github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-21 05:11:59 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
FFmpeg/libavformat/tls_mbedtls.c
zengshuang 9d73d10c50 avformat,avcodec: use PRI format macros for uint32_t in log messages 
Use PRIu32/PRIX32 format specifiers instead of %d/%u/%X for uint32_t
variables in av_log calls. On some platforms (e.g. NuttX), uint32_t is
typedef'd as unsigned long rather than unsigned int, which triggers
-Wformat warnings despite both types being 4 bytes. Using PRI macros
is the portable way to match the actual underlying type of uint32_t.

Signed-off-by: zengshuang <zengshuang@xiaomi.com>
2026-03-04 10:40:12 +00:00

815 lines
28 KiB
C
Raw Permalink Blame History

/*
* TLS/SSL Protocol
* Copyright (c) 2018 Thomas Volkert
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <mbedtls/version.h>
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#include <mbedtls/net_sockets.h>
#include <mbedtls/platform.h>
#include <mbedtls/ssl.h>
#include <mbedtls/x509_crt.h>
#include <mbedtls/debug.h>
#include <mbedtls/timing.h>
#ifdef MBEDTLS_PSA_CRYPTO_C
#include <psa/crypto.h>
#endif
#include "avformat.h"
#include "internal.h"
#include "network.h"
#include "url.h"
#include "tls.h"
#include "libavutil/mem.h"
#include "libavutil/parseutils.h"
#include "libavutil/avstring.h"
#include "libavutil/random_seed.h"
static int mbedtls_x509_fingerprint(char *cert_buf, size_t cert_sz, char **fingerprint)
{
unsigned char md[32];
size_t n = sizeof(md);
AVBPrint buf;
int ret;
mbedtls_x509_crt crt;
mbedtls_x509_crt_init(&crt);
if ((ret = mbedtls_x509_crt_parse(&crt, cert_buf, cert_sz)) != 0) {
mbedtls_x509_crt_free(&crt);
return AVERROR(EINVAL);
}
if ((ret = mbedtls_sha256(crt.raw.p, crt.raw.len, md, 0)) != 0) {
mbedtls_x509_crt_free(&crt);
return AVERROR(EINVAL);
}
av_bprint_init(&buf, n*3, n*3);
for (int i = 0; i < n - 1; i++)
av_bprintf(&buf, "%02X:", md[i]);
av_bprintf(&buf, "%02X", md[n - 1]);
return av_bprint_finalize(&buf, fingerprint);
}
int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint)
{
int ret = 0;
AVBPrint key_bp, cert_bp;
av_bprint_init(&key_bp, 1, MAX_CERTIFICATE_SIZE);
av_bprint_init(&cert_bp, 1, MAX_CERTIFICATE_SIZE);
ret = ff_url_read_all(key_url, &key_bp);
if (ret < 0) {
av_log(NULL, AV_LOG_ERROR, "TLS: Failed to open key file %s\n", key_url);
goto end;
}
ret = ff_url_read_all(cert_url, &cert_bp);
if (ret < 0) {
av_log(NULL, AV_LOG_ERROR, "TLS: Failed to open cert file %s\n", cert_url);
goto end;
}
if (key_sz < key_bp.size || cert_sz < cert_bp.size) {
av_log(NULL, AV_LOG_ERROR, "TLS: Key or Cert buffer is too samall\n");
ret = AVERROR_BUFFER_TOO_SMALL;
goto end;
}
key_buf = key_bp.str;
cert_buf = cert_bp.str;
ret = mbedtls_x509_fingerprint(cert_buf, cert_sz, fingerprint);
if (ret < 0)
av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate fingerprint\n");
end:
av_bprint_finalize(&key_bp, NULL);
av_bprint_finalize(&cert_bp, NULL);
return ret;
}
static int mbedtls_gen_pkey(mbedtls_pk_context *key)
{
int ret = 0;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy, NULL, 0)) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_ctr_drbg_seed returned %d\n", ret);
goto end;
}
if ((ret = mbedtls_pk_setup(key,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY))) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_pk_setup returned %d\n", ret);
goto end;
}
/**
* See RFC 8827 section 6.5,
* All implementations MUST support DTLS 1.2 with the
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite
* and the P-256 curve.
