Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

libavformat: add mbedTLS based TLS

Browse Source 
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
pull/303/head^2
Thomas Volkert 7 years ago committed by Luca Barbato
parent 39f3b6f3fc
commit 4130e05ff4
7 changed files with 422 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      Changelog
  2. 13
      configure
  3. 1
      libavformat/Makefile
  4. 50
      libavformat/rtmpdh.c
  5. 6
      libavformat/rtmpdh.h
  6. 352
      libavformat/tls_mbedtls.c
  7. 2
      libavformat/version.h

1
Changelog
Unescape View File

@ -24,6 +24,7 @@ version <next>:
- Haivision SRT protocol via libsrt
- Dropped support for building for Windows XP. The minimum supported Windows
version is Windows Vista.
- support mbedTLS-based TLS
version 12:

13
configure vendored
Unescape View File

@ -229,6 +229,7 @@ External library support:
--enable-libxcb-shm X11 shm communication [auto]
--enable-libxcb-xfixes X11 mouse rendering [auto]
--enable-libxvid MPEG-4 ASP video encoding
--enable-mbedtls crypto
--enable-openssl crypto
--enable-zlib compression [autodetect]
@ -1343,6 +1344,7 @@ EXTERNAL_LIBRARY_VERSION3_LIST="
libopencore_amrwb
libvo_aacenc
libvo_amrwbenc
mbedtls
"
EXTERNAL_LIBRARY_LIST="
@ -2506,7 +2508,7 @@ xcbgrab_indev_suggest="libxcb_shm libxcb_xfixes"
# protocols
ffrtmpcrypt_protocol_conflict="librtmp_protocol"
ffrtmpcrypt_protocol_deps_any="gmp openssl"
ffrtmpcrypt_protocol_deps_any="gmp mbedtls openssl"
ffrtmpcrypt_protocol_select="tcp_protocol"
ffrtmphttp_protocol_conflict="librtmp_protocol"
ffrtmphttp_protocol_select="http_protocol"
@ -2539,7 +2541,7 @@ sctp_protocol_deps="struct_sctp_event_subscribe"
sctp_protocol_select="network"
srtp_protocol_select="rtp_protocol srtp"
tcp_protocol_select="network"
tls_protocol_deps_any="gnutls openssl"
tls_protocol_deps_any="gnutls mbedtls openssl"
tls_protocol_select="tcp_protocol"
udp_protocol_select="network"
unix_protocol_deps="sys_un_h"
@ -2959,6 +2961,12 @@ fi
enabled_all gnutls openssl &&
die "GnuTLS and OpenSSL must not be enabled at the same time."
enabled_all gnutls mbedtls &&
die "GnuTLS and mbedTLS must not be enabled at the same time."
enabled_all openssl mbedtls &&
die "OpenSSL and mbedTLS must not be enabled at the same time."
# Disable all the library-specific components if the library itself
# is disabled, see AVCODEC_LIST and following _LIST variables.
@ -4710,6 +4718,7 @@ enabled libx265 && require_pkg_config libx265 x265 x265.h x265_api_get
require_cpp_condition libx265 x265.h "X265_BUILD >= 57"
enabled libxavs && require libxavs "stdint.h xavs.h" xavs_encoder_encode -lxavs
enabled libxvid && require libxvid xvid.h xvid_global -lxvidcore
enabled mbedtls && require mbedtls mbedtls/ssl.h mbedtls_ssl_init -lmbedtls -lmbedcrypto -lmbedx509
enabled mmal && { check_lib mmal interface/mmal/mmal.h mmal_port_connect -lmmal_core -lmmal_util -lmmal_vc_client -lbcm_host ||
{ ! enabled cross_compile &&
add_cflags -isystem/opt/vc/include/ -isystem/opt/vc/include/interface/vmcs_host/linux -isystem/opt/vc/include/interface/vcos/pthreads -fgnu89-inline &&

1
libavformat/Makefile
Unescape View File

@ -408,6 +408,7 @@ OBJS-$(CONFIG_SCTP_PROTOCOL) += sctp.o
OBJS-$(CONFIG_SRTP_PROTOCOL) += srtpproto.o srtp.o
OBJS-$(CONFIG_TCP_PROTOCOL) += tcp.o
TLS-OBJS-$(CONFIG_GNUTLS) += tls_gnutls.o
TLS-OBJS-$(CONFIG_MBEDTLS) += tls_mbedtls.o
TLS-OBJS-$(CONFIG_OPENSSL) += tls_openssl.o
OBJS-$(CONFIG_TLS_PROTOCOL) += tls.o $(TLS-OBJS-yes)
OBJS-$(CONFIG_UDP_PROTOCOL) += udp.o

