1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-21 10:55:51 +02:00
FFmpeg/libavformat/tls_securetransport.c
Andreas Rheinhardt 790f793844 avutil/common: Don't auto-include mem.h
There are lots of files that don't need it: The number of object
files that actually need it went down from 2011 to 884 here.

Keep it for external users in order to not cause breakages.

Also improve the other headers a bit while just at it.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2024-03-31 00:08:43 +01:00

430 lines
12 KiB
C

/*
* Copyright (c) 2015 rcombs
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with FFmpeg; if not, write to the Free Software * Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <errno.h>
#include "avformat.h"
#include "avio_internal.h"
#include "internal.h"
#include "network.h"
#include "os_support.h"
#include "url.h"
#include "tls.h"
#include "libavcodec/internal.h"
#include "libavutil/avstring.h"
#include "libavutil/mem.h"
#include "libavutil/opt.h"
#include "libavutil/parseutils.h"
#include <Security/Security.h>
#include <Security/SecureTransport.h>
#include <CoreFoundation/CoreFoundation.h>
// We use a private API call here; it's good enough for WebKit.
SecIdentityRef SecIdentityCreate(CFAllocatorRef allocator, SecCertificateRef certificate, SecKeyRef privateKey);
#define ioErr -36
typedef struct TLSContext {
const AVClass *class;
TLSShared tls_shared;
SSLContextRef ssl_context;
CFArrayRef ca_array;
int lastErr;
} TLSContext;
static int print_tls_error(URLContext *h, int ret)
{
TLSContext *c = h->priv_data;
switch (ret) {
case errSSLWouldBlock:
return AVERROR(EAGAIN);
case errSSLXCertChainInvalid:
av_log(h, AV_LOG_ERROR, "Invalid certificate chain\n");
return AVERROR(EIO);
case ioErr:
return c->lastErr;
default:
av_log(h, AV_LOG_ERROR, "IO Error: %i\n", ret);
return AVERROR(EIO);
}
return AVERROR(EIO);
}
static int import_pem(URLContext *h, char *path, CFArrayRef *array)
{
#if !HAVE_SECITEMIMPORT
return AVERROR_PATCHWELCOME;
#else
AVIOContext *s = NULL;
CFDataRef data = NULL;
int64_t ret = 0;
char *buf = NULL;
SecExternalFormat format = kSecFormatPEMSequence;
SecExternalFormat type = kSecItemTypeAggregate;
CFStringRef pathStr = CFStringCreateWithCString(NULL, path, 0x08000100);
if (!pathStr) {
ret = AVERROR(ENOMEM);
goto end;
}
if ((ret = ffio_open_whitelist(&s, path, AVIO_FLAG_READ,
&h->interrupt_callback, NULL,
h->protocol_whitelist, h->protocol_blacklist)) < 0)
goto end;
if ((ret = avio_size(s)) < 0)
goto end;
if (ret == 0) {
ret = AVERROR_INVALIDDATA;
goto end;
}
if (!(buf = av_malloc(ret))) {
ret = AVERROR(ENOMEM);
goto end;
}
if ((ret = avio_read(s, buf, ret)) < 0)
goto end;
data = CFDataCreate(kCFAllocatorDefault, buf, ret);
if (SecItemImport(data, pathStr, &format, &type,
0, NULL, NULL, array) != noErr || !array) {
ret = AVERROR_UNKNOWN;
goto end;
}
if (CFArrayGetCount(*array) == 0) {
ret = AVERROR_INVALIDDATA;
goto end;
}
end:
av_free(buf);
if (pathStr)
CFRelease(pathStr);
if (data)
CFRelease(data);
if (s)
avio_close(s);
return ret;
#endif
}
static int load_ca(URLContext *h)
{
TLSContext *c = h->priv_data;
int ret = 0;
CFArrayRef array = NULL;
if ((ret = import_pem(h, c->tls_shared.ca_file, &array)) < 0)
