From patchwork Fri Jan 18 08:46:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rodger Combs X-Patchwork-Id: 11792 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 9E44044E019 for ; Fri, 18 Jan 2019 10:46:21 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id C73CD68AC6E; Fri, 18 Jan 2019 10:46:09 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-io1-f54.google.com (mail-io1-f54.google.com [209.85.166.54]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3DD0568AC6D for ; Fri, 18 Jan 2019 10:46:03 +0200 (EET) Received: by mail-io1-f54.google.com with SMTP id b23so10081279ios.10 for ; Fri, 18 Jan 2019 00:46:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=X5N/11f46KhQWoI4v686i0WSd/8zV8BQkxAzvHOTuj4=; b=d6UUNpCFH1hvuvN6D7/JJsfhvE3wuYPQDfAOBwDowJQz3VyNrd6vkoyO53A8Ks9NOw 8BKUCUcuKLMmLnaJJLctJAeyeWXvyIUVSiLhPyg0JopXPcw1TAQzyooR4Zg1giiZKYRe xFkU6v4o/a6wA5NCDU8nFV1mYvF8PfWcYoOpKsvApevTzO8mbhNRkUhauY+4cacoQwhN KTjOGc0Y9f7YxOU0f8dMb+qgYSxRzTc1VGdkZ7rLLDxcF4fxJ2h23k8NFhRvBLCvg8OB D6wE5gk5svoLImZldA3dTNppUW/Jh9q9t2m+nhx87dgVh+4qvPCGtyppadRhqu28kXSs eULA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=X5N/11f46KhQWoI4v686i0WSd/8zV8BQkxAzvHOTuj4=; b=oVn89+Kv5owmylM5pfbZf9kDi+zTG8mCAOzAGQuf3aNd4MXW1AzhbWIP2LJFM1G9YE B09e26lrNsxMzbZCTbQ2rh/7uV96WXN+UWHBUvDWY0t+Uxw+UTmkmAVmBki3L6h9QZQ0 y+/W36jIWpE2MjGWZx1krbY5AiJWU+ACPvmwNLyUjEfDouBwtS6Sv/F6FTs4AvR8n0pO VYsXjFOB/oorX7jQ9JPYq1nWFokXRQth7YIoo+BiKCFknUy1/tIABhl2j9U0R5G/aTY+ 8uzfOadCQlZGUR/73M918VF4Ubjcbyr0dXazcbLqO0LL87/UTLjLwhg2RbBJfXNdKieV C0IQ== X-Gm-Message-State: AJcUukdybCh6HKbger1rgjeqqVUI3G4hm1nUeSyQrpR4ox7wA/ubyw4C K3hBvmsnAklKSbpOjkJPc9Rbqidd X-Google-Smtp-Source: ALg8bN7/OcojWP+EmPzEYa4IEJoEw8TbzZiiXmHydNRlnHIVowUDqJGm3cLGkEHT6Isz79Vzvu/0wQ== X-Received: by 2002:a6b:ce06:: with SMTP id p6mr8873032iob.189.1547801176663; Fri, 18 Jan 2019 00:46:16 -0800 (PST) Received: from Rodgers-MBP.localdomain ([71.201.155.37]) by smtp.gmail.com with ESMTPSA id b25sm1477777iot.10.2019.01.18.00.46.15 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 18 Jan 2019 00:46:15 -0800 (PST) From: Rodger Combs To: ffmpeg-devel@ffmpeg.org Date: Fri, 18 Jan 2019 02:46:02 -0600 Message-Id: <20190118084604.82324-3-rodger.combs@gmail.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20190118084604.82324-1-rodger.combs@gmail.com> References: <20190118084604.82324-1-rodger.combs@gmail.com> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 3/5] lavf/tls_openssl: on 1.1 or later, verify the server's hostname X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" --- libavformat/tls_openssl.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index ae3fd6e236..ba233c0229 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -35,6 +35,7 @@ #include #include #include +#include static int openssl_init; @@ -269,8 +270,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - // Note, this doesn't check that the peer certificate actually matches - // the requested hostname. if (c->verify) SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); p->ssl = SSL_new(p->ctx); @@ -294,8 +293,23 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op bio->ptr = c->tcp; #endif SSL_set_bio(p->ssl, bio, bio); - if (!c->listen && !c->numerichost) - SSL_set_tlsext_host_name(p->ssl, c->host); + if (!c->listen && !c->numerichost) { +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + X509_VERIFY_PARAM *param = SSL_get0_param(p->ssl); + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); +#endif + if ( +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + // Note, if on OpenSSL prior to 1.1.0, we won't check that + // the peer certificate actually matches the requested hostname. + !X509_VERIFY_PARAM_set1_host(param, c->host, 0) || +#endif + !SSL_set_tlsext_host_name(p->ssl, c->host)) { + av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); + ret = AVERROR(EIO); + goto fail; + } + } ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl); if (ret == 0) { av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");