Attached patch adds support for LibreSSL. Instead of trying to implement
support into the existing tls_openssl.c using lots of #ifdefs (which was
rejected previously(?)) this adds a new TLS backend making use of the
new libtls library.
Things to note:
- Haven't looked at LibreSSL's license closely, I assume that it has the
same GPL licensing incompatibility as a derivative of OpenSSL (requires
--enable-nonfree if --enable-gpl is used)
- ffrtmpcrypt support is not implemented since the bignum functions are
not part of libtls itself
- Not sure why anyone would use libtls without pkg-config but supporting
it probably doesn't hurt
I have tested all features (client mode, listen mode, cert/hostname
verification) on both Alpine and Arch Linux.
Before michaelni asks again: Yes, the absence of my real name in git is
intended.
From d4336b0733a1e582d7bf30795bf99df4cc60d7df Mon Sep 17 00:00:00 2001
From: sfan5 <sf...@live.de>
Date: Sat, 4 Nov 2017 15:45:16 +0100
Subject: [PATCH] libavformat: LibreSSL (libtls) support
Signed-off-by: sfan5 <sf...@live.de>
---
Changelog | 1 +
configure | 16 ++--
doc/protocols.texi | 2 +-
libavformat/Makefile | 1 +
libavformat/tls_libtls.c | 207 +++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 221 insertions(+), 6 deletions(-)
create mode 100644 libavformat/tls_libtls.c
diff --git a/Changelog b/Changelog
index 8c45b2946d..bd37971af5 100644
--- a/Changelog
+++ b/Changelog
@@ -7,6 +7,7 @@ version <next>:
requires 2.1 (or later) and pkg-config.
- VDA dropped (use VideoToolbox instead)
- MagicYUV encoder
+- support LibreSSL (via libtls)
version 3.4:
diff --git a/configure b/configure
index 1b0f064607..2938be7b07 100755
--- a/configure
+++ b/configure
@@ -215,7 +215,7 @@ External library support:
--enable-gmp enable gmp, needed for rtmp(t)e support
if openssl or librtmp is not used [no]
--enable-gnutls enable gnutls, needed for https support
- if openssl is not used [no]
+ if openssl or libtls is not used [no]
--disable-iconv disable iconv [autodetect]
--enable-jni enable JNI support [no]
--enable-ladspa enable LADSPA audio filtering [no]
@@ -260,6 +260,8 @@ External library support:
--enable-libssh enable SFTP protocol via libssh [no]
--enable-libtesseract enable Tesseract, needed for ocr filter [no]
--enable-libtheora enable Theora encoding via libtheora [no]
+ --enable-libtls enable LibreSSL (via libtls), needed for https support
+ if openssl or gnutls is not used [no]
--enable-libtwolame enable MP2 encoding via libtwolame [no]
--enable-libv4l2 enable libv4l2/v4l-utils [no]
--enable-libvidstab enable video stabilization using vid.stab [no]
@@ -292,7 +294,7 @@ External library support:
--enable-opencl enable OpenCL code
--enable-opengl enable OpenGL rendering [no]
--enable-openssl enable openssl, needed for https support
- if gnutls is not used [no]
+ if gnutls or libtls is not used [no]
--disable-sndio disable sndio support [autodetect]
--disable-schannel disable SChannel SSP, needed for TLS support on
Windows if openssl and gnutls are not used [autodetect]
@@ -1563,6 +1565,7 @@ EXTERNAL_LIBRARY_NONFREE_LIST="
libndi_newtek
libfdk_aac
openssl
+ libtls
"
EXTERNAL_LIBRARY_VERSION3_LIST="
@@ -3135,6 +3138,7 @@ librtmpt_protocol_deps="librtmp"
librtmpte_protocol_deps="librtmp"
libsmbclient_protocol_deps="libsmbclient gplv3"
libssh_protocol_deps="libssh"
+libtls_conflict="openssl gnutls"
mmsh_protocol_select="http_protocol"
mmst_protocol_select="network"
rtmp_protocol_conflict="librtmp_protocol"
@@ -3152,13 +3156,13 @@ rtmpte_protocol_suggest="zlib"
rtmpts_protocol_select="ffrtmphttp_protocol https_protocol"
rtmpts_protocol_suggest="zlib"
rtp_protocol_select="udp_protocol"
-schannel_conflict="openssl gnutls"
+schannel_conflict="openssl gnutls libtls"
sctp_protocol_deps="struct_sctp_event_subscribe struct_msghdr_msg_flags"
sctp_protocol_select="network"
-securetransport_conflict="openssl gnutls"
+securetransport_conflict="openssl gnutls libtls"
srtp_protocol_select="rtp_protocol srtp"
tcp_protocol_select="network"
-tls_protocol_deps_any="gnutls openssl schannel securetransport"
+tls_protocol_deps_any="gnutls openssl schannel securetransport libtls"
tls_protocol_select="tcp_protocol"
udp_protocol_select="network"
udplite_protocol_select="network"
@@ -6009,6 +6013,8 @@ enabled libssh && require_pkg_config libssh libssh libssh/sftp.h sftp
enabled libspeex && require_pkg_config libspeex speex speex/speex.h speex_decoder_init -lspeex
enabled libtesseract && require_pkg_config libtesseract tesseract tesseract/capi.h TessBaseAPICreate
enabled libtheora && require libtheora theora/theoraenc.h th_info_init -ltheoraenc -ltheoradec -logg
+enabled libtls && { use_pkg_config libtls libtls tls.h tls_configure ||
+ require libtls tls.h tls_configure -ltls; }
enabled libtwolame && require libtwolame twolame.h twolame_init -ltwolame &&
{ check_lib libtwolame twolame.h twolame_encode_buffer_float32_interleaved -ltwolame ||
die "ERROR: libtwolame must be installed and version must be >= 0.3.10"; }
diff --git a/doc/protocols.texi b/doc/protocols.texi
index a7968ff56e..f4209f31fb 100644
--- a/doc/protocols.texi
+++ b/doc/protocols.texi
@@ -1277,7 +1277,7 @@ If enabled, try to verify the peer that we are communicating with.