*/
if ((ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1,
mbedtls_pk_ec(*key),
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_ecp_gen_key returned %d\n", ret);
goto end;
}
end:
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
return ret;
}
static int mbedtls_gen_x509_cert(mbedtls_pk_context *key, char *cert_buf, size_t cert_sz)
{
int ret = 0;
const char *name = "CN=lavf";
time_t now;
struct tm tm;
char not_before[16], not_after[16];
unsigned char serial[20];
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_x509write_cert crt;
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_x509write_crt_init(&crt);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_ctr_drbg_seed returned %d\n", ret);
goto end;
}
mbedtls_x509write_crt_set_subject_key(&crt, key);
mbedtls_x509write_crt_set_issuer_key(&crt, key);
if ((ret = mbedtls_x509write_crt_set_subject_name(&crt, name)) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_x509write_crt_set_subject_name returned %d\n", ret);
goto end;
}
if ((ret = mbedtls_x509write_crt_set_issuer_name(&crt, name)) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_x509write_crt_set_issuer_name returned %d\n", ret);
goto end;
}
mbedtls_x509write_crt_set_version(&crt, MBEDTLS_X509_CRT_VERSION_3);
mbedtls_x509write_crt_set_md_alg(&crt, MBEDTLS_MD_SHA256);
ret = av_random_bytes((uint8_t *)serial, sizeof(serial));
if (ret < 0) {
av_log(NULL, AV_LOG_ERROR, "Failed to generate random serial number!\n");
return ret;
}
if ((ret = mbedtls_x509write_crt_set_serial_raw(&crt, serial, sizeof(serial))) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_x509write_crt_set_serial_raw returned %d\n", ret);
goto end;
}
time(&now);
gmtime_r(&now, &tm);
strftime(not_before, sizeof(not_before), "%Y%m%d%H%M%S", &tm);
tm.tm_year += 1;
strftime(not_after, sizeof(not_after), "%Y%m%d%H%M%S", &tm);
if ((ret = mbedtls_x509write_crt_set_validity(&crt, not_before, not_after)) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_x509write_crt_set_validity returned %d\n", ret);
goto end;
}
if ((ret = mbedtls_x509write_crt_pem(&crt, cert_buf, cert_sz,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
av_log(NULL, AV_LOG_ERROR, "mbedtls_x509write_crt_pem returned %d\n", ret);
return ret;
}
end:
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_x509write_crt_free(&crt);
return ret;
}
int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint)
{
int ret = 0;
mbedtls_pk_context key;
mbedtls_pk_init(&key);
if ((ret = mbedtls_gen_pkey(&key)) != 0)
goto end;
if ((ret = mbedtls_pk_write_key_pem(&key, key_buf, key_sz)) != 0)
goto end;
if ((ret = mbedtls_gen_x509_cert(&key, cert_buf, cert_sz)) != 0)
goto end;
ret = mbedtls_x509_fingerprint(cert_buf, cert_sz, fingerprint);
if (ret < 0)
av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate fingerprint\n");
end:
mbedtls_pk_free(&key);
return ret;
}
typedef struct dtls_srtp_keys {
unsigned char master_secret[48];
unsigned char randbytes[64];
mbedtls_tls_prf_types tls_prf_type;
} dtls_srtp_keys;
typedef struct TLSContext {
TLSShared tls_shared;
mbedtls_ssl_context ssl_context;
mbedtls_ssl_config ssl_config;
mbedtls_entropy_context entropy_context;
mbedtls_ctr_drbg_context ctr_drbg_context;
mbedtls_timing_delay_context timer;
mbedtls_x509_crt ca_cert;
mbedtls_x509_crt own_cert;
mbedtls_pk_context priv_key;
char *priv_key_pw;
dtls_srtp_keys srtp_key;
struct sockaddr_storage dest_addr;
socklen_t dest_addr_len;
} TLSContext;
int ff_tls_set_external_socket(URLContext *h, URLContext *sock)
{
TLSContext *tls_ctx = h->priv_data;