50
libavformat/rtmpdh.c
Unescape View File

@ -132,6 +132,56 @@ static int bn_modexp(FFBigNum bn, FFBigNum y, FFBigNum q, FFBigNum p)
BN_CTX_free(ctx);
return 0;
}
#elif CONFIG_MBEDTLS
#define bn_new(bn) \
do { \
bn = av_malloc(sizeof(*bn)); \
if (bn) \
mbedtls_mpi_init(bn); \
} while (0)
#define bn_free(bn) \
do { \
mbedtls_mpi_free(bn); \
av_free(bn); \
} while (0)
#define bn_set_word(bn, w) mbedtls_mpi_lset(bn, w)
#define bn_cmp(a, b) mbedtls_mpi_cmp_mpi(a, b)
#define bn_copy(to, from) mbedtls_mpi_copy(to, from)
#define bn_sub_word(bn, w) mbedtls_mpi_sub_int(bn, bn, w)
#define bn_cmp_1(bn) mbedtls_mpi_cmp_int(bn, 1)
#define bn_num_bytes(bn) (mbedtls_mpi_bitlen(bn) + 7) / 8
#define bn_bn2bin(bn, buf, len) mbedtls_mpi_write_binary(bn, buf, len)
#define bn_bin2bn(bn, buf, len) \
do { \
bn_new(bn); \
if (bn) \
mbedtls_mpi_read_binary(bn, buf, len); \
} while (0)
#define bn_hex2bn(bn, buf, ret) \
do { \
bn_new(bn); \
if (bn) \
ret = (mbedtls_mpi_read_string(bn, 16, buf) == 0); \
else \
ret = 1; \
} while (0)
#define bn_random(bn, num_bits) \
do { \
mbedtls_entropy_context entropy_ctx; \
mbedtls_ctr_drbg_context ctr_drbg_ctx; \
\
mbedtls_entropy_init(&entropy_ctx); \
mbedtls_ctr_drbg_init(&ctr_drbg_ctx); \
mbedtls_ctr_drbg_seed(&ctr_drbg_ctx, \
mbedtls_entropy_func, \
&entropy_ctx, \
NULL, 0); \
mbedtls_mpi_fill_random(bn, (num_bits + 7) / 8, mbedtls_ctr_drbg_random, &ctr_drbg_ctx); \
mbedtls_ctr_drbg_free(&ctr_drbg_ctx); \
mbedtls_entropy_free(&entropy_ctx); \
} while (0)
#define bn_modexp(bn, y, q, p) mbedtls_mpi_exp_mod(bn, y, q, p, 0)
#endif
#define MAX_BYTES 18000

6
libavformat/rtmpdh.h
Unescape View File

@ -35,6 +35,12 @@ typedef mpz_ptr FFBigNum;
#include <openssl/dh.h>
typedef BIGNUM *FFBigNum;
#elif CONFIG_MBEDTLS
#include <mbedtls/bignum.h>
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
typedef mbedtls_mpi *FFBigNum;
#endif
typedef struct FF_DH {