Note, if using OpenSSL, this currently only makes sure that the
peer certificate is signed by one of the root certificates in the CA
database, but it does not validate that the certificate actually
-matches the host name we are trying to connect to. (With GnuTLS,
+matches the host name we are trying to connect to. (With other backends,
the host name is validated as well.)
This is disabled by default since it requires a CA database to be
diff --git a/libavformat/Makefile b/libavformat/Makefile
index caebe5b146..cdd98dfdd6 100644
--- a/libavformat/Makefile
+++ b/libavformat/Makefile
@@ -587,6 +587,7 @@ OBJS-$(CONFIG_SUBFILE_PROTOCOL) += subfile.o
OBJS-$(CONFIG_TEE_PROTOCOL) += teeproto.o tee_common.o
OBJS-$(CONFIG_TCP_PROTOCOL) += tcp.o
TLS-OBJS-$(CONFIG_GNUTLS) += tls_gnutls.o
+TLS-OBJS-$(CONFIG_LIBTLS) += tls_libtls.o
TLS-OBJS-$(CONFIG_OPENSSL) += tls_openssl.o
TLS-OBJS-$(CONFIG_SECURETRANSPORT) += tls_securetransport.o
TLS-OBJS-$(CONFIG_SCHANNEL) += tls_schannel.o
diff --git a/libavformat/tls_libtls.c b/libavformat/tls_libtls.c
new file mode 100644
index 0000000000..1321f79229
--- /dev/null
+++ b/libavformat/tls_libtls.c
@@ -0,0 +1,207 @@
+/*
+ * TLS/SSL Protocol
+ * Copyright (c) 2011 Martin Storsjo
+ * Copyright (c) 2017 sfan5 <sf...@live.de>
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "avformat.h"
+#include "internal.h"
+#include "network.h"
+#include "url.h"
+#include "tls.h"
+#include "libavcodec/internal.h"
+#include "libavutil/avutil.h"
+#include "libavutil/opt.h"
+
+#include <tls.h>
+
+typedef struct TLSContext {
+ const AVClass *class;
+ TLSShared tls_shared;
+ struct tls *ctx;
+} TLSContext;
+
+static int ff_tls_close(URLContext *h)
+{
+ TLSContext *p = h->priv_data;
+ if (p->ctx) {
+ tls_close(p->ctx);
+ tls_free(p->ctx);
+ }
+ if (p->tls_shared.tcp)
+ ffurl_close(p->tls_shared.tcp);
+ return 0;
+}
+
+static ssize_t tls_read_callback(struct tls *ctx, void *buf, size_t buflen, void *cb_arg)
+{
+ URLContext *h = (URLContext*) cb_arg;
+ int ret = ffurl_read(h, buf, buflen);
+ if (ret == AVERROR(EAGAIN))
+ return TLS_WANT_POLLIN;
+ else if (ret == AVERROR_EXIT)
+ return 0;
+ return ret >= 0 ? ret : -1;
+}
+
+static ssize_t tls_write_callback(struct tls *ctx, const void *buf, size_t buflen, void *cb_arg)
+{
+ URLContext *h = (URLContext*) cb_arg;
+ int ret = ffurl_write(h, buf, buflen);
+ if (ret == AVERROR(EAGAIN))
+ return TLS_WANT_POLLOUT;
+ else if (ret == AVERROR_EXIT)
+ return 0;
+ return ret >= 0 ? ret : -1;
+}
+
+static int ff_tls_open(URLContext *h, const char *uri, int flags, AVDictionary **options)
+{
+ TLSContext *p = h->priv_data;
+ TLSShared *c = &p->tls_shared;
+ struct tls_config *cfg = NULL;
+ int ret;
+
+ if (tls_init() == -1) {
+ ret = AVERROR(EIO);
+ goto fail;
+ }
+
+ if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
+ goto fail;
+
+ p->ctx = !c->listen ? tls_client() : tls_server();
+ if (!p->ctx) {
+ ret = AVERROR(EIO);
+ goto fail;
+ }
+
+ cfg = tls_config_new();
+ if (!p->ctx) {
+ ret = AVERROR(EIO);
+ goto fail;
+ }
+ if (tls_config_set_protocols(cfg, TLS_PROTOCOLS_ALL) == -1)
+ goto err_config;
+ // While TLSv1.0 and TLSv1.1 are already enabled by the above,
+ // we need to be less strict with ciphers so it works in practice.
