx); \ + mbedtls_ctr_drbg_free(&ctr_drbg_ctx); \ + mbedtls_entropy_free(&entropy_ctx); \ + } while (0) +#define bn_modexp(bn, y, q, p) mbedtls_mpi_exp_mod(bn, y, q, p, 0) + #endif #define MAX_BYTES 18000 diff --git a/libavformat/rtmpdh.h b/libavformat/rtmpdh.h index 188aad7..8cc1a42 100644 --- a/libavformat/rtmpdh.h +++ b/libavformat/rtmpdh.h @@ -40,6 +40,11 @@ typedef gcry_mpi_t FFBigNum; #include typedef BIGNUM *FFBigNum; +#elif CONFIG_MBEDTLS +#include + +typedef mbedtls_mpi *FFBigNum; + #endif typedef struct FF_DH { diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c new file mode 100644 index 0000000..b42b76f --- /dev/null +++ b/libavformat/tls_mbedtls.c @@ -0,0 +1,351 @@ +/* + * TLS/SSL Protocol + * Copyright (c) 2018 Thomas Volkert + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "avformat.h" +#include "internal.h" +#include "url.h" +#include "tls.h" +#include "libavutil/parseutils.h" + +typedef struct TLSContext { + const AVClass *class; + TLSShared tls_shared; + mbedtls_ssl_context ssl_context; + mbedtls_ssl_config ssl_config; + mbedtls_entropy_context entropy_context; + mbedtls_ctr_drbg_context ctr_drbg_context; + mbedtls_x509_crt ca_cert; + mbedtls_x509_crt own_cert; + mbedtls_pk_context priv_key; + char *priv_key_pw; +} TLSContext; + +#define OFFSET(x) offsetof(TLSContext, x) + +static int tls_close(URLContext *h) +{ + TLSContext *tls_ctx = h->priv_data; + + mbedtls_ssl_close_notify(&tls_ctx->ssl_context); + mbedtls_pk_free(&tls_ctx->priv_key); + mbedtls_x509_crt_free(&tls_ctx->ca_cert); + mbedtls_x509_crt_free(&tls_ctx->own_cert); + mbedtls_ssl_free(&tls_ctx->ssl_context); + mbedtls_ssl_config_free(&tls_ctx->ssl_config); + mbedtls_ctr_drbg_free(&tls_ctx->ctr_drbg_context); + mbedtls_entropy_free(&tls_ctx->entropy_context); + + return 0; +} + +static int handle_transport_error(URLContext *h, const char* func_name, int react_on_eagain, int ret) +{ + switch (ret) { + case AVERROR(EAGAIN): + return react_on_eagain; + case AVERROR_EXIT: + return 0; + case AVERROR(EPIPE): + case AVERROR(ECONNRESET): + return MBEDTLS_ERR_NET_CONN_RESET; + default: + av_log(h, AV_LOG_ERROR, "%s returned 0x%x\n", func_name, ret); + errno = EIO; + return MBEDTLS_ERR_NET_SEND_FAILED; + } +} + +static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len) +{ + URLContext *h = (URLContext*) ctx; + int ret = ffurl_write(h, buf, len); + if (ret >= 0) + return ret; + + if (h->max_packet_size && len > h->max_packet_size) + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + + return handle_transport_error(h, "ffurl_write", MBEDTLS_ERR_SSL_WANT_WRITE, ret); +} + +static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len) +{ + URLContext *h = (URLContext*) ctx; + int ret = ffurl_read(h, buf, len); + if (ret >= 0) + return ret; + + if (h->max_packet_size && len > h->max_packet_size) + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + + return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret); +} + +static void handle_pk_parse_error(URLContext *h, int ret) +{ + switch (ret) { + case MBEDTLS_ERR_PK_FILE_IO_ERROR: + av_log(h, AV_LOG_ERROR, "Read of key file failed. Is it actually there, are the access permissions correct?\n"); + break; + case MBEDTLS_ERR_PK_PASSWORD_REQUIRED: + av_log(h, AV_LOG_ERROR, "A password for the private key is missing.\n"); + break; + case MBEDTLS_ERR_PK_PASSWORD_MISMATCH: + av_log(h, AV_LOG_ERROR, "The given password for the private key is wrong.