search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit()
[FFMpeg-mirror.git] / libavformat / tls_openssl.c
blob8b0cf9efb23e98cf4e58aeb144f2e6e19681e911
1 /*
2 * TLS/SSL Protocol
3 * Copyright (c) 2011 Martin Storsjo
4 *
5 * This file is part of FFmpeg.
6 *
7 * FFmpeg is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * FFmpeg is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with FFmpeg; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include "network.h"
23 #include "os_support.h"
24 #include "url.h"
25 #include "tls.h"
26 #include "libavutil/opt.h"
27
28 #include <openssl/bio.h>
29 #include <openssl/ssl.h>
30 #include <openssl/err.h>
31
32 typedef struct TLSContext {
33 const AVClass *class;
34 TLSShared tls_shared;
35 SSL_CTX *ctx;
36 SSL *ssl;
37 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
38 BIO_METHOD* url_bio_method;
39 #endif
40 int io_err;
41 } TLSContext;
42
43 /* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are
44 * using OpenSSL 1.1.0 or above, then the library will initialize
45 * itself automatically.
46 * https://wiki.openssl.org/index.php/Library_Initialization
47 */
48 #if OPENSSL_VERSION_NUMBER < 0x10100000L
49 #include "libavutil/thread.h"
50
51 static AVMutex openssl_mutex = AV_MUTEX_INITIALIZER;
52
53 static int openssl_init;
54
55 #if HAVE_THREADS
56 #include <openssl/crypto.h>
57 #include "libavutil/mem.h"
58
59 pthread_mutex_t *openssl_mutexes;
60 static void openssl_lock(int mode, int type, const char *file, int line)
61 {
62 if (mode & CRYPTO_LOCK)
63 pthread_mutex_lock(&openssl_mutexes[type]);
64 else
65 pthread_mutex_unlock(&openssl_mutexes[type]);
66 }
67 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
68 static unsigned long openssl_thread_id(void)
69 {
70 return (intptr_t) pthread_self();
71 }
72 #endif
73 #endif
74
75 int ff_openssl_init(void)
76 {
77 ff_mutex_lock(&openssl_mutex);
78 if (!openssl_init) {
79 SSL_library_init();
80 SSL_load_error_strings();
81 #if HAVE_THREADS
82 if (!CRYPTO_get_locking_callback()) {
83 int i;
84 openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks());
85 if (!openssl_mutexes) {
86 ff_mutex_unlock(&openssl_mutex);
87 return AVERROR(ENOMEM);
88 }
89
90 for (i = 0; i < CRYPTO_num_locks(); i++)
91 pthread_mutex_init(&openssl_mutexes[i], NULL);
92 CRYPTO_set_locking_callback(openssl_lock);
93 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
94 CRYPTO_set_id_callback(openssl_thread_id);
95 #endif
96 }
97 #endif
98 }
99 openssl_init++;
100 ff_mutex_unlock(&openssl_mutex);
101
102 return 0;
103 }
104
105 void ff_openssl_deinit(void)
106 {
107 ff_mutex_lock(&openssl_mutex);
108 openssl_init--;
109 if (!openssl_init) {
110 #if HAVE_THREADS
111 if (CRYPTO_get_locking_callback() == openssl_lock) {
112 int i;
113 CRYPTO_set_locking_callback(NULL);
114 for (i = 0; i < CRYPTO_num_locks(); i++)
115 pthread_mutex_destroy(&openssl_mutexes[i]);
116 av_free(openssl_mutexes);
117 }
118 #endif
119 }
120 ff_mutex_unlock(&openssl_mutex);
121 }
122 #endif
123
124 static int print_tls_error(URLContext *h, int ret)
125 {
126 TLSContext *c = h->priv_data;
127 int printed = 0, e, averr = AVERROR(EIO);
128 if (h->flags & AVIO_FLAG_NONBLOCK) {
129 int err = SSL_get_error(c->ssl, ret);
130 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE)
131 return AVERROR(EAGAIN);
132 }
133 while ((e = ERR_get_error()) != 0) {
