From patchwork Sat May 30 03:57:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: rcombs X-Patchwork-Id: 19975 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 4A89D44B05D for ; Sat, 30 May 2020 06:58:11 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2181968AB65; Sat, 30 May 2020 06:58:11 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from so254-54.mailgun.net (so254-54.mailgun.net [198.61.254.54]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id DF8E468A777 for ; Sat, 30 May 2020 06:58:04 +0300 (EEST) DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=rcombs.me; q=dns/txt; s=mx; t=1590811084; h=Content-Transfer-Encoding: MIME-Version: Message-Id: Date: Subject: To: From: Sender; bh=Bfvsjo0hxVvSGZkYHiKbfDb0opWnARaF7xppo5C0rEk=; b=GSwNLUpIDLbNCq7TEfxl839JIvEDK1I5KkA5m9/SRWcOKcDcSrmkZGP3MShBtAuQZcU19U8T 1nD8hFsQ+Agcyt4LPYZEPkKXnyG9T25xWBgY5Y4bCAvrziAlQnXPmS7++zuxFK1m3jFwhVk+ 2D/4K2S3SQtPsmqgNSiV+WWIBtc= X-Mailgun-Sending-Ip: 198.61.254.54 X-Mailgun-Sid: WyJiZDU1MSIsICJmZm1wZWctZGV2ZWxAZmZtcGVnLm9yZyIsICJiMGJhIl0= Received: from rcombs-mbp.localdomain ( [24.14.135.13]) by smtp-out-n11.prod.us-west-2.postgun.com with SMTP id 5ed1d9cac6d46832432b42f2 (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Sat, 30 May 2020 03:58:02 GMT 
From: rcombs To: ffmpeg-devel@ffmpeg.org Date: Fri, 29 May 2020 22:57:50 -0500 Message-Id: <20200530035753.30241-1-rcombs@rcombs.me> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 1/4] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0 X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" --- libavformat/tls_openssl.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 002197fa76..d66845cf48 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -272,8 +272,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - // Note, this doesn't check that the peer certificate actually matches - // the requested hostname. if (c->verify) SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); p->ssl = SSL_new(p->ctx); 
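Review bot: the removed comment ("Note, this doesn't check that the peer certificate actually matches the requested hostname") remains true for builds against OpenSSL older than 1.1.0, where the second hunk of this patch only logs a warning and never calls SSL_set1_host; rather than deleting it outright, keep a shortened version next to that #else branch, or reword it here to say that hostname matching is configured per connection below when the library supports it. While touching this line it is also worth noting that SSL_CTX_set_verify is given SSL_VERIFY_FAIL_IF_NO_PEER_CERT unconditionally, so whenever verification is enabled on a listen-mode context every connecting client is required to present a certificate; that matters for any later change to the tls_verify default.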
@@ -297,8 +295,18 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op bio->ptr = c->tcp; #endif SSL_set_bio(p->ssl, bio, bio); - if (!c->listen && !c->numerichost) + if (!c->listen && !c->numerichost) { SSL_set_tlsext_host_name(p->ssl, c->host); + if (c->verify) +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + SSL_set1_host(p->ssl, c->host); +#else + av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n" + "which doesn't provide peer name verification, so this connection\n" + "will be made insecurely. To make this connection securely,\n" + "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n"); +#endif + } ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl); if (ret == 0) { av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n"); From patchwork Sat May 30 03:57:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: rcombs X-Patchwork-Id: 19976 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 625AF44B05D for ; Sat, 30 May 2020 06:58:13 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 48B2668AB72; Sat, 30 May 2020 06:58:13 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from so254-54.mailgun.net (so254-54.mailgun.net [198.61.254.54]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 1499F6898AE for ; Sat, 30 May 2020 06:58:05 +0300 (EEST) DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=rcombs.me; q=dns/txt; s=mx; t=1590811086; h=Content-Transfer-Encoding: MIME-Version: References: In-Reply-To: Message-Id: Date: Subject: To: 
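Review bot: the return value of SSL_set1_host(p->ssl, c->host) is ignored; it returns 0 on failure (for example when the hostname cannot be duplicated), and in that case the handshake proceeds with chain validation only and no identity check, which is precisely the silent downgrade this patch is meant to remove. Suggest `if (!SSL_set1_host(p->ssl, c->host)) { ret = AVERROR(EIO); goto fail; }` with an av_log, mirroring the error handling used for the SSL_CTX calls earlier in tls_open. Two smaller points on the same hunk: the whole block is guarded by `!c->numerichost`, so a verified connection to an IP literal still gets no peer-identity check at all (OpenSSL provides X509_VERIFY_PARAM_set1_ip_asc on the SSL's verify parameters for that case, and at minimum that path deserves the same warning as the old-OpenSSL branch); and putting `#if`/`#else` inside an unbraced `if (c->verify)` compiles but is fragile, so braces around that if body would be safer.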
From: rcombs To: ffmpeg-devel@ffmpeg.org Date: Fri, 29 May 2020 22:57:51 -0500 Message-Id: <20200530035753.30241-2-rcombs@rcombs.me> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200530035753.30241-1-rcombs@rcombs.me> References: <20200530035753.30241-1-rcombs@rcombs.me> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 2/4] lavf/tls_openssl: use the system cert store by default --- libavformat/tls_openssl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index d66845cf48..b44dd3136d 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c
@@ -259,6 +259,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op if (c->ca_file) { if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL)) av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL)); + } else { + if (!SSL_CTX_set_default_verify_paths(p->ctx)) + av_log(h, AV_LOG_ERROR, "SSL_CTX_set_default_verify_paths %s\n", ERR_error_string(ERR_get_error(), NULL)); } if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) { av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n", From patchwork Sat May 30 03:57:52 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: rcombs X-Patchwork-Id: 19978 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 266EA44B05D for ; Sat, 30 May 2020 06:58:23 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1093A68AE26; Sat, 30 May 2020 06:58:23 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from so254-54.mailgun.net (so254-54.mailgun.net [198.61.254.54]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B208468AAD8 for ; Sat, 30 May 2020 06:58:16 +0300 (EEST) DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=rcombs.me; q=dns/txt; s=mx; t=1590811099; h=Content-Transfer-Encoding: MIME-Version: References: In-Reply-To: Message-Id: Date: Subject: To: 
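Review bot: SSL_CTX_set_default_verify_paths() only registers the compiled-in certificate file and directory lookups and returns 1 even when neither exists (it clears the lookup errors internally), so the error branch added here will effectively never fire on a system without a usable CA store; the failure then surfaces as a certificate verify error during SSL_connect, which is a confusing message for users of builds that ship no CA bundle (static Windows or macOS builds, for instance). Worth either pointing at the missing store in the handshake-failure message, or treating this call as best-effort and lowering the log level here. Also, `} else { if (...) ... }` can be written `else if (!SSL_CTX_set_default_verify_paths(p->ctx))` to match the surrounding style, and like the ca_file branch above it this path logs but does not fail the open, which is fine only if that is intentional.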
From: rcombs To: ffmpeg-devel@ffmpeg.org Date: Fri, 29 May 2020 22:57:52 -0500 Message-Id: <20200530035753.30241-3-rcombs@rcombs.me> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200530035753.30241-1-rcombs@rcombs.me> References: <20200530035753.30241-1-rcombs@rcombs.me> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 3/4] lavf/tls: use AV_OPT_TYPE_BOOL --- libavformat/tls.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/tls.h b/libavformat/tls.h index beb19d6d55..6c2d025f6c 100644 --- a/libavformat/tls.h +++ b/libavformat/tls.h
@@ -45,10 +45,10 @@ typedef struct TLSShared { #define TLS_COMMON_OPTIONS(pstruct, options_field) \ {"ca_file", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ {"cafile", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ - {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \ + {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \ {"cert_file", "Certificate file", offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ {"key_file", "Private key file", offsetof(pstruct, options_field . key_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ - {"listen", "Listen for incoming connections", offsetof(pstruct, options_field . listen), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \ + {"listen", "Listen for incoming connections", offsetof(pstruct, options_field . listen), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \ {"verifyhost", "Verify against a specific hostname", offsetof(pstruct, options_field . 
host), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL } int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AVDictionary **options); From patchwork Sat May 30 03:57:53 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: rcombs X-Patchwork-Id: 19977 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 2FD2144B05D for ; Sat, 30 May 2020 06:58:18 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1C99368AABE; Sat, 30 May 2020 06:58:18 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from so254-54.mailgun.net (so254-54.mailgun.net [198.61.254.54]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 26AC468AAD8 for ; Sat, 30 May 2020 06:58:11 +0300 (EEST) DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=rcombs.me; q=dns/txt; s=mx; t=1590811092; h=Content-Transfer-Encoding: MIME-Version: References: In-Reply-To: Message-Id: Date: Subject: To: From: Sender; bh=aE9VnrwMBRlPIgTDGr1G9HSdakODdRBjUk7plJ0v+Zc=; b=CCvNbAYswPqxpOepAC166FuvzJ9swjH4CxkPOJFmDHIZjcGkGZomSSgd0I6i9uC9jSJjY+Ho lZC2YLfAKcH8/5IkkqvxMn2GvhjP5my3yscqv8OIMsFj0JT3LNJPD7kDP7dWJ3tI+56RcP3H RE1zmHe0BCgHFOfXFl8JTH/z6/U= X-Mailgun-Sending-Ip: 198.61.254.54 X-Mailgun-Sid: WyJiZDU1MSIsICJmZm1wZWctZGV2ZWxAZmZtcGVnLm9yZyIsICJiMGJhIl0= Received: from rcombs-mbp.localdomain ( [24.14.135.13]) by smtp-out-n11.prod.us-west-2.postgun.com with SMTP id 5ed1d9cd3ac6f4f60354d0ea (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Sat, 30 May 2020 03:58:05 GMT 
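Review bot: the type change itself is safe because the range stays 0..1 and the backing fields stay int, but AV_OPT_TYPE_BOOL also accepts "true"/"false" spellings on the command line, so if doc/protocols.texi still describes tls_verify and listen as 0/1 integers the documentation should be updated in the same patch. Minor: the `verifyhost` entry left untouched on the following line is an AV_OPT_TYPE_STRING writing into the `host` field, which reads oddly next to the boolean conversions; a one-line comment in the macro saying it overrides the hostname used for the peer-name check would help readers.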
From: rcombs To: ffmpeg-devel@ffmpeg.org Date: Fri, 29 May 2020 22:57:53 -0500 Message-Id: <20200530035753.30241-4-rcombs@rcombs.me> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200530035753.30241-1-rcombs@rcombs.me> References: <20200530035753.30241-1-rcombs@rcombs.me> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 4/4] lavf/tls: verify TLS connections by default whenever possible X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" --- libavformat/tls.c | 13 +++++++++++++ libavformat/tls.h | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/libavformat/tls.c b/libavformat/tls.c index 10e0792e29..3cf24ca056 100644 --- a/libavformat/tls.c +++ b/libavformat/tls.c @@ -64,6 +64,19 @@ int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AV set_options(c, uri); + if (c->verify < 0) { + c->verify = c->listen; +#if CONFIG_MBEDTLS + if (!c->listen && !c->ca_file) { + av_log(parent, AV_LOG_WARNING, "ffmpeg was configured with mbedTLS and no root CA store was provided,\n" + "so this connection will be made insecurely.\n" + "To make this connection securely, specify a path to a root bundle\n" + "with the 'ca_file' option."); + c->verify = 0; + } +#endif + } + if (c->listen) snprintf(opts, sizeof(opts), "?listen=1"); diff --git a/libavformat/tls.h b/libavformat/tls.h index 6c2d025f6c..e4854c28da 100644 --- a/libavformat/tls.h +++ b/libavformat/tls.h 
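Review bot: `c->verify = c->listen;` looks inverted relative to the commit subject: with tls_verify left at its new default of -1, an outgoing (client) connection ends up with verify = 0 and a listen-mode server with verify = 1. Unless the intent really is to demand client certificates on servers while leaving clients unverified, this should read `c->verify = !c->listen;`. The mbedTLS fallback just below only makes sense under that reading too, since it downgrades `!c->listen` connections from verified back to 0 when no ca_file was supplied; as written, the `c->verify = 0` there is a no-op for clients and the warning claims the missing CA store is the reason the connection is insecure when it would be insecure regardless. Two smaller points: the last line of that av_log format string ("with the 'ca_file' option.") lacks the trailing "\n" the other lines have; and because -1 is resolved here in ff_tls_open_underlying, any backend that reads c->verify before calling it would treat -1 as true, so it is worth confirming that every backend's open path calls ff_tls_open_underlying first.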
@@ -45,7 +45,7 @@ typedef struct TLSShared { #define TLS_COMMON_OPTIONS(pstruct, options_field) \ {"ca_file", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ {"cafile", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ - {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \ + {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = -1 }, -1, 1, .flags = TLS_OPTFL }, \ {"cert_file", "Certificate file", offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ {"key_file", "Private key file", offsetof(pstruct, options_field . key_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ {"listen", "Listen for incoming connections", offsetof(pstruct, options_field . listen), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
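Review bot: the help string still says only "Verify the peer certificate" while the default becomes -1, so `ffmpeg -h protocol=tls` will show a boolean whose default is neither true nor false with no explanation; suggest extending the description to spell out the auto behaviour (for example "Verify the peer certificate (default: auto, verify outgoing connections when a CA store is available)"). With AV_OPT_TYPE_BOOL and a minimum of -1 the option also accepts the literal "auto", which belongs in the protocol documentation together with the change in default, since users who relied on unverified https:// or tls:// inputs working out of the box will now need to pass -tls_verify 0 explicitly.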