\n"); + break; + default: + av_log(h, AV_LOG_ERROR, "mbedtls_pk_parse_key returned -0x%x\n", -ret); + break; + } +} + +static void handle_handshake_error(URLContext *h, int ret) +{ + switch (ret) { + case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: + av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n"); + break; + case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: + av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); + break; + case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED: + av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA correctly set?\n"); + break; + case MBEDTLS_ERR_NET_CONN_RESET: + av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n"); + break; + default: + av_log(h, AV_LOG_ERROR, "mbedtls_ssl_handshake returned -0x%x\n", -ret); + break; + } +} + +static void parse_options(TLSContext *tls_ctxc, const char *uri) +{ + char buf[1024]; + const char *p = strchr(uri, '?'); + if (!p) + return; + + if (!tls_ctxc->priv_key_pw && av_find_info_tag(buf, sizeof(buf), "key_password", p)) + tls_ctxc->priv_key_pw = av_strdup(buf); +} + +static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options) +{ + TLSContext *tls_ctx = h->priv_data; + TLSShared *shr = &tls_ctx->tls_shared; + uint32_t verify_res_flags; + int ret; + + // parse additional options + parse_options(tls_ctx, uri); + + if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0) + goto fail; + + mbedtls_ssl_init(&tls_ctx->ssl_context); + mbedtls_ssl_config_init(&tls_ctx->ssl_config); + mbedtls_entropy_init(&tls_ctx->entropy_context); + mbedtls_ctr_drbg_init(&tls_ctx->ctr_drbg_context); + mbedtls_x509_crt_init(&tls_ctx->ca_cert); + mbedtls_pk_init(&tls_ctx->priv_key); + + // load trusted CA + if (shr->ca_file) { + if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) { + av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for CA cert returned %d\n", ret); + goto fail; + } + } + + // load own certificate + if (shr->cert_file) { + if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->own_cert, shr->cert_file)) != 0) { + av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for own cert returned %d\n", ret); + goto fail; + } + } + + // load key file + if (shr->key_file) { + if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, + shr->key_file, + tls_ctx->priv_key_pw)) != 0) { + handle_pk_parse_error(h, ret); + goto fail; + } + } + + // seed the random number generator + if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context, + mbedtls_entropy_func, + &tls_ctx->entropy_context, + NULL, 0)) != 0) { + av_log(h, AV_LOG_ERROR, "mbedtls_ctr_drbg_seed returned %d\n", ret); + goto fail; + } + + if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config, + shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT)) != 0) { + av_log(h, AV_LOG_ERROR, "mbedtls_ssl_config_defaults returned %d\n", ret); + goto fail; + } + + mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, + shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); + mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); + + // set own certificate and private key + if ((ret = mbedtls_ssl_conf_own_cert(&tls_ctx->ssl_config, &tls_ctx->own_cert, &tls_ctx->priv_key)) != 0) { + av_log(h, AV_LOG_ERROR, "mbedtls_ssl_conf_own_cert returned %d\n", ret); + goto fail; + } + + if ((ret = mbedtls_ssl_setup(&tls_ctx->ssl_context, &tls_ctx->ssl_config)) != 0) { + av_log(h, AV_LOG_ERROR, "mbedtls_ssl_setup returned %d\n", ret); + goto fail; + } + + if (!shr->listen && !shr->numerichost) { + if ((ret = mbedtls_ssl_set_hostname(&tls_ctx->ssl_context, shr->host)) != 0) { + av_log(h, AV_LOG_ERROR, "mbedtls_ssl_set_hostname