352
libavformat/tls_mbedtls.c
Unescape View File

@ -0,0 +1,352 @@
/*
* TLS/SSL Protocol
* Copyright (c) 2018 Thomas Volkert
*
* This file is part of Libav.
*
* Libav is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* Libav is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with Libav; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <mbedtls/certs.h>
#include <mbedtls/config.h>
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#include <mbedtls/net.h>
#include <mbedtls/platform.h>
#include <mbedtls/ssl.h>
#include <mbedtls/x509_crt.h>
#include "libavutil/parseutils.h"
#include "avformat.h"
#include "internal.h"
#include "tls.h"
#include "url.h"
typedef struct TLSContext {
const AVClass *class;
TLSShared tls_shared;
mbedtls_ssl_context ssl_context;
mbedtls_ssl_config ssl_config;
mbedtls_entropy_context entropy_context;
mbedtls_ctr_drbg_context ctr_drbg_context;
mbedtls_x509_crt ca_cert;
mbedtls_x509_crt own_cert;
mbedtls_pk_context priv_key;
char *priv_key_pw;
} TLSContext;
#define OFFSET(x) offsetof(TLSContext, x)
static int tls_close(URLContext *h)
{
TLSContext *tls_ctx = h->priv_data;
mbedtls_ssl_close_notify(&tls_ctx->ssl_context);
mbedtls_pk_free(&tls_ctx->priv_key);
mbedtls_x509_crt_free(&tls_ctx->ca_cert);
mbedtls_x509_crt_free(&tls_ctx->own_cert);
mbedtls_ssl_free(&tls_ctx->ssl_context);
mbedtls_ssl_config_free(&tls_ctx->ssl_config);
mbedtls_ctr_drbg_free(&tls_ctx->ctr_drbg_context);
mbedtls_entropy_free(&tls_ctx->entropy_context);
return 0;
}
static int handle_transport_error(URLContext *h, const char* func_name, int react_on_eagain, int ret)
{
switch (ret) {
case AVERROR(EAGAIN):
return react_on_eagain;
case AVERROR_EXIT:
return 0;
case AVERROR(EPIPE):
case AVERROR(ECONNRESET):
return MBEDTLS_ERR_NET_CONN_RESET;
default:
av_log(h, AV_LOG_ERROR, "%s returned 0x%x\n", func_name, ret);
errno = EIO;
return MBEDTLS_ERR_NET_SEND_FAILED;
}
}
static int mbedtls_send(void *ctx, const unsigned char *buf, size_t len)
{
URLContext *h = (URLContext*) ctx;
int ret = ffurl_write(h, buf, len);
if (ret >= 0)
return ret;
if (h->max_packet_size && len > h->max_packet_size)
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
return handle_transport_error(h, "ffurl_write", MBEDTLS_ERR_SSL_WANT_WRITE, ret);
}
static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
{
URLContext *h = ctx;
int ret = ffurl_read(h, buf, len);
if (ret >= 0)
return ret;
if (h->max_packet_size && len > h->max_packet_size)
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);
}
static void handle_pk_parse_error(URLContext *h, int ret)
{
switch (ret) {
case MBEDTLS_ERR_PK_FILE_IO_ERROR:
av_log(h, AV_LOG_ERROR, "Read of key file failed. Is it actually there, are the access permissions correct?\n");
break;
case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
av_log(h, AV_LOG_ERROR, "A password for the private key is missing.\n");
break;
case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
av_log(h, AV_LOG_ERROR, "The given password for the private key is wrong.\n");
break;
default:
av_log(h, AV_LOG_ERROR, "mbedtls_pk_parse_key returned -0x%x\n", -ret);
break;
}
}
static void handle_handshake_error(URLContext *h, int ret)
{
switch (ret) {
case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate set correctly?\n");
break;
case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer. Does the peer have a correct certificate?\n");
break;
case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:
av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA set correctly?\n");
break;
case MBEDTLS_ERR_NET_CONN_RESET:
av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");
break;
default:
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_handshake returned -0x%x\n", -ret);
break;
}
}
static void parse_options(TLSContext *tls_ctxc, const char *uri)
{
char buf[1024];
const char *p = strchr(uri, '?');
if (!p)
return;
if (!tls_ctxc->priv_key_pw && av_find_info_tag(buf, sizeof(buf), "key_password", p))
tls_ctxc->priv_key_pw = av_strdup(buf);
}
static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
{
TLSContext *tls_ctx = h->priv_data;
TLSShared *shr = &tls_ctx->tls_shared;
uint32_t verify_res_flags;
int ret;
// parse additional options
parse_options(tls_ctx, uri);
if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0)
goto fail;
mbedtls_ssl_init(&tls_ctx->ssl_context);
mbedtls_ssl_config_init(&tls_ctx->ssl_config);
mbedtls_entropy_init(&tls_ctx->entropy_context);
mbedtls_ctr_drbg_init(&tls_ctx->ctr_drbg_context);
mbedtls_x509_crt_init(&tls_ctx->ca_cert);
mbedtls_pk_init(&tls_ctx->priv_key);
// load trusted CA
if (shr->ca_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for CA cert returned %d\n", ret);