134 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(e, NULL));
135 printed = 1;
136 }
137 if (c->io_err) {
138 av_log(h, AV_LOG_ERROR, "IO error: %s\n", av_err2str(c->io_err));
139 printed = 1;
140 averr = c->io_err;
141 c->io_err = 0;
142 }
143 if (!printed)
144 av_log(h, AV_LOG_ERROR, "Unknown error\n");
145 return averr;
146 }
147
148 static int tls_close(URLContext *h)
149 {
150 TLSContext *c = h->priv_data;
151 if (c->ssl) {
152 SSL_shutdown(c->ssl);
153 SSL_free(c->ssl);
154 }
155 if (c->ctx)
156 SSL_CTX_free(c->ctx);
157 ffurl_closep(&c->tls_shared.tcp);
158 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
159 if (c->url_bio_method)
160 BIO_meth_free(c->url_bio_method);
161 #endif
162 #if OPENSSL_VERSION_NUMBER < 0x10100000L
163 ff_openssl_deinit();
164 #endif
165 return 0;
166 }
167
168 static int url_bio_create(BIO *b)
169 {
170 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
171 BIO_set_init(b, 1);
172 BIO_set_data(b, NULL);
173 BIO_set_flags(b, 0);
174 #else
175 b->init = 1;
176 b->ptr = NULL;
177 b->flags = 0;
178 #endif
179 return 1;
180 }
181
182 static int url_bio_destroy(BIO *b)
183 {
184 return 1;
185 }
186
187 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
188 #define GET_BIO_DATA(x) BIO_get_data(x)
189 #else
190 #define GET_BIO_DATA(x) (x)->ptr
191 #endif
192
193 static int url_bio_bread(BIO *b, char *buf, int len)
194 {
195 TLSContext *c = GET_BIO_DATA(b);
196 int ret = ffurl_read(c->tls_shared.tcp, buf, len);
197 if (ret >= 0)
198 return ret;
199 BIO_clear_retry_flags(b);
200 if (ret == AVERROR_EXIT)
201 return 0;
202 if (ret == AVERROR(EAGAIN))
203 BIO_set_retry_read(b);
204 else
205 c->io_err = ret;
206 return -1;
207 }
208
209 static int url_bio_bwrite(BIO *b, const char *buf, int len)
210 {
211 TLSContext *c = GET_BIO_DATA(b);
212 int ret = ffurl_write(c->tls_shared.tcp, buf, len);
213 if (ret >= 0)
214 return ret;
215 BIO_clear_retry_flags(b);
216 if (ret == AVERROR_EXIT)
217 return 0;
218 if (ret == AVERROR(EAGAIN))
219 BIO_set_retry_write(b);
220 else
221 c->io_err = ret;
222 return -1;
223 }
224
225 static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr)
226 {
227 if (cmd == BIO_CTRL_FLUSH) {
228 BIO_clear_retry_flags(b);
229 return 1;
230 }
231 return 0;
232 }
233
234 static int url_bio_bputs(BIO *b, const char *str)
235 {
236 return url_bio_bwrite(b, str, strlen(str));
237 }
238
239 #if OPENSSL_VERSION_NUMBER < 0x1010000fL
240 static BIO_METHOD url_bio_method = {
241 .type = BIO_TYPE_SOURCE_SINK,
242 .name = "urlprotocol bio",
243 .bwrite = url_bio_bwrite,
244 .bread = url_bio_bread,
245 .bputs = url_bio_bputs,
246 .bgets = NULL,
247 .ctrl = url_bio_ctrl,
248 .create = url_bio_create,
249 .destroy = url_bio_destroy,
250 };
251 #endif
252
253 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
254 {
255 TLSContext *p = h->priv_data;
256 TLSShared *c = &p->tls_shared;
257 BIO *bio;
258 int ret;
259
260 #if OPENSSL_VERSION_NUMBER < 0x10100000L
261 if ((ret = ff_openssl_init()) < 0)
262 return ret;
263 #endif
264
265 if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
266 goto fail;
267
268 // We want to support all versions of TLS >= 1.0, but not the deprecated
269 // and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method()
270 // enables support for all versions of SSL and TLS, and we then disable
271 // support for the old protocols immediately after creating the context.