TLSShared *shr = &tls_ctx->tls_shared;
if (shr->is_dtls)
shr->udp = sock;
else
shr->tcp = sock;
return 0;
}
#if defined(MBEDTLS_SSL_DTLS_SRTP)
static void dtls_srtp_key_derivation(void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type)
{
dtls_srtp_keys *keys = (dtls_srtp_keys *) p_expkey;
if (secret_len != sizeof(keys->master_secret))
return;
memcpy(keys->master_secret, secret, secret_len);
memcpy(keys->randbytes, client_random, 32);
memcpy(keys->randbytes + 32, server_random, 32);
keys->tls_prf_type = tls_prf_type;
}
#endif
int ff_dtls_export_materials(URLContext *h, char *dtls_srtp_materials, size_t materials_sz)
{
int ret = 0;
TLSContext *tls_ctx = h->priv_data;
#if defined(MBEDTLS_SSL_DTLS_SRTP)
const char* dst = "EXTRACTOR-dtls_srtp";
mbedtls_dtls_srtp_info dtls_srtp_negotiation_result;
mbedtls_ssl_get_dtls_srtp_negotiation_result(&tls_ctx->ssl_context, &dtls_srtp_negotiation_result);
if ((ret = mbedtls_ssl_tls_prf(tls_ctx->srtp_key.tls_prf_type,
tls_ctx->srtp_key.master_secret,
sizeof(tls_ctx->srtp_key.master_secret),
dst,
tls_ctx->srtp_key.randbytes,
sizeof(tls_ctx->srtp_key.randbytes),
dtls_srtp_materials,
materials_sz)) != 0) {
av_log(h, AV_LOG_ERROR,"mbedtls_ssl_tls_prf returned %d\n", ret);
ret = AVERROR(EINVAL);
}
#else
av_log(h, AV_LOG_ERROR, "DTLS-SRTP is not supported in this mbedtls build\n");
ret = AVERROR(ENOSYS);
#endif
return ret;
}
#define OFFSET(x) offsetof(TLSContext, x)
static int tls_close(URLContext *h)
{
TLSContext *tls_ctx = h->priv_data;
TLSShared *shr = &tls_ctx->tls_shared;
mbedtls_ssl_close_notify(&tls_ctx->ssl_context);
mbedtls_pk_free(&tls_ctx->priv_key);
mbedtls_x509_crt_free(&tls_ctx->ca_cert);
mbedtls_x509_crt_free(&tls_ctx->own_cert);
mbedtls_ssl_free(&tls_ctx->ssl_context);
mbedtls_ssl_config_free(&tls_ctx->ssl_config);
mbedtls_ctr_drbg_free(&tls_ctx->ctr_drbg_context);
mbedtls_entropy_free(&tls_ctx->entropy_context);
if (!shr->external_sock)
ffurl_closep(shr->is_dtls ? &shr->udp : &shr->tcp);
return 0;
}
static int handle_transport_error(URLContext *h, const char* func_name, int react_on_eagain, int ret)
{
switch (ret) {
case AVERROR(EAGAIN):
return react_on_eagain;
case AVERROR_EXIT:
return 0;
case AVERROR(EPIPE):
case AVERROR(ECONNRESET):
return MBEDTLS_ERR_NET_CONN_RESET;
default:
av_log(h, AV_LOG_ERROR, "%s returned 0x%x\n", func_name, ret);
errno = EIO;
return MBEDTLS_ERR_NET_SEND_FAILED;
}
}
static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len)
{
TLSContext *tls_ctx = (TLSContext*) ctx;
TLSShared *shr = &tls_ctx->tls_shared;
URLContext *h = shr->is_dtls ? shr->udp : shr->tcp;
int ret = ffurl_write(h, buf, len);
if (ret >= 0)
return ret;
if (h->max_packet_size && len > h->max_packet_size)
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
return handle_transport_error(h, "ffurl_write", MBEDTLS_ERR_SSL_WANT_WRITE, ret);
}
static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
{
TLSContext *tls_ctx = (TLSContext*) ctx;
TLSShared *shr = &tls_ctx->tls_shared;
URLContext *h = shr->is_dtls ? shr->udp : shr->tcp;
int ret = ffurl_read(h, buf, len);
if (ret >= 0) {
if (shr->is_dtls && shr->listen && !tls_ctx->dest_addr_len) {
int err_ret;
ff_udp_get_last_recv_addr(shr->udp, &tls_ctx->dest_addr, &tls_ctx->dest_addr_len);
err_ret = ff_udp_set_remote_addr(shr->udp, (struct sockaddr *)&tls_ctx->dest_addr, tls_ctx->dest_addr_len, 1);
if (err_ret < 0) {
av_log(tls_ctx, AV_LOG_ERROR, "Failed connecting udp context\n");
return err_ret;
}
av_log(tls_ctx, AV_LOG_TRACE, "Set UDP remote addr on UDP socket, now 'connected'\n");
}
return ret;
}
if (h->max_packet_size && len > h->max_packet_size)
