From patchwork Thu Jan 17 08:57:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rodger Combs X-Patchwork-Id: 11777 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id DB6C544DBF7 for ; Thu, 17 Jan 2019 11:03:54 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 069C668AB93; Thu, 17 Jan 2019 11:03:43 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-io1-f48.google.com (mail-io1-f48.google.com [209.85.166.48]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id A8EB768AB1C for ; Thu, 17 Jan 2019 11:03:36 +0200 (EET) Received: by mail-io1-f48.google.com with SMTP id k7so7206383iob.6 for ; Thu, 17 Jan 2019 01:03:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=4LGAuGT3EGnSUMyw1z4atGQzbX6NW8ZNs1lWFCGyLMM=; b=AugTka1GXby1FEPVs94EK5hvIfGLqANw4PqsLoqStW+3lvT8Bhrc7fRw2fYidApNlj QuYCymmMMAjUrh8XQNEooNqkHS6oJdbKq0+XSfWNDOTXvQj7+695LWlsYytRK4knYcJy NLGbVn3uQYG2DxI5jTewd1/Xg4Iek/H+lkVeM8iy6lygwlmK1qJ6cOaWDfhsauQk8ESd fs55d3TaCgG6/L9NbROWEebCGUqFNCfsZdQBZp7ccMiaSC2snvdbCHszxX82A5PQUPK+ tVfutbCQcbciiMnq1kLSZwoe8j9qxzLKl024+ME1y10hkaM6MMXbfOyMGhJbWxlVmEJ2 mKuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=4LGAuGT3EGnSUMyw1z4atGQzbX6NW8ZNs1lWFCGyLMM=; b=i8oHh67IIXF9nffiUbYREOb4wfeRKmxi5H7/nC9+XCCUu43Y1ITCK1BWlJ40VN5OM3 bGlvZuUAXDxFxAM7tMXHKTe+oJuPLkXKXcZIqEdDcg3luzIN+mWkmwQYQBBvcIWvvhEW 6QMiWLDtIEV7z7f3f4ZPjs1MjZSN7u5B39N0t1QKd9XxC4MuXSY/j1azjzwl1GLTMZ0D SjkJZoSA4M2rEStG0NdGruS3GMAUJRcqS5yrQEj6fYvwojbTNKOD8q9jxBN1psV1EetO Goafu/lbps6A/JQsyYPT80LrRE5tyiwZIqwCKQ9USO4hA26UkP8EOd6Pqd+V4Gkud65U 0boA== X-Gm-Message-State: AJcUukcQpvdqtu1XI+Yk7zqVUrndVZaO7Fdn0t5tZol7qoktKmDyf7U/ uJ/IB+Ao5hpopW/7ZO7BZMkWgOj/ X-Google-Smtp-Source: ALg8bN5DgFi42hh7FDa0xxHtK32XnDUISfW3qLsSUiV0RjtEeH9lBVzgckNCB2TV0F4YcTDAGBd3rg== X-Received: by 2002:a6b:8b0a:: with SMTP id n10mr6819862iod.2.1547715492043; Thu, 17 Jan 2019 00:58:12 -0800 (PST) Received: from Rodgers-MBP.localdomain ([71.201.155.37]) by smtp.gmail.com with ESMTPSA id w16sm411342ita.38.2019.01.17.00.58.10 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 17 Jan 2019 00:58:10 -0800 (PST) From: Rodger Combs To: ffmpeg-devel@ffmpeg.org Date: Thu, 17 Jan 2019 02:57:14 -0600 Message-Id: <20190117085715.44726-3-rodger.combs@gmail.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20190117085715.44726-1-rodger.combs@gmail.com> References: <20190117085715.44726-1-rodger.combs@gmail.com> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 3/4] lavf/tls_openssl: on 1.1 or later, verify the server's hostname X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" --- libavformat/tls_openssl.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 493f43e610..bdc4985bad 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -35,6 +35,7 @@ #include #include #include +#include static int openssl_init; @@ -269,8 +270,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - // Note, this doesn't check that the peer certificate actually matches - // the requested hostname. if (c->verify) SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); p->ssl = SSL_new(p->ctx); @@ -294,8 +293,23 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op bio->ptr = c->tcp; #endif SSL_set_bio(p->ssl, bio, bio); - if (!c->listen && !c->numerichost) - SSL_set_tlsext_host_name(p->ssl, c->host); + if (!c->listen && !c->numerichost) { +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + X509_VERIFY_PARAM *param = SSL_get0_param(p->ssl); + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); +#endif + if ( +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + // Note, if on OpenSSL prior to 1.1.0, we won't check that + // the peer certificate actually matches the requested hostname. + !X509_VERIFY_PARAM_set1_host(param, c->host, 0) || +#endif + !SSL_set_tlsext_host_name(p->ssl, c->host)) { + av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); + ret = AVERROR(EIO); + goto fail; + } + } ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl); if (ret == 0) { av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");