71fa96871dfbad81bbb14a2dcabbd4495c801a34
[libav.git] / libavformat / tls_openssl.c
1 /*
2 * TLS/SSL Protocol
3 * Copyright (c) 2011 Martin Storsjo
4 *
5 * This file is part of Libav.
6 *
7 * Libav is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * Libav is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with Libav; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include "avformat.h"
23 #include "internal.h"
24 #include "network.h"
25 #include "os_support.h"
26 #include "url.h"
27 #include "tls.h"
28 #include "libavcodec/internal.h"
29 #include "libavutil/avstring.h"
30 #include "libavutil/avutil.h"
31 #include "libavutil/opt.h"
32 #include "libavutil/parseutils.h"
33 #include "libavutil/thread.h"
34
35 #include <openssl/bio.h>
36 #include <openssl/ssl.h>
37 #include <openssl/err.h>
38
39 static int openssl_init;
40
41 typedef struct TLSContext {
42 const AVClass *class;
43 TLSShared tls_shared;
44 SSL_CTX *ctx;
45 SSL *ssl;
46 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
47 BIO_METHOD* url_bio_method;
48 #endif
49 } TLSContext;
50
51 #if HAVE_THREADS
52 #include <openssl/crypto.h>
53 pthread_mutex_t *openssl_mutexes;
54 static void openssl_lock(int mode, int type, const char *file, int line)
55 {
56 if (mode & CRYPTO_LOCK)
57 pthread_mutex_lock(&openssl_mutexes[type]);
58 else
59 pthread_mutex_unlock(&openssl_mutexes[type]);
60 }
61 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
62 static unsigned long openssl_thread_id(void)
63 {
64 return (intptr_t) pthread_self();
65 }
66 #endif
67 #endif
68
69 void ff_openssl_init(void)
70 {
71 avpriv_lock_avformat();
72 if (!openssl_init) {
73 SSL_library_init();
74 SSL_load_error_strings();
75 #if HAVE_THREADS
76 if (!CRYPTO_get_locking_callback()) {
77 int i;
78 openssl_mutexes = av_malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
79 for (i = 0; i < CRYPTO_num_locks(); i++)
80 pthread_mutex_init(&openssl_mutexes[i], NULL);
81 CRYPTO_set_locking_callback(openssl_lock);
82 #if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
83 CRYPTO_set_id_callback(openssl_thread_id);
84 #endif
85 }
86 #endif
87 }
88 openssl_init++;
89 avpriv_unlock_avformat();
90 }
91
92 void ff_openssl_deinit(void)
93 {
94 avpriv_lock_avformat();
95 openssl_init--;
96 if (!openssl_init) {
97 #if HAVE_THREADS
98 if (CRYPTO_get_locking_callback() == openssl_lock) {
99 int i;
100 CRYPTO_set_locking_callback(NULL);
101 for (i = 0; i < CRYPTO_num_locks(); i++)
102 pthread_mutex_destroy(&openssl_mutexes[i]);
103 av_free(openssl_mutexes);
104 }
105 #endif
106 }
107 avpriv_unlock_avformat();
108 }
109
110 static int print_tls_error(URLContext *h, int ret)
111 {
112 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
113 return AVERROR(EIO);
114 }
115
116 static int tls_close(URLContext *h)
117 {
118 TLSContext *c = h->priv_data;
119 if (c->ssl) {
120 SSL_shutdown(c->ssl);
121 SSL_free(c->ssl);
122 }
123 if (c->ctx)
124 SSL_CTX_free(c->ctx);
125 if (c->tls_shared.tcp)
126 ffurl_close(c->tls_shared.tcp);
127 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
128 if (c->url_bio_method)
129 BIO_meth_free(c->url_bio_method);
130 #endif
131 ff_openssl_deinit();
132 return 0;
133 }
134
135 static int url_bio_create(BIO *b)
136 {
137 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
138 BIO_set_init(b, 1);
139 BIO_set_data(b, NULL);
140 BIO_set_flags(b, 0);
141 #else
142 b->init = 1;
143 b->ptr = NULL;
144 b->flags = 0;
145 #endif
146 return 1;
147 }
148
149 static int url_bio_destroy(BIO *b)
150 {
151 return 1;
152 }
153
154 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
155 #define GET_BIO_DATA(x) BIO_get_data(x)
156 #else
157 #define GET_BIO_DATA(x) (x)->ptr
158 #endif
159
160 static int url_bio_bread(BIO *b, char *buf, int len)
161 {
162 URLContext *h = GET_BIO_DATA(b);
163 int ret = ffurl_read(h, buf, len);
164 if (ret >= 0)
165 return ret;
166 BIO_clear_retry_flags(b);
167 if (ret == AVERROR_EXIT)
168 return 0;
169 return -1;
170 }
171
172 static int url_bio_bwrite(BIO *b, const char *buf, int len)
173 {
174 URLContext *h = GET_BIO_DATA(b);
175 int ret = ffurl_write(h, buf, len);
176 if (ret >= 0)
177 return ret;
178 BIO_clear_retry_flags(b);
179 if (ret == AVERROR_EXIT)
180 return 0;
181 return -1;
182 }
183
184 static long url_bio_ctrl(BIO *b, int cmd, long num, void *ptr)
185 {
186 if (cmd == BIO_CTRL_FLUSH) {
187 BIO_clear_retry_flags(b);
188 return 1;
189 }
190 return 0;
191 }
192
193 static int url_bio_bputs(BIO *b, const char *str)
194 {
195 return url_bio_bwrite(b, str, strlen(str));
196 }
197
198 #if OPENSSL_VERSION_NUMBER < 0x1010000fL
199 static BIO_METHOD url_bio_method = {
200 .type = BIO_TYPE_SOURCE_SINK,
201 .name = "urlprotocol bio",
202 .bwrite = url_bio_bwrite,
203 .bread = url_bio_bread,
204 .bputs = url_bio_bputs,
205 .bgets = NULL,
206 .ctrl = url_bio_ctrl,
207 .create = url_bio_create,
208 .destroy = url_bio_destroy,
209 };
210 #endif
211
212 static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
213 {
214 TLSContext *p = h->priv_data;
215 TLSShared *c = &p->tls_shared;
216 BIO *bio;
217 int ret;
218
219 ff_openssl_init();
220
221 if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
222 goto fail;
223
224 // We want to support all versions of TLS >= 1.0, but not the deprecated
225 // and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method()
226 // enables support for all versions of SSL and TLS, and we then disable
227 // support for the old protocols immediately after creating the context.
228 p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
229 if (!p->ctx) {
230 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
231 ret = AVERROR(EIO);
232 goto fail;
233 }
234 SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
235 if (c->ca_file)
236 SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL);
237 if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {
238 av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n",
239 c->cert_file, ERR_error_string(ERR_get_error(), NULL));
240 ret = AVERROR(EIO);
241 goto fail;
242 }
243 if (c->key_file && !SSL_CTX_use_PrivateKey_file(p->ctx, c->key_file, SSL_FILETYPE_PEM)) {
244 av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n",
245 c->key_file, ERR_error_string(ERR_get_error(), NULL));
246 ret = AVERROR(EIO);
247 goto fail;
248 }
249 // Note, this doesn't check that the peer certificate actually matches
250 // the requested hostname.
251 if (c->verify)
252 SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER, NULL);
253 p->ssl = SSL_new(p->ctx);
254 if (!p->ssl) {
255 av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
256 ret = AVERROR(EIO);
257 goto fail;
258 }
259 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL
260 p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
261 BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
262 BIO_meth_set_read(p->url_bio_method, url_bio_bread);
263 BIO_meth_set_puts(p->url_bio_method, url_bio_bputs);
264 BIO_meth_set_ctrl(p->url_bio_method, url_bio_ctrl);
265 BIO_meth_set_create(p->url_bio_method, url_bio_create);
266 BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
267 bio = BIO_new(p->url_bio_method);
268 BIO_set_data(bio, c->tcp);
269 #else
270 bio = BIO_new(&url_bio_method);
271 bio->ptr = c->tcp;
272 #endif
273 SSL_set_bio(p->ssl, bio, bio);
274 if (!c->listen && !c->numerichost)
275 SSL_set_tlsext_host_name(p->ssl, c->host);
276 ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
277 if (ret == 0) {
278 av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
279 ret = AVERROR(EIO);
280 goto fail;
281 } else if (ret < 0) {
282 ret = print_tls_error(h, ret);
283 goto fail;
284 }
285
286 return 0;
287 fail:
288 tls_close(h);
289 return ret;
290 }
291
292 static int tls_read(URLContext *h, uint8_t *buf, int size)
293 {
294 TLSContext *c = h->priv_data;
295 int ret = SSL_read(c->ssl, buf, size);
296 if (ret > 0)
297 return ret;
298 if (ret == 0)
299 return AVERROR_EOF;
300 return print_tls_error(h, ret);
301 }
302
303 static int tls_write(URLContext *h, const uint8_t *buf, int size)
304 {
305 TLSContext *c = h->priv_data;
306 int ret = SSL_write(c->ssl, buf, size);
307 if (ret > 0)
308 return ret;
309 if (ret == 0)
310 return AVERROR_EOF;
311 return print_tls_error(h, ret);
312 }
313
314 static const AVOption options[] = {
315 TLS_COMMON_OPTIONS(TLSContext, tls_shared),
316 { NULL }
317 };
318
319 static const AVClass tls_class = {
320 .class_name = "tls",
321 .item_name = av_default_item_name,
322 .option = options,
323 .version = LIBAVUTIL_VERSION_INT,
324 };
325
326 const URLProtocol ff_tls_protocol = {
327 .name = "tls",
328 .url_open2 = tls_open,
329 .url_read = tls_read,
330 .url_write = tls_write,
331 .url_close = tls_close,
332 .priv_data_size = sizeof(TLSContext),
333 .flags = URL_PROTOCOL_FLAG_NETWORK,
334 .priv_data_class = &tls_class,
335 };