goto end;
if (!(c->ca_array = CFRetain(array))) {
ret = AVERROR(ENOMEM);
goto end;
}
end:
if (array)
CFRelease(array);
return ret;
}
static int load_cert(URLContext *h)
{
TLSContext *c = h->priv_data;
int ret = 0;
CFArrayRef certArray = NULL;
CFArrayRef keyArray = NULL;
SecIdentityRef id = NULL;
CFMutableArrayRef outArray = NULL;
if ((ret = import_pem(h, c->tls_shared.cert_file, &certArray)) < 0)
goto end;
if ((ret = import_pem(h, c->tls_shared.key_file, &keyArray)) < 0)
goto end;
if (!(id = SecIdentityCreate(kCFAllocatorDefault,
(SecCertificateRef)CFArrayGetValueAtIndex(certArray, 0),
(SecKeyRef)CFArrayGetValueAtIndex(keyArray, 0)))) {
ret = AVERROR_UNKNOWN;
goto end;
}
if (!(outArray = CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, certArray))) {
ret = AVERROR(ENOMEM);
goto end;
}
CFArraySetValueAtIndex(outArray, 0, id);
SSLSetCertificate(c->ssl_context, outArray);
end:
if (certArray)
CFRelease(certArray);
if (keyArray)
CFRelease(keyArray);
if (outArray)
CFRelease(outArray);
if (id)
CFRelease(id);
return ret;
}
static OSStatus tls_read_cb(SSLConnectionRef connection, void *data, size_t *dataLength)
{
URLContext *h = (URLContext*)connection;
TLSContext *c = h->priv_data;
size_t requested = *dataLength;
int read = ffurl_read(c->tls_shared.tcp, data, requested);
if (read <= 0) {
*dataLength = 0;
switch(AVUNERROR(read)) {
case ENOENT:
case 0:
return errSSLClosedGraceful;
case ECONNRESET:
return errSSLClosedAbort;
case EAGAIN:
return errSSLWouldBlock;
default:
c->lastErr = read;
return ioErr;
}
} else {
*dataLength = read;
if (read < requested)
return errSSLWouldBlock;
else
return noErr;
}
}
static OSStatus tls_write_cb(SSLConnectionRef connection, const void *data, size_t *dataLength)
{
URLContext *h = (URLContext*)connection;
TLSContext *c = h->priv_data;
int written = ffurl_write(c->tls_shared.tcp, data, *dataLength);
if (written <= 0) {
*dataLength = 0;
switch(AVUNERROR(written)) {
case EAGAIN:
return errSSLWouldBlock;
default:
c->lastErr = written;
return ioErr;
}
} else {
*dataLength = written;
return noErr;
}
}
static int tls_close(URLContext *h)
{
TLSContext *c = h->priv_data;
if (c->ssl_context) {
SSLClose(c->ssl_context);
CFRelease(c->ssl_context);
}
if (c->ca_array)
CFRelease(c->ca_array);
ffurl_closep(&c->tls_shared.tcp);
return 0;
}
#define CHECK_ERROR(func, ...) do { \
OSStatus status = func(__VA_ARGS__); \
if (status != noErr) { \
ret = AVERROR_UNKNOWN; \
av_log(h, AV_LOG_ERROR, #func ": Error %i\n", (int)status); \
goto fail; \
} \
} while (0)
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
{
TLSContext *c = h->priv_data;
TLSShared *s = &c->tls_shared;
int ret;
if ((ret = ff_tls_open_underlying(s, h, uri, options)) < 0)
goto fail;
c->ssl_context = SSLCreateContext(NULL, s->listen ? kSSLServerSide : kSSLClientSide, kSSLStreamType);
if (!c->ssl_context) {
av_log(h, AV_LOG_ERROR, "Unable to create SSL context\n");
ret = AVERROR(ENOMEM);
goto fail;
}
if (s->ca_file) {
if ((ret = load_ca(h)) < 0)
goto fail;
}
if (s->ca_file || !s->verify)
CHECK_ERROR(SSLSetSessionOption, c->ssl_context, kSSLSessionOptionBreakOnServerAuth, true);
if (s->cert_file)
if ((ret = load_cert(h)) < 0)
goto fail;