returned %d\n", ret); + goto fail; + } + } + + // set I/O functions to use FFmpeg internal code for transport layer + mbedtls_ssl_set_bio(&tls_ctx->ssl_context, shr->tcp, mbedtls_send, mbedtls_recv, NULL); + + // ssl handshake + while ((ret = mbedtls_ssl_handshake(&tls_ctx->ssl_context)) != 0) { + if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { + handle_handshake_error(h, ret); + goto fail; + } + } + + if (shr->verify) { + // check the result of the certificate verification + if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->ssl_context)) != 0) { + av_log(h, AV_LOG_ERROR, "mbedtls_ssl_get_verify_result reported problems "\ + "with the certificate verification, returned flags: %u\n", + verify_res_flags); + if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) + av_log(h, AV_LOG_ERROR, "The certificate is not correctly signed by the trusted CA.\n"); + goto fail; + } + } + + return 0; + +fail: + tls_close(h); + return AVERROR(EIO); +} + +static int handle_tls_error(URLContext *h, const char* func_name, int ret) +{ + switch (ret) { + case MBEDTLS_ERR_SSL_WANT_READ: + case MBEDTLS_ERR_SSL_WANT_WRITE: + return AVERROR(EAGAIN); + case MBEDTLS_ERR_NET_SEND_FAILED: + case MBEDTLS_ERR_NET_RECV_FAILED: + return AVERROR(EIO); + case MBEDTLS_ERR_NET_CONN_RESET: + case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY: + av_log(h, AV_LOG_WARNING, "%s reported connection reset by peer\n", func_name); + return AVERROR_EOF; + default: + av_log(h, AV_LOG_ERROR, "%s returned -0x%x\n", func_name, -ret); + return AVERROR(EIO); + } +} + +static int tls_read(URLContext *h, uint8_t *buf, int size) +{ + TLSContext *tls_ctx = h->priv_data; + int ret; + + if ((ret = mbedtls_ssl_read(&tls_ctx->ssl_context, buf, size)) > 0) { + // return read length + return ret; + } + + return handle_tls_error(h, "mbedtls_ssl_read", ret); +} + +static int tls_write(URLContext *h, const uint8_t *buf, int size) +{ + TLSContext *tls_ctx = h->priv_data; + int ret; + + if ((ret = mbedtls_ssl_write(&tls_ctx->ssl_context, buf, size)) > 0) { + // return written length + return ret; + } + + return handle_tls_error(h, "mbedtls_ssl_write", ret); +} + +static int tls_get_file_handle(URLContext *h) +{ + TLSContext *c = h->priv_data; + return ffurl_get_file_handle(c->tls_shared.tcp); +} + +static const AVOption options[] = { + TLS_COMMON_OPTIONS(TLSContext, tls_shared), \ + {"key_password", "Password for the private key file", OFFSET(priv_key_pw), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ + { NULL } +}; + +static const AVClass tls_class = { + .class_name = "tls", + .item_name = av_default_item_name, + .option = options, + .version = LIBAVUTIL_VERSION_INT, +}; + +const URLProtocol ff_tls_protocol = { + .name = "tls", + .url_open2 = tls_open, + .url_read = tls_read, + .url_write = tls_write, + .url_close = tls_close, + .url_get_file_handle = tls_get_file_handle, + .priv_data_size = sizeof(TLSContext), + .flags = URL_PROTOCOL_FLAG_NETWORK, + .priv_data_class = &tls_class, +}; diff --git a/libavformat/version.h b/libavformat/version.h index dced716..e9b94cc 100644 --- a/libavformat/version.h +++ b/libavformat/version.h @@ -32,7 +32,7 @@ // Major bumping may affect Ticket5467, 5421, 5451(compatibility with Chromium) // Also please add any ticket numbers that you believe might be affected here #define LIBAVFORMAT_VERSION_MAJOR 58 -#define LIBAVFORMAT_VERSION_MINOR 13 +#define LIBAVFORMAT_VERSION_MINOR 14 #define LIBAVFORMAT_VERSION_MICRO 100 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \