[FFmpeg-cvslog] Merge commit '61cec5adaacb358783c18aa07362f15824c1b274'
James Almer
git at videolan.org
Wed Nov 1 21:55:38 EET 2017
ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Wed Nov 1 16:26:36 2017 -0300| [4600b0619afc58b58de1a21d7a2c472e0d788282] | committer: James Almer
Merge commit '61cec5adaacb358783c18aa07362f15824c1b274'
* commit '61cec5adaacb358783c18aa07362f15824c1b274':
tls: Hide backend implementation details from users
Also includes ed434be106a4615e0419b3ac7664220741afda2d
Changes were made to support schannel and securetransport.
Merged-by: James Almer <jamrial at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4600b0619afc58b58de1a21d7a2c472e0d788282
---
configure | 18 +++++++-----------
libavformat/Makefile | 9 +++++----
libavformat/network.c | 12 ++++++++----
libavformat/protocols.c | 5 +----
libavformat/tls.h | 2 --
libavformat/tls_gnutls.c | 2 +-
libavformat/tls_openssl.c | 2 +-
libavformat/tls_schannel.c | 2 +-
libavformat/tls_securetransport.c | 2 +-
9 files changed, 25 insertions(+), 29 deletions(-)
diff --git a/configure b/configure
index 63ee46a53b..998ac74e9e 100755
--- a/configure
+++ b/configure
@@ -3160,21 +3160,14 @@ rtmpte_protocol_suggest="zlib"
rtmpts_protocol_select="ffrtmphttp_protocol https_protocol"
rtmpts_protocol_suggest="zlib"
rtp_protocol_select="udp_protocol"
+schannel_conflict="openssl gnutls"
sctp_protocol_deps="struct_sctp_event_subscribe struct_msghdr_msg_flags"
sctp_protocol_select="network"
+securetransport_conflict="openssl gnutls"
srtp_protocol_select="rtp_protocol srtp"
tcp_protocol_select="network"
-tls_gnutls_protocol_conflict="tls_schannel_protocol tls_securetransport_protocol"
-tls_gnutls_protocol_deps="gnutls"
-tls_gnutls_protocol_select="tcp_protocol"
-tls_openssl_protocol_conflict="tls_schannel_protocol tls_securetransport_protocol tls_gnutls_protocol"
-tls_openssl_protocol_deps="openssl"
-tls_openssl_protocol_select="tcp_protocol"
-tls_schannel_protocol_deps="schannel"
-tls_schannel_protocol_select="tcp_protocol"
-tls_securetransport_protocol_deps="securetransport"
-tls_securetransport_protocol_select="tcp_protocol"
-tls_protocol_deps_any="tls_schannel_protocol tls_securetransport_protocol tls_gnutls_protocol tls_openssl_protocol"
+tls_protocol_deps_any="gnutls openssl schannel securetransport"
+tls_protocol_select="tcp_protocol"
udp_protocol_select="network"
udplite_protocol_select="network"
unix_protocol_deps="sys_un_h"
@@ -3752,6 +3745,9 @@ map "die_license_disabled nonfree" $HWACCEL_LIBRARY_NONFREE_LIST
enabled version3 && { enabled gpl && enable gplv3 || enable lgplv3; }
+enabled_all gnutls openssl &&
+ die "GnuTLS and OpenSSL must not be enabled at the same time."
+
# Disable all the library-specific components if the library itself
# is disabled, see AVCODEC_LIST and following _LIST variables.
diff --git a/libavformat/Makefile b/libavformat/Makefile
index 591a14b978..caebe5b146 100644
--- a/libavformat/Makefile
+++ b/libavformat/Makefile
@@ -586,10 +586,11 @@ OBJS-$(CONFIG_SRTP_PROTOCOL) += srtpproto.o srtp.o
OBJS-$(CONFIG_SUBFILE_PROTOCOL) += subfile.o
OBJS-$(CONFIG_TEE_PROTOCOL) += teeproto.o tee_common.o
OBJS-$(CONFIG_TCP_PROTOCOL) += tcp.o
-OBJS-$(CONFIG_TLS_GNUTLS_PROTOCOL) += tls_gnutls.o tls.o
-OBJS-$(CONFIG_TLS_OPENSSL_PROTOCOL) += tls_openssl.o tls.o
-OBJS-$(CONFIG_TLS_SCHANNEL_PROTOCOL) += tls_schannel.o tls.o
-OBJS-$(CONFIG_TLS_SECURETRANSPORT_PROTOCOL) += tls_securetransport.o tls.o
+TLS-OBJS-$(CONFIG_GNUTLS) += tls_gnutls.o
+TLS-OBJS-$(CONFIG_OPENSSL) += tls_openssl.o
+TLS-OBJS-$(CONFIG_SECURETRANSPORT) += tls_securetransport.o
+TLS-OBJS-$(CONFIG_SCHANNEL) += tls_schannel.o
+OBJS-$(CONFIG_TLS_PROTOCOL) += tls.o $(TLS-OBJS-yes)
OBJS-$(CONFIG_UDP_PROTOCOL) += udp.o
OBJS-$(CONFIG_UDPLITE_PROTOCOL) += udp.o
OBJS-$(CONFIG_UNIX_PROTOCOL) += unix.o
diff --git a/libavformat/network.c b/libavformat/network.c
index b3987a4d11..6c3d9def3b 100644
--- a/libavformat/network.c
+++ b/libavformat/network.c
@@ -29,25 +29,29 @@
int ff_tls_init(void)
{
-#if CONFIG_TLS_OPENSSL_PROTOCOL
+#if CONFIG_TLS_PROTOCOL
+#if CONFIG_OPENSSL
int ret;
if ((ret = ff_openssl_init()) < 0)
return ret;
#endif
-#if CONFIG_TLS_GNUTLS_PROTOCOL
+#if CONFIG_GNUTLS
ff_gnutls_init();
#endif
+#endif
return 0;
}
void ff_tls_deinit(void)
{
-#if CONFIG_TLS_OPENSSL_PROTOCOL
+#if CONFIG_TLS_PROTOCOL
+#if CONFIG_OPENSSL
ff_openssl_deinit();
#endif
-#if CONFIG_TLS_GNUTLS_PROTOCOL
+#if CONFIG_GNUTLS
ff_gnutls_deinit();
#endif
+#endif
}
int ff_network_inited_globally;
diff --git a/libavformat/protocols.c b/libavformat/protocols.c
index 8d3555ed52..669d74d5a8 100644
--- a/libavformat/protocols.c
+++ b/libavformat/protocols.c
@@ -56,10 +56,7 @@ extern const URLProtocol ff_srtp_protocol;
extern const URLProtocol ff_subfile_protocol;
extern const URLProtocol ff_tee_protocol;
extern const URLProtocol ff_tcp_protocol;
-extern const URLProtocol ff_tls_gnutls_protocol;
-extern const URLProtocol ff_tls_schannel_protocol;
-extern const URLProtocol ff_tls_securetransport_protocol;
-extern const URLProtocol ff_tls_openssl_protocol;
+extern const URLProtocol ff_tls_protocol;
extern const URLProtocol ff_udp_protocol;
extern const URLProtocol ff_udplite_protocol;
extern const URLProtocol ff_unix_protocol;
diff --git a/libavformat/tls.h b/libavformat/tls.h
index 0326ef7924..9c851bf132 100644
--- a/libavformat/tls.h
+++ b/libavformat/tls.h
@@ -26,8 +26,6 @@
#include "url.h"
#include "libavutil/opt.h"
-#define CONFIG_TLS_PROTOCOL (CONFIG_TLS_GNUTLS_PROTOCOL | CONFIG_TLS_OPENSSL_PROTOCOL | CONFIG_TLS_SECURETRANSPORT_PROTOCOL | CONFIG_TLS_SCHANNEL_PROTOCOL)
-
typedef struct TLSShared {
char *ca_file;
int verify;
diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c
index 5ce6c3d448..7adb4eed56 100644
--- a/libavformat/tls_gnutls.c
+++ b/libavformat/tls_gnutls.c
@@ -260,7 +260,7 @@ static const AVClass tls_class = {
.version = LIBAVUTIL_VERSION_INT,
};
-const URLProtocol ff_tls_gnutls_protocol = {
+const URLProtocol ff_tls_protocol = {
.name = "tls",
.url_open2 = tls_open,
.url_read = tls_read,
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 38af8a21c0..3108a86f41 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -339,7 +339,7 @@ static const AVClass tls_class = {
.version = LIBAVUTIL_VERSION_INT,
};
-const URLProtocol ff_tls_openssl_protocol = {
+const URLProtocol ff_tls_protocol = {
.name = "tls",
.url_open2 = tls_open,
.url_read = tls_read,
diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c
index 9f1c08806f..9a6e0c92e3 100644
--- a/libavformat/tls_schannel.c
+++ b/libavformat/tls_schannel.c
@@ -595,7 +595,7 @@ static const AVClass tls_class = {
.version = LIBAVUTIL_VERSION_INT,
};
-const URLProtocol ff_tls_schannel_protocol = {
+const URLProtocol ff_tls_protocol = {
.name = "tls",
.url_open2 = tls_open,
.url_read = tls_read,
diff --git a/libavformat/tls_securetransport.c b/libavformat/tls_securetransport.c
index bc8a32069e..9958931b0c 100644
--- a/libavformat/tls_securetransport.c
+++ b/libavformat/tls_securetransport.c
@@ -393,7 +393,7 @@ static const AVClass tls_class = {
.version = LIBAVUTIL_VERSION_INT,
};
-const URLProtocol ff_tls_securetransport_protocol = {
+const URLProtocol ff_tls_protocol = {
.name = "tls",
.url_open2 = tls_open,
.url_read = tls_read,
======================================================================
diff --cc configure
index 63ee46a53b,90760fe39e..998ac74e9e
--- a/configure
+++ b/configure
@@@ -3147,36 -2457,20 +3147,29 @@@ mmsh_protocol_select="http_protocol
mmst_protocol_select="network"
rtmp_protocol_conflict="librtmp_protocol"
rtmp_protocol_select="tcp_protocol"
+rtmp_protocol_suggest="zlib"
rtmpe_protocol_select="ffrtmpcrypt_protocol"
+rtmpe_protocol_suggest="zlib"
rtmps_protocol_conflict="librtmp_protocol"
rtmps_protocol_select="tls_protocol"
+rtmps_protocol_suggest="zlib"
rtmpt_protocol_select="ffrtmphttp_protocol"
+rtmpt_protocol_suggest="zlib"
rtmpte_protocol_select="ffrtmpcrypt_protocol ffrtmphttp_protocol"
+rtmpte_protocol_suggest="zlib"
rtmpts_protocol_select="ffrtmphttp_protocol https_protocol"
+rtmpts_protocol_suggest="zlib"
rtp_protocol_select="udp_protocol"
-sctp_protocol_deps="struct_sctp_event_subscribe"
++schannel_conflict="openssl gnutls"
+sctp_protocol_deps="struct_sctp_event_subscribe struct_msghdr_msg_flags"
sctp_protocol_select="network"
++securetransport_conflict="openssl gnutls"
srtp_protocol_select="rtp_protocol srtp"
tcp_protocol_select="network"
- tls_gnutls_protocol_conflict="tls_schannel_protocol tls_securetransport_protocol"
- tls_gnutls_protocol_deps="gnutls"
- tls_gnutls_protocol_select="tcp_protocol"
- tls_openssl_protocol_conflict="tls_schannel_protocol tls_securetransport_protocol tls_gnutls_protocol"
- tls_openssl_protocol_deps="openssl"
- tls_openssl_protocol_select="tcp_protocol"
- tls_schannel_protocol_deps="schannel"
- tls_schannel_protocol_select="tcp_protocol"
- tls_securetransport_protocol_deps="securetransport"
- tls_securetransport_protocol_select="tcp_protocol"
- tls_protocol_deps_any="tls_schannel_protocol tls_securetransport_protocol tls_gnutls_protocol tls_openssl_protocol"
-tls_protocol_deps_any="gnutls openssl"
++tls_protocol_deps_any="gnutls openssl schannel securetransport"
+ tls_protocol_select="tcp_protocol"
udp_protocol_select="network"
+udplite_protocol_select="network"
unix_protocol_deps="sys_un_h"
unix_protocol_select="network"
@@@ -3752,6 -2878,6 +3745,9 @@@ map "die_license_disabled nonfree" $HWA
enabled version3 && { enabled gpl && enable gplv3 || enable lgplv3; }
++enabled_all gnutls openssl &&
++ die "GnuTLS and OpenSSL must not be enabled at the same time."
++
# Disable all the library-specific components if the library itself
# is disabled, see AVCODEC_LIST and following _LIST variables.
diff --cc libavformat/Makefile
index 591a14b978,2c1c0f6d7f..caebe5b146
--- a/libavformat/Makefile
+++ b/libavformat/Makefile
@@@ -583,23 -407,13 +583,24 @@@ OBJS-$(CONFIG_RTMPTS_PROTOCOL
OBJS-$(CONFIG_RTP_PROTOCOL) += rtpproto.o
OBJS-$(CONFIG_SCTP_PROTOCOL) += sctp.o
OBJS-$(CONFIG_SRTP_PROTOCOL) += srtpproto.o srtp.o
+OBJS-$(CONFIG_SUBFILE_PROTOCOL) += subfile.o
+OBJS-$(CONFIG_TEE_PROTOCOL) += teeproto.o tee_common.o
OBJS-$(CONFIG_TCP_PROTOCOL) += tcp.o
- OBJS-$(CONFIG_TLS_GNUTLS_PROTOCOL) += tls_gnutls.o tls.o
- OBJS-$(CONFIG_TLS_OPENSSL_PROTOCOL) += tls_openssl.o tls.o
- OBJS-$(CONFIG_TLS_SCHANNEL_PROTOCOL) += tls_schannel.o tls.o
- OBJS-$(CONFIG_TLS_SECURETRANSPORT_PROTOCOL) += tls_securetransport.o tls.o
+ TLS-OBJS-$(CONFIG_GNUTLS) += tls_gnutls.o
+ TLS-OBJS-$(CONFIG_OPENSSL) += tls_openssl.o
++TLS-OBJS-$(CONFIG_SECURETRANSPORT) += tls_securetransport.o
++TLS-OBJS-$(CONFIG_SCHANNEL) += tls_schannel.o
+ OBJS-$(CONFIG_TLS_PROTOCOL) += tls.o $(TLS-OBJS-yes)
OBJS-$(CONFIG_UDP_PROTOCOL) += udp.o
+OBJS-$(CONFIG_UDPLITE_PROTOCOL) += udp.o
OBJS-$(CONFIG_UNIX_PROTOCOL) += unix.o
+# libavdevice dependencies
+OBJS-$(CONFIG_IEC61883_INDEV) += dv.o
+
+# Windows resource file
+SLIBOBJS-$(HAVE_GNU_WINDRES) += avformatres.o
+
SKIPHEADERS-$(CONFIG_FFRTMPCRYPT_PROTOCOL) += rtmpdh.h
SKIPHEADERS-$(CONFIG_NETWORK) += network.h rtsp.h
diff --cc libavformat/network.c
index b3987a4d11,86d79553f7..6c3d9def3b
--- a/libavformat/network.c
+++ b/libavformat/network.c
@@@ -23,21 -23,18 +23,23 @@@
#include "tls.h"
#include "url.h"
#include "libavcodec/internal.h"
+#include "libavutil/avutil.h"
#include "libavutil/mem.h"
+#include "libavutil/time.h"
-void ff_tls_init(void)
+int ff_tls_init(void)
{
- #if CONFIG_TLS_OPENSSL_PROTOCOL
+ #if CONFIG_TLS_PROTOCOL
+ #if CONFIG_OPENSSL
- ff_openssl_init();
+ int ret;
+ if ((ret = ff_openssl_init()) < 0)
+ return ret;
#endif
- #if CONFIG_TLS_GNUTLS_PROTOCOL
+ #if CONFIG_GNUTLS
ff_gnutls_init();
#endif
+ #endif
+ return 0;
}
void ff_tls_deinit(void)
diff --cc libavformat/protocols.c
index 8d3555ed52,8ea5c0e757..669d74d5a8
--- a/libavformat/protocols.c
+++ b/libavformat/protocols.c
@@@ -53,15 -47,9 +53,12 @@@ extern const URLProtocol ff_rtmpts_prot
extern const URLProtocol ff_rtp_protocol;
extern const URLProtocol ff_sctp_protocol;
extern const URLProtocol ff_srtp_protocol;
+extern const URLProtocol ff_subfile_protocol;
+extern const URLProtocol ff_tee_protocol;
extern const URLProtocol ff_tcp_protocol;
- extern const URLProtocol ff_tls_gnutls_protocol;
- extern const URLProtocol ff_tls_schannel_protocol;
- extern const URLProtocol ff_tls_securetransport_protocol;
- extern const URLProtocol ff_tls_openssl_protocol;
+ extern const URLProtocol ff_tls_protocol;
extern const URLProtocol ff_udp_protocol;
+extern const URLProtocol ff_udplite_protocol;
extern const URLProtocol ff_unix_protocol;
extern const URLProtocol ff_librtmp_protocol;
extern const URLProtocol ff_librtmpe_protocol;
diff --cc libavformat/tls_schannel.c
index 9f1c08806f,0000000000..9a6e0c92e3
mode 100644,000000..100644
--- a/libavformat/tls_schannel.c
+++ b/libavformat/tls_schannel.c
@@@ -1,608 -1,0 +1,608 @@@
+/*
+ * Copyright (c) 2015 Hendrik Leppkes
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/** Based on the CURL SChannel module */
+
+#include "avformat.h"
+#include "internal.h"
+#include "network.h"
+#include "os_support.h"
+#include "url.h"
+#include "tls.h"
+
+#define SECURITY_WIN32
+#include <windows.h>
+#include <security.h>
+#include <schnlsp.h>
+
+#define SCHANNEL_INITIAL_BUFFER_SIZE 4096
+#define SCHANNEL_FREE_BUFFER_SIZE 1024
+
+/* mingw does not define this symbol */
+#ifndef SECBUFFER_ALERT
+#define SECBUFFER_ALERT 17
+#endif
+
+typedef struct TLSContext {
+ const AVClass *class;
+ TLSShared tls_shared;
+
+ CredHandle cred_handle;
+ TimeStamp cred_timestamp;
+
+ CtxtHandle ctxt_handle;
+ TimeStamp ctxt_timestamp;
+
+ ULONG request_flags;
+ ULONG context_flags;
+
+ uint8_t *enc_buf;
+ int enc_buf_size;
+ int enc_buf_offset;
+
+ uint8_t *dec_buf;
+ int dec_buf_size;
+ int dec_buf_offset;
+
+ SecPkgContext_StreamSizes sizes;
+
+ int connected;
+ int connection_closed;
+ int sspi_close_notify;
+} TLSContext;
+
+static void init_sec_buffer(SecBuffer *buffer, unsigned long type,
+ void *data, unsigned long size)
+{
+ buffer->cbBuffer = size;
+ buffer->BufferType = type;
+ buffer->pvBuffer = data;
+}
+
+static void init_sec_buffer_desc(SecBufferDesc *desc, SecBuffer *buffers,
+ unsigned long buffer_count)
+{
+ desc->ulVersion = SECBUFFER_VERSION;
+ desc->pBuffers = buffers;
+ desc->cBuffers = buffer_count;
+}
+
+static int tls_shutdown_client(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ TLSShared *s = &c->tls_shared;
+ int ret;
+
+ if (c->connected) {
+ SecBufferDesc BuffDesc;
+ SecBuffer Buffer;
+ SECURITY_STATUS sspi_ret;
+ SecBuffer outbuf;
+ SecBufferDesc outbuf_desc;
+
+ DWORD dwshut = SCHANNEL_SHUTDOWN;
+ init_sec_buffer(&Buffer, SECBUFFER_TOKEN, &dwshut, sizeof(dwshut));
+ init_sec_buffer_desc(&BuffDesc, &Buffer, 1);
+
+ sspi_ret = ApplyControlToken(&c->ctxt_handle, &BuffDesc);
+ if (sspi_ret != SEC_E_OK)
+ av_log(h, AV_LOG_ERROR, "ApplyControlToken failed\n");
+
+ init_sec_buffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
+ init_sec_buffer_desc(&outbuf_desc, &outbuf, 1);
+
+ sspi_ret = InitializeSecurityContext(&c->cred_handle, &c->ctxt_handle, s->host,
+ c->request_flags, 0, 0, NULL, 0, &c->ctxt_handle,
+ &outbuf_desc, &c->context_flags, &c->ctxt_timestamp);
+ if (sspi_ret == SEC_E_OK || sspi_ret == SEC_I_CONTEXT_EXPIRED) {
+ ret = ffurl_write(s->tcp, outbuf.pvBuffer, outbuf.cbBuffer);
+ FreeContextBuffer(outbuf.pvBuffer);
+ if (ret < 0 || ret != outbuf.cbBuffer)
+ av_log(h, AV_LOG_ERROR, "Failed to send close message\n");
+ }
+
+ c->connected = 0;
+ }
+ return 0;
+}
+
+static int tls_close(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+
+ tls_shutdown_client(h);
+
+ DeleteSecurityContext(&c->ctxt_handle);
+ FreeCredentialsHandle(&c->cred_handle);
+
+ av_freep(&c->enc_buf);
+ c->enc_buf_size = c->enc_buf_offset = 0;
+
+ av_freep(&c->dec_buf);
+ c->dec_buf_size = c->dec_buf_offset = 0;
+
+ if (c->tls_shared.tcp)
+ ffurl_close(c->tls_shared.tcp);
+ return 0;
+}
+
+static int tls_client_handshake_loop(URLContext *h, int initial)
+{
+ TLSContext *c = h->priv_data;
+ TLSShared *s = &c->tls_shared;
+ SECURITY_STATUS sspi_ret;
+ SecBuffer outbuf[3];
+ SecBufferDesc outbuf_desc;
+ SecBuffer inbuf[2];
+ SecBufferDesc inbuf_desc;
+ int i, ret = 0, read_data = initial;
+
+ if (c->enc_buf == NULL) {
+ c->enc_buf_offset = 0;
+ ret = av_reallocp(&c->enc_buf, SCHANNEL_INITIAL_BUFFER_SIZE);
+ if (ret < 0)
+ goto fail;
+ c->enc_buf_size = SCHANNEL_INITIAL_BUFFER_SIZE;
+ }
+
+ if (c->dec_buf == NULL) {
+ c->dec_buf_offset = 0;
+ ret = av_reallocp(&c->dec_buf, SCHANNEL_INITIAL_BUFFER_SIZE);
+ if (ret < 0)
+ goto fail;
+ c->dec_buf_size = SCHANNEL_INITIAL_BUFFER_SIZE;
+ }
+
+ while (1) {
+ if (c->enc_buf_size - c->enc_buf_offset < SCHANNEL_FREE_BUFFER_SIZE) {
+ c->enc_buf_size = c->enc_buf_offset + SCHANNEL_FREE_BUFFER_SIZE;
+ ret = av_reallocp(&c->enc_buf, c->enc_buf_size);
+ if (ret < 0) {
+ c->enc_buf_size = c->enc_buf_offset = 0;
+ goto fail;
+ }
+ }
+
+ if (read_data) {
+ ret = ffurl_read(c->tls_shared.tcp, c->enc_buf + c->enc_buf_offset,
+ c->enc_buf_size - c->enc_buf_offset);
+ if (ret < 0) {
+ av_log(h, AV_LOG_ERROR, "Failed to read handshake response\n");
+ goto fail;
+ }
+ c->enc_buf_offset += ret;
+ }
+
+ /* input buffers */
+ init_sec_buffer(&inbuf[0], SECBUFFER_TOKEN, av_malloc(c->enc_buf_offset), c->enc_buf_offset);
+ init_sec_buffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
+ init_sec_buffer_desc(&inbuf_desc, inbuf, 2);
+
+ if (inbuf[0].pvBuffer == NULL) {
+ av_log(h, AV_LOG_ERROR, "Failed to allocate input buffer\n");
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
+
+ memcpy(inbuf[0].pvBuffer, c->enc_buf, c->enc_buf_offset);
+
+ /* output buffers */
+ init_sec_buffer(&outbuf[0], SECBUFFER_TOKEN, NULL, 0);
+ init_sec_buffer(&outbuf[1], SECBUFFER_ALERT, NULL, 0);
+ init_sec_buffer(&outbuf[2], SECBUFFER_EMPTY, NULL, 0);
+ init_sec_buffer_desc(&outbuf_desc, outbuf, 3);
+
+ sspi_ret = InitializeSecurityContext(&c->cred_handle, &c->ctxt_handle, s->host, c->request_flags,
+ 0, 0, &inbuf_desc, 0, NULL, &outbuf_desc, &c->context_flags,
+ &c->ctxt_timestamp);
+ av_freep(&inbuf[0].pvBuffer);
+
+ if (sspi_ret == SEC_E_INCOMPLETE_MESSAGE) {
+ av_log(h, AV_LOG_DEBUG, "Received incomplete handshake, need more data\n");
+ read_data = 1;
+ continue;
+ }
+
+ /* remote requests a client certificate - attempt to continue without one anyway */
+ if (sspi_ret == SEC_I_INCOMPLETE_CREDENTIALS &&
+ !(c->request_flags & ISC_REQ_USE_SUPPLIED_CREDS)) {
+ av_log(h, AV_LOG_VERBOSE, "Client certificate has been requested, ignoring\n");
+ c->request_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
+ read_data = 0;
+ continue;
+ }
+
+ /* continue handshake */
+ if (sspi_ret == SEC_I_CONTINUE_NEEDED || sspi_ret == SEC_E_OK) {
+ for (i = 0; i < 3; i++) {
+ if (outbuf[i].BufferType == SECBUFFER_TOKEN && outbuf[i].cbBuffer > 0) {
+ ret = ffurl_write(c->tls_shared.tcp, outbuf[i].pvBuffer, outbuf[i].cbBuffer);
+ if (ret < 0 || ret != outbuf[i].cbBuffer) {
+ av_log(h, AV_LOG_VERBOSE, "Failed to send handshake data\n");
+ ret = AVERROR(EIO);
+ goto fail;
+ }
+ }
+
+ if (outbuf[i].pvBuffer != NULL) {
+ FreeContextBuffer(outbuf[i].pvBuffer);
+ outbuf[i].pvBuffer = NULL;
+ }
+ }
+ } else {
+ if (sspi_ret == SEC_E_WRONG_PRINCIPAL)
+ av_log(h, AV_LOG_ERROR, "SNI or certificate check failed\n");
+ else
+ av_log(h, AV_LOG_ERROR, "Creating security context failed (0x%lx)\n", sspi_ret);
+ ret = AVERROR_UNKNOWN;
+ goto fail;
+ }
+
+ if (inbuf[1].BufferType == SECBUFFER_EXTRA && inbuf[1].cbBuffer > 0) {
+ if (c->enc_buf_offset > inbuf[1].cbBuffer) {
+ memmove(c->enc_buf, (c->enc_buf + c->enc_buf_offset) - inbuf[1].cbBuffer,
+ inbuf[1].cbBuffer);
+ c->enc_buf_offset = inbuf[1].cbBuffer;
+ if (sspi_ret == SEC_I_CONTINUE_NEEDED) {
+ read_data = 0;
+ continue;
+ }
+ }
+ } else {
+ c->enc_buf_offset = 0;
+ }
+
+ if (sspi_ret == SEC_I_CONTINUE_NEEDED) {
+ read_data = 1;
+ continue;
+ }
+
+ break;
+ }
+
+ return 0;
+
+fail:
+ /* free any remaining output data */
+ for (i = 0; i < 3; i++) {
+ if (outbuf[i].pvBuffer != NULL) {
+ FreeContextBuffer(outbuf[i].pvBuffer);
+ outbuf[i].pvBuffer = NULL;
+ }
+ }
+
+ return ret;
+}
+
+static int tls_client_handshake(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ TLSShared *s = &c->tls_shared;
+ SecBuffer outbuf;
+ SecBufferDesc outbuf_desc;
+ SECURITY_STATUS sspi_ret;
+ int ret;
+
+ init_sec_buffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
+ init_sec_buffer_desc(&outbuf_desc, &outbuf, 1);
+
+ c->request_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
+ ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
+ ISC_REQ_STREAM;
+
+ sspi_ret = InitializeSecurityContext(&c->cred_handle, NULL, s->host, c->request_flags, 0, 0,
+ NULL, 0, &c->ctxt_handle, &outbuf_desc, &c->context_flags,
+ &c->ctxt_timestamp);
+ if (sspi_ret != SEC_I_CONTINUE_NEEDED) {
+ av_log(h, AV_LOG_ERROR, "Unable to create initial security context (0x%lx)\n", sspi_ret);
+ ret = AVERROR_UNKNOWN;
+ goto fail;
+ }
+
+ ret = ffurl_write(s->tcp, outbuf.pvBuffer, outbuf.cbBuffer);
+ FreeContextBuffer(outbuf.pvBuffer);
+ if (ret < 0 || ret != outbuf.cbBuffer) {
+ av_log(h, AV_LOG_ERROR, "Failed to send initial handshake data\n");
+ ret = AVERROR(EIO);
+ goto fail;
+ }
+
+ return tls_client_handshake_loop(h, 1);
+
+fail:
+ DeleteSecurityContext(&c->ctxt_handle);
+ return ret;
+}
+
+static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
+{
+ TLSContext *c = h->priv_data;
+ TLSShared *s = &c->tls_shared;
+ SECURITY_STATUS sspi_ret;
+ SCHANNEL_CRED schannel_cred = { 0 };
+ int ret;
+
+ if ((ret = ff_tls_open_underlying(s, h, uri, options)) < 0)
+ goto fail;
+
+ if (s->listen) {
+ av_log(h, AV_LOG_ERROR, "TLS Listen Sockets with SChannel is not implemented.\n");
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
+
+ /* SChannel Options */
+ schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
+
+ if (s->verify)
+ schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION |
+ SCH_CRED_REVOCATION_CHECK_CHAIN;
+ else
+ schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION |
+ SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
+ SCH_CRED_IGNORE_REVOCATION_OFFLINE;
+
+ /* Get credential handle */
+ sspi_ret = AcquireCredentialsHandle(NULL, (TCHAR *)UNISP_NAME, SECPKG_CRED_OUTBOUND,
+ NULL, &schannel_cred, NULL, NULL, &c->cred_handle,
+ &c->cred_timestamp);
+ if (sspi_ret != SEC_E_OK) {
+ av_log(h, AV_LOG_ERROR, "Unable to acquire security credentials (0x%lx)\n", sspi_ret);
+ ret = AVERROR_UNKNOWN;
+ goto fail;
+ }
+
+ ret = tls_client_handshake(h);
+ if (ret < 0)
+ goto fail;
+
+ c->connected = 1;
+
+ return 0;
+
+fail:
+ tls_close(h);
+ return ret;
+}
+
+static int tls_read(URLContext *h, uint8_t *buf, int len)
+{
+ TLSContext *c = h->priv_data;
+ TLSShared *s = &c->tls_shared;
+ SECURITY_STATUS sspi_ret = SEC_E_OK;
+ SecBuffer inbuf[4];
+ SecBufferDesc inbuf_desc;
+ int size, ret;
+ int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE;
+
+ if (len <= c->dec_buf_offset)
+ goto cleanup;
+
+ if (c->sspi_close_notify)
+ goto cleanup;
+
+ if (!c->connection_closed) {
+ size = c->enc_buf_size - c->enc_buf_offset;
+ if (size < SCHANNEL_FREE_BUFFER_SIZE || c->enc_buf_size < min_enc_buf_size) {
+ c->enc_buf_size = c->enc_buf_offset + SCHANNEL_FREE_BUFFER_SIZE;
+ if (c->enc_buf_size < min_enc_buf_size)
+ c->enc_buf_size = min_enc_buf_size;
+ ret = av_reallocp(&c->enc_buf, c->enc_buf_size);
+ if (ret < 0) {
+ c->enc_buf_size = c->enc_buf_offset = 0;
+ return ret;
+ }
+ }
+
+ ret = ffurl_read(s->tcp, c->enc_buf + c->enc_buf_offset,
+ c->enc_buf_size - c->enc_buf_offset);
+ if (ret < 0) {
+ av_log(h, AV_LOG_ERROR, "Unable to read from socket\n");
+ return ret;
+ } else if (ret == 0)
+ c->connection_closed = 1;
+
+ c->enc_buf_offset += ret;
+ }
+
+ while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK && c->dec_buf_offset < len) {
+ /* input buffer */
+ init_sec_buffer(&inbuf[0], SECBUFFER_DATA, c->enc_buf, c->enc_buf_offset);
+
+ /* additional buffers for possible output */
+ init_sec_buffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
+ init_sec_buffer(&inbuf[2], SECBUFFER_EMPTY, NULL, 0);
+ init_sec_buffer(&inbuf[3], SECBUFFER_EMPTY, NULL, 0);
+ init_sec_buffer_desc(&inbuf_desc, inbuf, 4);
+
+ sspi_ret = DecryptMessage(&c->ctxt_handle, &inbuf_desc, 0, NULL);
+ if (sspi_ret == SEC_E_OK || sspi_ret == SEC_I_RENEGOTIATE ||
+ sspi_ret == SEC_I_CONTEXT_EXPIRED) {
+ /* handle decrypted data */
+ if (inbuf[1].BufferType == SECBUFFER_DATA) {
+ /* grow buffer if needed */
+ size = inbuf[1].cbBuffer > SCHANNEL_FREE_BUFFER_SIZE ?
+ inbuf[1].cbBuffer : SCHANNEL_FREE_BUFFER_SIZE;
+ if (c->dec_buf_size - c->dec_buf_offset < size || c->dec_buf_size < len) {
+ c->dec_buf_size = c->dec_buf_offset + size;
+ if (c->dec_buf_size < len)
+ c->dec_buf_size = len;
+ ret = av_reallocp(&c->dec_buf, c->dec_buf_size);
+ if (ret < 0) {
+ c->dec_buf_size = c->dec_buf_offset = 0;
+ return ret;
+ }
+ }
+
+ /* copy decrypted data to buffer */
+ size = inbuf[1].cbBuffer;
+ if (size) {
+ memcpy(c->dec_buf + c->dec_buf_offset, inbuf[1].pvBuffer, size);
+ c->dec_buf_offset += size;
+ }
+ }
+ if (inbuf[3].BufferType == SECBUFFER_EXTRA && inbuf[3].cbBuffer > 0) {
+ if (c->enc_buf_offset > inbuf[3].cbBuffer) {
+ memmove(c->enc_buf, (c->enc_buf + c->enc_buf_offset) - inbuf[3].cbBuffer,
+ inbuf[3].cbBuffer);
+ c->enc_buf_offset = inbuf[3].cbBuffer;
+ }
+ } else
+ c->enc_buf_offset = 0;
+
+ if (sspi_ret == SEC_I_RENEGOTIATE) {
+ if (c->enc_buf_offset) {
+ av_log(h, AV_LOG_ERROR, "Cannot renegotiate, encrypted data buffer not empty\n");
+ ret = AVERROR_UNKNOWN;
+ goto cleanup;
+ }
+
+ av_log(h, AV_LOG_VERBOSE, "Re-negotiating security context\n");
+ ret = tls_client_handshake_loop(h, 0);
+ if (ret < 0) {
+ goto cleanup;
+ }
+ sspi_ret = SEC_E_OK;
+ continue;
+ } else if (sspi_ret == SEC_I_CONTEXT_EXPIRED) {
+ c->sspi_close_notify = 1;
+ if (!c->connection_closed) {
+ c->connection_closed = 1;
+ av_log(h, AV_LOG_VERBOSE, "Server closed the connection\n");
+ }
+ ret = 0;
+ goto cleanup;
+ }
+ } else if (sspi_ret == SEC_E_INCOMPLETE_MESSAGE) {
+ ret = AVERROR(EAGAIN);
+ goto cleanup;
+ } else {
+ av_log(h, AV_LOG_ERROR, "Unable to decrypt message (error 0x%x)\n", (unsigned)sspi_ret);
+ ret = AVERROR(EIO);
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+
+cleanup:
+ size = FFMIN(len, c->dec_buf_offset);
+ if (size) {
+ memcpy(buf, c->dec_buf, size);
+ memmove(c->dec_buf, c->dec_buf + size, c->dec_buf_offset - size);
+ c->dec_buf_offset -= size;
+
+ return size;
+ }
+
+ if (ret == 0 && !c->connection_closed)
+ ret = AVERROR(EAGAIN);
+
+ return ret < 0 ? ret : 0;
+}
+
+static int tls_write(URLContext *h, const uint8_t *buf, int len)
+{
+ TLSContext *c = h->priv_data;
+ TLSShared *s = &c->tls_shared;
+ SECURITY_STATUS sspi_ret;
+ int ret = 0, data_size;
+ uint8_t *data = NULL;
+ SecBuffer outbuf[4];
+ SecBufferDesc outbuf_desc;
+
+ if (c->sizes.cbMaximumMessage == 0) {
+ sspi_ret = QueryContextAttributes(&c->ctxt_handle, SECPKG_ATTR_STREAM_SIZES, &c->sizes);
+ if (sspi_ret != SEC_E_OK)
+ return AVERROR_UNKNOWN;
+ }
+
+ /* limit how much data we can consume */
+ len = FFMIN(len, c->sizes.cbMaximumMessage);
+
+ data_size = c->sizes.cbHeader + len + c->sizes.cbTrailer;
+ data = av_malloc(data_size);
+ if (data == NULL)
+ return AVERROR(ENOMEM);
+
+ init_sec_buffer(&outbuf[0], SECBUFFER_STREAM_HEADER,
+ data, c->sizes.cbHeader);
+ init_sec_buffer(&outbuf[1], SECBUFFER_DATA,
+ data + c->sizes.cbHeader, len);
+ init_sec_buffer(&outbuf[2], SECBUFFER_STREAM_TRAILER,
+ data + c->sizes.cbHeader + len,
+ c->sizes.cbTrailer);
+ init_sec_buffer(&outbuf[3], SECBUFFER_EMPTY, NULL, 0);
+ init_sec_buffer_desc(&outbuf_desc, outbuf, 4);
+
+ memcpy(outbuf[1].pvBuffer, buf, len);
+
+ sspi_ret = EncryptMessage(&c->ctxt_handle, 0, &outbuf_desc, 0);
+ if (sspi_ret == SEC_E_OK) {
+ len = outbuf[0].cbBuffer + outbuf[1].cbBuffer + outbuf[2].cbBuffer;
+ ret = ffurl_write(s->tcp, data, len);
+ if (ret < 0 || ret != len) {
+ ret = AVERROR(EIO);
+ av_log(h, AV_LOG_ERROR, "Writing encrypted data to socket failed\n");
+ goto done;
+ }
+ } else {
+ av_log(h, AV_LOG_ERROR, "Encrypting data failed\n");
+ if (sspi_ret == SEC_E_INSUFFICIENT_MEMORY)
+ ret = AVERROR(ENOMEM);
+ else
+ ret = AVERROR(EIO);
+ goto done;
+ }
+
+done:
+ av_freep(&data);
+ return ret < 0 ? ret : outbuf[1].cbBuffer;
+}
+
+static int tls_get_file_handle(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ return ffurl_get_file_handle(c->tls_shared.tcp);
+}
+
+static const AVOption options[] = {
+ TLS_COMMON_OPTIONS(TLSContext, tls_shared),
+ { NULL }
+};
+
+static const AVClass tls_class = {
+ .class_name = "tls",
+ .item_name = av_default_item_name,
+ .option = options,
+ .version = LIBAVUTIL_VERSION_INT,
+};
+
- const URLProtocol ff_tls_schannel_protocol = {
++const URLProtocol ff_tls_protocol = {
+ .name = "tls",
+ .url_open2 = tls_open,
+ .url_read = tls_read,
+ .url_write = tls_write,
+ .url_close = tls_close,
+ .url_get_file_handle = tls_get_file_handle,
+ .priv_data_size = sizeof(TLSContext),
+ .flags = URL_PROTOCOL_FLAG_NETWORK,
+ .priv_data_class = &tls_class,
+};
diff --cc libavformat/tls_securetransport.c
index bc8a32069e,0000000000..9958931b0c
mode 100644,000000..100644
--- a/libavformat/tls_securetransport.c
+++ b/libavformat/tls_securetransport.c
@@@ -1,406 -1,0 +1,406 @@@
+/*
+ * Copyright (c) 2015 Rodger Combs
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with FFmpeg; if not, write to the Free Software * Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <errno.h>
+
+
+#include "avformat.h"
+#include "avio_internal.h"
+#include "internal.h"
+#include "network.h"
+#include "os_support.h"
+#include "url.h"
+#include "tls.h"
+#include "libavcodec/internal.h"
+#include "libavutil/avstring.h"
+#include "libavutil/opt.h"
+#include "libavutil/parseutils.h"
+
+#include <Security/Security.h>
+#include <Security/SecureTransport.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+// We use a private API call here; it's good enough for WebKit.
+SecIdentityRef SecIdentityCreate(CFAllocatorRef allocator, SecCertificateRef certificate, SecKeyRef privateKey);
+#define ioErr -36
+
+typedef struct TLSContext {
+ const AVClass *class;
+ TLSShared tls_shared;
+ SSLContextRef ssl_context;
+ CFArrayRef ca_array;
+ int lastErr;
+} TLSContext;
+
+static int print_tls_error(URLContext *h, int ret)
+{
+ TLSContext *c = h->priv_data;
+ switch (ret) {
+ case errSSLWouldBlock:
+ break;
+ case errSSLXCertChainInvalid:
+ av_log(h, AV_LOG_ERROR, "Invalid certificate chain\n");
+ return AVERROR(EIO);
+ case ioErr:
+ return c->lastErr;
+ default:
+ av_log(h, AV_LOG_ERROR, "IO Error: %i\n", ret);
+ return AVERROR(EIO);
+ }
+ return AVERROR(EIO);
+}
+
+static int import_pem(URLContext *h, char *path, CFArrayRef *array)
+{
+ AVIOContext *s = NULL;
+ CFDataRef data = NULL;
+ int64_t ret = 0;
+ char *buf = NULL;
+ SecExternalFormat format = kSecFormatPEMSequence;
+ SecExternalFormat type = kSecItemTypeAggregate;
+ CFStringRef pathStr = CFStringCreateWithCString(NULL, path, 0x08000100);
+ if (!pathStr) {
+ ret = AVERROR(ENOMEM);
+ goto end;
+ }
+
+ if ((ret = ffio_open_whitelist(&s, path, AVIO_FLAG_READ,
+ &h->interrupt_callback, NULL,
+ h->protocol_whitelist, h->protocol_blacklist)) < 0)
+ goto end;
+
+ if ((ret = avio_size(s)) < 0)
+ goto end;
+
+ if (ret == 0) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+
+ if (!(buf = av_malloc(ret))) {
+ ret = AVERROR(ENOMEM);
+ goto end;
+ }
+
+ if ((ret = avio_read(s, buf, ret)) < 0)
+ goto end;
+
+ data = CFDataCreate(kCFAllocatorDefault, buf, ret);
+
+ if (SecItemImport(data, pathStr, &format, &type,
+ 0, NULL, NULL, array) != noErr || !array) {
+ ret = AVERROR_UNKNOWN;
+ goto end;
+ }
+
+ if (CFArrayGetCount(*array) == 0) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+
+end:
+ av_free(buf);
+ if (pathStr)
+ CFRelease(pathStr);
+ if (data)
+ CFRelease(data);
+ if (s)
+ avio_close(s);
+ return ret;
+}
+
+static int load_ca(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ int ret = 0;
+ CFArrayRef array = NULL;
+
+ if ((ret = import_pem(h, c->tls_shared.ca_file, &array)) < 0)
+ goto end;
+
+ if (!(c->ca_array = CFRetain(array))) {
+ ret = AVERROR(ENOMEM);
+ goto end;
+ }
+
+end:
+ if (array)
+ CFRelease(array);
+ return ret;
+}
+
+static int load_cert(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ int ret = 0;
+ CFArrayRef certArray = NULL;
+ CFArrayRef keyArray = NULL;
+ SecIdentityRef id = NULL;
+ CFMutableArrayRef outArray = NULL;
+
+ if ((ret = import_pem(h, c->tls_shared.cert_file, &certArray)) < 0)
+ goto end;
+
+ if ((ret = import_pem(h, c->tls_shared.key_file, &keyArray)) < 0)
+ goto end;
+
+ if (!(id = SecIdentityCreate(kCFAllocatorDefault,
+ (SecCertificateRef)CFArrayGetValueAtIndex(certArray, 0),
+ (SecKeyRef)CFArrayGetValueAtIndex(keyArray, 0)))) {
+ ret = AVERROR_UNKNOWN;
+ goto end;
+ }
+
+ if (!(outArray = CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, certArray))) {
+ ret = AVERROR(ENOMEM);
+ goto end;
+ }
+
+ CFArraySetValueAtIndex(outArray, 0, id);
+
+ SSLSetCertificate(c->ssl_context, outArray);
+
+end:
+ if (certArray)
+ CFRelease(certArray);
+ if (keyArray)
+ CFRelease(keyArray);
+ if (outArray)
+ CFRelease(outArray);
+ if (id)
+ CFRelease(id);
+ return ret;
+}
+
+static OSStatus tls_read_cb(SSLConnectionRef connection, void *data, size_t *dataLength)
+{
+ URLContext *h = (URLContext*)connection;
+ TLSContext *c = h->priv_data;
+ int read = ffurl_read_complete(c->tls_shared.tcp, data, *dataLength);
+ if (read <= 0) {
+ *dataLength = 0;
+ switch(AVUNERROR(read)) {
+ case ENOENT:
+ case 0:
+ return errSSLClosedGraceful;
+ case ECONNRESET:
+ return errSSLClosedAbort;
+ case EAGAIN:
+ return errSSLWouldBlock;
+ default:
+ c->lastErr = read;
+ return ioErr;
+ }
+ } else {
+ *dataLength = read;
+ return noErr;
+ }
+}
+
+static OSStatus tls_write_cb(SSLConnectionRef connection, const void *data, size_t *dataLength)
+{
+ URLContext *h = (URLContext*)connection;
+ TLSContext *c = h->priv_data;
+ int written = ffurl_write(c->tls_shared.tcp, data, *dataLength);
+ if (written <= 0) {
+ *dataLength = 0;
+ switch(AVUNERROR(written)) {
+ case EAGAIN:
+ return errSSLWouldBlock;
+ default:
+ c->lastErr = written;
+ return ioErr;
+ }
+ } else {
+ *dataLength = written;
+ return noErr;
+ }
+}
+
+static int tls_close(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ if (c->ssl_context) {
+ SSLClose(c->ssl_context);
+ CFRelease(c->ssl_context);
+ }
+ if (c->ca_array)
+ CFRelease(c->ca_array);
+ if (c->tls_shared.tcp)
+ ffurl_close(c->tls_shared.tcp);
+ return 0;
+}
+
+#define CHECK_ERROR(func, ...) do { \
+ OSStatus status = func(__VA_ARGS__); \
+ if (status != noErr) { \
+ ret = AVERROR_UNKNOWN; \
+ av_log(h, AV_LOG_ERROR, #func ": Error %i\n", (int)status); \
+ goto fail; \
+ } \
+ } while (0)
+
+static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
+{
+ TLSContext *c = h->priv_data;
+ TLSShared *s = &c->tls_shared;
+ int ret;
+
+ if ((ret = ff_tls_open_underlying(s, h, uri, options)) < 0)
+ goto fail;
+
+ c->ssl_context = SSLCreateContext(NULL, s->listen ? kSSLServerSide : kSSLClientSide, kSSLStreamType);
+ if (!c->ssl_context) {
+ av_log(h, AV_LOG_ERROR, "Unable to create SSL context\n");
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
+ if (s->ca_file) {
+ if ((ret = load_ca(h)) < 0)
+ goto fail;
+ }
+ if (s->ca_file || !s->verify)
+ CHECK_ERROR(SSLSetSessionOption, c->ssl_context, kSSLSessionOptionBreakOnServerAuth, true);
+ if (s->cert_file)
+ if ((ret = load_cert(h)) < 0)
+ goto fail;
+ CHECK_ERROR(SSLSetPeerDomainName, c->ssl_context, s->host, strlen(s->host));
+ CHECK_ERROR(SSLSetIOFuncs, c->ssl_context, tls_read_cb, tls_write_cb);
+ CHECK_ERROR(SSLSetConnection, c->ssl_context, h);
+ while (1) {
+ OSStatus status = SSLHandshake(c->ssl_context);
+ if (status == errSSLServerAuthCompleted) {
+ SecTrustRef peerTrust;
+ SecTrustResultType trustResult;
+ if (!s->verify)
+ continue;
+
+ if (SSLCopyPeerTrust(c->ssl_context, &peerTrust) != noErr) {
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
+
+ if (SecTrustSetAnchorCertificates(peerTrust, c->ca_array) != noErr) {
+ ret = AVERROR_UNKNOWN;
+ goto fail;
+ }
+
+ if (SecTrustEvaluate(peerTrust, &trustResult) != noErr) {
+ ret = AVERROR_UNKNOWN;
+ goto fail;
+ }
+
+ if (trustResult == kSecTrustResultProceed ||
+ trustResult == kSecTrustResultUnspecified) {
+ // certificate is trusted
+ status = errSSLWouldBlock; // so we call SSLHandshake again
+ } else if (trustResult == kSecTrustResultRecoverableTrustFailure) {
+ // not trusted, for some reason other than being expired
+ status = errSSLXCertChainInvalid;
+ } else {
+ // cannot use this certificate (fatal)
+ status = errSSLBadCert;
+ }
+
+ if (peerTrust)
+ CFRelease(peerTrust);
+ }
+ if (status == noErr)
+ break;
+
+ av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session: %i\n", (int)status);
+ ret = AVERROR(EIO);
+ goto fail;
+ }
+
+ return 0;
+fail:
+ tls_close(h);
+ return ret;
+}
+
+static int map_ssl_error(OSStatus status, size_t processed)
+{
+ switch (status) {
+ case noErr:
+ return processed;
+ case errSSLClosedGraceful:
+ case errSSLClosedNoNotify:
+ return 0;
+ default:
+ return (int)status;
+ }
+}
+
+static int tls_read(URLContext *h, uint8_t *buf, int size)
+{
+ TLSContext *c = h->priv_data;
+ size_t processed = 0;
+ int ret = SSLRead(c->ssl_context, buf, size, &processed);
+ ret = map_ssl_error(ret, processed);
+ if (ret > 0)
+ return ret;
+ if (ret == 0)
+ return AVERROR_EOF;
+ return print_tls_error(h, ret);
+}
+
+static int tls_write(URLContext *h, const uint8_t *buf, int size)
+{
+ TLSContext *c = h->priv_data;
+ size_t processed = 0;
+ int ret = SSLWrite(c->ssl_context, buf, size, &processed);
+ ret = map_ssl_error(ret, processed);
+ if (ret > 0)
+ return ret;
+ if (ret == 0)
+ return AVERROR_EOF;
+ return print_tls_error(h, ret);
+}
+
+static int tls_get_file_handle(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ return ffurl_get_file_handle(c->tls_shared.tcp);
+}
+
+static const AVOption options[] = {
+ TLS_COMMON_OPTIONS(TLSContext, tls_shared),
+ { NULL }
+};
+
+static const AVClass tls_class = {
+ .class_name = "tls",
+ .item_name = av_default_item_name,
+ .option = options,
+ .version = LIBAVUTIL_VERSION_INT,
+};
+
- const URLProtocol ff_tls_securetransport_protocol = {
++const URLProtocol ff_tls_protocol = {
+ .name = "tls",
+ .url_open2 = tls_open,
+ .url_read = tls_read,
+ .url_write = tls_write,
+ .url_close = tls_close,
+ .url_get_file_handle = tls_get_file_handle,
+ .priv_data_size = sizeof(TLSContext),
+ .flags = URL_PROTOCOL_FLAG_NETWORK,
+ .priv_data_class = &tls_class,
+};
More information about the ffmpeg-cvslog
mailing list