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);
}
static void mbedtls_debug(void *ctx, int lvl, const char *file, int line, const char *msg)
{
URLContext *h = (URLContext*) ctx;
int av_lvl = lvl >= 4 ? AV_LOG_TRACE : AV_LOG_DEBUG;
av_log(h, av_lvl, "%s:%d: %s", av_basename(file), line, msg);
}
static void handle_pk_parse_error(URLContext *h, int ret)
{
switch (ret) {
case MBEDTLS_ERR_PK_FILE_IO_ERROR:
av_log(h, AV_LOG_ERROR, "Read of key file failed. Is it actually there, are the access permissions correct?\n");
break;
case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
av_log(h, AV_LOG_ERROR, "A password for the private key is missing.\n");
break;
case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
av_log(h, AV_LOG_ERROR, "The given password for the private key is wrong.\n");
break;
default:
av_log(h, AV_LOG_ERROR, "mbedtls_pk_parse_key returned -0x%x\n", -ret);
break;
}
}
static void handle_handshake_error(URLContext *h, int ret)
{
switch (ret) {
#if MBEDTLS_VERSION_MAJOR < 3
case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
break;
#else
case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:
av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n");
break;
case MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION:
av_log(h, AV_LOG_ERROR, "TLS protocol version mismatch.\n");
break;
#endif
case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n");
break;
case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:
av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA correctly set?\n");
break;
case MBEDTLS_ERR_SSL_INTERNAL_ERROR:
av_log(h, AV_LOG_ERROR, "Internal error encountered.\n");
break;
case MBEDTLS_ERR_NET_CONN_RESET:
av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");
break;
case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
av_log(h, AV_LOG_ERROR, "Certificate verification failed.\n");
break;
default:
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_handshake returned -0x%x\n", -ret);
break;
}
}
static int tls_handshake(URLContext *h)
{
TLSContext *tls_ctx = h->priv_data;
TLSShared *shr = &tls_ctx->tls_shared;
URLContext *uc = shr->is_dtls ? shr->udp : shr->tcp;
int ret;
uc->flags &= ~AVIO_FLAG_NONBLOCK;
while (1) {
ret = mbedtls_ssl_handshake(&tls_ctx->ssl_context);
if (!ret)
break;
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
handle_handshake_error(h, ret);
return ret;
}
}
return ret;
}
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
{
TLSContext *tls_ctx = h->priv_data;
TLSShared *shr = &tls_ctx->tls_shared;
uint32_t verify_res_flags;
int ret;
#if defined(MBEDTLS_SSL_DTLS_SRTP)
const mbedtls_ssl_srtp_profile profiles[] = {
MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80,
MBEDTLS_TLS_SRTP_UNSET
};
#endif
if (!shr->external_sock) {
if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0)
goto fail;
}
#ifdef MBEDTLS_PSA_CRYPTO_C
if ((ret = psa_crypto_init()) != PSA_SUCCESS) {
av_log(h, AV_LOG_ERROR, "psa_crypto_init returned %d\n", ret);
goto fail;
}
#endif
mbedtls_ssl_init(&tls_ctx->ssl_context);
mbedtls_ssl_config_init(&tls_ctx->ssl_config);
mbedtls_entropy_init(&tls_ctx->entropy_context);
mbedtls_ctr_drbg_init(&tls_ctx->ctr_drbg_context);
mbedtls_x509_crt_init(&tls_ctx->ca_cert);
mbedtls_pk_init(&tls_ctx->priv_key);
if (av_log_get_level() >= AV_LOG_DEBUG) {
mbedtls_ssl_conf_dbg(&tls_ctx->ssl_config, mbedtls_debug, shr->is_dtls ? shr->udp : shr->tcp);
/*
* Note: we can't call mbedtls_debug_set_threshold() here because
* it's global state. The user is thus expected to manage this.