goto fail;
}
}
// load own certificate
if (shr->cert_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->own_cert, shr->cert_file)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for own cert returned %d\n", ret);
goto fail;
}
}
// load key file
if (shr->key_file) {
if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
shr->key_file,
tls_ctx->priv_key_pw)) != 0) {
handle_pk_parse_error(h, ret);
goto fail;
}
}
// seed the random number generator
if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context,
mbedtls_entropy_func,
&tls_ctx->entropy_context,
NULL, 0)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ctr_drbg_seed returned %d\n", ret);
goto fail;
}
if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config,
shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_config_defaults returned %d\n", ret);
goto fail;
}
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
// set own certificate and private key
if ((ret = mbedtls_ssl_conf_own_cert(&tls_ctx->ssl_config, &tls_ctx->own_cert, &tls_ctx->priv_key)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_conf_own_cert returned %d\n", ret);
goto fail;
}
if ((ret = mbedtls_ssl_setup(&tls_ctx->ssl_context, &tls_ctx->ssl_config)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_setup returned %d\n", ret);
goto fail;
}
if (!shr->listen && !shr->numerichost) {
if ((ret = mbedtls_ssl_set_hostname(&tls_ctx->ssl_context, shr->host)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_set_hostname returned %d\n", ret);
goto fail;
}
}
// set I/O functions to use libavformat-internal code for transport layer
mbedtls_ssl_set_bio(&tls_ctx->ssl_context, shr->tcp, mbedtls_send, mbedtls_recv, NULL);
// ssl handshake
while ((ret = mbedtls_ssl_handshake(&tls_ctx->ssl_context)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
handle_handshake_error(h, ret);
goto fail;
}
}
if (shr->verify) {
// check the result of the certificate verification
if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->ssl_context)) != 0) {
av_log(h, AV_LOG_ERROR, "mbedtls_ssl_get_verify_result reported problems "\
"with the certificate verification, returned flags: %u\n",
verify_res_flags);
if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
av_log(h, AV_LOG_ERROR, "The certificate is not correctly signed by the trusted CA.\n");
goto fail;
}
}
return 0;
fail:
tls_close(h);
return AVERROR(EIO);
}
static int handle_tls_error(URLContext *h, const char *func_name, int ret)
{
switch (ret) {
case MBEDTLS_ERR_SSL_WANT_READ:
case MBEDTLS_ERR_SSL_WANT_WRITE:
return AVERROR(EAGAIN);
case MBEDTLS_ERR_NET_SEND_FAILED:
case MBEDTLS_ERR_NET_RECV_FAILED:
return AVERROR(EIO);
case MBEDTLS_ERR_NET_CONN_RESET:
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
av_log(h, AV_LOG_WARNING, "%s reported connection reset by peer\n", func_name);
return AVERROR_EOF;
default:
av_log(h, AV_LOG_ERROR, "%s returned -0x%x\n", func_name, -ret);
return AVERROR(EIO);
}
}
static int tls_read(URLContext *h, uint8_t *buf, int size)
{
TLSContext *tls_ctx = h->priv_data;
int ret;
if ((ret = mbedtls_ssl_read(&tls_ctx->ssl_context, buf, size)) > 0) {
// return read length
return ret;
}
return handle_tls_error(h, "mbedtls_ssl_read", ret);
}
static int tls_write(URLContext *h, const uint8_t *buf, int size)
{
TLSContext *tls_ctx = h->priv_data;
int ret;
if ((ret = mbedtls_ssl_write(&tls_ctx->ssl_context, buf, size)) > 0) {
// return written length
return ret;
}
return handle_tls_error(h, "mbedtls_ssl_write", ret);
}
static int tls_get_file_handle(URLContext *h)
{
TLSContext *c = h->priv_data;
return ffurl_get_file_handle(c->tls_shared.tcp);
}
static const AVOption options[] = {
TLS_COMMON_OPTIONS(TLSContext, tls_shared), \
{ "key_password", "Password for the private key file", OFFSET(priv_key_pw), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
{ NULL }
};
static const AVClass tls_class = {
.class_name = "tls",
.item_name = av_default_item_name,
.option = options,
.version = LIBAVUTIL_VERSION_INT,
};
const URLProtocol ff_tls_protocol = {
.name = "tls",
.url_open2 = tls_open,
.url_read = tls_read,
.url_write = tls_write,
.url_close = tls_close,
.url_get_file_handle = tls_get_file_handle,
.priv_data_size = sizeof(TLSContext),
.flags = URL_PROTOCOL_FLAG_NETWORK,
.priv_data_class = &tls_class,
};

2
libavformat/version.h
Unescape View File

@ -30,7 +30,7 @@
#include "libavutil/version.h"
#define LIBAVFORMAT_VERSION_MAJOR 58
#define LIBAVFORMAT_VERSION_MINOR 1
#define LIBAVFORMAT_VERSION_MINOR 2
#define LIBAVFORMAT_VERSION_MICRO 0
#define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \

Write Preview
Loading…
Cancel
Save