CHECK_ERROR(SSLSetPeerDomainName, c->ssl_context, s->host, strlen(s->host));
CHECK_ERROR(SSLSetIOFuncs, c->ssl_context, tls_read_cb, tls_write_cb);
CHECK_ERROR(SSLSetConnection, c->ssl_context, h);
while (1) {
OSStatus status = SSLHandshake(c->ssl_context);
if (status == errSSLServerAuthCompleted) {
SecTrustRef peerTrust;
SecTrustResultType trustResult;
if (!s->verify)
continue;
if (SSLCopyPeerTrust(c->ssl_context, &peerTrust) != noErr) {
ret = AVERROR(ENOMEM);
goto fail;
}
if (SecTrustSetAnchorCertificates(peerTrust, c->ca_array) != noErr) {
ret = AVERROR_UNKNOWN;
goto fail;
}
if (SecTrustEvaluate(peerTrust, &trustResult) != noErr) {
ret = AVERROR_UNKNOWN;
goto fail;
}
if (trustResult == kSecTrustResultProceed ||
trustResult == kSecTrustResultUnspecified) {
// certificate is trusted
status = errSSLWouldBlock; // so we call SSLHandshake again
} else if (trustResult == kSecTrustResultRecoverableTrustFailure) {
// not trusted, for some reason other than being expired
status = errSSLXCertChainInvalid;
} else {
// cannot use this certificate (fatal)
status = errSSLBadCert;
}
if (peerTrust)
CFRelease(peerTrust);
}
if (status == noErr) {
break;
} else if (status != errSSLWouldBlock) {
av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session: %i\n", (int)status);
ret = AVERROR(EIO);
goto fail;
}
}
return 0;
fail:
tls_close(h);
return ret;
}
static int map_ssl_error(OSStatus status, size_t processed)
{
switch (status) {
case noErr:
return processed;
case errSSLClosedGraceful:
case errSSLClosedNoNotify:
return 0;
case errSSLWouldBlock:
if (processed > 0)
return processed;
default:
return (int)status;
}
}
static int tls_read(URLContext *h, uint8_t *buf, int size)
{
TLSContext *c = h->priv_data;
size_t available = 0, processed = 0;
int ret;
SSLGetBufferedReadSize(c->ssl_context, &available);
if (available)
size = FFMIN(available, size);
ret = SSLRead(c->ssl_context, buf, size, &processed);
ret = map_ssl_error(ret, processed);
if (ret > 0)
return ret;
if (ret == 0)
return AVERROR_EOF;
return print_tls_error(h, ret);
}
static int tls_write(URLContext *h, const uint8_t *buf, int size)
{
TLSContext *c = h->priv_data;
size_t processed = 0;
int ret = SSLWrite(c->ssl_context, buf, size, &processed);
ret = map_ssl_error(ret, processed);
if (ret > 0)
return ret;
if (ret == 0)
return AVERROR_EOF;
return print_tls_error(h, ret);
}
static int tls_get_file_handle(URLContext *h)
{
TLSContext *c = h->priv_data;
return ffurl_get_file_handle(c->tls_shared.tcp);
}
static int tls_get_short_seek(URLContext *h)
{
TLSContext *s = h->priv_data;
return ffurl_get_short_seek(s->tls_shared.tcp);
}
static const AVOption options[] = {
TLS_COMMON_OPTIONS(TLSContext, tls_shared),
{ NULL }
};
static const AVClass tls_class = {
.class_name = "tls",
.item_name = av_default_item_name,
.option = options,
.version = LIBAVUTIL_VERSION_INT,
};
const URLProtocol ff_tls_protocol = {
.name = "tls",
.url_open2 = tls_open,
.url_read = tls_read,
.url_write = tls_write,
.url_close = tls_close,
.url_get_file_handle = tls_get_file_handle,
.url_get_short_seek = tls_get_short_seek,
.priv_data_size = sizeof(TLSContext),
.flags = URL_PROTOCOL_FLAG_NETWORK,
.priv_data_class = &tls_class,
};