+ if (tls_config_set_ciphers(cfg, "compat") == -1)
+ goto err_config;
+ if (c->ca_file && tls_config_set_ca_file(cfg, c->ca_file) == -1)
+ goto err_config;
+ if (c->cert_file && tls_config_set_cert_file(cfg, c->cert_file) == -1)
+ goto err_config;
+ if (c->key_file && tls_config_set_key_file(cfg, c->key_file) == -1)
+ goto err_config;
+ if (!c->verify) {
+ tls_config_insecure_noverifycert(cfg);
+ tls_config_insecure_noverifyname(cfg);
+ tls_config_insecure_noverifytime(cfg);
+ }
+ if (tls_configure(p->ctx, cfg) == -1)
+ goto err_ctx;
+
+ if (!c->listen) {
+ ret = tls_connect_cbs(p->ctx, tls_read_callback, tls_write_callback,
+ c->tcp, !c->numerichost ? c->host : NULL);
+ } else {
+ struct tls *ctx_new;
+ ret = tls_accept_cbs(p->ctx, &ctx_new, tls_read_callback,
+ tls_write_callback, c->tcp);
+ if (ret == 0) {
+ // free "server" context and replace by "connection" context
+ tls_free(p->ctx);
+ p->ctx = ctx_new;
+ }
+ }
+ if (ret == -1)
+ goto err_ctx;
+
+ tls_config_free(cfg);
+ return 0;
+err_config:
+ av_log(h, AV_LOG_ERROR, "%s\n", tls_config_error(cfg));
+ ret = AVERROR(EIO);
+ goto fail;
+err_ctx:
+ av_log(h, AV_LOG_ERROR, "%s\n", tls_error(p->ctx));
+ ret = AVERROR(EIO);
+ /* fallthrough */
+fail:
+ if (cfg)
+ tls_config_free(cfg);
+ ff_tls_close(h);
+ return ret;
+}
+
+static int ff_tls_read(URLContext *h, uint8_t *buf, int size)
+{
+ TLSContext *p = h->priv_data;
+ ssize_t ret;
+ ret = tls_read(p->ctx, buf, size);
+ if (ret > 0)
+ return ret;
+ else if (ret == 0)
+ return AVERROR_EOF;
+ av_log(h, AV_LOG_ERROR, "%s\n", tls_error(p->ctx));
+ return AVERROR(EIO);
+}
+
+static int ff_tls_write(URLContext *h, const uint8_t *buf, int size)
+{
+ TLSContext *p = h->priv_data;
+ ssize_t ret;
+ ret = tls_write(p->ctx, buf, size);
+ if (ret > 0)
+ return ret;
+ else if (ret == 0)
+ return AVERROR_EOF;
+ av_log(h, AV_LOG_ERROR, "%s\n", tls_error(p->ctx));
+ return AVERROR(EIO);
+}
+
+static int tls_get_file_handle(URLContext *h)
+{
+ TLSContext *c = h->priv_data;
+ return ffurl_get_file_handle(c->tls_shared.tcp);
+}
+
+static const AVOption options[] = {
+ TLS_COMMON_OPTIONS(TLSContext, tls_shared),
+ { NULL }
+};
+
+static const AVClass tls_class = {
+ .class_name = "tls",
+ .item_name = av_default_item_name,
+ .option = options,
+ .version = LIBAVUTIL_VERSION_INT,
+};
+
+const URLProtocol ff_tls_protocol = {
+ .name = "tls",
+ .url_open2 = ff_tls_open,
+ .url_read = ff_tls_read,
+ .url_write = ff_tls_write,
+ .url_close = ff_tls_close,
+ .url_get_file_handle = tls_get_file_handle,
+ .priv_data_size = sizeof(TLSContext),
+ .flags = URL_PROTOCOL_FLAG_NETWORK,
+ .priv_data_class = &tls_class,
+};
--
2.14.3
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