*/
}
// load trusted CA
if (shr->ca_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for CA cert returned %d\n", ret);
goto fail;
}
}
// load own certificate
if (shr->cert_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->own_cert, shr->cert_file)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for own cert returned %d\n", ret);
goto fail;
}
} else if (shr->cert_buf) {
if ((ret = mbedtls_x509_crt_parse(&tls_ctx->own_cert, shr->cert_buf, strlen(shr->cert_buf) + 1)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse for own cert returned %d\n", ret);
goto fail;
}
}
// seed the random number generator
if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context,
mbedtls_entropy_func,
&tls_ctx->entropy_context,
NULL, 0)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ctr_drbg_seed returned %d\n", ret);
goto fail;
}
// load key file
if (shr->key_file) {
if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
shr->key_file,
tls_ctx->priv_key_pw
#if MBEDTLS_VERSION_MAJOR >= 3
, mbedtls_ctr_drbg_random,
&tls_ctx->ctr_drbg_context
#endif
)) != 0) {
handle_pk_parse_error(h, ret);
goto fail;
}
} else if (shr->key_buf) {
if ((ret = mbedtls_pk_parse_key(&tls_ctx->priv_key,
shr->key_buf,
strlen(shr->key_buf) + 1,
NULL,
0
#if MBEDTLS_VERSION_MAJOR >= 3
, mbedtls_ctr_drbg_random,
&tls_ctx->ctr_drbg_context
#endif
)) != 0) {
handle_pk_parse_error(h, ret);
goto fail;
}
}
if (shr->listen && !shr->cert_file && !shr->cert_buf && !shr->key_file && !shr->key_buf) {
char buf[4096];
if ((ret = mbedtls_gen_pkey(&tls_ctx->priv_key)) != 0) {
av_log(h, AV_LOG_ERROR, "failed to generate priv_key, returned %d\n", ret);
goto fail;
}
if ((ret = mbedtls_gen_x509_cert(&tls_ctx->priv_key, buf, sizeof(buf))) != 0) {
av_log(h, AV_LOG_ERROR, "failed to generate cert, returned %d\n", ret);
goto fail;
}
if ((ret = mbedtls_x509_crt_parse(&tls_ctx->own_cert, buf, sizeof(buf))) != 0) {
av_log(h, AV_LOG_ERROR, "failed to parse generated cert, returned %d\n", ret);
goto fail;
}
}
if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config,
shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
shr->is_dtls ? MBEDTLS_SSL_TRANSPORT_DATAGRAM : MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_config_defaults returned %d\n", ret);
goto fail;
}
#ifdef MBEDTLS_SSL_PROTO_TLS1_3
// this version does not allow disabling certificate verification with TLSv1.3 (yes, really).
if (mbedtls_version_get_number() == 0x03060000 && !shr->verify) {
av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
}
#endif
// not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
// set own certificate and private key
if ((ret = mbedtls_ssl_conf_own_cert(&tls_ctx->ssl_config, &tls_ctx->own_cert, &tls_ctx->priv_key)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_conf_own_cert returned %d\n", ret);
goto fail;
}
if (shr->is_dtls) {
mbedtls_ssl_conf_dtls_cookies(&tls_ctx->ssl_config, NULL, NULL, NULL);
if (shr->use_srtp) {
#if defined(MBEDTLS_SSL_DTLS_SRTP)
if ((ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles(&tls_ctx->ssl_config, profiles)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_conf_dtls_srtp_protection_profiles returned %d\n", ret);
goto fail;
}
mbedtls_ssl_set_export_keys_cb(&tls_ctx->ssl_context, dtls_srtp_key_derivation, &tls_ctx->srtp_key);
#else
av_log(h, AV_LOG_ERROR, "DTLS-SRTP is not supported in this mbedtls build\n");
ret = AVERROR(ENOSYS);
goto fail;
#endif
}
}
if ((ret = mbedtls_ssl_setup(&tls_ctx->ssl_context, &tls_ctx->ssl_config)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_setup returned %d\n", ret);
goto fail;
}
if (!shr->listen && !shr->numerichost) {
if ((ret = mbedtls_ssl_set_hostname(&tls_ctx->ssl_context, shr->host)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_set_hostname returned %d\n", ret);
goto fail;
}
}
// set I/O functions to use FFmpeg internal code for transport layer
mbedtls_ssl_set_bio(&tls_ctx->ssl_context, tls_ctx, mbedtls_send, mbedtls_recv, NULL);
if (shr->is_dtls) {
mbedtls_ssl_set_timer_cb(&tls_ctx->ssl_context, &tls_ctx->timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay);