272 p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
273 if (!p->ctx) {
274 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
275 ret = AVERROR(EIO);
276 goto fail;
277 }
278 SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
279 if (c->ca_file) {
280 if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
281 av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
282 }
283 if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {
284 av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n",
285 c->cert_file, ERR_error_string(ERR_get_error(), NULL));
286 ret = AVERROR(EIO);
287 goto fail;
288 }
289 if (c->key_file && !SSL_CTX_use_PrivateKey_file(p->ctx, c->key_file, SSL_FILETYPE_PEM)) {
290 av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n",
291 c->key_file, ERR_error_string(ERR_get_error(), NULL));
292 ret = AVERROR(EIO);
293 goto fail;
294 }
295 // Note, this doesn't check that the peer certificate actually matches
296 // the requested hostname.
297 if (c->verify)
298 SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
299 p->ssl = SSL_new(p->ctx);
300 if (!p->ssl) {
301 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
302 ret = AVERROR(EIO);
303 goto fail;
304 }
305 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
306 p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
307 BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
308 BIO_meth_set_read(p->url_bio_method, url_bio_bread);
309 BIO_meth_set_puts(p->url_bio_method, url_bio_bputs);
310 BIO_meth_set_ctrl(p->url_bio_method, url_bio_ctrl);
311 BIO_meth_set_create(p->url_bio_method, url_bio_create);
312 BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
313 bio = BIO_new(p->url_bio_method);
314 BIO_set_data(bio, p);
315 #else
316 bio = BIO_new(&url_bio_method);
317 bio->ptr = p;
318 #endif
319 SSL_set_bio(p->ssl, bio, bio);
320 if (!c->listen && !c->numerichost)
321 SSL_set_tlsext_host_name(p->ssl, c->host);
322 ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
323 if (ret == 0) {
324 av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
325 ret = AVERROR(EIO);
326 goto fail;
327 } else if (ret < 0) {
328 ret = print_tls_error(h, ret);
329 goto fail;
330 }
331
332 return 0;
333 fail:
334 tls_close(h);
335 return ret;
336 }
337
338 static int tls_read(URLContext *h, uint8_t *buf, int size)
339 {
340 TLSContext *c = h->priv_data;
341 int ret;
342 // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
343 c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
344 c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
345 ret = SSL_read(c->ssl, buf, size);
346 if (ret > 0)
347 return ret;
348 if (ret == 0)
349 return AVERROR_EOF;
350 return print_tls_error(h, ret);
351 }
352
353 static int tls_write(URLContext *h, const uint8_t *buf, int size)
354 {
355 TLSContext *c = h->priv_data;
356 int ret;
357 // Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
358 c->tls_shared.tcp->flags &= ~AVIO_FLAG_NONBLOCK;
359 c->tls_shared.tcp->flags |= h->flags & AVIO_FLAG_NONBLOCK;
360 ret = SSL_write(c->ssl, buf, size);
361 if (ret > 0)
362 return ret;
363 if (ret == 0)
364 return AVERROR_EOF;
365 return print_tls_error(h, ret);
366 }
367
368 static int tls_get_file_handle(URLContext *h)
369 {
370 TLSContext *c = h->priv_data;
371 return ffurl_get_file_handle(c->tls_shared.tcp);
372 }
373
374 static int tls_get_short_seek(URLContext *h)
375 {
376 TLSContext *s = h->priv_data;
377 return ffurl_get_short_seek(s->tls_shared.tcp);
378 }
379
380 static const AVOption options[] = {
381 TLS_COMMON_OPTIONS(TLSContext, tls_shared),
382 { NULL }
383 };
384
385 static const AVClass tls_class = {
386 .class_name = "tls",
387 .item_name = av_default_item_name,
388 .option = options,
389 .version = LIBAVUTIL_VERSION_INT,
390 };
391
392 const URLProtocol ff_tls_protocol = {
393 .name = "tls",
394 .url_open2 = tls_open,
395 .url_read = tls_read,
396 .url_write = tls_write,
397 .url_close = tls_close,
398 .url_get_file_handle = tls_get_file_handle,
399 .url_get_short_seek = tls_get_short_seek,
400 .priv_data_size = sizeof(TLSContext),
401 .flags = URL_PROTOCOL_FLAG_NETWORK,
402 .priv_data_class = &tls_class,
403 };
Mirror of the official FFMpeg Git repo