if (shr->mtu)
mbedtls_ssl_set_mtu(&tls_ctx->ssl_context, shr->mtu);
}
if (!shr->external_sock) {
ret = tls_handshake(h);
if (ret < 0)
goto fail;
}
if (shr->verify) {
// check the result of the certificate verification
if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->ssl_context)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_get_verify_result reported problems "\
"with the certificate verification, returned flags: %"PRIu32"\n",
verify_res_flags);
if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
av_log(h, AV_LOG_ERROR, "The certificate is not correctly signed by the trusted CA.\n");
goto fail;
}
}
return 0;
fail:
tls_close(h);
return AVERROR(EIO);
}
static int dtls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
{
TLSContext *tls_ctx = h->priv_data;
TLSShared *shr = &tls_ctx->tls_shared;
shr->is_dtls = 1;
return tls_open(h, uri, flags, options);
}
static int handle_tls_error(URLContext *h, const char* func_name, int ret)
{
switch (ret) {
case MBEDTLS_ERR_SSL_WANT_READ:
case MBEDTLS_ERR_SSL_WANT_WRITE:
#ifdef MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET
case MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET:
#endif
return AVERROR(EAGAIN);
case MBEDTLS_ERR_NET_SEND_FAILED:
case MBEDTLS_ERR_NET_RECV_FAILED:
return AVERROR(EIO);
case MBEDTLS_ERR_NET_CONN_RESET:
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
av_log(h, AV_LOG_WARNING, "%s reported connection reset by peer\n", func_name);
return AVERROR_EOF;
default:
av_log(h, AV_LOG_ERROR, "%s returned -0x%x\n", func_name, -ret);
return AVERROR(EIO);
}
}
static int tls_read(URLContext *h, uint8_t *buf, int size)
{
TLSContext *tls_ctx = h->priv_data;
TLSShared *shr = &tls_ctx->tls_shared;
URLContext *uc = shr->is_dtls ? shr->udp : shr->tcp;
int ret;
uc->flags &= ~AVIO_FLAG_NONBLOCK;
uc->flags |= h->flags & AVIO_FLAG_NONBLOCK;
if ((ret = mbedtls_ssl_read(&tls_ctx->ssl_context, buf, size)) > 0) {
// return read length
return ret;
}
return handle_tls_error(h, "mbedtls_ssl_read", ret);
}
static int tls_write(URLContext *h, const uint8_t *buf, int size)
{
TLSContext *tls_ctx = h->priv_data;
TLSShared *shr = &tls_ctx->tls_shared;
URLContext *uc = shr->is_dtls ? shr->udp : shr->tcp;
int ret;
uc->flags &= ~AVIO_FLAG_NONBLOCK;
uc->flags |= h->flags & AVIO_FLAG_NONBLOCK;
if ((ret = mbedtls_ssl_write(&tls_ctx->ssl_context, buf, size)) > 0) {
// return written length
return ret;
}
return handle_tls_error(h, "mbedtls_ssl_write", ret);
}
static int tls_get_file_handle(URLContext *h)
{
TLSContext *c = h->priv_data;
return ffurl_get_file_handle(c->tls_shared.tcp);
}
static int tls_get_short_seek(URLContext *h)
{
TLSContext *s = h->priv_data;
return ffurl_get_short_seek(s->tls_shared.tcp);
}
static const AVOption options[] = {
TLS_COMMON_OPTIONS(TLSContext, tls_shared), \
{"key_password", "Password for the private key file", OFFSET(priv_key_pw), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
{ NULL }
};
static const AVClass tls_class = {
.class_name = "tls",
.item_name = av_default_item_name,
.option = options,
.version = LIBAVUTIL_VERSION_INT,
};
const URLProtocol ff_tls_protocol = {
.name = "tls",
.url_open2 = tls_open,
.url_read = tls_read,
.url_write = tls_write,
.url_close = tls_close,
.url_get_file_handle = tls_get_file_handle,
.url_get_short_seek = tls_get_short_seek,
.priv_data_size = sizeof(TLSContext),
.flags = URL_PROTOCOL_FLAG_NETWORK,
.priv_data_class = &tls_class,
};
static const AVClass dtls_class = {
.class_name = "dtls",
.item_name = av_default_item_name,
.option = options,
.version = LIBAVUTIL_VERSION_INT,
};
const URLProtocol ff_dtls_protocol = {
.name = "dtls",
.url_open2 = dtls_open,
.url_handshake = tls_handshake,
.url_read = tls_read,
.url_write = tls_write,
.url_close = tls_close,
.url_get_file_handle = tls_get_file_handle,
.url_get_short_seek = tls_get_short_seek,
.priv_data_size = sizeof(TLSContext),
.flags = URL_PROTOCOL_FLAG_NETWORK,
.priv_data_class = &dtls_class,
};
Reference in New Issue View Git Blame Copy Permalink